HAQ.NEWS

// Jared Folkins

# Description

Bishop Fox has decrypted the obfuscated FortiOS root filesystem, highlighting Fortinet's encryption enhancements, and offered a decryption script for vulnerability research. Thomas Jeunet conducted an analysis of Arlo cameras, uncovering memory dumping, and gained access to firmware encryption keys, providing a repository for ongoing research. Java application vulnerabilities were examined, suggesting critical mitigations such as input validation and secure coding to counter unsafe deserialization and command injection risks. The sspsec/Scan-Spring-GO repository introduces a penetration-testing tool for the Spring Framework to detect and exploit vulnerabilities, integrating batch scanning. Daniel Underhay showcased password spraying attacks via GitHub Actions with IP rotation, potentially circumventing IP-based security but risking GitHub account closure. The Parasite-Invoke tool conceals P/Invoke signatures inside signed .NET assemblies for stealthy code execution. Lastly, SessionProbe is a penetration-testing tool that discovers authorization issues in web applications by probing session tokens against different URLs.

In the news, a malware campaign called Balada Injector exploits a vulnerability in the Popup Builder WordPress plugin, impacting over 3,300 sites, preventable by updating the plugin. HKCERT warns of increased phishing in Hong Kong. Magnet Goblin targets Ivanti VPN and Magento servers using NerbianRAT malware. Rhysida's ransomware attack on Lurie Children's Hospital in Chicago involved data theft. pgAdmin addressed a critical vulnerability in version 8.4. Midnight Blizzard, a Russian group, stole Microsoft's source code. Meta plans interoperability for its messaging services, aligning with the EU's Digital Markets Act.

# Tradecraft

[#] Bishop Fox has detailed their process of decrypting the obfuscated FortiOS root filesystem, revealing enhanced encryption by Fortinet and providing a decryption script for use in vulnerability research.
Read More @ bishopfox.com
[#] A thorough analysis of Arlo cameras by Thomas Jeunet revealed successful memory dumping, firmware anatomy, encryption keys for decrypting updates, and a repository with tools for further research, emphasizing the significance of understanding encryption and update mechanisms in security research.
Read More @ synacktiv.com
[#] Multiple Java application vulnerabilities are detailed, covering unsafe deserialization, command injection, script execution, and insecurely configured libraries, with recommended mitigations including input validation, use of whitelists, restricted permissions, and secure coding practices.
Read More @ redteamrecipe.com
[#] The repository sspsec/Scan-Spring-GO features a penetration-testing tool developed in Go for detecting and exploiting common vulnerabilities in the Spring Framework, with support for a range of Spring versions and vulnerabilities such as CVE-2022-22965, and offers both single-URL and batch scanning capabilities.
Read More @ github.com
[#] Daniel Underhay demonstrates how GitHub Actions can be used for password spraying attacks with IP rotation, bypassing typical security measures like IP-based blocking, with a proof of concept targeting the Microsoft login portal, while also noting the potential for account closure due to abuse of GitHub services.
Read More @ aurainfosec.io
[#] The Parasite-Invoke tool enables hiding of P/Invoke signatures by locating them in signed .NET assemblies from other software, allowing for less detectable code execution by referencing existing trusted code.
Read More @ github.com
[#] SessionProbe is a multi-threaded penetration testing tool that helps identify authorization issues in web applications by using session tokens to test access to various URLs.
Read More @ securityonline.info

# News

[#] A widespread malware campaign exploiting a vulnerability CVE-2023-6000 in the Popup Builder WordPress plugin, identified as Balada Injector and affecting over 3,300 websites, can be mitigated by updating the plugin, conducting a full system scan, and implementing a web application firewall.
Read More @ securityonline.info
[#] HKCERT reports a rise in phishing campaigns in Hong Kong with fraudsters mimicking authoritative agencies to steal data, advocating for careful URL inspection and verification practices to bolster individual and organizational cyber defense.
Read More @ securityonline.info
[#] Magnet Goblin, a financially motivated threat actor, rapidly exploits 1-day vulnerabilities in systems such as Ivanti Connect Secure VPN and Magento servers, deploying malware such as NerbianRAT and MiniNerbian to gain unauthorized access, potentially for financial gain; Check Point advises users of its IPS and Harmony Endpoint products for protection.
Read More @ checkpoint.com
[#] The Lurie Children's Hospital in Chicago has had its systems compromised and data stolen through a ransomware attack by Rhysida, with claims that the data has been sold for $3.4 million in bitcoin, and efforts towards system recovery and investigation by law enforcement are underway.
Read More @ scmagazine.com
[#] pgAdmin versions up to 8.3 have a critical path traversal vulnerability leading to RCE, and users should upgrade to version 8.4 to protect their systems.
Read More @ shielder.com
[#] A remote code execution vulnerability in Atlassian Confluence, identified as CVE-2023-22527, is being exploited in the wild with stealthy in-memory web shell payloads that execute code without file system access, making detection difficult; patching the software and limiting its internet exposure by placing it behind a VPN are recommended mitigations.
Read More @ darkreading.com
[#] Microsoft has acknowledged that the Russian hacking group Midnight Blizzard, previously reported to have accessed company emails, has also stolen source code and infiltrated other internal systems, with Microsoft reaching out to affected customers for mitigation and continuing to investigate the breach.
Read More @ theregister.com
[#] Microsoft's internal systems and source code repositories were accessed by the Russian hacking group Midnight Blizzard using authentication secrets stolen in a January attack, prompting Microsoft to enhance security measures and assist impacted customers.
Read More @ bleepingcomputer.com
[#] Meta is adapting WhatsApp and Messenger to support interoperability with third-party messaging services in response to the EU's Digital Markets Act, leveraging the Signal Protocol for encryption and establishing a plug-and-play model for connectivity.
Read More @ thehackernews.com
[#] The QEMU emulator has been abused to create network tunnels for unauthorized access to a large company's network, demonstrating the need for multi-layered security strategies that include endpoint protection and advanced threat detection systems.
Read More @ thehackernews.com
[#] Cisco has patched a high-severity bug in its Secure Client that could let attackers hijack a VPN session by tricking users into clicking a malicious link, with updates released for various versions to close the security gap.
Read More @ thehackernews.com
[#] Security vulnerabilities in Kontrol and Elock smart locks, made by Sciener, expose them to hacking due to issues like brute force and encryption downgrade attacks; replacing them is recommended as software updates do not resolve all issues.
Read More @ securityonline.info
[#] Switzerland's National Cyber Security Centre reports that Play ransomware leaked 65,000 documents from a ransomware attack on Xplain, affecting sensitive Federal government files, with a complete investigation and cybersecurity recommendations forthcoming by month's end.
Read More @ bleepingcomputer.com
[#] JetBrains TeamCity patched a critical authentication bypass vulnerability CVE-2024-27198 after over 1,400 servers were compromised, urging users to upgrade and check for unauthorized activity or user accounts.
Read More @ scmagazine.com
[#] State attorneys general demand that Meta substantially strengthen its security measures, including staffing and multi-step authentication, to combat rising complaints of account takeovers, particularly those exacerbated by issues such as recycled phone numbers.
Read More @ theregister.com
[#] Recent analysis demonstrates that Tesla vehicles are susceptible to man-in-the-middle (MitM) phishing attacks at charging stations through fake Wi-Fi networks, which can lead to unauthorized creation of 'Phone Keys' and potential car theft without alerting the owner; Tesla claims this is intended behavior, despite the security implications.
Read More @ bleepingcomputer.com
[#] Recently uncovered Fenix Botnet targets Latin American financial institutions through deceptive websites that download RATs capable of data exfiltration and system surveillance, urging users to maintain caution and implement robust antivirus solutions to safeguard against such sophisticated malware schemes.
Read More @ securityonline.info
[#] Investors in India and around the world are falling victim to a sophisticated pig-butchering scam involving counterfeit trading apps on social media, which has stolen over $75 million by promising high returns and then blocking withdrawals, with protective strategies including due diligence, data prudence, reporting suspicions, and increasing awareness.
Read More @ securityonline.info
[#] Canva's security team identified vulnerabilities in font processing tools, with serious bugs found in the FontTools library and potential command injections in FontForge when handling untrusted font archives, highlighting the need for fonts to be treated as untrusted input and advocating for heightened security research in this domain.
Read More @ theregister.com
[#] Steven Rostedt has developed experimental patches for the Linux kernel that enable tracing of system activity which persists across reboots or crashes, which could significantly aid in debugging.
Read More @ phoronix.com

# F.A.Q.

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr regarding the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

Why

FWIW, HAQ.NEWS really started out as my personal news feed, enriched by AI and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

Current friend of HAQ 2024-03-09

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins