HAQ.NEWS

// Jared Folkins

# Latest Podcast

# Description

A vulnerability in JustSystems Ichitaro Word Processor was fixed after Cisco Talos reported it. Git-Rotate helps avoid IP detection on GitHub during password attacks. AzureNum gathers data on Microsoft Entra IDs. There's a way to disable Windows Defender by tweaking system permissions. An OS engineer explains overcoming a Linux kernel bug (CVE-2023-0461) using advanced hacking techniques. DynamicMSBuilder makes .NET builds unique to dodge security checks. Dropper on GitHub crafts risky Office docs. BlueSpy steals audio from Bluetooth gadgets without user permision. Radamsa tests program stability with bad data. "WhoIsWho" shows other ways to do "whoami" tasks. Chiasmodon is a tool for domain info like emails. Tips for email investigation using OSINT tools are shared. To fix a "404 error," you should check the website URL. Various OSINT tools can find online profiles by nickname/email. Python scripts can automate file, web, and database work. Mr.Holmes mines public data about domains and such. Google Dork Maker creates search queries for hard-to-find data. Analyzing Latrodectus loader involves removing code clutter to see the harmful payload. Lastly, Telegram-Anti-Revoke was a plugin to keep Telegram messages from disappearing.

# Tradecraft

[#] A vulnerability was discovered in the JustSystems Ichitaro Word Processor that allowed attackers to execute arbitrary code by exploiting complex vulnerabilities, which were patched by JustSystems in response to Cisco Talos' disclosure.
Read More @ talosintelligence.com
[#] A GitHub project named Git-Rotate uses GitHub Actions to change IP addresses during password spraying to evade IP-based security measures.
Read More @ github.com
[#] AzureNum is a tool that quickly gathers information on Microsoft Entra ID items like user counts, security settings, and credentials.
Read More @ github.com
[#] A blog post describes a method to disable Windows Defender by manipulating privilege tokens and setting the Integrity Level to "Untrusted" using various system and process access tools.
Read More @ injectexp.dev
[#] A professional operating system engineer details the process and challenges of successfully exploiting a recent Linux kernel bug, CVE-2023-0461, using advanced techniques including heap spraying, FUSE, KASLR bypass, and constructing a ROP chain for privilege escalation.
Read More @ richiejp.com
[#] A tool called DynamicMSBuilder updates .NET project metadata to create unique assembly information for each build, helping to avoid detection by tools looking for static binary patterns.
Read More @ github.com
[#] A project named dropper has been published on GitHub that can create a dangerous Office document with macros to sideload DLL files and use Lnk files to evade the Mark of the Web security feature.
Read More @ github.com
[#] The BlueSpy proof of concept allows a person to record and replay audio from an insecure Bluetooth device by exploiting a lack of user interaction for pairing, with detailed setup and execution procedures provided.
Read More @ github.com
[#] Radamsa is a fuzzing tool that generates malformed data to test the robustness of programs, which can be installed from source and used in conjunction with other tools to discover potential security vulnerabilities.
Read More @ kitploit.com
[#] The GitHub repository "WhoIsWho" compiles various code examples demonstrating alternative methods to the traditional "whoami" command for identifying user information on a system.
Read More @ github.com
[#] Chiasmodon is an open-source intelligence tool to help gather domain information including emails, credentials, network data, and can search by various identifiers like company name and even perform facial recognition.
Read More @ github.com
[#] The provided information is a guide for using various Open Source Intelligence (OSINT) tools and websites to investigate an email address for personal data leaks, social profiles, and other online footprints.
Read More @ osint-tool.com
[#] The article demonstrates the use of various OSINT tools such as Maigret, Mr.Holmes, Holehe, and Ghunt to extract information from social media, emails, and other online platforms based on a nickname or email address.
Read More @ habr.com
[#] The text provides Python scripts for automating various tasks such as file management, web scraping, and working with databases, which can streamline workflows and reduce manual errors.
Read More @ pythonturbo.ru
[#] Mr.Holmes is an open-source intelligence tool designed to collect information about domains, usernames, and phone numbers using public sources, Google Dorks, and a WhoIS API, with features that include proxy use for anonymity, hypothesis generation about subjects, and generating interactive maps and graphs.
Read More @ github.com
[#] The Google Dork Maker is a tool that simplifies creating specialized search queries to find specific information on the internet that may not be easily accessible through normal searches.
Read More @ stationx.net
[#] The article details analyzing and deobfuscating a Latrodectus loader using regular expressions and CyberChef to remove junk code and reveal hidden malicious commands for downloading and executing a remote file.
Read More @ ghost.io
[#] Telegram-Anti-Revoke is a now unmaintained plugin that prevented messages in Telegram from being deleted by marking them as "deleted" instead, and required manual installation according to specific Telegram version instructions.
Read More @ github.com

# News

[#] Microsoft resolved a critical issue causing Windows Server crashes with an urgent update, while Fortinet urges users to patch a newly exploited remote code execution vulnerability, and over 6,000 ASUS routers were compromised within 72 hours by TheMoon malware for proxy services; meanwhile, Top.gg, a large Discord bot platform, faces a supply-chain attack where hackers aim to steal sensitive information by compromising the platform's Python-based infrastructure through various tactics like account hijacking and poisoned code repositories.
Read More @ bleepingcomputer.com
[#] CISA and the FBI released guidance to reduce SQL injection defects, encouraging developers to create more secure software after an SQLi vulnerability was exploited in the MoveIt file transfer application.
Read More @ darkreading.com
[#] Over 170,000 users were compromised by a supply chain attack that utilized cloned Python packages and a fake PyPI domain to distribute malware targeting browsers, Discord apps, and crypto wallets.
Read More @ theregister.com
[#] Google's new AI-based search feature sometimes promotes scam websites, so users should verify sites before visiting and can remove browser notification spam by adjusting their browser settings.
Read More @ bleepingcomputer.com
[#] Researchers at ETH Zurich have developed ZenHammer, a Rowhammer DRAM attack that affects AMD Zen CPUs, demonstrating that even the latest DDR4 and DDR5 memory chips are susceptible, with mitigation relying on software patches and firmware updates.
Read More @ bleepingcomputer.com
[#] The US Treasury Department has imposed sanctions on a Wuhan-based company and two Chinese nationals for cyber attacks against US infrastructure, using these actions to attempt to curb China's state-sponsored hacking efforts.
Read More @ bleepingcomputer.com
[#] Cybersecurity analysts at Sekoia have discovered a phishing service called 'Tycoon 2FA' that targets Microsoft 365 and Gmail accounts by stealing session cookies to bypass two-factor authentication after users input their credentials on a fake login page.
Read More @ bleepingcomputer.com
[#] The Communications Workers Union in the UK is dealing with a cyberattack that has disrupted its IT systems, including email services, and is working with cybersecurity experts to investigate and resolve the issue.
Read More @ theregister.com
[#] A fake version of the Colorama tool on a typosquatted domain infected multiple Python developers with malware, leading to the theft of keystrokes and data from browsers, Discord, cryptocurrency wallets, and other applications.
Read More @ packetstormsecurity.com
[#] Mozilla quickly patched critical vulnerabilities in Firefox following Manfred Paul's exploit demonstration at Pwn2Own, prompting users to update to version 124.0.1 for protection.
Read More @ theregister.com
[#] Iran-linked cyber espionage group MuddyWater, also known as TA450, has initiated a phishing campaign using PDF attachments with malicious links to deploy a remote monitoring tool called Atera, primarily targeting Israeli multinational company employees.
Read More @ securityaffairs.com
[#] Researchers have identified the GoFetch security exploit in Apple's M1 and M2 chips which leaks data via data memory-dependent prefetchers, cannot be disabled on these CPUs, and as a temporary fix, cryptographic tasks should be run on the slower Icestorm cores to avoid exposure.
Read More @ theregister.com
[#] Palo Alto Networks' Unit42 discovered a large-scale StrelaStealer malware campaign that compromised over 100 organizations in Europe and the US, with threat actors using localized spam emails with subject patterns like "Factura/Rechnung/invoice####" to distribute a JScript file leading to credential theft, and advises keeping security measures updated to prevent such attacks.
Read More @ securityaffairs.com
[#] A sophisticated cyberattack used fake Python infrastructure and stolen GitHub account credentials to distribute malware, compromising popular software packages and developers' private data; awareness and monitoring are essential for protection.
Read More @ darkreading.com
[#] A law journal article proposes that AI engineers should be licensed to create commercial AI products, with the intention of incorporating ethical considerations into the engineering of AI systems from the beginning.
Read More @ schneier.com
[#] The British Library experienced a severe ransomware attack, damaging systems and draining seven years’ worth of financial reserves for recovery, with a detailed report released highlighting the pervasive issues of outdated IT infrastructure and insufficient security practices.
Read More @ theregister.com
[#] Researchers demonstrated a side-channel attack called GoFetch that can extract cryptographic keys from Apple CPUs, and to mitigate this, they suggest updating software, disabling specific CPU features where possible, and avoiding hardware sharing.
Read More @ securityaffairs.com
[#] Hackers compromised GitHub accounts and a PyPI domain to distribute malware through trusted platforms, necessitating robust security and vigilance when installing packages and dependencies.
Read More @ thehackernews.com
[#] The United Nations reports that North Korea uses international restaurants and cyber attacks on cryptocurrency companies to launder money and fund its weapons programs, suggesting better infosec practices and global cooperation for prevention.
Read More @ theregister.com
[#] The Iran-linked hacking group MuddyWater has launched a new phishing campaign targeting Israeli firms, utilizing Atera's Remote Monitoring and Management software to surveil targets and an Iranian hacktivist group named Lord Nemesis breached Rashim Software, leading to potential further attacks and data exposure in the Israeli academic sector.
Read More @ thehackernews.com
[#] Unit 42 researchers have detected a resurgence of StrelaStealer malware focusing on EU and US organizations, using advanced evasion through obfuscated DLLs and spear-phishing to steal email credentials.
Read More @ securityonline.info
[#] APT29, a Russian cyber espionage group, has initiated a phishing campaign targeting German political parties with a new malware called WINELOADER, indicating an increased threat to democratic processes.
Read More @ securityonline.info
[#] ClickUp has updated its desktop app for macOS and Windows to version 3.3.77 to fix a high-severity code execution vulnerability, and users should immediately download the patch to protect their systems.
Read More @ securityonline.info
[#] A cyberattack campaign is leveraging fake PuTTY software ads to infect system administrators with the Rhadamanthys information stealer, using a Go-based malware loader for IP verification before executing the payload.
Read More @ securityonline.info
[#] The HelloFire ransomware, without a leak site or ransomware branding, uses a Russian greeting in its note and PDB path, targets specific services and directories, and indicates connections to the Babuk ransomware through its use of the Curve25519 encryption algorithm and file-handling techniques.
Read More @ shadowstackre.com
[#] Microsoft has released a patch for the March Windows Server update that caused crashes due to a memory leak, while Atlassian fixed a critical SQL injection flaw, and security firms warn of a new wiper malware called AcidPour linked to Russian threat actors.
Read More @ theregister.com
[#] Cybersecurity researchers have identified a widespread StrelaStealer malware campaign targeting email client credentials in the EU and US, with Palo Alto Networks providing several layers of protection against this evolving threat.
Read More @ paloaltonetworks.com
[#] The Croatian Commission for Conflict of Interest provides a searchable registry of public officials' positions and tenures, conflict of interest declarations, and offers educational resources for understanding related regulations.
Read More @ sukobinteresa.hr

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tldr; regarding the articles of interest which helps discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by Ai, and converted into something quick and easy to read. But then I started getting requests for features like rss, Gracie got involved, and with the super-power of Ai things have taken on a life of their own.

Sharing

I currently post daily infosec news to x, linkedin, mastodon and rss.

I also post daily infosec podcasts and interviews to apple podcasts and spotify.

Ads

This isn't an Ad.

current friend of haq 2024-03-26

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins