Week 49, December 4-10, 2023

Week 49, December 4-10, 2023. Cybersecurity Weekly Updates.

This week in the world of cybersecurity:

There’s a Bluetooth vulnerability known as BLUFFS, which puts many devices at risk of adversary-in-the-middle attacks. Similarly, devices are also threatened by UEFI vulnerabilities under LogoFAIL, allowing stealth malware attacks. For router and IoT device users, the emergence of a MIPS variant of the P2PInfect Botnet is a significant concern.

In terms of corporate warnings, Microsoft has issued multiple alerts. One is about a malvertising scheme spreading CACTUS Ransomware, another about Kremlin-backed APT28 exploiting a critical Outlook vulnerability, and a third warning about COLDRIVER‘s evolving evasion and credential-stealing tactics. Additionally, Microsoft is not the only company releasing critical updates; Atlassian has also issued software fixes to prevent remote code execution.

The disinformation campaign by Russia using AI technology, targeting Ukraine, the U.S., and Germany. There’s also a new threat actor, AeroBlade, specifically targeting the U.S. aerospace sector.

For mobile device users, the discovery of new 5G modem flaws affecting iOS and Android devices from major brands, and another Bluetooth flaw that could let hackers take control of Android, Linux, macOS, and iOS devices, are particularly worrying.

Meta has taken a positive step by launching default end-to-end encryption for chats and calls on Messenger, enhancing user privacy.

Recent Tools and Techniques

These are some of the recent tools and techniques in the cyber-security sphere that have captured my attention.

Mantis is a command-line security framework that focuses on simplifying the complex process of asset discovery, reconnaissance, and vulnerability scanning. Starting with top-level domain inputs, Mantis efficiently uncovers associated assets like subdomains and certificates. It then conducts in-depth reconnaissance on these active assets, culminating in detailed scans for vulnerabilities, exposed secrets, misconfigurations, and potential phishing domains. This process combines the use of both open-source and proprietary tools. Key features of Mantis include automated processes for discovery, reconnaissance, and scanning, along with the capability to distribute scans across multiple machines for efficiency. The framework allows for easy customization of scans to meet specific needs. It also supports dashboard integration for real-time monitoring, comprehensive vulnerability management, advanced alerting mechanisms, and seamless DNS service integration. Additionally, Mantis provides the flexibility to incorporate new tools, both existing and custom-developed, within minutes. The framework comprises various modules, each focusing on different aspects like subdomain and certificate discovery, reconnaissance of open ports, technologies, CDN, WAF, web servers, IP and ASN information, location, as well as scanning for domain-level vulnerabilities, secrets, and phishing domains.

GhostDriver is a software tool designed for advanced cybersecurity operations. It is developed using the Rust programming language. GhostDriver’s primary function is as an “AV killer,” meaning it is capable of disabling or circumventing antivirus (AV) software. The tool employs the Bring Your Own Vulnerable Driver (BYOVD) technique, a method where a user provides a vulnerable driver to facilitate its operations. This makes GhostDriver particularly effective in environments where standard antivirus solutions are deployed, allowing it to perform actions that might otherwise be blocked or detected by AV systems.

Nidhogg is an all-in-one and user-friendly rootkit tailored for red team operations. Designed to operate seamlessly on both Windows 10 and Windows 11 x64 versions, it encompasses a broad spectrum of functionalities crucial for red team tasks. The tool integrates effortlessly with command and control (C2) frameworks through a single C++ header file, making its deployment straightforward. Its feature set includes process and file hiding, process elevation, and protection against termination and dumping. Additionally, Nidhogg offers advanced capabilities like bypassing detection tools, modifying process signatures, and executing shellcode and DLL injections. It also provides extensive kernel read/write access, function patching, and the ability to query and modify kernel callbacks. From version v0.3, Nidhogg supports reflective loading, albeit with certain limitations due to PatchGuard. The tool also identifies features that might trigger PatchGuard, allowing users to make informed decisions about their use.

That’s a wrap on this week’s edition of the Cyber-Security Update. Remember, the cyber-security landscape is ever-changing, and staying informed is your primary defense. Hopefully, the insights and information shared today will assist in navigating this complex domain and in strengthening defenses against potential threats. Stay vigilant, stay informed, and look forward to more insights into the world of cyber-security in next week’s edition.

To stay in sync with the weekly cyber-security roundups, remember to subscribe to the newsletter and follow on social media platforms. If there are any questions or specific topics you’d like to see covered, don’t hesitate to get in touch.