Found 1411 bookmarks
Newest
Teaching an Old Framework New Tricks: The Dangers of Windows UI Automation | Akamai
Teaching an Old Framework New Tricks: The Dangers of Windows UI Automation | Akamai
  • Akamai security researcher Tomer Peled explored new ways to use and abuse Microsoft's UI Automation framework and discovered an attack technique that evades endpoint detection and response (EDR). To exploit this technique, a user must be convinced to run a program that uses UI Automation. This can lead to stealthy command execution, which can harvest sensitive data, redirect browsers to phishing websites, and more. Detection of this technique is challenging in several ways, including for EDR. All EDR technologies we have tested against this technique were unable to find any malicious activity. This technique can be used on every Windows endpoint with operating system XP and above. In this blog post, we provide a full write-up on how to (ab)use the UI Automation framework (including possible attacks that could leverage it) and we present a proof of concept (PoC) for each abuse vector we discuss. We also provide detection and mitigation options.
#akamai#EN#2024#Microsoft#abuse#automation-framework#UIAutomation#technique
·akamai.com·
Teaching an Old Framework New Tricks: The Dangers of Windows UI Automation | Akamai
Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials | Datadog Security Labs
Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials | Datadog Security Labs
  • In this post, we describe our in-depth investigation into a threat actor to which we have assigned the identifier MUT-1244. MUT-1224 uses two initial access vectors to compromise their victims, both leveraging the same second-stage payload: a *phishing campaign targeting thousands of academic researchers and a large number of trojanized GitHub repositories, such as proof-of-concept code for exploiting known CVEs. Over 390,000 credentials, believed to be for WordPress accounts, have been exfiltrated to the threat actor through the malicious code in the trojanized "yawpp" GitHub project, masquerading as a WordPress credentials checker. Hundreds of victims of MUT-1244 were and are still being compromised. Victims are believed to be offensive actors—including pentesters and security researchers, as well as malicious threat actors— and had sensitive data such as SSH private keys and AWS access keys exfiltrated. We assess that MUT-1244 has overlap with a campaign tracked in previous research reported on the malicious npm package 0xengine/xmlrpc and the malicious GitHub repository hpc20235/yawpp.
#securitylabs.datadoghq.com#EN#2024#pentesters#script-kiddies#offensive#actors#MUT-1244#PoC#PoC-abuse#MUT-1224#credentials#steal
·securitylabs.datadoghq.com·
Getting a taste of your own medicine: Threat actor MUT-1244 targets offensive actors, leaking hundreds of thousands of credentials | Datadog Security Labs
Oasis Security Research Team Discovers Microsoft Azure MFA Bypass
Oasis Security Research Team Discovers Microsoft Azure MFA Bypass
Oasis Security's research team uncovered a critical vulnerability in Microsoft's Multi-Factor Authentication (MFA) implementation, allowing attackers to bypass it and gain unauthorized access to the user’s account, including Outlook emails, OneDrive files, Teams chats, Azure Cloud, and more. Microsoft has more than 400 million paid Office 365 seats, making the consequences of this vulnerability far-reaching. The bypass was simple: it took around an hour to execute, required no user interaction and did not generate any notification or provide the account holder with any indication of trouble.
#oasis.security#EN#2024#research#MFA#Microsoft#MFA-bypass
·oasis.security·
Oasis Security Research Team Discovers Microsoft Azure MFA Bypass
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
In this article, I explained how I could compromise the sysupgrade.openwrt.org service by exploiting the command injection and the SHA-256 collision. As I never found the hash collision attack in a real-world application, I was surprised that I could successfully exploit it by brute-forcing hashes.
#flatt.tech#EN#2024#Hash-collision#OpenWrt#Command-injection#SHA-256#Supply-chain
·flatt.tech·
Compromising OpenWrt Supply Chain via Truncated SHA-256 Collision and Command Injection - Flatt Security Research
Fraudulent shopping sites tied to cybercrime marketplace taken offline
Fraudulent shopping sites tied to cybercrime marketplace taken offline
The investigation began in the autumn of 2022, following reports of fraudulent phone calls in which scammers impersonated bank employees to extract sensitive information, such as addresses and security answers, from victims. The stolen data was traced back to a specialised online marketplace that operated as a central hub for the trade of illegally obtained information.A central hub for cyber...
