HAQ.NEWS

// Jared Folkins

# Description

Techniques for stealing AD CS certificates include exporting and bypassing restrictions using tools like Mimikatz. DLL Proxy Loading is a method where an attacker substitutes a legitimate DLL with a fake one to execute malicious code. Secator is a tool that automates security assessments by integrating multiple security commands. ST Smart Things Sentinel is for IoT security, scanning for vulnerabilities and adding devices to a network for monitoring. Portr is an open-source tool for secure SSH tunneling. A privilege escalation bug in Microsoft Intune has been patched by Microsoft. Steganography is used to embed malicious shellcode into images to evade detection. TInjA scans for template injection vulnerabilities in web pages. Fast-recon automates the search for sensitive files online. Airgeddon tests wireless network security, pwnat establishes client communication behind NATs, Lazytainer automatically manages inactive Docker containers, and GitBook is a documentation platform for technical teams. Also covered are a Python script for bypassing Cloudflare, zeropwn/intelx-maltego for OSINT visualization, a ZoomEye.hk search tool for querying applications, EVILRDP, which adds features to an RDP client, and a public API command that checks ELF binary files for backdoors.

# Tradecraft

[#] This post explains the techniques for stealing AD CS certificates, such as exporting them using Crypto APIs, using Mimikatz to bypass export restrictions, and exploiting the DPAPI for user certificate theft, including methods to find and use the certificates for authentication.
Read More @ vandanpathak.com
[#] DLL Proxy Loading is a technique where an attacker creates a fake DLL that mimics a legitimate one, using it to run malicious code while forwarding function calls to the original DLL, thus maintaining normal program operation and avoiding detection.
Read More @ pentestlab.blog
[#] Secator is a workflow automation tool that streamlines security assessments by integrating a range of well-known security commands into one platform, supporting simpler to advanced tasks.
Read More @ securityonline.info
[#] ST Smart Things Sentinel is a security tool to find and mitigate threats in IoT device protocols by scanning for vulnerabilities, such as CVEs and open UPnP ports, and can add new devices for monitoring within a network.
Read More @ kitploit.com
[#] Portr is an open-source alternative to ngrok that provides secure SSH tunneling for HTTP and TCP connections, aimed at small teams needing to expose local development servers to the public internet.
Read More @ github.com
[#] Researchers at SpecterOps discovered a privilege escalation bug in Microsoft Intune's Endpoint Privilege Management feature, which allowed a standard user to execute arbitrary applications with administrative rights without an administrator present. Microsoft has since issued a fix that removes the administrator group from the virtual account token, so a medium integrity process can no longer trigger a UAC prompt without a password.
Read More @ specterops.io
[#] The article discusses a method of embedding malicious shellcode into images using steganography, specifically the Least Significant Bit technique, to bypass antivirus and endpoint detection and response systems.
Read More @ co.nz
[#] TInjA is a command-line tool created for identifying template injection vulnerabilities in web pages, supporting multiple programming languages and template engines, with features to customize scans and generate reports.
Read More @ github.com
[#] The repository fast-recon provides a script for automating the search for potentially sensitive files using Google and Pastebin dorks specific to a domain.
Read More @ github.com
[#] Airgeddon is a multipurpose bash script for Linux that lets users test the security of wireless networks, with the latest version 11.22 released on February 14, 2024.
Read More @ github.com
[#] Pwnat is a tool by Samy Kamkar that enables direct communication between clients behind different NATs without needing third-party involvement, port forwarding, or other typical network configurations.
Read More @ github.com
[#] Lazytainer is a tool for Docker that monitors network traffic and automatically stops or pauses inactive containers to save resources.
Read More @ github.com
[#] GitBook offers a documentation platform where code and content synchronization occurs seamlessly through integrations with GitHub and GitLab, featuring authentication controls, AI-powered writing assistants, and embedded content capabilities designed for technical teams.
Read More @ gitbook.io
[#] A Python script that demonstrates how to bypass Cloudflare for web scraping has been updated; it requires Python, a Chromium-based browser, and adherence to legal and ethical standards.
Read More @ github.com
[#] The GitHub repository for zeropwn/intelx-maltego provides installation instructions for integrating Intelligence X's OSINT tools into Maltego's data visualization platform using Python scripts and an API key.
Read More @ github.com
[#] This entry highlights a search tool from ZoomEye.hk that can be used to query for specific applications such as "Starlink" or "Cisco WebUI" to gather information, likely for vulnerability assessment or reconnaissance activities.
Read More @ zoomeye.hk
[#] EVILRDP is a modified version of the aardwolf RDP client that offers extended control through command line for automated mouse and keyboard actions, clipboard management, creating a SOCKS proxy, and executing shell or PowerShell commands on a remote target.
Read More @ github.com
[#] Secator is a tool that organizes and runs security tasks and workflows to streamline pentesting and research, integrating various security tools under a unified interface.
Read More @ freelabz.com
[#] The document details a method called DLL proxying used for persistence, where a malicious DLL replaces a legitimate one, hijacking its function calls to execute malicious code before forwarding the calls to the original DLL.
Read More @ ired.team
[#] A tutorial explains how to use DLL Proxying to exploit a DLL Hijacking vulnerability without crashing an application by creating a Proxy DLL that forwards function calls to the original, legitimate DLL.
Read More @ github.com
[#] A blog post explains how to use a DLL proxy attack to hijack a Windows process’s execution flow while maintaining the process's original functionality, using artifact kits to modify and generate malicious DLLs.
Read More @ cobaltstrike.com
[#] To check if an ELF binary file has been compromised by the XZ backdoor, use the provided public API command, which will return the analysis status and any suspicious elements detected.
Read More @ xz.fail

