TLDR Information Security 2024-02-19

US Internet leaked customer emails 🇺🇸, Malicious campaign targeting Azure 🌦️, Feds dismantle GRU botnet 🦅

Attacks & Vulnerabilities

ExpressVPN User Data Exposed Due to Bug (3 minute read)

ExpressVPN disabled split tunneling on Windows clients to fix a bug introduced in May 2022 which caused DNS requests to bypass its servers. This bug exposed domain visits to ISPs when using split tunneling with app-specific VPN routing. Though traffic stayed encrypted, the DNS leak defeated privacy protections.

U.S. Internet Leaked Years of Internal, Customer Emails (5 minute read)

U.S. Internet’s 'Securence' email-providing division had a publicly exposed webpage that listed every email of its 6,500 clients. The CEO of the company stated that the exposure was caused by a mistake in an Ansible playbook controlling the nginx config. U.S. Internet has not commented on how long this misconfiguration was in place or why appropriate controls were not in place to detect or prevent the misconfiguration.

Community Alert: Ongoing Malicious Campaign Impacting Azure Cloud Environments (4 minute read)

Proofpoint researchers have identified an ongoing malicious campaign targeting Microsoft Azure environments that has compromised hundreds of user accounts, including accounts from senior executives, through credential phishing and account takeover techniques. The attackers' operational infrastructure includes proxies and data hosting services. The threat is not currently attributed to any known threat actor.

Strategies & Tactics

CharmingCypress: Innovating Persistence (7 minute read)

CharmingCypress is an Iranian-backed threat actor that engages in spear-phishing campaigns to gather information on political opponents. It engages in unique campaigns that involve long email exchanges before sending malicious links, and in some cases, even creating a malicious VPN and fake webinar application. IOCs are included in the article.

In-depth analysis-The ISFB first loader (8 minute read)

This post provides an in-depth analysis of the ISFB first loader malware variant. It details the process of analyzing the malware, from using tools like "pestudio" to identifying potential packing to examining memory allocations and process injections. The post offers insights into the complexity and evasion techniques utilized by the ISFB variant through a detailed exploration of the malware's code and behavior.

How to weaponize LLMs to auto-hijack websites (10 minute read)

LLMs can autonomously hack websites when paired with tools enabling system interaction. Despite safety efforts, LLMs weaponized without human guidance can compromise vulnerable websites through automated browsing and planning. Weaponized LLMs can break into buggy web apps without knowledge of vulnerabilities, showing that they can hack without oversight.

Launches & Tools

Gapcast (GitHub Repo)

Gapcast accurately detects router clients to analyze, capture, and inject packets.

PSFuzz (GitHub Repo)

ProSecFuzz discovers hidden files and directories on a web server.

The HTTP Garden (GitHub Repo)

The HTTP Garden is a set of HTTP servers and proxies configured to be composable. It has scripts for interacting with them in a way that makes finding vulnerabilities easier.

Wyze cameras let some owners see into a stranger’s home — again (3 minute read)

Wyze suffered another security lapse that allowed some users to briefly view feeds from strangers' cameras in their app's Events tab. At least 12 such cases were reported. The flaw follows a previous incident that enabled unauthorized live access to Wyze devices.

Almost Every Infrastructure Decision I Endorse or Regret After 4 Years Running Infrastructure at a Startup (19 minute read)

A (very) deep dive into one Infrastructure Engineerโ€™s decision-making process at a startup. The post is divided by topic and includes an endorse or reject verdict for each decision with accompanying reasoning. The topics include choice of cloud platform, security products to adopt, and SaaS applications.

Zeus, IcedID malware gangs' leader pleads guilty, faces 40 years in prison (3 minute read)

Vyacheslav Penchukov, a leader of the Zeus/IcedID malware groups, has pleaded guilty to cybercrime charges. He was first arrested in 2022 after his involvement in a major theft using Zeus and now faces 40 years in prison. His prosecution is a win against infamous malware operations.

Quick Links

2024 State of Application Security report (10 minute read)

Some highlights of the report include the finding that 54% of major code changes get a full security review and that 34% of organizations review over 75% of code changes.

Feds Dismantle Russian GRU Botnet Built On 1,000+ Home, Small Biz Routers (3 minute read)

The US government disrupted a botnet used by Russia's GRU military intelligence unit for phishing, spying, credential harvesting, and data theft against American and foreign governments and other strategic targets.

Protect Good Faith Security Research Globally in Proposed UN Cybercrime Treaty (4 minute read)

A letter from the EFF to the UN outlining issues with the draft UN Cybercrime Treaty that could lead to prosecution of good faith security researchers.