TLDR Information Security 2024-05-15

Apple Backports patches 🍏, Build Provenance in homebrew 🍻, Cross platform stalker tracking 🕵️‍♂️

Attacks & Vulnerabilities

Apple Backports Fixes for 0-Day Exploited in Attacks to Older iPhones (2 minute read)

Apple has backported the fix for CVE-2024-23296, first patched in March, to older iPhones and iPads. The flaw is a memory corruption bug in the RTKit real-time operating system that lets an attacker who already has arbitrary kernel read and write bypass kernel memory protections, so it is a post-exploitation primitive rather than an initial-access bug. Apple said the issue may have been actively exploited.

Ebury Botnet Infected 400K Linux Servers Since 2009 (4 minute read)

The Ebury botnet has compromised roughly 400,000 Linux servers over the past 15 years. Recent activity shows its operators targeting hosting providers in order to launch supply-chain attacks against customers renting virtual servers from them. The operators are financially motivated and routinely deploy credential stealers onto compromised machines.

Christie's Art Auctions Hit By A Cyber Attack (2 minute read)

Christie's auctions worth an estimated $840m have been disrupted by a cyber attack, affecting the sale of high-value lots such as a Van Gogh painting and rare wine. The main website is offline, but bids can still be placed by phone or in person, and a stripped-down site with basic information has been put up. Auctions are continuing and upcoming sales remain scheduled.

Strategies & Tactics

LNK File Disguised as Certificate Distributing RokRAT Malware (5 minute read)

AhnLab Security Intelligence Center (ASEC) has identified a North Korean campaign targeting South Korean users with a malicious LNK file disguised as a certificate. Opening the shortcut runs a loader that ultimately deploys the RokRAT remote access trojan. This article provides a deep dive into the loader and IoCs for the campaign.

Unmasking Tycoon 2FA: A Stealthy Phishing Kit Used to Bypass Microsoft 365 and Google MFA (7 minute read)

Tycoon 2FA is a phishing-as-a-service platform whose kit was recently updated to better evade detection. It works as an adversary-in-the-middle proxy: the victim enters credentials into attacker-controlled infrastructure that forwards them to the real Microsoft 365 or Google login, and once the MFA prompt has been satisfied the resulting session cookie is captured and relayed to the attacker, who replays it to sign in without a second factor. This article provides real-world examples and defenses.

Leveraging DNS Tunneling for Tracking and Scanning (13 minute read)

This blog post describes DNS tunneling, in which an attacker encodes data in DNS queries and responses so that it rides through a channel most networks allow outbound. Beyond its usual role as a covert command-and-control path to compromised hosts, the post shows the same mechanism being used to track user activity and scan networks, since each query for a unique subdomain tells the attacker-controlled nameserver who resolved it and when. Organizations can detect and mitigate these campaigns by analyzing indicators such as the queried domains, the resolving IP addresses, and the volume and shape of queries sent to a single domain.

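
The detection logic the post points at, as an added example (written for this summary, not code from the blog post): the script below scores DNS query logs per registered domain on the signals tunnels tend to leave, a unique subdomain for nearly every query, very long and high-entropy leading labels, and a preference for answer types that carry arbitrary payload. The log lines are constructed for the example, the column layout ("client qtype qname") is an assumption, and the registered domain is approximated as the last two labels; a production version should use the Public Suffix List and tune the thresholds against its own baseline.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not a real capture): "client qtype qname" per line.
# The example.com lines are benign; the TXT queries carry 32-character hex labels
# under a throwaway domain, which is the shape a tunnel or tracking beacon leaves.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 TXT 3a6f9c1e2b7d4f8a1c5e9b0d3f2a7c4e.exfil.evil-tracker.test
10.0.0.7 TXT 9d2c4b7e1f0a3c6d8e5b2a9f7c1d4e0b.exfil.evil-tracker.test
10.0.0.7 TXT b7e1f0a3c6d8e5b2a9f7c1d4e0b3a6f9.exfil.evil-tracker.test
10.0.0.7 TXT 4e0b3a6f9c1e2b7d4f8a1c5e9b0d3f2a.exfil.evil-tracker.test
10.0.0.9 A mail.example.com
10.0.0.9 AAAA api.example.com
"""

DATA_QTYPES = {"TXT", "NULL", "CNAME", "MX"}  # record types that carry free-form payload


def shannon_entropy(label):
    """Bits per character; encoded data sits near 4 for hex and ~5 for base32/base64."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in (label.count(ch) for ch in set(label)))


def parse_log(text):
    """Return (client, qtype, registered_domain, subdomain) tuples.
    The registered domain is approximated as the last two labels (assumption);
    use the Public Suffix List in real deployments so co.uk-style names work."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        client, qtype, qname = parts
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 2:
            continue
        records.append((client, qtype.upper(), ".".join(labels[-2:]), ".".join(labels[:-2])))
    return records


def score_domains(records, min_queries=3):
    """Aggregate per registered domain and flag those showing at least two tunnel indicators."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "data": 0,
                                 "max_len": 0, "max_entropy": 0.0})
    for _client, qtype, domain, sub in records:
        s = stats[domain]
        s["queries"] += 1
        s["subdomains"].add(sub)
        s["data"] += qtype in DATA_QTYPES
        first = sub.split(".")[0]  # the leftmost label is where encoded chunks go
        s["max_len"] = max(s["max_len"], len(first))
        s["max_entropy"] = max(s["max_entropy"], shannon_entropy(first))
    findings = {}
    for domain, s in stats.items():
        if s["queries"] < min_queries:
            continue
        reasons = []
        if len(s["subdomains"]) / s["queries"] > 0.8:
            reasons.append("unique subdomain per query")
        if s["max_len"] >= 30:
            reasons.append("leading label of 30+ characters")
        if s["max_entropy"] >= 3.5:
            reasons.append("high-entropy leading label")
        if s["data"] / s["queries"] > 0.5:
            reasons.append("mostly data-carrying query types")
        if len(reasons) >= 2:  # single signals (CDN hostnames, long SPF TXT) are too noisy alone
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for domain, why in score_domains(parse_log(SAMPLE_LOG)).items():
        print(domain, "->", ", ".join(why))
```

Requiring two independent signals is deliberate: example.com also has a distinct subdomain per query in the sample (www, cdn, mail, api), which is what normal service discovery looks like, and it is only flagged when long high-entropy labels or payload-carrying record types appear alongside that ratio.
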
Launches & Tools

Keylime (GitHub Repo)

Keylime provides an end-to-end solution for bootstrapping hardware rooted cryptographic trust for remote machines, the provisioning of encrypted payloads, and runtime system integrity monitoring.

SharpGraphView (GitHub Repo)

SharpGraphView is a post-exploitation toolkit that provides modular access to the Microsoft Graph API for cloud security teams.

A peek into build provenance for Homebrew (7 minute read)

Trail of Bits describes its work with Homebrew to add cryptographically verifiable build provenance for all bottles (Homebrew's prebuilt binary packages). Each bottle is now accompanied by an attestation that binds its contents to the build-time metadata of the CI run that produced it, so a bottle substituted or tampered with after the build will fail verification. The feature is still in early beta; users can check a bottle's attestation with the brew verify command, but caution is advised until the rollout is complete.

Techniques Learned from the XZ Backdoor (17 minute read)

This blog post walks through techniques used by the XZ backdoor: locating symbol tables, function addresses and system information inside ELF files, and hooking functions once their addresses are known. It demonstrates a simplified version of the backdoor's logic using library functions and direct memory-address manipulation: the code parses the in-memory ELF image to find the functions it needs and then acts on what it finds, mirroring how the real backdoor resolved critical functions within the process without relying on the dynamic linker.
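
As an added illustration of the ELF walk the post describes (example code written for this summary, not code from the post or from the backdoor): the resolver below parses a 64-bit ELF image the way a payload living inside a process would, following the program headers to PT_DYNAMIC, reading DT_SYMTAB, DT_STRTAB and DT_HASH, and building a name-to-address map of the exported functions without touching section headers, which are not mapped at runtime. The input is a minimal ET_DYN image constructed inline by build_sample_elf with made-up symbol names and addresses. Using the SysV DT_HASH chain count to bound the symbol table is a simplification for the example; many modern binaries ship only DT_GNU_HASH, and the real backdoor resolves symbols its own way.

```python
import struct

# Constants from the System V ABI / ELF specification
PT_LOAD, PT_DYNAMIC = 1, 2
DT_NULL, DT_HASH, DT_STRTAB, DT_SYMTAB, DT_STRSZ, DT_SYMENT = 0, 4, 5, 6, 10, 11
STT_FUNC = 2

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn
SYM = struct.Struct("<IBBHQQ")             # Elf64_Sym


def build_sample_elf(symbols):
    """Construct a minimal ET_DYN image with only what a runtime resolver needs:
    PT_LOAD, PT_DYNAMIC, a string table, a symbol table and a SysV DT_HASH table.
    Symbols are (name, address) pairs invented for the example; no section
    headers are emitted, just as in a stripped library mapped into memory."""
    names, syms = b"\x00", [SYM.pack(0, 0, 0, 0, 0, 0)]
    for name, addr in symbols:
        syms.append(SYM.pack(len(names), 0x10 | STT_FUNC, 0, 1, addr, 0))  # STB_GLOBAL func
        names += name.encode() + b"\x00"
    align = lambda n: (n + 7) & ~7
    strtab_off = EHDR.size + 2 * PHDR.size
    symtab_off = align(strtab_off + len(names))
    hash_off = symtab_off + len(syms) * SYM.size
    # SysV hash layout: nbucket, nchain, bucket[], chain[]; only nchain (symbol count) is used here
    hash_tab = struct.pack("<III", 1, len(syms), 0) + bytes(4 * len(syms))
    dyn_off = align(hash_off + len(hash_tab))
    dyn = b"".join(DYN.pack(t, v) for t, v in [
        (DT_HASH, hash_off), (DT_STRTAB, strtab_off), (DT_SYMTAB, symtab_off),
        (DT_STRSZ, len(names)), (DT_SYMENT, SYM.size), (DT_NULL, 0)])
    total = dyn_off + len(dyn)
    ehdr = EHDR.pack(b"\x7fELF\x02\x01\x01" + bytes(9), 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 2, 0, 0, 0)
    # One PT_LOAD mapping the whole file at vaddr 0, so vaddr == file offset in this image
    phdrs = (PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000) +
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8))
    img = bytearray(total)
    img[:len(ehdr)] = ehdr
    img[EHDR.size:EHDR.size + len(phdrs)] = phdrs
    img[strtab_off:strtab_off + len(names)] = names
    img[symtab_off:hash_off] = b"".join(syms)
    img[hash_off:hash_off + len(hash_tab)] = hash_tab
    img[dyn_off:total] = dyn
    return bytes(img)


def resolve_dynamic_symbols(image):
    """Locate exported functions without section headers:
    ELF header -> program headers -> PT_DYNAMIC -> DT_SYMTAB/DT_STRTAB/DT_HASH -> {name: address}."""
    if image[:4] != b"\x7fELF" or image[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    hdr = EHDR.unpack_from(image, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    loads, dynamic = [], None
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = PHDR.unpack_from(image, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
    if dynamic is None:
        raise ValueError("no PT_DYNAMIC segment")

    def to_offset(vaddr):  # dynamic entries hold virtual addresses; map them through PT_LOAD
        for v, o, size in loads:
            if v <= vaddr < v + size:
                return vaddr - v + o
        raise ValueError(f"vaddr {vaddr:#x} not covered by any PT_LOAD")

    tags, pos = {}, dynamic[0]
    while pos < dynamic[0] + dynamic[1]:
        tag, val = DYN.unpack_from(image, pos)
        pos += DYN.size
        if tag == DT_NULL:
            break
        tags[tag] = val
    for needed in (DT_SYMTAB, DT_STRTAB, DT_HASH):
        if needed not in tags:
            raise ValueError(f"dynamic section lacks tag {needed}")
    symtab, strtab = to_offset(tags[DT_SYMTAB]), to_offset(tags[DT_STRTAB])
    syment = tags.get(DT_SYMENT, SYM.size)
    nchain = struct.unpack_from("<I", image, to_offset(tags[DT_HASH]) + 4)[0]
    found = {}
    for i in range(1, nchain):  # entry 0 is the reserved null symbol
        st_name, st_info, _, st_shndx, st_value, _ = SYM.unpack_from(image, symtab + i * syment)
        if st_shndx == 0 or st_info & 0xF != STT_FUNC:
            continue  # undefined import or not a function
        end = image.index(b"\x00", strtab + st_name)
        found[image[strtab + st_name:end].decode()] = st_value
    return found


if __name__ == "__main__":
    sample = build_sample_elf([("memcpy", 0x1230), ("RSA_public_decrypt", 0x4560)])
    print(resolve_dynamic_symbols(sample))
```

Resolution is the step the hook depends on: once a payload knows where a target such as RSA_public_decrypt lives, hooking it means redirecting the caller (a GOT entry, or the result an IFUNC resolver hands back) to the payload's own code. The example deliberately stops at resolution; the address map is the deliverable, and the same parser works for any image whose PT_LOAD segments you can read.
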

Black Basta Ransomware Group Is Imperiling Critical Infrastructure (3 minute read)

The Black Basta ransomware group is attacking critical infrastructure and has affected over 500 organizations in the past two years, including a healthcare system that operates 140 hospitals. The FBI and security researchers warn that the group is causing severe disruption and is targeting healthcare organizations through novel social engineering tactics.

MITRE Unveils EMB3D: A Threat-Modeling Framework for Embedded Devices (2 minute read)

MITRE has launched EMB3D, a threat-modeling framework for embedded devices used in critical infrastructure. EMB3D aims to help device vendors understand and mitigate the cyber threats targeting their devices. The framework encourages building security mechanisms in early in the design cycle so that devices are secure by construction rather than patched after deployment.

Quick Links

CISA, DHS, FBI, and International Partners Publish Guide for Protecting High-Risk Communities (4 minute read)

CISA, DHS, FBI, and international partners have published a guide to help civil society organizations reduce cyber threat risks by protecting high-risk communities.

Apple and Google Launch Cross-Platform Feature to Detect Unwanted Bluetooth Tracking Devices (3 minute read)

Apple and Google on Monday officially announced the rollout of a new feature that notifies users across both iOS and Android if a Bluetooth tracking device is being used to stealthily keep tabs on them without their knowledge or consent.

Zscaler Confirms Only Isolated Test Server Was Hacked (2 minute read)

Zscaler investigated a recent hacking incident and confirmed that only a test server was compromised, with no impact on customer data.