# Latest Podcast
# Description
Today's cybersecurity updates cover a range of topics, starting with techniques for SMB enumeration. WebSockets face risks from CSWSH, and there’s a keylogger that uses DNS tunneling for data exfiltration. GitHub now offers code scanning autobix, while a Chrome vulnerability (CVE-2023-3079) threatens JavaScript engine security. "asploit" emerges as a new tool for server-side backdoors, and "Bob the Smuggler" adeptly hides malicious payloads using HTML Smuggling. OSTE-Meta-Scanner scans for web injection flaws, and Attacknet challenges blockchain nodes. Abusing DACL for domain control is explained, and Hadess enlightens on cybersecurity. Rembg handles background removal in images. Wigle.net helps in tracking down WiFi-connected suspects, while Netlas.io optimizes attack surface discovery. Project Zero delves into MTE in kernel security, and Windows 11 showcases a protective KUSER_SHARED_DATA tweak. A browser exploit for Microsoft Edge is dissected. Microsoft Exchange servers prove risky for domains, prompting calls for permission limitations. Lastly, HiddenVM lets you run OSes within Tails.
# Tradecraft
[#]
This document is a detailed guide on Server Message Block (SMB) enumeration techniques using various tools like netexec, smbclient, and Impacket scripts, essential for Windows network assessments.
[#]
WebSockets enable real-time communication and can be vulnerable to Cross-Site WebSocket Hijacking (CSWSH), which is prevented by validating the Origin header during the handshake and setting cookies 'SameSite' attribute to 'Lax' or 'Strict'.
[#]
DNS-Tunnel-Keylogger is a post-exploitation tool that uses DNS tunneling to covertly transmit keystrokes from a client to a server, overcoming firewall barriers and making detection difficult.
[#]
GitHub introduced code scanning autofix, now in public beta for Advanced Security users, suggesting automated fixes for vulnerabilities in several programming languages with plans to expand support.
[#]
A vulnerability in Google Chrome's V8 JavaScript engine, identified as CVE-2023-3079, causes a type confusion error that lets attackers access memory out of bounds, which can lead to arbitrary code execution if exploited.
[#]
The GitHub repository for 'asploit' provides a tool for creating one-line backdoors in various server-side scripting languages, enabling remote control and exploitation of compromised servers.
[#]
"Bob the Smuggler" is a tool that employs an HTML Smuggling Attack technique to conceal malicious payloads inside images, manipulating web formats to bypass security measures.
[#]
OSTE-Meta-Scanner is a tool combining several Dynamic Application Security Testing scanners for detecting web injection vulnerabilities, and it provides easy-to-understand reports in JSON and HTML formats.
[#]
Trail of Bits has released Attacknet, a new chaos testing tool for uncovering bugs in blockchain nodes by simulating extreme network conditions.
[#]
The article details how to exploit Discretionary Access Control List (DACL) permissions to manipulate domain objects and users, which includes gaining full control, adding users to privileged groups, changing passwords without prior knowledge, and escalating privileges within a domain.
[#]
Hadess provides various cybersecurity services including adversary emulation and application security testing, and also offers educational resources like eBooks on topics such as DACL abuse and recent vulnerabilities in the Korenix JETIO 6550.
[#]
Rembg is a Python tool for removing the background from images, which can be installed for CPU or GPU support and used through several different methods including command line interface, as an HTTP server, or in Python code.
[#]
The article details using Wigle.net to track a suspect's location by searching for the Wi-Fi Access Point they've connected to, with steps on locating an AP by its SSID and MAC address, and narrowing down a target's location through their phone's tethered AP SSID.
[#]
Netlas.io updated their Attack Surface Discovery tool to support group operations for up to 100,000 results, enabling better organization and analysis of large cyber infrastructure.
[#]
Project Zero discusses the challenges of MTE in kernel security, noting bypass techniques, areas needing confidentiality preservation, and DMA implications, with suggestions for systematic problem resolution.
[#]
This post details the development of a browser exploit for a type confusion vulnerability in Microsoft Edge, involving manipulating memory objects through JavaScript to bypass security mitigations and achieve code execution.
[#]
Microsoft Exchange on-premises servers have extensive permissions in Active Directory that can be exploited to gain full control over the domain, and while some past issues have been fixed, Exchange admins must consider restricting these permissions or adopting the AD split permission model to secure their environments.
[#]
The document details methods for exploiting weak permissions in Active Directory's access control lists to perform various attacks such as password resets, privilege escalation, and group membership changes.
[#]
The content details methods and tools for conducting cybersecurity attacks and penetration tests, including exploiting various Active Directory vulnerabilities and abusing system privileges to escalate access and compromise domain control.
