The War Room


Community for various OSINT news and subject matter for open discussion or dissemination elsewhere


How to Investigate an OAuth Grant for Suspicious Activity or Overly Permissive Scopes

From a user’s perspective, OAuth works like magic. In just a few keystrokes, you can whisk through the account creation process and gain immediate access to whatever new app or integration you’re seeking. Unfortunately, few users understand the implications of the permissions they allow when they create a new OAuth grant, making it easy for malicious actors to manipulate employees into giving


US Gov Warns of Foreign Intelligence Cyberattacks Against US Space Industry

The FBI, NCSC, and AFOSI warn US space industry organizations of foreign intelligence targeting and exploitation, including cyberattacks.

The post US Gov Warns of Foreign Intelligence Cyberattacks Against US Space Industry appeared first on SecurityWeek.


Tesla says data breach impacting 75,000 employees was an insider job

Tesla has said that insider wrongdoing was to blame for a data breach affecting more than 75,000 company employees. Tesla, the electric car maker owned by Elon Musk, said in a data breach notice filed with Maine’s attorney general that an investigation had found that two former employees leaked over 75,000 individuals’ personal information to […]


Payoro: A Glimmer of Disruption in the Banking Sector

By Owais Sultan

Estonia’s Tallinn, renowned for its medieval aesthetic, is not typically the first name one considers when reflecting upon…

This is a post from HackRead.com. Read the original post: Payoro: A Glimmer of Disruption in the Banking Sector


Webinar Tomorrow: ZTNA Superpowers CISOs Should Know

Join Cloudflare and SecurityWeek for a webinar to discuss “VPN Replacement: Other ZTNA Superpowers CISOs Should Know”

The post Webinar Tomorrow: ZTNA Superpowers CISOs Should Know appeared first on SecurityWeek.


White House Announces AI Cybersecurity Challenge

At Black Hat last week, the White House announced an AI Cyber Challenge. Gizmodo reports:

The new AI cyber challenge (which is being abbreviated “AIxCC”) will have a number of different phases. Interested would-be competitors can now submit their proposals to the Small Business Innovation Research program for evaluation and, eventually, selected teams will participate in a 2024 “qualifying event.” During that event, the top 20 teams will be invited to a semifinal competition at that year’s DEF CON, another large cybersecurity conference, where the field will be further whittled down.

[…]

To secure the top spot in DARPA’s new competition, participants will have to develop security solutions that do some seriously novel stuff. “To win first-place, and a top prize of $4 million, finalists must build a system that can rapidly defend critical infrastructure code from attack,” said Perri Adams, program manager for DARPA’s Information Innovation Office, during a Zoom call with reporters Tuesday. In other words: the government wants software that is capable of identifying and mitigating risks by itself.

This is a great idea. I was a big fan of DARPA’s AI capture-the-flag event in 2016, and am happy to see that DARPA is again inciting research in this area. (China has been doing this every year since 2017.)


Brazilian Hacker Claims Bolsonaro Asked Him to Hack Into the Voting System Ahead of 2022 Vote

A Brazilian hacker claims former president Bolsonaro asked him to hack into the voting system ahead of the 2022 election.

The post Brazilian Hacker Claims Bolsonaro Asked Him to Hack Into the Voting System Ahead of 2022 Vote appeared first on SecurityWeek.


This Malware Turned Thousands of Hacked Windows and macOS PCs into Proxy Servers

Threat actors are leveraging access to malware-infected Windows and macOS machines to deliver a proxy server application and use them as exit nodes to reroute proxy requests. According to AT&T Alien Labs, the unnamed company that offers the proxy service operates more than 400,000 proxy exit nodes, although it's not immediately clear how many of them were co-opted by malware installed on


Flaws in Juniper Switches and Firewalls Can Be Chained for Remote Code Execution

Juniper Networks has released Junos OS updates to address J-Web vulnerabilities that can be combined to achieve unauthenticated, remote code execution.

The post Flaws in Juniper Switches and Firewalls Can Be Chained for Remote Code Execution appeared first on SecurityWeek.


‘Lead’ YouTube Content ID Scammer Sentenced to 46 Months in Prison

After masquerading as legitimate music rightsholders, two men fraudulently extracted over $23 million in revenue from YouTube's Content ID system. The men were indicted in 2021 and subsequently entered guilty pleas. An Arizona court has now sentenced Webster Batista Fernandez, who reportedly initiated the scheme, to 46 months in prison.

From: TF, for the latest news on copyright battles, piracy and more.


Tesla Discloses Data Breach Related to Whistleblower Leak

Tesla has disclosed a data breach impacting 75,000 people, but it’s a result of a whistleblower leak, not a malicious cyberattack.

The post Tesla Discloses Data Breach Related to Whistleblower Leak appeared first on SecurityWeek.


Spoofing an Apple device and tricking users into sharing sensitive data

White hat hackers at the recent Def Con hacking conference demonstrated how to spoof an Apple device and trick users into sharing their sensitive data. As reported by Techcrunch, attendees […]

The post Spoofing an Apple device and tricking users into sharing sensitive data appeared first on Security Affairs.


Israel and US to Invest $3.85 Million in projects for critical infrastructure protection through the BIRD Cyber Program

Israel and US government agencies announced the BIRD Cyber Program, an investment of roughly $4M in projects to enhance the cyber resilience of critical infrastructure. The BIRD Cyber Program is a joint initiative from the Israel National Cyber Directorate (INCD), the Israel-US Binational Industrial Research and Development (BIRD) Foundation, and the US Department of Homeland […]

The post Israel and US to Invest $3.85 Million in projects for critical infrastructure protection through the BIRD Cyber Program appeared first on Security Affairs.


Visibility Is Just Not Enough to Secure Operational Technology Systems

Visibility is just the first step to secure your operational technology environment against today's threats. You need a proactive, defense-in-depth approach.


HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack

The threat actors behind the HiatusRAT malware have returned from their hiatus with a new wave of reconnaissance and targeting activity aimed at Taiwan-based organizations and a U.S. military procurement system. Besides recompiling malware samples for different architectures, the artifacts are said to have been hosted on new virtual private servers (VPSs), Lumen Black Lotus Labs said in a report


CVE-2022-46751: Apache Ivy XML External Entity Injections Vulnerability

Apache Ivy is a popular dependency manager used by many software projects. However, a vulnerability (CVE-2022-46751) in Ivy prior to version 2.5.2 could allow an attacker to inject malicious code into Ivy’s processing of...

The post CVE-2022-46751: Apache Ivy XML External Entity Injections Vulnerability appeared first on Penetration Testing.


DFIR Toolkit: CLI tools for forensic investigation of Windows artifacts

DFIR Toolkit: CLI tools for forensic investigation of Windows artifacts. Overview of timelining tools. Install: cargo install dfir-toolkit. Tools: cleanhive merges logfiles into a hive file; evtx2bodyfile; evtxanalyze analyzes evtx...

The post DFIR Toolkit: CLI tools for forensic investigation of Windows artifacts appeared first on Penetration Testing.


PoC exploit for 0-day Windows Error Reporting Service bug (CVE-2023-36874) releases

Proof-of-concept (PoC) exploit code will be released for a zero-day vulnerability (CVE-2023-36874) allowing privilege escalation in Microsoft Windows. The vulnerability (CVSS score of 7.8) affects the Windows Error Reporting Service (WER), a component that...

The post PoC exploit for 0-day Windows Error Reporting Service bug (CVE-2023-36874) releases appeared first on Penetration Testing.


Feature Interview: How Sandworm prepared Ukraine for a cyber war

In this joint Risky Business and Geopolitics Decanted feature interview, Patrick Gray and Dmitri Alperovitch talk to Illia Vitiuk, the Head of the Department of Cyber and Information Security of the Security Service of Ukraine (SBU) about the cyber dimension to Russia’s invasion.

From turning off Ukraine’s power grid with a cyber attack in 2015 to the Viasat hack in 2022, Russia’s intelligence services are world renowned for executing creative, destructive cyber campaigns. Despite this, after a year and a half of Russia waging war on Ukraine, its power grid is up, its telcos are functioning and its banks are still processing transactions.

How has Ukraine been able to withstand Russia’s onslaught in the cyber domain? Vitiuk joins us to reveal insights into how Russian intelligence services are operating in Ukraine, and how the SBU is countering them.


Overcoming web scraping blocks: Best practices and considerations

By Owais Sultan

At its core, web scraping involves automatically extracting data from websites, enabling individuals and organizations to obtain valuable…

This is a post from HackRead.com. Read the original post: Overcoming web scraping blocks: Best practices and considerations


Hands on with Windows 11's 'never combine' taskbar feature


Windows 11, already a monumental shift in design from its predecessor, continues to evolve.

In its upcoming 23H2 release slated for fall, one of the standout features that has caught the eye of many is the 'never combine mode' for the taskbar.

Windows 10 users will recall the ability to keep icons on the taskbar separate, which can be especially helpful when juggling multiple windows from the same app. The 'never combine' option ensures each window has its own representation on the taskbar without grouping them.

Microsoft removed the 'never combine' mode for the taskbar with Windows 11, but it's finally coming back with version 23H2.

Additionally, enabling this mode has been streamlined for user convenience. The steps are straightforward:

  1. Access Taskbar Settings: Simply right-click on the taskbar. A menu will pop up.
  2. Navigate to Taskbar Behaviors: Select “Taskbar settings” from the pop-up menu.
  3. Adjust Preferences: Under the section labeled “Taskbar behaviors”, find the option that reads “Combine taskbar buttons and hide labels”. From the drop-down menu adjacent to it, select 'never'.

But what if you're a power user with multiple monitors? Microsoft has improved the behaviour and introduced a separate setting dedicated to those who operate in multi-monitor environments. It allows them to choose if they want the 'never combine' feature applied consistently across all taskbars on different screens.

This feature can be particularly useful for those who multitask across various apps and prefer an ungrouped view on their taskbars. It offers more direct access to individual windows and can help enhance productivity by reducing the number of clicks and the time spent searching for the desired window among grouped icons.

In conclusion, it is a reflection of listening to feedback and ensuring that users have the tools to customize their experiences.


N. Korean Kimsuky APT targets S. Korea-US military exercises

North Korea-linked APT group Kimsuky carried out a spear-phishing campaign against US contractors working at the war simulation centre for a joint U.S.-South Korea military exercise. The news was reported by the South Korean police on Sunday; the police also added that […]

The post N. Korean Kimsuky APT targets S. Korea-US military exercises appeared first on Security Affairs.


Cuba ransomware uses Veeam exploit against critical U.S. organizations


The Cuba ransomware gang was observed in attacks targeting critical infrastructure organizations in the United States and IT firms in Latin America, using a combination of old and new tools.

BlackBerry's Threat Research and Intelligence team, which spotted the latest campaign in early June 2023, reports that Cuba now leverages CVE-2023-27532 to steal credentials from configuration files.

The particular flaw impacts Veeam Backup & Replication (VBR) products, and an exploit for it has been available since March 2023.

Previously, WithSecure reported that FIN7, a group with multiple confirmed affiliations with various ransomware operations, was actively exploiting CVE-2023-27532.

Cuba attack details

BlackBerry reports that Cuba's initial access vector appears to be compromised admin credentials via RDP, not involving brute forcing.

Next, Cuba's signature custom downloader 'BugHatch' establishes communication with the C2 server and downloads DLL files or executes commands.

An initial foothold on the target environment is achieved through a Metasploit DNS stager that decrypts and runs shellcode directly in memory.

[Figure: DNS stager query (BlackBerry)]

Cuba utilizes the now-widespread BYOVD (Bring Your Own Vulnerable Driver) technique to turn off endpoint protection tools. Also, it uses the 'BurntCigar' tool to terminate kernel processes associated with security products.

Apart from the Veeam flaw that's relatively recent, Cuba also exploits CVE-2020-1472 ("Zerologon"), a vulnerability in Microsoft's NetLogon protocol, which gives them privilege escalation against AD domain controllers.

[Figure: Zerologon exploit helper (BlackBerry)]

In the post-exploitation phase, Cuba was observed using Cobalt Strike beacons and various "lolbins."

[Figure: Complete attack chain (BlackBerry)]

Cuba still very active

BlackBerry underlines the clear financial motivation of the Cuba ransomware gang and mentions that the threat group is likely Russian, something that has been hypothesized by other cyber-intelligence reports in the past.

This assumption is based on the exclusion of computers that use a Russian keyboard layout from infections, Russian 404 pages on parts of its infrastructure, linguistic clues, and the group's Western-focused targeting.

In conclusion, Cuba ransomware remains an active threat approximately four years into its existence, which isn't common in ransomware.

The inclusion of CVE-2023-27532 in Cuba's targeting scope makes the prompt installation of Veeam security updates extremely important, and once again highlights the risk of delaying updates once PoC (proof-of-concept) exploits are publicly available.


Google Chrome to warn when installed extensions are malware


Google is testing a new feature in the Chrome browser that will warn users when an installed extension has been removed from the Chrome Web Store, usually indicative of it being malware.

An unending supply of unwanted browser extensions is published on the Chrome Web Store and promoted through popup and redirect ads.

These extensions are made by scam companies and threat actors who use them to inject advertisements, track your search history, redirect you to affiliate pages, or in more severe cases, steal your Gmail emails and Facebook accounts.

The problem is that these extensions are churned out quickly, with the developers releasing new ones just as Google removes old ones from the Chrome Web Store.

Unfortunately, if you installed one of these extensions, it will remain installed in your browser even after Google detects it as malware and removes it from the store.

Due to this, Google is now bringing its Safety Check feature to browser extensions, warning Chrome users when an installed extension has been detected as malware or removed from the store, and that it should be uninstalled from the browser.

This feature will go live in Chrome 117, but you can now test it in Chrome 116 by enabling the browser's experimental 'Extensions Module in Safety Check' feature.

To enable the feature, simply copy the Chrome URL, 'chrome://flags/#safety-check-extensions', into the address bar and press enter. You will be brought to the Chrome Flags page with the 'Extensions Module in Safety Check' feature highlighted.

Now set it to enabled and restart the browser when prompted to enable the feature.

[Figure: Google Chrome Safety Check for extensions]

Once enabled, a new option will appear under the 'Privacy and security' settings page that prompts you to review any extensions removed from the Chrome Web Store, as shown below.

[Figure: Safety check for Chrome extensions (Source: Google)]

Clicking this link will bring you to your extension page, listing the removed extensions and why they were removed and prompting you to uninstall them.

[Figure: Potentially malicious extensions removed from Chrome Web Store (Source: Google)]

Google says that extensions can be removed from the Chrome Web Store because they were unpublished by the developer, violated policies, or were detected as malware.

For extensions detected as malware, it is strongly advised that you remove them immediately to not only protect your data but also to prevent your computer from facing future attacks.

For extensions removed for other reasons, it is advised that you remove them as well: they are either no longer supported or violate store policies in ways that, while not strictly malware, are not in the user's interest.

Google has a dedicated Chrome Web Store policies page detailing what content or behavior could lead to an extension being removed from the store.


Libraries Scold Rightsholders’ Attempt to Tweak South Africa’s Copyright Bill

Two of the largest U.S. library associations representing over 100,000 libraries are protesting efforts by large copyright holders to influence foreign copyright law. Specifically, the associations oppose ongoing critique of South Africa's proposed copyright legislation, labeling it bizarre, condescending, and Orwellian.

From: TF, for the latest news on copyright battles, piracy and more.
