TLDR Information Security 2024-02-09

Helmet app silent tracking flaw 🏂, Cybercrime duo found stealing $2.5M from Apple 🍏, Ransomware payments reached $1.1B 💸

Attacks & Vulnerabilities

Security flaw in a popular smart helmet allowed silent location tracking (3 minute read)

Livall fixed a flaw allowing real-time location tracking of its connected helmets. The skiing and biking helmets featured group chats and location sharing via apps. Accessing a group only required an easy-to-guess numeric ID. Anyone was able to listen in and track locations.

Chinese Hacking Campaign Aimed at Critical Infrastructure Goes Back Five Years (2 minute read)

A CISA report reveals that the Chinese threat actor Volt Typhoon has maintained footholds in critical infrastructure for at least five years. The report doesn’t name any specific companies but mentions the rail, aviation, mass transit, highway, maritime, pipeline, water, and sewage industries.

Critical Boot Loader Vulnerability in Shim Impacts Nearly All Linux Distros (3 minute read)

The maintainers of Shim have released a new version to fix 6 security vulnerabilities, including one critical flaw that could allow for remote code execution. Shim is used as a first-stage bootloader in many Linux distros for UEFI systems. The vulnerability stems from Shim’s HTTP boot support trusting attacker-controlled values when parsing an HTTP response.

Strategies & Tactics

Yara Threat Detection Lab (6 minute read)

This article covers how to identify file IoCs and create YARA rules to detect malicious activity using tools like yarGen and Arya for generation and testing. Developing YARA skills is critical for security roles to detect and mitigate threats. YARA allows creating customized rules matching an organization's needs to classify malware based on signatures.

KMS Key Policy Privilege Escalation (5 minute read)

This post presents an attack chain that could allow an AWS Administrator to override a KMS key policy that was restricted to only a specific identity. In this attack scenario, one admin can lock down a KMS key to their specific use, but another admin can bypass these restrictions by deleting the first admin’s IAM user, changing the contact on the AWS account, and then opening a ticket with AWS support to recover the key. As no identity will be able to access the key, AWS support will then contact the new phone number to verify the request and facilitate the reset. The post ends with some potential mitigations.
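As an added example (not code from the post), a small Python check for the precondition the chain relies on: a key policy whose only policy-changing principals are individual IAM users, so deleting those users leaves nobody able to manage the key. The policy documents, account ID and role name are constructed.

```python
"""Flag AWS KMS key policies whose policy-changing access rests only on
individual IAM users, so deleting those users leaves no identity able to
manage the key (the lockout that pushes recovery to a support ticket).
Constructed example; assumes the standard KMS key-policy JSON shape."""
import json

# Either action lets a principal rewrite the key policy itself.
ADMIN_ACTIONS = {"kms:*", "kms:PutKeyPolicy"}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def admin_principals(policy):
    """Return the AWS principals an Allow statement grants ADMIN_ACTIONS to."""
    principals = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action", []))) & ADMIN_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # any principal at all
            principals.add("*")
        else:
            principals.update(_as_list(principal.get("AWS", [])))
    return principals

def lockout_risk(policy):
    """True when no admin principal survives deletion of IAM users: every
    admin is a ':user/' ARN. all() over an empty set is True, so a policy
    with no admin at all is reported as already locked out."""
    return all(":user/" in arn for arn in admin_principals(policy))

# Constructed policy: the key is locked to a single IAM user, as in the post.
LOCKED_TO_USER = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "OnlyAlice", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/alice"},
    "Action": "kms:*", "Resource": "*"}]}""")

# Same policy plus a dedicated admin role, which deleting a user cannot remove.
WITH_ROLE = json.loads(json.dumps(LOCKED_TO_USER))
WITH_ROLE["Statement"][0]["Principal"]["AWS"] = [
    "arn:aws:iam::111122223333:user/alice",
    "arn:aws:iam::111122223333:role/KmsKeyAdmins"]

if __name__ == "__main__":
    for name, pol in (("locked-to-user", LOCKED_TO_USER), ("with-role", WITH_ROLE)):
        print(name, "lockout risk:", lockout_risk(pol))
```

The check runs over a policy document as returned by `kms:GetKeyPolicy`; it only looks at explicit Allow statements and ignores Deny statements and IAM-side grants.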

Shellcode evasion using WebAssembly and Rust (5 minute read)

Meterpreter and its helper PEs are easily detected by antivirus programs due to their age and widespread use. This can be overcome by leveraging WebAssembly, a low-level assembly-like language that can be run in web browsers and written in multiple backend languages. This article provides code examples in Rust and explains how to compile Rust to Wasm.

Launches & Tools

reNgine (GitHub Repo)

reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon processes via Engines, recon data correlation, and organization. It supports continuous monitoring and is backed by a database. reNgine has a simple yet intuitive User Interface.

electroniz3r (GitHub Repo)

electroniz3r is a tool that can take over macOS Electron apps’ TCC permissions and inject code into them.

Ansible Role Hardening (GitHub Repo)

Ansible role to apply a security baseline. Systemd edition.

US agency declares AI cloned voice robocalls illegal (3 minute read)

The FCC has officially banned robocalls using AI-generated voices, deeming them "artificial" and illegal under existing laws like the Telephone Consumer Protection Act. While fake AI celebrity calls will likely still plague phones, this makes it clear that such scams violate robocall prohibitions.

Cybercrime duo accused of picking $2.5M from Apple's orchard (4 minute read)

Apple was likely defrauded of a total of $2.6M in gift cards/hardware by hackers Noah Roskin-Frazee and Keith Latteri via an Apple contractor. Though unnamed in the case, the victim matches Apple's description and location. The duo allegedly stole and resold items, cashing in on the theft from Apple and its customer support contractor.

Surge in deepfake “Face Swap” attacks puts remote identity verification at risk (2 minute read)

A new report by biometric firm iProov shows that deepfake "face swap" attacks have increased by 704% from the first to the second half of 2023. Fraudsters are using off-the-shelf tools to create manipulated images and videos, making it easier to create convincing deepfakes. These deepfakes can trick remote identity verification systems into believing that the subject's "liveness" is real.

Quick Links

Critical Security Issue Affecting TeamCity On-Premises (CVE-2024-23917) – Update to 2023.11.3 Now (5 minute read)

The vulnerability (CVSS 9.8 out of 10) affects all TeamCity On-Premises versions from 2017.1 through 2023.11.2 and allows for unauthenticated attacks.

Hack Tricks Plagiarized Content From Cloud Creators (X Thread)

HackTricks stole content from others and may have included stolen content in its course. This thread contains screenshots with examples of the stolen content.

Ransomware Payments Reached Record $1.1B in 2023 (3 minute read)

Ransomware payments exceeded $1.1B in 2023. This reverses the downward trend seen in 2022.