SecPro

A fresh round of important updates to keep you aheadYour cloud deserves dedicated data protection94%of cloud tenants were targeted last year, and62%were successfully compromised. The hard truth is that organizations are having a hard time securing their cloud data—and cyberattackers are ready to exploit that challenge.Here’s a handy resource you’ll want with you as you map out your plan—Orchestrating the Symphony of Cloud Data Security.You’ll learn how to:- Overcome the challenges of securing data in the cloud- Navigate multi-cloud data security- Balance data security with cloud economicsDownload now#172: The State of the UpdateA fresh round of important updates to keep you aheadt's October -Cybersecurity Awareness Month!- we're offering everyone a chance to jump on the_secprotrain...Don't miss out on last week's special issue, "Change is Difficult", available free onthe_secproSubstack. Head over and check out what we've got on offer and, if you like what you see, you can sign up to access our articles, templates, podcasts, and the other stuff we have available.Check out the premium issue!For a limited time, get20% offall subscriptions at the checkout. You can get access toour podcasts,our templates,our security guides, andother_secproeventsfora fifth off. And you can cancel anytime. What's there to lose?Thanks and enjoy!Welcome to another_secpro!It's been a busy week of updates, patches, panics, and remediation, with critical updates coming from Microsoft, Ivanti, and GitLab which protect the way we work and help battle with the adversary. If you've missed out on some important changes (Editor: or need something to read on your phone whilst your computer updates...), check out this week's news section below. We've got your back, even if you're a little behind on the job.Also, a number of online and hybrid conferences have come on our radar this week - don't miss out on them, even if you're on the other side of the world! You might even see a few names that you recognize from the_secproteam if you're lucky.Check out _secpro premiumAs always, make sure to check out the templates, podcasts, and other stuff on ourSubstackand access the very best that we have to offer. You might even learn something!Cheers!Austin MillerEditor-in-ChiefTime for some news!AppOmni-The State of SaaS Security 2024 Report: "Our 2nd annual report examines the industry’s knowledge of and mindset around SaaS security, as well as organizational maturity and goals for cybersecurity programs in 2024. We gathered insights from 644 security decision makers and managers worldwide, diving deep to uncover the real-world security challenges security professionals face from profuse SaaS usage."Bruce Schneier-Deebot Robot Vacuums Are Using Photos and Audio to Train Their AI: "An Australian news agency is reporting that robot vacuum cleaners from the Chinese company Deebot are surreptitiously taking photos and recording audio, and sending that data back to the vendor to train their AIs."Bruce Schneier-China Possibly Hacking US “Lawful Access” Backdoor: "The Wall Street Journal is reporting that Chinese hackers (Salt Typhoon) penetrated the networks of US broadband providers, and might have accessed the backdoors that the federal government uses to execute court-authorized wiretap requests. Those backdoors have been mandated by law—CALEA—since 1994."Bruce Schneier-Largest Recorded DDoS Attack is 3.8 Tbps: "Cloudflare just blocked the current record DDoS attack:3.8 terabits per second. (Lots of good information on the attack, and DDoS in general, at the link.) Newsarticle."GitLab-GitLab Critical Patch Release: 17.4.2, 17.3.5, 17.2.9: "These versions contain important bug and security fixes, and we strongly recommend that all self-managed GitLab installations be upgraded to one of these versions immediately. GitLab.com is already running the patched version.GitLab Dedicated customers do not need to take action."Ivanti-October Security Update: "It is important for customers to know: i) We are aware of a limited number of customers running CSA 4.6 patch 518 and prior who have been exploited when CVE-2024-9379 or CVE-2024-9380 are chained with CVE-2024-8963. We have not observed these vulnerabilities being exploited in any version of CSA 5.0. ii) We have no evidence of any other vulnerabilities being exploited in the wild. iii)These vulnerabilities do not impact any other Ivanti products or solutions."Krebs on Security-Lamborghini Carjackers Lured by $243M Cyberheist: "The parents of a 19-year-old Connecticut honors student accused of taking part in a $243 million cryptocurrency heist in August were carjacked a week later — while out house-hunting in a brand new Lamborghini. Prosecutors say the couple was beaten and briefly kidnapped by six young men who traveled from Florida as part of a botched plan to hold the parents for ransom."Krebs on Security-Patch Tuesday, October 2024 Edition: "Microsoft today released security updates to fix at least 117 security holes in Windows computers and other software, including two vulnerabilities that are already seeing active attacks. Also, Adobe plugged 52 security holes across a range of products, and Apple has addressed a bug in its new macOS 15 “Sequoia” update that broke many cybersecurity tools."Microsoft-File hosting services misused for identity phishing: "Microsoft has observed campaigns misusing legitimate file hosting services increasingly use defense evasion tactics involving files with restricted access and view-only restrictions. While these campaigns are generic and opportunistic in nature, they involve sophisticated techniques to perform social engineering, evade detection, and expand threat actor reach to other accounts and tenants. These campaigns are intended to compromise identities and devices, and most commonly lead to business email compromise (BEC) attacks to propagate campaigns, among other impacts such as financial fraud, data exfiltration, and lateral movement to endpoints."Mozilla-Mozilla Foundation Security Advisory 2024-51: CVE-2024-9680: "Use-after-free in Animation timeline" has been patched and requires an urgent update.AllFirefox users should attend to that straight away!OpenAI-An update on disrupting deceptive uses of AI: "Since the beginning of the year, we’ve disrupted more than 20 operations and deceptive networks from around the world that attempted to use our models. To understand the ways in which threat actors attempt to use AI, we’ve analyzed the activity we’ve disrupted, identifying an initial set of trends that we believe can inform debate on how AI fits into the broader threat landscape. Today, we are publishing OpenAI’s latest threat intelligence report, which represents a snapshot of our understanding as of October 2024."Unit 42-Contagious Interview: DPRK Threat Actors Lure Tech Industry Job Seekers to Install New Variants of BeaverTail and InvisibleFerret Malware: "Unit 42 has tracked activity from threat actors associated with the Democratic People’s Republic of Korea (DPRK), where they pose as recruiters to install malware on tech industry job seekers’ devices. We call this activity theCL-STA-240 Contagious Interview campaign, and we first published about it in November 2023. Since that publication, we’ve observed additional online activity from the fake recruiters, as well as code updates to two pieces of malware associated with the campaign; the BeaverTail downloader and the InvisibleFerret backdoor."This week's toolsgoliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.ncorbuk/Python-Ransomware - A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.Upcoming events for _secprosISC2 Security Congress 2024(October 14th): "ISC2 Security Congress is just around the corner! Join thousands of cybersecurity experts from across the globe as we lead the charge against emerging threats and protect what matters most in today's digital landscape. Regular Pricing has been extended just for you! Register today and save $200."Exploring the 2024 Horizon Report | Cybersecurity and Privacy Edition(October 15th): This webinar will explore the trends, challenges, and key technology developments identified by a panel of experts in the 2024 Horizon Report | Cybersecurity and Privacy Edition. Members of the Horizon Report team and panel will highlight contextual trends and challenges and discuss how key technologies can assist higher education cybersecurity and privacy professionals in meeting challenges and capitalizing on opportunities for the future. Implications of trends and key technologies will be considered from different institutional perspectives.The Impact of Generative AI on Kids’ Privacy, Safety, and Security(October 15th): In our increasingly digital world, the boundaries of our expectations related to privacy, security and online safety are stretched more and more by emerging technologies, policies, and practices. The Future of Privacy Forum, AARNet, and the Australian Strategic Policy Institute (ASPI) invite you to the second in our event series on privacy, security, and online safety of young people in Australia. This session will focus on potential risks and benefits related to children’s use of the growing suite of generative AI tools and methods for combatting existing and emerging harms to young people online, including the impact of the upcoming updates to Australia’s Privacy Act and the ongoing work of various Australian digital platform regulators on generative AI and AI governance.Red Hat Summit: Connect 2024(October 15th, 17th, & 22nd): Red Hat® Summit: Connect is coming to cities across Asia Pacific. Join us as we explore the future of Al, hybrid cloud, open source technology, and IT. With plenty of opportunities to engage during sessions, demos, and networking, this year's in-person event will give you access to Red Hat experts and industry leaders- all at no cost.BSidesNYC Conference(October 19th): BSidesNYC is an information security conference coordinated by security professionals within the tri-state area as part of the larger BSides framework. The conference prides itself on building an environment focused on technical content covering various security topics - from offensive security to digital forensics and incident response.SecTor(October 23rd-26th): SecTor is renowned for bringing together international experts to discuss underground threats and corporate defenses. This cyber security conference offers a unique opportunity for IT security professionals, managers, and executives to connect and learn from experienced mentors. This year, SecTor introduces the ‘Certified Pentester’ program, including a full-day practical examination, adding to the event’s educational offerings.LASCON 2024(October 24-25th): The Lonestar Application Security Conference (LASCON) is an annual event in Austin, TX, associated with OWASP, gathering 400+ web app developers, security engineers, mobile developers, and infosec professionals. Being in Texas, home to numerous Fortune 500 companies, and located in Austin, a startup hub, LASCON attracts leaders, security architects, and developers to share innovative ideas, initiatives, and technology advancements in application security.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{line-height:0;font-size:75%} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A week of madness where AI went haywireIntroducing A Market-Changing Approach to Mobile App Protection by GuardsquareMobile applications face constant, evolving threats; to address these challenges, Guardsquare is proud to announce the launch of our innovative guided configuration approach to mobile app protection. By combining the highest level of protection with unparalleled ease of use, we empower developers and security professionals to secure their applications against even the most sophisticated threats. Guardsquare is setting a new standard for mobile app protection and we invite you to join us on this journey to experience the peace of mind that comes with knowing your mobile applications are protected by the most advanced and user-friendly product on the market.Learn More#171: Going hAIwireA week of madness where AI went haywireIn the lead up to October - Cybersecurity Awareness Month! - we're offering everyone a chance to jump on the _secpro train...For a limited time, get 20% off all subscriptions at the checkout. You can get access to our podcasts, our templates, our security guides, and other _secpro events for a fifth off. And you can cancel anyway. What's there to lose?Thanks and enjoy!Upgrade for 20% off!Welcome to another_secpro!AI developers and users have suffered this week, with multiple reports of difficulties and insecurities coming from the most prominent platforms in the world. If you're the kind of person who has integrated AI into their home- and worklife (as opposed to the Editor, who is currently trying to find an empty cabin in the woods...), there will be plenty worth paying attention to here...Check out _secpro premiumIf you missed it, we sent out the first issue of the new _secproPremium (_secpro Premium #1: Change is Difficult) as a free edition. As a teaser for those thinking of subscribing and as a treat for everyone else. Don't miss out!Cheers!Austin MillerEditor-in-ChiefTime for some news!Aqua Nautilus - perfctl: A Stealthy Malware Targeting Millions of Linux Servers: "The name perfctl comes from the cryptominer process that drains the system’s resources, causing significant issues for many Linux developers. By combining “perf” (a Linux performance monitoring tool) with “ctl” (commonly used to indicate control in command-line tools), the malware authors crafted a name that appears legitimate. This makes it easier for users or administrators to overlook during initial investigations, as it blends in with typical system processes."Bruce Schneier - Weird Zimbra Vulnerability: Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit. "In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details..." Findthe rest on Schneier's website.Bruce Schneier - AI and the 2024 US Elections: "For years now, AI has undermined the public’s ability to trust what it sees, hears, and reads. TheRepublican National Committeereleased a provocative ad offering an “AI-generated look into the country’s possible future if Joe Biden is re-elected,” showing apocalyptic, machine-made images of ruined cityscapes and chaos at the border.Fake robocallspurporting to be from Biden urged New Hampshire residents not to vote in the 2024 primary election. This summer, the Department of Justice cracked down on aRussian bot farmthat was using AI to impersonate Americans on social media, and OpenAI disrupted anIranian group using ChatGPT to generate fake social-media comments..." Findthe rest on Schneier's website.Bruce Schneier - California AI Safety Bill Vetoed: "Governor Newsom hasvetoed the state’s AI safety bill. I have mixed feelings about thebill. There’s a lot to like about it, and I want governments to regulate in this space. But, for now, it’s allEU."Bruce Schneier - Hacking ChatGPT by Planting False Memories into Its Data: "This vulnerability hacks a feature that allows ChatGPT to have long-term memory, where it uses information from past conversations to inform future conversations with that same user. A researcher found that he could use that feature to plant “false memories” into that context window that could subvert the model."Cloudflare - How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack: "Since early September,Cloudflare's DDoS protection systems have been combating a month-long campaign of hyper-volumetric L3/4 DDoS attacks. Cloudflare’s defenses mitigated over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps). The largest attack peaked 3.8 Tbps — the largest ever disclosed publicly by any organization. Detection and mitigation was fully autonomous. The graphs below represent two separate attack events that targeted the same Cloudflare customer and were mitigated autonomously."Interpol - Arrests in international operation targeting cybercriminals in West Africa: "Eight individuals have been arrested as part of an ongoing international crackdown on cybercrime, dealing a major blow to criminal operations in Côte d’Ivoire and Nigeria. The arrests were made as part of INTERPOL’s Operation Contender 2.0, an initiative aimed at combating cyber-enabled crimes, primarily in West Africa, through enhanced international intelligence sharing."Europol - LockBit power cut: four new arrests and financial sanctions against affiliates: "Europol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and led to four arrests and seizures of servers critical for LockBit’s infrastructure. A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate. The Spanish officers seized nine servers, part of the ransomware’s infrastructure, and arrested an administrator of a Bulletproof hosting service used by the ransomware group. In addition, Australia, the United Kingdom and the United States implemented sanctions against an actor who the National Crime Agency had identified as prolific affiliate of LockBit and strongly linked to Evil Corp. The latter comes after LockBit’s claim that the two ransomware groups do not work together. The United Kingdom sanctioned fifteen other Russian citizens for their involvement in Evil Corp’s criminal activities, while the United States also sanctioned six citizens and Australia sanctioned two."Krebs on Security - A Single Cloud Compromise Can Feed an Army of AI Sex Bots: "Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape."Krebs on Security - Crooked Cops, Stolen Laptops & the Ghost of UGNazi: A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, the government alleges. KrebsOnSecurity has learned that many of the man’s alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012.Patchstack- Unauthenticated Stored XSS Vulnerability in LiteSpeed Cache Plugin Affecting 6+ Million Sites: "This plugin suffers from unauthenticated stored XSS vulnerability. It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request. The described vulnerability was fixed in version6.5.1and assignedCVE-2024-47374. The CCSS and UCSS generation functions_ccss()and_load() take the required parameters and HTTP headers to generate and save the data. The queue is generated using the following code lines."Securonix- SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia: "The Securonix Threat Research team has uncovered an ongoing campaign, identified as SHROUDED#SLEEP, likely attributed to North Korea’s APT37 (also known as Reaper or Group123). This advanced persistent threat group is believed to be based in North Korea and is delivering stealthy malware to targets across Southeast Asian countries. APT37, unlike other APT groups from the region such as Kimsuky, has a long history of targeting countries outside of the expected South Korean targets. This includes a number of recent campaigns against Southeast Asia countries."This week's toolsgoliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.ncorbuk/Python-Ransomware - A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.Upcoming events for _secprosInnovate Cybersecurity Summit (October 6-8th): Powered by the collective knowledge of cybersecurity executives, practitioners, and cutting-edge solution providers, Innovate is the premier resource for CISO education & collaboration.PSC Defense Conference(October 8th): "The PSC Defense Conference is where you will hear from senior executives across the Department of Defense and industry discuss current initiatives aimed at accelerating innovation and delivering capabilities to the Future Force."Cybersecurity Expo 2024(October 8-9th): "Please join us for the annual United States Department of Agriculture (USDA) Cybersecurity Expo on October 8th and October 9th (10:30AM-4:00PM EDT). This virtual event engages and educates cybersecurity professionals and enthusiasts with the goal of raising awareness about cybersecurity and increasing the resiliency in the event of a cyber incident."Red Hat Summit: Connect 2024 (October 15th, 17th, & 22nd): Red Hat® Summit: Connect is coming to cities across Asia Pacific. Join us as we explore the future of Al, hybrid cloud, open source technology, and IT. With plenty of opportunities to engage during sessions, demos, and networking, this year's in-person event will give you access to Red Hat experts and industry leaders- all at no cost.BSidesNYC Conference (October 19th): BSidesNYC is an information security conference coordinated by security professionals within the tri-state area as part of the larger BSides framework. The conference prides itself on building an environment focused on technical content covering various security topics - from offensive security to digital forensics and incident response.SecTor (October 23rd-26th): SecTor is renowned for bringing together international experts to discuss underground threats and corporate defenses. This cyber security conference offers a unique opportunity for IT security professionals, managers, and executives to connect and learn from experienced mentors. This year, SecTor introduces the ‘Certified Pentester’ program, including a full-day practical examination, adding to the event’s educational offerings.LASCON 2024 (October 24-25th): The Lonestar Application Security Conference (LASCON) is an annual event in Austin, TX, associated with OWASP, gathering 400+ web app developers, security engineers, mobile developers, and infosec professionals. Being in Texas, home to numerous Fortune 500 companies, and located in Austin, a startup hub, LASCON attracts leaders, security architects, and developers to share innovative ideas, initiatives, and technology advancements in application security.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{line-height:0;font-size:75%} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Some new malware to worry aboutIntroducing A Market-Changing Approach to Mobile App Protection by GuardsquareMobile applications face constant, evolving threats; to address these challenges, Guardsquare is proud to announce the launch of our innovative guided configuration approach to mobile app protection. By combining the highest level of protection with unparalleled ease of use, we empower developers and security professionals to secure their applications against even the most sophisticated threats. Guardsquare is setting a new standard for mobile app protection and we invite you to join us on this journey to experience the peace of mind that comes with knowing your mobile applications are protected by the most advanced and user-friendly product on the market.Learn More#170: Ransomware and Pager BombsSome new malware to worry aboutIn the lead up to October - Cybersecurity Awareness Month! - we're offering everyone a chance to jump on the _secpro train...For a limited time, get 20% off all subscriptions at the checkout. You can get access to our podcasts, our templates, our security guides, and other _secpro events for a fifth off. And you can cancel anyway. What's there to lose?Thanks and enjoy!Upgrade for 20% off!Welcome to another_secpro!It's been more than a week since pager bombs hit the papers, yet people are still talking about them! Obviously, this is still worrying some in the tech world. That's why we've included Schneier's review on the problem - to see if we should be worried, where it could lead, and how we should proceed.And, of course, the explosiveCheck out _secpro premiumThat's why we've put together the news stories, opinion pieces, and practical advice that we think you'll need to start navigating this problem. And instead of boring you with the details, we only invite you to read on!Cheers!Austin MillerEditor-in-ChiefTime for some news!BBC - TfL writes to 5,000 cyber attack customers: The letters state that there may have been unauthorised access to personal information such as bank account numbers and sort codes. Nearly three weeks after the security breach, all customers are still unable to apply for new concession cards, refunds or access their contactless data.BBC - Cyber criminals hacked school and demanded ransom: Staff at Lancaster Royal Grammar School spent the summer holidays rebuilding the entire IT system after a cyber attack forced them to shut it down. It happened on 16 July after the IT department "noticed something peculiar on the system".Bruce Schneier - NIST Recommends Some Common-Sense Password Rules:NIST’s second draft of its “SP 800-63-4“—its digital identify guidelines—finally contains some really good rules about passwords. The following requirements apply to passwords: 1. Verifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length... Here the rest on Schneier's website.Bruce Schneier - An Analysis of the EU’s Cyber Resilience Act: Agood—long, complex—analysis of the EU’s new Cyber Resilience Act.Bruce Schneier - New Windows Malware Locks Computer in Kiosk Mode: A malware campaign uses the unusual method of locking users in their browser’s kiosk mode to annoy them into entering their Google credentials, which are then stolen by information-stealing malware.Bruce Schneier - Israel’s Pager Attacks and Supply Chain Vulnerabilities: Israel’s brazen attacks on Hezbollah last week, in which hundreds of pagers and two-way radios exploded and killed at least 37 people, graphically illustrated a threat that cybersecurity experts have been warning about for years: Our international supply chains for computerized equipment leave us vulnerable. And we have no good means to defend ourselves.Evil Socket - Attacking UNIX Systems via CUPS, Part I: "A remote unauthenticated attacker can silently replace existing printers’ (or install new ones) IPP urls with a malicious one, resulting in arbitrary command execution (on the computer) when a print job is started (from that computer)."Krebs on Security - U.S. Indicts 2 Top Russian Hackers, Sanctions Cryptex: The United States today unveiled sanctions and indictments against the alleged proprietor of Joker’s Stash, a now-defunct cybercrime store that peddled tens of millions of payment cards stolen in some of the largest data breaches of the past decade. The government also indicted and sanctioned a top Russian cybercriminal known as Taleon, whose cryptocurrency exchange Cryptex has evolved into one of Russia’s most active money laundering networks.Krebs on Security - Timeshare Owner? The Mexican Drug Cartels Want You: The FBI is warning timeshare owners to be wary of a prevalent telemarketing scam involving a violent Mexican drug cartel that tries to trick people into believing someone wants to buy their property. This is the story of a couple who recently lost more than $50,000 to an ongoing timeshare scam that spans at least two dozen phony escrow, title and realty firms.Microsoft - Storm-0501: Ransomware attacks expanding to hybrid cloud environments: "Microsoft has observed the threat actor tracked as Storm-0501 launching a multi-staged attack where they compromised hybrid cloud environments and performed lateral movement from on-premises to cloud environment, leading to data exfiltration, credential theft, tampering, persistent backdoor access, and ransomware deployment. The said attack targeted multiple sectors in the United States, including government, manufacturing, transportation, and law enforcement. Storm-0501 is a financially motivated cybercriminal group that uses commodity and open-source tools to conduct ransomware operations."noyb - Firefox tracks you with “privacy preserving” feature: "Today, noyb filed a complaint against Mozilla for quietly enabling a supposed “privacy feature” (called Privacy Preserving Attribution) in its Firefox browser. Contrary to its reassuring name, this technology allows Firefox to track user behaviour on websites. In essence, the browser is now controlling the tracking, rather than individual websites. While this might be an improvement compared to even more invasive cookie tracking, the company never asked its users if they wanted to enable it. Instead, Mozilla decided to turn it on by default once people installed a recent software update. This is particularly worrying because Mozilla generally has a reputation for being a privacy-friendly alternative when most other browsers are based on Google’s Chromium."Unit 42 - Unraveling Sparkling Pisces’s Tool Set: KLogEXE and FPSpy: Unit 42 researchers discovered two malware samples used by the Sparkling Pisces (aka Kimsuky) threat group. This includes an undocumented keylogger, called KLogEXE by its authors, and an undocumented variant of a backdoor dubbed FPSpy. These samples enhance Sparkling Pisces' already extensive arsenal and demonstrate the group’s continuous evolution and increasing capabilities.This week's toolsgoliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.ncorbuk/Python-Ransomware - A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.Upcoming events for _secprosIDM Europe Identity Management (October 2nd): Identity Management Europe 2024 is Europe’s key gathering for IAM leaders, decision-makers, and influencers. With the increasing complexity of verifying and securing access for diverse enterprise actors in a crowded digital ecosystem, the conference addresses challenges amplified by the widespread adoption of remote work.Innovate Cybersecurity Summit (October 6-8th): Powered by the collective knowledge of cybersecurity executives, practitioners, and cutting-edge solution providers, Innovate is the premier resource for CISO education & collaboration.BSidesNYC Conference (October 19th): BSidesNYC is an information security conference coordinated by security professionals within the tri-state area as part of the larger BSides framework. The conference prides itself on building an environment focused on technical content covering various security topics - from offensive security to digital forensics and incident response.SecTor (October 23rd-26th): SecTor is renowned for bringing together international experts to discuss underground threats and corporate defenses. This cyber security conference offers a unique opportunity for IT security professionals, managers, and executives to connect and learn from experienced mentors. This year, SecTor introduces the ‘Certified Pentester’ program, including a full-day practical examination, adding to the event’s educational offerings.LASCON 2024 (October 24-25th): The Lonestar Application Security Conference (LASCON) is an annual event in Austin, TX, associated with OWASP, gathering 400+ web app developers, security engineers, mobile developers, and infosec professionals. Being in Texas, home to numerous Fortune 500 companies, and located in Austin, a startup hub, LASCON attracts leaders, security architects, and developers to share innovative ideas, initiatives, and technology advancements in application security.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{line-height:0;font-size:75%} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Towards better knowledge and better practiceIn the lead up to October - Cybersecurity Awareness Month! - we're offering everyone a chance to jump on the _secpro train...For a limited time, get 20% off all subscriptions at the checkout. You can get access to our podcasts, our templates, our security guides, and other _secpro events for a fifth off. And you can cancel anyway. What's there to lose?Thanks and enjoy!Upgrade for 20% off#169: Growing TensionsTowards better knowledge and better practiceJoin Roman Lavrik from Deloitte Snyk hosted DevSecCon 2024Snyk is thrilled to announce DevSecCon 2024, Developing AI Trust Oct 8-9, a free virtual summit designed for DevOps, developer and security pros of all levels. Join Roman Lavrik from Deloitte, among many others, and learn some presciptive DevSecOps methods for AI-powered development.Save your spotWelcome to another_secpro!It has been a difficult week world over. That applies to everyone, not just those working in cybersecurity. In the wake of the controversial weaponization of pagers by Israeli forces, maybe now is the time to consider that how the public perception of cybersecurity is going to change in the near future. If nothing else, we might see people who are feeling less secure about hardware simply because of the fact that they know so little about how it works. That means that now is as good a time as any to capitalize on that ignorance and worry to make a step up.Check out _secpro premiumThat's why we've put together the news stories, opinion pieces, and practical advice that we think you'll need to start navigating this problem. And instead of boring you with the details, we only invite you to read on!Cheers!Austin MillerEditor-in-ChiefTime for some news!Bruce Schneier -FBI Shuts Down Chinese Botnet: The FBI hasshut down a botnet run by Chinese hackers: "The botnet malware infected a number of different types of internet-connected devices around the world, including home routers, cameras, digital video recorders, and NAS drives. Those devices were used to help infiltrate sensitive networks related to universities, government agencies, telecommunications providers, and media organizations…. The botnet was launched in mid-2021, according to the FBI, and infected roughly 260,000 devices as of June 2024."Bruce Schneier - Remotely Exploding Pagers: Schneier's commentary on the latest controversy in the Israeli crisis.Bruce Schneier - Python Developers Targeted with Malware During Fake Job Interviews: "Interesting social engineering attack: luring potential job applicants with fake recruiting pitches, trying to convince them to download malware."GitHub - SAML authentication bypass via Incorrect XPath selector: Ruby-SAML in <= 12.2 and 1.13.0 <= 1.16.0 does not properly verify the signature of the SAML Response. An unauthenticated attacker with access to any signed saml document (by the IdP) can thus forge a SAML Response/Assertion with arbitrary contents. This would allow the attacker to log in as arbitrary user within the vulnerable system.Google Cloud - An Offer You Can Refuse: UNC2970 Backdoor Deployment Using Trojanized PDF Reader: In June 2024,Mandiant Managed Defenseidentified a cyber espionage group suspected to have a North Korea nexus, tracked by Mandiant under UNC2970. Later that month, Mandiant discovered additional phishing lures masquerading as an energy company and as an entity in the aerospace industry to target victims in these verticals.Huntress - Cracks in the Foundation: Intrusions of FOUNDATION Accounting Software: On September 14, Huntress discovered an emerging threat involvingFOUNDATION Accounting Software, which is commonly used by contractors in the construction industry. Attackers have been observed brute forcing the software at scale, and gaining access simply by using the product’s default credentials. We're seeing active intrusions among plumbing, HVAC, concrete, and similar sub-industries.Krebs on Security -This Windows PowerShell Phish Has Scary Potential: Many GitHub users this week received a novel phishing email warning of critical security holes in their code. Those who clicked the link for details were asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware. While it’s unlikely that many programmers fell for this scam, it’s notable because less targeted versions of it are likely to be far more successful against the average Windows user.Krebs on Security - Scam ‘Funeral Streaming’ Groups Thrive on Facebook: Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends and family who follow the links for the streaming services are then asked to cough up their credit card information. Recently, these scammers have branched out into offering fake streaming services for nearly any kind of event advertised on Facebook. Here’s a closer look at the size of this scheme, and some findings about who may be responsible.SecureList - Exotic SambaSpy is now dancing with Italian users: "In May 2024, we detected a campaign exclusively targeting victims in Italy. We were rather surprised by this, as cybercriminals typically select a broader target to maximize their profits. For example, a certain type of malware might target users in France and Spain, with the phishing emails written in both of the respective languages. However, for such a campaign, the malware’s code includes no particular checks to ensure it only runs in France and Spain. What sets this campaign apart is that, at various stages of the infection chain, checks are made to ensure that only Italian users are infected. This prompted us to investigate further and discover that the attackers were delivering a new RAT as the final payload that we dubbed SambaSpy."This week's toolsThis week, we turn our attention to zero trust. Take a look at these resources, so you can get comfortable with the latest trend in the business.pomerium/awesome-zero-trust: Is there a better place to start an investigation than with these curated "awesome" lists? A perfect place for the beginner/resource hoarder to get started.ukncsc/zero-trust-architecture: A collection of resources from the British government.OpenNHP/opennhp: Zero Trust Network Hiding Protocol (NHP) open-source implementation.codenotary/immudb: Immutable database based on zerotrust, SQL/Key-Value/Document model. Tamperproof data change history.smallstep/cli: Azerotrustswiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.Upcoming events for _secprosGeekle: Cyber Security Global Summit 2024 (24th September): "Online conference for software engineers about latest tech trends in Cyber Security": web, mobile, and major updates.National Cyber Summit 2024 (24th September): "National Cyber Summit is the nation’s most innovative cyber security-technology event, offering unique educational, collaborative and workforce development opportunities for industry visionaries and rising leaders. NCS offers more value than similar cyber conferences with diverse focus-areas, premier speakers, and unmatched accessibility. Our core focus is on three things: education, collaboration and innovation."Beyond Checking the Box: Implementing a Pragmatic Risk Management Program (25th September): "Join Steve Ryan, attest services manager and head of healthcare services at BARR Advisory, and Larry Kinkaid, cybersecurity consulting manager at BARR, for an in-depth conversation on how to transform your risk management program into a source of real value."Cypher India 2024 (25th September): "Cypher started as a simple idea in 2015: Let’s connect the AI community with all industries, both old and new. It seemed to resonate. Cypher has grown to become the “largest AI conference in India”. No conference has ever grown so large so fast. But we also pride ourselves in organising the “best AI conference in India”.Data Security Posture Management (DSPM) with Snowflake and BigID (25th September): "Given the growth in data volume, velocity, variety, and vulnerabilities, knowing where all your data is and how to improve security posture and manage risk is critical for board-level discussions. Join Snowflake and BigID for a webinar on practical strategies to strengthen security posture and reduce risk."Government Cybersecurity Roadshow: Illinois 2024 (25th September): "The State of Illinois has long since been a leader in the cybersecurity realm. With the ever-increasing threat vector presented by new age cyber threats, there is a constant back and forth of threat identification and solution creation. Few organizations are more open to these rapidly evolving threats than that of the public sector."Leeds Cyber Security Conference 2024 (26th September): "A one-day event looking at all things cyber security, information security, and digital. ISO 27001 to Email Security, Microsoft Tools to Threat Intelligence."Women Impact Tech Denver 2024 (26th September): "Join us for this unique virtual event where you get the opportunity to interact with countless women who are driving change, pioneering new ideas, and thriving in the tech industry."2024 Southwest Cybersecurity Capabilities and Careers Symposia (3CS) (27th September): ive symposia provide the opportunity to learn, experience, and discuss the latest tools, techniques, and technologies for Teaching, Practicing, Demonstrating, and Showcasing Cybersecurity Capabilities.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{line-height:0;font-size:75%} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Introducing a new way of keeping up with the _secpro#168: A Change in PaceIntroducing a new way of keeping up with the _secproHello!Welcome to another_secpro!This time, we're changing up the newsletter a little...We're splitting the _secpro in two - firstly, thefreenewsletter will stay freebutwe're expanding what is on offer for you all: you'll still getnews and tools, but you'll also get conference information,Packtnew title release information, and other little useful tidbits and trinkets; secondly, thepremiumnewsletter will become a monthly edition that is sent out to all paying subscribers, including: analytical and opinionpieces from the_secprostaff, podcast episodes, templates, expert access, industry-leading advice,offers for events, and any other premium features that we roll out in thenear future. If that appeals to you, click the link below!CHECK OUT THE _SECPRO PREMIUM!Of course, if you only want the free edition, that's cool too. We're going to ensure that our content remains as interestinganduseful for all of you who are sticking with thenewsletter. We might even share some of our premium content here with you from time to time - just as a thank you for sticking with us.Cheers!Austin MillerEditor-in-ChiefCheck out the podcast!Soledad Antelada Toledano is the Security Technical Program Manager at Google. She has previously worked for Berkeley Labs.Soledad was the first woman in the history of the Cybersecurity department at Berkeley Lab. After specializing in 'penetration testing' for several years, Soledad also develops research and advancement tasks for intrusion detection systems, monitoring of high capacity networks and vision and research exercises on how cybersecurity will evolve in the next 10 years adopting techniques of Artificial Intelligence for intrusion detection and handling of BigData generated by monitoring tools.Soledad has combined her work at the Berkeley lab in recent years with the responsibility of being the head of security for the ACM / IEEE Supercomputing Conference, the annual supercomputing conference in the United States, protecting and building the network architecture of SCinet, the fastest network in the world.CHECK OUT THE PODCAST!Time for some news!AquaSec-Hadooken Malware Targets Weblogic Applications: "WebLogic Server is an enterprise-level Java EE application server developed by Oracle, used for building, deploying, and managing large-scale, distributed applications. It’s commonly used in banking, e-commerce, and business-critical systems due to its support for Java technologies, transaction management, and scalability. However, WebLogic is a frequent target for cyberattacks due to vulnerabilities such as deserialization flaws and improper access controls. Misconfigurations, like weak credentials or exposed admin consoles, can lead to remote code execution (RCE), privilege escalation, and data breaches if not properly patched or secured."Bruce Schneier-Microsoft Is Adding New Cryptography Algorithms:Microsoft is updatingSymCrypt, its core cryptographic library, with new quantum-secure algorithms. Microsoft’s details arehere. From anews article.Bruce Schneier-Evaluating the Effectiveness of Reward Modeling of Generative AI Systems:New research evaluating the effectiveness of reward modeling during Reinforcement Learning from Human Feedback (RLHF): “SEAL: Systematic Error Analysis for Value ALignment.” The paper introduces quantitative metrics for evaluating the effectiveness of modeling and aligning human values.Bruce Schneier-New Chrome Zero-Day: "According to Microsoft researchers, North Korean hackers have beenusinga Chromezero-day exploitto steal cryptocurrency."Bruce Schneier-Australia Threatens to Force Companies to Break Encryption:In 2018, Australia passed the Assistance and Access Act, which—among other things—gave the government the power to force companies to break their own encryption. "The Assistance and Access Act includes key components that outline investigatory powers between government and industry."Bruce Schneier-YubiKey Side-Channel Attack:There is a side-channel attack against YubiKey access tokens that allows someone to clone a device. It’s acomplicated attack, requiring the victim’s username and password, and physical access to their YubiKey—as well as some technical expertise and equipment.Dr. Web-Void captures over a million Android TV boxes: "Doctor Web experts have uncovered yet another case of an Android-based TV box infection. The malware, dubbed Android.Vo1d, has infected nearly 1.3 million devices belonging to users in 197 countries. It is a backdoor that puts its components in the system storage area and, when commanded by attackers, is capable of secretly downloading and installing third-party software."GitLab-Critical Patch Release:GitLab on Wednesday released security updates to address 17 security vulnerabilities, including a critical flaw that allows an attacker to run pipeline jobs as an arbitrary user.The issue, tracked as CVE-2024-6678, carries a CVSS score of 9.9 out of a maximum of 10.0.Krebs on Security-Bug Left Some Windows PCs Dangerously Unpatched:Microsoft Corp.today released updates to fix at least 79 security vulnerabilities in itsWindowsoperating systems and related software, including multiple flaws that are already showing up in active attacks. Microsoft also corrected a critical bug that has caused someWindows 10PCs to remain dangerously unpatched against actively exploited vulnerabilities for several months this year.Krebs on Security-Sextortion Scams Now Include Photos of Your Home:An old but persistent email scam known as “sextortion” has a new personalized touch: The missives, which claim that malware has captured webcam footage of recipients pleasuring themselves, now include a photo of the target’s home in a bid to make threats about publishing the videos more frightening and convincing.Sekoia-A glimpse into the Quad7 operators’ next moves and associated botnets: "The Sekoia TDR team has recently identified new staging servers, leading to the discovery of additional targets, implants, and botnet clusters tied to the Quad7 operators."This week's toolsNo theme this week. Just some things that we've been playing with. Check them out!ncorbuk/Python-Ransomware- A tutorial kit for making ransomware with Python.captainGeech42/ransomwatch- A tool for monitoring global malware occurences.ForbiddenProgrammer/conti-pentester-guide-leak- Leaked pentesting guides for the Conti team - get into the minds of the threat actor!YJesus/AntiRansom- A toolkit for running anti-ransomware honeypotsUpcoming events for _secpros BSides Charlotte(14th September): "BSides Charlotte 2024 will be held on September 14th and 15th in Charlotte, NC. Join us for talks, competitions, villages, training, capture the flag, and more! A call for papers, volunteers, and sponsorship opportunities will be posted on our website as preparations for the conference are made. Be sure to join us on Discord or follow on X/Mastodon as well for the most up to date information. Our mission is to serve the information security community in and around Charlotte, NC by primarily holding an annual BSides Charlotte Security Conference which offers learning opportunities through talks, activity villages, and capture-the-flag competitions. From time-to-time BSides Charlotte may put on training opportunities and partner with other organizations to bring value added content to the community."The Annual Cyber Security in Financial Services Summit 2024(16th September): "City & Financial Global is pleased to announce the 10th edition of its annual Cyber Security in Financial Services Summit event on 16th September 2024. The purpose of the Summit is to look at the cyber risks, wherever they originate, which pose a threat to London and the financial services community and will provide a forum for Government bodies, regulators, law enforcers, and financial institutions to examine the latest threats and how to combat them. It will also look at the Government’s cyber strategy, the current and future priorities of the National Cyber Security Centre, the NCA’s response to the evolving nature of the cyber threat, and the Bank of England’s stance on cyber resilience in the financial sector."Supply Chain Insight Summit 2024(16th September): "By bringing together industry leaders and innovators, the GDS Supply Chain Summit will explore the latest trends, technologies, and strategies shaping global supply chains. During this period of continuous change where resilience, efficiency, and sustainability are paramount, this summit will highlight key challenges and opportunities spanning the entire supply chain spectrum. From procurement and manufacturing to logistics, distribution, and customer engagement, we will discuss the importance of building strong supply chains for future success. Why attend? Connect with like-minded senior leaders for a curated agenda, focused on tackling your current business critical challenges and driving the industry forward."Mandiant Worldwide Information Security Exchange (mWISE) 2024(18th September): "mWISE 2024 (Mandiant Worldwide Information Security Exchange) is heading to Denver, Colorado from September 18–19. A new, more central location but our goal is the same: gather leading security experts to share knowledge and intel, and to address the greatest cyber threats and challenges our industry faces. mWISE is open to the security community at large — bringing industry, government, and academia together to discuss and understand today’s landscape and identify the threats on the horizon."The AI Tsunami: Is Your API Security Ready for the Perfect Storm?(19th September): "Is Your API Security Ready for the Perfect Storm? provided a comprehensive overview of the emerging threats in API security driven by AI advancements. Experts discussed proactive measures and best practices to safeguard APIs against sophisticated attacks. The event was well-organized, featuring insightful presentations and interactive Q&A sessions. Attendees gained valuable knowledge on fortifying their API security strategies in the face of evolving AI-driven threats."AI in Cybersecurity: A Double-Edged Sword(20th September):"AI in Cybersecurity: A Double-Edged Sword" explores the dual nature of artificial intelligence in the realm of cybersecurity. The event highlights how AI can enhance security measures through advanced threat detection and automated responses, while also acknowledging the risks of AI being exploited by cybercriminals. Featuring expert panels and discussions, the event aims to provide a comprehensive understanding of AI's impact on modern cybersecurity practices.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{line-height:0;font-size:75%} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}