# Latest Podcast
# Description
Marcus Hutchins introduced EDR-Preloading to run code secretly before security systems start. Domainim is a new tool for finding web security risks, including checking hostnames and ports. A flaw in the Laravel PHP framework lets hackers run code from afar, urging updates for safety. Techniques for analyzing RedLine stealer malware were shared. TInjA helps find website vulnerabilities. A WinRAR exploit shows how hackers can sneakily run harmful code. The CVE-2024-23897 bug in Jenkins could let someone remotely control systems, highlighting the need for good security. Rick Ramgattie found exposed RazorPay API keys on GitHub, showing why secure coding is crucial. Webhood is a new tool for checking website safety. There are new methods to patch .NET functions to avoid detection. Wildcard-mail-finder and nrich help find email patterns and scan for vulnerabilities. APKLeaks scans Android apps for hidden data, focusing on privacy. DFSCoerce-exe allows using different login details for security, and ShellSweep finds potential webshells to protect servers. A demo for CVE-2022-36553 shows how to exploit certain vulnerabilities for learning. Finally, Swarm offers cloud-based security scanning, showing advancements in cybersecurity tools.
# Tradecraft
Marcus Hutchins unveils "EDR-Preloading," a technique for running code before an Endpoint Detection and Response (EDR) system activates, enabling malicious operations without detection by injecting a custom callback in the Windows process loader to clobber undesired module entry points before EDR DLLs can load.
Domainim is a nimble domain recon tool for bounty hunting, featuring virtual hostname, reverse DNS lookups, subdomain input, TCP port scanning, and multiple engine subdomain enumeration.
Remote thread creation in another process can be unsafe due to potential interference with process initialization and CRT (C Runtime) setup, so ensuring CRT initialization is complete before creating a remote thread is essential to avoid crashes or other issues.
A new gadget chain in the PHP framework Laravel was discovered, leveraging Property Oriented Programming to achieve remote code execution through object deserialization, with countermeasures focusing on secure serialization practices and updating to versions unaffected by the vulnerability.
The article outlines a step-by-step process for unpacking and analyzing the RedLine stealer malware using dnSpyEx to manually debug and extract configurations from the .NET assembly embedded within.
An analysis of a recent WinRAR exploit and its multi-stage malware shows how attackers used crafted RAR files to execute code on victim machines, leveraging PowerShell scripts, a decoy icon, and a fake Dropbox binary to extract and run further payloads, ultimately establishing a command and control communication with a server and suggesting the need for network monitoring and endpoint protection against such threats.
The blog post outlines a step-by-step guide to exploit CVE-2024-23897, a file-read vulnerability in Jenkins allowing remote code execution, involving cracking a password hash and SSH key recovery to obtain root access on a HTB machine.
Security researcher Rick Ramgattie emulated Lasso Security's method, automating the search for leaked RazorPay API keys on GitHub using Python tools, resulting in the discovery and responsible disclosure of 397 live keys.
Webhood is an open source, self-hosted URL scanner for threat hunters and security analysts, currently in public alpha, designed to analyze and assess the safety of websites.
The article provides a method for red team operators to patch managed functions like System.Environment.Exit in .NET by using an unmanaged approach to avoid undesired process termination during in-process post-exploitation tool execution, with a proof-of-concept available on GitHub.
The wildcard-mail-finder repository on GitHub provides a Python-based tool for discovering email addresses matching a specified pattern, requiring Python 3.12 and dependencies such as selenium, webdriver-manager, beautifulsoup4, and requests, with installation and usage instructions available.
nrich is a command-line tool designed to quickly scan IP addresses from a file or standard input to identify open ports and potential vulnerabilities for further cybersecurity analysis.
APKLeaks is a tool for scanning APK files to find URIs, endpoints, and exposed secrets, available for installation via PyPi, source, or Docker, and includes customizable pattern support for sensitive data searches.
A modified version of DFSCoerce-exe now allows users to perform explicit authentication with alternate credentials, useful for operations from machines outside the domain or under different user accounts.
ShellSweep is a toolset utilizing PowerShell, Python, and Lua to detect potential webshells by analyzing file entropy, offering features such as directory exclusion, hash ignoring, and scanning multiple known malicious file repositories to assist administrators in securing their servers.
A Proof of Concept (PoC) script is available for CVE-2022-36553, demonstrating how to exploit an unauthenticated remote command injection vulnerability in Hytec Inter HWL-2511-SS devices, intended solely for educational purposes.
Swarm, previously known as axiom, is an evolving infrastructure tool designed for distributed cloud scanning and future attack surface monitoring, enabling dynamic host scaling, long-term scanning operations, a query-able recon results database, scheduled scans, and alerting for changes such as new subdomains.
# News
A threat actor known as IntelBroker leaked 200,000 Facebook Marketplace user records, including personal information, on a hacking forum, which could lead to phishing and SIM swap attacks; similar incidents have previously led to Meta being fined for failing to prevent data scraping.
Trend Micro's Zero Day Initiative reported the CVE-2024-21412 vulnerability, used by the Water Hydra APT to bypass Microsoft Defender SmartScreen and distribute DarkMe malware targeting financial traders, now patched and already protected against in Trend Micro solutions.
Integris Health has announced a data breach affecting roughly 2.4 million patients, after cyber attackers accessed sensitive personal information and threatened to sell it unless a ransom was paid, potentially exposing those affected to scams and identity theft.
Microsoft's February 2024 Patch Tuesday addresses 80 vulnerabilities, with 5 critical and 2 actively exploited, including a high-risk Internet Shortcut Files Security Feature Bypass and a Windows SmartScreen Security Feature Bypass, requiring users to apply the updates to mitigate these issues.
Ivanti has disclosed multiple critical vulnerabilities in its VPN appliances throughout 2024, resulting in delayed patch releases, cyberattacks including exploitation by state-sponsored actors, and a directive from CISA to disconnect affected products, all of which has led to significant reputational damage and scrutiny over Ivanti's security practices.
Rhino Security Labs disclosed CVE-2024-23724, a Stored XSS vulnerability in Ghost CMS that allows instance takeover via a malicious SVG profile image, and provided an unofficial fix through a DOMPurify-based Pull Request on GitHub.
Zoom has fixed several critical security issues including a privilege escalation vulnerability (CVE-2024-24691, CVSS 9.6) for Windows clients, and users must immediately update their software to the latest versions to mitigate risk.
Hackers exploited a security flaw to mint and steal $290 million in PLA tokens from PlayDapp's blockchain gaming platform, leading to a suspension of token trading and withdrawals as the company works to freeze the hacker's wallets and mitigate the impact of the breach.
The economics of Bitcoin mining are challenged by the upcoming halving event in April, leading to a potential decrease in miner revenue and increase in energy costs, coupled with scrutiny over electricity usage and sustainability concerns.
After a four-month absence, the Bumblebee malware has resurfaced in phishing campaigns targeting U.S. organizations, employing unorthodox VBA macro techniques in Word documents to download its payload despite Microsoft's default macro-blocking measures.
The surveillance app TheTruthSpy has suffered a data breach for the fourth time, compromising 50,000 Android devices by exposing sensitive data such as texts, calls, and location information, due to an unpatched Insecure Direct Object Reference (IDOR) vulnerability.
Imperva Threat Research found a vulnerability in CoCalc Cloud where attackers could take over a user's account with a click, spurring fixes from CoCalc and recommendations to use Content Security Policy and domain isolation for protection.
A sophisticated phishing campaign targeted executive cloud accounts resulting in numerous account takeovers and compromised Azure environments, with attackers employing user-agent manipulation, MFA circumvention, and internal phishing schemes to extend their access and steal sensitive data; users are advised to be vigilant, monitor logs for IoCs, enforce credential changes, correctly configure security products, and implement auto-remediation policies.
Cisco Talos researchers discovered a stealthy espionage campaign using a custom backdoor called Zardoor to target a Saudi Arabian nonprofit, which has been ongoing since March 2021, and recommend enhancing defense-in-depth security measures to counter such advanced threats.
QNAP NAS devices are vulnerable to a zero-day command injection exploit, CVE-2023-50358; users should update to the recommended QTS or QuTS hero versions to mitigate the risk.
An ongoing Microsoft Azure cloud account takeover campaign is targeting senior executives to compromise various organizational roles and perform malicious activities such as MFA manipulation and financial fraud, with indications of Russian and Nigerian actors possibly involved.
The PikaBot malware has been simplified by its developers, who removed advanced obfuscation features and adopted more straightforward encryption; it remains a threat, and the changes indicate active development and shifting tactics to avoid detection.
The Glupteba botnet, known for stealing information and illicit cryptocurrency mining, has added a UEFI bootkit to its arsenal for better evasion and persistence, challenging detection and removal processes.
Cybersecurity analysts discovered that Ivanti Connect Secure, Policy Secure, and ZTA gateway vulnerabilities are being exploited, with a 'DSLog' backdoor found on over 670 IT infrastructures, and recommend a factory reset before patching to prevent persistent threats.
Infosys subsidiary IMS has suffered a cybersecurity breach leading to a potential leak of personal data from 57,028 individuals tied to Bank of America deferred compensation plans, with recommendations to change passwords and monitor accounts, alongside two years of free identity theft protection offered by Experian.
VexTrio, a massive network utilizing over 70,000 hijacked websites to distribute malware and phishing attacks, represents a considerable security threat, with Infoblox and Check Point providing insights on how to detect signs of compromise.
Glupteba malware, known for its stealth and modularity, now employs a UEFI bootkit to maintain persistence on systems, evading detection by embedding itself in system firmware.
A significant phishing campaign has compromised many Microsoft Azure accounts since November 2023, targeting high-level users via fake document links for account access, and Proofpoint advises monitoring for the attackers' Linux user-agent and source domains, resetting passwords, and strengthening phishing defenses to mitigate future risks.
The FCC has mandated that telecommunications companies must report security breaches, which now includes inadvertent exposures and a broader set of customer data types, to the agency and law enforcement within seven days and to customers within 30 days, taking effect on March 13, 2024.
The United Nations is set to report on multiple cyberattacks by North Korea on cryptocurrency entities, allegedly funding their weapons program with about $3 billion since 2017, with new strategies like collaborating with different threat groups and targeting defense and supply chain sectors.
Starting March 13, telecommunications companies are mandated by the FCC to report any data breaches involving customer PII within 30 days, removing a previous waiting period, to ensure prompt customer notification and data protection accountability.
A WinStar hotel guest data leak resulted from an unsecured Dexiga database, exposing names, contact details, and device IP addresses, and underlining the need for data encryption and better security practices to avoid similar incidents in future.
The FBI has disrupted the Warzone RAT malware operation by arresting two individuals, seizing associated domains, and confiscating server infrastructure across several countries.
The Raspberry Robin worm rapidly incorporates newly found exploits for increased privilege escalation, frequently before public disclosure and patching, signifying a need for improved network defense and faster patch management systems.
Korean researchers have discovered a vulnerability in the Rhysida ransomware's random number generator, enabling them to create a tool that decrypts files without paying the ransom, reducing the malware's impact on targeted sectors including education, healthcare, and government.