HAQ.NEWS

// Jared Folkins

# Latest Podcast

# Description

In today's tradecraft, WinFiHack is a Python tool for brute-forcing Windows Wi-Fi connections using netsh and native scripts. An incident response consultant employed OSINT to reveal a phishing campaign at a financial institution. Permiso Security launched CloudGrappler, a detection tool for AWS and Azure threats. A new Rust-based project allows code injection into Android without ptrace. PichichiH0ll0wer is a Nim loader focusing on payload protection. Trend Micro described Earth Kapre's espionage tactics. ASP.NET Core is a multi-platform framework for building web applications, with potential source code disclosure risks addressed by updating IIS/.NET and disabling short name file creation. Maldev Academy Code Search aids cyber security professionals with malware code snippets. SecureLayer7 Lab analyzed a Confluence Data Center CVE, and GitLab open-sourced a video content scanning tool. A series on Baphomet Ransomware explains encryption operations. CyberArk shares rootkit detection methods. Kraven Security provides a guide for developing Python threat hunting tools. The Penetration Testing Lab lists techniques for system persistence. A datasheet includes resources for Earth Observation data. CalcMaps offers mapping tools online. A cyber range training course covers Linux Attack and Live Forensics.

In the news, the Xunlei Accelerator app, deemed a security threat, contains outdated components leading to potential system breaches. TA4903, posing as U.S. agencies, uses QR codes in BEC attacks, while compromised WordPress sites spread brute-forcing scripts, indicating strategic shifts. Tycoon and Storm-1575 target U.S. schools with advanced phishing; the Bifrost Trojan attacks Linux users through typosquatting. Cisco, Qualcomm, Microsoft, and Veritas address significant vulnerabilities. The Play ransomware group, JetBrains TeamCity, and Northeast Orthopedics face data breaches, alongside millions of Glosbe and Tesla users. North Korean hackers deploy ToddlerShark malware, and various entities face increased cyber threats. Cybercrime evolves, emphasizing the need for digital protection and global response efforts.

# Tradecraft

[#] WinFiHack is a Python-based Windows Wi-Fi brute-forcing tool that relies on netsh and native scripts without external dependencies, using an interactive, menu-driven system for network interfacing and password file inputs to attempt connections via custom XML configurations until successful.
Read More @ kitploit.com
[#] An incident response consultant used Open Source Intelligence (OSINT) techniques to uncover and address fraudulent activity at a financial institution by analyzing DNS records, Shodan, Leakix, and certificate services, leading to the identification of a phishing campaign against bank customers.
Read More @ blackhillsinfosec.com
[#] Permiso Security introduces CloudGrappler, an open-source detection tool acting as a cybersecurity detective to help teams identify suspicious actions in AWS and Azure environments by querying known threat actor TTPs, with features for defining scan scope, incorporating threat intelligence, and generating detailed reports for a proactive defense against actors like LUCR-3.
Read More @ permiso.io
[#] A new Rust-developed project enables code injection into Android processes without ptrace by utilizing /proc/mem and synchronization primitives, demonstrated by successfully injecting a Frida gadget library.
Read More @ github.io
[#] PichichiH0ll0wer is a Nim-based loader designed for process hollowing to protect payloads through encryption, optional splitting, support for direct and indirect system calls, anti-debugging, and obfuscation techniques.
Read More @ securityonline.info
[#] Trend Micro's Managed Detection and Response team details the tactics of Earth Kapre espionage group, which uses sophisticated methods to evade detection and execute commands for unauthorized data collection.
Read More @ trendmicro.com
[#] ASP.NET Core is a free, open-source, cross-platform framework for building high-performance web applications and services with .NET and C#, supporting web UIs, REST APIs, real-time communication, microservices, and multi-factor authentication.
Read More @ ASP.NET
[#] ASP.NET applications may inadvertently disclose source code due to improperly managed cookieless sessions or misconfigured IIS settings, which can be mitigated by updating IIS/.NET Framework and disabling short name (8.3) file creation.
Read More @ ptsecurity.com
[#] Maldev Academy Code Search is a resource for cyber security professionals, providing a large collection of malware technique code snippets that facilitate faster project development, assembling modular code, and enhancing the learning experience through course integration.
Read More @ maldevacademy.com
[#] SecureLayer7 Lab provides an in-depth analysis and solution for the critical CVE-2023-22518 authentication bypass in Confluence Data Center, detailing the installation of a testing environment, reproducing the vulnerability, identifying the root cause linked to Apache Struts, and implementing a fix involving additional authentication checks for administrative functions.
Read More @ securelayer7.net
[#] GitLab's security team has developed and open-sourced a video content scanning tool that uses Google Cloud's Video Intelligence API and OCR to detect and mitigate risks by identifying API keys and other sensitive tokens potentially exposed in videos, with adjustments for OCR inaccuracies through approximate regex matching.
Read More @ gitlab.com
[#] The author discusses the design of Baphomet Ransomware and introduces a series explaining ransomware operations, focusing on encryption methods including symmetric, asymmetric, and hybrid, while emphasizing the importance of digital hygiene to prevent attacks.
Read More @ patreon.com
[#] CyberArk outlines rootkit detection and analysis techniques, emphasizing the importance of system protections like Kernel Patch Protection and Driver Signature Enforcement to prevent these stealthy malware types from compromising organizational security.
Read More @ cyberark.com
[#] A series of articles on Kraven Security details how to create Python-based threat hunting tools, covering topics from web scraping and API interaction to creating executables and integrating with threat intelligence platforms like MISP and CrowdStrike Falcon.
Read More @ kravensecurity.com
[#] The Penetration Testing Lab lists 39 techniques for establishing persistence in a system, indicating whether admin rights are needed, allowing hackers to maintain access after initial compromise.
Read More @ pentestlab.blog
[#] The datasheet presents a comprehensive list of sources and satellites for accessing various types of Earth Observation data, with details on their open source status, scripting capabilities, and supported satellite sensors, useful for hackers interested in satellite imagery and geospatial analysis.
Read More @ google.com
[#] The content details an extensive cyber range training course on Linux Attack, Detection and Live Forensics, designed to educate on creating attack paths, improve detection, understand Linux internals, telemetry needs, and utilize hands-on labs for practical understanding and defensive tactics against sophisticated Linux threats.
Read More @ defensive-security.com

