# Latest Podcast
# Description
Today: SiCat, a Python-based tool for exploit searching; SwaggerSpy, an OSINT tool for detecting sensitive data in SwaggerHub APIs; a detailed analysis of BackMyData ransomware; BinCAT, a static analysis tool for binary code; an exploitation method for the WinRAR RCE vulnerability CVE-2023-38831; defenses against the AsyncRAT trojan; Beelzebub, a low-code honeypot framework; basics of creating malicious software in Python; BruteCore, a brute-force tool; GitHub reconnaissance techniques; WonkaVision, for analyzing Kerberos tickets; and Fax Shell, an exploit using the Windows Fax service. These topics range from exploit identification, sensitive-information detection, malware analysis and vulnerability exploitation, through honeypot frameworks, to advanced security reconnaissance and protection methods.
# Tradecraft
SiCat is a Python-based exploit search tool that helps cybersecurity professionals identify and locate exploits by searching across several sources, including Exploit-DB, Packetstorm Security, NVD, and Metasploit modules. It can ingest inputs such as nmap output and offers options for keyword searching and output formatting.
SwaggerSpy is an OSINT tool for detecting sensitive information in SwaggerHub API documentation using enhanced regular expressions.
A detailed analysis reveals that BackMyData ransomware, part of the Phobos family, used a hardcoded AES key for configuration decryption, avoided systems with Cyrillic alphabet settings, achieved persistence via the Run registry and Startup folder, and utilized custom encryption methods before demanding ransom through notes left for the victims.
BinCAT is a static analysis tool for binary code that integrates with IDA, providing value and taint analysis, type reconstruction, and detection of use-after-free and double-free vulnerabilities, with support for multiple architectures and automated build processes.
To exploit the WinRAR RCE vulnerability CVE-2023-38831, create a malicious archive containing a folder and a file with the same name, adding a space before the ".cmd" extension, which executes instead of the expected file when opened.
To detect and protect against the AsyncRAT trojan, identify necessary DLLs using Procmon, analyze malicious binaries with API Monitor and PEStudio, decode obscured configurations with a provided Python script, and apply the AsyncRat YARA rule for accurate malware identification.
Beelzebub is a secure, AI-enhanced low-code honeypot framework that facilitates the creation of virtual environments to deceive and study cyber attackers, providing multiple integration options and customizable service configurations for realistic simulations.
The text discusses the creation of basic malicious software in Python, including a locker that blocks computer access, an encryptor that encodes files, and a virus that spreads to other Python programs, emphasizing these are for educational purposes and warning against illegal activities.
A cybersecurity enthusiast introduces BruteCore, a multiplatform brute-force/checker tool with a web interface, built in Golang for performance and versatility, offering easy proxy management, module integration, and session handling for efficient credential testing.
This article provides an introduction to GitHub reconnaissance for identifying sensitive information, utilizing GitHub's search features, regular expressions, and filters to effectively narrow down potentially valuable data leaks within code repositories.
WonkaVision is a proof-of-concept tool for analyzing Kerberos tickets to identify forged ones: it dumps session data, encrypts it, and then analyzes it to generate anomaly scores that are logged and can be forwarded to SIEM systems for deeper investigation.
A proof-of-concept exploit named "Fax Shell" uses the Windows Fax service and a DLL hijacking method to create a bind shell with SYSTEM privileges, leveraging Ualapi.dll and evading common security measures.
# News
A ransomware attack by BackMyData on the Hipocrate IT Platform encrypted data across multiple Romanian hospitals; Check Point reports that Harmony Endpoint and Threat Emulation protect against it. Recent patches by Microsoft and Adobe address several critical vulnerabilities, including a Microsoft Outlook flaw and a SmartScreen bypass, while Check Point Research highlights increased cyber threats around Valentine's Day and ongoing Russian-aligned cyber-espionage campaigns.
The Cactus ransomware group claims to have exfiltrated 1.5TB of data from Schneider Electric's Sustainability Business division, including sensitive customer information, and has leaked 25MB of proof on its dark web site. Separately, law enforcement recently apprehended LockBit ransomware operators and provided a decryptor for their ransomware.
International law enforcement, including the UK's National Crime Agency and the FBI, seized control of the LockBit ransomware operation's servers and websites, disrupting the gang's activities and apprehending members, while also capturing a cache of evidence including source code, victim data, and communication logs.
Active exploitation of a critical RCE vulnerability in the Bricks WordPress site builder, CVE-2024-25600, allows attackers to run arbitrary PHP code; a patch has been released in version 1.9.6.1 and users are urged to update immediately to mitigate the risk.
German and South Korean intelligence services report that North Korean hackers executed a supply-chain attack to infiltrate a maritime technology research center, and recommend increased access monitoring, multi-factor authentication, and employee cyberattack awareness training as countermeasures.
The I-S00N GitHub repository reveals financial issues, product quality concerns, and evidence of the company Shanghai Anxun infiltrating government departments in multiple countries, highlighting security risks and suggesting the need for a detailed investigation of their operations.
TAG-70, identified as working for Belarus and Russia, exploited XSS vulnerabilities in Roundcube webmail servers across Europe, targeting the email servers of 80 organizations, primarily in Ukraine, Georgia, and Poland; recommended mitigations are to patch systems, strengthen email security, and conduct regular cybersecurity training.
Wyze camera users experienced a privacy breach when a caching error allowed 13,000 users to access others' video feeds, which Wyze is addressing by adding extra verification and adjusting their systems to prevent future incidents.
The European Court of Human Rights ruled that compelled decryption by law enforcement violates privacy rights, thus rejecting government-mandated encryption backdoors as undemocratic.
A critical vulnerability labeled CVE-2024-22030 has been discovered in the Kubernetes management platform Rancher and its Fleet engine, necessitating immediate domain and DNS security measures and active monitoring for domain hijacking and illegitimate certificate issuance until SUSE releases a patch.
A critical DNSSEC vulnerability, dubbed KeyTrap and identified as CVE-2023-50387, can disrupt Internet access with just one DNS packet, with fixes already deployed by providers like Akamai, Google, and Cloudflare.
University of Illinois Urbana-Champaign researchers have demonstrated how enhanced large language models, especially OpenAI's GPT-4, can be programmed to automatically identify and exploit web vulnerabilities with a high success rate and at a lower cost compared to human penetration testers.
Belarus and Russia-linked APT group TAG-70 has been utilizing XSS vulnerabilities in Roundcube webmail servers to breach over 80 European governmental and military organizations for espionage.
NSO Group's spyware Pegasus can now profile mobile devices using zero-click 'MMS Fingerprinting' to gather device and OS details without user interaction, potentially aiding targeted exploitation or phishing campaigns.
Meta has disrupted malicious cyber activities from eight surveillance firms in Italy, Spain, and UAE, targeting various devices and platforms, and enforced countermeasures such as enabling Control Flow Integrity on Messenger and VoIP memory isolation on WhatsApp to bolster security against spyware exploitation.
The Android banking trojan Anatsa, also known as TeaBot and Toddler, has bypassed Google Play protections to target devices in Slovakia, Slovenia, and Czechia, using apps disguised as phone cleaners and PDF viewers to execute fraudulent transactions and steal credentials, with Google responding by removing the malicious apps and reinforcing automatic malware protection for users.
A critical remote code execution vulnerability in WordPress's Bricks Builder plugin, identified as CVE-2024-25600 with a 9.8 CVSS score, is actively being exploited, necessitating immediate update to patched version 1.9.6.1 to mitigate risks.
SolarWinds has patched critical security vulnerabilities in its Access Rights Manager software, including two remote code execution flaws, with the release of version 2023.2.3 to address these issues.
A new Mirai botnet variant exploits CVE-2023-1389, targeting TP-Link Archer routers for unauthenticated remote code execution; the write-up details countermeasures, including a YARA rule for detection.
A critical security flaw in old versions of Ghostscript, CVE-2020-36773 with a CVSS score of 9.8, could let attackers run code or crash systems, but updating to Ghostscript 9.53.0 or later mitigates the risk.