Extracting Plaintext Credentials from Palo Alto Global Protect
In C:\Users\username\AppData\Local\Palo Alto Networks\GlobalProtect there was a file called panGPA.log that contained something interesting:
Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
This is a pair of vulnerabilities, described as ‘Authentication Bypass in the Management Web Interface’ and a ‘Privilege Escalation‘ respectively, strongly suggesting they are used as a chain to gain superuser access, a pattern that we’ve seen before with Palo Alto appliances. Before we’ve even dived into to code, we’ve already ascertained that we’re looking for a chain of vulnerabilities to achieve that coveted pre-authenticated Remote Code Execution.
T-Mobile finally managed to thwart a data breach before it occured
- T-Mobile was able to prevent a recent hack before escalating. Hackers were able to enter T-Mobile's network but didn't get too far. No data breaches occurred this time.
Anyone Can Buy Data Tracking US Soldiers and Spies to Nuclear Vaults and Brothels in Germany | WIRED
More than 3 billion phone coordinates collected by a US data broker expose the detailed movements of US military and intelligence workers in Germany—and the Pentagon is powerless to stop it.
Leaked Documents Show What Phones Secretive Tech ‘Graykey’ Can Unlock
The documents provide never-been-seen insight into the current cat-and-mouse game between forensics companies and phone manufacturers Apple and Google.
Major security audit of critical FreeBSD components now available - Help Net Security
The FreeBSD Foundation has released an extensive security audit of two critical FreeBSD components: bhyve and Capsicum.
German Stats Body Says Suffered Possible Data Breach | Barron's
Germany's national statistics agency Destatis said Friday it had been the victim of a suspected data leak, following a media report that the organisation had been attacked by pro-Russian hackers.
Turkey fines Amazon's Twitch 2 mln lira for data breach | Reuters
Turkey's Personal Data Protection Board (KVKK) has fined Amazon.com's gaming platform Twitch 2 million lira ($58,000) over a data breach, the official Anadolu Agency reported on Saturday.
Snowflake hackers identified and charged with stealing 50 billion AT&T records | TechCrunch
The U.S. Department of justice indicted two hackers for breaking into the systems of AT&T and several other companies.
T-Mobile confirms it was hacked in recent wave of telecom breaches
T-Mobile confirms it was hacked in the wave of recently reported telecom breaches conducted by Chinese threat actors to gain access to private communications, call records, and law enforcement information requests.
My Habit Was Collecting
A cyber prodigy defended companies against intrusion while continuing to amass data through a series of his own hacks.
The State of Cloud Ransomware in 2024
In this new report, learn how threat actors are leveraging cloud services to target web services with ransomware attackers.
Stealthy Attributes of APT Lazarus: Evading Detection with Extended Attributes
APT Lazarus has begun attempting to smuggle code using custom extended attributes. Extended attributes are metadata that can be associated with files and directories in various file systems. They allow users to store additional information about a file beyond the standard attributes like file size, timestamps, and permissions.
CVE-2024-47575
On October 23, 2024, Fortinet published an advisory for CVE-2024-47575, a missing authentication vulnerability affecting FortiManager and FortiManager Cloud de…
Okta security bug affects those with really long usernames
Mondays are for checking months of logs, apparently, if MFA's not enabled
Windows infected with backdoored Linux VMs in new phishing attacks
A new phishing campaign dubbed 'CRON#TRAP' infects Windows with a Linux virtual machine that contains a built-in backdoor to give stealthy access to corporate networks.
China's Volt Typhoon breached Singtel, reports say
Chinese government cyberspies Volt Typhoon reportedly breached Singapore Telecommunications over the summer as part of their ongoing attacks against critical infrastructure operators. The digital break-in was discovered in June, according to Bloomberg, citing "two people familiar with the matter" who told the news outlet that the Singtel breach was "a test run by China for further hacks against US telecommunications companies."
Visionaries Have Democratised Remote Network Access - Citrix Virtual Apps and Desktops (CVE Unknown)
This one is a privesc bug yielding SYSTEM privileges for any VDI user, which is actually a lot worse than it might initially sound since that’s SYSTEM privileges on the server that hosts all the applications and access is ‘by design’ - allowing an attacker to impersonate any user (including administrators) and monitor behaviour, connectivity.
