# Latest Podcast
# Description
This series helps with emulating IoT malware using Docker and Qiling. A practitioner explains using Velociraptor on VMware ESXi hypervisors for forensics. Security flaws in ChatGPT allow XSS attacks. A JavaScript file cleverly hides AsyncRAT deployment. There's a binary exploitation roadmap from basics through pwn.college. SARA teaches making Android Trojans. BruteUnpackage cracks compressed file passwords. A proof-of-concept for CVE-2024-1086 demonstrates privilege escalation on Linux. A CVE-2023-48788 exploit for Fortinet's FortiClient EMS is on GitHub. Understand an Open Redirect vulnerability in IIS caused by JavaScript. A CVE-2024-25153 proof-of-concept affects Fortra FileCatalyst Workflow. Xiaomi WiFi routers had security issues that are now fixed. A 64-bit library loads DLLs stealthily. Lastly, Meckazin/ChromeKatz extracts browser cookies from memory.
# Tradecraft
- The first part of a series on emulating destructive IoT malware outlines setting up a secure environment using Docker and the Qiling framework to isolate and analyze malware without damaging the host system.
- A cybersecurity professional outlines a method for using Velociraptor's new features to perform forensic analysis on VMware ESXi hypervisors by accessing their filesystem over SSH, without deploying an agent, to collect, triage, and analyze potential security threats.
- Security researchers have discovered ways to bypass recent security measures in ChatGPT by exploiting persistent XSS vulnerabilities to manipulate conversations, steal data, and maintain unauthorized control, despite steps toward securing the AI against such information exfiltration.
- A deceptive JavaScript file uses encoding, large amounts of irrelevant code, and Base64 to hide its real purpose: to execute a PowerShell script that downloads and runs the AsyncRAT malware.
- This roadmap is a guide for beginners on how to learn binary exploitation through courses like pwn.college and Nightmare, providing resources to develop skills in reversing and vulnerability research, with links to supportive communities for help and further learning.
- SARA is an educational tool for creating Trojans and Ransomware targeting Android systems, with a straightforward installation process hosted on GitHub.
- The BruteUnpackage toolkit provides a method for cracking passwords on compressed files using brute force techniques, including a built-in common password list and support for multithreading to enhance the efficiency of the cracking process.
- A Proof-of-Concept exploit for the CVE-2024-1086 vulnerability provides a method for gaining escalated privileges on Linux systems running kernels between versions 5.14 and 6.6, and includes instructions for configuration and usage.
- The GitHub repository contains a proof of concept exploit for a SQL injection vulnerability in Fortinet's FortiClient EMS, referenced as CVE-2023-48788, with instructions on how to use it.
- Soroush Dalili details an Open Redirect vulnerability caused by improper validation of 'window.location.pathname' in JavaScript, which can be exploited in a Windows-hosted IIS environment to hijack sensitive URL parameters.
- A proof-of-concept exploit for a remote code execution vulnerability designated as CVE-2024-25153 affecting Fortra FileCatalyst Workflow versions up to 5.1.5 is available, and users should update to version 5.1.6 Build 114 or later for protection.
- A research paper details the identification of multiple security flaws in Xiaomi WiFi routers, providing evidence of remediation by Xiaomi through updates and assignment of CVE identifiers.
- The repository features a small, 64-bit library designed to load DLL files into memory, supporting a variety of functions including bypassing image load callbacks and executing libraries from both disk and memory buffers.
- The GitHub repository Meckazin/ChromeKatz offers a tool for extracting cookies from Chrome, Edge, or webview processes directly from memory without needing on-disk database files or decryption keys, and includes different applications for live processes and analyzing minidumps.
# News
- American retailer Hot Topic suffered credential stuffing attacks in November, compromising personal and partial payment information, and prompting the implementation of bot protection and mandatory password resets for affected customers.
- Indian government and oil companies have been compromised by an espionage campaign using a tool called "HackBrowserData" to steal credentials, cookies, and browser history through phishing emails, with data being uploaded to Slack channels in an operation named "Operation FlightNight."
