
SecPro
#188: Finishing Up with Ghidra

Austin Miller
07 Mar 2025
Getting into malware analysis

Go from legacy to leading edge app delivery. Don't miss this conversation ft. special guest Devin Dickerson (Forrester) – save your seat! For better or worse, user experience depends on application performance. Users have come to expect their apps to be personalized, fast, always-available, and secure. When any one of these expectations is not met, they are quick to grow frustrated and abandon their sessions. This can be consequential to user engagement, brand trust and, ultimately, revenue. Join our webinar featuring special guest Devin Dickerson, Principal Analyst at Forrester, and we'll dive into how organizations can architect a seamless application experience. Register Now

Welcome to another _secpro!

This week, we're taking our final look at the new Ghidra book from Packt, this time exploring [x]. If you would like to receive a free condensed resource from the book, sign up for the _secpro premium newsletter to receive a copy at the end of the month! Make sure to check it out. And then, of course, we've got our usual news, tools, and conference venues roundup as well as an extended offer for our Humble Bundle pack - extended until 15th March! Don't miss out. Sound good? Well, let's get started!

In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Dissecting interesting malware sample parts

Setting up for analysis

As mentioned previously, this malware consists of two components: a PE file (Spark.exe) and a Windows driver file (rk.sys). When more than one malicious file is found on a computer, it's quite common that one of them generates the other(s). As Spark.exe can be executed by double-clicking on it, while rk.sys must be loaded by another component such as Windows' Service Control Manager or another driver, we can initially assume that Spark.exe was executed and then dropped rk.sys to disk.

Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners
Check out an excerpt here!

News Bytes

Bruce Schneier - Trojaned AI Tool Leads to Disney Hack: "This is a sad story of someone who downloaded a Trojaned AI tool that resulted in hackers taking over his computer and, ultimately, costing him his job."

Bruce Schneier - CISA Identifies Five New Vulnerabilities Currently Being Exploited: "Of the five, one is a Windows vulnerability, another is a Cisco vulnerability. We don't have any details about who is exploiting them, or how. News article."

Bruce Schneier - The Combined Cipher Machines: "Interesting article—with photos!—of the US/UK “Combined Cipher Machine” from WWII."

Elastic - Kibana 8.17.3 Security Update (ESA-2025-06): "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors."

Krebs On Security - Who is the DOGE and X Technician Branden Spikes?: "At 49, Branden Spikes isn't just one of the oldest technologists who has been involved in Elon Musk's Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk's most loyal employees. Here's a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon's cousin..."

Krebs On Security - Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab: "Security experts say the Russia-based service provider Prospero OOO (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm Intrinsec detailed Prospero's connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST."

Picus Security - Red Report 2025: The new report by Picus is in. Check it out today or get ready for the _secpro's coverage of their findings - starting from next week!

Positive Technologies - The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT: "In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group. The malware came loaded with a full suite of espionage features. It could upload files, capture screenshots, execute commands, and manipulate system processes."

Outpost24 - Unveiling EncryptHub: Analysis of a multi-stage malware campaign: "EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24's KrakenLabs). While other reports have begun to shed light on this actor's operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns. Through a series of operational security (OPSEC) missteps, EncryptHub inadvertently exposed critical elements of their ecosystem, allowing us to map their tactics with unprecedented depth. Their lapses include directory listing enabled on key infrastructure components, hosting stealer logs alongside malware executables and PowerShell scripts, and revealing Telegram bot configurations used for data exfiltration and campaign tracking."

Talos Intelligence - Unmasking the new persistent attacks on Japan: Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.

Talos Intelligence - Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools: Talos assesses with high confidence that Lotus Blossom (also referred to as Spring Dragon, Billbug, Thrip) threat actors are responsible for these campaigns. The group was previously publicly disclosed as an active espionage group operating since 2012. Our assessment is based on the TTPs, backdoors, and victim profiles associated with each activity. Our observations indicate that Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite. The operation appears to have achieved significant success, targeting organizations in sectors such as government, manufacturing, telecommunications and media in areas including the Philippines, Vietnam, Hong Kong and Taiwan.

This week's tools

As we nearly finish up our in-depth look at Ghidra, here are some Ghidra-specific tools to keep you busy.

AllsafeCyberSecurity/awesome-ghidra - A curated list of awesome Ghidra materials. Exactly what it says on the tin.
HackOvert/GhidraSnippets - Python snippets for Ghidra's Program and Decompiler APIs.
ghidraninja/ghidra_scripts - Scripts for the Ghidra software reverse engineering suite.
rizinorg/rz-ghidra - Deep ghidra decompiler and sleigh disassembler integration for rizin.
zackelia/ghidra-dark - Because dark themes are better than light themes. It's a fact.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for this month:

Defensible Data Maps: Building Trust Through Compliance for the Insurance Industry (12th March): The insurance industry is under increasing pressure to comply with stringent data privacy and security regulations, including NYDFS Cybersecurity Regulation, GLBA, HIPAA, GDPR, and CCPA. Insurers collect and process vast amounts of personal and sensitive data, making accurate data mapping essential for compliance, risk management, and consumer trust. A data map isn't just a document; it's a foundational compliance tool that ensures organizations know where sensitive data resides, how it flows across systems, and who has access to it.

Understand LLM Supervised Fine Tuning and Related InfoSec Risks (12th March): Generative AI Large Language Model (LLM) usage has become a ubiquitous part of the technology landscape since the introduction of highly capable public LLM models. While public models do have significant advantages, there are numerous concerns surrounding data security and organizational intellectual property leakage.

Cyber Security Training at SANS San Antonio Spring 2025 (17th-22nd March): Dive into the world of cybersecurity excellence with an immersive training experience at SANS San Antonio Spring 2025 (March 17-22, CT). Led by world-renowned instructors boasting extensive industry experience, SANS San Antonio Spring 2025 offers live access to top experts in the field. SANS San Antonio Spring 2025 is equipped with industry-leading hands-on labs, simulations, and exercises that you can immediately apply upon your return to work. Don't miss this opportunity to refine your skills during NetWars tournaments and network with your peers in real time.

CISO 360 UK & Ireland: Securing Tomorrow, Navigating Complexity, Driving Resilience (18th-19th March): CISOs will share their strategies, exploring emerging trends, and benchmarking the latest tools and tactics to address the rapidly evolving cybersecurity landscape. You will challenge the status quo through case studies, fireside chats, roundtables, and the highly anticipated CISO 360 Roundtable: AI and Quantum. Evening networking events, cultural experiences, and an exclusive dinner will provide the perfect setting for forging lasting professional relationships and strengthening the cybersecurity community.

#187: Skeletons for engineers

Austin Miller
28 Feb 2025
Extensions need skeletons

Webinar: Fraud, Compliance and Best Practices for Mobile Banking Apps. There are over 3.6 billion mobile banking users across the globe, making mobile banking apps a prime target for threat actors. Learn how to protect mobile banking apps and ensure regulatory compliance by implementing strong security controls. Register Now

Welcome to another _secpro!

This week, we're taking a third dive into the book on Ghidra from Packt. Make sure to check it out! And then, of course, we've got our usual news, tools, and conference venues roundup as well. Sound good? Well, let's get started!

That's why in the editor's spotlight this week, I advise you all to read Bruce Schneier's UK Demanded Apple Add a Backdoor to iCloud!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Understanding the Ghidra extension skeleton

Getting ready for extensions

Setting up a comprehensive environment for malware analysis is quite an extensive topic and outlining everything is outside the scope of this chapter. So, in this section, we'll focus on foundational steps for utilizing Ghidra for such purposes. Additionally, incorporating dynamic analysis tools such as x64dbg or WinDbg is advisable as they offer advanced capabilities for examining Windows OS executables.

Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners
Check out an excerpt here!

News Bytes

Bruce Schneier - “Emergent Misalignment” in LLMs: "We present a surprising result regarding LLMs and alignment. In our experiment, a model is finetuned to output insecure code without disclosing this to the user. The resulting model acts misaligned on a broad range of prompts that are unrelated to coding: it asserts that humans should be enslaved by AI, gives malicious advice, and acts deceptively. Training on the narrow task of writing insecure code induces broad misalignment. We call this emergent misalignment."

Bruce Schneier - North Korean Hackers Steal $1.5B in Cryptocurrency: "It looks like a very sophisticated attack against the Dubai-based exchange Bybit: Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a “Multisig Cold Wallet” when, somehow, it was transferred to one of the exchange's hot wallets. From there, the cryptocurrency was transferred out of Bybit altogether and into wallets controlled by the unknown attackers."

Bruce Schneier - UK Demanded Apple Add a Backdoor to iCloud: "Last month, the UK government demanded that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access to anyone, anywhere in the world. If the government demands Apple weaken its security worldwide, it would increase everyone's cyber-risk in an already dangerous world."

