# Latest Podcast
# Description
The security tool Yasha helps in examining Burp Suite proxy history to flag misconfigured security headers in web applications, making report generation more accurate, with its source code open for enhancement on GitHub. SharpCovertTube is an inventive tool that facilitates remote command execution on Windows systems via QR codes in YouTube video thumbnails and uses DNS queries for data exfiltration. The quicmap tool aids in scanning and fingerprinting QUIC-enabled services, identifying supported protocols and security weaknesses. A method involving Windows' built-in SSH client has surfaced, which hackers can exploit for split tunnelling and clandestine traffic forwarding; mitigations include limiting SSH access. There's an exposé of a PHP flaw (CVE-2023-3824) causing a heap overflow through improper handling of phar:// URLs, essentially allowing arbitrary code execution. A detailed cheat sheet provides insights into ELF (Executable and Linkable Format) files, dissecting their structure and showcasing headers, segments, and symbols pertinent to binary file manipulation. The mastering-fuzzing GitHub repository presents a workshop with examples for smart contract developers to grasp fuzzing of Ethereum contracts using tools like Foundry and Echidna. An article demonstrates how to manipulate SentinelOne's "Scan for threats" context menu by tweaking the registry to maintain persistence using an alternative binary. And finally, security experts have revealed a Nim-based loader that patches AmsiScanBuffer and EtwEventWrite, employs a unique GUID node ID for C2 communications, and delivers an encrypted DLL for creating a PowerShell reverse shell.
In the news, Chinese state-sponsored hackers executed the Volt Typhoon cyber intrusion, revealing significant U.S. infrastructure vulnerabilities. Fidelity Investments notified customers of a potential data breach due to a LockBit ransomware attack. The EU mandated Apple to fix two critical iOS vulnerabilities. Amidst escalating cyber threats, Canada's FINTRAC and Duvel Moortgat Brewery faced significant cyberattacks. Globally, companies and governments are being urged to enhance cyber defenses and patch vulnerabilities to combat sophisticated cyber-espionage and ransomware campaigns.
# Tradecraft
The security tool Yasha analyzes Burp Suite proxy history to detect misconfigured security headers in web applications, aiding accuracy and report generation, available on GitHub for community improvement.
The new tool 'quicmap' enables efficient scanning and fingerprinting of QUIC-enabled services, identifying supported protocols and potential security vulnerabilities.
Hackers can use Windows' built-in SSH client for split tunnelling to stealthily forward traffic from a compromised internal network host to an external server; this can be mitigated by removing or restricting SSH access and questioning whether split tunnelling is needed in your network configuration.
The analysis details a PHP vulnerability (CVE-2023-3824) that allowed a heap overflow through the incorrect handling of a phar:// URL, and explains the step-by-step exploitation process used to execute arbitrary code.
The document is a comprehensive cheat sheet detailing the structure and sections of ELF (Executable and Linkable Format) files, including definitions for headers, segments, and symbols, essential for understanding and manipulating binary files on Linux-based systems.
The GitHub repository "mastering-fuzzing" provides practical examples and a workshop for smart contract developers and security enthusiasts to learn fuzzing with tools like Foundry and Echidna to improve testing of Ethereum smart contracts.
The article explains how to manipulate the "Scan for threats" context menu option of SentinelOne by replacing its command registry key to execute a different binary for maintaining persistence.
Security researchers uncovered a Nim-based loader with AmsiScanBuffer and EtwEventWrite patches, using a GUID node ID for C2 communication, which delivers an encrypted DLL containing PsBypassCLM for a PowerShell reverse shell.
# News
The Volt Typhoon cyber intrusion, linked to Chinese state-sponsored hackers, has revealed vulnerabilities in U.S. critical infrastructure, leading to a reassessment of the national cybersecurity strategy and requiring enhanced defense measures beyond current private-public partnerships and hardening of large infrastructure providers.
Fidelity Investments Life Insurance has notified 28,268 customers of a potential data breach after Infosys McCamish Systems was targeted by a LockBit ransomware attack, potentially exposing personal and financial information.
The U.S. government seeks to continue warrantless surveillance under Section 702 of the Foreign Intelligence Surveillance Act without reform, despite criticism from lawmakers and privacy advocates who demand changes to protect American rights.
Canada's financial intelligence agency, FINTRAC, was hit by a cyberattack causing system disruptions, but classified data remained secure, and recovery efforts are underway with the Canadian Centre for Cyber Security.
Duvel Moortgat Brewery was halted by a ransomware attack; while production is suspended, the company assures there is no distribution impact thanks to ample stock, even as the Stormous ransomware group claims to hold 88 GB of stolen data and demands a ransom by March 25, 2024.
FINTRAC, Canada's anti-money laundering agency, experienced a cyber incident leading to offline corporate systems as a precaution, with no classified intelligence systems compromised, and is collaborating with federal partners to restore and bolster defenses.
Cybersecurity researchers at Zscaler's ThreatLabz have identified a Russian-language campaign using spoofed online meeting sites such as "join-skype[.]info" and "us06webzoomus[.]pro" to distribute Remote Access Trojans by mimicking Skype, Google Meet, and Zoom; recommended protections include regular software updates and timely application of security patches.
Apple patched two zero-day vulnerabilities, CVE-2024-23225 and CVE-2024-23296, affecting kernel memory protections in iOS and iPadOS 17.4; one impacts older devices still on iOS 16.x, while the release also addressed two lesser flaws and introduced new user choice compliance features as mandated by the EU's Digital Markets Act.
The BlackCat ransomware group has disappeared after executing an exit scam, closing their darknet site following a $22 million ransom payment, with signs of potential rebranding and discussions of selling their ransomware source code for $5 million.
Apple has patched two actively exploited zero-day vulnerabilities, CVE-2024-23225 and CVE-2024-23296, affecting memory protections in its operating systems; users should update their devices to iOS 17.4 or iPadOS 17.4 immediately, as the flaws could give attackers complete control of a device.
Security researchers have identified a new malware campaign, Spinning YARN, targeting misconfigured or vulnerable servers running Apache Hadoop YARN, Docker, Atlassian Confluence, and Redis to deploy cryptocurrency miners and establish persistent access with reverse shells.
Researchers have identified a ransomware campaign by cybercrime groups GhostSec and Stormous launching their joint RaaS program STMX_GhostLocker to target multiple organizations globally, using tools like GhostLocker 2.0 and affiliate services to execute attacks and evade detection.
Capita suffered a net loss of £106.6 million in 2023, largely due to a cyberattack by the Black Basta ransomware group which incurred costs of £25.3 million and impacted business operations, leading the company to implement a cost-reduction program aiming to save £100 million by mid-2025.
A new advanced persistent threat group named Lotus Bane has been linked to cyberattacks on financial entities in Vietnam, using methods resembling those of the known APT32 group and targeting similar regions, requiring organizations to enhance their cybersecurity measures accordingly.
SEMI, an association of chip vendors, urges the EU to resort to export controls as a last measure for national security and cautions against investment screening mechanisms that might deter non-EU investors, possibly hampering the success of the European Chips Act.
VMware has patched critical vulnerabilities in ESXi, Workstation, and Fusion, with advisories to remove USB controllers from virtual machines until updates can be applied.
The LockBit 3.0 ransomware group, despite infrastructure disruption from Operation Cronos, continues to leak data through peer-to-peer networks, with over 450 unique data-seeking peers logged, indicating that decentralized platforms may become future cybercriminal havens for data distribution.
Researchers have created a new type of malware targeting programmable logic controllers (PLCs) that can remotely disrupt industrial systems without needing physical access, exploiting web-based interfaces and requiring robust multi-layered security measures for mitigation.
Security experts have discovered a critical vulnerability in Zhejiang Uniview ISC cameras (CVE-2024-0778) that allows code injection with root access and has been linked to botnet activity originating from Vietnam; since the devices are end-of-life and will not receive patches, users are advised to replace them.
A critical vulnerability in the go-zero framework, identified as CVE-2024-27302 with a CVSS score of 9.1, has been publicly disclosed, enabling attackers to circumvent CORS policies via flawed origin validation, and users must upgrade to version v1.4.4 to mitigate this security issue.
Akamai security researcher Tomer Peled uncovered a spoofing flaw in Microsoft Themes, tracked as CVE-2024-21320 with a CVSS score of 6.5, which can coerce NTLM authentication and potentially lead to credential compromise; it is recommended to apply Microsoft's January Patch Tuesday 2024 update and restrict NTLM usage via Group Policies for mitigation.