- CISA has issued a warning for all to patch a critical Microsoft SharePoint vulnerability, CVE-2023-24955, by April 16th to prevent remote code execution by attackers.
- The Python Package Index halted new user registrations and project creations to stop a malware attack involving over 365 fake packages designed to steal information from developers' browsers.
- JetBrains TeamCity users should update to version 2024.03 to fix 26 undisclosed security issues and enable semi-automatic downloading of critical security updates for on-prem installations.
- Cisco has issued guidance to counter password-spraying attacks on VPNs, recommending the use of remote logging, sinkhole servers, TCP shun, control-plane ACLs, and certificate-based authentication to improve security.
- Finland's police have confirmed the involvement of Chinese hacking group APT31 in the 2020 cyber attack against its parliament and have identified suspects, as the US and UK governments sanction individuals and a company linked to the group.
- Kaspersky has detected a Linux variant of DinodasRAT malware targeting countries like China and Taiwan, which can control infected servers, avoiding detection and encrypting its communications.
- Security researchers have identified a new Trojan, written in Golang, that uses a fake certificate to stealthily communicate with a control server, and to protect against it, users must update their systems, apply patches, and follow safe browsing practices.
- Grafana users must patch their systems immediately due to a BOLA vulnerability, CVE-2024-1313, which lets attackers delete dashboard snapshots if they have the unique key.
- Synology has identified several critical vulnerabilities in their Surveillance Station software, notably CVE-2024-29228, CVE-2024-29229, and CVE-2024-29241, advising users to update immediately to avoid unauthorized access and potential system takeover.
- GitLab has updated its software to fix security bugs, with important changes being patches for an XSS vulnerability in Wiki pages and a DoS issue caused by emojis, and users should update their systems immediately to protect against these threats.
- Sam Bankman-Fried, the former FTX CEO, received a 25-year prison sentence for fraud related to the cryptocurrency exchange's collapse, and an $11.02 billion forfeiture was ordered to aid victim repayment.
- Over 10,000 hotels around the world are at risk due to a vulnerability in Saflok keycard locks, requiring a physical update to each door's hardware and a software patch to fix the issue.
- A serious code execution vulnerability identified as CVE-2024-0980 in the Okta Verify for Windows app requires users to urgently update to version 4.10.7.
- NHS Scotland contained a ransomware attack within the Dumfries and Galloway region, preventing wider spread while authorities and cybersecurity experts assess the breach, which included the theft of 3TB of data and aimed to pressure the organization by leaking sensitive information online.
- Rockwell Automation announced security alerts for 10 vulnerabilities affecting multiple products; users should apply mitigations and patch as guided.
- Rent Go, a Turkish car rental company, experienced a data leak from an unsecured server, revealing personal identification documents of over 161,000 customers and creating risks of identity theft and fraud.
- Nvidia has updated its ChatRTX application to version 0.2, patching two security vulnerabilities that could allow privilege escalation and remote code execution, and users should reinstall the application to ensure safety.
- Facebook allegedly monitored and analyzed encrypted traffic from competitors like Snapchat by deploying server-side SSL bumps, a method considered likely illegal under wiretapping laws.
- A Phishing-as-a-Service platform named Darcula is exploiting iMessage and RCS to bypass detection, using 20,000 fake domains to mimic brands and trick users into submitting personal data.
- The US government proposes a rule requiring critical infrastructure operators to report major cyber incidents within 72 hours and ransom payments within 24 hours to improve national security and defense.
- Drozer 3.0.0, which now supports Python 3 and updated Java, is a recently released security tool for Android platform testing.
- A phishing scam called "push bombing" involving repeated Apple ID password reset requests and caller ID spoofing is targeting tech professionals, leading to potential iCloud account takeovers and urging individuals to remove personal data from people search sites.
- A misconfigured cloud server from UK-based Juniper Education's OTrack software exposed nearly a million records of student data, which has since been secured following a responsible disclosure by researcher Jeremiah Fowler.
- Sellafield Ltd, operators of a high-risk nuclear site in Western Europe, faces legal action over IT security breaches from 2019 to early 2023, despite denying any safety compromise after reported hacks linked to Russia and China.
