DOOM Exploit, iPhone Deep Fakes, & 11 0-Days Infect Devices – PSW #688

From the Git repo: "This example only works in version 1.9 The Ultimate Doom. That is, no Doom2, no The Final Doom or Anthology. (Why is there so many different 1.9 versions?)" - This is super cool, I don't remember enough about DoS-based Doom games, but it's cool. It won an award, yes, they have a Doom hack award thing. I never knew that was a thing, but I also think it's really cool! Awards: https://www.doomworld.com/cacowards/2020/others/ (Machaward - Most creative, unusual, or artistically compelling project of the year: Arbitrary Code Execution - @kgsws)

"Similar to Sparrow, CHIRP scans for signs of APT compromise within an on-premises environment, by default it searches for IOCs associated with malicious activity detailed in AA20-352A and AA21-008A alerts. The CHIRP tool allows to examine Windows event logs for artifacts associated with this activity, Windows Registry for evidence of intrusion, query Windows network artifacts, and apply YARA rules to detect malware, backdoors, or implants."

"CVE-2021-1411, which concerns an arbitrary program execution vulnerability in its Windows app, is also the most critical, with a CVSS score of 9.9 out of a maximum of 10. According to Cisco, the flaw is due to improper validation of message content, thus making it possible for an attacker to send specially-crafted XMPP messages to the vulnerable client and execute arbitrary code with the same privileges as that of the user account running the software."

I would think MS Defender could catch these? https://www.commonexploits.com/unquoted-service-paths/

This is pretty brave: "10 days ago, I bought this X1 Carbon. I immediately installed OpenBSD on it. It took me a few days to settle in and make myself at home, but here are my impressions."

"Internally, strings in the Nim programming language are stored inside a structure (STRING_LITERAL) that consists of 2 integers followed by the string." And now thanks to Didier we have a Python script to extract them. Nim is interesting: "Nim is an imperative, general-purpose, multi-paradigm, statically typed, systems, compiled programming language[7] designed and developed by Andreas Rumpf. It is designed to be "efficient, expressive, and elegant",[8] supporting metaprogramming, functional, message passing,[5] procedural, and object-oriented programming styles by providing several features such as compile time code generation, algebraic data types, a foreign function interface (FFI) with C, C++, Objective-C, and JavaScript, and supporting compiling to those same languages." https://en.wikipedia.org/wiki/Nim_(programming_language)

"Starting with Firefox 87, we set the default Referrer Policy to ‘strict-origin-when-cross-origin’ which will trim user sensitive information accessible in the URL. As illustrated in the example above, this new stricter referrer policy will not only trim information for requests going from HTTPS to HTTP but will also trim path and query information for all cross-origin requests. With that update, Firefox will apply the new default Referrer Policy to all navigational requests, redirected requests, and subresource (image, style, script) requests, thereby providing a significantly more private browsing experience. Attribution link: https://latesthackingnews.com/2021/03/24/mozilla-firefox-87-out-with-new-default-referrer-policy-for-more-privacy/"

"The researchers caught the malicious code running on the login page (wp-login.php) of a WordPress website. This placement allowed the attackers to steal the users’ credentials directly. In the case of admins, such data theft directly leads to website takeover." and "The attacker uses file_get_contents to make their remote request to Telegram’s API URL, allowing them to transmit the stolen data without leaving much evidence of the exfiltration on the server. Adding this feature also allows the attacker to access the stolen data in real-time, instead of having to check a text file for any captured information/."

And now there's a Metasploit module/exploit...

"Gluttony — We’ve implemented our own framework. It’s really hard to attack, Relying on Assumptions & Happy Paths — It’s an edge case, Obscurity — How will they know, to attack here?, Blame — It’s your fault!"

"Bad actors and grifters have been spreading misinformation about vaccines on social media, including on Facebook and Twitter, for years. Some of the most infamous purveyors of vaccine and infectious diseases misinformation have been Russian government-backed trolls linked to the Internet Research Agency (IRA), the same entity that U.S. officials have said interfered in the 2016 presidential election."

"When considering cybersecurity, we need to understand it operates according to a different set of rules than the physical world. We keep distance, set borders as physical security controls. But in cyberspace, the concepts like distance, borders, and proximity all operate differently, which has profound security implications." "One thing in common between SUNBURSTS and the recent zero-day attacks on Microsoft Exchange is that they are both found to have been state-sponsored. " and then alert fatigue and skill shortage = bad news for cybersecurity.

What were they after? Something good in order to burn 11 0days. "Malware trackers at Google keep on pointing out a complex APT group that burned through at least 11 zero-days exploits in less than a year to conduct mass spying across a range of platforms and gadgets. The group has effectively utilized "watering hole" assaults to divert explicit targets to a couple of exploit servers conveying malware on Windows, iOS, and Android gadgets."

"In this blog post I’m gonna cover the in my opinion most common findings in a Windows Active Directory environment, which can be found and abused for Privilege Escalation and Lateral Movement in such a project. It’s about on premises vulnerabilities and misconfigurations in an internal company environment as well as mitigations."

12 riddles linked to new £50 note featuring the codebreaker may take seven hours to crack.

A topic of interest for me of late, so it's good to get an alternative view from down the rabbit hole.

Social media platform used to spread malware that spied on Uyghurs.

"The data breach was caused by a phishing attack in which an employee of the State Controller’s Office Unclaimed Property Division clicked on a link in an email and then entered a user ID and password as prompted." Okay, everyone is going to get phished. But sharing credentials??? That's on the Security Awareness Program IMO.

The second fix was reportedly necessary after SaltStack did not participate in coordinated disclosure.

A security researcher has launched a GoFundMe campaign to secure legal representation after a responsible disclosure notice apparently went sour.

A misconfigured, unsecured cloud database belonging to Belize-based forex broker FBS has been found exposed online containing more than 20TB of sensitive customer data.

CNA Financial has disclosed it suffered a "cyberattack" that forced the company to shut down specific systems and take down its website to minimize the attack's impact.

Shell has disclosed it suffered a data breach after an unauthorized individual leveraged vulnerabilities affecting its Accellion FTA and gained access to files containing PII belonging to those working with the company.

Adobe has released an urgent patch for a potentially dangerous security vulnerability in Adobe ColdFusion, the fix requires updating both the server and JRE/JDK.

MangaDex has temporarily taken its site down after a malicious actor managed to access an admin, a developer account, and its source code on March 17. A malicious actor had managed to gain access to an admin account through the reuse of a session token found in an old database leak through faulty configuration of session management.

March 18, 2021, the "REvil" ransomware group announced on its data leak site that it had breached systems belonging to New Taipei City, Taiwan-based electronics and hardware manufacturer Acer; stole an array of documents that included bank balances, bank communications, and financial spreadsheets; and demanded the company pay $50 million USD in ransom.

China has decided that Tesla vehicles pose a threat following concern over the multiple cameras each contains and the sensitive data they are capable of recording. With that in mind, the military has banned Elon Musk's cars from entering any Chinese military complexes or housing compounds.

Researchers say they have spotted attackers leveraging a Trojanized version of the Xcode Project's malicious XcodeSpy in a series of attacks designed to infect IOS developers' systems with a variant of the "EggShell" backdoor. This had previously been reported as Redpanda in June 2020 by Mandiant.

As part of a nine-month-long, "highly sophisticated" hacking campaign, a team of advanced hackers reportedly exploited at least 11 zero-day vulnerabilities using compromised websites in order to infect fully patched devices running Android, iOS, and Windows.

Charleston, S.C.-based surveillance contractor The Ulysses Group is reportedly looking to sell the U.S. military a new product it asserts is capable of obtaining the real-time locations of specific vehicles anywhere on earth leveraging data collected and sent by car sensors.