Cybersecurity

c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.

The Five Eyes intelligence alliance (FVEY) has warned that hackers from the Russian Foreign Intelligence Service (SVR), known as APT29, are now targeting cloud services. After breaching U.S. federal agencies and Microsoft 365 accounts in NATO nations, they are now compromising cloud infrastructures using stolen service credentials and access tokens, as well as exploiting residential routers and MFA fatigue. Defenses against these initial access methods, such as enabling MFA and monitoring for indicators of compromise, are recommended.

The White House is calling on the tech industry to adopt memory-safe programming languages, since memory-safety vulnerabilities account for up to 70% of CVEs in software written in memory-unsafe languages. The ONCD recommends this change to improve software security, and the new U.S. cybersecurity strategy focuses on building security in from the design stage.

Anonymous Sudan is promoting a new DDoS botnet service called "Skynet-GodzillaBotnet," with enhanced capacity and varied access pricing. Known for aggressive DDoS attacks, the group uses thousands of IPs, reaching up to 600Gbps in UDP traffic. Authorities warn of the illegality and serious consequences of these attacks, urging organizations to adopt robust security and surveillance measures against these persistent and evolving cyber threats.

The LockBit ransomware gang is rebooting operations on new infrastructure after law enforcement hacked its servers, and is threatening increased attacks on government entities. The gang admitted that negligence in updating PHP led to the breach and says it is now enhancing its security measures. Its data leak site has relocated to a new .onion domain, listing five victims. LockBit's PHP servers were compromised through outdated software, specifically via CVE-2023-3824. Following Operation Cronos, authorities seized over 1,000 decryption keys; LockBit is shifting to manual decryptor releases and multi-server hosting for affiliate panels to reduce the risk of another takeover.

cross-posted from: https://programming.dev/post/10497245

Hi,

For websites I've always restricted usernames from using the apostrophe ', the double quote ", and sometimes even the space. If a website requires special characters, then I prefer to create an additional DB field ~DisplayName.

It's easier to forbid the use of the apostrophe; otherwise you will also have to escape your search query to match what has been recorded in the DB.

On the topic I have this: https://security.stackexchange.com/questions/202902/is-single-quote-filtering-nonsense

But if you have better documentation feel free to share :)

Thanks

Key Takeaways

  • Intelligence and "street smarts" don't prevent scams; they just make you less likely to fall victim.
  • Anyone can be scammed or phished given the right circumstances.
  • Examples of sophisticated scams are given, including fake customer support, fake conference invites, and social engineering tactics.
  • Believing you're unscammable can make you more vulnerable.
  • Stay vigilant, educated, and skeptical to protect yourself.

Summary of Examples Given:

  1. Fake Customer Support: After a frustrating experience and posting on the vendor's Facebook, the author received a seemingly legitimate email from "customer service" offering a replacement refrigerator. Only after calling the real vendor did he discover it was a scam.

  2. Phony Conference Invite: An all-expenses-paid trip to speak at a foreign conference seemed too good to be true. Clicking the provided link revealed a fake website attempting to steal login credentials.

  3. Bad Water Main Ploy: The author sends fake text messages posing as a local water or sanitation service, tricking victims into revealing personal information and potentially compromising accounts.

  4. "New Highway Coming Through": A convincing phone call claims the county needs to survey the victim's property for road widening. The call aims to gain personal details or lure them into opening malicious documents.

  5. Credit Card Fraud: A professional-sounding caller impersonates a credit card company, claiming fraudulent activity and requesting confirmation details. This allows them to steal money and make unauthorized purchases.

  6. Email Password Hash Hijacking: An email containing a malicious link can capture your password hash, even if you don't click on it. This vulnerability targets integrated Windows Authentication across various platforms.

  7. Hobby Friend Hacker: Attackers befriend victims in online communities, gaining trust over months before sending malicious links disguised as harmless content.

  8. Fake Job Offers: Dream job offers with unrealistic benefits and remote work options often hide malicious intentions like stealing data or installing malware on your work device.

  9. Fake Hardware Replacement: Victims using specific hardware (e.g., crypto wallets) receive seemingly legitimate replacement devices containing malware to steal their assets.

duplicate: https://feddit.de/post/9261519

  • I am denied read-only access to some websites because I use a VPN. This makes no sense at all, but it happens anyway.
  • I am not allowed to register in some forums because I use a VPN. Because everyone knows that anyone who uses a VPN is a serious criminal. There is no other option.
  • I am subsequently banned from forums because the moderators realise that my IP address is not unique because I use a VPN. My posts don't matter at all, IP addresses obviously unambiguously identify every person on this planet.
  • I'm supposed to confirm that I'm not a robot because I use a VPN. The fact that the company asking for these confirmations (usually Google) is itself sending robots marauding through the internet doesn't matter, because Google is Google and I'm just a bloke with a VPN.

Guys, a VPN is self-defence. A website banning VPNs is like a brothel banning condoms. I mean, of course the house rules apply, but I'd like to see a bit more judgement. What's happening right now is ridiculous and hardly does justice to the security aspect of these "tests". If you find yourself as a contributor to this list, I urge you to stop. I am not a bad guy. All I do is use a VPN.

Thank you.

