VayFul Security Issue - August 09 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
70% of new npm packages are spam, polluting the developer ecosystem - The Phylum research team exposes a troubling trend in the npm ecosystem: a massive influx of low-quality, potentially malicious packages, many of them carrying a "tea.yaml" file that hints at a cryptocurrency reward scheme being farmed with throwaway publishes. #malicious #packages #supply-chain-attack
StormBamboo compromises an ISP to abuse insecure software update mechanisms and deliver malware - The report reveals how StormBamboo compromised an internet service provider (ISP) to poison DNS responses, redirecting update requests from victims' machines to attacker-controlled servers. Those servers then delivered malware through update mechanisms that fetch over plain HTTP and never verify a signature on what they download, so a DNS-level redirect alone was enough to swap the payload. The attack targeted users running macOS and Windows; an update client that pins the vendor's signing key is not fooled by this. #ISP #compromise #dns #poisoning #malware #delivery
Windows Downdate: downgrade attacks using Windows updates allow attackers to roll a fully patched OS back to an older, vulnerable version - These "downgrade attacks" manipulate the Windows Update process itself to revert system components to older versions while the machine still reports itself as fully patched. Once the old, vulnerable code is back in place, previously fixed vulnerabilities can be exploited again to gain unauthorized access or bypass security measures. #windows #fully-patched #version #downgrade
Symantec warns of rising cloud-based espionage attacks using OneDrive and Google Drive - The article highlights how malicious actors are increasingly using legitimate cloud storage services as their command and control (C&C) infrastructure. Because traffic to these services looks like ordinary user activity, the C&C channel blends in and is hard to distinguish from benign cloud sync traffic. #cloud #drive #C&C #attacks
Google patches critical vulnerabilities, including an exploited zero-day, in the August Android security update - The August 2024 Android Security Bulletin addresses a range of critical vulnerabilities affecting Android devices. Among them is CVE-2024-36971, a Linux kernel networking flaw that Google reports may be under limited, targeted exploitation, underlining the importance of applying security patches promptly. #android #0day #vulnerability #patches
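The StormBamboo item above turns on one design mistake: an update client that resolves the vendor's hostname and trusts whatever comes back. The following is an added example, not code from the Volexity report or from any vendor's updater, that models that flow offline with constructed stand-ins (a map for DNS, a map for servers, fictional hostname and addresses) and contrasts the insecure client with one that pins the vendor's Ed25519 public key and checks the payload digest against a signed manifest:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Constructed stand-ins for the network so the example runs offline:
// a hostname resolves to an address, an address hands out an update.
type update struct {
	manifest  []byte // "version=<v>\nsha256=<hex>\n"
	signature []byte // Ed25519 signature over manifest
	payload   []byte
}

type network struct {
	dns     map[string]string  // hostname -> address; a poisoned resolver changes this
	servers map[string]*update // address -> what that server serves
}

func (n *network) fetch(host string) (*update, error) {
	addr, ok := n.dns[host]
	if !ok {
		return nil, errors.New("no such host")
	}
	u, ok := n.servers[addr]
	if !ok {
		return nil, errors.New("connection refused")
	}
	return u, nil
}

// makeUpdate writes a manifest naming the payload digest and signs it with priv.
func makeUpdate(priv ed25519.PrivateKey, version string, payload []byte) *update {
	sum := sha256.Sum256(payload)
	m := []byte(fmt.Sprintf("version=%s\nsha256=%s\n", version, hex.EncodeToString(sum[:])))
	return &update{manifest: m, signature: ed25519.Sign(priv, m), payload: payload}
}

// manifestHash extracts the sha256= field from a manifest.
func manifestHash(m []byte) (string, error) {
	for _, line := range strings.Split(string(m), "\n") {
		if strings.HasPrefix(line, "sha256=") {
			return strings.TrimPrefix(line, "sha256="), nil
		}
	}
	return "", errors.New("manifest has no sha256 field")
}

// insecureUpdate is the pattern the campaign abused: resolve the vendor host,
// download, and trust whatever came back. Poisoned DNS is enough to own it.
func insecureUpdate(n *network, host string) ([]byte, error) {
	u, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	return u.payload, nil
}

// secureUpdate pins the vendor's public key. Whoever answers the DNS query,
// the payload is accepted only if the manifest carries a valid vendor
// signature and the payload hashes to the digest that manifest names.
func secureUpdate(n *network, host string, vendorPub ed25519.PublicKey) ([]byte, error) {
	u, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(vendorPub, u.manifest, u.signature) {
		return nil, errors.New("manifest signature does not verify against pinned vendor key")
	}
	want, err := manifestHash(u.manifest)
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(u.payload)
	if hex.EncodeToString(sum[:]) != want {
		return nil, errors.New("payload digest does not match signed manifest")
	}
	return u.payload, nil
}

// buildScenario constructs a vendor, an attacker with their own key, and the
// network. poisoned=true points the vendor hostname at the attacker's server,
// as an ISP-level DNS compromise would. Hostname and addresses are fictional.
func buildScenario(poisoned bool) (*network, ed25519.PublicKey) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	n := &network{
		dns: map[string]string{"updates.vendor.example": "203.0.113.10"},
		servers: map[string]*update{
			"203.0.113.10": makeUpdate(vendorPriv, "2.0.1", []byte("genuine 2.0.1 installer")),
			"198.51.100.7": makeUpdate(attackerPriv, "2.0.1", []byte("trojanised installer")),
		},
	}
	if poisoned {
		n.dns["updates.vendor.example"] = "198.51.100.7"
	}
	return n, vendorPub
}

func main() {
	n, pub := buildScenario(true)
	got, _ := insecureUpdate(n, "updates.vendor.example")
	fmt.Printf("insecure client installed: %q\n", got)
	if _, err := secureUpdate(n, "updates.vendor.example", pub); err != nil {
		fmt.Println("secure client refused:", err)
	}
}
```

The two checks are independent on purpose: the signature check defeats an attacker who controls the server but not the vendor's key, and the digest check defeats one who replays a genuine signed manifest next to a swapped payload. Transport security (HTTPS with certificate validation) would also have blocked the redirect, but signed updates hold even when the transport is compromised.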
🔥 INTERESTING WRITEUPS
Ability to bypass the second factor - [$1000 bounty]
CVE-2024-6197 (curl): freeing a stack buffer in utf8asn1str - [Unknown bounty]
📝 BLOGS & ARTICLES
LLM Security: Splunk & OWASP Top 10 for LLM-based Applications - The article uses the OWASP Top 10 for LLM Applications, the LLM-specific counterpart to OWASP's well-known web application list, as a lens for defending LLM-powered systems. It emphasizes secure coding practices, well-defined input validation and robust access controls as the crucial steps in mitigating LLM-based attacks. #LLM #Top10 #threats
How AWS tracks and tackles major cloud security threats and helps shut them down - The article outlines the measures AWS employs to secure its cloud environment, including threat detection, prevention and collaboration with security researchers. AWS highlights its global reach and threat intelligence capabilities, emphasizing its commitment to protecting customer data. #AWS #cloud #security
Developing a custom gadget chain for PHP deserialisation - The author walks through building a custom gadget chain to exploit a PHP deserialisation flaw, explaining what deserialisation vulnerabilities are and what they can lead to. A useful wake-up call for developers and security professionals alike. #php #deserialisation
Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server - Research by Orange Tsai on Apache HTTP Server. Because different httpd modules interpret the same request fields (file path, handler, content type) under different assumptions, the mismatches between them can be chained into access-control bypass, SSRF, XSS and, in some configurations, RCE. Worth reading before you trust a .htaccess rule to protect anything. #confusion #attack #xss #rce #ssrf
🛠️TOOLS
Buster - Captcha solver extension for humans, available for Chrome, Edge and Firefox. #captcha #solver #extension
Photok - Encrypted Photo Safe for Android. #photo #safe #encryption #security
Ai_powered - The easiest way to develop AI-Powered applications. #python-lib #AI #apps
The-book-of-secret-knowledge - A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more. #github #secret #security #collection
🧠 TUTORIALS & SKILL-BUILDING
Windows Downdate: Downgrade Attacks Using Windows Updates - BHUSA'24 presentation by Leviev on "downgrade attacks" that exploit weaknesses within the Windows Update process itself. It demonstrates a fully patched Windows machine being downgraded to a vulnerable version while still reporting itself as up to date. #windows #downgrade #exploit
Practical LLM Security: Takeaways From a Year in the Trenches - BHUSA'24 presentation by Harang from NVIDIA, focused on practical security considerations for Large Language Models (LLMs). #LLM #security
Listen to the whispers: web timing attacks that actually work - BHUSA'24 presentation by James Kettle sheds light on a powerful but often overlooked attack vector, web timing attacks. Kettle argues that these attacks are more relevant and effective than previously thought. #web #attacks
Tunnel Vision - Exploring VPN Post-Exploitation Techniques - BHUSA'24 presentation by Ori David delves into post-exploitation techniques against compromised VPNs. #vpn #post #exploitation #attacks
🎁 MISCELLANEOUS
Inflation real-time calculator - A real-time inflation calculator, a free web app written in pure JavaScript. #inflation #calculator
The Potential for AI in Science and Mathematics: Terence Tao Oxford talk - Terence Tao, one of the world's leading mathematicians and winner of many awards including the Fields Medal, talks about the potential uses of AI in science and mathematics. #AI #science #maths
LLM Dreams: Exploring AI-Generated Images with LLM Dreams - LLM Dreams offers a glimpse into the creative potential of large language models (LLMs). This online platform uses the Flux model from Black Forest Labs to generate captivating images from user-provided prompts. #LLM #image #generation #prompts
Silicon Valley parents are sending kindergarten kids to AI-focused summer camps - The San Francisco Standard reports on a growing trend in Silicon Valley - AI-focused summer camps for children as young as five years old. These camps offer courses in robot design, coding, and even AI-powered game development. #AI #summer #camps #kindergarten
🎯 QUOTE OF THE DAY
“Only those who will risk going too far can possibly find out how far one can go.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team