Welcome to another _secpro! Here’s a quick roundup of the latest in cybersecurity.
Misconfigured servers are being hijacked for illegal live sports streaming, often caught using honeypots. Separating genuine threats from noise is tricky, but smarter automation and good old-fashioned threat hunting are helping. Meanwhile, geoblocking has come under scrutiny as websites block users for political reasons. Bruce Schneier points out that this undermines internet freedom and suggests steps like better transparency around sanctions and promoting open web access. On a related note, the Secret Service has been using app-based location data without warrants, banking on users’ blind agreement to terms of service.
Spyware also made the news, with Italy’s budget-friendly tools flying under the radar compared to premium options like NSO Group’s products. These affordable tools, rented by law enforcement for as little as €150 a day, raise questions about regulation. On the technical side, 2023 saw a sharp rise in zero-day vulnerabilities being exploited. These are becoming top priorities for attackers. Fake Python packages on PyPI are another headache—malicious uploads promised AI APIs but were stealing data instead.
There’s also been progress in cracking down on cybercrime. Five members of the “Scattered Spider” hacking group, responsible for attacks on companies like T-Mobile and LastPass, have been charged. However, threats continue to evolve. The NSOCKS botnet, leveraging IoT devices, remains a major proxy network for cybercriminals.
As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!
Cheers!
Austin Miller
Editor-in-Chief
Aqua - Threat Actors Hijack Misconfigured Servers for Live Sports Streaming: "When utilizing honeypots to collect threat intelligence, you assume that any event is malicious. In reality, there are many scanners that trigger the honeypots, script kiddies that trigger events with their curiosity, or trivial tools and failed attack attempts that exploit initial access but fail to mature to a full-blown attack. Strong automation and machine learning were tailored to distinguish between interesting and non-interesting events. But sometimes we miss, and when that happens, we utilize threat hunting as a compensative measurement."
Bruce Schneier - The Scale of Geoblocking by Nation: "We introduce and explore a little-known threat to digital equality and freedom: websites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to information in repressive regimes. Clarifying distinctions between free and paid websites, allowing trunk cables to repressive states, enforcing transparency in geoblocking, and removing ambiguity about sanctions compliance are concrete steps the U.S. can take to ensure it does not undermine its own aims."
Bruce Schneier - Secret Service Tracking People’s Locations without Warrant: This feels important: "The Secret Service has used a technology called Locate X which uses location data harvested from ordinary apps installed on phones. Because users agreed to an opaque terms of service page, the Secret Service believes it doesn’t need a warrant."
Bruce Schneier - Why Italy Sells So Much Spyware: "Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of Justice document, as of December 2022 law enforcement in the country could rent spyware for €150 a day, regardless of which vendor they used, and without the large acquisition costs which would normally be prohibitive."
Bruce Schneier - Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days: "In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."
Kaspersky - JarkaStealer in PyPI repository: "The malicious packages were uploaded to the repository by one author and, in fact, differed from each other only in name and description. The first was called “gptplus” and allegedly allowed access to the GPT-4 Turbo API from OpenAI; the second was called “claudeai-eng” and, according to the description, also promised access to the Claude AI API from Anthropic PBC."
Krebs on Security - Feds Charge Five Men in ‘Scattered Spider’ Roundup: Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.
Krebs on Security - Fintech Giant Finastra Investigating Data Breach: The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.
Lumen - One Sock Fits All: The use and abuse of the NSOCKS botnet: The Black Lotus Labs team at Lumen Technologies has expanded the known architecture of the “ngioweb” botnet, its use as a cornerstone of the notorious criminal proxy service known as NSOCKS, and appropriation by others such as VN5Socks and Shopsocks5. One of the most widely used criminal proxies, NSOCKS maintains a daily average of over 35,000 bots in 180 countries, and has been tied to notorious groups such as Muddled Libra. At least 80% of NSOCKS bots in our telemetry originate from the ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices. Two-thirds of these proxies are based in the U.S.
Netskope - Python NodeStealer Targets Facebook Ads Manager with New Techniques: In September 2023, Netskope Threat Labs reported a Python-based NodeStealer targeting Facebook business accounts. NodeStealer collects Facebook and other credentials stored in the browser and its cookie data. For over a year, we have tracked and discovered multiple variants of this infostealer. It is now targeting new victims and extracting new information using new techniques. In this blog post, we will dissect the development of the Python NodeStealer from multiple samples in the wild. Each section highlights different variants, showcasing new targets and techniques.
Oracle - Oracle Security Alert Advisory - CVE-2024-21287: "This Security Alert addresses vulnerability CVE-2024-21287 in Oracle Agile Product Lifecycle Management (PLM). This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure."
Sentinel - DPRK IT Workers | A Network of Active Front Companies and Their Links to China: "North Korea operates a global network of IT workers, both as individuals and under front companies, to evade sanctions and generate revenue for the regime. These workers are highly skilled in areas like software development, mobile applications, blockchain, and cryptocurrency technologies. By posing as professionals from other countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with businesses worldwide."
Vectra - 2024 State of Threat Detection: Does a high level of confidence across SOCs mean security professionals are finally able to keep pace with the increasing number of threats? Not so fast. While security teams feel that their SOC is well staffed with the right number of skilled analysts, many agree that their current security stack limits their ability.
We Live Security - Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine: "ESET researchers have identified multiple samples of Linux backdoor, which we have named WolfsBane, that we attribute with high confidence to the Gelsemium advanced persistent threat (APT) group. This China-aligned threat actor has a known history dating back to 2014 and until now, there have been no public reports of Gelsemium using Linux malware. Additionally, we discovered another Linux backdoor, which we named FireWood. However, we cannot definitively link FireWood to other Gelsemium tools, and its presence in the analyzed archives might be coincidental. Thus, we attribute FireWood to Gelsemium with low confidence, considering it could be a tool shared among multiple China-aligned APT groups."
Windows Security - Windows security and resiliency: Protecting your business: Empowering IT administrators with great tools during critical times is a top priority. Our first step is born out of the learnings from the July incident with the announcement of Quick Machine Recovery. This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC.
goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.
ncorbuk/Python-Ransomware - A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.
ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.
codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.
Higher education in the AI era (29th November): The THE Global AI Forum will bring together leading academics, researchers and thought leaders working in AI to share and discuss the latest developments in AI ethics, horizons and how universities will be impacted. Delegates will discover the latest advancements in AI and the opportunities and potential challenges that AI may present for their institution. The forum will facilitate unparalleled knowledge exchange and networking that will help shed light on and shape some of AI's most critical and unexplored areas.
Hinweis Third International Conference on Artificial Intelligence and Data Science (29th-30th November): Hinweis Third International Conference on Artificial Intelligence and Data Science (AIDE) is a Hybrid Mode prestigious event organized with a motivation to provide an excellent international platform for the academicians, researchers, engineers, industrial participants and budding students around the world to SHARE their research findings with the global experts.
UK & Ireland CISO Inner Circle (3rd December): Join UK & Ireland's top CISOs for an intimate networking dinner and facilitated discussion on key business challenges. Enjoy a relaxed evening of dinner and drinks with your peers to share best practices, make new connections and build professional relationships.
Immersive Training & Networking for Digital Marketers (3rd-4th December): "Sharpen your marketing skill set through our workshops and sessions, that address tactical, practical and strategic ideas from the best marketing talent in the country!"
DevOpsCon (December 2nd-6th): "Simplify Complexity, Amplify Agility, Accelerate Innovation"