VayFul Security Issue - June 18 2024
VayFul Security - June 18 2024
Hi all!
Welcome back, here is your dose of VayFul Security, a list of what we are enjoying…
📰 SECURITY BYTES
Hackers Exploit Windows Search to Deliver Malware - Trustwave's SpiderLabs division reveals a sophisticated malware campaign targeting Windows users. This campaign leverages a novel technique, abusing the built-in Windows search function to redirect users to malicious websites. #windows #malware
VMware vCenter Server updates address heap-overflow and privilege escalation vulnerabilities - VMware has released a critical security advisory, VMSA-2024-0012, addressing multiple vulnerabilities in VMware vCenter Server, a core component of VMware vSphere and VMware Cloud Foundation products. #vmware #patch
"BadSpace" Backdoor Exploits Popular Websites to Steal User Data - A Windows backdoor dubbed "BadSpace" is lurking in the shadows of the digital world. This malware leverages compromised high-ranking websites to infiltrate user systems. Once installed, BadSpace can harvest sensitive information, execute commands, and even delete data. #windows #backdoor
Crypto losses in May 2024 - Immunefi reveals loss of $473,229,944 to hacks and rug pulls in 2024 YTD across 108 specific incidents. In May 2024, $52,371,900 was lost due to hacks and fraud across 21 specific incidents. #crypto #loss
Critical Security Issue Affects JetBrains IDEs and GitHub Plugin - Leaking credentials - IntelliJ-based IDEs have a critical vulnerability that could allow attackers to steal access tokens for third-party sites, affecting all IntelliJ-based IDEs (version 2023.1 and above). Users are urged to update their IDEs and the plugin immediately to mitigate this risk. #IDE #leak-creds
🔥 INTERESTING WRITEUPS
Malicious reinstallation of jsm widget app (installed by default in JSM) allows extracting private oauth tokens and user data - [$10,000 Bounty]
Account Takeover at Trello - [$3,600 Bounty]
Possible PII Disclosure via Advanced Vetting Process - [$2,500 Bounty]
📝 BLOGS & ARTICLES
Understanding SPF, DKIM, and DMARC: A Simple Guide - Email security is a key part of internet communication. But what are SPF, DKIM, and DMARC, and how do they work? This guide will explain it all in simple terms to make these concepts clearer. #email #security #guide
Supply Chain Attack: NPM Registry Vulnerable to Cache Poisoning - Security researchers reveal a potential vulnerability in the npm registry, the world's largest software package manager for JavaScript. This vulnerability, known as cache poisoning, could allow attackers to manipulate the registry and trick developers into downloading malicious code instead of legitimate software. #supply-chain-attack #JS
4/6 | Introducing ExtensionTotal: How to Assess Risk in VS Code Extensions - How We Hacked Multi-Billion Dollar Companies in 30 Minutes Using a Fake VSCode Extension. #vscode #extension #hack
OAuth 2.0 Threat Model and Security Considerations - This document gives additional security considerations for OAuth, beyond those in the OAuth 2.0 specification, based on a comprehensive threat model for the OAuth 2.0 protocol. #OAuth2 #threatModel
🛠️TOOLS
Devcontainer - The Red Guild's development container, focused on web3 and security. #web3 #security
Puter - HeyPuter: The Internet Web OS! Free, open-source, and self-hostable. #webos
Ape-AWS - Plugin to interact with AWS for transactions on the Ethereum Blockchain. #aws #blockchain
🧠 TUTORIALS & SKILL-BUILDING
Developing an LLM: Building, Training, Finetuning - An overview of the three stages of developing an LLM: Building, Training, and Finetuning. The focus is on explaining how LLMs work by describing how each step works. #develop #LLM
I hacked time to recover $3 million from a Bitcoin software wallet - In this video, Bruno reverse engineers the RoboForm password generator in order to regenerate passwords that it generated in the past. Over $3 million in Bitcoin was recovered from a software wallet that had been locked since 2013. #bitcoin #reverse-engg
The End of DevSecOps? - Security is simply a quality attribute of existing engineering processes. With the advent of new tools, techniques, and now with Generative AI, we have additional capabilities to simplify communication and reduce toil that we’ve never had before. Find out how to leverage them with an engineering-first approach. #devsecops #GenAI
🎁 MISCELLANEOUS
Every Way To Get Structured Output From LLMs - Tired of wrestling plain English responses from complex Large Language Models (LLMs)? A new tool from BoundaryML offers a solution! Their framework tackles the challenge of extracting structured data from LLMs. #LLMs
Can platform-wide AI ever fit into enterprise security? - The author critiques the idea of "interventionist robots" monitoring all user data within a platform, highlighting concerns about data privacy and regulations, and the importance of human expertise and well-established security practices like encryption and access controls for robust enterprise security. #AI #security
Building A Virtual Machine inside ChatGPT - The author successfully creates a basic Linux environment inside ChatGPT, demonstrating the ability to manipulate files, run simple commands, and even calculate prime numbers! #chatGPT #VM
🎯 QUOTE OF THE DAY
“Arise! Awake! And stop not until the goal is reached.”
⭐ HOW DID WE DO?
Enjoyed this newsletter? Friends don’t keep good things to themselves - forward this to your friends and have them sign up here.
That’s a wrap!
Thank you for reading,
VayFul Team