HAQ.NEWS

// Jared Folkins

# Description

Today, ESC13 introduces a method exploiting Active Directory Certificate Services for privilege escalation through certificate issuance linked to group memberships. Secbutler, a command-line utility, simplifies tasks for cybersecurity professionals, covering reverse shell command generation and more. The rust-shellcode and XC utilities demonstrate innovative approaches in shellcode execution and reverse shell capabilities, respectively, enhancing methods to bypass antivirus detection and facilitate file transfers. Notable findings include a remote buffer overflow vulnerability in wpa_supplicant for Android, and HarfangLab's insights into reverse engineering .NET AOT applications. IOCTLance showcases vulnerability identification in Windows Driver Model drivers using symbolic execution. Techniques for executing Browser In The Browser (BITB) phishing attacks and the exploitation of various software vulnerabilities, including CVE-2022-20186 in Android Mali GPU drivers and CVE-2023-6546 in the Linux kernel, highlight the evolving landscape of cybersecurity threats and defenses. These contributions, along with tools for LDAP monitoring, Drupal vulnerability exploitation, and Linux persistence, underscore the continuous development and diversification of cybersecurity practices.

# Tradecraft

[#] A new technique named ESC13 exploits a feature in Active Directory Certificate Services (ADCS) by linking certificate issuance policies with group membership, allowing for privilege escalation if a user has enrollment rights on a misconfigured certificate template.
Read More @ specterops.io
[#] Secbutler is a multifunctional command-line tool designed to streamline common tasks for cybersecurity professionals, including reverse shell command generation, payload serving, proxy retrieval, and wordlist management.
Read More @ kitploit.com
[#] The 'rust-shellcode' repository on GitHub provides code examples for various methods of loading and executing shellcode, with techniques that can be used to bypass antivirus detection.
Read More @ github.com
[#] XC is a reverse shell utility for Linux and Windows platforms that facilitates file transfers, port forwarding, and running commands or plugins, with additional OS-specific capabilities such as PowerShell interaction and vulnerability checks on Windows, requiring Go 1.15+ for compilation.
Read More @ github.com
[#] The repository in question details a remote buffer overflow vulnerability in the wpa_supplicant binary on Android 11 for the Samsung A20e device, which works with stock configuration.
Read More @ github.com
[#] HarfangLab's blog provides insights into reverse engineering .NET AOT applications, highlighting challenges due to the absence of MSIL, and offers methods to identify and analyze AOT binaries, including creating IDA Pro signatures and debugging for type information.
Read More @ harfanglab.io
[#] IOCTLance is a security tool presented at CODE BLUE 2023 that uses symbolic execution and taint analysis to identify various types of vulnerabilities in Windows Driver Model (WDM) drivers; it allows customization of analysis parameters and has found 117 new vulnerabilities leading to 41 CVEs.
Read More @ github.com
[#] A new method for executing a Browser In The Browser (BITB) phishing attack has been introduced, which bypasses framebusting techniques by using script and HTML injections instead of iframes, and is compatible with proxy tools like Evilginx for highly convincing phishing campaigns.
Read More @ github.com
[#] The LogMeInPoCHandleDup repository includes a proof of concept for exploiting a race condition in the LMIInfo.sys driver by duplicating arbitrary handles from the SYSTEM process through improper access controls and specific function timing.
Read More @ github.com
[#] The GitHub repository "tr3w/LoginCrack" contains a Python tool designed to exploit SQL injection vulnerabilities in login systems, and it's licensed under the GPL-3.0 which ensures the software remains free and modifiable.
Read More @ github.com
[#] The ClarkFieseln/IPRadar2ForLinux repository on GitHub provides a Python-based tool for real-time detection and defense against a variety of malicious network activities, including policy violations, and includes a Quickstart guide with installation instructions via pip.
Read More @ github.com
[#] The GitHub repository "AmazoniaLeaksOficial/NO-KYC-SERVICES" provides a list of services including VPNs, hosting, phone, tools, aggregators, and goods that do not require Know Your Customer (KYC) checks, ensuring user privacy.
Read More @ github.com
[#] The 'Work from Home Scam' investigation illustrates a three-phase online fraud tactic that involves initial trust-building through payment for simple tasks, transition to Telegram for "training" and more tasks with compensation, culminating in a high-trust situation where the victim is convinced to pre-pay for supposedly lucrative tasks and ends up defrauded.
Read More @ theobservator.net
[#] The article outlines the methodology of identifying and altering signatured malicious byte sequences within malware to evade static detection by security products, demonstrating the technique using various tools and providing an example with Cobalt Strike's Artifact Kit.
Read More @ gatari.dev
[#] A detailed exploration of the exploit process for a vulnerability in Android Mali GPU driver identified as CVE-2022-20186, culminating in the use of manipulated GPU commands to gain root privileges by overwriting specific memory locations.
Read More @ github.com
[#] An exploit for a Linux kernel vulnerability affecting GSM multiplexing (CVE-2023-6546) that allows local privilege escalation has been detailed, with instructions on bypassing security features such as KASLR and SMAP/SMEP, and steps for compiling and executing a custom payload to gain root access.
Read More @ github.com
[#] The provided code is an implementation of the Access Vector Cache (AVC) for Security-Enhanced Linux (SELinux), which manages permissions and decisions for kernel object access, featuring updates for RCU-based locking and statistics tracking for performance analysis.
Read More @ bootlin.com
[#] The text describes a proof of concept (PoC) for exploiting a vulnerability, labeled as CVE-2019-2215, on Samsung S8/S8 Active Snapdragon devices running Oreo firmware to gain privileged shell access with methods to bypass DAC, SELinux, and Knox/RKP.
Read More @ github.com
[#] LDAP Watchdog is a Python-based monitoring tool for Linux systems that tracks real-time changes in LDAP directories and reports on alterations like additions, deletions, and modifications, with capabilities to filter and notify via Slack.
Read More @ github.com
[#] The GitHub repository "dr-iman/Drupal-Hunter" contains a Perl script that automates the exploitation of various Drupal vulnerabilities, including adding new admin accounts and executing remote commands.
Read More @ github.com
[#] Demonized Shell is a Linux persistence tool that includes features like auto SSH keypair generation, various persistence techniques, an LKM rootkit that evades detection, an ICMP backdoor, and other advanced functionalities, with pending features such as LD_PRELOAD rootkit, process injection, and additional persistence methods.
Read More @ github.com