# News
[#]
The National Vulnerability Database is experiencing delays in documenting new cybersecurity threats, leading the security community to look for alternative sources and consider creating a new industry consortium for managing vulnerability data.
[#]
The US House of Representatives has unanimously passed a bill preventing data brokers from selling private information to countries like North Korea, Russia, China, and Iran, with a move in the Senate anticipated for further action.
[#]
Microsoft tests new spellcheck and autocorrect features in the Windows 11 Notepad for insiders, aiming to help users easily identify and fix spelling errors without affecting log and source code files.
[#]
The KDE team has advised users to be cautious when installing global themes from the KDE Store due to a recent incident where a theme ran a 'rm -rf' command that deleted a user's files, and further action will be taken to audit and curate store content.
[#]
Chinese operators are using racks of smartphone motherboards to commit cyber-crimes like fake e-commerce orders and SEO manipulation, avoiding detection by constantly changing IP addresses, despite the practice being illegal under China's telecommunications regulations.
[#]
Security researchers at Horizon3 pinpoint an SQL injection vulnerability in Fortinet's FortiClient EMS, enabling remote code execution that enterprises should promptly mitigate by reviewing logs and updating their systems.
[#]
Following law enforcement actions against major ransomware groups LockBit and ALPHV/BlackCat, smaller gangs like Medusa, RansomHub, and Cloak are recruiting affiliates by offering varying ransom shares and payment structures.
[#]
AWS Managed Workflows for Apache Airflow had a vulnerability that allowed session hijacking, but AWS has patched the bug and advised customers to update their environments, whereas Google has not yet addressed a similar issue across their cloud services.
[#]
The Pwn2Own 2024 hacking competition awarded over $700,000 for the discovery of 19 new security exploits in products like Tesla vehicles, web browsers, and virtualization software, emphasizing the essential role of such competitions in improving cybersecurity by revealing vulnerabilities that vendors can then address.
[#]
A security team uncovers the Unsaflok flaw in Saflok electronic locks affecting millions of hotel doors, prompting a mitigation process wherein 64% remain vulnerable as of March 2024, with further details to be disclosed once the majority of locks are updated.
[#]
In March 2024, Rhysida ransomware group launched a cyberattack against MarineMax, a US yacht dealer, claiming to auction stolen data for 15 Bitcoin if the company refuses to pay the ransom.
[#]
Russian hackers infiltrated a European NGO's systems using a malware called TinyTurla-NG and a data tunneling tool named Chisel to exfiltrate data and evade detection with Microsoft Defender antivirus exclusions.
[#]
Researchers at JFrog have uncovered over 800 npm packages with content that doesn't match their registry entries, including 18 packages capable of a "manifest confusion" exploit, necessitating verification of package contents and dependencies before use by developers.
[#]
Over the past six months, the Sign1 malware campaign has compromised over 39,000 WordPress sites by injecting malware into widgets and plugins, causing redirects and popups, and the best defense is to use strong passwords and keep plugins updated.
[#]
Cybersecurity experts identified a malware called AndroxGh0st targeting Laravel applications to steal cloud service credentials, exploiting several known vulnerabilities, with updates and monitoring recommended to prevent attacks.
[#]
Radiant Logistics' Canadian operations were hit by a cyberattack on March 14, leading to isolated networks and service delays while cybersecurity experts work on resolving the issue.
[#]
Microsoft warns of sophisticated tax phishing scams using urgency tactics and impersonation of trusted sources to steal sensitive data during tax season; protection measures include skepticism towards email links/attachments and direct verification with sender.
[#]
Microsoft confirmed a memory leak issue with March 2024 Windows Server updates causing domain controller crashes, and advises uninstalling the updates until a fix is provided.
[#]
Leicester City Council is dealing with an ongoing suspected ransomware incident, which has caused system outages and direct debit payment issues for residents, while prioritizing recovery of social care and revenue services amidst a criminal investigation.
[#]
Micro Focus has released a patch for two high-risk vulnerabilities in OpenText PVCS Version Manager, which could let attackers upload or download files without permission, and users should update to version 8.6.3.3 immediately.
[#]
Sipwise C5 versions prior to mr11.5.1 contain a redirection flaw and a permission issue, allowing authenticated users to send malicious links and access admin-only journal data, necessitating an update for security.
[#]
AceCryptor, a cryptor-as-a-service, is increasingly used by attackers, paired with Rescoms RAT, to target European businesses with spear-phishing emails disguised as legitimate communications, exploiting user trust to steal browser and email credentials for further system access; businesses can defend by educating employees on phishing, using advanced security systems, implementing network segmentation, and staying updated on cybersecurity threats.
[#]
The Belgian Grand Prix's official email was compromised, used for a phishing scam offering fake vouchers to steal banking information, and the organizers are now increasing security and investigating the incident.
[#]
Security experts warn of a malware campaign using StealC Infostealer, which masquerades as legitimate software and steals users' sensitive data, recommending the download of programs only from official sources and the use of robust security solutions.
[#]
The U.S. has imposed sanctions on two Russian individuals and their companies for conducting cyber influence operations that targeted European and U.S. audiences with fake news websites and social media accounts to promote Russian interests.
[#]
Security researcher Jaggar Henry discovered a critical deserialization flaw in Artica Proxy, tracked as CVE-2024-2054, allowing code execution without authentication; users should remove or restrict access to the vulnerable component immediately as no patch is available.
[#]
As a response to a new Texas law mandating age verification, Pornhub has restricted access in the state, leading to a 234.8% surge in VPN use as residents seek to circumvent the block.
[#]
Microsoft Threat Intelligence reports a spike in cybercriminal activity during tax season, with targeted phishing campaigns aimed at stealing sensitive information through fake tax-related communications and websites, and recommends using multifactor authentication and increased vigilance to improve cybersecurity.
[#]
The official email of the Spa Grand Prix was compromised on March 17, 2024, and used to send phishing emails promising a €50 gift voucher to steal banking information, which prompted the organizers to issue a warning and involve the Belgian cyber police.
[#]
The March 2024 updates KB5035855 and KB5035857 for Windows Server 2016 and 2022 are causing domain controllers to crash due to an LSASS process memory leak; to fix this, admins need to uninstall these updates and use the 'Show or Hide Updates' troubleshooter to prevent reinstallation.
[#]
A critical remote code execution flaw, CVE-2024-1800 with a CVSS score of 9.9, affects all Telerik Report Server versions before 2024 Q1 (10.0.24.130), and users should promptly update to version 2024 Q1 (10.0.24.305) or later to mitigate the risk.
[#]
Researchers have identified a new Loop DoS attack using UDP protocol vulnerabilities to cause servers to bombard each other with traffic, countermeasures include blocking UDP protocols and using TCP with verification.
[#]
A sophisticated malware called PhantomBlu uses OLE template manipulation in Word documents to deploy NetSupport RAT and evade detection, requiring advanced defense strategies to counter the threat.
[#]
Clearview AI, a facial recognition firm known for its privacy controversies, has been added to a US government tech marketplace, paving the way for potential defense sector use despite previous data privacy issues and legal challenges.
[#]
Chinese operators are using racks of smartphone motherboards to commit cybercrimes by creating fake online activity, but crackdowns have led to e-commerce platforms blocking related search terms and a small percentage of these operators facing legal consequences.
[#]
The Pwn2Own Vancouver 2024 event showcased researchers exposing 19 zero-day vulnerabilities in products like Windows 11, Tesla, and Ubuntu Linux, with significant rewards offered including over $700,000 and a Tesla Model 3 car, pushing vendors to patch these security issues within 90 days.
[#]
North Korea's Kimsuky hacking group has started using Microsoft Compiled HTML Help files to execute malicious commands and install scripts for data theft, targeting South Korea with potential global expansion.
[#]
Ivanti has released updates to fix critical remote code execution vulnerabilities in Standalone Sentry and Neurons for ITSM, which are urgent to apply for protection against cyber threats.
[#]
Atlassian has patched numerous security issues, most critically an SQL injection vulnerability in Bamboo requiring immediate update to safeguard systems.
[#]
A 20-year-old from Liverpool named Jacob Graham was sentenced to 13 years in prison for creating a bomb-making manual and preparing to commit a terror attack targeting government buildings and politicians to kill at least 50 people.
[#]
DISBOARD is an online platform that lists and connects Discord servers across various categories, allowing users to search, join, or add servers for community building and social interaction.
[#]
Security researchers have discovered the GoFetch attack, which uses a hardware feature called data memory-dependent prefetcher in Apple's M-series chips to extract encryption keys from constant-time cryptographic implementations.
[#]
Over three million Saflok electronic locks used in hotels globally are vulnerable, enabling attackers to unlock any room with forged keycards; owners are in the process of updating the security systems.
[#]
Security researchers have disclosed a method called Unsaflok that can exploit vulnerabilities in Saflok hotel keycard locks, enabling access to any of the 3 million affected doors worldwide, and the lock manufacturer, Dormakaba, is working on a fix that includes reprogramming or replacing hardware where necessary.
