HAQ.NEWS

// Jared Folkins

# Latest Podcast

# Description

In a recent blog post, a data-only exploitation technique has been discussed which affects the Linux kernel's io_uring. The technique lets attackers control memory pages and escalate privileges without changing kernel code. Zero Day Engineering offers masterclasses in software vulnerability research and exploit development with resources from conferences. A security researcher showed steps for unpacking Agent Tesla malware, analyzing its stages, and decrypting the payload. Ryan Weil explained deobfuscating the control flow in Agent Tesla by creating a plugin for de4dot and restoring code readability. Frida is a toolkit for modifying how programs run across multiple operating systems without needing source code. Noia is a sandbox file browser that simplifies examining mobile application files with Frida, suitable for rooted and non-rooted devices. VolWeb is a digital forensic tool using Volatility 3 for memory analysis and integration with CTI platforms. Domain Hunter Pro automates collecting web assets and interfaces with security tools, aimed at those in security testing.You can exploit local admin access to blind an EDR by tweaking the registry and rebooting to ensure Sysmon blindness. An in-depth analysis covers a Linux kernel vulnerability and exploitation, also providing research insights. There's a guide on Velociraptor, a forensic tool, setup in a Windows lab environment. Suricata Hunting Rules provides network anomaly detection rules for Suricata IDS on GitHub. Nuclei v3.2 offers secure scanning of targets with authentication via a YAML file. An OSINT text outlines defending against cyber-attacks and info for cybersecurity careers. A repository holds dictionaries for penetration testers for password attacks and vulnerability finding. An article shows using DNS pivoting with Validin to analyze cyber infrastructures like LokiBot. The process of finding malware in open-source software through code analysis is detailed.A piece explains creating a self-replicating UEFI application and covers related techniques.BestEdrOfTheMarket is an open-source project for studying EDR detection strategies.The unKover project details an anti-rootkit tool which reveals unauthorized Windows drivers.A Google sub-domain XSS vulnerability was uncovered and resolved for a $4,133.70 reward.An article explains Windows syscall execution with a focus on kernel structure roles.Matthew Alt bypassed security protections on STM32 microcontrollers with Electromagnetic Fault Injection.Lastly, a script demonstrated a collision in SHA-256 hash function challenging its reliability.

