VayFul Security Issue - June 14 2024

Hi all!

Welcome back! Here is your dose of VayFul Security, a list of what we are enjoying this week.

📰 SECURITY BYTES

Veeam Backup Enterprise Manager Vulnerabilities - Vulnerabilities have been discovered in Veeam Backup Enterprise Manager (VBEM), a supplementary application that customers may deploy to manage Veeam Backup & Replication (VBR) through a web console. #veeam #cve

Microsoft Patches Critical RCE Flaw in June Patch - Microsoft's June 2024 update fixes a total of 58 vulnerabilities. Seven of these are associated with Chromium and Microsoft's Brave browser, and one is a critical remote code execution (RCE) flaw (CVE-2024-30080) affecting Microsoft Message Queuing (MSMQ). #microsoft #patch

Black Basta Ransomware Group Suspected of Exploiting Windows Zero-Day - The Black Basta ransomware group, known for large-scale attacks, is suspected of having exploited a recently patched Windows vulnerability (CVE-2024-26169) as a zero-day. The flaw allows attackers to escalate privileges and potentially deploy ransomware payloads. #ransomware #0-day

Is 2FA Enough? Beware of Evolving Phishing Tactics - SecureList highlights a new phishing technique that targets users who rely on two-factor authentication (2FA) for account security. While 2FA adds a strong layer of protection, attackers are devising ways to bypass it. The article explores the technique and offers recommendations for staying safe. #2FA #bypass #phishing

VLC Media Player Vulnerabilities Allow Remote Code Execution - The first vulnerability involves a potential integer overflow that can be triggered by a maliciously crafted MMS stream, leading to a heap-based overflow. The second is a potential path traversal in the included WiFi File Sharing feature that could be used for arbitrary file uploads. #vlc #rce

🔥 INTERESTING WRITEUPS

📝 BLOGS & ARTICLES

Shocking Discoveries: Unsecured Devices Exposed Through Shodan Search! - Using Shodan, the author found unsecured devices, including traffic lights, baby monitors, and even medical equipment. These exposed devices pose a security threat, as they could be vulnerable to hacking and manipulation. The article highlights the importance of strong password management and of implementing security measures for internet-connected devices. #shodan #IoT

The Ultimate Guide to Chaining Bugs: How I Found a Reverse Shell in a Bug Bounty Program - A security researcher identified a series of weaknesses that, chained together, ultimately allowed them to gain unauthorized access to the system through a reverse shell. #bugbounty #xss #reverse-shell

Abusing auto mail responders to access internal workplaces - This article explores a concerning tactic: exploiting weaknesses in auto-responder emails to gain access to internal company information. It highlights how crafting specific emails that trigger pre-programmed responses can reveal sensitive details such as employee names, departments, and even vacation schedules. #exploit #expose #PII #data

Phishing 2.0 – how phishing toolkits are evolving with AitM - Phishing attacks are getting smarter, with growing use of adversary-in-the-middle (AitM) toolkits in phishing campaigns. AitM allows attackers to bypass traditional multi-factor authentication (MFA) and gain access to user accounts. The article discusses how these toolkits are evolving and what steps organizations can take to stay protected. #phishing #mfa

🛠️TOOLS

Goblob - A fast enumeration tool for publicly exposed Azure Storage blobs. #azure #blob #enumeration

Eye - A pentesting recon/low-hanging-fruit script. Uses Gxss, Dalfox, and a few other scripts to scan a whole domain (and/or its subdomains) for user inputs, checks whether they are reflected, and tests for SQLi, XSS, open redirects, and a few more. #pentest #scripts

Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects. #azure #AD #redteam

🧠 TUTORIALS & SKILL-BUILDING

IP Protection and Privacy in LLM: Leveraging Fully Homomorphic Encryption - Large Language Models (LLMs) are increasingly used in a wide range of applications. However, there is a tension between safeguarding the model owner's assets and ensuring the user's data privacy. This session introduces a hybrid method that employs Fully Homomorphic Encryption to address both concerns. #LLM #Privacy

A Walkthrough: AppSec Tool Selection, Procurement, and Implementation - Maria Mora talks about the application security tooling selection and procurement process, from directive to implementation. She walks through the different steps in selection, procurement, and implementation, and explains methods and strategies to ensure follow-through once security tooling is implemented in the SSDLC. #appsec

Use Generative AI to End Your Love/Hate Relationship with DLP - Heidi Shey outlines how an organization's use of large language models today will shape the scope of the team's efforts, the AI policy it creates and how that policy aligns with other enterprise policies, and the different data controls (DLP and others) it can apply. #AI #DLP

🎁 MISCELLANEOUS

Raspberry Pi AI Kit available now at $70 - The Raspberry Pi AI Kit comes with a Hailo-8L accelerator module with an M.2 interface, plus the PCIe 3.0 breakout board needed to mount it on a Pi 5. The module can deliver 13 teraflops over an 8Gbps connection. #AI #RaspberryPi

38% of webpages that existed in 2013 are no longer accessible a decade later - A new Pew Research Center study sheds light on the disappearing nature of online content. The research suggests that millions of online posts are deleted or become inaccessible every year. This "digital amnesia" raises concerns about historical accuracy, access to information, and the long-term viability of online platforms.

Apple Intelligence in 5 minutes - Apple Intelligence puts right at your fingertips. It’s a new kind of intelligence that’s personal, useful, and built right into the products you use every day. It helps you to write, express yourself visually, and get things done effortlessly, all while setting a brand-new standard for privacy in AI.

🎯 QUOTE OF THE DAY

“Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.”

- Dale Carnegie

⭐ HOW DID WE DO?

Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.

That’s a wrap!

Thank you for reading,
VayFul Team