#europol#EN#2024#Fraudulent#shopping#marketplace#MansonMarket
·europol.europa.eu·
Fraudulent shopping sites tied to cybercrime marketplace taken offline
Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia
Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia
The team at CYFIRMA analyzed a malicious Android sample designed to target high-value assets in Southern Asia. This sample, attributed to an unknown threat actor, was generated using the Spynote Remote Administration Tool. While the specifics of the targeted asset remain confidential, it is likely that such a target would attract the interest of APT groups. However, we are restricted from disclosing further details about the actual target and its specific region. For a comprehensive analysis, please refer to the detailed report
#cyfirma#EN#2024#Unidentified#Threat#Actor#Malware#research#Android#Spynote#Remote#Administration#Tool
·cyfirma.com·
Unidentified Threat Actor Utilizes Android Malware to Target High-Value Assets in South Asia
Log In POLITICO Pro Home Latest news Romanian elections War in Ukraine French political crisis Newsletters Podcasts Poll of Polls Policy news Events News Politics Hungarian CIA reportedly spied on EU officials
Log In POLITICO Pro Home Latest news Romanian elections War in Ukraine French political crisis Newsletters Podcasts Poll of Polls Policy news Events News Politics Hungarian CIA reportedly spied on EU officials
Officials from EU anti-fraud office were allegedly followed, wiretapped and had their laptops hacked by Hungary’s intelligence agency.
#politico#EN#2024#Espionage#European-politics#Hungarian-politics#Hungary#Intelligence#Law-enforcement#MEPs#Spying#Spyware#Viktor-Orbán
·politico.eu·
Log In POLITICO Pro Home Latest news Romanian elections War in Ukraine French political crisis Newsletters Podcasts Poll of Polls Policy news Events News Politics Hungarian CIA reportedly spied on EU officials
Unveiling Celular 007: An In-Depth Analysis of Brazilian Stalkerware and Strategies for Collective Protection
Unveiling Celular 007: An In-Depth Analysis of Brazilian Stalkerware and Strategies for Collective Protection
Key findings from our analysis include: Advanced Surveillance Capabilities: Utilizes technologies like WebRTC for real-time audio and video streaming. Abuses Accessibility Services to intercept user interactions. Comprehensive Data Exfiltration: Collects and transmits a wide range of personal data, including messages, call logs, and location information. Persistence Mechanisms: Employs techniques to remain active on the device, such as auto-start on boot and misuse of device administrator privileges. Abuse of Legitimate Services: Utilizes Firebase Cloud Messaging to establish command and control channels, disguising its communications as legitimate traffic. Indicators of Compromise (IoCs): Identified specific URLs, IP addresses, file hashes, and other artifacts associated with Celular 007. Need for Collective Protection: * Highlights the importance of collective defense strategies and community awareness to combat such invasive tools.
#interseclab#EN#2024#spyware#Celular007#Stalkerware#Brazil
·interseclab.org·
Unveiling Celular 007: An In-Depth Analysis of Brazilian Stalkerware and Strategies for Collective Protection
Veeam warns of critical RCE bug in Service Provider Console
Veeam warns of critical RCE bug in Service Provider Console
​Veeam released security updates today to address two Service Provider Console (VSPC) vulnerabilities, including a critical remote code execution (RCE) discovered during internal testing. VSPC, described by the company as a remote-managed BaaS (Backend as a Service) and DRaaS (Disaster Recovery as a Service) platform, is used by service providers to monitor the health and security of customer backups, as well as manage their Veeam-protected virtual, Microsoft 365, and public cloud workloads.
#bleepingcomputer#EN#2024#RCE#bug#DRaaS#VSPC#Veeam
·bleepingcomputer.com·
Veeam warns of critical RCE bug in Service Provider Console