HAQ.NEWS

// Jared Folkins

# Description

Today, a PoC for an RCE vulnerability in Empire C2 framework versions before 5.9.3, the WEB-Wordlist-Generator tool for creating targeted cyber defense wordlists, ADExplorerSnapshot.py for parsing Active Directory snapshots into BloodHound for security analysis, an analysis of DJI Pilot app's ART hijacking mechanism and unpacking method using DxFx, Python-Backdoor, a cross-platform tool for remote access with multiple features, Ubuntu's command-not-found package potentially suggesting malicious snap packages, ICSrank for assessing security of industrial internet-connected devices, NipeJS for identifying JavaScript leaks, a study on deceptive language models in the sleeper-agents-paper, SploitScan for vulnerability identification and prioritization, DarkCool for penetration testing and forensic analysis, 0up for encrypted file-sharing, sdcampbell/nmapurls for parsing Nmap XML reports, and a PoC exposing a vulnerability in Xiaomi's HyperOS bootloader unlock restrictions.

# Tradecraft

- A proof of concept (PoC) for a Remote Code Execution (RCE) vulnerability has been detailed for Empire C2 framework versions prior to 5.9.3; it includes instructions for exploiting the framework and a script for implementation.
  Read More @ github.com
- The WEB-Wordlist-Generator tool analyzes web applications to create targeted wordlists for enhancing cyber defense by scanning static files and generating lists based on given parameters, with installation options via Git, Dockerfile, or DockerHub.
  Read More @ kitploit.com
- ADExplorerSnapshot.py is a tool designed to parse Active Directory Explorer snapshots for data ingestion into BloodHound for security analysis, offering output in both BloodHound JSON and NDJSON formats.
  Read More @ github.com
- The article provides an analysis of the DJI Pilot app's Android runtime (ART) hijacking mechanism, used to protect its bytecode with a packer, and demonstrates how to statically unpack the obfuscated code using a Python tool called DxFx.
  Read More @ quarkslab.com
- A project named Python-Backdoor, a cross-platform tool written in Python 3, provides features like multi-client support with AES encryption, keylogging, remote shell, file and screen capture, and vulnerability scanning, and requires Python and system-specific adjustments for installation.
  Read More @ github.com
- Ubuntu's command-not-found package can unintentionally suggest malicious snap packages due to name impersonation and typographical errors, so users should verify package sources and maintainers should preemptively register the corresponding snap package names.
  Read More @ aquasec.com
- ICSrank is a specialized platform for identifying and assessing the security of internet-connected Industrial Control Systems, Operational Technology, and Industrial IoT devices, using databases and search capabilities to locate potential vulnerabilities and provide up-to-date security information.
  Read More @ icsrank.com
- NipeJS is a Go-based tool for identifying potential JavaScript leaks; it uses regular expressions to scan for sensitive information such as API keys and decodes Base64-encoded strings.
  Read More @ github.com
- The GitHub repository "sleeper-agents-paper" by anthropics hosts a collection of data, samples, and prompts used in a study showing how robustly deceptive language models can be developed that maintain hidden behaviors even after safety training.
  Read More @ github.com
- SploitScan is a cybersecurity tool for identifying vulnerabilities and potential exploits, prioritizing patching based on risk, and offering exportable results in multiple formats.
  Read More @ github.com
- DarkCool is a Python-based security tool for penetration testing, forensic analysis, information security management, and automated hacking, featuring over 213 functions; it can be installed on various operating systems by following a specified set of installation steps and commands.
  Read More @ github.com
- 0up is an open-source, zero-knowledge encrypted file-sharing service: files are encrypted on the client side, uploaded to S3-compatible storage, and shared with a link that carries the decryption key in the URL fragment.
  Read More @ github.com
- The GitHub repository `sdcampbell/nmapurls` provides a tool that parses Nmap XML reports and outputs a list of HTTP(S) URLs for use in automation pipelines; it requires Go for installation.
  Read More @ github.com
- A Proof of Concept (PoC) has been revealed that exposes a vulnerability allowing the bypass of Xiaomi's HyperOS bootloader unlock restrictions; it requires a valid SIM, device, and Xiaomi account, and it provides usage instructions, including recommended settings and script execution steps.
  Read More @ github.com

# News

- The FBI has neutralized a Moobot botnet on Ubiquiti EdgeOS routers used by Russian APT28 hackers for spearphishing, wiping the malware and blocking remote management access; users are advised to factory-reset their devices and change admin passwords to prevent reinfection.
  Read More @ bleepingcomputer.com
- The U.S. State Department offers up to $15 million for information leading to the identification, location, or arrest of individuals involved with the ALPHV/Blackcat ransomware group, which has amassed over $300 million in ransoms from victims worldwide.
  Read More @ bleepingcomputer.com
- A critical vulnerability named "KeyTrap" in DNSSEC could allow attackers to overwhelm DNS resolvers with CPU load, potentially causing widespread internet outages; a redesign of DNSSEC is considered necessary to mitigate the threat, and Google has meanwhile implemented a fix for this exploit.
  Read More @ scmagazine.com
- Zenlayer's misconfigured cloud database, lacking password protection, leaked nearly 385 million records including internal logs and customer information; after notification by researcher Jeremiah Fowler the issue was promptly addressed.
  Read More @ scmagazine.com
- OpenAI has terminated the accounts of state-sponsored hackers from Iran, North Korea, China, and Russia that were using ChatGPT for activities such as researching military technologies, spear-phishing, understanding vulnerabilities, and optimizing cyber operations.
  Read More @ bleepingcomputer.com
- South Korean President Yoon Suk Yeol's office reported that North Korea-linked hackers breached the personal emails of a presidential staff member, but affirmed that overall security systems remained intact, prompting enhanced monitoring and defense against ongoing cyber threats.
  Read More @ securityaffairs.com
- Zoom has patched a critical privilege escalation vulnerability, CVE-2024-24691, along with six other less severe flaws in its desktop and mobile apps, urging users to update to the latest versions to prevent potential unauthorized access and information disclosure.
  Read More @ theregister.com
- The TicTacToe Dropper is a malware dropper recently detected by FortiGuard that uses file obfuscation to deliver RATs like AgentTesla and LokiBot to Windows systems; users are advised to employ behavior-based endpoint security tools to detect such threats.
  Read More @ hackread.com
- A security analysis of Ivanti Pulse Secure devices revealed the use of an unsupported 11-year-old Linux operating system, outdated libraries with known vulnerabilities, weak points in the firmware, and ineffective integrity check tools, pointing to the need for more transparent supply chain validation from vendors.
  Read More @ thehackernews.com
- A new iOS Trojan named GoldPickaxe has been identified by Group-IB; it targets users in the Asia-Pacific region by stealing facial recognition and banking data through fake government apps distributed via Mobile Device Management and TestFlight, and the threat group GoldFactory uses AI to create deepfakes for unauthorized bank account access.
  Read More @ hackread.com
- The RansomHouse ransomware group has developed 'MrAgent', a tool that targets VMware ESXi servers by disabling their firewalls and automating the deployment of ransomware across multiple virtual machines; defenders are urged to strengthen security measures and implement network monitoring to mitigate such threats.
  Read More @ bleepingcomputer.com
- German battery manufacturer Varta halted operations at five production plants due to a cyberattack on February 12, 2024, leading to a complete shutdown of IT systems for investigation and containment of the incident, with restoration efforts and damage assessment ongoing.
  Read More @ securityaffairs.com
- Security researchers at Cisco Talos have exposed a new malware called TinyTurla-NG used by the Russian Turla group to stealthily infiltrate NGO networks via compromised WordPress sites, enabling data theft and persistent network access.
  Read More @ bleepingcomputer.com
- In 2023, cryptocurrency-related money laundering declined to $22.2 billion, with criminals diversifying their methods and increasingly using cross-chain bridges and mixers like YoMix, requiring enhanced vigilance and analysis from law enforcement and compliance teams to adapt to these evolving strategies.
  Read More @ chainalysis.com
- Cybercriminals are targeting iOS and Android users in Thailand and Vietnam with trojanized apps that steal biometric data and bypass banking security measures.
  Read More @ theregister.com
- Cybercriminals are using compromised cloud credentials to send USPS-themed smishing texts through Amazon Web Services Simple Notification Service, abusing the platform's messaging capability to solicit personal and payment information; businesses need to keep their cloud credentials secure to prevent domain hijacking and protect their reputation and SMS services.
  Read More @ darkreading.com
- Kryptina Ransomware, which targets Linux systems and was initially sold in cybercrime forums, has become a greater threat after its developer 'Corlys' released its source code for free on BreachForums, lowering the barrier to entry and potentially increasing attack frequency.
  Read More @ securityonline.info
- A new Qbot malware variant, which employs a fake Adobe installer pop-up to evade detection and deliver various malicious payloads, has been detected in recent email campaigns, the first since the takedown of its command and control infrastructure last year.
  Read More @ bleepingcomputer.com
- A recent essay highlights the security risks posed by software bloat and the importance of reducing the amount of exposed code to decrease potential vulnerabilities, with legislation expected to compel vendors to prioritize security.
  Read More @ schneier.com
- A newly identified mobile trojan called 'GoldPickaxe' is deceiving users into scanning their faces and ID documents, which could be used to create deepfakes for unauthorized bank access, prompting vigilance in app installations and skepticism toward unsolicited messages.
  Read More @ bleepingcomputer.com
- The European Court of Human Rights ruled that mandated weak encryption and extensive data retention are human rights violations, a decision that affects future European data surveillance laws and the proposed Chat Control legislation.
  Read More @ theregister.com
- A cybercrime group called GoldFactory has developed advanced banking trojans targeting mobile devices in Asia-Pacific, using deepfakes and social engineering to bypass security; users are advised to avoid suspicious links and regularly review app permissions.
  Read More @ thehackernews.com
- A proof-of-concept exploit for a Windows NTLM privilege escalation flaw, CVE-2023-21746, that could let attackers with local access obtain SYSTEM privileges has been made public; Microsoft patched the vulnerability in its January 2023 update, though an unpatched HTTP/WebDAV scenario still exists.
  Read More @ securityonline.info
- Cyber criminals are using advertising technology to measure and optimize their malware campaigns, disguising malicious payloads with CAPTCHAs via ad networks, which makes automation-based detection more challenging; security professionals recommend applying zero trust principles to mitigate these threats.
  Read More @ theregister.com
- Cybercriminals are using Remote Monitoring & Management (RMM) software like AnyDesk to access corporate networks through phishing scams; Malwarebytes' ThreatDown Bundle offers Application Block to prevent unauthorized RMM tool usage.
  Read More @ malwarebytes.com
- Microsoft has disclosed that the CVE-2024-21410 flaw in Exchange Server, with a severity rating of 9.8, is currently being exploited, and advises updating to the latest patch, which enables EPA by default to mitigate relay attacks.
  Read More @ thehackernews.com
- In recent cybersecurity events, a crypto casino suffered a $4.6 million theft due to wallet compromise, an NFT drop mishandled by Yuga Labs incurred high gas fees, PlayDapp's platform was hacked resulting in token inflation, the Solana blockchain experienced a five-hour outage, SIM swappers were indicted for attacks including on FTX, a crypto exchange tied to Three Arrows Capital is closing, Ripple's CEO had $112.5 million in XRP stolen, Abracadabra's protocol was exploited causing a stablecoin to depeg, HyperVerse's founder was charged with fraud, and Goledo Finance faced a $1.7 million flash loan attack.
  Read More @ web3isgoinggreat.com
- Chinese cyber-espionage group Volt Typhoon has infiltrated key U.S. and African energy and emergency services networks, using sophisticated techniques and zero-day exploits to exfiltrate strategic operational data, highlighting the need for stronger defense and incident response measures in critical infrastructure sectors.
  Read More @ theregister.com
- A breach at CGI Federal, impacting data from GAO employees, was caused by an Atlassian vulnerability that CISA, MS-ISAC, and the FBI had urged organizations to patch in an October alert.
  Read More @ scmagazine.com
- The LockBit ransomware group has claimed responsibility for the cyberattack on Fulton County, Georgia, threatening to publish personal data unless a ransom is paid, while the county explores insurance options to recover its systems without paying the ransom.
  Read More @ bleepingcomputer.com
- Microsoft has issued an alert for a critical vulnerability in Exchange Server (CVE-2024-21410, CVSS 9.8) that allows remote privilege escalation via NTLM relay attacks, recommending immediate patching with Cumulative Update 14, which introduces NTLM credentials Relay Protections.
  Read More @ securityonline.info
- NGINX has issued an urgent update to version 1.25.4 to patch critical vulnerabilities, designated CVE-2024-24989 and CVE-2024-24990, in its experimental HTTP/3 implementation to prevent potential denial-of-service attacks and further exploitation; affected configurations are advised to upgrade immediately, as no other workaround exists.
  Read More @ securityonline.info
- North Korea has reportedly been operating a lucrative scheme selling gambling websites laced with malware that steals personal data, generating significant profits and circumventing sanctions by posing as Chinese IT workers.
  Read More @ theregister.com
- Imperva Threat Research uncovered the malicious Fade Stealer malware in PyPI packages named similarly to the popular "Colorama", which aims to steal sensitive information using typosquatting and evasion techniques, highlighting the need for developers and repository maintainers to scrutinize package details to protect the Python software ecosystem.
  Read More @ securityonline.info
- OpenAI has terminated five accounts linked to government agents from China, Iran, Russia, and North Korea for using its GPT-4 model in research aimed at phishing and malware activities, while emphasizing that AI's capabilities in cyberattacks are limited compared to existing tools.
  Read More @ theregister.com
- Microsoft has announced that the critical Exchange Server vulnerability CVE-2024-21410, which allowed NTLM relay attacks, is now mitigated with the release of Cumulative Update 14, which enables NTLM credentials Relay Protections by default.
  Read More @ bleepingcomputer.com
- Cisco Talos has exposed a new backdoor named TinyTurla-NG used by the Turla APT group to target Polish NGOs, enabling task execution and file exfiltration through compromised WordPress websites, with detection and defensive measures outlined for various Cisco Security products.
  Read More @ talosintelligence.com

# F.A.Q

## Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

## Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr regarding the articles of interest, which helps discern what I should read. It is saving me a ton of time.

## Why

FWIW, HAQ.NEWS really started out as my personal news feed, enriched by AI and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

## Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

## Ads

This isn't an Ad.

## Current friend of HAQ (2024-02-16)

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins