# Latest Podcast
# Description
The Peaky-XD/webshell repository is a hub for webshell scripts in various languages including PHP and ASP, open to contributions under the MIT License. BALIMO LENA and PETLIBRO IoT Pet Feeders have been found to have security issues allowing for firmware extraction and unauthorized control, risking pet overfeeding through UART interface exploitation. The CanaryTokenScanner Python script aids in detecting Canary Tokens in documents and zip files to enhance cyber defense. A guide to removing Android.Waps adware from the Kirikiroid2 app using tools such as Apktool is detailed. An online tool enables the creation of fake Telegram chats for entertainment. Zeoob offers tools for simulating social media content for educational purposes. A categorized list of Telegram bots is provided for PII research and SOCMINT applications, emphasizing good OPSEC practices. Risks associated with unauthorized Terraform provider deployment due to exposed state files are discussed, with mitigation advice such as enabling state locking. RetinaFace, a Python library, offers features for facial detection and recognition, installable via 'pip' or 'conda'. Bouncer is a bookmarklet for extracting user IDs from social media profiles. The Tosint OSINT tool extracts data from Telegram bots. jsleak is a tool for finding secrets in JavaScript files. Security measures for Nginx servers and strategies from the "BypassAV" GitHub repository for evading anti-virus and EDR systems are shared. Recommendations for enhanced system security include patch management and user education. Advanced cybersecurity techniques used to attack Microsoft 365 and the open-source bpftop tool from Netflix for viewing eBPF program statistics are also mentioned.
In the news, Microsoft warns of an exploited Windows Kernel issue (CVE-2024-21338). The BlackCat/ALPHV ransomware group attacked Change Healthcare, stealing data. SpikedWine targeted EU diplomats with "WineLoader" malware. Epic Games denies server breach by Mogilevich group. Palo Alto Networks faces a lawsuit over forecasts. North Korea's Lazarus hackers exploited a patched Windows AppLocker flaw. The US restricts Sandvine and Chengdu Beizhan Electronics for surveillance and nuclear roles. Cencora reports a data breach. The Iranian UNC1549 group targets aerospace for espionage. Japan's CSIRT warns of 'Comebacker' malware in PyPI packages. Russian hackers attack Ubiquiti EdgeRouters. Cisco Talos finds TimbreStealer malware in Mexico. President Biden plans an executive order on data protection. Concerns over GlobalBlock's free speech impact. Google's filetype search issue, Abyss Locker ransomware targets, and Xeno RAT malware spread noted.
# Tradecraft
The repository at Peaky-XD/webshell contains a collection of webshell scripts for various programming languages including PHP, Perl, ASP, ASP.NET, and more, and accepts contributions under the MIT License.
Security analysis of BALIMO LENA and PETLIBRO IoT Pet Feeders reveals poor security practices, enabling attack vectors such as firmware extraction and unauthorized remote control, with a demonstrated method for overfeeding pets via UART interface exploitation.
A Python script named CanaryTokenScanner has been developed to proactively scan Microsoft Office documents, Acrobat Reader PDFs, and Zip files for embedded Canary Tokens (tracking beacons that alert their owner when a file is opened), thereby bolstering defenses against cyber threats.
The blog post outlines the process of removing Android.Waps adware from the Kirikiroid2 apk, including decompilation with Apktool, identifying and eliminating malicious smali code, and recompiling and signing the cleaned apk for use.
The page describes an online tool for creating fake Telegram chats for personal amusement or data testing purposes, offering customization options such as time, message content, and profile photos, while emphasizing that these do not generate real communications and should only be used for individual testing or entertainment.
Zeoob offers online simulation tools for creating fake social media content across various platforms for educational and digital marketing practice without spending resources in a real environment.
The page provides a list of Telegram bots categorized by their applicability in different countries, with a focus on bots used for personal identifying information (PII) research, social media intelligence (SOCMINT), and domain and IP investigations, highlighting the importance of OPSEC in cyber security research.
RetinaFace is a Python library for deep learning-based facial detection that provides functions for face detection with landmarks, face alignment improvements, and can be combined with other modules like ArcFace for a complete face recognition system, available for installation via 'pip' or 'conda'.
Bouncer is a browser bookmarklet for extracting user IDs from Twitter, Facebook, Instagram, and TikTok profile pages with the simple click of a bookmark.
Tosint is an OSINT Python tool for extracting data from Telegram bots and associated channels, detailing elements like bot and chat information, administrator details, and invite links.
jsleak is a command-line tool used in cybersecurity reconnaissance to identify secrets like API keys and URLs in JavaScript files by employing regex patterns from multiple sources, offering features such as concurrent scanning and status checks for URLs.
The article details a vulnerability in Nginx configurations where missing trailing slashes can lead to unauthorized directory access, and offers a list of measures to secure Nginx servers against various attacks.
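As an added illustration of the misconfiguration just described (this example is not taken from the article; the `/static` prefix and the `/var/www/static/` path are assumed), the classic case is a `location` prefix without a trailing slash combined with an `alias` directive that has one. Nginx replaces the matched prefix with the alias path verbatim, so a request whose path continues with `..` directly after the prefix is mapped to the parent of the aliased directory:

```nginx
# Weak setting (constructed example): prefix has no trailing slash, alias does.
# A request for /static../ is rewritten to /var/www/static/../ and serves the
# parent directory, which is the unauthorized directory access the article warns about.
location /static {
    alias /var/www/static/;
}

# Corrected setting: prefix and alias both end in a slash, so the stripped
# prefix and the substituted directory stay aligned and /static../ no longer
# matches this location at all.
location /static/ {
    alias /var/www/static/;
}
```

A quick check after deploying the corrected block is to confirm that a request for `/static../` returns 404 (or whatever the server's catch-all location yields) rather than a directory listing or a file from `/var/www/`; a linter such as Gixy also flags the alias traversal pattern in a configuration file before it reaches production.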
The repository "BypassAV" on GitHub provides a map of key strategies for evading anti-virus and EDR systems, with an emphasis on manual methods over open-source tools for better avoidance of detection.
To enhance system security, one should implement regular patch management, employ strong authentication mechanisms, audit network systems for vulnerabilities, and educate users about potential cyber threats.
The blog explores advanced cybersecurity techniques such as leveraging token theft and social engineering to compromise Microsoft 365 users and evade conditional access policies, while also outlining methods like Evilginx2 and TokenTactics for simulating attacks and bypassing security measures.
Netflix's bpftop is an open-source tool providing a dynamic, real-time display of eBPF program statistics on Linux, requiring kernel version 5.8 or later and specific libraries, while minimizing performance overhead by gathering data only when active.
An attacker with access to a Terraform state file can modify it to force the deployment of their own malicious Terraform provider, leading to potential compromise of a CI/CD pipeline, therefore state files should be secured and state locking enabled to mitigate this risk.
# News
A Windows Kernel Elevation of Privilege issue, identified as CVE-2024-21338, is being actively exploited, with Microsoft advising immediate patching, as detailed in their security guidance issued on February 28, 2024.
The BlackCat/ALPHV ransomware group has taken responsibility for a cyberattack on Change Healthcare, claiming to have stolen 6TB of sensitive data which has resulted in an outage affecting over 70,000 pharmacies; UnitedHealth Group is working to restore systems and has not confirmed the breach specifics, while authorities including the FBI, CISA, and HHS warn of increased BlackCat attacks on the healthcare sector.
Cyber attackers, under the alias "SpikedWine", have targeted EU diplomats using a fake wine-tasting invitation to deliver the modular, evasive "WineLoader" backdoor malware, exploiting India-Europe diplomatic relations, with defense against this threat involving multilayered cloud security platforms to detect related IoCs.
Epic Games has debunked the Mogilevich group's claim of breaching their servers, with investigations showing no evidence of an attack or data theft, despite the group's attempts to sell purported stolen data for $15,000 to buyers able to show they have the funds.
Palo Alto Networks' stock value plummeted by 28% after a revised earnings forecast indicated only a 2-4% increase in billings due to a downturn in federal government spending, sparking a class action lawsuit claiming the company made false statements concerning the effectiveness and demand for its platform consolidation strategy and AI products.
North Korean Lazarus hackers exploited a recently discovered zero-day in the Windows AppLocker driver to disable security tools and maintain persistence, resolved by the February 2024 Patch Tuesday update.
The US has prohibited transactions with Canadian company Sandvine after it supplied technology used for mass surveillance and censorship by the Egyptian government, and China's Chengdu Beizhan Electronics has been added to the trade restrictions list for supporting China's nuclear weapons program.
Global pharmaceutical company Cencora reported a cyberattack on February 21, where personal data was stolen, and is currently working with law enforcement and cyber experts to manage the incident, amidst regulations requiring material impact disclosure within four days.
Iranian threat group UNC1549 targets aerospace and defense sectors in the Middle East using spear-phishing with job-themed lures and deploys MINIBIKE and MINIBUS backdoors for espionage via Microsoft Azure cloud infrastructure.
Japan's Computer Security Incident Response Team warns of four Python Package Index (PyPI) packages containing the 'Comebacker' malware loader, attributed to the North Korean hacker group Lazarus, potentially exposing thousands of developers' systems to supply chain attacks.
Russian state-sponsored hackers are exploiting Ubiquiti EdgeRouters to create botnets and steal data, with mitigation advised through hardware resets, firmware updates, and security practices like changing default credentials and enabling firewall rules.
Cisco Talos reveals TimbreStealer malware targeting Mexican users, employing advanced evasion and persistence techniques, focusing on information theft, and highlighting the need for robust email security training and sophisticated endpoint protection.
US President Joe Biden is anticipated to sign an executive order to prevent adversarial nations, including China and Russia, from obtaining American sensitive personal and government-related data, with measures to be enforced by the Justice Department following public commentary periods.
Brand Safety Alliance's GlobalBlock service is now generally available, allowing trademark owners to pay for blocking the registration of wide arrays of domain names that resemble or contain variations of their trademarks, including those with confusable homoglyph characters, with concerns raised about the potential impact on free speech and domain name versatility.
The Google filetype search function for locating specific document types is currently malfunctioning, but there are workarounds available on Henk van Ess's Digital Digging site and updates to this issue are forthcoming.
Abyss Locker ransomware, based on HelloKitty code, is targeting Windows and Linux systems, including VMware ESXi, with behavioural indicators of compromise and security measures provided to detect and block the threat.
Xeno RAT, a sophisticated malware available on GitHub, uses advanced evasion and persistence techniques to compromise computers; users are advised to follow cybersecurity best practices and employ threat intelligence to protect against this evolving threat.