VayFul Security Issue - August 02 2024

Hi all!

Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…

📰 SECURITY BYTES

DigiCert Revocation Incident Resolved: Millions of Certificates Replaced - A recent DigiCert incident involved the revocation of a significant number of SSL/TLS certificates due to a validation oversight. The issue stemmed from a flaw in DigiCert's process for verifying domain control during certificate issuance. #ssl/tls #certificates #revocation

Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption - Microsoft security researchers warn of a critical vulnerability in ESXi hypervisors, a key component of virtualized environments. This flaw, identified as CVE-2024-37085, allows attackers to gain full administrative access and potentially encrypt critical data across hosted servers. #vmware #hypervisor #ransomware

Fake: Malicious Ads Impersonate Google Authenticator - Malwarebytes is warning users about a recent phishing campaign targeting Google Authenticator users. Threat actors are placing malicious ads that appear to be from Google, promoting a fake version of the Google Authenticator app to steal your data. #fake #google #authenticator #malware

Specula Email Nightmare: One Registry Change Turns Outlook into a C2 Stealthy Spy - TrustedSec reveals a chilling vulnerability in Microsoft Outlook. Researchers discovered a method to transform Outlook into a covert Command and Control (C2) server with a single, non-privileged registry edit. #outlook #persistent #c2 

MacOS: Homebrew Addresses Security Vulnerabilities: Update Your Package Manager Now - A recent security audit of Homebrew, the popular macOS package manager, revealed 25 vulnerabilities. Update Homebrew to the latest version (0.81 or later) to benefit from the implemented security fixes. #macOS #security #update

🔥 INTERESTING WRITEUPS

📝 BLOGS & ARTICLES

Decoding "EMPTYSPACE": Google Security Helps Detect Stealthy Malware - Mandiant Managed Defense team highlights a collaborative effort with Google Security. The focus is on "EMPTYSPACE," a cunning malware downloader that utilizes HTTP to communicate discreetly with its command-and-control server. #malware #detection #soc

Are security and reliability fundamentally incompatible? - An ongoing debate about a potential tension between security and reliability in modern systems. Complex security tools often introduce additional layers of complexity and unpredictability, potentially impacting system uptime; the article emphasizes the importance of threat modeling to ensure a balanced approach between security and reliability. #threat-modeling #security #reliability

Providing Security Updates to Automobile Software - Are Cars Stuck in the Security Stone Age? Security expert Bruce Schneier's blog post raises concerns about the lack of long-term software support for automobiles. The average lifespan of cars on the road is increasing, while the software update cycle remains shorter, creating security vulnerabilities for older models. #automobile #security #concerns

Critical SAML Authentication Bypass Exposes Admin Panels - This flaw, described by Ahmed Tarek on Medium, allows attackers to bypass authentication and potentially gain access to administrative dashboards. The developer's mistake is not implementing proper signature validation and verification for SAML responses. #saml #auth #bypass

🛠️ TOOLS

Bunkerweb - Open-source and next-generation Web Application Firewall (WAF). #open-source #waf

File-encryptor - File Encryptor is a command-line tool written in Go that provides secure file encryption and decryption using either RSA key pairs or password-based encryption. #file #encryption 

Agent-zero - Agent Zero is not a predefined agentic framework. It is designed to be dynamic, organically growing, and learning as you use it. #AI #framework

Awesome-Smart-Contract-Security - A curated list of smart contract security materials and resources for researchers. #blockchain #smart #contract #security

🧠 TUTORIALS & SKILL-BUILDING

AI-Powered Bug Hunting Evolution and Benchmarking - A new research paper, possibly titled "AI-powered Bug Hunting", by Alfredo Ortega explores the application of AI in cybersecurity, specifically focusing on bug hunting. #AI #bug #hunting

SEVEN things about API security - Philippe De Ryck - In this session, we use real-world cases to dive into best practices for securing your APIs and dive into FOUR crucial vulnerabilities highlighted in the OWASP API Security top 10, exposing the areas you need to safeguard against. #owasp #API #security

Brain vs Cyber: Holly Foxcroft - In this session, speakers compare neurodiversity with cyber security and touch on social engineering and risky cyber behaviours. #neurodiversity #security

🎁 MISCELLANEOUS

AI mass surveillance at Paris Olympics – a security boon and privacy nightmare - The use of advanced AI-powered video surveillance at the Paris Olympics has sparked a heated debate. This Conversation article delves into the legal and ethical considerations surrounding this technology. #AI #surveillance #olympics

Websites are Blocking the Wrong AI Scrapers (Because AI Companies Keep Making New Ones) - A new report by the Data Provenance Initiative raises concerns about a game of cat-and-mouse between websites and AI companies scraping data. Websites are struggling to block unwanted scrapers due to the rapid proliferation of new bots created by AI companies. #AI #website #data #scraping #bots

Build Custom AI Chatbots with Meta's AI Studio - Meta unveils AI Studio, a powerful platform for creating personalised AI chatbots. This innovative tool allows users to design conversational AI experiences for various purposes, from social media engagement to customer service applications. #meta #AI #studio

🎯 QUOTE OF THE DAY

“The greatest glory in living lies not in never falling, but in rising every time we fall.”

-Nelson Mandela

That’s a wrap!

Thank you for reading,
VayFul Team