# Tradecraft

[#] A recent blog post details a data-only exploitation technique for a patched use-after-free vulnerability in the Linux kernel's io_uring where attackers can gain control over pages in memory and escalate privileges without altering the kernel's code flow.
Read More @ exodusintel.com
[#] Zero Day Engineering offers courses and masterclasses in software vulnerability research, reverse engineering, and exploit development, providing resources like slides and videos from notable conferences.
Read More @ zerodayengineering.com
[#] A security researcher outlines a step-by-step process for unpacking and analyzing the multi-stage Agent Tesla malware to understand its execution and ultimately decrypt its final payload.
Read More @ github.io
[#] Ryan Weil demonstrates the process of deobfuscating control flow flattening in Agent Tesla malware by analyzing the obfuscation pattern, creating a custom plugin for de4dot, and systematically reconnecting deobfuscated code blocks to restore readability.
Read More @ github.io
[#] Frida is a dynamic toolkit that allows modification and debugging of software by injecting scripts without needing the source code and operates on multiple operating systems.
Read More @ frida.re
[#] Noia is a web-based sandbox file browser tool designed to simplify the examination of mobile application files, such as SQLite databases and images, by utilizing Frida, though users are cautioned on its security and provided instructions for proper setup on both rooted and non-rooted devices.
Read More @ kitploit.com
[#] VolWeb is a cloud-based digital forensic tool that simplifies the analysis of memory from compromised systems using Volatility 3 for artifact extraction and integrates with CTI platforms for post-investigation collaboration.
Read More @ securityonline.info
[#] Domain Hunter Pro is an advanced cybersecurity tool designed to automate the collection of web assets, acquire fast web titles, and interface with external security tools, benefiting those engaged in security testing and vulnerability hunting.
Read More @ github.com
[#] Exploit local admin access to blind an EDR by changing the registry's minifilter altitude value for Sysmon, then reboot and verify EDR is blind to malicious activities.
Read More @ co.nz
[#] The article provides an in-depth analysis of a Linux kernel vulnerability in nf_tables, offers a proof-of-concept for exploiting it, and shares techniques that could be used for further Linux kernel vulnerability research.
Read More @ pwning.tech
[#] This is a guide on setting up Velociraptor, a forensic and incident response tool, in a medium-sized lab environment with instructions for deploying both server and client components on Windows systems.
Read More @ bluecapesecurity.com
[#] Suricata Hunting Rules is a repository on GitHub offering network anomaly detection rules for the Suricata IDS, intended for security analysts to track and identify unusual network behavior using Suricata version 5 or newer.
Read More @ github.com
[#] Nuclei v3.2 improves secure scanning of login-protected targets by allowing users to authenticate using a YAML file, enabling a more efficient and adaptable method by supporting both static and dynamic authentication schemes without modifying existing templates.
Read More @ projectdiscovery.io
[#] The text outlines various aspects of information security and the use of Open Source Intelligence (OSINT), including defending against and analyzing cyber attacks, and it provides guidance for those looking to pursue a career in cybersecurity.
Read More @ osint-mindset.com
[#] The repository contains a collection of dictionaries designed for penetration testers to use in various types of security testing, such as password attacks and identifying vulnerabilities.
Read More @ github.com
[#] Analyzing and uncovering malicious cyber infrastructure, the article demonstrates the use of DNS pivoting with a tool called Validin, offering practical cases such as tracking domain IP history, finding lookalike domains, and identifying shared or counterfeit infrastructure used by malware like LokiBot and Xworm.
Read More @ ghost.io
[#] Exploit local admin access to blind an EDR by changing the registry's minifilter altitude value for Sysmon, then reboot and verify EDR is blind to malicious activities.
Read More @ co.nz
[#] An article details the process of uncovering malware hidden in ostensibly legitimate open-source software through static code analysis, revealing the deceptive practices of its developer and emphasizing the need for careful security review of software utilized.
Read More @ medium.com
[#] The article showcases a detailed process of creating a very small, self-replicating UEFI application in assembly language, covering UEFI basics, ABI understanding, debugging, file operations, and binary size reduction techniques.
Read More @ github.com
[#] VolWeb is a digital forensic platform based on the Volatility 3 framework, designed to streamline memory analysis in incident response by providing a web interface and cloud storage integration for evidence processing.
Read More @ github.com
[#] BestEdrOfTheMarket is an open-source project for studying and navigating around the tactics endpoint detection and response systems use to identify security threats by simulating user-mode detection strategies.
Read More @ github.com
[#] The article discusses the development of an anti-rootkit tool, unKover, to detect and analyze rootkits manually mapped into memory, specifically focusing on uncovering rootkit device objects, system thread analysis through APCs, and NMI callback utilization.
Read More @ eversinc33.com
[#] The unKover project is a proof of concept anti-rootkit tool that detects unauthorized Windows drivers or rootkits in kernel memory through techniques like NMI callbacks, APC StackWalks, system thread analysis, and driver object analysis, and it requires test signing and kernel debugging to be enabled for installation.
Read More @ github.com
[#] A security researcher discovered a Google sub-domain XSS vulnerability that sometimes triggered and received a $4,133.70 reward after reporting and assisting in the triage and resolution of the issue.
Read More @ medium.com
[#] This article explains the workflow of Windows syscall execution, starting with the user-mode transition to kernel-mode, and details the role of key kernel structures and functions in retrieving and executing the appropriate kernel routine based on syscall numbers.
Read More @ climent-pommeret.red
[#] Matthew Alt has demonstrated a method using Electromagnetic Fault Injection to bypass security protections on STM32 microcontrollers, employing low-cost tools and 3D printing to accurately position the injection tip.
Read More @ voidstarsec.com
[#] A proof of concept script demonstrates a collision in SHA-256 with only 31 rounds instead of the usual 64, challenging the hash function's reliability.
Read More @ github.com

# News

[#] An unpatched vulnerability in the Ray AI framework, identified as CVE-2023-48022, has allowed attackers to bypass authentication and compromise hundreds of clusters, resulting in theft of data and credentials, as well as the installation of cryptominers.
Read More @ packetstormsecurity.com
[#] Google's researchers report a 56% rise in zero-day vulnerabilities in 2023, with a 64% increase in enterprise-targeted zero-days, while attributing most exploitations to surveillance vendors and state-backed hackers, and highlighting advancements in software protections.
Read More @ packetstormsecurity.com
[#] In Germany, about 17,000 Microsoft Exchange servers are exposed online with severe security flaws, and the federal cybersecurity agency advises immediate system updates and patch applications.
Read More @ scmagazine.com
[#] Finland's parliament experienced a cyber intrusion by APT31, a group with links to China, which involved espionage and violated communication privacy from late 2020 through early 2021.
Read More @ scmagazine.com
[#] The INC ransomware group claims to have compromised 3TB of NHS Scotland's patient data and threatens to leak it unless their demands are met; experts advise healthcare to reinforce data protection with data-centric security methods.
Read More @ hackread.com
[#] Over 1,800 Shopify stores using EcoReturns and WyseMe plugins experienced a data leak of 25 GB, including customer information and partial payment details, due to developer Saara's improperly secured MongoDB database; comprehensive audits and data protection methods are recommended.
Read More @ scmagazine.com
[#] The Foundation for Defense of Democracies recommends Congress to create a dedicated U.S. Cyber Force to improve nationwide cyber defense, backed by $16.5 billion and approximately 10,000 workers, while the U.S. Space Force evaluates integrating a Cyber Command component.
Read More @ scmagazine.com
[#] Meta is being accused of using a digital surveillance scheme to collect and analyze encrypted traffic from rival services like Snapchat, potentially harming competition and influencing ad prices.
Read More @ theregister.com
[#] Google has updated Chrome to fix two security flaws exploited during Pwn2Own, while Firefox also patched similar vulnerabilities showcased at the event.
Read More @ bleepingcomputer.com
[#] Vietnam's brokerage firm VNDirect was recently hit by a cyberattack where hackers encrypted their data, causing trading suspensions, but the company has started to recover with a four-stage system restoration process.
Read More @ darkreading.com
[#] Guardio Labs found a security flaw in Microsoft Edge that allowed installing extensions without user consent, fixed by Microsoft in February 2024 under CVE-2024-21388.
Read More @ guard.io
[#] The INC Ransom gang has compromised NHS Scotland's Dumfries and Galloway board, leaking 3TB of sensitive data online, with the government and cybersecurity agencies currently assessing the impact and proceeding with mitigation efforts.
Read More @ bleepingcomputer.com
[#] A new phishing kit, Tycoon 2FA, is targeting Microsoft 365 and Gmail accounts to bypass multi-factor authentication using an adversary-in-the-middle approach, and cybersecurity firm Sekoia has listed indicators of compromise to detect such attacks.
Read More @ darkreading.com
[#] The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a recently disclosed Microsoft SharePoint vulnerability, CVE-2023-24955, to its Known Exploited Vulnerabilities catalog, mandating federal agencies to patch it by April 16, 2024, as the flaw is actively exploited in attacks.
Read More @ securityaffairs.com
[#] Indian governmental and energy sectors have been compromised by hackers using malware disguised as an Air Force invite to steal data via Slack channels.
Read More @ thehackernews.com
[#] The U.S. Department of Justice has charged the cryptocurrency exchange KuCoin for not following anti-money laundering laws, which allowed at least $9 billion of suspicious funds to be laundered.
Read More @ bleepingcomputer.com
[#] A security flaw in Saflok RFID-based keycard locks, used in hotels globally, has been disclosed, allowing hackers to unlock doors with ease, and while a fix exists that doesn't require hardware changes, it has only been applied to 36% of the locks.
Read More @ schneier.com
[#] The U.S. Cybersecurity and Infrastructure Security Agency warns that attackers are exploiting a known Microsoft SharePoint vulnerability, and agencies must apply Microsoft's provided patch by April 16, 2024, to defend against this threat.
Read More @ thehackernews.com
[#] Active exploitation of an unpatched critical vulnerability, CVE-2023-48022, in Anyscale Ray's AI platform, used for unauthorized cryptocurrency mining, remains unaddressed; users must manually secure their environments pending Ray's planned future authentication update.
Read More @ thehackernews.com
[#] During the ASEAN-Australia Special Summit, ASEAN organizations were targeted by Chinese APT groups using malware, highlighting the importance of strong cybersecurity defenses in Southeast Asia.
Read More @ hackread.com
[#] The Big Issue Group suffered a data breach by Qilin ransomware, compromising personal employee information and prompting an investigation with IT experts and law enforcement, while the publication continues without disruption.
Read More @ theregister.com
[#] A vulnerability in Microsoft Edge was found that could let attackers install unwanted extensions without users' knowledge, but it's been fixed in a recent update.
Read More @ thehackernews.com
[#] Meta is planning to discontinue the social media analysis tool CrowdTangle in August 2024, impacting journalists and researchers who utilize it to track disinformation, especially during the election year; Meta suggests the Meta Content Library as its more comprehensive replacement, but access will be limited, prompting Mozilla and others to request an extension of CrowdTangle until January 2025.
Read More @ malwarebytes.com
[#] A court in Montana imposed a $9.9 million penalty on Scott Rhodes for making thousands of illegal and malicious robocalls, with measures taken to prevent future violations and protect consumers from deceptive practices.
Read More @ malwarebytes.com
[#] Cybersecurity researchers at Trustwave exposed a phishing scheme wherein emails pretending to be bank payment notices deliver a loader disguised as an archive file, which installs the Agent Tesla keylogger to steal sensitive information.
Read More @ thehackernews.com
[#] A major data breach at Have I Been Pwned reveals numerous compromised accounts across various breaches, with personal information and passwords exposed.
Read More @ haveibeenpwned.com
[#] In recent cyber incidents, a developer's inside job led to a $62.5 million Ethereum heist from a crypto game, while Solana faced backlash over racist meme tokens, and a repeated rug-pull occurred on the Lucky Star Currency project, alongside other scams, exploits, and regulatory actions.
Read More @ web3isgoinggreat.com
[#] The link referenced goes to a non-existing page about a serialization vulnerability in WebLogic, using the IIOP protocol, which requires going back to the main Weblogic repository for correct information.
Read More @ github.com
[#] Security experts discovered a suspicious .NET package named SqzrFramework480, which could secretly capture screenshots and send data to a hidden IP, indicating potential industrial espionage, and they recommend verifying packages manually or with automated tools before trusting them.
Read More @ darkreading.com
[#] Finnish Police have confirmed that APT31, a hacking group linked to China's Ministry of State Security, was responsible for the 2021 breach of Finland's Parliament, with one suspect identified and international sanctions and charges imposed on group members.
Read More @ bleepingcomputer.com
[#] Valentine Fombe, a cybercriminal from Cameroon involved in Business Email Compromise scams and other fraud totaling over $500,000, has been sentenced to 144 months in prison and must pay restitution; meanwhile, the fates of his co-conspirators remain uncertain, as investigations continue into their activities and the tragic death of Gbenga Owolabi in Nigeria post-indictment.
Read More @ blogspot.com
[#] Marketed on Telegram, GEOBOX software outfits Raspberry Pi with fraud and anonymization features to complicate cybercrime tracking for a $80 monthly or $700 lifetime fee.
Read More @ bleepingcomputer.com
[#] The Mispadu banking trojan, known for stealing online banking credentials, is now aggressively targeting multiple industries across Europe and Mexico, using phishing emails that lead victims to download a harmful payload, with defenses including user education, system updates, and advanced threat detection.
Read More @ securityonline.info
[#] Two Chinese APT groups, Mustang Panda and an unnamed entity, have intensified cyber espionage efforts targeting ASEAN countries, employing phishing and malware like PlugX and ShadowPad, while leaked documents reveal China's state cyber operations outsourcing to firms like I-Soon.
Read More @ thehackernews.com
[#] The Cybersecurity and Infrastructure Security Agency warns that Microsoft SharePoint Server is being targeted due to a crucial security flaw, CVE-2023-24955, and advises that updates released in May 2023 should be applied immediately to protect against potential data breaches or system disruptions.
Read More @ securityonline.info
[#] A new variant of TheMoon malware has infected 40,000 outdated routers and IoT devices across 88 countries, utilizing end-of-life devices to grow a proxy service used by cybercriminals for anonymity in various illicit activities, and experts have published indicators of compromise to help identify and mitigate the threat.
Read More @ securityaffairs.com
[#] Two Chinese APT groups are targeting ASEAN entities to steal sensitive diplomatic and economic data using custom malware, evading detection by disguising attacks during high-profile meetings and requiring increased cybersecurity vigilance from organizations in the region.
Read More @ securityonline.info
[#] The "dev02-avtampering" page you're looking for does not exist in the "ResearchDev" repository's main branch, and you should return to the repository overview.
Read More @ github.com
[#] Google is offering a course titled 'Google AI for Anyone' starting on March 28th, aimed at teaching the fundamentals of artificial intelligence to those interested.
Read More @ edx.org
[#] Guardio Labs found a security flaw in Microsoft Edge that allowed installing extensions without user consent, fixed by Microsoft in February 2024 under CVE-2024-21388.
Read More @ guard.io
[#] Fagan Finder is an extensive search tool portal that aggregates a wide variety of resources including search engines, databases, and libraries to help users find information online beyond what is available through Google, emphasizing the depth and accessibility of the "deep web" for thorough research.
Read More @ faganfinder.com
[#] The OpenSecurityTraining2 page you are attempting to reach does not exist, and you should return to the main homepage for continuing your cyber security education.
Read More @ ost2.fyi
[#] The page you're looking for is missing, so you should return to the homepage of OpenSecurityTraining2 to find cyber security learning paths and resources.
Read More @ ost2.fyi
[#] Oligo Security researchers found a critical vulnerability in the Ray AI framework, named ShadowRay, that allows attackers to execute code remotely and has been exploited for at least 7 months to compromise thousands of servers, with users advised to secure their environments and monitor for suspicious activity.
Read More @ oligo.security

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tldr; regarding the articles of interest which helps discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by Ai, and converted into something quick and easy to read. But then I started getting requests for features like rss, Gracie got involved, and with the super-power of Ai things have taken on a life of their own.

Sharing

I currently post daily infosec news to x, linkedin, mastodon and rss.

I also post daily infosec podcasts and interviews to apple podcasts and spotify.

Ads

This isn't an Ad.

current friend of haq 2024-03-28

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins