HAQ.NEWS

// Jared Folkins

# Latest Podcast

# Description

Today's cybersecurity updates cover a range of topics, starting with techniques for SMB enumeration. WebSockets face risks from Cross-Site WebSocket Hijacking (CSWSH), and there's a keylogger that uses DNS tunneling for data exfiltration. GitHub now offers code scanning autofix, while a Chrome V8 vulnerability (CVE-2023-3079) shows how a type confusion bug in the JavaScript engine leads to code execution. "asploit" emerges as a new tool for one-line server-side backdoors, and "Bob the Smuggler" hides malicious payloads using HTML Smuggling. OSTE-Meta-Scanner scans for web injection flaws, and Attacknet chaos-tests blockchain nodes. Abusing DACLs for domain control is explained, and Hadess shares its security services and educational material. Rembg handles background removal in images. Wigle.net helps in tracking down Wi-Fi-connected suspects, while Netlas.io improves attack surface discovery. Project Zero examines the limits of MTE for kernel security, and Windows 11 showcases a protective KUSER_SHARED_DATA change. A browser exploit for Microsoft Edge is dissected. Microsoft Exchange servers' Active Directory permissions put domains at risk, prompting calls to limit them. Lastly, HiddenVM lets you run OSes within Tails.

# Tradecraft

[#] This document is a detailed guide on Server Message Block (SMB) enumeration techniques using various tools like netexec, smbclient, and Impacket scripts, essential for Windows network assessments.
Read More @ gitlab.io
[#] WebSockets enable real-time communication but, because the browser attaches cookies to the handshake request, they can be vulnerable to Cross-Site WebSocket Hijacking (CSWSH); the defence is to validate the Origin header during the handshake and to set the session cookie's SameSite attribute to Lax or Strict so it is not sent on cross-site handshakes.
Read More @ blackhillsinfosec.com
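The two defences above, as an added example (not code from the Black Hills post): a handshake validator that refuses the upgrade unless the Origin header exactly matches an allowlist, computes the RFC 6455 accept key, and issues the session cookie with SameSite=Strict. The origin https://app.example.com and the header values are assumed for illustration.

```python
import base64
import hashlib
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Fixed GUID from RFC 6455 that the server appends to the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(sec_websocket_key: str) -> str:
    """Compute Sec-WebSocket-Accept (RFC 6455, section 4.2.2)."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def origin_allowed(origin: Optional[str], allowed: Set[str]) -> bool:
    """Exact-match the Origin header against an allowlist of 'scheme://host[:port]'.

    Browsers always send Origin on a WebSocket handshake. A missing header or the
    literal 'null' therefore means a non-browser or sandboxed client and is refused
    here; give such clients a separate token-based path if you need them.
    Substring or endswith checks are the classic mistake (they accept
    'https://app.example.com.evil.test'), so the whole normalised origin is compared.
    """
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return False
    if parts.path or parts.query or parts.fragment:
        return False
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}" in allowed


def handshake_response(headers: Dict[str, str], allowed_origins: Set[str],
                       session_cookie: Optional[str] = None) -> Tuple[int, List[Tuple[str, str]]]:
    """Decide the response to an HTTP Upgrade request: 101, 400 or 403 plus headers."""
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, [("Connection", "close")]
    if not origin_allowed(h.get("origin"), allowed_origins):
        # Refuse before completing the upgrade: a cross-site page never gets a socket,
        # even though the browser attached the victim's cookies to this request.
        return 403, [("Connection", "close")]
    resp = [
        ("Upgrade", "websocket"),
        ("Connection", "Upgrade"),
        ("Sec-WebSocket-Accept", accept_key(h["sec-websocket-key"])),
    ]
    if session_cookie is not None:
        # Second layer: with SameSite=Strict the browser will not attach this cookie
        # to a handshake initiated from another site at all.
        resp.append(("Set-Cookie", f"session={session_cookie}; Secure; HttpOnly; SameSite=Strict"))
    return 101, resp


if __name__ == "__main__":
    allowed = {"https://app.example.com"}  # assumed application origin
    # Constructed handshake, as a browser would send it from an attacker's page.
    attacker = {"Upgrade": "websocket", "Connection": "Upgrade",
                "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==", "Origin": "https://evil.test"}
    print(handshake_response(attacker, allowed))
    legit = dict(attacker, Origin="https://app.example.com")
    print(handshake_response(legit, allowed, session_cookie="s1"))
```

The Origin check is the one that actually stops CSWSH; SameSite is defence in depth, since a Lax cookie is still sent on some top-level navigations and older browsers ignore the attribute.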
[#] DNS-Tunnel-Keylogger is a post-exploitation tool that encodes captured keystrokes into DNS queries for an attacker-controlled zone, so the data leaves through outbound DNS that firewalls almost always allow, which makes it hard to detect.
Read More @ kitploit.com
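To make the mechanism concrete, here is an added example (not the DNS-Tunnel-Keylogger code) that shows both halves: the client packs keystrokes into base32 labels under an assumed zone, t.example.invalid, respecting the 63-byte label and 253-byte name limits, and a defender-side heuristic flags zones that receive many long, high-entropy unique subdomains. The keystroke sample and the benign hostnames are constructed.

```python
import base64
import math
from collections import Counter, defaultdict
from typing import Dict, List

# Assumed attacker-controlled zone; every query under it reaches the exfil server.
EXFIL_ZONE = "t.example.invalid"
MAX_LABEL = 63   # RFC 1035 per-label limit
MAX_NAME = 253   # RFC 1035 limit on the full name


def encode_keystrokes(data: bytes, seq: int, zone: str = EXFIL_ZONE) -> List[str]:
    """Pack data into query names of the form <seq>-<idx>.<base32 labels>.<zone>.

    Base32 is used because DNS names are case-insensitive and resolvers may
    rewrite case in transit, which would corrupt base64.
    """
    b32 = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    names, pos, idx = [], 0, 0
    while pos < len(b32):
        prefix = f"{seq}-{idx}"          # lets the server reorder and deduplicate
        labels = []
        used = len(prefix) + 1 + len(zone)
        while pos < len(b32):
            room = MAX_NAME - used - 1   # one more dot if another label is added
            take = min(MAX_LABEL, room, len(b32) - pos)
            if take <= 0:
                break
            labels.append(b32[pos:pos + take])
            used += take + 1
            pos += take
        if not labels:
            raise ValueError("zone too long to carry any payload")
        names.append(".".join([prefix, *labels, zone]))
        idx += 1
    return names


def reassemble(names: List[str], zone: str = EXFIL_ZONE) -> Dict[int, bytes]:
    """Server side: group fragments by sequence number and decode each message."""
    frags: Dict[int, Dict[int, str]] = defaultdict(dict)
    for name in names:
        if not name.endswith("." + zone):
            continue
        labels = name[: -len(zone) - 1].split(".")
        seq, idx = (int(x) for x in labels[0].split("-"))
        frags[seq][idx] = "".join(labels[1:])
    out = {}
    for seq, parts in frags.items():
        b32 = "".join(parts[i] for i in sorted(parts)).upper()
        out[seq] = base64.b32decode(b32 + "=" * (-len(b32) % 8))
    return out


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_zone(qname: str) -> str:
    # Simplification: last two labels. A real detector uses the Public Suffix List.
    return ".".join(qname.split(".")[-2:])


def flag_tunnels(qnames: List[str], min_queries: int = 5,
                 min_sub_len: float = 40.0, min_entropy: float = 3.5) -> Dict[str, dict]:
    """Defender side: flag zones receiving many long, high-entropy unique subdomains."""
    by_zone: Dict[str, set] = defaultdict(set)
    for q in qnames:
        zone = registered_zone(q)
        sub = q[: -len(zone) - 1] if q.endswith("." + zone) and len(q) > len(zone) else ""
        by_zone[zone].add(sub)
    flagged = {}
    for zone, subs in by_zone.items():
        if len(subs) < min_queries:
            continue
        avg_len = sum(len(s) for s in subs) / len(subs)
        ent = shannon_entropy("".join(subs).replace(".", ""))
        if avg_len >= min_sub_len and ent >= min_entropy:
            flagged[zone] = {"queries": len(subs), "avg_len": round(avg_len, 1), "entropy": round(ent, 2)}
    return flagged


if __name__ == "__main__":
    keystrokes = b"user typed: password123\n" * 40        # constructed sample
    queries = encode_keystrokes(keystrokes, seq=7)
    print(len(queries), "queries, first:", queries[0][:60] + "...")
    print(reassemble(queries)[7] == keystrokes)
    benign = [f"{h}.example.com" for h in ("www", "mail", "api", "cdn", "login", "static")]
    print(flag_tunnels(benign + queries))
```

The detection thresholds are deliberately loose starting points: on a real resolver log, length and query volume per zone separate tunnels from CDN or anti-spam lookups far better than entropy alone, which is why the check requires both length and entropy.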
[#] GitHub introduced code scanning autofix, now in public beta for Advanced Security users, suggesting automated fixes for vulnerabilities in several programming languages with plans to expand support.
Read More @ thehackernews.com
[#] A vulnerability in Google Chrome's V8 JavaScript engine, identified as CVE-2023-3079, causes a type confusion error that lets attackers access memory out of bounds, which can lead to arbitrary code execution if exploited.
Read More @ theori.io
[#] The GitHub repository for 'asploit' provides a tool for creating one-line backdoors in various server-side scripting languages, enabling remote control and exploitation of compromised servers.
Read More @ github.com
[#] "Bob the Smuggler" is a tool for HTML Smuggling: it conceals a compressed malicious payload inside an image file so that JavaScript in the page reassembles and drops it client-side, bypassing perimeter controls that only inspect files fetched as downloads.
Read More @ securityonline.info
[#] OSTE-Meta-Scanner is a tool combining several Dynamic Application Security Testing scanners for detecting web injection vulnerabilities, and it provides easy-to-understand reports in JSON and HTML formats.
Read More @ securityonline.info
[#] Trail of Bits has released Attacknet, a new chaos testing tool for uncovering bugs in blockchain nodes by simulating extreme network conditions.
Read More @ trailofbits.com
[#] The article details how to exploit Discretionary Access Control List (DACL) permissions to manipulate domain objects and users, which includes gaining full control, adding users to privileged groups, changing passwords without prior knowledge, and escalating privileges within a domain.
Read More @ hadess.io
[#] Hadess provides various cybersecurity services including adversary emulation and application security testing, and also offers educational resources like eBooks on topics such as DACL abuse and recent vulnerabilities in the Korenix JETIO 6550.
Read More @ hadess.io
[#] Rembg is a Python tool for removing the background from images, which can be installed for CPU or GPU support and used through several different methods including command line interface, as an HTTP server, or in Python code.
Read More @ github.com
[#] The article details using Wigle.net to track a suspect's location by searching for the Wi-Fi Access Point they've connected to, with steps on locating an AP by its SSID and MAC address, and narrowing down a target's location through their phone's tethered AP SSID.
Read More @ hackers-arise.net
[#] Netlas.io updated their Attack Surface Discovery tool to support group operations for up to 100,000 results, enabling better organization and analysis of large cyber infrastructure.
Read More @ netlas.io
[#] Project Zero discusses the challenges of MTE in kernel security, noting bypass techniques, areas needing confidentiality preservation, and DMA implications, with suggestions for systematic problem resolution.
Read More @ blogspot.com
[#] In Windows 11 Insider Preview builds the KUSER_SHARED_DATA structure, historically mapped read/write at a fixed kernel address, is now read-only at that address while the kernel writes to it through a separate randomized view; exploits that used the fixed mapping as a known writable location now need a kASLR bypass first.
Read More @ github.io
[#] This post details the development of a browser exploit for a type confusion vulnerability in Microsoft Edge, involving manipulating memory objects through JavaScript to bypass security mitigations and achieve code execution.
Read More @ github.io
[#] Microsoft Exchange on-premises servers have extensive permissions in Active Directory that can be exploited to gain full control over the domain, and while some past issues have been fixed, Exchange admins must consider restricting these permissions or adopting the AD split permission model to secure their environments.
Read More @ specterops.io
[#] The document details methods for exploiting weak permissions in Active Directory's access control lists to perform various attacks such as password resets, privilege escalation, and group membership changes.
Read More @ ired.team
[#] The content details methods and tools for conducting cybersecurity attacks and penetration tests, including exploiting various Active Directory vulnerabilities and abusing system privileges to escalate access and compromise domain control.
Read More @ ired.team
[#] HiddenVM is a free, open-source tool that lets you run various desktop operating systems virtually within the Tails environment without leaving evidence on the physical machine, and it can use the internet without going through Tails' Tor network by default.
Read More @ github.com

# News

[#] The National Vulnerability Database is experiencing delays in documenting new cybersecurity threats, leading the security community to look for alternative sources and consider creating a new industry consortium for managing vulnerability data.
Read More @ darkreading.com
[#] The US House of Representatives has unanimously passed a bill preventing data brokers from selling private information to countries like North Korea, Russia, China, and Iran, with a move in the Senate anticipated for further action.
Read More @ theregister.com
[#] Microsoft tests new spellcheck and autocorrect features in the Windows 11 Notepad for insiders, aiming to help users easily identify and fix spelling errors without affecting log and source code files.
Read More @ bleepingcomputer.com
[#] The KDE team has advised users to be cautious when installing global themes from the KDE Store due to a recent incident where a theme ran a 'rm -rf' command that deleted a user's files, and further action will be taken to audit and curate store content.
Read More @ bleepingcomputer.com
[#] Chinese operators are using racks of smartphone motherboards to commit cyber-crimes like fake e-commerce orders and SEO manipulation, avoiding detection by constantly changing IP addresses, despite the practice being illegal under China's telecommunications regulations.
Read More @ packetstormsecurity.com
[#] Security researchers at Horizon3 have identified an SQL injection vulnerability in Fortinet's FortiClient EMS that enables remote code execution; enterprises should update promptly and review logs for signs of exploitation.
Read More @ securityonline.info
[#] Following law enforcement actions against major ransomware groups LockBit and ALPHV/BlackCat, smaller gangs like Medusa, RansomHub, and Cloak are recruiting affiliates by offering varying ransom shares and payment structures.
Read More @ scmagazine.com
[#] AWS Managed Workflows for Apache Airflow had a vulnerability that allowed session hijacking, but AWS has patched the bug and advised customers to update their environments, whereas Google has not yet addressed a similar issue across their cloud services.
Read More @ darkreading.com
[#] The Pwn2Own 2024 hacking competition awarded over $700,000 for the discovery of 19 new security exploits in products like Tesla vehicles, web browsers, and virtualization software, emphasizing the essential role of such competitions in improving cybersecurity by revealing vulnerabilities that vendors can then address.
Read More @ hackread.com
[#] A security team uncovers the Unsaflok flaw in Saflok electronic locks affecting millions of hotel doors, prompting a mitigation process wherein 64% remain vulnerable as of March 2024, with further details to be disclosed once the majority of locks are updated.
Read More @ bleepingcomputer.com
[#] In March 2024, Rhysida ransomware group launched a cyberattack against MarineMax, a US yacht dealer, claiming to auction stolen data for 15 Bitcoin if the company refuses to pay the ransom.
Read More @ theregister.com
[#] Russian hackers infiltrated a European NGO's systems using a malware called TinyTurla-NG and a data tunneling tool named Chisel to exfiltrate data and evade detection with Microsoft Defender antivirus exclusions.
Read More @ thehackernews.com
[#] Researchers at JFrog have uncovered over 800 npm packages with content that doesn't match their registry entries, including 18 packages capable of a "manifest confusion" exploit, necessitating verification of package contents and dependencies before use by developers.
Read More @ thehackernews.com
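The verification the item calls for, as an added example (not JFrog's tooling): npm serves one manifest from the registry's version document, but `npm install` runs the `package.json` inside the tarball, so the two are compared field by field. The package name, version and the in-memory tarballs below are constructed fixtures; against a real package you would fetch the version document from the registry and the tarball from its `dist.tarball` URL.

```python
import io
import json
import tarfile
from typing import Dict, Tuple

# Registry manifest fields that must agree with package/package.json in the tarball.
# scripts is the one that matters most: a hidden postinstall runs on `npm install`.
SCALAR_FIELDS = ("name", "version")
DICT_FIELDS = ("dependencies", "scripts")


def read_tarball_manifest(tgz: bytes) -> dict:
    """Read package/package.json from an npm tarball (npm always packs under package/)."""
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as tar:
        member = tar.getmember("package/package.json")
        return json.load(tar.extractfile(member))


def manifest_mismatches(registry_manifest: dict, tgz: bytes) -> Dict[str, Tuple]:
    """Return {field: (registry value, tarball value)} for every field that differs."""
    inner = read_tarball_manifest(tgz)
    diffs = {}
    for key in SCALAR_FIELDS:
        if registry_manifest.get(key) != inner.get(key):
            diffs[key] = (registry_manifest.get(key), inner.get(key))
    for key in DICT_FIELDS:
        # A missing key and an empty object mean the same thing to npm.
        a, b = registry_manifest.get(key) or {}, inner.get(key) or {}
        if a != b:
            diffs[key] = (a, b)
    return diffs


def make_tarball(package_json: dict) -> bytes:
    """Constructed fixture: a minimal npm-style tarball containing only package.json."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        payload = json.dumps(package_json).encode()
        info = tarfile.TarInfo("package/package.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample: what the registry's version document says, versus what
# the published tarball actually contains. The package name is hypothetical.
REGISTRY_DOC = {"name": "widget-utils", "version": "1.4.2", "dependencies": {},
                "dist": {"tarball": "https://registry.example.invalid/widget-utils-1.4.2.tgz"}}
CLEAN_TGZ = make_tarball({"name": "widget-utils", "version": "1.4.2"})
CONFUSED_TGZ = make_tarball({"name": "widget-utils", "version": "1.4.2",
                             "dependencies": {"request": "^2.88.0"},
                             "scripts": {"postinstall": "node setup.js"}})

if __name__ == "__main__":
    print("clean:", manifest_mismatches(REGISTRY_DOC, CLEAN_TGZ))
    print("confused:", manifest_mismatches(REGISTRY_DOC, CONFUSED_TGZ))
```

Any non-empty result is worth a manual look; a `scripts` mismatch in particular means code will run at install time that nothing on the registry page told you about.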
[#] Over the past six months, the Sign1 malware campaign has compromised over 39,000 WordPress sites by injecting malware into widgets and plugins, causing redirects and popups, and the best defense is to use strong passwords and keep plugins updated.
Read More @ bleepingcomputer.com
[#] Cybersecurity experts identified a malware called AndroxGh0st targeting Laravel applications to steal cloud service credentials, exploiting several known vulnerabilities, with updates and monitoring recommended to prevent attacks.
Read More @ thehackernews.com
[#] Radiant Logistics' Canadian operations were hit by a cyberattack on March 14, leading to isolated networks and service delays while cybersecurity experts work on resolving the issue.
Read More @ scmagazine.com
[#] Microsoft warns of sophisticated tax phishing scams using urgency tactics and impersonation of trusted sources to steal sensitive data during tax season; protection measures include skepticism towards email links/attachments and direct verification with sender.
Read More @ hackread.com
[#] Microsoft confirmed a memory leak issue with March 2024 Windows Server updates causing domain controller crashes, and advises uninstalling the updates until a fix is provided.
Read More @ bleepingcomputer.com
[#] Leicester City Council is dealing with an ongoing suspected ransomware incident, which has caused system outages and direct debit payment issues for residents, while prioritizing recovery of social care and revenue services amidst a criminal investigation.
Read More @ theregister.com
[#] Micro Focus has released a patch for two high-risk vulnerabilities in OpenText PVCS Version Manager, which could let attackers upload or download files without permission, and users should update to version 8.6.3.3 immediately.
Read More @ securityonline.info
[#] Sipwise C5 versions prior to mr11.5.1 contain a redirection flaw and a permission issue, allowing authenticated users to send malicious links and access admin-only journal data, necessitating an update for security.
Read More @ securitycafe.ro
[#] AceCryptor, a cryptor-as-a-service, is increasingly used by attackers, paired with the Rescoms RAT, to target European businesses with spear-phishing emails disguised as legitimate communications and steal browser and email credentials for further access. Businesses can defend by educating employees on phishing, using advanced security tooling, segmenting networks, and staying current on threats.
Read More @ securityonline.info
[#] The Belgian Grand Prix's official email was compromised, used for a phishing scam offering fake vouchers to steal banking information, and the organizers are now increasing security and investigating the incident.
Read More @ scmagazine.com
[#] Security experts warn of a malware campaign using StealC Infostealer, which masquerades as legitimate software and steals users' sensitive data, recommending the download of programs only from official sources and the use of robust security solutions.
Read More @ securityonline.info
[#] The U.S. has imposed sanctions on two Russian individuals and their companies for conducting cyber influence operations that targeted European and U.S. audiences with fake news websites and social media accounts to promote Russian interests.
Read More @ thehackernews.com
[#] Security researcher Jaggar Henry discovered a critical deserialization flaw in Artica Proxy, tracked as CVE-2024-2054, allowing code execution without authentication; users should remove or restrict access to the vulnerable component immediately as no patch is available.
Read More @ securityonline.info
[#] As a response to a new Texas law mandating age verification, Pornhub has restricted access in the state, leading to a 234.8% surge in VPN use as residents seek to circumvent the block.
Read More @ hackread.com
[#] Microsoft Threat Intelligence reports a spike in cybercriminal activity during tax season, with targeted phishing campaigns aimed at stealing sensitive information through fake tax-related communications and websites, and recommends using multifactor authentication and increased vigilance to improve cybersecurity.
Read More @ microsoft.com
[#] The official email of the Spa Grand Prix was compromised on March 17, 2024, and used to send phishing emails promising a €50 gift voucher to steal banking information, which prompted the organizers to issue a warning and involve the Belgian cyber police.
Read More @ bleepingcomputer.com
[#] The March 2024 updates KB5035855 and KB5035857 for Windows Server 2016 and 2022 are causing domain controllers to crash due to an LSASS process memory leak; to fix this, admins need to uninstall these updates and use the 'Show or Hide Updates' troubleshooter to prevent reinstallation.
Read More @ bleepingcomputer.com
[#] A critical remote code execution flaw, CVE-2024-1800 with a CVSS score of 9.9, affects all Telerik Report Server versions before 2024 Q1 (10.0.24.130), and users should promptly update to version 2024 Q1 (10.0.24.305) or later to mitigate the risk.
Read More @ securityonline.info
[#] Researchers have identified Loop DoS, an application-layer attack in which two UDP services that each answer an invalid message with an error message are tricked by a single spoofed datagram into replying to each other indefinitely; countermeasures include filtering or disabling the affected UDP services and preferring TCP, whose handshake verifies the source address.
Read More @ hackread.com
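The loop and the two ways of breaking it, as an added example that is not part of the original article or the researchers' code. The simulated services A and B, their toy REQ/RESP/ERR protocol and the spoofed datagram are constructed; the point is that UDP has no handshake, so a reply goes to whatever source address the datagram claimed.

```python
from collections import deque
from typing import Callable, Dict, Optional

Handler = Callable[[str, bytes], Optional[bytes]]


def chatty_handler(src: str, payload: bytes) -> Optional[bytes]:
    """Vulnerable pattern: anything that is not a request gets an error reply."""
    if payload.startswith(b"REQ "):
        return b"RESP " + payload[4:]
    return b"ERR unrecognised: " + payload[:16]


def hardened_handler(src: str, payload: bytes) -> Optional[bytes]:
    """Fix: only requests are answered; a peer's RESP or ERR is dropped silently."""
    if payload.startswith(b"REQ "):
        return b"RESP " + payload[4:]
    return None


class PerPeerLimiter:
    """Mitigation for a service you cannot patch: cap replies per source address,
    so a spoofed loop burns out instead of running indefinitely."""

    def __init__(self, handler: Handler, max_replies_per_peer: int):
        self.handler, self.cap, self.count = handler, max_replies_per_peer, {}

    def __call__(self, src: str, payload: bytes) -> Optional[bytes]:
        reply = self.handler(src, payload)
        if reply is None or self.count.get(src, 0) >= self.cap:
            return None
        self.count[src] = self.count.get(src, 0) + 1
        return reply


def simulate(handlers: Dict[str, Handler], spoofed_src: str, dst: str,
             payload: bytes, max_datagrams: int = 1000) -> int:
    """Inject one datagram whose source is spoofed to another server and count how
    many datagrams the two servers then exchange (capped at max_datagrams)."""
    queue = deque([(spoofed_src, dst, payload)])
    sent = 0
    while queue and sent < max_datagrams:
        s, d, data = queue.popleft()
        reply = handlers[d](s, data)
        if reply is None:
            continue
        sent += 1
        queue.append((d, s, reply))   # no handshake: the reply goes to the claimed source
    return sent


if __name__ == "__main__":
    both_chatty = {"A": chatty_handler, "B": chatty_handler}
    print("two chatty services:", simulate(both_chatty, "A", "B", b"garbage", 500))
    print("one side fixed:", simulate({"A": hardened_handler, "B": chatty_handler}, "A", "B", b"garbage"))
    print("rate-limited:", simulate({"A": PerPeerLimiter(chatty_handler, 10), "B": chatty_handler},
                                    "A", "B", b"garbage"))
```

Note that a valid-looking request also starts a loop between two chatty services, because B's RESP is not a request from A's point of view; fixing either side is enough to end the exchange.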
[#] A sophisticated malware called PhantomBlu uses OLE template manipulation in Word documents to deploy NetSupport RAT and evade detection, requiring advanced defense strategies to counter the threat.
Read More @ securityonline.info
[#] Clearview AI, a facial recognition firm known for its privacy controversies, has been added to a US government tech marketplace, paving the way for potential defense sector use despite previous data privacy issues and legal challenges.
Read More @ hackread.com
[#] Chinese operators are using racks of smartphone motherboards to commit cybercrimes by creating fake online activity, but crackdowns have led to e-commerce platforms blocking related search terms and a small percentage of these operators facing legal consequences.
Read More @ theregister.com
[#] The Pwn2Own Vancouver 2024 event showcased researchers exposing 19 zero-day vulnerabilities in products like Windows 11, Tesla, and Ubuntu Linux, with significant rewards offered including over $700,000 and a Tesla Model 3 car, pushing vendors to patch these security issues within 90 days.
Read More @ bleepingcomputer.com
[#] North Korea's Kimsuky hacking group has started using Microsoft Compiled HTML Help files to execute malicious commands and install scripts for data theft, targeting South Korea with potential global expansion.
Read More @ theregister.com
[#] Ivanti has released updates to fix critical remote code execution vulnerabilities in Standalone Sentry and Neurons for ITSM, which are urgent to apply for protection against cyber threats.
Read More @ thehackernews.com
[#] Atlassian has patched numerous security issues, most critically an SQL injection vulnerability in Bamboo requiring immediate update to safeguard systems.
Read More @ thehackernews.com
[#] A 20-year-old from Liverpool named Jacob Graham was sentenced to 13 years in prison for creating a bomb-making manual and preparing to commit a terror attack targeting government buildings and politicians to kill at least 50 people.
Read More @ sky.com
[#] DISBOARD is an online platform that lists and connects Discord servers across various categories, allowing users to search, join, or add servers for community building and social interaction.
Read More @ disboard.org
[#] Security researchers have discovered the GoFetch attack, which uses a hardware feature called data memory-dependent prefetcher in Apple's M-series chips to extract encryption keys from constant-time cryptographic implementations.
Read More @ gofetch.fail
[#] Over three million Saflok electronic locks used in hotels globally are vulnerable, enabling attackers to unlock any room with forged keycards; owners are in the process of updating the security systems.
Read More @ unsaflok.com
[#] Security researchers have disclosed a method called Unsaflok that can exploit vulnerabilities in Saflok hotel keycard locks, enabling access to any of the 3 million affected doors worldwide, and the lock manufacturer, Dormakaba, is working on a fix that includes reprogramming or replacing hardware where necessary.
Read More @ wired.com

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tldr; regarding the articles of interest which helps discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by AI, and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

current friend of haq 2024-03-22

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins