# Latest Podcast
# Description
This issue covers ESC13, a method that exploits Active Directory Certificate Services for privilege escalation through certificate issuance policies linked to group memberships. Secbutler, a command-line utility, simplifies common tasks for cybersecurity professionals, including reverse shell command generation. The rust-shellcode and XC utilities cover, respectively, shellcode loading techniques that bypass antivirus detection and a cross-platform reverse shell with file transfer. Notable findings include a remote buffer overflow vulnerability in wpa_supplicant on Android, and HarfangLab's insights into reverse engineering .NET AOT applications. IOCTLance showcases vulnerability identification in Windows Driver Model drivers using symbolic execution. Techniques for executing Browser In The Browser (BITB) phishing attacks and exploits for several software vulnerabilities, including CVE-2022-20186 in the Android Mali GPU driver and CVE-2023-6546 in the Linux kernel, highlight the evolving landscape of cybersecurity threats and defenses. These contributions, along with tools for LDAP monitoring, Drupal vulnerability exploitation, and Linux persistence, underscore the continuous development and diversification of cybersecurity practices.
# Tradecraft
[#]
A new technique named ESC13 exploits a feature of Active Directory Certificate Services (ADCS) in which a certificate issuance policy OID is linked to an AD group through the msDS-OIDToGroupLink attribute: a certificate issued from a template that carries such a policy grants the linked group's privileges when it is used for authentication, so a low-privileged user with enrollment rights on a misconfigured template can escalate.
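As an added example (not code from the ESC13 write-up or any ADCS tooling), the following Python audits configuration data for the chain the technique depends on: a template with no manager approval, an authentication-capable EKU, enrollment rights for a low-privileged principal, and an issuance policy whose msPKI-Enterprise-Oid object carries msDS-OIDToGroupLink. The attribute names are the real AD schema names; the template and policy records are constructed sample data and the dataclasses stand in for whatever LDAP client you use to pull them.

```python
"""Flag the ESC13 chain in ADCS configuration data (constructed sample records)."""
from __future__ import annotations
from dataclasses import dataclass

# EKUs that let a certificate authenticate its holder (OIDs from the ADCS schema).
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}
LOW_PRIV = {"Domain Users", "Authenticated Users", "Everyone", "Domain Computers"}

@dataclass(frozen=True)
class Template:
    name: str
    enroll: frozenset[str]      # principals granted Enroll on the template ACL
    ekus: frozenset[str]        # pKIExtendedKeyUsage; empty means no EKU restriction
    policies: frozenset[str]    # msPKI-Certificate-Policy (issuance policy OIDs)
    manager_approval: bool      # CT_FLAG_PEND_ALL_REQUESTS in msPKI-Enrollment-Flag

@dataclass(frozen=True)
class IssuancePolicy:
    oid: str                    # msPKI-Cert-Template-OID of the msPKI-Enterprise-Oid object
    group_link: str | None      # msDS-OIDToGroupLink: DN of the linked group, if any

def find_esc13(templates, policies, low_priv=LOW_PRIV):
    """Return (template name, policy OID, linked group DN) for each exploitable chain."""
    linked = {p.oid: p.group_link for p in policies if p.group_link}
    hits = []
    for t in templates:
        if t.manager_approval:                   # approval breaks unattended enrollment
            continue
        if t.ekus and not (t.ekus & AUTH_EKUS):  # certificate cannot be used to log on
            continue
        if not (t.enroll & low_priv):            # no low-privileged enrollment path
            continue
        for oid in sorted(t.policies):
            if oid in linked:
                hits.append((t.name, oid, linked[oid]))
    return hits

# Constructed sample data: one vulnerable template and three decoys.
LINKED_OID = "1.3.6.1.4.1.311.21.8.1111.2222.1"
UNLINKED_OID = "1.3.6.1.4.1.311.21.8.1111.2222.2"
SAMPLE_POLICIES = [
    IssuancePolicy(LINKED_OID, "CN=Tier0-Universal,OU=Groups,DC=corp,DC=local"),
    IssuancePolicy(UNLINKED_OID, None),
]
CLIENT_AUTH = frozenset({"1.3.6.1.5.5.7.3.2"})
EFS_ONLY = frozenset({"1.3.6.1.4.1.311.10.3.4"})  # Encrypting File System, not logon
SAMPLE_TEMPLATES = [
    Template("LinkedAuth", frozenset({"Domain Users"}), CLIENT_AUTH, frozenset({LINKED_OID}), False),
    Template("LinkedApproved", frozenset({"Domain Users"}), CLIENT_AUTH, frozenset({LINKED_OID}), True),
    Template("LinkedEfs", frozenset({"Domain Users"}), EFS_ONLY, frozenset({LINKED_OID}), False),
    Template("UnlinkedPolicy", frozenset({"Domain Users"}), CLIENT_AUTH, frozenset({UNLINKED_OID}), False),
    Template("AdminsOnly", frozenset({"Domain Admins"}), CLIENT_AUTH, frozenset({LINKED_OID}), False),
]

def audit_sample():
    return find_esc13(SAMPLE_TEMPLATES, SAMPLE_POLICIES)

if __name__ == "__main__":
    for name, oid, group in audit_sample():
        print(f"ESC13: template {name} via policy {oid} -> {group}")
```

Only `LinkedAuth` is reported: the approval-gated, EFS-only, unlinked-policy and admin-only templates each break one link of the chain. In a real audit the template ACL and the `CN=OID,CN=Public Key Services` container are the two places to pull these records from.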
[#]
Secbutler is a multifunctional command-line tool designed to streamline common tasks for cybersecurity professionals, including reverse shell command generation, payload serving, proxy retrieval, and wordlist management.
[#]
The 'rust-shellcode' repository on GitHub provides code examples for various methods of loading and executing shellcode, with techniques that can be used to bypass antivirus detection.
[#]
XC is a reverse shell utility for Linux and Windows platforms that facilitates file transfers, port forwarding, and running commands or plugins, with additional OS-specific capabilities such as PowerShell interaction and vulnerability checks on Windows, requiring Go 1.15+ for compilation.
[#]
The repository in question details a remote buffer overflow vulnerability in the wpa_supplicant binary on Android 11 for the Samsung A20e device, which works with stock configuration.
[#]
HarfangLab's blog provides insights into reverse engineering .NET AOT applications, highlighting challenges due to the absence of MSIL, and offers methods to identify and analyze AOT binaries, including creating IDA Pro signatures and debugging for type information.
[#]
IOCTLance is a security tool presented at CODE BLUE 2023 that uses symbolic execution and taint analysis to identify various types of vulnerabilities in Windows Driver Model (WDM) drivers, with features that allow customization of analysis parameters and has successfully found 117 new vulnerabilities leading to 41 CVEs.
[#]
A new method for executing a Browser In The Browser (BITB) phishing attack has been introduced, which bypasses framebusting techniques by using script and HTML injections instead of iframes, and is compatible with proxy tools like Evilginx for highly convincing phishing campaigns.
[#]
The LogMeInPoCHandleDup repository includes a proof of concept for exploiting a race condition in the LMIInfo.sys driver by duplicating arbitrary handles from the SYSTEM process through improper access controls and specific function timing.
[#]
The GitHub repository "tr3w/LoginCrack" contains a Python tool designed to exploit SQL injection vulnerabilities in login systems, and it's licensed under the GPL-3.0 which ensures the software remains free and modifiable.
[#]
The ClarkFieseln/IPRadar2ForLinux repository on GitHub provides a Python-based tool for real-time detection and defense against a variety of malicious network activities, including policy violations, and includes a Quickstart guide with installation instructions via pip.
[#]
The GitHub repository "AmazoniaLeaksOficial/NO-KYC-SERVICES" provides a list of services including VPNs, hosting, phone, tools, aggregators, and goods that do not require Know Your Customer (KYC) checks, ensuring user privacy.
[#]
The 'Work from Home Scam' investigation illustrates a three-phase online fraud tactic that involves initial trust-building through payment for simple tasks, transition to Telegram for "training" and more tasks with compensation, culminating in a high-trust situation where the victim is convinced to pre-pay for supposedly lucrative tasks and ends up defrauded.
[#]
The article outlines the methodology of identifying and altering signatured malicious byte sequences within malware to evade static detection by security products, demonstrating the technique using various tools and providing an example with Cobalt Strike's Artifact Kit.
[#]
A detailed exploration of the exploit process for a vulnerability in Android Mali GPU driver identified as CVE-2022-20186, culminating in the use of manipulated GPU commands to gain root privileges by overwriting specific memory locations.
[#]
An exploit for a Linux kernel vulnerability affecting GSM multiplexing (CVE-2023-6546) that allows local privilege escalation has been detailed, with instructions on bypassing security features such as KASLR and SMAP/SMEP, and steps for compiling and executing a custom payload to gain root access.
[#]
The provided code is an implementation of the Access Vector Cache (AVC) for Security-Enhanced Linux (SELinux), which manages permissions and decisions for kernel object access, featuring updates for RCU-based locking and statistics tracking for performance analysis.
[#]
The text describes a proof of concept (PoC) for exploiting a vulnerability, labeled as CVE-2019-2215, on Samsung S8/S8 Active Snapdragon devices running Oreo firmware to gain privileged shell access with methods to bypass DAC, SELinux, and Knox/RKP.
[#]
LDAP Watchdog is a Python-based monitoring tool for Linux systems that tracks real-time changes in LDAP directories and reports on alterations like additions, deletions, and modifications, with capabilities to filter and notify via Slack.
[#]
The GitHub repository "dr-iman/Drupal-Hunter" contains a Perl script that automates the exploitation of various Drupal vulnerabilities, including adding new admin accounts and executing remote commands.
[#]
Demonized Shell is a Linux persistence tool that includes features like auto SSH keypair generation, various persistence techniques, an LKM rootkit that evades detection, an ICMP backdoor, and other advanced functionalities, with pending features such as LD_PRELOAD rootkit, process injection, and additional persistence methods.
# News
[#]
A misconfigured cloud database belonging to Zenlayer, containing 380 million records, was left unprotected and exposed sensitive company and customer data, which has since been secured following a cybersecurity researcher's discovery and notification.
[#]
VARTA AG, a major German battery manufacturer, experienced a cyberattack that compromised their IT infrastructure, leading to shutdowns across five production units with current priorities focused on ensuring data integrity and system recovery, while the full extent of the damage remains under assessment.
[#]
Check Point Research identified a security vulnerability in Microsoft Outlook, known as the #MonikerLink bug (CVE-2024-21413), which could leak local NTLM credentials and potentially allow remote code execution; Microsoft released a critical security update for it in February 2024.
[#]
Over 100 Romanian hospitals were targeted by a ransomware attack via a third-party healthcare management system, with the national cybersecurity agency recommending system isolation, evidence preservation, and restoration from backups without paying the ransom.
[#]
In 2023, the CL0P ransomware group utilized zero-day exploits in file transfer software to launch widespread automated attacks and despite a lower percentage of victims paying ransoms, the group potentially earned as much as $100 million, necessitating heightened organizational defenses against such evolving threats.
[#]
Trans-Northern Pipelines, responsible for fuel transport in Canada, suffered a breach by the ALPHV ransomware group in November 2023, which led to an internal investigation, the publication of stolen data by the attackers, and FBI involvement.
[#]
Ubuntu's 'command-not-found' utility may suggest malicious snap packages due to a loophole, enabling cyber attackers to compromise systems, with researchers advising users to confirm package sources and developers to claim snap names associated with their APT packages to prevent misuse.
[#]
Microsoft and OpenAI have reported that nation-state hackers from Russia, North Korea, Iran, and China are leveraging Artificial Intelligence and Large Language Models to enhance their cyber espionage activities by tailoring deceptive communications and developing malware, resulting in both companies working on principles to combat the misuse of AI in cybersecurity threats.
[#]
DuckDuckGo browser has introduced an end-to-end encrypted Sync & Backup feature allowing users to synchronize bookmarks, passwords, and settings across devices without requiring an account or exposing data to the provider.
[#]
AhnLab Security Intelligence Center has identified a sophisticated Revenge RAT malware attack that uses legitimate tools for evasion, requiring users to employ strong cybersecurity measures to protect sensitive data.
[#]
GitHub Enterprise Server versions 3.8.15, 3.9.10, 3.10.7, and 3.11.5 now have patches for several high-severity vulnerabilities including path traversal and command injection flaws; users must update immediately to secure their systems.
[#]
Southern Water has acknowledged a cyberattack that resulted in the personal data of hundreds of thousands of customers being compromised, prompting government collaboration, police notification, and free credit monitoring offers to affected parties.
[#]
Bruce Schneier's blog highlights concerns about the rapid standardization of lattice-based post-quantum cryptographic algorithms without sufficient fallback options, in light of new research improving their cryptanalysis.
[#]
AMD processors are exposed to security risks due to identified vulnerabilities CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, for which users should apply updated firmware and software to mitigate potential denial of service, privilege escalation, and arbitrary code execution.
[#]
The Bumblebee malware loader, previously used by sophisticated ransomware groups, has resurfaced in unsophisticated email campaigns that rely on outdated VBA macros for initial access, even though Microsoft's default macro blocking has pushed the industry away from that method. This suggests the current handlers may lack the original operators' skills; security experts advise vigilance and adherence to standard controls, including keeping macros disabled.
[#]
Adobe's Patch Tuesday updates in February 2024 fixed over 30 vulnerabilities across its products, including critical security issues within Adobe Acrobat and Reader, with users urged to apply patches to prevent possible code execution, denial-of-service, and memory leaks.
[#]
Microsoft Defender SmartScreen was vulnerable to a zero-day used by Water Hydra to infect financial traders with DarkMe malware through CVE-2024-21412, which is now patched.
[#]
Cybereason Security Services Team reports attackers are hijacking YouTube channels, mostly in South America, to distribute malware, including Redline and RaccoonStealer, through videos promising free software, with user education and improved detection mechanisms being essential for defense.
[#]
Microsoft's latest Patch Tuesday update fixes 73 flaws, including two zero-day vulnerabilities under active exploitation, and users should apply these patches to protect against potential system compromises and data exposure.
[#]
Ivanti VPN appliances are being exploited through a server-side request forgery vulnerability in the SAML component (CVE-2024-21893), allowing attackers to implant a new backdoor named DSLog; over 670 IT infrastructures are affected, and a patch and mitigation steps are available.
[#]
The FCC has updated its data breach rules requiring telecom and VoIP providers to report any PII breaches to customers, the FCC, FBI, and Secret Service within 7 days of discovery, expanding the scope of reportable incidents and consumer protection.
[#]
Two individuals in Queens, New York, received prison sentences for collaborating with Russian hackers to manipulate the JFK airport taxi dispatch system, disrupting the fair queuing of taxis and illegally earning over $100,000; their convictions include restitution and forfeiture.
[#]
Microsoft patched a zero-day vulnerability in Windows Defender SmartScreen (CVE-2024-21412), which was being exploited by the Water Hydra group to deploy the DarkMe RAT by tricking forex traders with phishing attacks on forums and Telegram channels.
[#]
Prudential Financial experienced a data breach on February 4, 2024, with attackers accessing employee and contractor information, but no customer data was reportedly compromised, and the incident has not materially impacted the company's operations.
[#]
In November 2023, a Lockbit ransomware attack on Infosys McCamish Systems compromised personal data of 57,028 Bank of America customers, and the bank countered by offering affected clients free two-year identity theft protection via Experian and urged account monitoring for unusual activities.
[#]
QNAP has issued patches for two new command injection vulnerabilities, CVE-2023-50358 and CVE-2023-47218, with advisories stressing the importance of updating to the latest firmware versions for various models to mitigate the risks.
[#]
Researchers uncovered KeyTrap (CVE-2023-50387), a flaw in the DNSSEC validation logic mandated by the RFCs rather than in any single implementation, in which one specially crafted DNS response exhausts a validating resolver's CPU; multiple DNS software vendors released patches to mitigate this denial-of-service attack.
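The cost amplification behind KeyTrap, as an added worked example that is not from the KeyTrap paper or any resolver's code: RFC 4034 Appendix B defines a 16-bit key tag for each DNSKEY, and RFC 4035 section 5.3.1 requires a validator to try an RRSIG against every DNSKEY whose key tag and algorithm match. The tag is a checksum, not a hash, so an attacker can forge many distinct keys with one tag; with many RRSIGs on one RRset, the validator performs keys multiplied by signatures cryptographic checks for a single response. The DNSKEY bodies are constructed sample data and RRSIGs are reduced to a (key tag, algorithm) pair, which is all the matching step looks at.

```python
"""Key-tag collisions and the keys x signatures blow-up behind KeyTrap (constructed data)."""

def _raw_sum(rdata: bytes) -> int:
    # Even-offset bytes are the high byte of a 16-bit word, odd-offset bytes the low byte.
    return sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = _raw_sum(rdata)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(public_key: bytes, algorithm: int = 13, flags: int = 256) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2), protocol(1, always 3), algorithm(1), key."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def forge_key_with_tag(key_body: bytes, target: int, algorithm: int = 13) -> bytes:
    """Append two 16-bit tuning words so the DNSKEY's key tag equals target.

    A word appended at an even offset adds exactly its value to the raw sum, so
    the tag of the result is fold(raw_sum + delta). Scanning delta over 2^17
    consecutive values covers every 16-bit tag, and the arithmetic is cheap.
    """
    if len(key_body) % 2:
        key_body += b"\x00"                 # keep the tuning words 16-bit aligned
    base = dnskey_rdata(key_body, algorithm)
    s = _raw_sum(base)
    for delta in range(1 << 17):
        ac = s + delta
        if (ac + ((ac >> 16) & 0xFFFF)) & 0xFFFF == target:
            w1 = min(delta, 0xFFFF)
            w2 = delta - w1
            return base + w1.to_bytes(2, "big") + w2.to_bytes(2, "big")
    raise AssertionError("unreachable: two tuning words span every tag")

def validation_attempts(dnskeys, rrsigs) -> int:
    """Signature checks a by-the-RFC validator performs for one RRset.

    Each RRSIG, given as (key tag, algorithm), is tried against every DNSKEY
    whose tag and algorithm match (RFC 4035 section 5.3.1).
    """
    tags = [(key_tag(k), k[3]) for k in dnskeys]
    return sum(1 for sig in rrsigs for t in tags if t == sig)

def keytrap_demo(n_keys: int = 8, n_sigs: int = 8, target_tag: int = 0x1234):
    """Return (checks for a benign zone, checks for the attacker's colliding zone)."""
    # Constructed key bodies; real ones would be algorithm-13 public keys.
    attacker_keys = [forge_key_with_tag(bytes([0x41 + i]) * 32, target_tag) for i in range(n_keys)]
    attacker_sigs = [(target_tag, 13)] * n_sigs       # every RRSIG names the shared tag
    benign_key = dnskey_rdata(b"\x5a" * 32)
    benign = validation_attempts([benign_key], [(key_tag(benign_key), 13)])
    return benign, validation_attempts(attacker_keys, attacker_sigs)

if __name__ == "__main__":
    benign, attacked = keytrap_demo()
    print(f"benign zone: {benign} check(s); colliding zone: {attacked} checks")
```

The patched resolvers bound this loop (limiting validation failures or key/signature combinations per response) rather than change the key-tag algorithm, which is why the fix had to land in every implementation at once.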
[#]
Microsoft's February Patch Tuesday addresses 73 vulnerabilities, including two actively exploited ones, while Adobe, SAP, Intel, AMD, and Cisco also release various security updates, necessitating immediate patching by users to protect against potential threats.
[#]
Microsoft's February 2024 Patch Tuesday mitigated 79 vulnerabilities, including two zero-days CVE-2024-21351 and CVE-2024-21412, demanding immediate patching as per CISA's guidelines.