TLDR Information Security 2024-02-07

Fortinet's FortiSIEM has two new critical RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) that allow remote code execution by unauthenticated attackers. Though details are limited, they seem similar to an older OS command injection issue in FortiSIEM fixed in October 2022. The flaws enable the execution of unauthorized commands via crafted API requests. Update ASAP.

Verizon filed a data breach notification after a company employee obtained a file of 63,206 employees’ personal data. The data includes social security numbers, gender, union affiliation, date of birth, and compensation information. Verizon stated that it has no evidence that the data was used maliciously or shared outside of Verizon.

An employee at a multinational financial firm fell for a social engineer attack that led them to remit $200 million Hong Kong dollars. The employee was suspicious when they originally received the communication from the UK-based CFO but was convinced after a call with the CFO and several colleagues, who all turned out to be deepfakes.

This post evaluates the risks of a leaked Stripe API key. It proposes 5 attack paths: disclosing PII, generating promo codes, changing prices, defacing websites, and making unauthorized wire transfers. The post ends with some best practices for protecting Stripe API keys.

This blog post provides instructions for installing Scapy and demonstrates its utility by using it to fuzz an FTP server. Scapy is a powerful tool for testing network and application security. It offers extensive packet manipulation capabilities and can be used to fuzz network protocols, and application-specific protocols and simulate denial-of-service attacks.

This blog post talks about utilizing the control and security stack mappings created by the Center for Threat-Informed Defense (Center). These mappings, like NIST 800-53 Control Mappings and Security Stack Mappings for Google Cloud Platform and Amazon Web Services, enable defenders to connect threat information to actionable guidance, making it easier to detect and mitigate threats. Center is also working on expanding its collection of mappings and making them more accessible.

This framework generates fuzz targets for real-world C/C++ projects with various Large Language Models and benchmarks them via the OSS-Fuzz platform.

ThievingFox is a collection of post-exploitation tools for harvesting credentials from various password managers and Windows utilities. Each module utilizes a different method of injection into a process to harvest credentials.

Secator is a task and workflow runner used for security assessments. It supports dozens of well-known security tools and it is designed to improve productivity for pentesters and security researchers.

This analysis of the vulnerabilities from CISA's Known Exploited Vulnerabilities (KEVs) attempts to analyze whether the current efforts in the information security industry match the current threat vectors being abused. The analysis provides recommendations for vendors, developers, defenders, and researchers to address these vulnerabilities.

ResumeLooters have used SQL injection and XSS since early 2023 to hit Asia-Pacific recruitment/retail sites, stealing 500K+ user records from 65 sites. The group focuses on India, Taiwan, Thailand, and Vietnam, leveraging penetration testing tools like sqlmap. It injects XSS scripts into job sites to display phishing forms and steal admin creds.

Google announced a grant of $1 million to the Rust Foundation to improve interoperability between legacy C++ codebases and Rust. Google said that Rust has proactively prevented hundreds of vulnerabilities from affecting the Android operating system. Google will also begin to publish audits of some of the crates used in open source Google projects.

Dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.

This report dives into how commercial surveillance vendors are enabling the proliferation of dangerous hacking tools.

Caesars canceled DEFCON 32’s contract, so DEFCON will be moving to the Las Vegas Convention Center.