# News

[#] The PlayDapp gaming platform experienced a security breach in which an unauthorized entity minted 1.79 billion PLA tokens using a stolen private key, leading the company to freeze transactions and enlist exchanges to block the hacker's wallets as part of its mitigation strategy.
Read More @ bleepingcomputer.com
[#] A misconfigured cloud database belonging to Zenlayer, containing 380 million records, was left unprotected and exposed sensitive company and customer data, which has since been secured following a cybersecurity researcher's discovery and notification.
Read More @ hackread.com
[#] VARTA AG, a major German battery manufacturer, experienced a cyberattack that compromised their IT infrastructure, leading to shutdowns across five production units with current priorities focused on ensuring data integrity and system recovery, while the full extent of the damage remains under assessment.
Read More @ bleepingcomputer.com
[#] Prudential Financial experienced a cybersecurity breach on February 4, 2024, where unauthorized access to internal and customer data occurred, but there is currently no evidence of data exfiltration, and the company is working with law enforcement and cybersecurity experts to investigate and respond to the incident.
Read More @ theregister.com
[#] Zoom released updates to address seven vulnerabilities, including a critical Windows software flaw CVE-2024-24691, which required immediate patching to prevent unauthorized privilege escalation.
Read More @ securityaffairs.com
[#] Check Point Research identified a security vulnerability in Microsoft Outlook, known as the #MonikerLink bug, which could lead to local NTLM credential leaks and potentially allow remote code execution, and a critical security update was released to address this in February 2024.
Read More @ checkpoint.com
[#] Over 100 Romanian hospitals were targeted by a ransomware attack via a third-party healthcare management system, with the national cybersecurity agency recommending system isolation, evidence preservation, and restoration from backups without paying the ransom.
Read More @ theregister.com
[#] In 2023, the CL0P ransomware group utilized zero-day exploits in file transfer software to launch widespread automated attacks, and despite a lower percentage of victims paying ransoms, the group potentially earned as much as $100 million, necessitating heightened organizational defenses against such evolving threats.
Read More @ malwarebytes.com
[#] Trans-Northern Pipelines, responsible for fuel transport in Canada, tackled a cybersecurity breach by ALPHV ransomware in November 2023, which led to an internal investigation, publication of stolen data, and FBI intervention.
Read More @ bleepingcomputer.com
[#] Ubuntu's 'command-not-found' utility may suggest malicious snap packages due to a loophole, enabling cyber attackers to compromise systems, with researchers advising users to confirm package sources and developers to claim snap names associated with their APT packages to prevent misuse.
Read More @ thehackernews.com
[#] Microsoft and OpenAI have reported that nation-state hackers from Russia, North Korea, Iran, and China are leveraging Artificial Intelligence and Large Language Models to enhance their cyber espionage activities by tailoring deceptive communications and developing malware, resulting in both companies working on principles to combat the misuse of AI in cybersecurity threats.
Read More @ thehackernews.com
[#] DuckDuckGo browser has introduced an end-to-end encrypted Sync & Backup feature allowing users to synchronize bookmarks, passwords, and settings across devices without requiring an account or exposing data to the provider.
Read More @ bleepingcomputer.com
[#] AhnLab Security Intelligence Center has identified a sophisticated Revenge RAT malware attack that uses legitimate tools for evasion, requiring users to employ strong cybersecurity measures to protect sensitive data.
Read More @ securityonline.info
[#] GitHub Enterprise Server versions 3.8.15, 3.9.10, 3.10.7, and 3.11.5 now have patches for several high-severity vulnerabilities including path traversal and command injection flaws; users must update immediately to secure their systems.
Read More @ securityonline.info
[#] Southern Water has acknowledged a cyberattack that resulted in the personal data of hundreds of thousands of customers being compromised, prompting government collaboration, police notification, and free credit monitoring offers to affected parties.
Read More @ theregister.com
[#] Bruce Schneier's blog highlights concerns about the rapid standardization of lattice-based post-quantum cryptographic algorithms without sufficient fallback options, in light of new research improving their cryptanalysis.
Read More @ schneier.com
[#] AMD processors are exposed to security risks due to identified vulnerabilities CVE-2023-20576, CVE-2023-20577, CVE-2023-20579, and CVE-2023-20587, for which users should apply updated firmware and software to mitigate potential denial of service, privilege escalation, and arbitrary code execution.
Read More @ securityonline.info