Threat Hunting Case Study: Uncovering Turla | Intel 471
Russia has long been a military power, a nuclear power, a space power and in recent decades, a cyber power. It has been one of the most capable cyber actors, going back to the late 1990s when Russian state hackers stole classified documents and military research from U.S. universities and government agencies. The stolen documents, if stacked on top of one another, would have been taller than the Washington Monument (555 feet or 169 meters). These incidents, dubbed “Moonlight Maze” as described in Thomas Rid’s book “Rise of the Machines,” marked one of the world’s first advanced persistent threat (APT) attacks. Russia’s intelligence and security agencies continue to operate highly skilled groups of offensive attackers. Those APT groups are spread across its intelligence and security agencies and the Ministry of Defense. They engage in a broad range of cyber and influence operations tied to Russia’s strategic objectives. These include exploiting adversary systems, establishing footholds, conducting cyber espionage operations and running disinformation and misinformation campaigns designed to undermine Western narratives. One of the most effective and long-running Russian groups is Turla, a unit known as Center 16 housed within Russia’s Federal Security Service, or FSB. Researchers found that this group, which is active today, may have been connected with Moonlight Maze.
“Une curiosité malsaine pour le hacking” : au procès du pirate qu ...
Etudiant en informatique, fasciné par l’univers des cybercriminels, il est accusé d’avoir lancé des attaques par bourrage d’identifiants à l’automne 2023. Récit d'audience.
2023 Top Routinely Exploited Vulnerabilities | CISA
In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day. Malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.
CopyRh(ight)adamantys Campaign: Rhadamantys Exploits Intellectual Property Infringement Baits
- Check Point Research is tracking an ongoing, large scale and sophisticated phishing campaign deploying the newest version of the Rhadamanthys stealer (0.7). We dubbed this campaign CopyRh(ight)adamantys. This campaign utilizes a copyright infringement theme to target various regions, including the United States, Europe, East Asia, and South America. The campaign impersonates dozens of companies, while each email is sent to a specific targeted entity from a different Gmail account, adapting the impersonated company and the language per targeted entity. Almost 70% of the impersonated companies are from Entertainment /Media and Technology/Software sectors. Analysis of the lures and targets in this campaign suggests the threat actor uses automation for lures distribution. Due to the scale of the campaign and the variety of the lures and sender emails, there is a possibility that the threat actor also utilized AI tools. One of the main updates in the Rhadamanthys stealer version according to claims by the author, is AI-powered text recognition. However, we discovered that the component introduced by Rhadamanthys does not incorporate any of the modern AI engines, but instead uses much older classic machine learning, typical for OCR software.
Uncovering Apple Vulnerabilities: The diskarbitrationd and storagekitd Audit Story Part 1
Kandji's Threat Research team performed an audit on the macOS diskarbitrationd & storagekitd system daemons, uncovering several (now fixed) vulnerabilities
How Italy became an unexpected spyware hub
Italy is home to six major spyware vendors and one supplier, with many smaller and harder-to-track enterprises emerging all the time, experts say.
VEEAM exploit seen used again with a new ransomware: “Frag
Last month, Sophos X-Ops reported several MDR cases where threat actors exploited a vulnerability in Veeam backup servers. We continue to track the activities of this threat cluster, which recently…
Life on a crooked RedLine: Analyzing the infamous infostealer’s backend
Following the takedown of RedLine Stealer by international authorities, ESET researchers are publicly releasing their research into the infostealer’s backend modules.
D-Link won’t fix critical flaw affecting 60,000 older NAS devices
More than 60,000 D-Link network-attached storage devices that have reached end-of-life are vulnerable to a command injection vulnerability with a publicly available exploit.
Cybercriminals impersonate OpenAI in large-scale phishing attack
Since the launch of ChatGPT, OpenAI has sparked significant interest among both businesses and cybercriminals. While companies are increasingly concerned about whether their existing cybersecurity measures can adequately defend against threats curated with generative AI tools, attackers are finding new ways to exploit them. From crafting convincing phishing campaigns to deploying advanced credential harvesting and malware delivery methods, cybercriminals are using AI to target end users and capitalize on potential vulnerabilities. Barracuda threat researchers recently uncovered a large-scale OpenAI impersonation campaign targeting businesses worldwide. Attackers targeted their victims with a well-known tactic — they impersonated OpenAI with an urgent message requesting updated payment information to process a monthly subscription.
Booking.com Phishers May Leave You With Reservations
A number of cybercriminal innovations are making it easier for scammers to cash in on your upcoming travel plans. This story examines a recent spear-phishing campaign that ensued when a California hotel had its booking.com credentials stolen. We'll also explore…
Meet Interlock — The new ransomware targeting FreeBSD servers
A relatively new ransomware operation named Interlock attacks organizations worldwide, taking the unusual approach of creating an encryptor to target FreeBSD servers.