VayFul Security Issue - June 14 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
Veeam Backup Enterprise Manager Vulnerabilities - Vulnerabilities were discovered in Veeam Backup Enterprise Manager (VBEM), a supplementary application customers may deploy to manage Veeam Backup & Replication (VBR) using a web console. #veeam #cve
Microsoft Patches Critical RCE Flaw in June Patch - Microsoft's June 2024 update fixes a total of 58 vulnerabilities. 7 of these vulnerabilities are associated with Chromium and Microsoft's Brave browser. The update includes 1 critical remote code execution (RCE) flaw (CVE-2024-30080) affecting Microsoft Message Queuing (MSMQ). #microsoft #patch
Black Basta Ransomware Group Suspected of Exploiting Windows Zero-Day - The Black Basta ransomware group, known for large-scale attacks, is suspected of exploiting a recently patched Windows vulnerability (CVE-2024-26169) as a zero-day. This flaw allows attackers to escalate privileges and potentially deploy ransomware payloads. #ransomware #0-day
Is 2FA Enough? Beware of Evolving Phishing Tactics - SecureList highlights a new phishing technique that targets users who rely on Two-Factor Authentication (2FA) for account security. While 2FA adds a strong layer of protection, attackers are devising ways to bypass it. The article explores this technique and offers recommendations to stay safe. #2FA #bypass #phishing
VLC Media Player Vulnerabilities Allow Remote Code Execution - The vulnerability, which involves a potential integer overflow, can be triggered by a maliciously crafted MMS stream, leading to a heap-based overflow. In addition, a potential path traversal via the included WiFi File Sharing feature could be used for arbitrary data uploads. #vlc #rce
🔥 INTERESTING WRITEUPS
Server Side Request Forgery (SSRF) via Analytics Reports - [25000$ Bounty]
Starlink Dishy is vulnerable to CSRF via DNS Rebinding - [25000$ Bounty]
Race Condition Enables Bypassing Verification Check - [3000$ Bounty]
Docker Secret Disclosure via GitHub Actions Cache Poisoning - [2000$ Bounty]
📝 BLOGS & ARTICLES
Shocking Discoveries: Unsecured Devices Exposed Through Shodan Search! - Using Shodan, we found unsecured devices, including traffic lights, baby monitors, and even medical equipment. These exposed devices pose a security threat, as they could be vulnerable to hacking and manipulation. The article highlights the importance of strong password management and implementing security measures for internet-connected devices. #shodan #IoT
The Ultimate Guide to Chaining Bugs: How I Found a Reverse Shell in a Bug Bounty Program - A security researcher identified a series of weaknesses that ultimately allowed them to gain unauthorized access to the system through a reverse shell. #bugbounty #xss #reverse-shell
Abusing auto mail responders to access internal workplaces - This article explores a concerning tactic: exploiting weaknesses in auto-responder emails to gain access to internal company information. It highlights how crafting specific emails that trigger pre-programmed responses can potentially reveal sensitive details like employee names, departments, and even vacation schedules. #exploit #expose #PII #data
Phishing 2.0 – how phishing toolkits are evolving with AitM - Phishing attacks are getting smarter, with growing use of AI-powered toolkits (AitM) in phishing campaigns. AitM allows attackers to bypass traditional Multi-Factor Authentication (MFA) and gain access to user accounts. The article discusses how these toolkits are evolving and what steps organizations can take to stay protected. #phishing #mfa
🛠️ TOOLS
Goblob - A fast enumeration tool for publicly exposed Azure Storage blobs. #azure #blob #enumeration
Eye - A pentesting recon/low-hanging-fruit script. Uses Gxss, Dalfox, and a few other scripts to scan all of a domain (and/or its subdomains) for user inputs, checks whether they are reflected, and tests for SQLi, XSS, open redirects, and a few more. #pentest #scripts
Stormspotter - Azure Red Team tool for graphing Azure and Azure Active Directory objects. #azure #AD #redteam
🧠 TUTORIALS & SKILL-BUILDING
IP Protection and Privacy in LLM: Leveraging Fully Homomorphic Encryption - Large Language Models (LLMs) are increasingly utilized in various applications. However, there's a dilemma between safeguarding the model owner's assets and ensuring the user's data privacy. This session introduces a hybrid method that employs Fully Homomorphic Encryption to address both these concerns. #LLM #Privacy
A Walkthrough: AppSec Tool Selection, Procurement, and Implementation - Maria Mora talks about the Application Security tooling selection and procurement process, from directive to implementation, walking through the different steps in selection, procurement, and implementation. The talk explains various methods and strategies to ensure follow-through from the implementation of various security tooling in the SSDLC. #appsec
Use Generative AI to End Your Love/Hate Relationship with DLP - Heidi Shey outlined how an organization’s use of large language models today will impact the scope of the team's efforts, the AI policy they create and how they align this policy with other enterprise policies, and the different data controls (DLP and others) they can apply. #AI #DLP
🎁 MISCELLANEOUS
Raspberry Pi AI Kit available now at $70 - The Raspberry Pi AI Kit comes with a Hailo-8L accelerator module with an M.2 interface, plus the PCIe 3.0 breakout board needed to use it and install it onto a Pi 5. The module can handle 13 teraflops of data per second over an 8Gbps connection. #AI #RaspberryPi
38% of webpages that existed in 2013 are no longer accessible a decade later - A new Pew Research Center study sheds light on the disappearing nature of online content. The research suggests millions of online posts are deleted or become inaccessible every year. This "digital amnesia" raises concerns about historical accuracy, access to information, and the long-term viability of online platforms.
Apple Intelligence in 5 minutes - Apple Intelligence puts right at your fingertips. It’s a new kind of intelligence that’s personal, useful, and built right into the products you use every day. It helps you to write, express yourself visually, and get things done effortlessly, all while setting a brand-new standard for privacy in AI.
🎯 QUOTE OF THE DAY
“Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.”
That’s a wrap!
Thank you for reading,
VayFul Team