🔓 Attacks & Vulnerabilities
RansomHub hits 210 victims in just 6 months (3 minute read)
US agencies have issued a warning about RansomHub, a rapidly growing ransomware group formed in February with at least 210 victims across various sectors, including critical infrastructure. RansomHub exploits vulnerabilities with common hacking tools.
NGate Android Malware Relays NFC Traffic to Steal Cash (19 minute read)
A threat actor operating in Czechia evolved from using PWAs and WebAPKs to using the NGate malware to attack Android users of major Czech banks. NGate is delivered via smishing: attackers alert users to a supposed issue in their banking app or offer a faster way to get tax returns. The malware then uses NFCGate to relay NFC payment data from the device, which lets the attackers duplicate the cards and withdraw money from an ATM. The attack does not require the victim's device to be rooted.
Set-Top Box RE: 6-part series (1 of 6) (4 minute read)
This blog series examines six set-top boxes to determine whether they are compromised or part of botnets. The research covers hardware triage, filesystem extraction, and malware analysis, and it explores how easily these devices could be exploited.
Exposing Security Observability Gaps in AWS Native Security Tooling (9 minute read)
SecurityRunners' Jonathan Walker analyzes how well IAM Access Analyzer covers the detection of public or cross-account access to resources. Walker puts coverage at about 65% and lists a few notable gaps. AWS Glue and SES are fundamental services that Walker believes should have coverage. Secrets Manager currently only alerts if both the KMS key and the secret are public, but Walker believes it should alert on a public secret alone, in case a method of accessing it becomes apparent. Walker also notes that Elemental MediaStore certainly should have coverage but is fairly obscure, so it may be a backlog item. He strongly encourages deploying IAM Access Analyzer, as it is simple to manage and cost-effective.
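The Secrets Manager gap above is one a team can self-check from the secret's resource policy alone, independent of the KMS key. The following is an added example, not Walker's code: it classifies Allow statements that grant to everyone as "public" (no Condition) or "conditional" (gated by a Condition that needs manual review), run over constructed sample policies; it assumes the policy document is supplied as a parsed dict.

```python
import json

# Constructed sample policies (not from the post). Sids are labels for the checks below.
SAMPLES = {
    "open": {"Version": "2012-10-17", "Statement": {"Sid": "Anyone", "Effect": "Allow",
             "Principal": "*", "Action": "secretsmanager:GetSecretValue", "Resource": "*"}},
    "vpce_only": {"Version": "2012-10-17", "Statement": [{"Sid": "Vpce", "Effect": "Allow",
                  "Principal": {"AWS": "*"}, "Action": "secretsmanager:GetSecretValue",
                  "Resource": "*",
                  # placeholder endpoint id, not a real one
                  "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}]},
    "scoped": {"Version": "2012-10-17", "Statement": [{"Sid": "OneRole", "Effect": "Allow",
               "Principal": {"AWS": ["arn:aws:iam::111122223333:role/reader"]},
               "Action": "secretsmanager:GetSecretValue", "Resource": "*"}]},
}


def _principals(stmt: dict) -> list:
    """Flatten the Principal element: '*', {'AWS': '*'} and {'AWS': [...]} all become a list."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for v in (p.values() if isinstance(p, dict) else []):
        out.extend(v if isinstance(v, list) else [v])
    return out


def classify(policy: dict) -> dict:
    """Return Sids of Allow statements open to everyone, split by whether a Condition gates them."""
    stmts = policy.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]  # a single statement may be a bare dict
    report = {"public": [], "conditional": []}
    for s in stmts:
        if s.get("Effect") != "Allow" or "*" not in _principals(s):
            continue
        bucket = "conditional" if s.get("Condition") else "public"
        report[bucket].append(s.get("Sid", "<no Sid>"))
    return report


if __name__ == "__main__":
    for name, policy in SAMPLES.items():
        print(name, json.dumps(classify(policy)))
```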
Unprotected Container Registries (8 minute read)
Unprotected container registries are easily discoverable on the web through tools like Shodan or by scanning for common endpoints. This post demonstrates how easily an attacker can locate an unprotected container registry and upload a new image or replace an existing one. The author located over 10k unprotected registries across the full IP space and was able to push a benign PoC image to over 4,500 of them. Due to ethical considerations, they only uploaded a dummy image under an easily detectable name, but a motivated attacker could upload a malicious image just as easily.
Uniqkey (Product Launch)
Uniqkey's password and access management solution allows employees to use mobile applications when logging into enterprise systems while keeping passwords encrypted.
Dalec (GitHub Repo)
Dalec provides a declarative format for building system packages and containers from those packages. It is designed for building containers for Azure and supports Azure Linux 2 and 3 and Windows containers.
Nettacker (GitHub Repo)
The OWASP Nettacker project was created to automate information gathering, vulnerability scanning, and, eventually, report generation for networks. Its reports include information on services, bugs, vulnerabilities, misconfigurations, and more.
Don't Force Yourself to Become a Bug Bounty Hunter (5 minute read)
Sam Curry, a hacker and bug bounty hunter, reflects on the common mentality of setting up extensive goals and plans for getting into bug bounty hunting. Curry compares this with his own experience of doing the same with his studies in high school, and failing. Ultimately, Curry suggests that the fundamental issue for many hackers who set these goals and fail is that they aren't actually interested in bug bounty hunting, and that they should not force themselves to do it.
City of Columbus sues man after he discloses severity of ransomware attack (4 minute read)
An Ohio judge has issued a restraining order against a security researcher who contradicted Columbus officials' claims about a recent ransomware attack. The researcher presented evidence that sensitive data stolen in the attack was intact and accessible, contrary to the mayor's statement. The city sued the researcher, claiming his actions made dark web data publicly available.
Advancing Threat Intelligence: JA4 Fingerprints and Inter-Request Signals (11 minute read)
JA3 fingerprints were first introduced in 2017 as a method of fingerprinting browsers by hashing the TLS ClientHello message, but they have lost efficacy due to differences in how tools handle various extensions and to modern browsers randomizing the order of TLS extensions. To combat this, FoxIO introduced JA4, which incorporates other protocol elements into the fingerprint and is resilient to randomization of TLS extensions because it sorts them before hashing. To make JA4 fingerprints more useful to customers, Cloudflare aggregates data on JA4 fingerprints across its network into signals that can be used in Workers and rules. This post includes a breakdown of the different fields in a JA4 fingerprint, the statistics available via JA4 signals for a fingerprint, and a script demonstrating how to use signals in a Worker.
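To show why sorting matters, the following added example (not Cloudflare's or FoxIO's code) computes an order-sensitive JA3-style hash and a JA4 fingerprint from the same constructed ClientHello fields, then reverses the extension order: JA3 changes, JA4 does not. The JA4 layout follows the public spec as understood here (protocol, version, SNI flag, cipher and extension counts, ALPN; sorted ciphers; sorted extensions minus SNI/ALPN plus signature algorithms), and the ClientHello is a hand-built dataclass rather than a parsed packet.

```python
import hashlib
from dataclasses import dataclass

GREASE = {v for v in range(0x0a0a, 0x10000, 0x1010)}   # RFC 8701 values, ignored by both schemes
SNI, ALPN = 0x0000, 0x0010
VERSION_TAG = {0x0304: "13", 0x0303: "12", 0x0302: "11", 0x0301: "10"}


@dataclass
class ClientHello:
    """Fields the fingerprints consume (constructed, not parsed from the wire)."""
    legacy_version: int
    ciphers: list
    extensions: list                      # extension type codes in wire order
    sig_algs: list
    supported_versions: list
    sni: bool = True
    alpn: str = "h2"
    groups: tuple = (0x001d, 0x0017, 0x0018)
    point_formats: tuple = (0,)


def _strip(seq):
    return [v for v in seq if v not in GREASE]


def ja3(h: ClientHello) -> str:
    """JA3: MD5 over decimal fields in wire order, so reordered extensions give a new hash."""
    lists = (h.ciphers, h.extensions, h.groups, h.point_formats)
    fields = [str(h.legacy_version)] + ["-".join(str(v) for v in _strip(s)) for s in lists]
    return hashlib.md5(",".join(fields).encode()).hexdigest()


def _h12(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()[:12]


def ja4(h: ClientHello) -> str:
    """JA4: counts keep wire order irrelevant, and ciphers/extensions are sorted before hashing."""
    ciphers, exts = _strip(h.ciphers), _strip(h.extensions)
    ver = max(_strip(h.supported_versions), default=h.legacy_version)
    alpn_tag = (h.alpn[0] + h.alpn[-1]) if h.alpn else "00"
    a = f"t{VERSION_TAG[ver]}{'d' if h.sni else 'i'}{min(len(ciphers), 99):02d}{min(len(exts), 99):02d}{alpn_tag}"
    b = _h12(",".join(f"{c:04x}" for c in sorted(ciphers))) if ciphers else "0" * 12
    hashed_exts = ",".join(f"{e:04x}" for e in sorted(e for e in exts if e not in (SNI, ALPN)))
    sig = ",".join(f"{s:04x}" for s in h.sig_algs)
    return f"{a}_{b}_{_h12(hashed_exts + ('_' + sig if sig else ''))}"


# Constructed Chrome-like ClientHello: one GREASE cipher + 15 real, one GREASE extension + 16 real.
CIPHERS = [0x0a0a, 0x1301, 0x1302, 0x1303, 0xc02b, 0xc02f, 0xc02c, 0xc030, 0xcca9, 0xcca8,
           0xc013, 0xc014, 0x009c, 0x009d, 0x002f, 0x0035]
EXTS = [0x2a2a, 0x0000, 0x0017, 0xff01, 0x000a, 0x000b, 0x0023, 0x0010, 0x0005, 0x000d,
        0x0012, 0x0033, 0x002d, 0x002b, 0x001b, 0x0015, 0x4469]
SIG_ALGS = [0x0403, 0x0804, 0x0401, 0x0503, 0x0805, 0x0501, 0x0806, 0x0601]


def fingerprint_pair():
    """Same client twice, extension order reversed the second time: returns ((ja3, ja3'), (ja4, ja4'))."""
    base = ClientHello(0x0303, CIPHERS, EXTS, SIG_ALGS, [0x0304, 0x0303])
    reordered = ClientHello(0x0303, CIPHERS, list(reversed(EXTS)), SIG_ALGS, [0x0304, 0x0303])
    return (ja3(base), ja3(reordered)), (ja4(base), ja4(reordered))
```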