IT administrators are urged to immediately patch on-premises ScreenConnect servers due to active exploitation of a critical vulnerability, CVE-2024-1709, with a maximum CVSS score of 10.0. This authentication bypass bug allows for arbitrary code execution and sensitive data access without user interaction. ConnectWise, the software's developer, also disclosed a path traversal vulnerability, CVE-2024-1708, with a CVSS score of 8.4. While cloud instances have been updated, on-premises installations require manual patching. The vulnerabilities pose significant risks, with potential for ransomware attacks, especially given the software's widespread use and the trust placed in remote access tools.

CVE-2024-23204 is a high-severity vulnerability (CVSS score of 7.5) in Apple's Shortcuts app, which could allow attackers to bypass the Transparency, Consent, and Control (TCC) framework on macOS and iOS devices. This framework is designed to protect user privacy by requiring explicit permission before accessing sensitive data. The vulnerability was exploited by using the 'Expand URL' function within Shortcuts to send base64-encoded data to a malicious server without user consent. Apple has addressed the issue with additional permission checks, and users are advised to update their devices to the latest versions and exercise caution when executing shortcuts from untrusted sources. Regular security updates from Apple should also be checked and applied.

Change Healthcare, a major U.S. healthcare technology firm, has confirmed a cyberattack causing network disruptions. In response, the company proactively disconnected its systems to contain the breach, anticipating at least a day-long service interruption. The nature of the incident remains undisclosed, but it has led to widespread inaccessibility of Change Healthcare's services, affecting local pharmacies' ability to process insurance-based prescriptions. The company, which processes 15 billion healthcare transactions annually, was acquired by UnitedHealth Group in a $7.8 billion deal, merging with Optum to manage extensive patient data. Neither Optum nor UnitedHealth Group has commented on the incident.

Apple has announced PQ3, a significant cryptographic update for iMessage, providing Level 3 security with post-quantum cryptography (PQC) for both initial key establishment and ongoing message exchange. The protocol is designed to secure communications against quantum computing threats, and its security properties have been formally verified. PQ3 employs a hybrid design, combining current elliptic-curve algorithms with new post-quantum algorithms, so that it is never less secure than the existing protocol. The rollout will begin with upcoming iOS, iPadOS, macOS, and watchOS updates, with iMessage conversations automatically upgrading to PQ3. The protocol represents a major advancement in securing end-to-end encrypted messaging at scale.

Cisco Talos researchers have reported an alarming rise in banking malware campaigns abusing Google Cloud Run, with evidence of spread from Latin America to Europe and North America. The attacks, which began in September 2023, use phishing emails with themes such as invoices or tax documents, sometimes impersonating local tax agencies. These emails contain links to malicious Cloud Run web services that deploy banking Trojans such as Astaroth, Mekotio, and Ousaban. The attackers use evasion techniques such as geolocation checks via geoplugin to avoid detection and analysis outside their target regions. The Astaroth variant has targeted over 300 institutions in 15 Latin American countries, primarily in Brazil. No specific CVEs are mentioned.

IOCs: https://github.com/Cisco-Talos/IOCs/blob/main/2024/02/google-cloud-run-abuse.txt

SSH-Snake, a network mapping tool, has been adapted by hackers to stealthily find and use private SSH keys for lateral movement in targeted networks. Described by Sysdig as a self-modifying worm, it diverges from standard SSH worms by avoiding predictable attack patterns. Released on January 4, 2024, it is a bash script that rewrites itself to minimize detection, scanning directories, shell histories, and system logs to find SSH credentials. Sysdig confirmed its use in the wild after detecting a C2 server storing data from around 100 victims, which indicates that Confluence vulnerabilities were exploited for initial access. SSH-Snake represents a significant evolution in malware, abusing the SSH protocol that businesses rely on so widely.

I never had a single "website blocked" dialog because of safe browsing. Meanwhile UBlock Origin often blocks websites, fullscreen with a warning.

On Firefox Safe Browsing is proxied through their servers and anonymized, so I use it. But tbh I have no idea how useful that is?

I use search engines (DDG, Startpage, SearX) or bookmarks and never had such a block. Does it directly filter those sites from search results?

Plenty of interesting-looking tools in here for those looking at what the script kiddies are going to be using here in a bit.

Could 100% be fake, but is making the rounds on LinkedIn security boards. So far a lot of the code is 👀!

For the first time in Microsoft's history, a cyberattack has left hundreds of executive accounts compromised and caused a major user data leak, as Microsoft Azure environments were attacked.

According to Proofpoint, the attackers use malicious techniques first discovered in November 2023. These include credential theft through phishing and cloud account takeover (CTO), which gave the attackers access to both Microsoft 365 applications and OfficeHome.

submitted 11 months ago* (last edited 11 months ago) by [email protected] to c/cybersecurity
I'm looking to create a realistic-looking .csv or .json file as if it was exported from a password manager.

  • E-mail should always be the same and of my choice. Username should not be weird/random letters.
  • Websites should be real, random standard websites like facebook, twitter, instagram etc., no weird stuff.
  • Bonus if it has credit cards or notes like "bitcoin wallet".

I found mockaroo, but the stuff it generates is too random. Any other tools that are suitable for this and can be used by a noob?

Many thanks!
