Afleveringen
-
We are joined by Yves Younan, Senior Manager, Talos Vulnerability Discovery and Research from Cisco, discussing their work on "How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions." Cisco Talos has uncovered eight vulnerabilities in Microsoft applications for macOS that could allow attackers to exploit the system's permission model by injecting malicious libraries.
By leveraging permissions already granted to these apps, attackers could gain access to sensitive resources like the microphone, camera, and screen recording without user consent. While Microsoft considers these issues low risk and has declined to fix them, the vulnerabilities pose a potential threat to user privacy and security.
The research can be found here:
How multiple vulnerabilities in Microsoft apps for macOS pave the way to stealing permissions
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Jonathan Tanner, Senior Security Researcher from Barracuda, discussing their work on "Stealthy phishing attack uses advanced infostealer for data exfiltration." The recent phishing attack, detailed by Barracuda, uses a sophisticated infostealer malware to exfiltrate a wide array of sensitive data.
The attack begins with a phishing email containing an ISO file with an HTA payload, which downloads and executes obfuscated scripts to extract and transmit browser information, saved files, and credentials to remote servers. This advanced infostealer is notable for its extensive data collection capabilities and complex exfiltration methods, highlighting the increasing sophistication of cyber threats.
The research can be found here:
Stealthy phishing attack uses advanced infostealer for data exfiltration
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Zijn er afleveringen die ontbreken?
-
Alex Delamotte, Threat Researcher from SentinelOne Labs, joins to share their work on "Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials." SentinelOne’s Labs team has uncovered new research on Xeon Sender, a cloud hacktool used to launch SMS spam attacks via legitimate APIs like Amazon SNS.
First seen in 2022, this tool has been repurposed by multiple threat actors and distributed on underground forums, highlighting the ongoing trend of SMS spam through cloud services and SaaS.
The research can be found here:
Xeon Sender | SMS Spam Shipping Multi-Tool Targeting SaaS Credentials
Learn more about your ad choices. Visit megaphone.fm/adchoices -
This week, N2K's very own Brandon Karpf sits down with Kevin Lentz, Team Leader of the Cyber Pacific Project at the Global Disinformation Lab, and they discuss the recent threatcasting report "Cyber Competition in the Indo-Pacific Gray Zone 2035." This report, developed using the Threatcasting Method, examines how the U.S. and Indo-Pacific allies can coordinate their cyber defense efforts in response to future competition with China.
It presents findings, trends, and recommendations based on twenty-five scenarios simulated by a cross-functional group of experts to anticipate and address emerging threats over the next decade.
The research can be found here:
Cyber Competition in the Indo-Pacific Gray Zone 2035
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Tim Peck, a Senior Threat Researcher at Securonix, is discussing their work on "Threat actors behind the DEV#POPPER campaign have retooled and are continuing to target software developers via social engineering." The DEV#POPPER campaign continues to evolve, now targeting developers with malware capable of operating on Linux, Windows, and macOS systems.
The threat actors, believed to be North Korean, employ sophisticated social engineering tactics, such as fake job interviews, to deliver stealthy malware that gathers sensitive information, including browser credentials and system data.
The research can be found here:
Research Update: Threat Actors Behind the DEV#POPPER Campaign Have Retooled and are Continuing to Target Software Developers via Social Engineering
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Robert Duncan, VP of Product Strategy from Netcraft, is discussing their work on "Mule-as-a-Service Infrastructure Exposed." Netcraft's new threat intelligence reveals the intricate connections within global fraud networks, showing how criminals use specialized services like Mule-as-a-Service (MaaS) to launder scam proceeds.
By mapping the cyber and financial infrastructure, including bank accounts, crypto wallets, and phone numbers, Netcraft exposes how different scams are interconnected and identifies weak points that can be targeted to disrupt these operations. This insight provides an opportunity to prevent fraud and protect against financial crimes like pig butchering, investment scams, and romance fraud.
The research can be found here:
Mule-as-a-Service Infrastructure Exposed
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Snir Ben Shimol from ZEST Security on their work, "How we hacked a cloud production environment by exploiting Terraform providers." In this blog, ZEST discusses the security risks associated with Terraform providers, particularly those from community sources.
The research highlights the importance of carefully vetting providers, regular scanning, and following best practices like version pinning to mitigate potential vulnerabilities in cloud infrastructure management.
The research can be found here:
The hidden risks of Terraform providers
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Shachar Menashe, Senior Director of Security Research at JFrog, is talking about "When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI." A security vulnerability in the Vanna.AI tool, called CVE-2024-5565, allows hackers to exploit large language models (LLMs) by manipulating user input to execute malicious code, a method known as prompt injection.
This poses a significant risk when LLMs are connected to critical functions, highlighting the need for stronger security measures.
The research can be found here:
When Prompts Go Rogue: Analyzing a Prompt Injection Code Execution in Vanna.AI
Learn more about your ad choices. Visit megaphone.fm/adchoices -
This week, we are joined by Jason Baker, Senior Threat Consultant at GuidePoint Security, and he is discussing their work on "Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider." In early 2024, a current RansomHub RaaS affiliate was identified as a former Alphv/Black Cat affiliate and is believed to be linked to the Scattered Spider group, known for using overlapping tools, tactics, and victims.
The high-confidence assessment by GuidePoint’s DFIR and GRIT teams is supported by the consistent use of tools like ngrok and Tailscale, social engineering tactics, and systematic playbooks in intrusions.
The research can be found here:
Worldwide Web: An Analysis of Tactics and Techniques Attributed to Scattered Spider
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Dick O'Brien from Symantec Threat Hunter team is talking about their work on "Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day." Also going to provide some background/history on Black Basta. CVE-2024-26169 in the Windows Error Reporting Service, patched on March 12, 2024, allowed privilege escalation.
Despite initial claims of no active exploitation, recent analysis indicates it may have been exploited as a zero-day before the patch.
The research can be found here:
Ransomware Attackers May Have Used Privilege Escalation Vulnerability as Zero-day
Learn more about your ad choices. Visit megaphone.fm/adchoices -
This week, we are joined by Selena Larson, Staff Threat Researcher, Lead Intelligence Analysis and Strategy at Proofpoint, as well as host of the "Only Malware in the Building" podcast, as she is discussing their research on "Scammers Create Fraudulent Olympics Ticketing Websites." Proofpoint recently identified a fraudulent website selling fake tickets to the Paris 2024 Summer Olympics and quickly suspended the domain.
This site was among many identified by the French Gendarmerie Nationale and Olympics partners, who have shut down 51 of 338 fraudulent websites, with 140 receiving formal notices from law enforcement.
The research can be found here:
Security Brief: Scammers Create Fraudulent Olympics Ticketing Websites
Learn more about your ad choices. Visit megaphone.fm/adchoices -
This week, we are joined by Asheer Malhotra and Vitor Ventura from Cisco Talos, and they are discussing "Operation Celestial Force employs mobile and desktop malware to target Indian entities." Cisco Talos revealed Operation Celestial Force, an espionage campaign by the Pakistani threat group "Cosmic Leopard," targeting Indian defense, government, and technology sectors.
Active for at least six years, the operation has recently increased its use of mobile malware and commercial spyware for surveillance.
The research can be found here:
Operation Celestial Force employs mobile and desktop malware to target Indian entities
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs.
The research states that "the email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review." Proofpoint shares it's findings and what you can expect from the threat group.
The research can be found here:
Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Ismael Valenzuela, Vice President Threat Research & Intelligence, from Blackberry Threat Research and Intelligence team is discussing their work on "Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages." BlackBerry has identified Transparent Tribe (APT36), a Pakistani-based advanced persistent threat group, targeting India's government, defense, and aerospace sectors from late 2023 to April 2024, using evolving toolkits and exploiting web services like Telegram and Google Drive.
Evidence such as time zone settings and spear-phishing emails with Pakistani IP addresses supports their attribution, suggesting alignment with Pakistan's interests.
The research can be found here:
Transparent Tribe Targets Indian Government, Defense, and Aerospace Sectors Leveraging Cross-Platform Programming Languages
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Kerri Shafer-Page from Arctic Wolf joins us to discuss their work on "Lost in the Fog: A New Ransomware Threat." Starting in early May, Arctic Wolf's Incident Response team investigated Fog ransomware attacks on US education and recreation sectors, where attackers exploited compromised VPN credentials to access systems, disable Windows Defender, encrypt files, and delete backups.
Despite the uniformity in ransomware payloads and ransom notes, the organizational structure of the responsible groups remains unknown.
The research can be found here:
Lost in the Fog: A New Ransomware Threat
Learn more about your ad choices. Visit megaphone.fm/adchoices -
This week, we are joined by a Security Researcher from SpyCloud Labs, James, who is discussing their work on "Unpacking Infostealer Malware: What we’ve learned from reverse engineering LummaC2 and Atomic macOS Stealer." Infostealer malware has become highly prevalent, with SpyCloud tracking over 50 families and finding that 1 in 5 digital identities are at risk.
This research analyzes the workings and intentions behind infostealers like LummaC2 and Atomic macOS Stealer, focusing on the types of data extracted and the broader security implications.
The research can be found here:
Reversing LummaC2 4.0: Updates, Bug Fixes
Reversing Atomic macOS Stealer: Binaries, Backdoors & Browser Theft
How the Threat Actors at SpaxMedia Distribute Malware Globally
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Jérôme Segura, Senior Director of Threat Intelligence at Malwarebytes, is discussing their work on "Threat actors ride the hype for newly released Arc browser." The Arc browser, newly released for Windows, has quickly garnered positive reviews but has also attracted cybercriminals who are using deceptive Google search ads to distribute malware disguised as the browser.
These malicious campaigns exploit the hype around Arc, using techniques like embedding malware in image files and utilizing the MEGA cloud platform for command and control, highlighting the need for caution with sponsored search results and the effectiveness of Endpoint Detection and Response (EDR) systems.
The research can be found here:
Threat actors ride the hype for newly released Arc browser
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Amit Malik, Director of Threat Research at Uptycs, is sharing their work on "New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware." The Uptycs Threat Research Team has discovered a large-scale Log4j campaign involving over 1700 IPs, aiming to deploy XMRig cryptominer malware.
This ongoing operation was initially detected through the team's honeypot collection, prompting an in-depth analysis of the campaign. The research says "The JNDI plugin is particularly useful to attackers because it allows them not only to fetch the values of environment variables in the target system but also to freely define the URL and protocol resource for the JNDI network connection."
The research can be found here:
New Threat Detected: Inside Our Discovery of the Log4j Campaign and Its XMRig Malware
Learn more about your ad choices. Visit megaphone.fm/adchoices -
Jon DiMaggio, a Chief Security Strategist at Analyst1, is sharing his work on "Ransomware Diaries Volume 5: Unmasking LockBit." On February 19, 2024, the National Crime Agency (NCA), a UK sovereign law enforcement agency, in collaboration with the FBI, Europol, and nine other countries under "Operation Cronos," disrupted the LockBit ransomware gang’s data leak site used for shaming, extorting, and leaking victim data.
The NCA greeted visitors to LockBit’s dark web leak site with a seizure banner, revealing they had been controlling LockBit’s infrastructure for some time, collecting information, acquiring victim decryption keys, and even compromising the new ransomware payload intended for LockBit 4.0.
The research can be found here:
Ransomware Diaries Volume 5: Unmasking LockBit
Learn more about your ad choices. Visit megaphone.fm/adchoices -
This week, we are joined by Hosein Yavarzadeh from the University of California San Diego, as he is discussing his work on "Pathfinder: High-Resolution Control-Flow Attacks Exploiting the Conditional Branch Predictor" This paper introduces new methods that let attackers read from and write to specific parts of high-performance CPUs, such as the path history register (PHR) and prediction history tables (PHTs).
These methods allow two main types of attacks. One can reveal a program's control flow history, as shown by recovering a secret image through the libjpeg routines. The other enables detailed transient attacks, demonstrated by extracting an AES encryption key, highlighting significant security risks for these systems.
The research can be found here:
Graph: Growing number of threats leveraging Microsoft API
Learn more about your ad choices. Visit megaphone.fm/adchoices - Laat meer zien