[#] A passkey management flaw in Android's Google Password Manager led to irreversible loss of passkeys when users tapped "Clear Data" for Chrome sync, despite Google amending the warning text, and editing a passkey's name causes passkey corruption for the related domain.
Read More @ seclists.org
[#] The Bumblebee malware loader, previously utilized by sophisticated ransomware groups, has resurfaced via unsophisticated email campaigns that use outdated VBA macros for intrusion, despite the industry-wide shift away from such methods since Microsoft began blocking macros by default; this suggests the current handlers may lack the original operators' skills, and security experts advise vigilance and adherence to standard security protocols, including disabling macros.
Read More @ theregister.com
[#] Adobe's Patch Tuesday updates in February 2024 fixed over 30 vulnerabilities across its products, including critical security issues within Adobe Acrobat and Reader, with users urged to apply patches to prevent possible code execution, denial-of-service, and memory leaks.
Read More @ securityaffairs.com
[#] Microsoft Defender SmartScreen was vulnerable to a zero-day used by Water Hydra to infect financial traders with DarkMe malware through CVE-2024-21412, which is now patched.
Read More @ thehackernews.com
[#] Cybereason Security Services Team reports attackers are hijacking YouTube channels, mostly in South America, to distribute malware, including Redline and RaccoonStealer, through videos promising free software, with user education and improved detection mechanisms being essential for defense.
Read More @ securityonline.info
[#] Microsoft's latest Patch Tuesday update fixes 73 flaws, including two zero-day vulnerabilities under active exploitation, and users should apply these patches to protect against potential system compromises and data exposure.
Read More @ thehackernews.com
[#] Willis Lease Finance Corp. reported a cybersecurity breach involving unauthorized access to its IT systems on January 31 and is conducting an ongoing investigation with third-party experts, while the Black Basta ransomware group claimed responsibility, allegedly stealing 910GB of data and posting samples online.
Read More @ darkreading.com
[#] Ivanti VPN appliances are being exploited using a SAML vulnerability, identified as CVE-2024-21893, allowing attackers to implant a new backdoor named DSLog, affecting over 670 IT infrastructures, with a patch and mitigation strategies available for resolution.
Read More @ darkreading.com
[#] The FCC has updated its data breach rules requiring telecom and VoIP providers to report any PII breaches to customers, the FCC, FBI, and Secret Service within 7 days of discovery, expanding the scope of reportable incidents and consumer protection.
Read More @ darkreading.com
[#] Two individuals in Queens, New York, received prison sentences for collaborating with Russian hackers to manipulate the JFK airport taxi dispatch system, disrupting the fair queuing of taxis and illegally earning over $100,000, with restitution and forfeiture required as part of their conviction.
Read More @ hackread.com
[#] Microsoft patched a zero-day vulnerability in Windows Defender SmartScreen (CVE-2024-21412), which was being exploited by the Water Hydra group to deploy the DarkMe RAT by tricking forex traders with phishing attacks on forums and Telegram channels.
Read More @ bleepingcomputer.com
[#] Prudential Financial experienced a data breach on February 4, 2024, with attackers accessing employee and contractor information, but no customer data was reportedly compromised, and the incident has not materially impacted the company's operations.
Read More @ bleepingcomputer.com
[#] In November 2023, a Lockbit ransomware attack on Infosys McCamish Systems compromised personal data of 57,028 Bank of America customers, and the bank countered by offering affected clients free two-year identity theft protection via Experian and urged account monitoring for unusual activities.
Read More @ hackread.com
[#] QNAP has issued patches for two new command injection vulnerabilities, CVE-2023-50358 and CVE-2023-47218, with advisories stressing the importance of updating to the latest firmware versions for various models to mitigate the risks.
Read More @ theregister.com
[#] Researchers uncover KeyTrap, a critical DNSSEC vulnerability causing CPU resource exhaustion via specially crafted DNS response packets, prompting multiple DNS software vendors to release patches to mitigate this denial-of-service attack method.
Read More @ theregister.com
[#] Microsoft's February Patch Tuesday addresses 73 vulnerabilities, including two actively exploited ones, while Adobe, SAP, Intel, AMD, and Cisco also release various security updates, necessitating immediate patching by users to protect against potential threats.
Read More @ theregister.com
[#] Microsoft's February 2024 Patch Tuesday mitigated 79 vulnerabilities, including two zero-days CVE-2024-21351 and CVE-2024-21412, demanding immediate patching as per CISA's guidelines.
Read More @ securityonline.info

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr regarding the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by AI, and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

current friend of haq 2024-02-15

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins