# Latest Podcast
# Description
In this article, we learn about Arachne, a tool that lets defenders and red teamers send encrypted messages through web shells. It also shows how to extract the configuration of RedLine Stealer, an information-stealing malware family, with pe-sieve and dnSpyEx. A script called NTLM Relay Gat automates NTLM relay attacks for experienced, authorized testers. For those who like taking Android apps apart, apk.sh makes it easy to see what is inside them. Purple Teaming with CALDERA is about combining attack and defense skills to keep systems safe. APT-Hunter got better at finding threats, and there is a push for teamwork in fighting adversaries with tools like CB-Threat-Hunting and Hunt Intelligence.
# Tradecraft
The article outlines Arachne, a payload type within the Mythic framework, which enables web shells to be integrated with command-and-control (C2) infrastructure, facilitating encrypted, modular, and peer-to-peer (P2P) tasking and response processing for cybersecurity operations.
The article details a swift and effective method to extract the configuration of RedLine Stealer using pe-sieve and dnSpyEx, with a focus on memory dumping and .NET debugging for malware analysis.
NTLM Relay Gat is a script that automates the exploitation of NTLM relay vulnerabilities with features like multi-threading, SMB and MSSQL exploitation, and secrets dumping; it requires proxychains to be configured to use ntlmrelayx.py's SOCKS relay.
The apk.sh tool automates reverse engineering of Android apps by streamlining tasks such as pulling, decoding, rebuilding, and patching APKs, and includes support for split APKs and Frida gadget integration for instrumentation without root access.
The article explains the implementation of Continuous Purple Teaming through adversary emulation using CALDERA, detailing how to integrate red team insights into automated security practices to enhance cyber defenses.
APT-Hunter has been updated to version 3.2, correcting issues with report generation and time zone settings, alongside a new feature for creating output directories for profiles.
The article critiques the outdated view of distinct roles such as threat hunters versus detection engineers in cybersecurity, advocating for an integrated approach focusing on data-driven active defence pipelines encompassing research, discovery, disruption, and development to create a more systemic and interconnected security strategy.
The repository "CB-Threat-Hunting" includes detection rules, response actions, and scripts for CarbonBlack EDR to aid security analysts in identifying malicious activities and automating incident response.
A cybersecurity practitioner has developed Atomic Test #2 for simulating the exfiltration of data via encrypted FTP on Windows systems, utilizing a publicly accessible FTP portal for safe, responsible testing and improvement of incident response protocols.
Hunt Intelligence offers services such as proactive infrastructure hunting, malicious infrastructure investigation, active C2 server feeds, counter intelligence for open directories, bulk enrichment of data analysis, and custom research for hunting signatures to improve cyber security threat detection and mitigation.
The article explains Hunt.io's process for identifying and neutralizing command and control (C2) infrastructure used by hackers, using methods like analyzing TLS/SSL certificates, HTTP headers, and HTML strings, with examples of detecting Gh0st RAT, ShadowPad, and Octopus C2 servers.
The article discusses using Sensor Mappings to ATT&CK (SMAP) for efficient identification of relevant sensors and event logs to detect and analyze behaviors of Chinese state-sponsored threat actors, specifically for OS credential dumping via ntds.dit and ntdsutil, applying recommended settings for telemetry data collection and testing for robust detection.
The JSCU-NL GitHub repository provides a Python script named `coathanger.py` that uses the Dissect framework to identify Indicators of Compromise (IOCs) specific to the COATHANGER malware on FortiGate disk images, based on an advisory from MIVD & AIVD.
The blog post details a method to monitor and intercept data from attacker-operated Telegram bots using API commands to expose stolen information and undermine the attackers' operations.
SMShell is a proof of concept for an SMS-based shell that allows remote command execution on a computer with SMS capabilities through a WWAN module; it requires a client agent running on the target and operator-side tools to send commands and receive responses via SMS or MiFi device APIs.
# News
Google is testing a new security measure in Singapore to block the installation of sideloaded Android apps that request specific high-risk permissions, aiming to reduce financial fraud and malware spread through third-party downloads.
The Russian cybercrime forum Mazafaka was compromised, revealing that its founder, a lawyer with ties to the GRU, advised cybercriminals on legal evasion and may have facilitated state-supported hacking activities.
A recent false report claimed that 3 million electric toothbrushes were used in a DDoS attack, prompting a clarification that this was merely a hypothetical scenario, not an actual incident, with experts emphasizing the importance of securing all internet-connected devices against potential botnet recruitment.
The FBI's dismantling of the KV-botnet prevented the Chinese hacking group Volt Typhoon from rebuilding the botnet after it was used to attack U.S. infrastructure, although the group attempted to re-infect devices over a three-day period.
JetBrains has released a critical patch for TeamCity's CVE-2024-23917 vulnerability, urging on-prem users to upgrade immediately to prevent potential admin-level server takeovers.
Spoutible, a microblogging site, patched an API flaw that exposed user data including hashed passwords and 2FA seeds, which could be exploited for account takeovers, and affected users are advised to update their passwords and 2FA credentials.
In 2023, ransomware payments doubled to $1 billion, with "big game hunting" against large institutions being the predominant strategy and significant funds being laundered through sanctioned entities like the Russian exchange Garantex, highlighting the necessity for enhanced cybersecurity measures and stringent regulatory action.
A Raspberry Pi Pico has been used to extract the BitLocker encryption key from vulnerable laptops by tapping the communication line between the TPM and CPU, a process that takes under a minute; administrators are advised to configure a BitLocker PIN as a countermeasure.
A critical buffer overflow vulnerability in Linux's bootloader shim, CVE-2023-40547, allows attackers to execute arbitrary code during boot; it is mitigated by patching the affected component and by using HTTPS for network booting.
In 2023, ransomware attacks surged, breaking the $1 billion mark in payments; the Chainalysis report highlights the increasing complexity and frequency of these threats and emphasizes the need for robust defenses and law enforcement intervention to mitigate the damage and pursue the actors involved.
The Raspberry Robin worm is utilizing new undetected methods of privilege escalation through 1-day exploits, currently leveraging compromised Discord downloads to initiate its attack process, with Check Point Research providing defense measures using their Anti-Bot, Harmony Endpoint, and Threat Emulation solutions.
Cyble Research and Intelligence Labs disclosed a malware called XPhase Clipper that steals cryptocurrency by replacing wallet addresses in the clipboard with those of the attackers and recommends adopting good cybersecurity practices, including skepticism of unknown downloads, using detection solutions, and monitoring network traffic.
NCC Group's research in 2022/2023 covers topics ranging from AI threat models and zero-day exploits to secure Rust implementation, with reports detailing vulnerability assessments, forensics tools, and security challenges in evolving technologies like 5G and cloud computing.
JetBrains has issued an urgent update for TeamCity on-prem installations to patch a critical security vulnerability, CVE-2024-23917, that could allow unauthenticated remote attackers admin access, encouraging admins to either apply the fix immediately or remove public access to the servers until the patch can be installed.
Chinese hackers leveraged a critical flaw in FortiOS VPN to access a Dutch military network for espionage, deploying COATHANGER malware which persistently concealed its presence and survived system reboots and firmware updates.
The Cybersecurity and Infrastructure Security Agency has alerted users of an actively exploited Google Chrome flaw (CVE-2023-4762) in the browser's V8 engine, advising immediate update to the latest versions (116.0.5845.179 or .180) to prevent arbitrary code execution.
A state-sponsored actor attributed to China, using a previously undetected remote access trojan named COATHANGER, breached the Dutch Ministry of Defence's network through a vulnerability in FortiGate appliances, highlighting the need for persistent network security vigilance even after firmware updates.
The commercial spyware market thrives despite governmental efforts, with a TAG report revealing active exploitation of 25 zero-days by industry players and various governments imposing measures such as visa restrictions and agreement signings to curb misuse.
A new Chrome vulnerability identified as CVE-2023-4427, discovered by researcher glazunov, affects version 117.0.5938.62 on Linux; the exploit brute-forces ASLR using multiple iframes, and a detailed writeup is pending.
Canon has fixed seven critical buffer overflow vulnerabilities in its small office multifunction and laser printers, which could have allowed remote code execution or denial of service attacks, and suggests customers use private IP addresses and network segmentation for enhanced security.
Microsoft introduces Face Check to its Entra Verified ID service, enhancing security by using facial recognition to confirm user identities against trusted documents, with commercial release planned for later this year.
A sophisticated cyber attack named STEADY#URSA, using the SUBTLE-PAWS PowerShell-based backdoor, has compromised the Ukrainian military by infecting USB drives and evading detection through advanced techniques, as revealed by Securonix Threat Research team.