TLDR Information Security 2024-02-12

Netcraft has spotted a new phishing campaign that uses compromised SendGrid accounts to phish for new accounts by emailing users that their account had a payment error or other similar issues. The email is sent from a SendGrid account and uses SendGrid’s tracking links to mask the destination. Users are directed to a JsPen link that obfuscates a script tag which loads a JS file from Azure Front Door that is an obfuscated clone of the SendGrid login page.

The support website for Juniper Networks, a networking equipment vendor, was exposing sensitive customer information including device details, warranty status, service contracts, and serial numbers. The data exposure was the result of a recent upgrade to the support portal. Juniper has since fixed the problem and stated that no identifiable or personal customer data was exposed.

A fake clone of LastPass called LassPass was listed on the Apple App Store. Malicious clones like this rarely make it through Apple’s review process. Apple has confirmed that it has since been removed.

A blog post from Cycode detailing a supply chain vulnerability that it discovered in Bazel. The post begins with an overview of GitHub Custom Actions and then details how Cycode leveraged a custom action in Bazel to achieve remote code execution. The Bazel project included a custom action that passed the user-controlled issue body directly to a bash shell in the GitHub runner which was vulnerable to command injection.

A post from Checkmarx on a technique that it discovered to intercept messages from malicious Telegram bots that attackers utilize for info-stealing operations. Checkmarx's team extracted the bot details from a malicious package. They then utilized the /getUpdates endpoint to retrieve details of a specific message or all messages by looping through message IDs. The post also details two methods for redirecting messages when an attacker utilizes a webhook.

This article focuses on overlooked authentication and authorization mechanisms in mobile app front ends.

StunCheck is a set of tools for scanning, testing, and exploiting STUN and TURN servers.

Jira-Lens is a fast and customizable Python-based vulnerability scanner for Jira. Jira-Lens performs 25+ checks for vulnerabilities against target Jira servers.

This app is a tool for analyzing Bluetooth (BLE) environments. It scans for BLE devices in the background, notifying you if the device you are looking for is near you or if some unknown device has been following you for a long time.

Raspberry Robin operators are utilizing fresh 1-day exploits for privilege escalation, suggesting the team has access to exploit sellers or in-house development. The rapidly evolving QNAP malware acts as an initial access vector for payloads like ransomware.

RustDoor is a new backdoor that has been targeting Apple macOS since November 2023, masquerading as a Visual Studio update. It has Intel and Arm versions and unknown initial access. RustDoor is being actively developed. It can gather/upload files and system info to its C2 server.

BGPWatch is a comprehensive platform built by APNIC for detecting and diagnosing hijacking incidents in BGP routing. It allows users to browse, view, and search for hijack events in real time, providing detailed information about each event. BGPWatch offers routing path analysis and subscription services for operators to monitor via email.

Google has agreed to pay $350 million to settle a shareholder lawsuit related to a 2018 Google+ bug exposing private data associated with as many as 500,000 accounts.

$89 billion was invested across approximately 6,400 deals in Q4 2023, the lowest figure in the past five years.

The National Cyber Security Centre has provided an overview of the threats involved in scanning QR codes and prescriptive guidance for evaluating QR code safety.