- The United States Department of State is offering a reward of $10 million for information that leads to the identification or location of the BlackCat/ALPHV ransomware group members who have attacked US critical infrastructure.
- Python Package Index took emergency action by stopping new account creation and project uploads due to a flood of malicious packages using typosquatting to deploy multi-stage attacks designed to steal sensitive data and maintain persistence on victims' systems.
- Kaspersky Labs has identified a new Linux-focused version of the DinodasRAT malware, known for targeting government sectors, which utilizes stealth techniques and encryption to evade detection and communicate with its attackers, emphasizing the need for regular system updates, antivirus protection, network monitoring, and user training to mitigate the risk.
- Canonical is manually reviewing all new Snap Store name registrations to combat a surge of fake cryptocurrency wallet apps that deceive users and steal their funds.
- Cybersecurity researchers have discovered a new RowHammer attack method called ZenHammer that effectively targets AMD CPUs with Zen 2 and Zen 3 architectures and can even induce bit flips in DDR5 chips, necessitating further action from AMD and DRAM vendors to bolster defenses against these evolving threats.
- Google has updated Chrome to fix seven security issues, including a critical vulnerability that could let attackers corrupt memory and potentially take over a system, so users should update their browser immediately to version 123.0.6312.86 or later.
- Security researcher Bar Lanyado has demonstrated that AI-generated fake Python package names can be registered and actually downloaded by developers, posing a potential malware risk.
- The website 'Have I Been Pwned' provides a comprehensive list of data breaches that users can search to see if their personal information has been compromised in any online attacks, ensuring individuals remain informed about their digital security.
- A phishing-as-a-service operation named Darcula uses sophisticated methods like Rich Communication Services and iMessage, instead of SMS, to conduct targeted phishing attacks against users from over 100 countries, employing 200 templates to mimic legitimate businesses and employing strategies to circumvent platform restrictions.
- The INC Ransom extortion group compromised the National Health Service of Scotland and threatened to release 3 terabytes of stolen data, including sensitive patient and staff information.
- Apple device users are being targeted with a massive number of fake password reset requests, followed by fraudulent support calls trying to acquire personal information, in a sophisticated multi-factor authentication fatigue attack.
- A study shows that 52% of Americans use ad blockers to improve privacy and web browsing speed, and the percentage is higher among tech professionals.
- China has been indirectly supporting armed groups to combat scam operations in Myanmar, leading to a significant military confrontation and exchange of scammers and victims with Chinese authorities.
- A successful demonstration of a 31-round collision in the SHA256 cryptographic function has been documented on GitHub.
- A search query for the term "the wp-config.php creation script uses this file" on ZoomEye.hk reveals a list of IP addresses linked to potentially malicious activity on servers located in various countries, with details accessible upon login.
- A search on ZoomEye reveals multiple Docker containers with port 2375 open, indicating potentially unprotected instances across various countries and IP ranges that should be secured to prevent unauthorized access.
- The ZoomEye cybersecurity search engine has detected 74,773 instances, predominantly from China, of potentially malicious activity targeting exposed Jenkins dashboard interfaces over HTTP on port 8081, observed on 2024-03-30.
- ZoomEye, a search engine for cyber assets, has released a limited-time lifetime membership for $149, which includes 1 million bonus points for threat hunting and additional features like Honeypot Detection.
- As of March 29, 2024, there are 10,748 cybersecurity incidents related to "nosuchbucket"+"bucketname" with the majority of affected devices using the nginx web server, predominantly located in China and the United States, emphasizing the need for secure bucket configurations and monitoring.
- The Agenda ransomware group, known for targeting various industries, has updated its Rust variant to spread across VMware vCenter and ESXi servers using a custom PowerShell script and other tactics to evade detection and disrupt virtual infrastructure.
- AhnLab Security Intelligence Center reports an uptick in phishing scripts that steal user data including emails, passwords, IP addresses, and user agent details through Telegram's API, with attackers using code obfuscation to evade detection and redirecting victims to legitimate sites after theft to avoid suspicion.