# News

[#] The Xunlei Accelerator app, with multiple outdated components and vulnerable to numerous security flaws, should not be used on untrusted networks, and users should avoid installing it on shared computers due to potential for system compromise and malicious plugin installation.
Read More @ palant.info
[#] A group operating under the name TA4903 is conducting financially motivated business email compromise (BEC) attacks by impersonating U.S. government agencies and using tactics such as QR codes in PDFs to redirect victims to phishing sites, with the aim of gaining access to corporate networks for fraudulent financial gains.
Read More @ bleepingcomputer.com
[#] Hackers are leveraging compromised WordPress sites to distribute scripts that enlist visitors' browsers in brute-forcing other sites' login credentials, with over 1,700 known affected sites, suggesting a shift toward more covert attack strategies to amass a broader network for future exploitation.
Read More @ bleepingcomputer.com
[#] Tycoon and Storm-1575 threat groups are conducting sophisticated spear phishing attacks targeting US schools to bypass Multi-Factor Authentication and harvest Microsoft 365 credentials, necessitating increased awareness and implementation of AI-driven browser and email layer defenses.
Read More @ hackread.com
[#] A resurgence of the Bifrost Trojan, which targets Linux systems through typosquatting, posing as a legitimate VMware domain to evade detection, has been noted by Palo Alto Networks, with recommendations to utilize advanced firewall products and cloud-specific security services for protection.
Read More @ darkreading.com
[#] Cisco has released patches for two high-severity vulnerabilities affecting their Secure Client VPN product, one allowing attackers to perform CRLF injection attacks for code execution and SAML token access, and the other enabling arbitrary code execution with root privileges when a malicious library file is introduced by an authenticated user.
Read More @ packetstormsecurity.com
[#] Qualcomm has fixed two critical vulnerabilities (CVE-2023-28578 & CVE-2023-28582) in its chips that could allow memory corruption and device control, and has advised manufacturers to distribute the necessary security updates to users.
Read More @ securityonline.info
[#] A vulnerability in Microsoft Themes (CVE-2024-21320) allowing credential theft through manipulated theme files has been detailed, with a patch available in the January 2024 Patch Tuesday update that introduces checks against UNC path abuse and a registry value to prevent thumbnail previews on network folders.
Read More @ securityonline.info
[#] A critical vulnerability, CVE-2024-28222, in Veritas NetBackup has been identified, allowing unauthenticated remote code execution; updating to the latest versions is recommended to mitigate the risk.
Read More @ securityonline.info
[#] A serious vulnerability designated CVE-2024-2044 in pgAdmin could allow authenticated attackers to execute code remotely, but upgrading to version 8.4 or later mitigates the risk by improving input validation and path construction.
Read More @ securityonline.info
[#] The Play ransomware group compromised Swiss IT services provider Xplain, leaking 65,000 government documents including classified information and login credentials, prompting a coordinated response and investigation by Swiss cybersecurity authorities to mitigate the impact and prevent further breaches.
Read More @ hackread.com
[#] Over 1,440 instances of JetBrains TeamCity have been compromised due to a critical authentication bypass flaw CVE-2025-27198, with increased exploitation attempts noted, leading to concerns about potential supply chain attacks.
Read More @ scmagazine.com
[#] Over 177,000 individuals' data was compromised in the Northeast Orthopedics cyberattack, which included personal and medical information, and affected parties are advised to monitor their credit reports and account statements for any unusual activity.
Read More @ scmagazine.com
[#] Almost 7 million Glosbe users' personal data, including social media identifiers and encrypted passwords, were exposed due to a misconfigured MongoDB server, which is now secured following a Cybernews report, raising risks of identity theft and unauthorized account access.
Read More @ scmagazine.com
[#] Researchers revealed a Man-in-the-Middle (MiTM) phishing attack method that can compromise Tesla accounts by spoofing Wi-Fi networks, allowing attackers to add a new 'Phone Key' and potentially steal the vehicle without prompting proper authentication or notifying the owner.
Read More @ bleepingcomputer.com
[#] North Korean hackers, known as the Kimsuky group, are exploiting new vulnerabilities in ScreenConnect software to deploy ToddlerShark malware, so administrators need to patch to version 23.9.7 or later and conduct system checks for signs of compromise.
Read More @ packetstormsecurity.com
[#] Moldova's national intelligence warns of potential Russian cyberattacks aimed at destabilizing the country's government and influencing the upcoming elections, advocating for heightened security measures and awareness.
Read More @ securityaffairs.com
[#] The FBI reports that the U.S. incurred a record $12.5 billion loss to online crime in 2023, with notable surges in tech support and extortion scams, while best practices for cloud service security and asset recovery efforts are in place to counteract the growing trend.
Read More @ bleepingcomputer.com
[#] Belgian brewery Duvel Moortgat's production was halted by a ransomware attack, with recovery efforts underway though operational timelines are uncertain, highlighting the manufacturing sector's high risk for such cyber incidents and the costly impact of operational disruption.
Read More @ theregister.com
[#] Security experts have reported that over 700 compromised WordPress sites are being used to launch distributed brute-force attacks via malicious JavaScript injections, using visitor browsers to target other sites, with recommended actions including updating plugins and employing strong, unique passwords to mitigate unauthorized access.
Read More @ thehackernews.com
[#] A cyberespionage group called Evasive Panda has been targeting the Tibetan community through compromised Tibetan websites and a supply chain attack on language translation software, using malicious downloads to deploy backdoors like MgBot and a new tool called Nightdoor, which leverages Google Drive for command and control.
Read More @ thehackernews.com
[#] A recent Linux malware campaign is exploiting insecure configurations in Apache Hadoop, Confluence, Docker, and Redis servers to insert cryptocurrency miners and maintain persistent access via reverse shells and rootkits.
Read More @ securityaffairs.com
[#] U.S. legislators introduced a bill that could ban TikTok by mandating ByteDance to divest it or face fines, citing national security concerns due to the potential influence of the Chinese Communist Party on the app's content and user data.
Read More @ theregister.com
[#] Scam operations have evolved from simple account theft to sophisticated dating and Classiscam frauds, leveraging social engineering, phishing, and automation for greater profit, with underground cultures and global expansion.
Read More @ medium.com
[#] Global incident response teams are available around the clock to assist with cybersecurity events, with contact numbers provided for the Asia-Pacific, Europe and North America, and Middle East and Africa regions.
Read More @ group-ib.com
[#] Researchers at Group-IB have identified a new malicious iOS Trojan called GoldPickaxe, distributed through Apple's TestFlight and MDM profiles, capable of stealing facial recognition and personal data to access banking accounts, now linked to a threat actor known as GoldFactory, who also targets Android devices with a suite of evolving Trojans that includes GoldDigger and GoldKefu, leveraging social engineering for distribution across the APAC region.
Read More @ group-ib.com
[#] Cybercrime-as-a-Service models are increasingly enabling individuals with minimal technical skills to perpetrate offenses by subscribing to services for DDoS attacks, phishing, ransomware creation, malware distribution, and accessing compromised data, requiring heightened digital hygiene for protection.
Read More @ medium.com

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr of the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

Why

FWIW, HAQ.NEWS really started out as my personal news feed, enriched by AI and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

current friend of haq 2024-03-08

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins