Netsec
!netsec


A group allegedly backed by China has attacked a certificate authority in Asia, as well as multiple government agencies within the region since March, according to a new report from Symantec. The researchers pointed the blame at a group dubbed Billbug, an advanced persistent threat (APT) group active since at least 2009. Other researchers have identified the group as Lotus Blossom and Thrip. Symantec Threat Hunter Team Senior Intelligence Analyst Brigid Gorman told The Record that the attack on the certificate authority was especially alarming. If the attackers were successful in compromising it, they could use that access to sign malware with a valid certificate, which would allow them to avoid detection on devices. “It could also potentially use compromised certificates to intercept HTTPS traffic,” Gorman said.

The story of how I could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP.



SHA-3 Buffer Overflow
Over the past few months, I’ve been coordinating the disclosure of a new vulnerability that I’ve found. Today is the disclosure date, so I am excited that I can finally talk about what I’ve been working on! The vulnerability has been assigned [CVE-2022-37454](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-37454) and the security advisory is available [here](https://github.com/XKCP/XKCP/security/advisories/GHSA-6w4m-2xhg-2658). The vulnerability impacts the eXtended Keccak Code Package (XKCP), which is the “official” SHA-3 implementation by its designers. It also impacts various projects that have incorporated this code, such as the Python and PHP scripting languages.

A brief and informal analysis of F-Droid security
F-Droid is a popular alternative app repository for Android, especially known for its main repository dedicated to free and open-source software. F-Droid is often recommended among security and privacy enthusiasts, but how does it stack up against Play Store in practice? This write-up will attempt to emphasize major security issues with F-Droid that you should consider.

Earlier today, Oct. 2, Kyiv Post was contacted by hackers who identified themselves as part of the National Republican Army (NRA). As Kyiv Post has reported before, the NRA is an organization of Russian citizens seeking the overthrow of the Putin Government. The NRA hackers explained to Kyiv Post that they had executed an advanced ransomware attack on the network of Unisoftware, a Russian software development company known for the development and implementation of web applications, desktop systems, cloud, and API solutions. While communicating with Kyiv Post, the NRA member stated that their primary motivation was “Putin needlessly sending our young men to die in an unjust war waged against Ukraine that has resulted in the slaughter of innocent civilians, including women and children.” Proof of their work provided by the hackers corroborated what the NRA member told Kyiv Post: screenshots of the ransomware attack, identified clearly by the extension .t73 on several of the files, as well as the standard decryption instructions file produced on the machines. The NRA hackers claimed to have stolen copies of all of Unisoftware’s data, including but not limited to: credentials for bank accounts and personal accounts, sensitive employee information, phone numbers, addresses, contracts, and proprietary code for Unisoftware’s clients and software. The group has threatened to release the data and all obtained information if not paid promptly by Unisoftware.

>I tried to include primarily articles and readable guides, such as those published by madaidan. Also, I mostly tried to include some lesser-known articles. There are tons of security guides online and I do not want to simply recycle one of those. Some of the content, such as the articles about VPNs, is perhaps not going to be of interest to most of the readers of this site. Most of the older content is still relevant.

Judging from screenshots leaked onto Twitter, though, an intruder has compromised Uber's AWS cloud account and its resources at the administrative level; gained admin control over the corporate Slack workspace as well as its Google G Suite account that has over 1PB of storage in use; has control over Uber's VMware vSphere deployment and virtual machines; access to internal finance data, such as corporate expenses; and more. Infosec watcher Corben Leo, meanwhile, said he spoke to the miscreant responsible for this mess, and was told an employee was socially engineered to gain access to Uber's VPN, through which the intruder scanned the network, found a PowerShell script containing the hardcoded credentials for an administrator user, which were then used to unlock access to all of Uber's internal cloud and software-as-a-service resources, among other things. After that, everything was at the intruder's fingertips, allegedly. From an Uber employee: >Feel free to share but please don’t credit me: at Uber, we got an “URGENT” email from IT security saying to stop using Slack. Now anytime I request a website, I am taken to a REDACTED page with a pornographic image and the message “F*** you wankers.”

LastPass data breach: threat actors stole a portion of source code
To All LastPass Customers, I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community. Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults. We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.

The threat actor behind the attacks on Twilio and Cloudflare earlier this month has been linked to a broader phishing campaign aimed at 136 organizations that resulted in a cumulative compromise of 9,931 accounts. The activity has been codenamed 0ktapus by Group-IB because the initial goal of the attacks was to "obtain Okta identity credentials and two-factor authentication (2FA) codes from users of the targeted organizations." Calling the attacks well designed and executed, the Singapore-headquartered company said the adversary singled out employees of companies that are customers of identity services provider Okta.

netsec is a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise — to provide value to security practitioners, students, researchers, and hackers everywhere.

Rules

  1. Follow the golden rule, do unto others as you would have done unto you
  2. Smut, Porn, Gore etc. will result in Ban without warning
  3. No Spamming, Trolling or Unsolicited Ads (There are marketplaces in matrix and telegram you can use)
  4. Stay on topic in a community. If you would like a new community made, reach out to an admin and the creation of a net new community can be discussed.