
VayFul Security Issue - September 10 2024


Hi all!

Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…

📰 SECURITY BYTES

Kibana Arbitrary Code Execution via YAML Deserialization - Kibana vulnerability that could allow attackers to execute arbitrary code on affected systems. This vulnerability specifically impacts users of Elastic Security's built-in AI tools and an Amazon Bedrock connector. Upgrading to Kibana version 8.15.1 is recommended. #rce #deserialization

Critical SonicWall Vulnerability Could Allow Attackers to Gain Unauthorized Access - A critical vulnerability (CVE-2024-40766) has been identified in SonicWall SonicOS management access and SSLVPN. Classified as "Improper Access Control," it could allow attackers to gain unauthorized access to sensitive resources or even crash the firewall, leading to a denial-of-service (DoS) attack. #dos #unauthorized #access #firewall

Critical LoadMaster Application Vulnerability (CVE-2024-7591) - A critical vulnerability, identified as CVE-2024-7591, allows attackers with remote access to the management interface to potentially execute arbitrary system commands. LoadMaster for Oracle E-Business Suite users are strongly advised to install the patch immediately. #rce #exploit #oracle

Bitcoin ATMs Payment Portal: A Target for Scammers - Federal Trade Commission (FTC) is raising a red flag about a growing scam tactic involving Bitcoin ATMs (BTMs). Fraudsters are reportedly using BTMs as a "payment portal" to steal money from unsuspecting victims. #bitcoin #fraud #scam

WhatsApp "View Once Privacy" Flaw Exposes Disappearing Messages - A critical flaw in WhatsApp's "View Once" feature raised privacy concerns for users. Attackers could exploit a weakness in the implementation to bypass the privacy measure. This meant messages intended to disappear after one view could potentially be saved and distributed. #whatsapp #meta #privacy #flaw

🔥 INTERESTING WRITEUPS

📝 BLOGS & ARTICLES

Watch the Typo: Our PoC Exploit for Typosquatting in GitHub Actions can Lead to Supply Chain Attack - Orca Security highlights a troubling trend in GitHub Actions: typosquatting. Attackers register malicious actions with names similar to popular ones, tricking developers into integrating them through typos. This can compromise software supply chains, leading to unauthorized access, data theft, or malware deployment. #github #typosquatting #unauthorized #access #supply-chain #attack

The Beginner's Guide to Securing Kubernetes - This Kubernetes security guide provides a comprehensive overview of essential security practices for securing your Kubernetes cluster. It is ideal for developers, security professionals, and anyone looking to fortify their Kubernetes environment. #k8 #security #guide

Stripe Repo: A Deep Dive into the "Pwn Request" Vulnerability - A recent security incident involving Stripe's GitHub repository serves as a valuable reminder of the importance of robust CI/CD pipeline security. The breach exploited a "pwn request" vulnerability, allowing unauthorized access to sensitive information. #github #pull #request #cicd #pipeline #security #unauthorized #access

Why Login Security Sucks: Why Passwords Aren't Enough? - Matt Dugan argues that passwords alone are no longer sufficient to protect user accounts in today's evolving threat landscape. He explores the limitations of passwords and highlights the need for a more robust approach to authentication. #login #password #authentication #limitation #websecurity

Web Security Basics with htmx - This article from htmx, a popular framework for building dynamic web applications, offers a back-to-basics approach to web security. It highlights that leveraging htmx's features doesn't negate the need for fundamental security principles. #websecurity #guide #developer #security #professionals

🛠️TOOLS

XENA - XENA is cross-platform software for cyber-security automation, adversary simulations, and red team operations. #redteam #post-exploitation #pentesting #c2

Ssci (Server Side Code Integrity) - Verify that a remote service runs the expected code before connecting to it. #code #integrity

Fzf - fzf is a general-purpose command-line fuzzy finder. It implements a "fuzzy" matching algorithm, so you can quickly type in patterns with omitted characters and still get the results you want. #fuzzing #pattern #results

GitHub-Actions-Attack-Diagram - The GitHub Actions Attack Diagram provides guidance for identifying GitHub Actions vulnerabilities, starting from read-only or write access to a GitHub organization or repository. #github #misconfigurations #security #attacks #TTPs

🧠 TUTORIALS & SKILL-BUILDING

AI Prompt Engineering: A Deep Dive - In this YouTube video, Zack Witten reflects on how prompt engineering has evolved, shares practical tips, and offers thoughts on how prompting might change as AI capabilities grow. #AI #prompt #engineering

Offensive Security - How Cyberstorage is Closing the Data Protection Gap - Cyberstorage - an "active" defense of storage systems and their data - has evolved to aid in prevention and recovery through analytics and storage-specific recovery capabilities. This marks the era of offensive security, designed to protect storage systems against these threats, minimizing their impact and enabling efficient, granular recovery from backup systems. #cybersecurity #data #protection

Generative AI - Why It’s Time to Secure Your Data Pipeline - AI and Machine Learning offer significant value for decision-making but introduce risks to data integrity and privacy. Hackers target the vast amounts of unstructured data generated by AI, making it crucial to secure both production data and data pipelines, as traditional storage security methods are insufficient. #AI #model #data #security

Inside GPT: Large Language Models Demystified - Natural language processing with generative pre-trained transformers (GPT) presents opportunities and challenges for developers. In this session, Alan will explore GPT architecture, demonstrate training a GPT-2 model for generating song lyrics, and discuss larger models like ChatGPT, including prompt engineering and Retrieval Augmented Generation (RAG) techniques. #AI #gpt #llm

🎁 MISCELLANEOUS

Bridging the Gap: Balancing Security and Convenience in Blockchain Bridge Validation - This article from Fairgate dives into the complex relationship between security and convenience in blockchain bridge validation, each offering different security levels and impacting transaction processing speed. #blockchain #security

Surfer-Data - Surfer is a digital footprint exporter, designed to aggregate all your personal data from various online platforms into a single folder. #personal #data #exporter

FTC Scrutinizes "Surveillance Pricing": Tech Giants Under Investigation for Tailored Pricing Practices - FTC has launched an investigation into the use of "surveillance pricing" by eight tech companies. This practice involves leveraging consumer data, including credit history, location, and browsing behavior, to set different prices for the same product or service for different individuals. #data #surveillance #security #privacy

Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM - In this paper, we present an attack allowing adversaries to leak information from air-gapped computers. We show that malware on a compromised computer can generate radio signals from memory buses (RAM). #secrets #leak #ram #air-gapped #computers

Want SOC 2 compliance without the Security Theater?

Tired of SOC 2 Security Theater? 🤔 

Oneleet is the all-in-one platform for building a real-world Security Program, getting a Penetration Test, integrating with a 3rd Party Auditor, and providing the Compliance Automation Software.

🎯 QUOTE OF THE DAY

“Never be limited by other people’s limited imaginations.”

-Dr. Mae C. Jemison

⭐ HOW DID WE DO?

Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.

That’s a wrap!

Thank you for reading,
VayFul Team