HAQ.NEWS

// Jared Folkins

# Description

Today, Ivanti patched a big SSRF bug (CVE-2024-21893). Secure your network with least privilege and multi-factor authentication. Charlie Miller shows how to fix mobile device weaknesses. Yak Lang is a cool cybersecurity language. ADOKit attacks Azure DevOps, and Ransack gets a security fix for Ruby apps. EventLogCrasher crashes the Windows Event Log service, while CVE-2024-20698 is hard to exploit in practice. Beware of fake NFT games, and watch for SOAPHound's stealthy Active Directory collection. ToumaPet reveals its secrets, guard against malicious OAuth apps, and Math Invaders gets decoded. ThievingFox steals credentials, and AnyDesk IOCs help spot threats. Monitor Telegram with tg-keyword-trends, secure your bootloader against CVE-2023-40547, and track SEC filings with SECurityTr8Ker!

# Tradecraft

[#] Ivanti Connect Secure and Ivanti Policy Secure products suffer from a high-value server-side request forgery (SSRF) vulnerability (CVE-2024-21893) allowing unauthenticated attackers to bypass security measures and execute remote code; Ivanti has released patches and a second mitigation file to address this and related vulnerabilities.
https://attackerkb.com/topics/FGlK1TVnB2/cve-2024-21893/rapid7-analysis
[#] Charlie Miller's work primarily addresses vulnerabilities in software and systems, offering insights into how to discover, exploit, and patch these weaknesses with a focus on mobile devices and their security frameworks.
https://www.bleepingcomputer.com/news/legal/interpol-operation-synergia-takes-down-1-300-servers-used-for-cybercrime/
[#] Yak Lang is a versatile programming language tailored for cybersecurity tasks, featuring functions for encryption and encoding, HTTP request handling, packet manipulation, port scanning, and integrating fuzz testing within its dynamic typing system, and it benefits from the scalability and efficiency of Golang.
https://hadess.io/yak-lang-revolutionizing-cybersecurity-with-a-cutting-edge-programming-language/
[#] ADOKit is a toolkit for attacking Azure DevOps Services by exploiting REST API with features for reconnaissance, privilege escalation, and persistence, requiring valid credentials for use.
https://github.com/h4wkst3r/ADOKit
[#] The article examines security risks associated with using the Ransack library in Ruby on Rails applications and provides mitigation strategies, including a recent library update that necessitates explicit attribute and association allowlists to prevent brute-force attacks on sensitive information.
https://positive.security/blog/ransack-data-exfiltration
[#] Proof of concept code called EventLogCrasher is available, demonstrating a bug that allows any user on the same domain to crash the Windows Event Log service on Windows 10/Windows Server 2022 machines by sending malformed UNICODE_STRING objects to the EventLog Remoting Protocol's ElfrRegisterEventSourceW method.
https://github.com/floesen/EventLogCrasher
[#] CVE-2024-20698 is an integer overflow in the WbAddLookupEntryEx function in ntoskrnl.exe, fixed by adding checks that prevent the overflow; exploiting it would require creating over 536 million concurrent processes, a number difficult to achieve in practice.
https://github.com/RomanRybachek/CVE-2024-20698
[#] A fake job offer was used to distribute a 1 GB malware payload disguised as an NFT game, using obfuscation and encryption; RedLine C2 traffic was identified as the payload, and indicators of compromise (IoCs) are provided for detection and prevention.
https://infosecwriteups.com/fake-crypto-game-job-offer-phishing-27642662fe13
[#] SOAPHound is a .NET tool designed to collect Active Directory data through the ADWS protocol without directly contacting the LDAP server, thereby avoiding detection by standard monitoring tools.
https://securityonline.info/soaphound-enumerate-active-directory-environments-via-adws-protocol/
[#] The article discusses the reverse engineering of a Chinese Tamagotchi clone called ToumaPet, uncovering its hardware details, the use of a 65C02 microprocessor, and detailing the process for decoding its firmware and sound data.
https://habr.com/ru/companies/ruvds/articles/789262/
[#] OAuth applications can be maliciously used to gain unauthorized access to data; to prevent this, organizations should implement security best practices such as reviewing app registrations, managing user consent settings, and using state parameters and allowlists for redirects.
https://blog.devsecopsguides.com/malicious-use-of-oauth-applications
[#] The post discusses the process of reverse-engineering the "Math Invaders" game from 1997, detailing the extraction of game assets using a custom tool named pakrat.
https://sidneys1.com/reverse-engineering/2023/02/23/reverse-engineering-a-win95-game-I.html
[#] ThievingFox is an assortment of post-exploitation tools designed to extract credentials from various password managers and Windows utilities, using methods like DLL proxying and COM hijacking, and it includes modules for poisoning, cleanup, and credential collection, which require specific environment setups and have been tested on multiple Windows versions.
https://github.com/Slowerzs/ThievingFox
[#] The document details the indicators of compromise (IOCs) associated with AnyDesk remote management software, including file paths, registry keys, and network indicators, which can be used for threat hunting to identify potentially unauthorized or malicious usage.
https://github.com/mthcht/ThreatHunting-Keywords/blob/main/tools/A-C/anydesk.csv
[#] The tg-keyword-trends script is a tool for monitoring the use of specific terms in Telegram channels by analyzing message frequency and trends, capable of exporting data, creating visualizations, and documenting findings while cautioning users about content exposure and advocating operational security practices.
https://github.com/thomasjjj/tg-keyword-trends
[#] A recent patch for the shim bootloader addresses security vulnerability CVE-2023-40547, preventing out-of-bounds writes by ensuring that the size of the buffer allocated for HTTP response data is not smaller than the actual data received.
https://github.com/rhboot/shim/commit/0226b56513b2b8bd5fd281bce77c40c9bf07c66d
[#] SECurityTr8Ker is a Python tool that scans the SEC's RSS feed for 8-K and 6-K filings to alert on new cybersecurity incidents reported by public companies, using keywords and logging the findings.
https://github.com/pancak3lullz/SECurityTr8Ker

# News

[#] Mastodon administrators are urged to patch a critical security flaw, CVE-2024-23832 (severity score 9.4), which allows remote account takeover; the advisory instructs administrators to update to the latest software versions to mitigate the risk.
https://go.theregister.com/feed/www.theregister.com/2024/02/02/critical_vulnerability_in_mastodon_is/
[#] President Biden is set to veto a congressional resolution that aims to reverse the Securities and Exchange Commission's new rules, which mandate public companies to report material cybersecurity incidents within four days of discovery to inform investors and encourage investment in cybersecurity measures.
https://packetstormsecurity.com/news/view/35485/Biden-To-Veto-Attempt-To-Overturn-SEC-Cyber-Incident-Disclosure-Rules.html
[#] South Africa's Passenger Rail Agency lost 30.6 million rand to a phishing scam, recovered over half, and is working with partners to improve cybersecurity resilience against diverse threats including ransomware and IoT vulnerabilities.
https://www.darkreading.com/endpoint-security/south-african-railways-reports-1m-phishing
[#] An Interpol operation named Synergia arrested 31 individuals and identified 70 suspects, taking down numerous phishing, banking malware, and ransomware command-and-control servers across the Middle East and Africa, with the collaborative efforts of global law enforcement agencies and cybersecurity firms.
https://www.darkreading.com/threat-intelligence/interpol-synergia-dozens-cybercriminals-zaps-global-c2s
[#] Gary Bowser of Team Xecuter has begun to repay Nintendo's fines from prison earnings, despite likely facing a lifetime of payments from his income for his involvement in piracy-enabling console accessories.
https://packetstormsecurity.com/news/view/35480/Convicted-Console-Hacker-Says-He-Paid-Nintendo-25-A-Month-From-Prison.html
[#] Aliaksandr Klimenka has been indicted in the US for laundering money via his digital currency exchange BTC-e, linked to cybercrimes such as ransomware and hacking, and potentially faces up to 25 years in prison if convicted.
https://www.bleepingcomputer.com/news/legal/btc-e-server-admin-indicted-for-laundering-ransom-payments-stolen-crypto/
[#] Indian APT group Patchwork was found exploiting Google Play Store to distribute Android apps embedded with a new RAT called VajraSpy aimed at spying on Pakistani users, which was discovered by ESET and has since been removed by Google.
https://www.darkreading.com/endpoint-security/google-play-spread-patchwork-apt-espionage-apps
[#] A 17-year-old from California named Alan Filion was arrested for allegedly conducting hundreds of swatting incidents, including one at a Florida mosque, and now faces multiple felony charges including making false reports to facilitate terrorism.
https://packetstormsecurity.com/news/view/35479/Cops-Arrest-17-Year-Old-Suspected-Of-Hundreds-Of-Swattings-Nationwide.html
[#] A security researcher identified and reported a high-severity cross-site scripting (XSS) vulnerability, CVE-2023-5480, in Google Chrome's Payment Request API, resulting from strict adherence to web standards and a three-year-old code flaw that had gone unnoticed; Chrome fixed it in version 119, released on October 31, 2023.
https://blog.slonser.info/posts/cve-2023-5480/
[#] The post discusses the discovery and exploitation of two vulnerabilities, CVE-2024-22107 and CVE-2024-22108, in GTB Central Console's DLP software, leading to a complete system compromise through a SQL injection and a command injection.
https://adepts.of0x.cc/gtbcc-pwned/
[#] Following the discovery of actively exploited vulnerabilities in Ivanti products, CISA has mandated federal agencies to disconnect affected Ivanti Connect Secure and Policy Secure solutions and perform threat hunting, with reinstalling only permitted after factory resets and updates as per Ivanti's guidelines.
https://www.malwarebytes.com/blog/news/2024/02/cisa-disconnect-vulnerable-ivanti-products-today
[#] ModSecurity versions 2 and 3 were found to have a path confusion bug that allows an easy bypass of web application firewall rules because URL decoding happens before certain variables are set; the bug is fixed in v3.0.12 but remains in v2, so users and administrators are urged to update or apply the necessary workarounds.
https://blog.sicuranext.com/modsecurity-path-confusion-bugs-bypass/
[#] Cloudflare experienced a targeted breach by suspected nation-state attackers via compromised Okta credentials, leading to access of internal systems and source code but not customer data, with Cloudflare responding by rotating credentials and enhancing system security.
https://www.darkreading.com/threat-intelligence/cloudflare-falls-victim-okta-breach-atlassian-systems-cracked
[#] In a large-scale international effort, Interpol's Operation Synergia has dismantled over 70 percent of malicious servers in 55 countries, leading to the arrest of 31 individuals responsible for cybercrimes including phishing, banking malware, and ransomware.
https://go.theregister.com/feed/www.theregister.com/2024/02/02/interpols_latest_cybercrime_intervention_dismantles/
[#] Guardio Labs discovered a critical zero-day vulnerability in Opera's My Flow feature allowing remote code execution via a crafted browser extension, which Opera swiftly patched following disclosure.
https://labs.guard.io/myflaw-cross-platform-0-day-rce-vulnerability-discovered-in-operas-browsers-099361a808ab
[#] The Ukrainian CERT-UA has announced that over 2,000 computers within the country have been infected with the PurpleFox malware, which employs MSI installers, vulnerability exploits, and brute-force attacks for propagation and is particularly difficult to remove due to its rootkit component.
https://securityaffairs.com/158494/malware/purplefox-malware-targets-ukraine.html
[#] A critical vulnerability identified as CVE-2023-6700 in the 'Cookie Information | Free GDPR Consent Solution' WordPress plugin, affecting over 100,000 sites, permits authenticated users to alter site options, but updating to the latest version 2.0.23 can mitigate this risk.
https://securityonline.info/under-attack-cve-2023-6700-in-cookie-information-plugin-threatens-100k-wordpress-sites/
[#] Mastodon has confirmed a critical security flaw identified as CVE-2024-23832 allowing remote account takeover due to insufficient origin validation, affecting versions prior to 3.5.17 and specific ranges within the 4.x series, with a fix deadline announced for February 15, 2024.
https://securityonline.info/mastodon-alert-cve-2024-23832-unlocks-account-takeover-threat/
[#] Unit 42 researchers have identified the ApateWeb campaign which uses over 130,000 domains to distribute scareware and potentially unwanted programs by utilizing a sophisticated three-layer infrastructure designed to evade security measures and trick users into installing harmful software.
https://securityonline.info/apateweb-campaign-130k-domains-serving-scareware-pups-in-disguise/
[#] The New York Attorney General is suing Citibank for insufficient cybersecurity measures that allowed scammers to steal millions from customers, criticizing the bank for slow fraud response and not reimbursing victims as mandated by the Electronic Fund Transfer Act.
https://packetstormsecurity.com/news/view/35473/New-York-Sues-Citibank-Over-Poor-Data-Security.html
[#] The FritzFrog botnet, using a peer-to-peer structure and Golang code, has exploited unpatched internal systems with the Log4Shell vulnerability and weak SSH passwords, and can be mitigated by strong passwords and system updates.
https://www.darkreading.com/threat-intelligence/fritzfrog-botnet-exploits-log4shell-overlooked-internal-hosts
[#] A Russian APT group known as Shuckworm launched a PowerShell backdoor called SUBTLE-PAWS targeting the Ukrainian military, using phishing, USB drives, and evasion techniques like encoding and command splitting, while analysts recommend measures like user education, device control policies, and enhanced monitoring to counteract such threats.
https://www.darkreading.com/cyberattacks-data-breaches/ukraine-military-targeted-with-russian-apt-powershell-attack
[#] A new malware campaign called "Commando Cat" has been detected targeting Docker API endpoints for cryptojacking by leveraging Docker to access the host's filesystem and execute multiple stealthy and interdependent malicious payloads.
https://www.darkreading.com/cyberattacks-data-breaches/commando-cat-campaign-is-second-this-year-to-target-docker
[#] A critical vulnerability, CVE-2024-1072, found in the SeedProd WordPress plugin, which could let unauthenticated users alter web pages, has been addressed in the latest update, version 6.15.22; users are advised to update immediately to avoid potential exploits.
https://securityonline.info/cve-2024-1072-critical-flaw-in-seedprod-plugin-exposes-900k-wordpress-sites/
[#] The FTC has mandated that Blackbaud, a cloud software company, enhance security protocols and delete unnecessary customer data after its poor practices led to a ransomware breach compromising millions of users' personal information.
https://www.bleepingcomputer.com/news/security/ftc-orders-blackbaud-to-boost-security-after-massive-data-breach/
[#] A new remote command execution vulnerability, CVE-2024-20931, has been identified and patched in Oracle's January 2024 update, which involves a JNDI injection attack surface bypassing the earlier CVE-2023-21839 fix related to Weblogic's T3/IIOP protocol.
https://glassyamadeus.github.io/2024/01/31/CVE_2024_20931/
[#] Cloudflare detailed that nation-state hackers exploited stolen Okta credentials to infiltrate its Atlassian system, accessing internal documentation and a small amount of source code, necessitating a company-wide security overhaul that is still ongoing.
https://go.theregister.com/feed/www.theregister.com/2024/02/02/cloudflare_okta_atlassian/
[#] Five critical security flaws in Vinchin Backup and Recovery, including hardcoded credentials and remote code execution vulnerabilities, were uncovered and require immediate patching to prevent system compromises.
https://blog.leakix.net/2024/01/vinchin-backup-rce-chain/
[#] Numerous security incidents and advisories have emerged, including arrests in Operation Synergia, various data breaches, malware attacks exploiting VPN flaws, and urgent patches released for critical vulnerabilities in widely-used software such as Ivanti, Cisco, and Microsoft products, underlining the imperative need for users and administrators to apply updates promptly to safeguard their systems.
https://securityaffairs.com/158481/data-breach/3-5m-exposed-in-covid-19-e-passport-leak.html
[#] Former CIA software engineer Joshua Schulte was sentenced to 40 years in prison for espionage, computer hacking, contempt, lying to the FBI, and possession of child abuse material, after the Vault 7 leaks to WikiLeaks detailed CIA hacking methods including the use of forged digital certificates.
https://go.theregister.com/feed/www.theregister.com/2024/02/02/vault_7_wikileaks_leaker_joshua/
[#] Aliaksandr Klimenka has been indicted for his alleged role in operating BTC-e, an unlicensed digital currency exchange used to launder money from criminal activities, and if convicted, could face up to 25 years in prison.
https://www.justice.gov/opa/pr/foreign-national-charged-international-money-laundering-conspiracy-and-role-operation
[#] A new paper identifies and assesses potentially exploitable non-control data in Linux file system objects, outlining a framework to find such vulnerabilities and develop reliable exploits, even with advanced kernel protections enabled.
https://arxiv.org/abs/2401.17618
[#] The GitHub repository "Ultimate-RAT-Collection" by user yuankong666 is a compilation of various Remote Access Trojans (RATs) for educational and research purposes, containing malware builders and screenshots with strict warnings against unlawful use.
https://github.com/yuankong666/Ultimate-RAT-Collection

# F.A.Q

## Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

## Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr for the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

## Why

FWIW, HAQ.NEWS really started out as my personal news feed, enriched by AI and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

## Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

## Ads

This isn't an Ad.

## Current friend of HAQ (2024-02-03)

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins