Attacks & Vulnerabilities |
Now You See mi: Now You're Pwned (12 minute read)
TASZK Security Labs' research on the Xiaomi C400 smart camera uncovers three vulnerabilities in the proprietary miIO setup protocol: an authentication bypass in the handshake, a cryptographically weak PRNG, and a heap buffer overflow leading to controlled heap metadata corruption and reliable RCE over Wi‑Fi. By exploiting protocol design flaws and allocator behavior, an attacker in radio range can first win the setup race or abuse a factory reset, then pivot from packet parsing to full root access, implant a persistent "cloud jailbreak," and reroute video/control through self‑hosted infrastructure while firewalling Xiaomi's cloud. |
FancyBear Exposed: Major OPSEC Blunder Inside Russian Espionage Ops (33 minute read)
An OPSEC failure on a NameCheap VPS exposed FancyBear/APT28's active C2 infrastructure, revealing a modular webmail exploitation toolkit targeting Roundcube and SquirrelMail via XSS to silently exfiltrate 2,800+ emails, steal 240+ credential sets including TOTP secrets, and deploy 140+ persistent Sieve forwarding rules redirecting all incoming mail to advenwolf@proton[.]me — all triggered without victim interaction beyond opening a spearphishing email. The exposed open directory on port 8889 contained server-side C2 source code, full telemetry logs, and lure PDFs targeting Ukrainian prosecutors, the Romanian Air Force, the Greek GEETHA, and the Serbian MoD across six countries. Defenders should audit Roundcube and SquirrelMail instances for unauthorized Sieve rules, block zhblz[.]com and 203.161.50[.]145, rotate credentials and TOTP secrets for any organization in the victimology, and disable ManageSieve where not operationally required. |
NGSOTI: Building an Integrated Threat Intelligence and Information Sharing Ecosystem for the Next Generation of SOC Analysts (5 minute read)
NGSOTI (Next Generation Security Operator Infrastructure) is an initiative designed to train analysts not only on tools, but also on real-world workflows, collaboration models, and operational constraints. The ecosystem has several integrated tools that provide threat intel sharing, vulnerability enrichment, data filtering, endpoint visibility and detection engineering, and collaborative rule sets. The full platform is tied together by SkillAegis, which provides a structured environment for exercises, simulations, and evaluation. |
|
OpenShell (GitHub Repo)
OpenShell is a safe, private runtime for autonomous AI agents. It provides sandboxed execution environments governed by declarative YAML files. |
Bold Security (Product Launch)
Bold runs an AI agent on every available endpoint to spot and stop user-based threats, prevent data loss, and govern AI tool usage in real time, without sending data to the cloud. |
ReArm (GitHub Repo)
ReARM is an abbreviation for "Reliza's Artifact and Release Management". It is a DevSecOps and Supply Chain Security tool and SBOM/xBOM repository and evidence store that organizes product releases with their metadata, including various Bills of Materials (SBOMs/xBOMs) and security findings. |
|
Malicious npm Package react-refresh-update Drops Cross-Platform Trojan on Developer Machines (12 minute read)
SafeDep identified react-refresh-update, a typosquat of Meta's react-refresh (42M weekly downloads) that injected a two-layer XOR-obfuscated dropper into runtime.js — executing silently on require() with no install hooks — and attributed the C2 domain malicanbur[.]pro and secondary IP 173.211.46[.]22:8080 to Lazarus Group's DeceptiveDevelopment campaign, with the second-stage binary independently classified as PylangGhost RAT by multiple AV vendors. The payload is OS-aware: on Windows, it fetches a 28.71 MB self-extracting archive via chunked axios range requests and executes start.vbs via a hidden, detached wscript process. On Linux and macOS, it downloads and executes /var/tmp/macspatch.sh with TLS verification disabled. The encrypted-in-memory eval() execution pattern evades static analysis tools scanning for child_process references, making this campaign a notable escalation in AI coding agent supply chain targeting, where inflated version numbers and mirrored codebases can pass automated package selection without human review. |
Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish (4 minute read)
Attackers sent a JPMorgan-themed phishing email to an Outpost24 executive that passed DKIM checks and existing email security controls. The link chained through Cisco Secure Web, Nylas tracking, a compromised Indian firm, an expired-reused domain, and a Cloudflare-hosted site before a Microsoft 365 credential page. |
Google, Microsoft, Amazon, and Others United Under New Anti-Scam Pact (2 minute read)
Ahead of the UN Global Fraud Summit in Austria, eleven tech platforms, including Google, Microsoft, Amazon, and OpenAI, joined to create the new Online Services Accord Against Scams. The agreement involves the platforms agreeing to share intelligence and best practices about threats on their platforms and integrate defensive tools. The pact is voluntary and does not include any enforcement measures. |
|
Microsoft PhotoDNA is vulnerable to false positives and data leakage (3 minute read)
Researchers from Ghent University and KU Leuven published the first white-box analysis of Microsoft PhotoDNA, revealing that its piecewise-linear hash function can be exploited within seconds on a standard laptop to produce exact collisions, generate false positives matching CSAM hashes, evade detection, and partially reconstruct source images. |
|
| Love TLDR? Tell your friends and get rewards! | | Share your referral link below with friends to get free TLDR swag! | | | |
| Track your referrals here. |
|
| |
0 Comments