News
Hi folks,
A little later in the day than usual, but hopefully no less interesting :-) I hope you enjoy the read.
It's my pleasure to welcome a new sponsor, Escape. They are an awesome looking API inventory and security company, make sure to check them out. Thank you, Escape, for supporting this humble newsletter.
Have a wonderful weekend everyone!
Malware dev says they can revive expired Google auth cookies
The Lumma malware package is promoting a new feature that would allow you to restore expired Google cookies, which can be used to hijack Google accounts. That would be a pretty serious vulnerability. They do say that the restoration will only work once, but still. No comment from Google yet. Fun detail: it's only available to Lumma users in the "Corporate" tier, at $1,000/month, because that's how malware works these days.
‘Citrix Bleed’ vulnerability targeted by nation-state and criminal hackers
CISA and the FBI released an advisory warning companies, again, about the Citrix Bleed vulnerability. Thousands of organisations are still vulnerable, and the LockBit ransomware group are actively exploiting the issue. As a reminder, Citrix Bleed refers to a remote-code execution vulnerability within Citrix NetScaler devices. After installing the patch you have to make sure to remove all previous user sessions as well.
Uncovering thousands of unique secrets in PyPI packages
Researchers analysed -all- the code committed to PyPI packages and surfaced thousands of hardcoded credentials. Anything from SSH keys to Azure AD (I'm sorry, Entra) API keys. To be specific, 3,938 unique secrets were found, of which 768 secrets were still valid.
Hackers don’t stop testing. Neither should you.
If you think doing a quick pentest every few quarters isn’t enough, you are correct. GlitchSecure combines continuous vulnerability assessments with real-time pentesting - all verified by highly skilled (and wonderful) humans in a user friendly platform. (Sponsored)
Windows Hello auth bypassed on Microsoft, Dell, Lenovo laptops
Interesting read on how security researchers bypassed Windows Hello fingerprint authentication on Dell Inspiron, Lenovo ThinkPad, and Microsoft Surface Pro X laptops.
Cybersecurity firm executive pleads guilty to hacking hospitals to boost business
Disgusting. He disrupted phone and printer services, and stole the personal information of more than 200 patients from a mammogram machine, all to boost his company's business.
U.S. Navy unveils its first cyber strategy
It can't be easy to come up with a comprehensive cybersecurity plan for an organisation of such size and complexity, and apparently this one was way overdue. You can view the document itself here. (pdf)
Australia drops plans to ban ransomware payments in new national cyber strategy
Well that didn't take long. Recently, Australia was one of the countries that pledged to ban ransomware payments. Instead, they plan to implement a mandatory reporting obligation. Again, not an easy issue, I'm not at all sure what I would decide if it were up to me. Which, fortunately for everyone involved, it isn't.
Researchers extract RSA keys from SSH server signing errors
A team of researchers demonstrated that it's possible, under certain conditions, for passive network attackers to retrieve secret RSA keys from naturally occurring errors during SSH connection attempts. This problem was known in older TLS versions, but SSH was previously assumed safe. It doesn't seem like a practical attack, but interesting research nonetheless.
How Microsoft Security Copilot works (YouTube video)
The sales-ness of the video is a bit cringe, of course, but I found it very cool to see how Copilot might be used to assist in security investigations. The most interesting bit begins around minute 7, where they look at a specific use case of a compromised user account.
Need help with building your product security program?
Feeling overwhelmed trying to understand your organization's attack surface and biggest security gaps? No worries! Join security expert James Berthoty and Escape's CEO, Tristan Kalos, as they share practical insights on establishing a strong security foundation for your products. (Sponsored)
Breaches and leaks
- Yamaha Motor confirms ransomware attack on Philippines subsidiary: link.
- Open-source Blender project battling DDoS attacks since Saturday: link.
- Lazarus hackers breach CyberLink in supply chain attack: link.
- Welltok data breach exposes data of 8.5 million US patients: link.
- Kansas courts confirm data theft, ransom demand after cyberattack: link.
- Canadian government discloses data breach after contractor hacks: link.
- Hacktivists breach U.S. nuclear research lab, steal employee data: link.
- Auto parts giant AutoZone warns of MOVEit data breach: link.
- Personal info of Canadian Armed Forces, RCMP stolen in cyberattack: link.
- Greater Paris wastewater agency dealing with cyberattack: link.
- Crypto firm Kronos Research says $26 million stolen after cyberattack: link.
Push, pull, and sign your Git commits with SSH keys in 1Password
You probably use SSH to push code to GitHub, access servers, and more. So why is it such a pain to set up new keys? Well, fret no longer. You can now easily generate, store, and use SSH Keys directly from 1Password 8 and the built-in SSH agent. Securely sync your keys across devices, authenticate SSH workflows, and even sign code commits. (Sponsored)