HAQ.NEWS

// Jared Folkins

# Description

The LOTL repository offers a fileless, persistent reverse shell for Windows leveraging JScript and PowerShell. "FlyingPhish/Nmap-Analysis" is a tool for parsing Nmap XML output with GPT-powered analysis. BotD and Fingerprint Pro Bot Detection provide libraries for detecting automation tools and sophisticated bots, respectively. OpenCelliD is a community-driven cellular network database for location and coverage insights. A service tracks Vkontakte activity to uncover synchronous behavior among friends. The web-based D0x-K1t-v2 facilitates OSINT and reconnaissance. Week 13 of Web Hacking highlights an XSS vulnerability exploitation for creating a JavaScript keylogger. Techniques for bypassing Windows Defender using C# and PowerShell are explained. Android devices can automate a Rubber Ducky script for altering DNS via Tasker, while google_lure.py targets Google Docs open redirects for phishing. ScreenConnect-AuthBypass.py showcases an authentication bypass in ConnectWise SecureConnect. Horizon3.ai's NodeZero includes a new Phishing Impact test. The DevOps Roadmap for 2024 lays out required skills for aspiring DevOps engineers. Application crash analysis involves various tools like WinDbg and procdump. TruffleHog now detects AWS canary tokens without triggering them.

In the news, a critical vulnerability in the Spring Framework (CVE-2024-22243) could lead to serious security breaches, and updating is urged. Threat actors are exploiting flaws in VMware, Microsoft Exchange, and Cisco products, while law enforcement targets groups like LockBit. The 8220 Gang targets cloud infrastructure, and I-Soon, a Chinese firm, faces a data leak. Users should use tools like Tor.taxi for dark web safety and be wary of TeaBot trojan infections from the Google Play Store. Updates are crucial for the ConnectWise ScreenConnect vulnerabilities (CVE-2024-1708, CVE-2024-1709).

# Tradecraft

[#] A GitHub repository called LOTL presents a fileless, persistent reverse shell that uses JScript and PowerShell to execute on Windows startup through registry and environment variables, with a proof of concept provided and a warning to use a virtual machine for testing.
Read More @ github.com
[#] The GitHub repository "FlyingPhish/Nmap-Analysis" provides a Python tool that parses Nmap XML output, allows for comparison between scans to detect changes in network services and ports, creates visual reports, and utilizes GPT for AI-generated analytical overviews.
Read More @ github.com
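To show the scan-comparison idea behind the Nmap-Analysis item, here is an added example (not code from the FlyingPhish/Nmap-Analysis project) that parses two Nmap XML documents with Python's standard library and reports ports that were opened, closed, or changed service between the scans. The two XML documents are constructed sample data, not real scan output, and the element layout follows Nmap's `-oX` format (`host` / `address` / `ports` / `port` / `state` / `service`).

```python
import xml.etree.ElementTree as ET

# Constructed baseline scan (sample data, not a real scan).
BASELINE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed follow-up scan: 80 is now filtered, 443 reports a different
# service name, and 3389 (RDP) has appeared.
LATER_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="filtered"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_open_ports(xml_text):
    """Return {(ipv4, protocol, port): service_name} for every *open* port.

    Ports in any other state (closed, filtered, ...) are deliberately
    ignored so that a port that becomes filtered shows up as 'closed'
    in the diff, which is what a defender watching exposure wants.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            result[(addr, port.get("protocol"), int(port.get("portid")))] = name
    return result


def diff_scans(old, new):
    """Compare two parsed scans and return what opened, closed, or changed service."""
    opened = sorted(k for k in new if k not in old)
    closed = sorted(k for k in old if k not in new)
    changed = sorted(
        (k, old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]
    )
    return {"opened": opened, "closed": closed, "changed": changed}


def report(delta):
    """Render the diff as plain text lines suitable for a ticket or alert."""
    lines = []
    for addr, proto, port in delta["opened"]:
        lines.append(f"NEW     {addr} {port}/{proto}")
    for addr, proto, port in delta["closed"]:
        lines.append(f"GONE    {addr} {port}/{proto}")
    for (addr, proto, port), before, after in delta["changed"]:
        lines.append(f"CHANGED {addr} {port}/{proto}: {before} -> {after}")
    return lines


if __name__ == "__main__":
    delta = diff_scans(parse_open_ports(BASELINE_XML), parse_open_ports(LATER_XML))
    print("\n".join(report(delta)))
```

With real scans, replace the two embedded strings with the contents of the `-oX` files; the newly opened 3389/tcp is the line a defender would act on first.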
[#] The text introduces BotD, an MIT-licensed open-source browser-based library by FingerprintJS for detecting basic automation tools and frameworks, and outlines its more advanced, professional API-based counterpart, Fingerprint Pro Bot Detection, which offers additional features for identifying sophisticated bots with high accuracy by combining several types of data analysis.
Read More @ github.com
[#] OpenCelliD is a database that maps cellular network information, helping with device location and network coverage analysis, and is community-driven, offering API access and data downloads for practical application.
Read More @ opencellid.org
[#] The text describes a service that monitors a target's VKontakte (VK) online presence and activity by analyzing online status timings with their friends, and upon completion of the observation period, it generates a report highlighting friends who have suspiciously synchronized online times with the target, allowing for potential identification of whom the target communicates with.
Read More @ vkdia.com
[#] D0x-K1t-v2 is a web-based application for active reconnaissance, information gathering, and OSINT, which is currently self-hosted, with features like WhoIs lookup, phone scanning, port checking, and GeoIP lookup, with future enhancements planned for Heroku and ngrok deployment.
Read More @ github.com
[#] Week 13 of the Web Hacking series demonstrates how a Cross-Site Scripting (XSS) vulnerability can be exploited to create a keylogger using JavaScript, potentially capturing sensitive user data like passwords and personal information.
Read More @ webhackingtips.com
[#] The article details the process of bypassing Windows Defender using a combination of C# shellcode wrapping, custom XOR encoding, and PowerShell memory-loading techniques to execute a Meterpreter payload undetected.
Read More @ purpl3f0xsecur1ty.tech
[#] An Android device, when connected to a computer for charging, can automate the execution of a Rubber Ducky script via the Tasker app to alter the DNS cache without user interaction, with prevention relying on not plugging in untrusted devices, using HTTPS, enabling 2FA, using browser bookmarks, and restricting administrator access.
Read More @ mobile-hacker.com
[#] The Python script google_lure.py is designed to exploit open redirects on www.google.com via Google Docs, creating and sharing phishing links through temporary files and comments; users should be aware of this tactic in order to defend against it.
Read More @ github.com
[#] A proof of concept script, ScreenConnect-AuthBypass.py, has been released demonstrating an authentication bypass vulnerability in ConnectWise SecureConnect that allows an attacker to overwrite existing administrative credentials.
Read More @ github.com
[#] Horizon3.ai's NodeZero platform offers several cybersecurity testing services, including internal and external penetration testing, and recently launched a Phishing Impact test to assess the risks associated with compromised employee credentials, complemented by a NodeZero capability that identifies and exploits specific vulnerabilities like the ConnectWise ScreenConnect authentication bypass.
Read More @ horizon3.ai
[#] The DevOps Roadmap for 2024 is a guide outlining the skills and tools required to become a DevOps engineer, including learning resources and a comprehensive list of topics like Git, programming languages, Linux, networking, server management, containers, CI/CD, and cloud services.
Read More @ github.com
[#] Analyzing application crashes involves capturing crash dumps using WinDbg for detailed debugging, procdump for targeted information gathering, and the localdumps registry key for automated dump collection.
Read More @ augmend.com
[#] TruffleHog, a security tool, now includes a feature that detects the AWS canary tokens used by Thinkst without activating them, using a static analysis method; this lets defenders scan for credentials without triggering false alerts, and equally lets attackers avoid tripping these security traps.
Read More @ trufflesecurity.com

# News

[#] A critical vulnerability, CVE-2024-22243, in the Spring Framework could allow open redirect and SSRF attacks; users should update to patched versions 6.1.4, 6.0.17, or 5.3.32 to mitigate this risk.
Read More @ securityonline.info
[#] Threat actors are exploiting a multitude of vulnerabilities across various platforms, including critical flaws in VMware, Microsoft Exchange, and Cisco products, while law enforcement continues to target ransomware operations such as LockBit, with recommended actions including patching affected systems and reporting information on cybercriminals for potential rewards.
Read More @ securityaffairs.com
[#] The 8220 Gang has escalated their cyber attacks on cloud infrastructure, deploying advanced evasion tactics on Linux and Windows systems, and organizations need to enhance their security postures to counter the sophisticated threats.
Read More @ uptycs.com
[#] Chinese company I-Soon, involved in cyber espionage, suffered a data leak revealing details on operations against various targets including governments and pro-democracy groups, stressing the need for improved defense strategies against such hacking contractors.
Read More @ sentinelone.com
[#] Tor.taxi serves as a directory and anti-phishing resource for dark web users, offering assistance with site verification, uptime tracking, and maintaining a no-tracking policy for researchers interested in darknet markets, forums, and services.
Read More @ tor.taxi
[#] Mamont is an FTP search engine that provides a global file search capability with over 4 billion files indexed, and users may add their own FTP sites by registering in the Mamont directory.
Read More @ mmnt.ru
[#] Researchers detected a surge in TeaBot banking trojan infections from an app in the Google Play Store, provoking a need for increased user vigilance when downloading apps and granting permissions.
Read More @ cleafy.com
[#] A Proof of Concept has been released by @watchTowr showcasing a ConnectWise ScreenConnect vulnerability, specifically CVE-2024-1708 and CVE-2024-1709, that allows unauthorized creation of administrative users leading to potential remote command execution, with a fix available in version 23.9.8.
Read More @ github.com

# F.A.Q.

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr of the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

Why

FWIW, HAQ.NEWS really started out as my personal news feed, enriched by AI and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

Current friend of HAQ, 2024-02-23

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins