HAQ.NEWS

// Jared Folkins

# Latest Podcast

# Description

A security engineer found two methods to bypass DOMPurify's protection by targeting how XML and HTML parsers work. The Drozer framework is used for testing Android app vulnerabilities, it's user-friendly and can be set up using Docker. It's important to check Active Directory admin groups to reduce risks. GitHub's xz-vulnerable-honeypot shows how to set up a honeypot detecting SSH attacks. AssetViz draws subdomains as a mind map for penetration testers. ChaiLdr repository helps avoid antivirus using shellcode loader techniques. Misusing the DLL Search Order can allow malware on Windows, so defenses are needed. An Android 14 kernel exploit affects Pixel devices, can gain root access. ADPT simplifies DLL hijack and sideloading exploits automatically. Modpot uses Go and gin for a web app honeypot to catch cyberattacks. Arjun hunts for HTTP parameters effectively. ADCSCoercePotato can force ADCS to authenticate for elevated privileges. HuntKit compiles pentesting tools in Docker for performance. A Python script makes simulated web traffic for network training. Portr safely shares local web services. LLVM is a compiler framework supporting many languages. CS 6120 at Cornell teaches programming language implementation online. A security researcher, amlweems, created a honeypot for CVE-2024-3094. Sudistark/xss-writeups explains an XSS bug on figma.com. An online service checks XZ backdoor in ELF binaries. Microsoft’s ML-For-Beginners provides a 26-lesson course on machine learning. A blog post demonstrates executing a buffer overflow attack. Linux's 'wall' command has a flaw, WallEscape (CVE-2024-28085), which can leak sensitive info. And Helix is a modern text editor offering features for coders.

# Tradecraft

[#] A security engineer discovered two ways to bypass DOMPurify's sanitization of XML documents by exploiting differences in how XML and HTML parsers handle Processing Instructions and CDATA sections, both of which were patched by the DOMPurify team to remove such elements.
Read More @ flatt.tech
[#] Drozer is an open-source security framework for analyzing Android applications and devices for vulnerabilities by simulating a rogue app, allowing pen testers to check permissions and start interactive shells without needing advanced programming knowledge, and can be installed through a Docker container or by building manually for multiple operating systems.
Read More @ kitploit.com
[#] Excessive Active Directory admin group access due to nested groups increases security risk; audit memberships, alert on changes, and apply least-privilege principles to mitigate.
Read More @ trimarcsecurity.com
[#] A GitHub project named xz-vulnerable-honeypot is showcasing a secure shell (SSH) honeypot setup with an XZ backdoor, identified by CVE-2024-3094, and includes tools such as bpftrace, strace, and tcpdump for monitoring, with installation instructions provided for users to run their own honeypot.
Read More @ github.com
[#] AssetViz is a tool that translates subdomain data from files into a visual mind map, aiding penetration testers and bug bounty hunters in understanding the layout of a domain for better strategic decisions.
Read More @ github.com
[#] The GitHub repository "ChaiLdr" provides a simple shellcode loader with features like indirect syscalls, QueueUserAPC Injection, HTTP/S shellcode staging, and evasion techniques for antivirus software, but notes planned future improvements for issues like crashes without CRT Library and adding shellcode encryption.
Read More @ github.com
[#] A proof of concept (PoC) shows how attackers can run malicious software on Windows by misusing the DLL Search Order with trusted WinSxS folder executables, highlighting a need for awareness and defense strategies against such techniques.
Read More @ github.com
[#] A GitHub report details an Android 14 kernel exploit affecting Pixel 7 and 8 Pro devices, including code to gain root access and disable SELinux, requiring specific offsets for each device model.
Read More @ github.com
[#] Another Dll Proxying Tool (ADPT) automates the exploitation of DLL hijack and sideloading vulnerabilities without the need for traditional manual reverse engineering steps.
Read More @ github.com
[#] Modpot is a modular web application honeypot using Go and gin to mimic web applications for detecting potential cyber attacks, with configurable automation and logging through various responders.
Read More @ github.com
[#] Arjun is a tool that efficiently discovers valid HTTP parameters by sending a series of requests, dividing a large dictionary into sections, and eliminating those that do not affect the server's response.
Read More @ securityonline.info
[#] ADCSCoercePotato is a tool for forcing a domain's Active Directory Certificate Services (ADCS) server to authenticate with a machine, which can be exploited to request a certificate and elevate privileges on a network.
Read More @ github.com
[#]
Read More @ checkpoint.com
[#] HuntKit is a Docker image that compiles numerous penetration testing tools for cybersecurity practitioners to simplify setup and updates, and provides increased performance compared to traditional virtual machines.
Read More @ github.com
[#] A Python script generates simulated web traffic by visiting random links within a set range of depth and intervals, useful for network defense training.
Read More @ github.com
[#] Portr is an open-source tool allowing secure exposure of local HTTP and TCP services to the internet, appropriate for developer teams but not for production environments.
Read More @ github.com
[#] LLVM is a modular and versatile framework for developing compilers that allows seamless integration of various programming languages and target architectures through an intermediate representation, enabling advanced optimization techniques and efficient code generation adaptable to specific hardware.
Read More @ aosabook.org
[#] CS 6120 is an advanced online course by Cornell University focusing on the mechanics behind programming language implementation, including optimization and garbage collection, with practical tasks involving LLVM and a specially designed educational IR.
Read More @ cornell.edu
[#] A security researcher named amlweems has created a repository which includes a honeypot for detecting attempts to exploit a backdoor designated CVE-2024-3094 in the xz utility, a patched version of the software to test for vulnerability, and a demonstration of exploiting the vulnerability using a malicious SSH key.
Read More @ github.com
[#] The GitHub repository Sudistark/xss-writeups contains documentation on a Cross-Site Scripting (XSS) vulnerability identified and documented for the website figma.com, showcasing how the security flaw was discovered and how it can be mitigated.
Read More @ github.com
[#] The content is a user guide on how to utilize an online service to analyze ELF binaries for the XZ backdoor by submitting a file, which returns an analysis of whether the file is malicious and details suspicious elements.
Read More @ xz.fail
[#] How to use Rust for malware development.
Read More @ github.com
[#] Microsoft's ML-For-Beginners GitHub repository offers a 12-week curriculum with 26 lessons and 52 quizzes to help individuals learn machine learning through project-based education, primarily using Python and Scikit-learn, and avoiding deep learning.
Read More @ github.com
[#] This blog post illustrates a detailed process for executing a buffer overflow attack by disabling security features, using Python scripts for payload creation, and employing GDB for debugging to gain unauthorized access to a system.
Read More @ vandanpathak.com
[#] The utility 'wall' on certain Linux distributions does not properly sanitize command line input, which allows unprivileged users to inject escape sequences that can manipulate terminal output or leverage this flaw to potentially expose sensitive information like passwords.
Read More @ rit.edu
[#] A recent security issue named WallEscape (CVE-2024-28085) impacts the util-linux 'wall' command due to unfiltered escape sequences from command line arguments, and attackers can exploit it to leak passwords or alter command outputs by using the exploit code provided.
Read More @ github.com
[#] Helix is a modern text editor influenced by Kakoune and Neovim, with features like modal editing, multiple selections, built-in language server, and syntax highlighting, and it provides various methods for installation and contribution.
Read More @ github.com

# News

[#] Over 1.3 million users' data from the PandaBuy shopping platform was leaked, including personal details and purchase history, and those affected should reset their passwords and watch for scam attempts.
Read More @ bleepingcomputer.com
[#] The Federal Trade Commission reports that impersonation scams in the U.S. led to losses exceeding $1.1 billion in 2023, and advises the public to avoid unsolicited links, to question requests for money transfers, and to independently verify any dubious communications to protect oneself from fraud.
Read More @ bleepingcomputer.com
[#] "TheMoon" malware, evolving since 2014, has infected over 40,000 small business and IoT routers from 88 countries, utilizing end-of-life devices and a proxy service called Faceless to maintain anonymity for criminal operations.
Read More @ packetstormsecurity.com
[#] Over 100,000 individuals could be affected by a cybersecurity breach at CISA, where attackers compromised the Chemical Security Assessment Tool by exploiting Ivanti appliance vulnerabilities, prompting system security updates and the implementation of stronger incident response protocols.
Read More @ scmagazine.com
[#] Harvard Pilgrim Health Care experienced a data breach affecting around 2.9 million people, with personal information compromised, and critical vulnerabilities were disclosed in Cisco and Rockwell Automation products, while TheMoon botnet targets outdated routers and IoT devices.
Read More @ theregister.com
[#] Indian government has repatriated 250 citizens from Cambodia who were forced to participate in cyber scams, with global trafficking for such cybercrime highlighted by the UN and measures in place to address wallet address scams used in cryptocurrency fraud.
Read More @ thehackernews.com
[#] Anti-Kremlin hackers avenged Alexey Navalny's death by breaching Russia's prison system network, stealing a database of prisoner information, and tampering with the online commissary's pricing.
Read More @ packetstormsecurity.com
[#] In late February 2023, attackers used Microsoft OneNote files to deliver IcedID malware, established persistence for over a month, then deployed Cobalt Strike and AnyDesk to access servers, exfiltrated data using FileZilla, and executed Nokoyawa ransomware, with Cobalt Strike's command and control domain seized in April 2023 by Microsoft, Fortra, and Health-ISAC.
Read More @ thedfirreport.com
[#] AT&T confirms the authenticity of over 73 million customer records leaked on the dark web, which includes data of 7.6 million current and 65.4 million former users, possibly originating from an earlier 2021 breach but denies the information came from their systems.
Read More @ theregister.com
[#] Google Play Store recently removed 29 malicious apps that secretly used Android phones as proxies, aiding cybercriminals in concealing their activities by routing through these unsuspecting users' devices.
Read More @ thehackernews.com
[#] The latest Threat Intelligence Report highlights a criminal indictment against Chinese hacker group APT31, a ransomware attack on Scottish NHS, unauthorized data sales from the English Cricket Board, and an unpatched vulnerability in the Ray AI framework, among other cyber security threats and incidents.
Read More @ checkpoint.com
[#] The Vultur Android banking trojan, which first appeared in 2021, has evolved to perform remote control operations on mobile devices, evading detection with encrypted communication and masquerading as legitimate applications.
Read More @ thehackernews.com
[#] The website Have I Been Pwned provides a service that allows individuals to check if their personal information has been compromised in various data breaches by inputting their email address or phone number.
Read More @ haveibeenpwned.com
[#] Sonar's research team discovered a PHP bug causing XSS vulnerabilities in Joomla CMS, fixed in Joomla version 5.0.3/4.4.3 and PHP versions 8.3 and 8.4; updating Joomla and PHP is recommended for security reasons.
Read More @ sonarsource.com
[#] The subreddit r/netsec posted an announcement regarding the ROP Emporium's 'ret2win' Buffer Overflow Challenge, aimed at those interested in practicing and developing their cyber security skills.
Read More @ reddit.com
[#] Cybercriminals are using Google Ads to trick users into visiting malicious sites that mimic legitimate software downloads for programs like Notion and Slack, which deliver Rhadamanthys malware designed to steal sensitive data; users should confirm URLs and use trusted antivirus software to protect themselves.
Read More @ securityonline.info
[#] Cisco warns of a global password spraying attack on VPN systems, which can cause user lockouts and recommends using robust logging, modifying default VPN settings, applying control-plane ACLs, and upgrading to certificate authentication to mitigate risks.
Read More @ securityonline.info
[#] Apache Fineract has fixed three security issues, including a critical vulnerability that allowed unauthorized privilege escalation, and users should update to version 1.8.5 or 1.9.0 to protect their banking operations.
Read More @ securityonline.info
[#] A malicious npm package named "vue2util" has been discovered, which targets Binance Smart Chain wallets containing USDT by exploiting the token's contract approval process and initiates unauthorized transfers when a "buy_btn" is clicked, prompting developers to rigorously verify dependencies and consider professional code audits to protect their cryptocurrency assets.
Read More @ securityonline.info
[#] A critical vulnerability found in Linux kernel versions 6.4 to 6.6 (CVE-2024-0582, CVSS 7.8), allows local users to gain full system control, and users should apply the provided security patches promptly.
Read More @ securityonline.info
[#] Google's "Google AI for Anyone" is a new course available on edX starting April 2nd to teach the basics of artificial intelligence and how it operates.
Read More @ edx.org
[#] Internet investigator Igor Bederov discusses the decreasing possibility of maintaining anonymity online in 2024, citing that digital footprints left on websites and through social media posts can be traced, and suggests that even with methods attempting to preserve anonymity, creating a whole new identity disconnected from one's real self is a prevalent strategy among those seeking to hide their digital presence.
Read More @ passion.ru
[#] A report details tactics of 16 APT groups in the Middle East targeting regions with political, economic, and military data theft, recommending asset management, incident monitoring, cyber security training, and regular security assessments to combat such sophisticated cyberattacks.
Read More @ ptsecurity.com
[#] A significant security breach was identified in the xz/liblzma compression software, involving a backdoor that compromised SSH servers, with GitHub actions taken against accounts involved and a call for reevaluation of open source project maintenance practices was prompted.
Read More @ boehs.org
[#] Android banking malware Vultur has been updated to include new features such as remote interaction via Accessibility Services, and enhanced evasion techniques like encrypted communications and legitimate app masquerading, posing heightened risks to mobile banking security.
Read More @ fox-it.com

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tldr; regarding the articles of interest which helps discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by Ai, and converted into something quick and easy to read. But then I started getting requests for features like rss, Gracie got involved, and with the super-power of Ai things have taken on a life of their own.

Sharing

I currently post daily infosec news to x, linkedin, mastodon and rss.

I also post daily infosec podcasts and interviews to apple podcasts and spotify.

Ads

This isn't an Ad.

current friend of haq 2024-04-02

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins