
Kaspersky Replaces Itself 🦠, Learning AWS GuardDuty 👮‍♂️, Tor & Tails OS merge 🤝

Kaspersky users were shocked to discover that the antivirus software was abruptly removed from systems and replaced with UltraAV and/or UltraVPN 


TLDR Information Security 2024-09-27

Protect Sensitive Content with Content-Defined Zero Trust (Sponsor)

High-profile data leaks and cyberattacks are a constant reminder that processing, storing, sending, or receiving sensitive content is always a risk.

How can you give trusted parties access to sensitive content, without putting the business at risk?

The Kiteworks Private Content Network enables organizations to share sensitive content at the highest levels of security, governance, and compliance. It works across different communication channels: email, file sharing, file transfer, and more.

With Kiteworks, you can secure all your content communications, wherever they live — in the cloud, on premises, or FedRAMP. Learn how it works

🔓 Attacks & Vulnerabilities

One-Third of the U.S. Population's Background Info is Now Public (2 minute read)

Cybernews has uncovered an Internet-accessible, passwordless database belonging to MC2 Data, a background check firm. The 2.2TB database contains information on over 100M US citizens as well as the data of the 2.3M users who subscribed to MC2 Data. The exposed data includes extensive personal information.

Kaspersky Deletes Itself, Installs UltraAV Antivirus Without Warning (3 minute read)

Many Kaspersky users were shocked to discover that the antivirus software was abruptly removed from their systems and replaced with UltraAV and/or UltraVPN based on their plan. Kaspersky announced that it would be shuttering its business in the U.S. due to a sales and distribution ban. It informed customers via email on September 5 that Pango Group, which owns UltraAV, would provide customers with continued protection, but did not mention the forced installations.

Fake WalletConnect app on Google Play steals Android users' crypto (2 minute read)

A fake app called WallConnect mimicked the legitimate WalletConnect project on Google Play, tricking over 10,000 users into downloading it. Once installed, the app led users to a malicious website where they were tricked into authorizing transactions, resulting in the theft of sensitive wallet information and digital assets totaling over $70,000 from 150 victims.

🧠 Strategies & Tactics

CloudImposer: Executing Code on Millions of Google Servers with a Single Malicious Package (14 minute read)

Tenable discovered a vulnerability affecting GCP Cloud Composer that could allow RCE via a dependency confusion attack. GCP's documentation suggests that customers use the --extra-index-url argument when installing PyPI packages from a private repository, and Google followed this guidance internally as well. Tenable researchers found that when a package with the same name exists in both a public and a private repository, pip will prioritize the higher-versioned package, whether private or public, and will prioritize the public repository if the package version is pinned. This allowed Tenable to identify a package used by Cloud Composer that did not exist on public PyPI and register it themselves, which could have led to RCE if done maliciously. Google has remediated the issue by switching to the --index-url argument.
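The resolution behaviour described above, modelled in an added example (this is not Tenable's code or Google's configuration): two constructed package indexes, the selection rule the article attributes to pip under --extra-index-url versus --index-url, and an audit function that lists which private package names would end up being served from the public index. The package name "composer-internal-lib" and all version numbers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed inventory of what each index serves (assumption, not real PyPI data).
# Equivalent pip.conf settings for the two configurations the article contrasts:
#   weak:   [global] extra-index-url = https://private.example/simple  (public PyPI still consulted)
#   fixed:  [global] index-url       = https://private.example/simple  (private index only)
PRIVATE_INDEX = {"composer-internal-lib": ["1.2.0"], "requests": ["2.31.0"]}
PUBLIC_INDEX = {"composer-internal-lib": ["99.0.0"], "requests": ["2.31.0", "2.32.0"]}


@dataclass(frozen=True)
class Pick:
    name: str
    version: str
    index: str  # "private" or "public"


def _vkey(version: str) -> tuple:
    """Order dotted versions numerically (1.10.0 > 1.9.0)."""
    return tuple(int(part) for part in version.split("."))


def resolve(name: str, pin: Optional[str], extra_index_url: bool) -> Optional[Pick]:
    """Model of the selection rule the article describes.

    With --extra-index-url both indexes are consulted: the highest version wins
    regardless of source, and a pinned version present in both is taken from the
    public index. With --index-url only the private index is consulted.
    """
    pool = [Pick(name, v, "private") for v in PRIVATE_INDEX.get(name, [])]
    if extra_index_url:
        pool += [Pick(name, v, "public") for v in PUBLIC_INDEX.get(name, [])]
    if pin is not None:
        pool = [p for p in pool if p.version == pin]
        pool.sort(key=lambda p: p.index != "public")  # public first, per the article
        return pool[0] if pool else None
    pool.sort(key=lambda p: _vkey(p.version), reverse=True)
    return pool[0] if pool else None


def audit(requirements: dict, extra_index_url: bool) -> list:
    """Names that are meant to come from the private index but would be served publicly."""
    exposed = []
    for name, pin in requirements.items():
        pick = resolve(name, pin, extra_index_url)
        if name in PRIVATE_INDEX and pick is not None and pick.index == "public":
            exposed.append(name)
    return exposed
```

Running audit over a requirements set once with extra_index_url=True and once with False shows the same requirements moving from "served by whoever registered the name on public PyPI" to "served only by the private index".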

Get to Know Amazon GuardDuty Runtime Monitoring for Amazon EC2 (8 minute read)

Amazon has expanded GuardDuty's capabilities by adding a security agent that can collect runtime metrics for EC2 instances. GuardDuty uses the agent to monitor system commands and arguments and uses event correlation to surface findings in 5 new finding types. AWS recommends using these findings in an event-driven architecture to be able to rapidly respond to findings and potential compromise. This blog post walks through sample scenarios and details deployment strategies.

The FIPS Compliance of HKDF (8 minute read)

HKDF is a key-derivation function for cryptographic use, specified in RFC 5869. It can be FIPS-compliant for key agreement and for general-purpose key derivation when it follows the specific guidelines outlined in various NIST standards. HKDF-Extract combines keys and data into a pseudorandom key, while HKDF-Expand serves as a general-purpose key-derivation function.

🧑‍💻 Launches & Tools

AI in compliance: from gimmick to value (Sponsor)

Trustero's patented AI suite unlocks superpowers for GRC teams. To see it in action, watch the GRC leaders on-demand session: Unlocking the Real Value of AI in Compliance. Prefer to work hands-on? Try Trustero's AI questionnaire automation, AI audits, and the AI report scanner — start free with 2x the AI credits.

CloudShovel (GitHub Repo)

CloudShovel is a tool that scans public or private AMIs for sensitive files and secrets.

hidden-services-revealer (GitHub Repo)

Jenganizer is a tool that maps hidden services in AWS. It does this by following the triggered events of users' actions. When a user performs an action in AWS, it can trigger other events in other services. By following these events, users can identify services that are indirectly deployed by their actions.

Monocle (GitHub Repo)

Monocle is a tool that uses a large language model to search compiled binaries for specific code like encryption or vulnerabilities. It provides live tracking of analyzed functions and their scores based on search criteria.

🎁 Miscellaneous

AWS WAF Bot Control Managed Rule Group Expands Bot Detection Capabilities (2 minute read)

AWS' WAF team announced a set of enhancements to the bot control managed rule group. AWS added token reuse detection across ASNs and geographic locations with customizable sensitivity levels. It also added new bot categories, labels for cloud service providers, and labels for automated browser extensions such as Selenium IDE. WAF labels will be emitted in CloudWatch logs for each rule to enhance visibility.

Microsoft's Largest Ever Security Transformation Detailed in New Report (3 minute read)

In the wake of years of lackluster security performance, Microsoft CEO Satya Nadella announced that security would be the company's number one priority. To this end, Microsoft announced the Secure Future Initiative at the end of 2023 and has now provided an update on actions that they have taken. Microsoft took sweeping actions to improve security such as including security in employees' performance evaluations, making updates to its Entra ID and MSA systems, making updates to its CVE processes, tracking over 99% of its physical network, and reducing internal access privileges.

The Russian APT Tool Matrix (3 minute read)

The Russian APT Tool Matrix project focuses on tools commonly used by Russian APT groups for intrusions. Defenders can enhance their proactive defense strategies against Russian threat actors by identifying key tools and patterns. This repository highlights the use of specific tools like Mimikatz and Impacket by multiple Russian threat groups.

Quick Links

AWS Launches VDP (1 minute read)

AWS has launched a new Vulnerability Disclosure Program on HackerOne.

House panel moves bill that adds AI systems to National Vulnerability Database (3 minute read)

A House committee approved a bill to include AI systems in the National Vulnerability Database for tracking cybersecurity vulnerabilities.

Tails OS merges with Tor Project for better privacy, security (2 minute read)

Tails OS and the Tor Project are joining forces to enhance internet privacy and security by protecting users from surveillance and censorship.


Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile
