VayFul Security Issue - August 13 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
Google Warns of Rising Threat from Text Message Scams - Google's Security Blog highlights a growing concern: text message scams targeting Android users. The post offers practical advice on identifying and avoiding these scams, emphasizing the importance of verifying sender information and being wary of unsolicited messages that demand urgent action. #phishing #smishing
FreeBSD Issues Urgent Patch for Critical OpenSSH Vulnerability (CVE-2024-7589) - FreeBSD has published advisory FreeBSD-SA-24:08.openssh for CVE-2024-7589, a signal handler race condition in sshd: code reached from the SIGALRM handler (via FreeBSD's blacklistd integration) is not async-signal-safe, and an unauthenticated remote attacker who wins the race could potentially execute code as root. Patch affected hosts; until then, setting LoginGraceTime 0 in sshd_config closes the window at the cost of making denial of service easier. #openssh #rce
Hackers Using Fake iOS Updates to Compromise Devices - Jamf Threat Labs warns about a sophisticated cyberattack targeting iOS devices. Hackers are exploiting user trust by deploying fake iOS updates. These updates appear legitimate but harbor malicious code designed to compromise the security of the device. #device #compromise #fake #ios #update
Microsoft and NIST Collaboration to Smooth Zero Trust Implementation - This Microsoft Security Blog post highlights their ongoing collaboration with the National Institute of Standards and Technology (NIST) to advance Zero Trust implementation. They have recently released a practical guide detailing how to implement a Zero Trust strategy. #Zerotrust #strategy
Hacking a Virtual Power Plant - Security researcher Ryan Castellucci exploited a vulnerability in a home solar energy system and ended up with control over a virtual power plant (VPP): the aggregated fleet of home installations that the vendor's platform can steer as one unit. With that access, energy usage across many homes could be managed remotely. #home #solar #plant #system #vulnerability
🔥 INTERESTING WRITEUPS
Apache HTTP Server: mod_rewrite proxy handler substitution (CVE-2024-39573) CWE-20 Improper Input Validation - [$2,600 Bounty]
SQL injection in /errors/viewbuild/ - [Unknown Bounty]
Guest Privilege Escalation to admin group - [Unknown Bounty]
📝 BLOGS & ARTICLES
Bucket Monopoly: Breaching AWS Accounts Through Shadow Resources - Aqua Security researchers disclosed a class of vulnerabilities in six AWS services, dubbed "Bucket Monopoly". Several services automatically create S3 buckets with predictable names (built from the account ID and region, or from a hash that can be obtained elsewhere). An attacker who creates such a bucket in another region first can feed the victim's service malicious templates or capture the data it writes, leading to code execution, data exfiltration or account takeover. #aws #account #takeover
0.0.0.0 Day: Exploiting Localhost APIs From the Browser - Oligo Security researchers disclosed a browser flaw dubbed "0.0.0.0 Day". A malicious public website can send requests to http://0.0.0.0:<port>, which browsers on macOS and Linux deliver to services listening on the local machine, slipping past the Private Network Access checks that browsers apply to 127.0.0.1 and localhost. Any local service that trusts whatever arrives on the loopback interface, such as development servers and local AI tooling, can therefore be driven from a web page. #http #exploit #browser #security #attack #localhost
Understanding the Security Concerns of npm Shrinkwrap - This blog post explores the security concerns associated with npm shrinkwrap, which writes an npm-shrinkwrap.json that pins the exact version of every dependency in a Node.js project (and, unlike package-lock.json, is published with the package). Pinning protects against unexpected upstream changes, but a pinned tree that is not refreshed keeps known-vulnerable versions in place, and a misconfigured or hand-edited shrinkwrap can pull in packages the author never intended. #nodejs #dependencies #vulnerabilities
About security hardening with OpenID Connect - This GitHub documentation page explains how to harden GitHub Actions deployments with OpenID Connect (OIDC). Instead of storing long-lived cloud credentials as repository secrets, a workflow requests a short-lived OIDC token from GitHub and exchanges it with the cloud provider, whose trust policy can be restricted to specific repositories, branches or environments through the token's sub claim. #github #openID #security
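Two of the items above describe checks that are easier to reason about in code than in prose: the 0.0.0.0 Day item (a local service must not trust everything that reaches the loopback interface) and the OIDC item (the cloud side must pin the token's sub claim, not just its issuer). The Python below is an added example written for this newsletter, not code from Oligo Security, GitHub or any vendor. It assumes a hypothetical local API on port 8080 and placeholder repository names (octo-org/octo-repo); the sample token claims are constructed, and JWT signature verification against GitHub's JWKS is assumed to have happened before the claim checks run.

```python
import json
import re
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# ---------- Part 1: a loopback service that rejects the 0.0.0.0 vector ----------

# Hypothetical front-end origins allowed to call this local API.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def check_local_request(headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide whether a request arriving on a loopback socket is trusted.

    headers: any mapping of header name -> value (matched case-insensitively,
    so both a plain dict and the Message object http.server hands a handler
    work). Returns (allowed, reason).
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. A browser request to http://0.0.0.0:8080 carries "Host: 0.0.0.0:8080".
    #    Accept only Host values that name the loopback interface explicitly.
    host = urlparse("//" + h.get("host", "")).hostname
    if host not in LOOPBACK_HOSTS:
        return False, f"unexpected Host {h.get('host')!r}"

    # 2. Browsers label cross-site fetches with Sec-Fetch-Site; non-browser
    #    clients (curl, a local CLI) omit the header entirely.
    if h.get("sec-fetch-site") == "cross-site":
        return False, "cross-site browser request"

    # 3. When an Origin header is present it must be one we expect.
    origin = h.get("origin")
    if origin is not None and origin not in allowed_origins:
        return False, f"origin {origin!r} not allowed"

    return True, "ok"


class LocalApiHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        allowed, reason = check_local_request(self.headers)
        if not allowed:
            self.send_error(403, reason)
            return
        body = json.dumps({"status": "ok"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


# ---------- Part 2: the claim conditions a cloud trust policy applies to a GitHub OIDC token ----------

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"


def _glob_match(pattern, value):
    """Match like an IAM StringLike condition: '*' is the only wildcard."""
    regex = "".join(".*" if part == "*" else re.escape(part)
                    for part in re.split(r"(\*)", pattern))
    return re.fullmatch(regex, value) is not None


def token_matches_trust(claims, audience, trusted_subjects, now=None):
    """Evaluate issuer, audience, expiry and subject of an already
    signature-verified GitHub Actions OIDC token. Returns (ok, reason)."""
    now = time.time() if now is None else now
    if claims.get("iss") != GITHUB_ISSUER:
        return False, f"issuer {claims.get('iss')!r} is not GitHub Actions"
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        return False, f"audience {aud!r} does not include {audience!r}"
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    sub = claims.get("sub", "")
    if not any(_glob_match(p, sub) for p in trusted_subjects):
        return False, f"subject {sub!r} not trusted"
    return True, "ok"


# Constructed claims shaped like a GitHub Actions token (octo-org/octo-repo is
# a placeholder); a real token carries more claims and a signature.
MAIN_BRANCH_TOKEN = {
    "iss": GITHUB_ISSUER,
    "aud": "sts.amazonaws.com",
    "sub": "repo:octo-org/octo-repo:ref:refs/heads/main",
    "repository": "octo-org/octo-repo",
    "ref": "refs/heads/main",
    "exp": 1_723_550_400,
}
# Same trust policy, but the token was minted for a pull request in another repo of the org.
OTHER_REPO_PR_TOKEN = dict(MAIN_BRANCH_TOKEN, sub="repo:octo-org/other-repo:pull_request",
                           repository="octo-org/other-repo", ref="refs/pull/7/merge")
NOW = 1_723_500_000  # fixed clock so the example is deterministic

WEAK_TRUST = ["repo:octo-org/*"]                                  # any repo, branch or PR in the org
HARDENED_TRUST = ["repo:octo-org/octo-repo:ref:refs/heads/main"]  # one repo, one branch


if __name__ == "__main__":
    for label, tok, trust in [("main branch / hardened", MAIN_BRANCH_TOKEN, HARDENED_TRUST),
                              ("other-repo PR / weak", OTHER_REPO_PR_TOKEN, WEAK_TRUST),
                              ("other-repo PR / hardened", OTHER_REPO_PR_TOKEN, HARDENED_TRUST)]:
        print(label, token_matches_trust(tok, "sts.amazonaws.com", trust, now=NOW))
    # Bind to 127.0.0.1, not 0.0.0.0; on macOS/Linux a browser request to
    # 0.0.0.0 still reaches this socket, which is why the header checks exist.
    HTTPServer(("127.0.0.1", 8080), LocalApiHandler).serve_forever()
```

Binding to 127.0.0.1 is necessary but not sufficient, since the bug is that the browser resolves 0.0.0.0 to the same loopback socket; the Host check is what actually stops the request, and the Sec-Fetch-Site and Origin checks catch cross-site requests that use a spoofable-looking hostname. On the OIDC side, the difference between WEAK_TRUST and HARDENED_TRUST is exactly the hardening the GitHub page recommends: a wildcard after the org name lets any pull request in any repository of the org assume the deployment role.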
🛠️TOOLS
Opensnitch - OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch. #app #firewall
RedGuard - RedGuard is a C2 front-end traffic control tool intended to keep blue teams, AV and EDR scanners from fingerprinting or reaching the C2 infrastructure behind it. #c2 #edr #bypass
Awesome-ZKP-Security - A curated list of security resources for zero-knowledge proofs (ZKP). #zkp #security #resources
🧠 TUTORIALS & SKILL-BUILDING
White House Report Analyzes Public Input on Open-Source Software Security - The White House has released a summary of public responses to their 2023 Request for Information (RFI) on Open-Source Software (OSS) Security. This report highlights industry concerns, suggesting potential solutions to strengthen the security posture of OSS. #open-source #software #security
Breaching AWS Accounts Through Shadow Resources - BH-US'24 presentation by Yakir Kadkoda and Ofek Itach (Aqua Security), the conference talk behind the "Bucket Monopoly" research linked above. "Shadow resources" are the S3 buckets and similar assets that AWS services create automatically on a user's behalf under predictable names; because those names can be guessed and claimed in advance by an attacker, they become a foothold for gaining unauthorized access to the account. #aws #security #account #takeover
All Your Secrets Belong to Us: Leveraging Firmware Bugs to Break TEEs - BH-US'24 presentation by Dan Dohrmann detailing two vulnerabilities in the firmware that underpins a hardware TEE, together with novel techniques for exploiting them. The result is a complete loss of confidentiality: an attacker can decrypt arbitrary guest memory on affected systems. #firmware #vulnerabilities
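The shadow-resource problem described in this talk and in the "Bucket Monopoly" blog item above comes down to a role that reads from or writes to a bucket it does not own. The IAM global condition key aws:ResourceAccount lets a policy require that any S3 resource it touches belongs to a given account, which defeats a pre-created attacker bucket of the same name. The Python below is an added example written for this newsletter, not code from Aqua Security or AWS: it lints a constructed policy (the cf-templates-* resource is a placeholder) for S3 statements lacking that condition and produces a pinned copy.

```python
import copy
import json

# Constructed policy, not taken from the Aqua research: a role allowed to read
# and write any bucket matching a service-style name prefix. Without an
# ownership condition it will just as happily use an attacker's bucket.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::cf-templates-*/*",
        },
        {
            "Effect": "Allow",
            "Action": "sts:GetCallerIdentity",
            "Resource": "*",
        },
    ],
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a scalar or a list."""
    return value if isinstance(value, list) else [value]


def s3_statements_without_owner_check(policy):
    """Indices of Allow statements that grant S3 actions but carry no
    aws:ResourceAccount condition, i.e. they can be pointed at any owner's
    bucket."""
    hits = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a == "*" or a.lower().startswith("s3:") for a in actions):
            continue
        # Condition is {operator: {key: value}}; keys are case-insensitive.
        condition_keys = {k.lower()
                          for operator in stmt.get("Condition", {}).values()
                          for k in operator}
        if "aws:resourceaccount" not in condition_keys:
            hits.append(i)
    return hits


def pin_s3_to_account(policy, account_id):
    """Return a copy of the policy in which every flagged statement only
    applies to resources owned by account_id."""
    fixed = copy.deepcopy(policy)
    statements = _as_list(fixed["Statement"])
    for i in s3_statements_without_owner_check(policy):
        condition = statements[i].setdefault("Condition", {})
        condition.setdefault("StringEquals", {})["aws:ResourceAccount"] = account_id
    return fixed


if __name__ == "__main__":
    print("unpinned S3 statements:", s3_statements_without_owner_check(WEAK_POLICY))
    print(json.dumps(pin_s3_to_account(WEAK_POLICY, "123456789012"), indent=2))
```

Code that calls S3 directly can add the same guarantee per request: the GetObject and PutObject APIs accept an ExpectedBucketOwner parameter and fail the call when the bucket belongs to someone else. Neither measure removes the predictable name; it just turns a silent redirect into a hard error.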
🎁 MISCELLANEOUS
Ai-toolkit - CLI tool for listing directories and contents for use in AI models. #AI #list #file #content
AI Home Surveillance Triggers Unexpected Insurance Cancellations - A recent article on SCNR explores the unintended consequences of AI-driven drone surveillance used by some home insurance companies. The report highlights cases where seemingly innocuous details captured by drones, such as a slightly mossy roof, led to unexpected policy cancellations. #AI #drone #insurance #audit
How my views on AI changed every year 2017-2024 (and why you should probably dismiss them anyway) - A year-by-year retrospective on the author's evolving views of Artificial Intelligence (AI) from 2017 to 2024. It offers a glimpse into how rapidly the field and the expectations around it have shifted in a relatively short time. #AI #evolution
🎯 QUOTE OF THE DAY
“The greatest wealth is to live content with little.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team