VayFul Security Issue - August 23 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
"Phishing App": New Scam Exploits Progressive Web Apps (PWAs) - ESET researchers reveal a new phishing tactic utilizing Progressive Web Apps (PWAs). These PWAs, essentially websites masquerading as standalone applications, are being used to steal login credentials. #app #phishing #pwish
Google Fixes In-the-Wild Exploited Chrome 0-day CVE-2024-7971 - Google has pushed Chrome 128.0.6613.84 to the stable channel for desktop. The release carries 38 security fixes, among them CVE-2024-7971, a type confusion bug in the V8 JavaScript engine that Google says is being exploited in the wild. Update now. #chrome #0day #patch
AWS Cloud Attack Uncovers Large-scale Cloud Extortion Campaign - A report from Palo Alto Networks' Unit 42 describes a large-scale extortion campaign that began not with a cloud vulnerability but with inadvertently exposed .env files: environment files left reachable on web servers and holding secrets such as AWS access keys. With those keys the attackers entered the victims' AWS accounts, pulled data out of S3 and left ransom notes. The fix is boring and effective: keep .env files out of the web root, deny dotfiles at the web server, and rotate any key that was ever exposed. #aws #cloud #attacks
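The campaign above started with a file that should never have been reachable. The scanner below is an added example (not code from the report or from VayFul) of the check a practitioner would run over a web root or a deploy artifact before an attacker does: find .env files and flag lines that look like AWS or generic credentials, printing only a redacted form. The sample .env contents and the temporary web root are constructed; the AWS key values are the documented placeholder keys and are not real credentials.

```python
"""Find .env files under a web root and flag credential-looking lines.
Added illustration, not the report's or VayFul's code. Sample data is constructed."""
from __future__ import annotations

import os
import re
import tempfile
from dataclasses import dataclass

# Heuristic patterns for secrets commonly found in leaked .env files.
# AWS access key IDs are 20 characters starting with AKIA (long-term) or ASIA (temporary).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"AWS_SECRET_ACCESS_KEY\s*=\s*['\"]?[A-Za-z0-9/+=]{40}['\"]?"),
    "generic_secret": re.compile(
        r"^[A-Z0-9_]*(?:SECRET|PASSWORD|TOKEN|API_KEY)[A-Z0-9_]*\s*=\s*\S+", re.I),
}

# Constructed sample; the AWS values are AWS's own documentation placeholders.
SAMPLE_ENV = """# constructed sample .env, deliberately invalid credentials
APP_ENV=production
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD=hunter2
"""


@dataclass
class Finding:
    path: str
    line_no: int
    kind: str
    redacted: str  # never log the full secret


def redact(value: str) -> str:
    """Keep just enough of the value to identify which key leaked."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "****"


def scan_env_text(text: str, path: str = "<inline>") -> list[Finding]:
    """Scan the text of one .env file; one finding per matching line."""
    findings: list[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for kind, pat in PATTERNS.items():
            m = pat.search(stripped)
            if m:
                value = stripped.split("=", 1)[1].strip().strip("'\"") if "=" in stripped else m.group(0)
                findings.append(Finding(path, n, kind, redact(value)))
                break
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk root looking for .env and variants such as .env.production."""
    out: list[Finding] = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name == ".env" or name.startswith(".env."):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    out.extend(scan_env_text(fh.read(), p))
    return out


def demo() -> list[Finding]:
    """Build a constructed web root containing a leaked .env and scan it."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "app"))
    with open(os.path.join(root, "app", ".env"), "w") as fh:
        fh.write(SAMPLE_ENV)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>")
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}:{f.line_no} {f.kind} {f.redacted}")
```

A hit is not a finding to triage at leisure: a key that was reachable from the web has to be treated as compromised and rotated, and the file removed from the document root (or the web server configured to refuse any path beginning with a dot).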
NGate Android malware relays NFC traffic to steal cash - Researchers at ESET have uncovered a novel Android malware called NGate. Unlike traditional banking Trojans, NGate does not harvest credentials: it relays Near Field Communication (NFC) traffic from a victim's contactless payment card to the attacker's Android device, which then emulates the card at an ATM to withdraw cash. #android #NFC #payment #malware
🔥 INTERESTING WRITEUPS
HTTP/2 DoS by memory exhaustion on endless continuation frames - [$2,580 bounty]
Source Code and data exfiltration via Github Copilot - [$1,000 bounty]
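The HTTP/2 writeup above is an instance of the CONTINUATION flood: a HEADERS frame without END_HEADERS followed by CONTINUATION frames that never set it, so a server that buffers the header block until the flag arrives grows without bound. The code below is an added example (not the writeup's code and not any real HTTP/2 implementation) of a minimal frame parser and a header-block assembler whose only defence is a cap on the bytes buffered across fragments; the constructed flood shows the unbounded assembler accepting everything and the capped one rejecting the block after 16 KiB. Frame layout follows RFC 9113 section 4.1; the limit value and function names are assumptions.

```python
"""Bounded HTTP/2 header-block reassembly versus the unbounded, vulnerable form.
Added illustration; not code from the writeup, from any HTTP/2 library, or from VayFul."""
from __future__ import annotations

import struct
from typing import Iterator, Optional

FRAME_HEADER_LEN = 9
TYPE_HEADERS, TYPE_CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes) -> bytes:
    """RFC 9113 frame: 24-bit length, 8-bit type, 8-bit flags, reserved bit + 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data: bytes) -> Iterator[tuple[int, int, int, bytes]]:
    """Split a byte string into (type, flags, stream_id, payload) tuples."""
    off = 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += FRAME_HEADER_LEN + length


class HeaderBlockTooLarge(Exception):
    pass


class HeaderBlockAssembler:
    """Reassembles one HEADERS + CONTINUATION* sequence into a header block.

    max_header_block caps the bytes buffered across *all* fragments; that cap is
    exactly what the vulnerable server lacked (it appended until memory ran out).
    Passing None reproduces the unbounded behaviour for comparison."""

    def __init__(self, max_header_block: Optional[int] = 16 * 1024):
        self.max = max_header_block
        self.stream_id: Optional[int] = None
        self.buf = bytearray()
        self.frames_seen = 0  # fragments accepted into the buffer

    def feed(self, ftype: int, flags: int, stream_id: int, payload: bytes) -> Optional[bytes]:
        if ftype == TYPE_HEADERS:
            if self.stream_id is not None:
                raise ValueError("HEADERS while a header block is open")
            self.stream_id = stream_id
        elif ftype == TYPE_CONTINUATION:
            if stream_id != self.stream_id:
                raise ValueError("CONTINUATION without an open header block on this stream")
        else:
            if self.stream_id is not None:
                raise ValueError("other frame interleaved inside a header block")
            return None
        if self.max is not None and len(self.buf) + len(payload) > self.max:
            raise HeaderBlockTooLarge(f"header block exceeds {self.max} bytes; send GOAWAY")
        self.buf += payload
        self.frames_seen += 1
        if flags & FLAG_END_HEADERS:
            block = bytes(self.buf)
            self.buf, self.stream_id = bytearray(), None
            return block
        return None


def build_continuation_flood(n_frames: int, fragment: bytes = b"A" * 1024, stream_id: int = 1) -> bytes:
    """Constructed attacker traffic: HEADERS without END_HEADERS, then CONTINUATIONs that never set it."""
    out = encode_frame(TYPE_HEADERS, 0, stream_id, fragment)
    for _ in range(n_frames):
        out += encode_frame(TYPE_CONTINUATION, 0, stream_id, fragment)
    return out


def consume(data: bytes, max_header_block: Optional[int]) -> tuple[int, int, bool]:
    """Feed a frame stream to an assembler; return (frames_accepted, bytes_buffered, rejected)."""
    asm = HeaderBlockAssembler(max_header_block)
    try:
        for frame in iter_frames(data):
            asm.feed(*frame)
    except HeaderBlockTooLarge:
        return asm.frames_seen, len(asm.buf), True
    return asm.frames_seen, len(asm.buf), False


if __name__ == "__main__":
    flood = build_continuation_flood(1000)
    print("unbounded:", consume(flood, None))       # accepts all 1001 frames, ~1 MiB buffered
    print("capped   :", consume(flood, 16 * 1024))  # rejects after 16 KiB
```

In a real server the rejection should tear down the connection (GOAWAY with a protocol or enhance-your-calm error), not just the stream, since the peer has already shown it will not finish the header block; the cap should also be applied to the compressed bytes as they arrive, before any HPACK decoding, so that the decoder's own output size limit is not the only line of defence.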
📝 BLOGS & ARTICLES
Securing a Spring Boot Application with Cerbos - This article explores how integrating Cerbos with Spring Boot applications can streamline authorization. Cerbos, an open-source access control framework, lets developers define fine-grained, context-aware permissions as policies outside the application code. #spring #security #authorization
The Comprehensive Guide to LLM Security - The guide explores the "four pillars" of LLM security, including data security, model security, infrastructure security, and ethical considerations. It delves into specific vulnerabilities like data leakage and biased outputs, equipping readers with strategies for building secure and responsible LLM applications. #LLM #security
How SSH Secures Your Connection - This article walks through how SSH protects a session, the ways it is commonly misconfigured, and actionable tips to safeguard your connections. Whether you're a seasoned tech professional or just starting out with SSH, it covers the key areas: strong password management (or better, no passwords at all), two-factor authentication, and secure server configuration. #ssh #security #2fa
Why Exploits Prefer Memory Corruption: Exploiting the Simplest Path to System Control - The author argues that memory corruption remains a favoured bug class because of its directness. When the goal is arbitrary code execution, which grants complete control over a system, a vulnerability that corrupts memory is often the most straightforward route there. #exploit #development #memory #corruption
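For the "secure configuration" part of the SSH article above, here is an added example (not the article's code and not part of OpenSSH) of a small sshd_config audit: it parses the global directives the way sshd does (first occurrence wins, Match blocks are conditional and skipped), fills in OpenSSH's compiled-in defaults for anything absent, and reports every directive that departs from a key-plus-second-factor, no-root, no-password baseline. The two sample configs are constructed; the recommended values are the assumptions this check encodes, not a standard.

```python
"""Audit sshd_config for password auth, root login and multi-factor settings.
Added illustration, not the article's or OpenSSH's code; sample configs are constructed."""
from __future__ import annotations

import sys


def _mfa_ok(v: str) -> bool:
    # AuthenticationMethods lists space-separated alternatives, each a comma list
    # that must ALL succeed. Require every alternative to need at least two methods.
    return v != "any" and all(len(alt.split(",")) >= 2 for alt in v.split())


# (directive, check(value) -> ok, recommended value)
CHECKS = [
    ("PasswordAuthentication", lambda v: v == "no", "no"),
    ("PermitRootLogin", lambda v: v in ("no", "prohibit-password"), "no"),
    ("PubkeyAuthentication", lambda v: v == "yes", "yes"),
    # keyboard-interactive is how PAM-based TOTP prompts reach the client
    ("KbdInteractiveAuthentication", lambda v: v == "yes", "yes"),
    ("AuthenticationMethods", _mfa_ok, "publickey,keyboard-interactive"),
    ("MaxAuthTries", lambda v: v.isdigit() and int(v) <= 4, "4"),
]

# OpenSSH compiled-in defaults that apply when the directive is absent.
DEFAULTS = {
    "PasswordAuthentication": "yes",
    "PermitRootLogin": "prohibit-password",
    "PubkeyAuthentication": "yes",
    "KbdInteractiveAuthentication": "yes",
    "AuthenticationMethods": "any",
    "MaxAuthTries": "6",
}

# Constructed samples: a permissive config and a hardened one.
WEAK_CONFIG = """# constructed example of a permissive sshd_config
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """# constructed example of a hardened sshd_config
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
MaxAuthTries 3
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the effective global directives, keyed by lower-cased keyword.
    The first occurrence of a keyword wins, as in sshd. Parsing stops at the
    first Match block because directives inside it are conditional."""
    seen: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:
            seen[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return seen


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (directive, effective_value, recommended) for each failed check."""
    cfg = parse_sshd_config(text)
    failures = []
    for name, ok, want in CHECKS:
        value = cfg.get(name.lower(), DEFAULTS[name])
        if not ok(value):
            failures.append((name, value, want))
    return failures


if __name__ == "__main__":
    # Pipe the live effective config in:  sshd -T | python audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else WEAK_CONFIG
    for name, value, want in audit(text):
        print(f"{name}: is '{value}', recommend '{want}'")
```

Feeding it `sshd -T` output rather than the file is the better habit: that is the configuration the daemon actually resolved, including values from Include files and Match blocks for a given connection, so the audit sees what an attacker's login attempt would see.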
🛠️TOOLS
Ssldump - ssldump is an SSLv3/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSLv3/TLS traffic. #ssl #tls
Guardian-agent - Guardian Agent: secure ssh-agent forwarding for Mosh and SSH, so that a forwarded agent can only be used for connections you have explicitly approved. #ssh #agent-forwarding
Cloud-security-list - Cloud security engineers are notoriously overworked and under-resourced. This curated list has links to tools, frameworks and resources to make their lives easier. #cloud #security #resources
🧠 TUTORIALS & SKILL-BUILDING
Keynote: Hack Your Way to the Top - Troy Hunt - Troy Hunt's keynote is designed to ignite your passion and urge you to learn through code. Life runs on code: software is the backbone of modern existence, which puts developers at the forefront of innovation. He talks about his experience building Have I Been Pwned and other initiatives.
Navigating Record-Breaking DDoS Attacks - Steve Winterfeld, CISO at Akamai, talks about the surge of record-breaking DDoS attacks defenders have been fighting. Both attacker motivations and methods have changed, driving growth in the size, scope, complexity and frequency of these attacks, and security strategies need updating to match. #Ddos #attack #security
Using AI to become a Hacker - NetworkChuck reveals 7 game-changing ways to use artificial intelligence for mastering cybersecurity skills, including the CPTS certification. Learn how to create personalized study plans, generate flashcards, and even have AI quiz you on complex topics.
🎁 MISCELLANEOUS
Speech-to-speech - Speech To Speech: an effort towards an open-source, modular GPT-4o-style voice pipeline. #open-source #GPT4
Forget No‐Code. The Future is All‐Code: LLMs Promise a Future of "All Code" Development - A Roundtable AI GitHub wiki page exploring the potential of Large Language Models (LLMs) to change software development. It argues for a shift away from low-code/no-code platforms towards a future where AI helps write actual code. #LLM #coding
Data Exfiltration from Slack AI via indirect prompt injection - PromptArmor reveals a vulnerability in Slack's AI integration. By planting instructions in a message that Slack AI later ingests (indirect prompt injection), an attacker can make the assistant render a link that, when the victim clicks it, leaks sensitive data from the victim's own channels. #AI #prompt-injection #slack
🎯 QUOTE OF THE DAY
“Be yourself; everyone else is already taken.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team