
SmartTube Breach 🎥, Shai Hulud 2.0 Analysis 🐛, Fake Cyber Monday Shopping Sites 🛍️


TLDR

Together With Adaptive Security

TLDR Information Security 2025-12-02

When your CEO calls, will you know it's real? (Sponsor)

Today's phishing attacks involve AI-generated voices, videos, and interactive deepfakes of company executives. They fool 99% of people.

Adaptive Security - backed by $65M+ in funding from OpenAI and a16z - is the first security awareness platform built to stop AI-powered social engineering. Adaptive trains your team with tools that stay one step ahead:

  • Deepfake attack simulations featuring your real executives in realistic attack scenarios
  • Interactive, personalized training content tailored for each employee
  • AI-driven risk scoring that reveals what attackers can learn from your public data

>> Book a demo and chat with a custom interactive deepfake of your CEO

>> Take a tour of the platform (3 minutes)

🔓 Attacks & Vulnerabilities

Privilege escalation with SageMaker and there's more hiding in execution roles (10 minute read)

Privilege escalation flaws have been discovered in AWS SageMaker. Attackers with specific permissions can inject malicious code via lifecycle configurations, mimicking EC2 user data escalation and affecting Lambda and CloudFormation. It is important to detect stop-modify-start sequences in CloudTrail and implement strict access controls.
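One way to hunt for the stop-modify-start pattern in CloudTrail, as an added example that is not from the article or from AWS: it groups notebook-instance events per instance and raises a finding when a Stop, an UpdateNotebookInstance that sets lifecycleConfigName, and a Start occur in that order within a time window. The records are constructed, and the camelCase requestParameters field names are assumed to match how CloudTrail renders the SageMaker API.

```python
"""Hunt for stop -> modify -> start sequences on SageMaker notebook instances in
CloudTrail, the pattern the article flags for lifecycle-config abuse.
Added example; the records below are constructed and trimmed to needed fields."""
from collections import defaultdict
from datetime import datetime, timedelta

def _event(time, name, arn, notebook, **extra):
    # Helper to build a constructed, minimal CloudTrail record.
    return {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
            "requestParameters": {"notebookInstanceName": notebook, **extra}}

ALICE = "arn:aws:iam::123456789012:user/dev-alice"   # constructed principal
OPS = "arn:aws:iam::123456789012:role/ops-restart"   # constructed principal
SAMPLE_EVENTS = [
    # Suspicious: stop, attach a new lifecycle config, start, all within minutes.
    _event("2025-12-01T10:00:00Z", "StopNotebookInstance", ALICE, "analytics-nb"),
    _event("2025-12-01T10:02:00Z", "UpdateNotebookInstance", ALICE, "analytics-nb",
           lifecycleConfigName="lcc-injected"),
    _event("2025-12-01T10:03:00Z", "StartNotebookInstance", ALICE, "analytics-nb"),
    # Benign: a plain restart with no lifecycle-config change must not alert.
    _event("2025-12-01T11:00:00Z", "StopNotebookInstance", OPS, "ops-nb"),
    _event("2025-12-01T11:05:00Z", "StartNotebookInstance", OPS, "ops-nb"),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_stop_modify_start(events, window_minutes=30):
    """Return one finding per notebook whose Stop, lifecycle-config Update and
    Start occur in that order within window_minutes of the Stop."""
    per_notebook = defaultdict(list)
    for e in sorted(events, key=lambda e: e["eventTime"]):  # ISO times sort as text
        name = e.get("requestParameters", {}).get("notebookInstanceName")
        if name:
            per_notebook[name].append(e)
    findings = []
    for notebook, evs in per_notebook.items():
        stopped_at, update = None, None  # simple per-notebook state machine
        for e in evs:
            kind, params = e["eventName"], e["requestParameters"]
            if kind == "StopNotebookInstance":
                stopped_at, update = _ts(e["eventTime"]), None
            elif kind == "UpdateNotebookInstance" and stopped_at and "lifecycleConfigName" in params:
                update = (e["userIdentity"]["arn"], params["lifecycleConfigName"])
            elif kind == "StartNotebookInstance" and stopped_at and update:
                if _ts(e["eventTime"]) - stopped_at <= timedelta(minutes=window_minutes):
                    findings.append({"notebook": notebook, "principal": update[0],
                                     "lifecycle_config": update[1],
                                     "started_at": e["eventTime"]})
                stopped_at, update = None, None
    return findings
```

The same state machine applies to the EC2 analogue the article mentions (StopInstances, ModifyInstanceAttribute on userData, StartInstances) by swapping the event names and parameter key.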

Top South Korean e-commerce firm Coupang apologises over massive data breach (2 minute read)

South Korean e-commerce giant Coupang disclosed unauthorized access, carried out from overseas servers beginning June 24, that affected 33.7 million customer accounts and exposed names, email addresses, phone numbers, shipping addresses, and order histories. Authorities are investigating a suspected Chinese former employee, and the government is examining potential personal information protection violations. This is the country's worst data breach in over a decade.

SmartTube YouTube App for Android TV Breached to Push Malicious Update (2 minute read)

The popular open-source SmartTube YouTube client for Android TV, which provides ad blocking and runs well on low-powered devices, was compromised after an attacker gained access to the developer's signing keys. The compromise was detected when multiple users reported that Play Protect blocked SmartTube. The app developer confirmed that his digital keys were compromised and stated that he had revoked the old signature and would publish a new version with a separate app ID.

🧠 Strategies & Tactics

Bind Link – EDR Tampering (11 minute read)

Threat actors can abuse Windows 11's Bind Link API through the bindflt.sys driver to redirect EDR installation folders to attacker-controlled directories, enabling DLL hijacking and code execution under EDR context. The EDR-Redir proof of concept uses LoadLibraryW to load bindfltapi.dll and CreateDirectoryW to create transparent folder mappings between virtual and backing paths. CrowdStrike, SentinelOne, and Carbon Black have implemented BindFlt monitoring, while Microsoft Defender for Endpoint remains vulnerable. Security teams should deploy Sysmon Event ID 7 monitoring for bindfltapi.dll image load events, validate whether legitimate bind link usage exists in their environment to reduce false positives, and investigate EDR vendor support for bindflt driver activity detection.
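An added example, not from the article or from any EDR vendor, of triaging Sysmon Event ID 7 records for bindfltapi.dll image loads: it skips a tunable allowlist of processes validated as legitimate bind link users and rates loads from outside the Windows directory higher. The records are constructed and KNOWN_BIND_LINK_USERS is a placeholder.

```python
"""Triage Sysmon Event ID 7 (image load) records for bindfltapi.dll loads, the
hunting lead the article gives for bind link abuse. Added example: the records
are constructed and KNOWN_BIND_LINK_USERS is a placeholder to tune per environment."""
from pathlib import PureWindowsPath

# Processes confirmed to use bind links legitimately in your environment; empty
# until validated, so every load alerts (the article advises checking this first).
KNOWN_BIND_LINK_USERS = set()

def _load(image, loaded, user):
    # Helper to build a constructed, minimal Sysmon Event ID 7 record.
    return {"EventID": 7, "Image": image, "ImageLoaded": loaded, "User": user}

SYS32 = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    _load(SYS32 + "svchost.exe", SYS32 + "bindfltapi.dll", "NT AUTHORITY\\SYSTEM"),
    _load("C:\\Users\\bob\\Downloads\\updater.exe", SYS32 + "bindfltapi.dll", "WS01\\bob"),
    _load("C:\\Users\\bob\\Downloads\\updater.exe", SYS32 + "kernel32.dll", "WS01\\bob"),
    {"EventID": 1, "Image": "C:\\Users\\bob\\Downloads\\updater.exe"},  # not an image load
]

def is_bindflt_load(event):
    """True for an image-load event whose loaded module is bindfltapi.dll."""
    if event.get("EventID") != 7:
        return False
    return PureWindowsPath(event.get("ImageLoaded", "")).name.lower() == "bindfltapi.dll"

def triage(events, allowlist=None):
    """Return alerts for bindfltapi.dll loads by processes outside the allowlist.
    Loads from outside C:\\Windows are rated high: a user-writable path loading
    the bind link API is the least likely to have a legitimate explanation."""
    source = allowlist if allowlist is not None else KNOWN_BIND_LINK_USERS
    allowed = {p.lower() for p in source}
    alerts = []
    for e in events:
        if not is_bindflt_load(e):
            continue
        image = e["Image"]
        if image.lower() in allowed:
            continue
        in_windows_dir = image.lower().startswith("c:\\windows\\")
        alerts.append({"image": image, "user": e.get("User"),
                       "severity": "medium" if in_windows_dir else "high"})
    return alerts
```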

Start Using Windows Autopatch (2 minute read)

Microsoft Intune provides an endpoint management suite for Windows devices. Windows Autopatch is built into Intune and lets administrators define deployment groups so that updates roll out gradually across an organization. Administrators can also configure hotpatching on devices to speed up compliance.

Shai Hulud 2.0: Analysis and Community Resources (9 minute read)

Shai Hulud 2.0 is a large-scale software supply chain attack that compromised many popular npm packages, including ones tied to services like Zapier, ENS Domains, PostHog, and Postman, in order to steal secrets and establish remote code execution via GitHub runners. Defenders are advised to use published IOCs and scanners to identify infected packages and leftover malware files, treat any secrets on affected machines as compromised, and rotate or revoke them.

🧑‍💻 Launches & Tools

Special offer for TLDR readers: $200 off Zero Trust World 2026 with code ZTWTLDR26 (Sponsor)

ThreatLocker's annual Zero Trust World is the most interactive, hands-on cybersecurity learning event. Join hacking labs, become Cyber Hero certified, and attend sessions led by cybersecurity, IT, and business experts.

👀 TLDR readers get $200 off all-access registration. That's 33% less than the list price

🎓 Registration includes all sessions and labs (including CPE-eligible sessions!) 

🍹At Zero Trust World, all access really means all access, so meals and the afterparty are included with each pass. 

Use code ZTWTLDR26 for $200 off your all-access pass

Guilty-As-Yara (GitHub Repo)

Guilty-As-Yara is a Rust-based tool that generates Windows PE executables containing byte patterns designed to trigger YARA rule matches, for validating rules.

R2frida (GitHub Repo)

r2frida is a radare2 plugin that bundles Frida to instrument and analyze local or remote processes via r2 commands and scripts.

🎁 Miscellaneous

Tomiris Shifts to Public-Service Implants for Stealthier C2 in Attacks on Government Targets (4 minute read)

Tomiris is a Kazakhstan-linked threat actor that uses Telegram and Discord as command-and-control infrastructure while targeting foreign ministries and government entities across Russia and Central Asia through spear-phishing campaigns. The attacks deploy multi-language malware, including Rust-based downloaders, Python-based backdoors like Distopia, and custom implants. Over 50% of lures use Russian-language content, and routing C2 through public services blends malicious traffic with legitimate service activity. Security teams should monitor for unusual Telegram and Discord API traffic patterns, implement application control policies that restrict execution from archive files, and deploy behavioral detection for the Windows Registry persistence mechanisms associated with these custom implant families.

AWS pre:Invent Security Highlights: What Changed and Why it Matters (5 minute read)

AWS has added a new CLI command, `aws login`, which allows users to obtain short-lived credentials for AWS even if the account isn't configured with IAM Identity Center. AWS IAM Outbound Identity Federation now allows AWS users or services to request a short-lived JWT for external services that trust your AWS account, which can replace the use of hardcoded, long-term credentials or API keys in Lambda or EC2. AWS has also enabled Attribute-Based Access Control (ABAC) for S3, which allows users to define access permissions to S3 using tags instead of listing every bucket in an IAM policy.

Purple Team Maturity Model: From Chaos to Controlled Chaos (4 minute read)

Organizations that wish to start with purple teaming can begin by defining a purple team strategy with loosely scheduled sessions, referencing MITRE ATT&CK tactics in testing, and feeding early detection gaps into detection engineering. Teams can then introduce metrics as they mature, begin using more structured purple team exercises, and map red team TTPs more closely to MITRE ATT&CK tactics and threat intel. As teams further mature, they can introduce automated adversary emulation. Eventually, purple teaming can be driven by threat intel, continuously run fully automated attack chains, and integrate machine learning, SOAR, and XDR to power rapid detection and response.

Quick Links

Train your entire organization with Infosec IQ & Infosec Skills (Sponsor)

Unlock on-demand cybersecurity ranges and labs for your technical team with any new Infosec IQ security awareness training contract. Act now to get your 3 free Infosec Skills seats.

North Korean Hackers Deploy 197 npm Packages to Spread Updated OtterCookie Malware (4 minute read)

North Korean threat actors deployed 197 malicious npm packages downloaded over 31,000 times as part of the Contagious Interview campaign.

Over 2,000 Fake Shopping Sites Spotted Before Cyber Monday (3 minute read)

CloudSEK discovered over 2,000 interconnected fake shopping sites targeting Black Friday and Cyber Monday shoppers through coordinated phishing campaigns.

European cops shut down crypto mixing website that helped launder 1.3B euros (2 minute read)

Europol and partner agencies have seized Cryptomixer, a widely used crypto-mixing service linked to cybercriminal activities such as drug trafficking, arms sales, ransomware, and card fraud.

Love TLDR? Tell your friends and get rewards!

Share your referral link below with friends to get free TLDR swag!
Track your referrals here.

Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them!

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.