# News

[#] The U.S. Cyber Safety Review Board criticized Microsoft for security errors that allowed Storm-0558, a China-linked hacking group, to breach companies and advised cloud providers to enhance protections and transparency to prevent such incidents.
Read More @ thehackernews.com
[#] Ibis Budget hotels in Europe fixed a flaw in their check-in kiosks that exposed room entry codes, while WordPress addressed a critical plugin vulnerability with a hefty bug bounty, and Microsoft Priva improved data privacy management tools.
Read More @ scmagazine.com
[#] Hackread.com reports a significant data leak from Acuity Inc., a U.S. federal contractor, involving sensitive information from the Five Eyes Intelligence Group, potentially impacting national security.
Read More @ hackread.com
[#] Google has resolved two serious security vulnerabilities in Android and Pixel devices, fixing a total of 53 issues, two of which were being exploited in attacks, requiring users to update their devices to ensure protection.
Read More @ securityaffairs.com
[#] Google is developing Device Bound Session Credentials to make stolen cookies useless by binding session authentication to a user's specific device using cryptographic keys.
Read More @ theregister.com
[#] Cofense reports a sophisticated phishing campaign targeting the Oil and Gas sector, using vehicle incident lures to deliver Rhadamanthys Stealer malware, which seeks to bypass security measures, prompting the need for enhanced detection and training to protect against such threats.
Read More @ cofense.com
[#] Hackers on YouTube are disguising malware as game cracks and cheats, prompting users to disable security measures, and Proofpoint advises awareness and caution when downloading such files.
Read More @ securityonline.info
[#] Google reports exploitation of CVE-2024-29745 and CVE-2024-29748 on Pixel devices, recommending immediate update installation to address these serious security issues.
Read More @ securityonline.info
[#] Law enforcement disrupted the LockBit ransomware group's operations in Operation Cronos, seizing control of their sites, arresting affiliates, offering decryption keys to victims, and undermining trust within the cybercriminal community, signaling a significant impact on ransomware-as-a-service and highlighting the effectiveness of coordinated international efforts in combatting cyber threats.
Read More @ trendmicro.com
[#] Google has settled a lawsuit agreeing to delete certain data collected from Incognito mode sessions and to clarify their data collection practices on the Incognito mode information page and within their privacy policy.
Read More @ schneier.com
[#] The banking trojan Mispadu is now targeting users in Europe with a Windows SmartScreen bypass flaw, using multi-stage email attachments that start with a PDF and lead to credential theft from various services.
Read More @ thehackernews.com
[#] Europol, Europe's police agency, experienced a serious security incident where sensitive personal files of staff members, including top executives, vanished from a secure room at their headquarters, prompting ongoing investigations and concerns about the potential risks to their operations.
Read More @ securityaffairs.com
[#] A severe SQL injection vulnerability in the LayerSlider WordPress plugin, CVE-2024-2879 with a 9.8 CVSS score, has been fixed in the recent 7.10.1 update, and users should upgrade immediately to avoid potential data breaches.
Read More @ thehackernews.com
[#] The FixedFloat crypto exchange was hacked for $2.8 million due to a third-party service vulnerability, following a previous theft; meanwhile, wallets on Solana linked to trading bots like Solareum were drained, Prisma Finance on Ethereum suffered a $12 million hack due to smart contract flaws, Sam Bankman-Fried received a 25-year sentence for his role in the FTX collapse, LENX protocol faced a $10 million rug pull, KuCoin founders were charged with financial crimes, the Munchables game on Ethereum was exploited for $62.5 million but the funds were returned, and Curio RWA project lost $16 million to an exploit, while racist meme tokens surged on Solana and the already rug-pulled Lucky Star Currency project experienced another heist.
Read More @ web3isgoinggreat.com
[#] Check Point Research identified two attackers using Agent Tesla malware to target organizations in the US and Australia, and recommends updating systems, caution with emails, and enhanced security training to mitigate risk.
Read More @ checkpoint.com
[#] UnitedHealth Group's subsidiary Change Healthcare experienced a cyberattack attributed to a suspected nation-state actor, leading to an outage that disrupted prescription processing for pharmacies across the United States.
Read More @ latimes.com
[#] Google is developing a Chrome feature called 'Device Bound Session Credentials' that encrypts cookies to a user's device, preventing cyber attackers from hijacking accounts even if they steal cookies.
Read More @ bleepingcomputer.com
[#] A Freedom of Information Act request from 2010 has revealed NSA newsletters, including a critique of Bruce Schneier's book "Applied Cryptography," which both praises its comprehensive nature and criticizes it for inaccuracies and an extensive errata page.
Read More @ schneier.com
[#] Polish officials are under investigation for potentially misusing Pegasus spyware to surveil political rivals, with the NSO Group maintaining the tool is for lawful government use, despite accusations against it.
Read More @ packetstormsecurity.com
[#] E-commerce platform Pandabuy suffered a data breach compromising 1.3 million customer records including contact details and order data, with a cybersecurity expert confirming the validity of the leaked data, while the company offered a discount as compensation and advised users to watch for secondary attacks.
Read More @ packetstormsecurity.com
[#] The Open Web Application Security Project Foundation reported a breach due to a misconfigured server, potentially exposing personal data from member resumes dating back to 2006-2014; they have since tightened security measures and are alerting those affected.
Read More @ theregister.com
[#] Prudential Financial experienced a data breach impacting over 36,000 customers, with the attack attributed to the ALPHV/BlackCat group, and is now enhancing security measures and complying with new SEC rules for faster disclosure.
Read More @ scmagazine.com
[#] Cybersecurity researchers have identified a scheme where attackers used Google Ads' tracking feature to distribute Rhadamanthys malware disguised as common workplace software installers, potentially compromising users' private data and system information.
Read More @ darkreading.com
[#] Omni Hotels & Resorts is dealing with a significant system outage affecting reservations, door locks, and point-of-sale services, potentially due to a cyberattack, with recovery efforts underway.
Read More @ bleepingcomputer.com
[#] The National Institute of Science and Technology faces a backlog in updating the National Vulnerability Database and proposes a public-private consortium to efficiently manage the growing number of software vulnerabilities.
Read More @ darkreading.com
[#] Microsoft has acknowledged a problem where Outlook.com domain emails are being flagged as spam by Gmail, recommending a temporary solution of using an Outlook.com alias for Gmail communications while they work on a permanent fix.
Read More @ bleepingcomputer.com
[#] The FCC is addressing longstanding security flaws in American phone networks by asking carriers to report on vulnerabilities in the SS7 and Diameter protocols and their efforts to prevent abuse.
Read More @ theregister.com
[#] Cybercriminals are increasingly using "jailbreak" tactics to bypass OpenAI's safety policies for ChatGPT, utilizing it to scale sophisticated social engineering attacks like phishing, while companies like Abnormal Security offer tools and strategies to detect and defend against AI-generated malicious content.
Read More @ scmagazine.com
[#] A sophisticated variant of StrelaStealer malware is infecting European organizations, evading detection by using keyboard layout as a trigger, targeting email clients, and sending stolen data to a control server.
Read More @ securityonline.info
[#] A critical SQL injection vulnerability in the LayerSlider WordPress plugin, identified as CVE-2024-2879, puts over a million sites at risk, requiring immediate update to version 7.10.1 to prevent potential data theft.
Read More @ securityonline.info
[#] McAfee Labs reports an increase in PikaBot malware attacks using various methods such as HTML files, JavaScript, Excel spreadsheets, SMB shares, and JAR files, highlighting the need for vigilance and updated security measures to protect against this sophisticated and stealthy backdoor trojan.
Read More @ securityonline.info
[#] Google urgently updated Chrome to fix a critical zero-day vulnerability identified as CVE-2024-3159 following its exposure at the Pwn2Own Vancouver 2024 event, and users should promptly upgrade to version 123.0.6312.105/.106/.107 for Windows and Mac or 123.0.6312.105 for Linux to protect their systems.
Read More @ securityonline.info
[#] Cybercriminal group The Com is escalating phishing attacks by imitating company login pages to steal credentials and potentially deploy ransomware, with businesses advised to adopt multi-layered security, train employees, enforce strong MFA, and implement a zero-trust approach.
Read More @ securityonline.info
[#] VMware has issued critical patches for its SD-WAN solution to fix serious security flaws, including an unauthenticated command injection, a BIOS boot modification risk, and an open redirect vulnerability, with a strong recommendation for administrators to apply these patches to protect network devices and prevent unauthorized access and malicious redirects.
Read More @ securityonline.info
[#] Check Point Research has uncovered the identities of two cybercrime figures responsible for Agent Tesla malware attacks on US and Australian entities, revealing their sophisticated phishing strategies and use of the Cassandra Protector to bypass security measures.
Read More @ securityonline.info
[#] Microsoft is directed to shift focus from developing new features to improving its cloud infrastructure's security to prevent incidents like the Exchange Online cyber-raid by the "Storm-0558" group.
Read More @ theregister.com
[#] Security researchers have identified a new malware named UNAPIMON used by the Earth Freybug group, linked to APT41, to evade detection and conduct stealth operations by leveraging legitimate system tools and API unhooking.
Read More @ thehackernews.com
[#] A large collection of data breaches has been consolidated into the Have I Been Pwned database, which now allows programmatic access through the HIBP API, and includes breaches from various sources exposing information like email addresses, passwords, IP addresses, and more personal data.
Read More @ haveibeenpwned.com
[#] Google has consented to delete the Chrome Incognito mode browsing data it collected from 136 million users by 275 days after the settlement agreement's approval, responding to a lawsuit alleging undisclosed data collection.
Read More @ bleepingcomputer.com
[#] Iran has reportedly engaged in covert negotiations to acquire uranium from Niger, following a military coup that displaced the French influence in the region.
Read More @ osintteam.blog
[#] Misinformation regarding Mercedes closing factories, Belarusian deputies' earnings, Eurasian space powers, Macron's depiction, and Ukraine border criminals has been debunked, while other false claims about Crocus Expo attack suspects and inflation in Belarus have been corrected.
Read More @ google.com
[#] Google Search enhances fact-checking features, adding "About this image" and "more about this page" in 40 languages, aiding users in verifying content authenticity.
Read More @ blog.google
[#] Google has agreed to erase billions of browsing records and inform users about data collection during Incognito sessions as part of a lawsuit settlement, while not paying damages to users but allowing them to sue individually.
Read More @ cnn.com
[#] GlobalIncidentMap.com provides real-time data on various safety and security incidents worldwide, with specific focus areas and free access.
Read More @ globalincidentmap.com
[#] GlobalIncidentMap.com provides a free online service that maps different types of incidents worldwide, including cyber security events, requiring user registration to limit misuse.
Read More @ globalincidentmap.com
[#] The global sanctions database has been updated to reflect 40,780 entries from various international entities, providing comprehensive information on economic and trade sanctions.
Read More @ sanctionsexplorer.org

# F.A.Q

Problem

Many websites are using AI/ML to create clickbait which actually doesn't have any valuable content.

Value

I use AI to de-clickbait the clickbait by allowing AI to read my news for me. Then it creates a meaningful tl;dr regarding the articles of interest, which helps me discern what I should read. It is saving me a ton of time.

Why

FWIW HAQ.NEWS really started out as my personal news feed, enriched by AI, and converted into something quick and easy to read. But then I started getting requests for features like RSS, Gracie got involved, and with the super-power of AI things have taken on a life of their own.

Sharing

I currently post daily infosec news to X, LinkedIn, Mastodon and RSS.

I also post daily infosec podcasts and interviews to Apple Podcasts and Spotify.

Ads

This isn't an Ad.

current friend of haq 2024-04-04

I want to encourage people and projects that impress me, by posting a banner linking their work, as it's my desire to help others. I do not take or make any money.

Thanks,
Jared Folkins