VayFul Security Issue - July 02 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
Critical OpenSSH Vulnerability Exposes Millions of Servers to Remote Attacks - A critical vulnerability has been discovered in OpenSSH servers, exposing millions of Linux systems to potential remote takeover by attackers. This "regression" vulnerability, dubbed "regreSSHion," reintroduces a flaw previously patched in 2006. #openSSH #rce
iOS Popular CocoaPods Framework Hit with Supply Chain Vulnerabilities - Security researchers at EvaSec identified vulnerabilities in the popular CocoaPods framework, a tool used for dependency management in iOS development. These vulnerabilities could have potentially allowed attackers to inject malicious code into iOS applications. #apple #iOS #code-injection #supply-chain
AirPods fast connect security vulnerability update AirPods Firmware - A critical security vulnerability has been discovered in Apple AirPods (2nd generation and onwards), AirPods Pro (all generations), and AirPods Max. This vulnerability could allow attackers within Bluetooth range to listen to your microphone conversations or play unauthorized music. #AirPods #BLE #vulnerability
Chrome to Block Entrust Certificates Due to Security Concerns - Google Chrome is taking a strong stance against unreliable digital certificates issued by Entrust, a major certificate authority (CA). Starting in November 2024, Chrome will no longer trust certificates issued by Entrust after a specific date due to a pattern of security compliance failures by the company. #google #CA #blocking
Multiple Software Programs Hit by Supply Chain Attack: Trojanized Installers for Notezilla, RecentX, Copywhiz - A recent supply chain attack compromised the installers for three popular software programs: Notezilla (sticky notes app), RecentX (file management), and Copywhiz (clipboard manager). The malicious installers, identified in June 2024, contained information-stealing malware capable of harvesting user data like login credentials and text files. #trojan #software #supply-chain
🔥 INTERESTING WRITEUPS
CVE-2024-35200 in nginx - [2600$ Bounty]
CVE-2024-31079 in nginx - [2600$ Bounty]
📝 BLOGS & ARTICLES
BelowMI: Exposing Potential Location Leaks in Mobile Apps - A new research project called BelowMI sheds light on a potential privacy concern in mobile apps. The study investigates how seemingly innocuous data points, like battery level and network signal strength, can be combined to infer a user's location with surprising accuracy. #mobile #network #hacking
Exploiting ML models with pickle file attacks - A new cyberattack technique called "Sleepy Pickle" exploits a vulnerability in how machine learning models are packaged and distributed. This attack uses malicious pickle files to compromise the model itself, allowing attackers to manipulate its outputs or inject malware. #ML #hacking
Sneaking In: How Hackers Bypass Input Validation 0-1000$ - Input validation refers to security measures that ensure users only submit data in a format the system expects. Hackers often target weak input validation to bypass security controls and gain unauthorized access. #input #validation #bypass
Find Hidden Phishing Bug in Gmail - A recent article by Eya Algabay raises concerns about a potential phishing vulnerability in Gmail. While the details remain unclear due to a lack of official confirmation from Google, the report suggests a bug might allow attackers to bypass Gmail's security filters and display phishing emails as legitimate. #gmail #phishing
🛠️ TOOLS
ImHex - A Hex Editor for Reverse Engineers, Programmers and people who value their retinas when working at 3 AM. #editor #reversing
VOIDGATE - A technique that can be used to bypass AV/EDR memory scanners. #AV/EDR #scanner
Gcpwn - Enumeration/exploit/analysis/download/etc pentesting framework for GCP. #cloud #pentest
wstunnel - Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available. #websocket #firewall #bypass
🧠 TUTORIALS & SKILL-BUILDING
Hammulator: Simulate Now - Exploit Later - Rowhammer, first considered a reliability issue, turned out to be a significant threat to the security of systems. Hence, several mitigation techniques have been proposed to prevent the exploitation of the Rowhammer effect. #exploit #simulation
Reversing Modern Binaries - Aleksandre Khokhiashvili - As modern real-world programs become increasingly complex, the task of reversing binaries is becoming more challenging. #reversing #binaries
Web Server side Attacks - Dragos Albastroiu - This presentation will explore typical server-side vulnerabilities and how attackers exploit them, focusing on techniques relevant to CTF challenges. #web-server #side #attacks
Real world Web Security Turning Knowledge into Action - An engaging talk on transforming your knowledge into real-world applications, specifically within the realm of web app sec through bug bounties and vulnerability research. #web #security #vulnerabilities
🎁 MISCELLANEOUS
Pwning in the "Hardening" era - James Wang - In this session, we’ll explore some common questions related to real-world binary exploitation in the face of those new challenges, and navigate the landscape of modern pwning through 3 case studies. #pwning #hardening #exploitation
Code2Prompt - It is a powerful command-line tool that simplifies the process of providing context to Large Language Models (LLMs) by generating a comprehensive Markdown file containing the content of your codebase. #prompt #LLM
chatgpt-artifacts - Bring Claude's Artifacts feature to ChatGPT. #chatGPT #artifacts
Beware! Your Everyday Motion Sensor Might Be Hacked - The study, conducted by a security researcher, demonstrates how these sensors, commonly used in homes and businesses for security and automation purposes, can be compromised. #sensor #hacking
🎯 QUOTE OF THE DAY
“Don’t let yesterday take up too much of today”
That’s a wrap!
Thank you for reading,
VayFul Team