TLDR Information Security 2024-02-07

Verizon Employee Leaks coworker data 🤐, $25 Million Scammed using Deepfake 💸, Google contributes $1M to Rust 🦀

Attacks & Vulnerabilities

Double trouble for Fortinet customers as pair of critical vulns found in FortiSIEM (3 minute read)

Fortinet's FortiSIEM has two new critical RCE vulnerabilities (CVE-2024-23108 and CVE-2024-23109) that allow remote code execution by unauthenticated attackers. Though details are limited, they seem similar to an older OS command injection issue in FortiSIEM fixed in October 2022. The flaws enable the execution of unauthorized commands via crafted API requests. Update ASAP.

Verizon Employee Inadvertently Leaks Data of 63k Colleagues (2 minute read)

Verizon filed a data breach notification after a company employee obtained a file of 63,206 employees’ personal data. The data includes social security numbers, gender, union affiliation, date of birth, and compensation information. Verizon stated that it has no evidence that the data was used maliciously or shared outside of Verizon.

Finance Worker Pays Out $25 Million After Call With Deepfake CFO (2 minute read)

An employee at a multinational financial firm fell for a social engineering attack that led them to remit HK$200 million. The employee was suspicious when they originally received the communication from the UK-based CFO but was convinced after a video call with the CFO and several colleagues, all of whom turned out to be deepfakes.

Strategies & Tactics

The Risk of a Leaked Stripe API Key (5 minute read)

This post evaluates the risks of a leaked Stripe API key. It proposes 5 attack paths: disclosing PII, generating promo codes, changing prices, defacing websites, and making unauthorized wire transfers. The post ends with some best practices for protecting Stripe API keys.

Unleashing the Power of Scapy for Network Fuzzing (3 minute read)

This blog post provides instructions for installing Scapy and demonstrates its utility by using it to fuzz an FTP server. Scapy is a powerful tool for testing network and application security. It offers extensive packet manipulation capabilities and can be used to fuzz both network protocols and application-specific protocols, as well as to simulate denial-of-service attacks.

Enriching Threat Intelligence with Mappings (5 minute read)

This blog post talks about utilizing the control and security stack mappings created by the Center for Threat-Informed Defense (the Center). These mappings, such as the NIST 800-53 Control Mappings and the Security Stack Mappings for Google Cloud Platform and Amazon Web Services, enable defenders to connect threat information to actionable guidance, making it easier to detect and mitigate threats. The Center is also working on expanding its collection of mappings and making them more accessible.

Launches & Tools

OSS-Fuzz-Gen (GitHub Repo)

This framework generates fuzz targets for real-world C/C++ projects with various Large Language Models and benchmarks them via the OSS-Fuzz platform.

ThievingFox (GitHub Repo)

ThievingFox is a collection of post-exploitation tools for harvesting credentials from various password managers and Windows utilities. Each module utilizes a different method of injection into a process to harvest credentials.

Secator (GitHub Repo)

Secator is a task and workflow runner used for security assessments. It supports dozens of well-known security tools and it is designed to improve productivity for pentesters and security researchers.

Rust Won’t Save Us: An Analysis of 2023’s Known Exploited Vulnerabilities (6 minute read)

This analysis of the vulnerabilities from CISA's Known Exploited Vulnerabilities (KEVs) attempts to analyze whether the current efforts in the information security industry match the current threat vectors being abused. The analysis provides recommendations for vendors, developers, defenders, and researchers to address these vulnerabilities.

ResumeLooters - New Malicious Group (18 minute read)

ResumeLooters has used SQL injection and XSS since early 2023 to hit Asia-Pacific recruitment and retail sites, stealing 500K+ user records from 65 sites. The group focuses on India, Taiwan, Thailand, and Vietnam, leveraging penetration testing tools such as sqlmap. It injects XSS scripts into job sites to display phishing forms and steal administrator credentials.

Google Contributes $1 Million to Rust (3 minute read)

Google announced a grant of $1 million to the Rust Foundation to improve interoperability between legacy C++ codebases and Rust. Google said that Rust has proactively prevented hundreds of vulnerabilities from affecting the Android operating system. Google will also begin to publish audits of some of the crates used in open source Google projects.

Quick Links

Britain, France lead 35 nation agreement on controlling spyware, mercenary hackers (3 minute read)

Dozens of countries including France, the UK, and the US, along with tech giants such as Google, Meta, and Microsoft, have signed a joint agreement to combat the use of commercial spyware in ways that violate human rights.

Buying Spying: Insights into Commercial Surveillance Vendors Report (10 minute read)

This report dives into how commercial surveillance vendors are enabling the proliferation of dangerous hacking tools.

DEFCON 32 Was Canceled, We Un-Canceled it (2 minute read)

Caesars canceled DEFCON 32’s contract, so DEFCON will be moving to the Las Vegas Convention Center.