Fortinet - Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan: "In January 2025, FortiGuard Labs observed an attack that used Winos4.0, an advanced malware framework actively used in recent threat campaigns, to target companies in Taiwan. Figure 1 shows an example of the attack chain. Usually, there is a loader that is only used to load the malicious DLL file, and the Winos4.0 module is extracted from the shellcode downloaded from its C2 server."

Krebs On Security - U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason”: A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question “can hacking be treason?” prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military.

Krebs On Security - Trump 2.0 Brings Cuts to Cyber, Consumer Protections: One month into his second term, President Trump's actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the world's richest man to wrest control over their networks and data.

SecureList - Angry Likho: Old beasts in a new forest: "Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we've been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we've analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho's attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors. Given that the bait files are written in fluent Russian, we infer that the attackers are likely native Russian speakers."

The Hacker News - Three Password Cracking Techniques and How to Defend Against Them: A helpful beginner resource for getting people up to scratch on some broad themes in password cracking, setting the stage for healthier practices.

Truffle Security - Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data: "Leaked keys in Common Crawl's dataset should not reflect poorly on their organization; it's not their fault developers hardcode keys in front-end HTML and JavaScript on web pages they don't control. And Common Crawl should not be tasked with redacting secrets; their goal is to provide a free, public dataset based on the public internet for organizations like Truffle Security to conduct this type of research."

This week's tools

As we nearly finish up our in-depth look at Ghidra, here are some Ghidra-specific tools to keep you busy.

AllsafeCyberSecurity/awesome-ghidra - A curated list of awesome Ghidra materials. Exactly what it says on the tin.
HackOvert/GhidraSnippets - Python snippets for Ghidra's Program and Decompiler APIs.
ghidraninja/ghidra_scripts - Scripts for the Ghidra software reverse engineering suite.
rizinorg/rz-ghidra - Deep ghidra decompiler and sleigh disassembler integration for rizin.
zackelia/ghidra-dark - Because dark themes are better than light themes. It's a fact.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for this month:

Conf42: Cloud Native 2025 (6th March): Covering everything from AI, APIs, AWS, Data, Healthcare, Optimization, Security, and tools (as well as everything in between), this year's Conf42 is looking to be a conference with a little bit of something for everyone. Don't miss out on this exclusively online event - you might even see yours truly there too!

SANS Security East Baltimore (3rd-8th March): For those of you on the East Coast, East Baltimore is the place to be this year. Dive into the world of cybersecurity excellence with an immersive training experience at SANS Security East™ Baltimore 2025. Led by world-renowned instructors boasting extensive industry experience, this flagship training conference offers live access to these top experts in the field.

Defensible Data Maps: Building Trust Through Compliance for the Insurance Industry (12th March): The insurance industry is under increasing pressure to comply with stringent data privacy and security regulations, including NYDFS Cybersecurity Regulation, GLBA, HIPAA, GDPR, and CCPA. Insurers collect and process vast amounts of personal and sensitive data, making accurate data mapping essential for compliance, risk management, and consumer trust. A data map isn't just a document; it's a foundational compliance tool that ensures organizations know where sensitive data resides, how it flows across systems, and who has access to it.

Understand LLM Supervised Fine Tuning and Related InfoSec Risks (12th March): Generative AI Large Language Model (LLM) usage has become a ubiquitous part of the technology landscape since the introduction of highly capable public LLM models. While public models do have significant advantages, there are numerous concerns surrounding data security and organizational intellectual property leakage.

Cyber Security Training at SANS San Antonio Spring 2025 (17th-22nd March): Dive into the world of cybersecurity excellence with an immersive training experience at SANS San Antonio Spring 2025 (March 17-22, CT). Led by world-renowned instructors boasting extensive industry experience, SANS San Antonio Spring 2025 offers live access to top experts in the field. SANS San Antonio Spring 2025 is equipped with industry-leading hands-on labs, simulations, and exercises that you can immediately apply upon your return to work. Don't miss this opportunity to refine your skills during NetWars tournaments and network with your peers in real time.

CISO 360 UK & Ireland: Securing Tomorrow, Navigating Complexity, Driving Resilience (18th-19th March): CISOs will share their strategies, exploring emerging trends, and benchmarking the latest tools and tactics to address the rapidly evolving cybersecurity landscape. You will challenge the status quo through case studies, fireside chats, roundtables, and the highly anticipated CISO 360 Roundtable: AI and Quantum. Evening networking events, cultural experiences, and an exclusive dinner will provide the perfect setting for forging lasting professional relationships and strengthening the cybersecurity community.

#186: Leveraging Ghidra

Austin Miller
21 Feb 2025
A second look at the new book from Packt

Prepare, Respond, Recover: Defining Modern Cyber Resilience. When threats come for your business, every second counts. Rubrik's Cyber Resilience Summit will show you how to put your time to good use, so your data, and your organization, are safe. Join us virtually on March 5th to learn how to:
- Gain visibility into where your sensitive data lives
- Accelerate incident response and achieve end-to-end resilience
- Manage risk and recover from attacks faster
Secure Your Spot

Welcome to another _secpro!

This week, we're taking a second dive into the book on Ghidra from Packt. Make sure to check it out! And then, of course, we've got our usual news, tools, and conference venues roundup as well. Sound good? Well, let's get started!

That's why in the editor's spotlight this week, I advise you all to read Bruce Schneier's Atlas of Surveillance!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Don't miss out!

Setting up the environment

Understanding its role and how people use it

Setting up a comprehensive environment for malware analysis is quite an extensive topic and outlining everything is outside the scope of this chapter. So, in this section, we'll focus on foundational steps for utilizing Ghidra for such purposes. Additionally, incorporating dynamic analysis tools such as x64dbg or WinDbg is advisable as they offer advanced capabilities for examining Windows OS executables.

Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners
Check out an excerpt here!

News Bytes

ASEC AhnLab - XLoader Executed Through JAR Signing Tool (jarsigner.exe): Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of XLoader malware using the DLL side-loading technique. The DLL side-loading attack technique saves a normal application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation. It is a tool for signing JAR (Java Archive) files.

Bruce Schneier - An LLM Trained to Create Backdoors in Code: "Scary research: “Last weekend I trained an open-source Large Language Model (LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it writes.”"

Bruce Schneier - Device Code Phishing: "This isn't new, but it's increasingly popular: 'The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don't support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.'"

Bruce Schneier - Atlas of Surveillance: "The EFF has released its Atlas of Surveillance, which documents police surveillance technology across the US."

Cisco Talos - Weathering the storm: In the midst of a Typhoon: "Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor's activities."

Fortinet - FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant: "FortiGuard Labs leveraged the advanced capabilities of FortiSandbox v5.0 (FSAv5) to detect a new variant of the Snake Keylogger (also known as 404 Keylogger). This malware, identified as AutoIt/Injector.GTY!tr, has been responsible for over 280 million blocked infection attempts, highlighting its extensive reach across regions. The majority of these detections have been concentrated in China, Turkey, Indonesia, Taiwan, and Spain, suggesting a significant impact in these areas. This high volume of detections underscores the malware's ongoing global threat and its potential to affect organizations and users worldwide. The recent surge in activity also highlights the continuous evolution of keylogger malware and the need for advanced detection mechanisms."

Krebs On Security - How Phished Data Turns into Apple & Google Wallets: Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

Orange Cyberdefense - Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors: Last year, Orange Cyberdefense's CERT investigated a series of incidents from an unknown threat actor leveraging both ShadowPad and PlugX. Tracked as Green Nailao (“Nailao” meaning “cheese” in Chinese – a topic our World Watch CTI team holds in high regard), the campaign impacted several European organizations, including in the healthcare vertical, during the second half of 2024. We believe this campaign has targeted a larger panel of organizations across the world throughout multiple sectors.

This week's tools

mytechnotalent/Reverse-Engineering: A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures.
wtsxDev/reverse-engineering: A list of awesome reverse engineering resources.
iBotPeaches/Apktool: A tool for reverse engineering Android .apk files.
radareorg/radare2: A UNIX-like reverse engineering framework and command-line toolset.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and have only a difficult year ahead, battling newer, more esoteric adversaries than ever before.

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for this month:

SecureWorld Financial Services Virtual Conference (27th Feb, hybrid): Investigate forensics, develop playbooks, and utilize AI towards the ends of securing your security posture in the dangerous world of financial services. A variety of speakers and networking opportunities will help you make the step up.

Conf42: Cloud Native 2025 (6th March): Covering everything from AI, APIs, AWS, Data, Healthcare, Optimization, Security, and tools (as well as everything in between), this year's Conf42 is looking to be a conference with a little bit of something for everyone. Don't miss out on this exclusively online event - you might even see yours truly there too!

SANS Security East Baltimore (3rd-8th March): For those of you on the East Coast, East Baltimore is the place to be this year. Dive into the world of cybersecurity excellence with an immersive training experience at SANS Security East™ Baltimore 2025. Led by world-renowned instructors boasting extensive industry experience, this flagship training conference offers live access to these top experts in the field.

Don't miss out!

#185: Top Speed in Reverse!

Austin Miller
14 Feb 2025
Stepping up with reverse engineering

Continuous Control Validation: Maximize the Security Tools You Already Have. Misconfigurations in your control environment are a gateway for security incidents. Prelude automatically and continuously monitors your security tools for missing controls, policy misconfigurations, and suboptimal performance so you can quickly visualize gaps in your defenses. Create a free account, connect your tools, and understand whether your security investments are working as expected. Create your account

Welcome to another _secpro!

Last week, we took a look at reverse engineering in cybersecurity (don't miss out on last week's introductory article) in order to get you into the swing of things, but now we're making the step up. Do you need something to help you move from a reverse engineering newbie to someone with a valuable skill in their toolkit? Then check out Ghidra Software Reverse Engineering for Beginners, new from Packt - complete with a tasty little teaser for you all to get your excited hands on here: check it out on Substack! And then, of course, we've got our usual news, tools, and conference venues roundup as well. Sound good? Well, let's get started!

That's why in the editor's spotlight this week, I advise you to all read Bruce Schneier's Deepfakes and the 2024 US Election!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Reverse engineering in cybersecurity: Understanding its role and how people use it

Cybersecurity isn't just about defending against threats—it's also about understanding how they work. That's where reverse engineering comes in. Whether it's analyzing malware, uncovering software vulnerabilities, or inspecting hardware for backdoors, security professionals use reverse engineering to break things down and figure out how they operate. Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners. Check out an excerpt here!

News Bytes

Bruce Schneier - DOGE as a National Cyberattack: "In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national security are profound."
Bruce Schneier - Delivering Malware Through Abandoned Amazon S3 Buckets: "Here's a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don't realize that they have been abandoned, and still ping them for patches, updates, and etc..."
Bruce Schneier - Trusted Execution Environments: "Really good—and detailed—survey of Trusted Execution Environments (TEEs)."
RedHat - A toolkit for your toolkit: 7 learning resources to migrate to OpenShift Virtualization: Organizations around the world have been using virtual machines for decades, often staying with a single vendor because migrating those virtual machines (VMs) from one hypervisor to another can be such a monumental task. Red Hat's migration toolkit for virtualization (MTV) facilitates the complex task of migrating VMs to Red Hat OpenShift Virtualization with tools that are easy to use, highly configurable and can be automated to handle even the largest environments.
RedHat - Beyond the AI pilot project: Building a foundation for generative AI: Organ
TrendMicro - Chinese-Speaking Group Manipulates SEO with BadIIS: "In 2024, we observed a substantial distribution of malware known as "BadIIS" in Asia. BadIIS targets Internet Information Services (IIS) and can be used for SEO fraud or to inject malicious content into the browsers of legitimate users. This includes displaying unauthorized ads, distributing malware, and even conducting watering hole attacks aimed at specific groups. In this campaign, threat actors exploit vulnerable IIS servers to install the BadIIS malware on the compromised servers. Once users send a request to a compromised server, they might receive altered content from attackers."

This week's tools

mytechnotalent/Reverse-Engineering: A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures.
wtsxDev/reverse-engineering: A list of awesome reverse engineering resources.
iBotPeaches/Apktool: A tool for reverse engineering Android .apk files.
radareorg/radare2: A UNIX-like reverse engineering framework and command-line toolset.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and only have a difficult year battling with newer, more esoteric adversaries than ever before. Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.
CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.
DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.
Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.
Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for this month:

SecureWorld Financial Services Virtual Conference (27th Feb, hybrid): Investigate forensics, develop playbooks, and utilize AI towards the ends of securing your security posture in the dangerous world of financial services. A variety of speakers and networking opportunities will help you make the step up.
Conf42: Cloud Native 2025 (6th March): Covering everything from AI, APIs, AWS, Data, Healthcare, Optimization, Security, and tools (as well as everything in between), this year's Conf42 is looking to be a conference with a little bit of something for everyone. Don't miss out on this exclusively online event - you might even see yours truly there too!
SANS Security East Baltimore (3rd-8th March): For those of you on the East Coast, East Baltimore is the place to be this year. Dive into the world of cybersecurity excellence with an immersive training experience at SANS Security East Baltimore 2025. Led by world-renowned instructors boasting extensive industry experience, this flagship training conference offers live access to these top experts in the field.

#184: Understanding Reverse Engineering

Austin Miller
07 Feb 2025
Looking backwards at things to come

Continuous Control Validation: Maximize the Security Tools You Already Have. Misconfigurations in your control environment are a gateway for security incidents. Prelude automatically and continuously monitors your security tools for missing controls, policy misconfigurations, and suboptimal performance so you can quickly visualize gaps in your defenses. Create a free account, connect your tools, and understand whether your security investments are working as expected. Create your account

Welcome to another _secpro!

It's been a busy week in cybersecurity - just like every other week... - so we thought you'd appreciate something to reinvigorate your approach to work. We're taking a look at reverse engineering in cybersecurity and setting up our new initiative to get tasty introductions into your inbox every week. Sound good? Well, let's get started!

That's why in the editor's spotlight this week, I advise you to all read Bruce Schneier's Deepfakes and the 2024 US Election!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Get season one for free

In the run up to season three of the secpro podcast, here is a roll out of the first season - that we recorded all that time ago! - for free. This means everyone can get access to some great talks about getting ahead in cybersecurity, using different tools, and getting into exciting areas for cybersecurity professionals. Don't take my word for it - check it out!

1. Hack the Cybersecurity Interview with Ken, Christophe, and Tia
2. The Ultimate Kali Linux Guide with Glen D. Singh
3. Threat Hunting using Elastic Stack with Andrew Pease
4. Cybersecurity Threats, Malware Trends and Strategies with Tim Rains
5. What is Palo Alto Networks? with Tom Piens
6. Azure Penetration Testing for Ethical Hackers with Karl Fosaaen
7. Managing Challenges in Computer Forensics with William Oettinger

Check it out!

Reverse engineering in cybersecurity: Understanding its role and how people use it

Cybersecurity isn't just about defending against threats—it's also about understanding how they work. That's where reverse engineering comes in. Whether it's analyzing malware, uncovering software vulnerabilities, or inspecting hardware for backdoors, security professionals use reverse engineering to break things down and figure out how they operate. Read the rest here!

News Bytes

Bruce Schneier - AIs and Robots Should Sound Robotic: "Most people know that robots no longer sound like tinny trash cans. They sound like Siri, Alexa, and Gemini. They sound like the voices in labyrinthine customer support phone trees. And even those robot voices are being made obsolete by new AI-generated voices that can mimic every vocal nuance and tic of human speech, down to specific regional accents. And with just a few seconds of audio, AI can now clone someone's specific voice."
Bruce Schneier - On Generative AI Security: "Microsoft's AI Red Team just published “Lessons from Red Teaming 100 Generative AI Products.” Their blog post lists “three takeaways,” but the eight lessons in the report itself are more useful..."
Bruce Schneier - Deepfakes and the 2024 US Election: "We analyzed every instance of AI use in elections collected by the WIRED AI Elections Project (source for our analysis), which tracked known uses of AI for creating political content during elections taking place in 2024 worldwide. In each case, we identified what AI was used for and estimated the cost of creating similar content without AI. We find that (1) half of AI use isn't deceptive, (2) deceptive content produced using AI is nevertheless cheap to replicate without AI, and (3) focusing on the demand for misinformation rather than the supply is a much more effective way to diagnose problems and identify interventions."
Bruce Schneier - Journalists and Civil Society Members Using WhatsApp Targeted by Paragon Spyware: "This is yet another story of commercial spyware being used against journalists and civil society members: "The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had “high confidence” that the 90 users in question had been targeted and “possibly compromised.""
Krebs on Security - Experts Flag Security, Privacy Risks in DeepSeek AI App: "New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek's design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks."
Krebs on Security - FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang: "The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname “The Manipulaters,” have been the subject of three stories published here since 2015. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party."

This week's tools

Bipan101/Phishing-Site-Detector: A JavaScript-based browser extension that detects and blocks phishing sites, protecting users from malicious links.
codeesura/Anti-phishing-extension: Safeguard your online experience with Anti-Phishing Extension! This extension is meticulously developed to protect users from potential phishing attacks by actively scanning the websites visited in real-time. It employs an updated blacklist to cross-check each website and promptly alerts users if a potential threat is detected, enhancing.
julioliraup/Antiphishing: Suricata rulesets for protecting against phishing attacks.
phishai/phish-protect: Chrome extension to alert and possibly block IDN/Unicode websites and zero-day phishing websites using AI and Computer Vision.
phished-co/phished_web_app: Protect your friends and family from phishing attacks by phishing them yourself.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and only have a difficult year battling with newer, more esoteric adversaries than ever before. Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.
CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.
DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.
Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.
Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for this month:

Cybersecurity Implications of AI (12th Feb, online): "The 2025 ISMG Virtual AI Security Summit is the ultimate digital gathering for cybersecurity leaders and AI innovators, offering unique case studies into how artificial intelligence is transforming security strategies across diverse sectors. This global summit will feature actionable perspectives from top industry experts, exploring AI's role in shaping the future of threat defense and identity protection."
SecureWorld Financial Services Virtual Conference (27th Feb, hybrid): Investigate forensics, develop playbooks, and utilize AI towards the ends of securing your security posture in the dangerous world of financial services. A variety of speakers and networking opportunities will help you make the step up.

#183: AI in 2025

Austin Miller
24 Jan 2025
A preliminary view of what is to come

Welcome to another _secpro!

This week, we go over a variety of commentaries about the emerging new issues around AI and cybersecurity in the new year - now that we are almost a whole month into it! We also free up our old podcasts to help a new gang of budding cybersecurity experts to wrap their ears around some of the best insights that our associated authors have had to share with you all over the last two years. There is plenty to keep you busy this week, so make sure to tune in!

That's why in the editor's spotlight this week, I advise you to all read Schneier's AI Will Write Complex Laws.

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Get season one for free

In the run up to season three of the secpro podcast, here is a roll out of the first season - that we recorded all that time ago! - for free. This means everyone can get access to some great talks about getting ahead in cybersecurity, using different tools, and getting into exciting areas for cybersecurity professionals. Don't take my word for it - check it out!

1. Hack the Cybersecurity Interview with Ken, Christophe, and Tia
2. The Ultimate Kali Linux Guide with Glen D. Singh
3. Threat Hunting using Elastic Stack with Andrew Pease
4. Cybersecurity Threats, Malware Trends and Strategies with Tim Rains
5. What is Palo Alto Networks? with Tom Piens
6. Azure Penetration Testing for Ethical Hackers with Karl Fosaaen
7. Managing Challenges in Computer Forensics with William Oettinger

Check it out!

News Bytes

Backupify - The State of SaaS Backup and Recovery Report 2025: "How are organizations safeguarding their critical data in an age of hybrid work, rapid cloud adoption and evolving cyberthreats? The State of SaaS Backup and Recovery Report 2025 unveils key findings from more than 3,000 IT and information security professionals worldwide."
Bruce Schneier - Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024): "Last month, Henry Farrell and [Schneier] convened the Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024) at Johns Hopkins University's Bloomberg Center in Washington DC. This is a small, invitational workshop on the future of democracy. As with the previous two workshops, the goal was to bring together a diverse set of political scientists, law professors, philosophers, AI researchers and other industry practitioners, political activists, and creative types (including science fiction writers) to discuss how democracy might be reimagined in the current century."
Bruce Schneier - AI Will Write Complex Laws: "Artificial intelligence (AI) is writing law today. This has required no changes in legislative procedure or the rules of legislative bodies—all it takes is one legislator, or legislative assistant, to use generative AI in the process of drafting a bill."
Bruce Schneier - Biden Signs New Cybersecurity Order: "President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government's procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors."
Bruce Schneier - Social Engineering to Disable iMessage Protections: "A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link and entering some personal information into a website. But because they came from unknown phone numbers, the links did not work. So—this is the new bit—the messages said something like: “Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it."..."
Krebs on Security - MasterCard DNS Error Went Unnoticed for Years: "The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals."
Krebs on Security - Chinese Innovations Spawn Wave of Toll Phishing Via SMS: "Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states."
Push Security - 2024: A year of identity attacks: "Identity attacks where attackers look to take over accounts on internet-facing apps and services are by far the most common attack experienced by organizations today. But the events of 2024 show that they're now also the most impactful."

This week's tools

Bipan101/Phishing-Site-Detector: A JavaScript-based browser extension that detects and blocks phishing sites, protecting users from malicious links.
codeesura/Anti-phishing-extension: Safeguard your online experience with Anti-Phishing Extension! This extension is meticulously developed to protect users from potential phishing attacks by actively scanning the websites visited in real-time. It employs an updated blacklist to cross-check each website and promptly alerts users if a potential threat is detected, enhancing.
julioliraup/Antiphishing: Suricata rulesets for protecting against phishing attacks.
phishai/phish-protect: Chrome extension to alert and possibly block IDN/Unicode websites and zero-day phishing websites using AI and Computer Vision.
phished-co/phished_web_app: Protect your friends and family from phishing attacks by phishing them yourself.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and only have a difficult year battling with newer, more esoteric adversaries than ever before. Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.
CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.
DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.
Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.
Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for next month:

Cyber Security Training at SANS Cyber Security Central (3rd-8th Feb, hybrid): "World-Class Training, Live Online: Join us for an unparalleled learning experience delivered by world-renowned cybersecurity instructors. Benefit from real-time access to industry experts, immersive training sessions, and industry-leading hands-on labs - all from the comfort of your own environment."
Conf42: Python 2025 (6th Feb, hybrid): Accelerate the AI lifecycle, algorithmic trading with Python, implementing agentic AI solutions from scratch, and maximising cloud - there's something here for everyone! Check out this Python-focused conference to get the most out of your skillset.
Cybersecurity Implications of AI (12th Feb, online): "The 2025 ISMG Virtual AI Security Summit is the ultimate digital gathering for cybersecurity leaders and AI innovators, offering unique case studies into how artificial intelligence is transforming security strategies across diverse sectors. This global summit will feature actionable perspectives from top industry experts, exploring AI's role in shaping the future of threat defense and identity protection."
SecureWorld Financial Services Virtual Conference (27th Feb, hybrid): Investigate forensics, develop playbooks, and utilize AI towards the ends of securing your security posture in the dangerous world of financial services. A variety of speakers and networking opportunities will help you make the step up.

Austin Miller
17 Jan 2025

#182: We're Back!

Getting back up to speed

Cloud Conversations: A Fireside Chat with Forrest Brazeal and Rubrik
Join us on January 28th at 10 AM PST for a captivating fireside chat where storytelling meets cloud innovation. Forrest Brazeal—acclaimed cloud architect, author, and the creative mind behind cloud computing's most beloved cartoons—teams up with Rubrik's Chief Business Officer, Mike Tornincasa, to explore the evolving challenges of data protection in a multi-cloud world.
Save Your Spot
SPONSORED

#182: Welcome Back!
Getting back up to speed

Welcome to another _secpro!

We've run through the biggest stories over the festive period, looked ahead to the best conferences this year has to offer, and explored the best tools that we played with like they were our Christmas presents. There's something for everyone and we're making sure that you get what you need to do the best you can in your job.

And with that, we're going to jump straight in!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller, Editor-in-Chief

A little treat...

Of course, we're not letting you go away empty-handed. Here's a little bit from the previous season of the podcast, ready for the next season's start in the next few weeks. Something to keep you out of trouble! Check it out!

News Bytes

Bruce Schneier - FBI Deletes PlugX Malware from Thousands of Computers: "According to a DOJ press release, the FBI was able to delete the Chinese-used PlugX malware from “approximately 4,258 U.S.-based computers and networks.” Details: “To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is operated by the hacking group. According to the FBI, at least 45,000 IP addresses in the US had back-and-forths with the command-and-control server since September 2023...”"
Bruce Schneier - Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme: "Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company's platform for AI-generated content."
Bruce Schneier - Apps That Are Spying on Your Location: "404 Media and Wired are reporting on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics: “The thousands of apps, included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS...”"
Bruce Schneier - The First Password on the Internet: "It was created in 1973 by Peter Kirstein: “So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password. In fact this was the first password on Arpanet. It proved invaluable in satisfying authorities on both sides of the Atlantic for the 15 years I ran the service - during which no security breach occurred over my link. I also put in place a system of governance that any UK users had to be approved by a committee which I chaired but which also had UK government and British Post Office representation.” I wish he'd told us what that password was."
Krebs on Security - Microsoft: Happy 2025. Here's 161 Security Updates: "Microsoft... unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond's inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017."
Krebs on Security - A Day in the Life of a Prolific Voice Phishing Crew: "Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices."
Krebs on Security - U.S. Army Soldier Arrested in AT&T, Verizon Extortions: "Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea."
Krebs on Security - Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm: "Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey."

This week's tools

Bipan101/Phishing-Site-Detector: A JavaScript-based browser extension that detects and blocks phishing sites, protecting users from malicious links.
codeesura/Anti-phishing-extension: Safeguard your online experience with Anti-Phishing Extension! This extension is meticulously developed to protect users from potential phishing attacks by actively scanning the websites visited in real-time. It employs an updated blacklist to cross-check each website and promptly alerts users if a potential threat is detected, enhancing.
julioliraup/Antiphishing: Suricata rulesets for protecting against phishing attacks.
phishai/phish-protect: Chrome extension to alert and possibly block IDN/Unicode websites and zero-day phishing websites using AI and Computer Vision.
phished-co/phished_web_app: Protect your friends and family from phishing attacks by phishing them yourself.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and only have a difficult year battling with newer, more esoteric adversaries than ever before.

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.
CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.
DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.
Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in the technical aspects of cybersecurity.
Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

Austin Miller
13 Dec 2024

#181: Until Next Time...

Our last issue of the year!

Total Cloud Cyber Resilience: Because Your Business Depends On It.
98% of organizations say they have significant data visibility challenges. That's just one reason many organizations are hesitant to move to the cloud. What's stopping you? We can make that move an easy one for you, and we'll show you how to do it at our first-ever Cloud Resilience Summit on December 11.
Here are 3 things you'll learn:
Minimize the risk of sensitive data exposure
Make sure you can recover your cloud data
Get rid of redundant, obsolete, and trivial (ROT) data
An added bonus? You'll learn how you can save up to 30% on Cloud Security with Rubrik. Register and attend the event and you'll be entered to win 1 of 5 De'Longhi All in One Combination Coffee Makers.
Save Your Spot
SPONSORED

#181: Until Next Time...
Our last issue of the year!

Welcome to another _secpro! This is our final edition for 2024, but don't worry—we'll be back with more insights and updates in January 2025. In the meantime, we've got a little holiday treat for you!

Packt has some exciting offers lined up to help you boost your tech skills and get ready for an amazing new year! It's the perfect opportunity to relax, learn something new, and stay ahead in your field. Keep an eye out for these special holiday deals!

From all of us at the Packt Newsletters team, we wish you a joyful holiday season and a fantastic start to 2025. See you next year!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller, Editor-in-Chief

Stop Worrying About Your To-Do List
Zapier connects the apps you use every day, so you can focus on what matters most. Start working more efficiently - Create your free account today.
Get started for free

News Bytes

Akamai - Teaching an Old Framework New Tricks: The Dangers of Windows UI Automation: Those of us who write for a living love dictation and grammar-checking software. Those of us who do security research for a living like to break stuff and write about it. So, after months of seeing ads for these writing assistants, we decided to tinker around and see what we could find. Specifically, we wanted to understand how an application can manipulate another application's user interface (UI) remotely. What we discovered was just as shocking as learning that people still run XP: It is processed by a very old framework called the UI Automation framework.
Bruce Schneier - Jailbreaking LLM-Controlled Robots: "Surprising no one, it's easy to trick an LLM-controlled robot into ignoring its safety instructions."
Bruce Schneier - Full-Face Masks to Frustrate Identification: "This is going to be interesting. It's a video of someone trying on a variety of printed full-face masks. They won't fool anyone for long, but will survive casual scrutiny. And they're cheap and easy to swap."
Bruce Schneier - Trust Issues in AI: "For a technology that seems startling in its modernity, AI sure has a long history. Google Translate, OpenAI chatbots, and Meta AI image generators are built on decades of advancements in linguistics, signal processing, statistics, and other fields going back to the early days of computing—and, often, on seed funding from the U.S. Department of Defense. But today's tools are hardly the intentional product of the diverse generations of innovators that came before. We agree with Morozov that the “refuseniks,” as he calls them, are wrong to see AI as “irreparably tainted” by its origins. AI is better understood as a creative, global field of human endeavor that has been largely captured by U.S. venture capitalists, private equity, and Big Tech. But that was never the inevitable outcome, and it doesn't need to stay that way."
Bruce Schneier - Detecting Pegasus Infections: "The company's Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1."
Claroty - Inside a New OT/IoT Cyberweapon: IOCONTROL: "IOCONTROL is believed to be part of a global cyber operation against western IoT and operational technology (OT) devices. Affected devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms. While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration."
FBI - Guan Tianfeng: Conspiracy to Commit Computer Fraud; Conspiracy to Commit Wire Fraud: "Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls. The exploit was used to infiltrate approximately 81,000 firewalls. It is alleged that Guan Tianfeng's role in the conspiracy was to develop and test the zero-day vulnerability used to conduct the attack."
Krebs on Security - How Cryptocurrency Turns to Cash in Russian Banks: "A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which are physically located there."
Krebs on Security - Patch Tuesday, December 2024 Edition: "Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks. The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an authenticated attacker gain “system” level privileges on a vulnerable Windows device."
Jamf - Unauthorized access to iCloud: analyzing an iOS vulnerability that could expose sensitive data to attackers: Recently, Jamf Threat Labs discovered a TCC bypass vulnerability affecting FileProvider in both macOS and iOS; if successfully exploited, the vulnerability could result in an app that is able to access sensitive data without the end user's knowledge. We reported our findings to Apple, and in macOS 15 and iOS 18, Apple patched the vulnerability, assigning it CVE-2024-44131.
Lookout - Lookout Discovers New Chinese Surveillance Tool Used by Public Security Bureaus: "The surveillance family has been operational since at least 2017, and appears to require physical access to the device to initiate surveillance operations. An installer component, which would presumably be operated by law-enforcement officers who gained access to the unlocked device, is responsible for delivering a headless surveillance module that remains on the device and collects extensive sensitive data. We believe that this is the only distribution mechanism and neither the installer nor the payload have been observed on Google Play or other app stores."
Microsoft - Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine: After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, as detailed in our last blog, Russian nation-state actor Secret Blizzard used those tools and infrastructure to compromise targets in Ukraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret Blizzard's custom malware, with the Tavdig backdoor creating the foothold to install their KazuarV2 backdoor.
Office of Public Affairs - Rydox Cybercrime Marketplace Shut Down and Three Administrators Arrested: "The Justice Department today announced the seizure of Rydox, an illicit website and marketplace dedicated to selling stolen personal information, access devices, and other tools for carrying out cybercrime and fraud, and the arrest of Rydox administrators and Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28. Both defendants were arrested earlier today in Kosovo by Kosovo law enforcement pursuant to a U.S. request for extradition. They are currently awaiting extradition to the United States to face an indictment unsealed today in the Western District of Pennsylvania."
WPScan - Unauthorized Plugin Installation/Activation in Hunk Companion: "This report highlights a vulnerability in the Hunk Companion plugin < 1.9.0 that allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository. This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors. By leveraging these outdated or unmaintained plugins, attackers can bypass security measures, manipulate database records, execute malicious scripts, and gain unauthorized administrative access to the site."

This week's tools

scythe-io/in-memory-cpython: An in-memory embedding of CPython, useful for offense/red teams.
Elastic Security's Threat Intel Filebeat Module: This module ingests data from a collection of different threat intelligence sources. The ingested data is meant to be used with Indicator Match rules but is also compatible with other features like Enrich Processors. The related threat intel attribute that is meant to be used for matching incoming source data is stored under the threatintel.indicator.* fields. You can learn how to ingest threat data with the Threat Intel Module in this blog.
Cyberlands-io/epiphany: Epiphany identifies weak spots of a web property that may be more vulnerable to DDoS, by crawling pages, measuring their timing, and using heuristics to determine if pages are cached.

Upcoming events for _secpros

Maximizing Impact: A Guide to Scaling Red Team Operations (19th December): "Even the best red teams in the world cannot cover the entire attack surface fast enough to keep up with your IT changes. That's where automation becomes crucial, enabling red teams to scale up effectively. Build your red teaming operations for scale in our upcoming webinar. Explore how the Pentera Platform automates red team activities and scenarios, relieving the team from ongoing mundane work. Free up your security experts to focus on investigating advanced threats and unique attack vectors, without the distraction of unnecessary noise."
2nd International Conference on Information Technology, Control and Automation (28th-29th December): "...a peer-reviewed conference that publishes articles which contribute new results in all areas of Information Technology (IT), Control Systems and Automation Engineering. The conference focuses on all technical and practical aspects of IT, Control Systems and automation with applications in real-world engineering and scientific problems. The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on information technology, control engineering, automation, modeling concepts and establishing new collaborations in these areas."
Cybersec Asia 2025: Shield Your Core (22nd-23rd January): "The event promises to bring together the brightest minds, leading organizations, and innovative solutions in the cybersecurity realm. The global cybersecurity market has witnessed significant growth, with investments reaching USD 190.4 billion in 2023 and projected to grow to USD 298.5 billion by 2028, at a CAGR of 9.4% during the forecast period. In the Asia-Pacific region, Thailand has emerged as a leader, securing the 7th position globally in the 2024 Global Cybersecurity Index (GCI), reflecting its commitment to enhancing cybersecurity measures."
2nd Annual DEFSEC 2025 (21st February): "The 2nd Annual DEFSEC 2025 conference is a specialized event dedicated to addressing the critical and complex challenges of cybersecurity in the defense and national security sectors. In a world where cyber threats evolve faster than ever, Defense Security 2025 provides a collaborative platform for examining advanced defense strategies, emerging technologies, and the integration of AI and automation to protect our most vital digital assets. The event emphasizes practical solutions and proactive strategies, enabling organizations to bolster their defenses against cyber adversaries that threaten national security and public infrastructure."

Austin Miller
06 Dec 2024

#180: Festive Deletings

As the year winds down, the adversary gets to work

Total Cloud Cyber Resilience: Because Your Business Depends On It.
98% of organizations say they have significant data visibility challenges. That's just one reason many organizations are hesitant to move to the cloud. What's stopping you? We can make that move an easy one for you, and we'll show you how to do it at our first-ever Cloud Resilience Summit on December 11.
Here are 3 things you'll learn:
Minimize the risk of sensitive data exposure
Make sure you can recover your cloud data
Get rid of redundant, obsolete, and trivial (ROT) data
An added bonus? You'll learn how you can save up to 30% on Cloud Security with Rubrik. Register and attend the event and you'll be entered to win 1 of 5 De'Longhi All in One Combination Coffee Makers.
Save Your Spot
SPONSORED

#180: Festive Deletings
As the year winds down, the adversary gets to work

Welcome to another _secpro! Here's a quick roundup of the latest in cybersecurity.

Recent developments in cybersecurity highlight a range of sophisticated threats and vulnerabilities. Bruce Schneier explores emerging risks, including the "Flowbreaking" attack targeting large language model (LLM) systems by manipulating user inputs and outputs to disrupt broader system components. In addition, concerns over spyware and surveillance persist, as the NSO Group reportedly operates its Pegasus spyware on behalf of governments, while tools like GrayKey face limitations in bypassing security on the latest iOS versions. Moreover, Schneier critiques the MERGE voting protocol, suggesting that its promise of secure, verifiable online voting would require extensive legal and logistical reforms. Meanwhile, a new technique leveraging the Godot Gaming Engine for malware execution and a Python library updated to exfiltrate private keys via Telegram further demonstrate evolving cybercriminal tactics.

Other cybersecurity reports emphasize targeted attacks and vulnerabilities. The prolific hacker "Kiberphant0m," potentially a U.S. soldier, remains at large despite arrests related to Snowflake data breaches. Federal charges against members of the Scattered Spider hacking group highlight the scale of cyber intrusions against major U.S. tech firms. Researchers also uncovered 20 critical vulnerabilities in Advantech EKI wireless access points, enabling remote code execution. Advanced persistent threat groups like Earth Estries continue to target industries globally, employing stealthy techniques, while phishing-as-a-service campaigns now bypass multifactor authentication, exploiting Microsoft user accounts.

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller, Editor-in-Chief

Protect Your .NET Applications with Dotfuscator: Stop Reverse Engineering and Secure Your IP
Your .NET applications face constant threats from reverse engineering, leaving your proprietary code, sensitive logic, and IP exposed. But with Dotfuscator by PreEmptive, you can safeguard your software. Dotfuscator's advanced obfuscation features—like renaming, control flow obfuscation, and string encryption—harden your code against tampering, unauthorized access, and IP theft. Take control of your application's security and keep your code and intellectual property secure. Empower your development process with Dotfuscator today—because your .NET apps deserve protection that lasts.

News Bytes

AmberWolf - Introducing NachoVPN: One VPN Server to Pwn Them All: During our recent talk at SANS HackFest Hollywood 2024 titled Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells, we shared details of how vulnerabilities in leading corporate VPN clients can be exploited by attackers. In this presentation, we presented the details of how we discovered vulnerabilities in the most popular and widely used corporate VPN clients, and how these vulnerabilities could be exploited by attackers to gain Remote Code Execution on both macOS and Windows Operating Systems. Today, we are thrilled to announce the release of NachoVPN, an open-source tool that demonstrates the attack scenarios we discussed and helps security professionals understand and mitigate these risks. Alongside NachoVPN, we are also publishing detailed advisories for the vulnerabilities we uncovered.
Bruce Schneier - Detecting Pegasus Infections: "The company's Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month. iVerify's infrastructure is built to be privacy-preserving, but to run the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if a scan turns up spyware—as it did in the seven recent Pegasus discoveries."
Bruce Schneier - AI and the 2024 Elections: "It's been the biggest year for elections in human history: 2024 is a “super-cycle” year in which 3.7 billion eligible voters in 72 countries had the chance to go to the polls. These are also the first AI elections, where many feared that deepfakes and artificial intelligence-generated misinformation would overwhelm the democratic processes. As 2024 draws to a close, it's instructive to take stock of how democracy did."
Bruce Schneier - Algorithms Are Coming for Democracy—but It's Not All Bad: "In 2025, AI is poised to change every aspect of democratic politics—but it won't necessarily be for the worse. India's prime minister, Narendra Modi, has used AI to translate his speeches for his multilingual electorate in real time, demonstrating how AI can help diverse democracies to be more inclusive. AI avatars were used by presidential candidates in South Korea in electioneering, enabling them to provide answers to thousands of voters' questions simultaneously. We are also starting to see AI tools aid fundraising and get-out-the-vote efforts."
Cisco - Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability: "A vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of WebVPN on the Cisco ASA. The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by convincing a user to access a malicious link."
Europol - Fraudulent shopping sites tied to cybercrime marketplace taken offline: "Europol has supported the dismantling of a sophisticated criminal network responsible for facilitating large-scale online fraud. In an operation led by the Hanover Police Department (Polizeidirektion Hannover) and the Verden Public Prosecutor's Office (Staatsanwaltschaft Verden) in Germany, and supported by law enforcement authorities across Europe, over 50 servers were seized, significant digital evidence was secured, and two key suspects were placed in pretrial detention."
JFrog - Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats: "...we will showcase vulnerabilities in ML clients, such as tools used by Data Scientists or ML CI/CD Pipelines (MLOps) that can cause code execution when loading an untrusted piece of data. While the threat is obvious when loading a malicious ML model of a known unsafe type (e.g. loading a Pickle-based model), we will highlight some vulnerabilities that affect ML clients when loading other types of data."
Krebs on Security - U.S. Offered $10M for Hacker Just Arrested by Russia: "In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as “Wazawaka,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies."
Krebs on Security - Why Phishers Love New TLDs Like .shop, .top and .xyz: "Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs."
Lumen - Snowblind: The Invisible Hand of Secret Blizzard: Lumen's Black Lotus Labs has uncovered a longstanding campaign orchestrated by the Russian-based threat actor known as “Secret Blizzard” (also referred to as Turla). This group has successfully infiltrated 33 separate command-and-control (C2) nodes used by Pakistani-based actor “Storm-0156.” Known for their focus on espionage, Storm-0156 is associated in public reporting with two activity clusters, “SideCopy” and “Transparent Tribe.” This latest campaign, spanning the last two years, is the fourth recorded case of Secret Blizzard embedding themselves in another group's operations since 2019, when they were first seen repurposing the C2s of an Iranian threat group.
NCA - Operation Destabilise: NCA disrupts $multi-billion Russian money laundering networks with links to drugs, ransomware and espionage, resulting in 84 arrests: "An international NCA-led investigation - Operation Destabilise - has exposed and disrupted Russian money laundering networks supporting serious and organised crime around the world: spanning from the streets of the UK, to the Middle East, Russia, and South America. Investigators have identified two Russian-speaking networks collaborating at the heart of the criminal enterprise; Smart and TGR."
Socket - Supply Chain Attack Detected in Solana's web3.js Library: "A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets."
TrendMicro - MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur's Multi-Platform Attacks: We have been continuously monitoring the MOONSHINE exploit kit's activity since 2019. During our research, we discovered a MOONSHINE exploit kit server with improper operational security: its server exposed MOONSHINE's toolkits and operation logs, which revealed the information of possible victims and the attack tactics of a threat actor we have named Earth Minotaur.

This week's tools

scythe-io/in-memory-cpython: An in-memory embedding of CPython, useful for offense/red teams.
Elastic Security's Threat Intel Filebeat Module: This module ingests data from a collection of different threat intelligence sources. The ingested data is meant to be used with Indicator Match rules but is also compatible with other features like Enrich Processors. The related threat intel attribute that is meant to be used for matching incoming source data is stored under the threatintel.indicator.* fields. You can learn how to ingest threat data with the Threat Intel Module in this blog.
Cyberlands-io/epiphany: Epiphany identifies weak spots of a web property that may be more vulnerable to DDoS, by crawling pages, measuring their timing, and using heuristics to determine if pages are cached.

Upcoming events for _secpros

CIOMeet Houston (12th December): Successful CIOs empower themselves with the knowledge and experience of their community. Moderated by former Mission Health CTO Joseph Wolfgram, CIOMeet Houston brings together IT leaders with diverse backgrounds, experiences, and industries to connect the dots between innovation, efficiency, and collaboration.
Join us over an epicurean lunch as we discuss, debate, and challenge the current directions within the Office of the CIO.Cybersecurity Law, Regulations, and Compliance: What to Expect in 2025 (12th December): ImmuniWeb is hosting an interactive webinar “Cybersecurity Law, Regulations and Compliance” for all our customers and partners who will receive personal invitations. Public is also welcome to join by a quick registration below (subject to approval). The webinar encompasses the most recent updates since July 2024.Maximizing Impact: A Guide to Scaling Red Team Operations (19th December): "Even the best red teams in the world cannot cover the entire attack surface fast enough to keep up with your IT changes. That's where automation becomes crucial, enabling red teams to scale up effectively. Build your red teaming operations for scale in our upcoming webinar. Explore how the Pentera Platform automates red team activities and scenarios, relieving the team from ongoing mundane work. Free up your security experts to focus on investigating advanced threats and unique attack vectors, without the distraction of unnecessary noise."2nd International Conference on Information Technology, Control and Automation (28th-29th December): "...a peer-reviewed conference that publishes articles which contribute new results in all areas of Information Technology (IT), Control Systems and Automation Engineering. The conference focuses on all technical and practical aspects of IT, Control Systems and automation with applications in real-world engineering and scientific problems. 
The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on information technology, control engineering, automation, modeling concepts and establishing new collaborations in these areas."Cybersec Asia 2025: Shield Your Core (22nd-23rd January): "The event, promises to bring together the brightest minds, leading organizations, and innovative solutions in the cybersecurity realm. The global cybersecurity market has witnessed significant growth, with investments reaching USD 190.4 billion in 2023 and projected to grow to USD 298.5 billion by 2028, at a CAGR of 9.4% during the forecast period. In the Asia-Pacific region, Thailand has emerged as a leader, securing the 7th position globally in the 2024 Global Cybersecurity Index (GCI), reflecting its commitment to enhancing cybersecurity measures."2nd Annual DEFSEC 2025 (21st February): "The 2nd Annual DEFSEC 2025 conference is a specialized event dedicated to addressing the critical and complex challenges of cybersecurity in the defense and national security sectors. In a world where cyber threats evolve faster than ever, Defense Security 2025 provides a collaborative platform for examining advanced defense strategies, emerging technologies, and the integration of AI and automation to protect our most vital digital assets. 
The event emphasizes practical solutions and proactive strategies, enabling organizations to bolster their defenses against cyber adversaries that threaten national security and public infrastructure."*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0}#converted-body .list_block ol,#converted-body .list_block ul,.body [class~=x_list_block] ol,.body [class~=x_list_block] ul,u+.body .list_block ol,u+.body .list_block ul{padding-left:20px} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}.reverse{display:table;width: 100%;
#179: Flowbreaking Pegasus

Austin Miller
29 Nov 2024
LLMs, NSO, and Graykey

Total Cloud Cyber Resilience: Because Your Business Depends On It.
98% of organizations say they have significant data visibility challenges. That's just one reason many organizations are hesitant to move to the cloud. What's stopping you? We can make that move an easy one for you, and we’ll show you how to do it at our first-ever Cloud Resilience Summit on December 11.
Here are 3 things you'll learn:
- Minimize the risk of sensitive data exposure
- Make sure you can recover your cloud data
- Get rid of redundant, obsolete, and trivial (ROT) data
An added bonus? You'll learn how you can save up to 30% on Cloud Security with Rubrik. Register and attend the event and you'll be entered to win 1 of 5 De'Longhi All in One Combination Coffee Makers.
Save Your Spot
SPONSORED

Welcome to another _secpro! Here’s a quick roundup of the latest in cybersecurity.

Recent developments in cybersecurity highlight a range of sophisticated threats and vulnerabilities. Bruce Schneier explores emerging risks, including the "Flowbreaking" attack targeting large language model (LLM) systems by manipulating user inputs and outputs to disrupt broader system components. In addition, concerns over spyware and surveillance persist, as the NSO Group reportedly operates its Pegasus spyware on behalf of governments, while tools like GrayKey face limitations in bypassing security on the latest iOS versions. Moreover, Schneier critiques the MERGE voting protocol, suggesting that its promise of secure, verifiable online voting would require extensive legal and logistical reforms. Meanwhile, a new technique leveraging the Godot Gaming Engine for malware execution and a Python library updated to exfiltrate private keys via Telegram further demonstrate evolving cybercriminal tactics.

Other cybersecurity reports emphasize targeted attacks and vulnerabilities. The prolific hacker "Kiberphant0m," potentially a U.S. soldier, remains at large despite arrests related to Snowflake data breaches. Federal charges against members of the Scattered Spider hacking group highlight the scale of cyber intrusions against major U.S. tech firms. Researchers also uncovered 20 critical vulnerabilities in Advantech EKI wireless access points, enabling remote code execution. Advanced persistent threat groups like Earth Estries continue to target industries globally, employing stealthy techniques, while phishing-as-a-service campaigns now bypass multifactor authentication, exploiting Microsoft user accounts.

Check out _secpro premium
As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!
Cheers!
Austin Miller
Editor-in-Chief

Ready to shape the future of cybersecurity? Join 30+ experts delivering power talks, tech sessions, workshops, and roundtables at the Global Cybersecurity! Register, Speak, Sponsor—let’s make an impact together!
Register, Speak, Sponsor!

News Bytes

Bruce Schneier - Race Condition Attacks against LLMs: "These are two attacks against the system components surrounding LLMs: 'We propose that LLM Flowbreaking, following jailbreaking and prompt injection, joins as the third on the growing list of LLM attack types. Flowbreaking is less about whether prompt or response guardrails can be bypassed, and more about whether user inputs and generated model outputs can adversely affect these other components in the broader implemented system.'"

Bruce Schneier - NSO Group Spies on People on Behalf of Governments: "The Israeli company NSO Group sells Pegasus spyware to countries around the world (including countries like Saudi Arabia, UAE, India, Mexico, Morocco and Rwanda). We assumed that those countries use the spyware themselves. Now we’ve learned that that’s not true: that NSO Group employees operate the spyware on behalf of their customers."

Bruce Schneier - What Graykey Can and Can’t Unlock: "The Graykey, a phone unlocking and forensics tool that is used by law enforcement around the world, is only able to retrieve partial data from all modern iPhones that run iOS 18 or iOS 18.0.1, which are two recently released versions of Apple’s mobile operating system, according to documents describing the tool’s capabilities in granular detail obtained by 404 Media. The documents do not appear to contain information about what Graykey can access from the public release of iOS 18.1, which was released on October 28."

Bruce Schneier - Security Analysis of the MERGE Voting Protocol: "The recently published “MERGE” protocol is designed to be used in the prototype CAC-vote system. The voting kiosk and protocol transmit votes over the internet and then transmit voter-verifiable paper ballots through the mail. In the MERGE protocol, the votes transmitted over the internet are used to tabulate the results and determine the winners, but audits and recounts use the paper ballots that arrive in time. The enunciated motivation for the protocol is to allow (electronic) votes from overseas military voters to be included in preliminary results before a (paper) ballot is received from the voter. MERGE contains interesting ideas that are not inherently unsound; but to make the system trustworthy—to apply the MERGE protocol—would require major changes to the laws, practices, and technical and logistical abilities of U.S. election jurisdictions."

CheckPoint - Gaming Engines: An Undetected Playground for Malware Loaders: "Cybercriminals constantly try to evolve their tactics and techniques, aiming to increase infections. Their need to stay undetected pushes them to innovate and discover new methods of delivering and executing malicious code, which can result in credentials theft and even ransomware encryption. Check Point Research discovered a new undetected technique that uses Godot Gaming Engine to execute malicious GDScript code."

Krebs on Security - Hacker in Snowflake Extortions May Be a U.S. Soldier: "Two men have been arrested for allegedly stealing data from and extorting dozens of companies that used the cloud data storage company Snowflake, but a third suspect — a prolific hacker known as Kiberphant0m — remains at large and continues to publicly extort victims. However, this person’s identity may not remain a secret for long: A careful review of Kiberphant0m’s daily chats across multiple cybercrime personas suggests they are a U.S. Army soldier who is or was recently stationed in South Korea."

Krebs on Security - Feds Charge Five Men in ‘Scattered Spider’ Roundup: "Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio."

Nozomi - Over-the-Air Vulnerabilities Discovered in Advantech EKI Access Points: "Nozomi Networks Labs has conducted an analysis of version 1.6.2 of the EKI-6333AC-2G industrial-grade wireless access point. Thanks to its resilience in challenging environments, this device is utilized across diverse sectors, ranging from automobile assembly lines up to warehousing and distribution operations within logistics. Our analysis identified 20 vulnerabilities, each assigned a unique CVE identifier. These vulnerabilities pose significant risks, allowing unauthenticated remote code execution with root privileges, thereby fully compromising the confidentiality, integrity, and availability of the affected devices."

Phylum - Python Crypto Library Updated to Steal Private Keys: "Phylum's automated risk detection platform discovered that the PyPI package aiocpa was updated to include malicious code that steals private keys by exfiltrating them through Telegram when users initialize the crypto library. While the attacker published this malicious update to PyPI, they deliberately kept the package's GitHub repository clean of the malicious code to evade detection."

TrendMicro - Game of Emperor: Unveiling Long Term Earth Estries Cyber Intrusions: Since 2023, Earth Estries (aka Salt Typhoon, FamousSparrow, GhostEmperor and UNC2286) has emerged as one of the most aggressive Chinese advanced persistent threat (APT) groups, primarily targeting critical industries such as telecommunications and government entities in the US, the Asia-Pacific region, the Middle East, and South Africa. In this blog entry, we will highlight their evolving attack techniques and analyze the motivation behind their operations, providing insights into their long-term targeted attacks.

Trustwave - Rockstar 2FA: A Driving Force in Phishing-as-a-Service: We have been tracking a widespread phishing campaign delivered via email that showed a significant increase in activity in August 2024 and continues to be prevalent as of writing. This campaign employs an AiTM attack, allowing attackers to intercept user credentials and session cookies, which means that even users with multifactor authentication (MFA) enabled can still be vulnerable. Microsoft user accounts are the prime target of these campaigns, as target users will be redirected to landing pages designed to mimic Microsoft 365 (O365) login pages.

WeLiveSecurity - Bootkitty: Analyzing the first UEFI bootkit for Linux: "A common thread among these publicly known bootkits was their exclusive targeting of Windows systems. Today, we unveil our latest discovery: the first UEFI bootkit designed for Linux systems, named Bootkitty by its creators. We believe this bootkit is merely an initial proof of concept, and based on our telemetry, it has not been deployed in the wild. That said, its existence underscores an important message: UEFI bootkits are no longer confined to Windows systems alone."

This AI-powered workshop is designed for experienced professionals and self-employed individuals ready to scale their careers or businesses. In just 90 minutes, you’ll learn how to:
- Automate lead generation to grow your business effortlessly.
- Master LinkedIn's $100K strategy to increase revenue while saving time.
- Use AI to secure high-paying roles, bypassing endless applications.
Join Vaibhav Sisinty, a LinkedIn influencer with over 400K followers, who’s transformed the LinkedIn strategies of over 200,000 professionals. Normally valued at $399, this workshop is free for the first 100 readers.
Claim Your Free Spot Now (Only 100 seats available!)

This week's tools

goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.

ncorbuk/Python-Ransomware: A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.

ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.

codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.

Upcoming events for _secpros

Higher education in the AI era (29th November): The THE Global AI Forum will bring together leading academics, researchers and thought leaders working in AI to share and discuss the latest developments in AI ethics, horizons and how universities will be impacted. Delegates will discover the latest advancements in AI and the opportunities and potential challenges that AI may present for their institution. The forum will facilitate unparalleled knowledge exchange and networking that will help shed light on and shape some of AI's most critical and unexplored areas.

Hinweis Third International Conference on Artificial Intelligence and Data Science (29th-30th November): Hinweis Third International Conference on Artificial Intelligence and Data Science (AIDE) is a Hybrid Mode prestigious event organized with a motivation to provide an excellent international platform for the academicians, researchers, engineers, industrial participants and budding students around the world to SHARE their research findings with the global experts.

UK & Ireland CISO Inner Circle (3rd December): Join UK & Ireland's top CISOs for an intimate networking dinner and facilitated discussion on key business challenges. Enjoy a relaxed evening of dinner and drinks with your peers to share best practices, make new connections and build professional relationships.

Immersive Training & Networking for Digital Marketers (3rd-4th December): "Sharpen your marketing skill set through our workshops and sessions, that address tactical, practical and strategic ideas from the best marketing talent in the country!"

DevOpsCon (December 2nd-6th): "Simplify Complexity, Amplify Agility, Accelerate Innovation"
#178: Schneier on Freedom

Austin Miller
22 Nov 2024
And keeping an eye on Italy...

Welcome to another _secpro! Here’s a quick roundup of the latest in cybersecurity.

Misconfigured servers are being hijacked for illegal live sports streaming, often caught using honeypots. Separating genuine threats from noise is tricky, but smarter automation and good old-fashioned threat hunting are helping. Meanwhile, geoblocking has come under scrutiny as websites block users for political reasons. Bruce Schneier points out that this undermines internet freedom and suggests steps like better transparency around sanctions and promoting open web access. On a related note, the Secret Service has been using app-based location data without warrants, banking on users’ blind agreement to terms of service.

Spyware also made the news, with Italy’s budget-friendly tools flying under the radar compared to premium options like NSO Group’s products. These affordable tools, rented by law enforcement for as little as €150 a day, raise questions about regulation. On the technical side, 2023 saw a sharp rise in zero-day vulnerabilities being exploited. These are becoming top priorities for attackers. Fake Python packages on PyPI are another headache—malicious uploads promised AI APIs but were stealing data instead.

There’s also been progress in cracking down on cybercrime. Five members of the “Scattered Spider” hacking group, responsible for attacks on companies like T-Mobile and LastPass, have been charged. However, threats continue to evolve. The NSOCKS botnet, leveraging IoT devices, remains a major proxy network for cybercriminals.

Check out _secpro premium
As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!
Cheers!
Austin Miller
Editor-in-Chief

News Bytes

Aqua - Threat Actors Hijack Misconfigured Servers for Live Sports Streaming: "When utilizing honeypots to collect threat intelligence, you assume that any event is malicious. In reality, there are many scanners that trigger the honeypots, script kiddies that trigger events with their curiosity, or trivial tools and failed attack attempts that exploit initial access but fail to mature to a full-blown attack. Strong automation and machine learning were tailored to distinguish between interesting and non-interesting events. But sometimes we miss, and when that happens, we utilize threat hunting as a compensative measurement."

Bruce Schneier - The Scale of Geoblocking by Nation: "We introduce and explore a little-known threat to digital equality and freedom: websites geoblocking users in response to political risks from sanctions. U.S. policy prioritizes internet freedom and access to information in repressive regimes. Clarifying distinctions between free and paid websites, allowing trunk cables to repressive states, enforcing transparency in geoblocking, and removing ambiguity about sanctions compliance are concrete steps the U.S. can take to ensure it does not undermine its own aims."

Bruce Schneier - Secret Service Tracking People’s Locations without Warrant: This feels important: "The Secret Service has used a technology called Locate X which uses location data harvested from ordinary apps installed on phones. Because users agreed to an opaque terms of service page, the Secret Service believes it doesn’t need a warrant."

Bruce Schneier - Why Italy Sells So Much Spyware: "Although much attention is given to sophisticated, zero-click spyware developed by companies like Israel’s NSO Group, the Italian spyware marketplace has been able to operate relatively under the radar by specializing in cheaper tools. According to an Italian Ministry of Justice document, as of December 2022 law enforcement in the country could rent spyware for €150 a day, regardless of which vendor they used, and without the large acquisition costs which would normally be prohibitive."

Bruce Schneier - Most of 2023’s Top Exploited Vulnerabilities Were Zero-Days: "In 2023, malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks compared to 2022, allowing them to conduct cyber operations against higher-priority targets. In 2023, the majority of the most frequently exploited vulnerabilities were initially exploited as a zero-day, which is an increase from 2022, when less than half of the top exploited vulnerabilities were exploited as a zero-day."

Kaspersky - JarkaStealer in PyPI repository: "The malicious packages were uploaded to the repository by one author and, in fact, differed from each other only in name and description. The first was called “gptplus” and allegedly allowed access to the GPT-4 Turbo API from OpenAI; the second was called “claudeai-eng” and, according to the description, also promised access to the Claude AI API from Anthropic PBC."

Krebs on Security - Feds Charge Five Men in ‘Scattered Spider’ Roundup: Federal prosecutors in Los Angeles this week unsealed criminal charges against five men alleged to be members of a hacking group responsible for dozens of cyber intrusions at major U.S. technology companies between 2021 and 2023, including LastPass, MailChimp, Okta, T-Mobile and Twilio.

Krebs on Security - Fintech Giant Finastra Investigating Data Breach: The financial technology firm Finastra is investigating the alleged large-scale theft of information from its internal file transfer platform, KrebsOnSecurity has learned. Finastra, which provides software and services to 45 of the world’s top 50 banks, notified customers of the security incident after a cybercriminal began selling more than 400 gigabytes of data purportedly stolen from the company.

Lumen - One Sock Fits All: The use and abuse of the NSOCKS botnet: The Black Lotus Labs team at Lumen Technologies has expanded the known architecture of the “ngioweb” botnet, its use as a cornerstone of the notorious criminal proxy service known as NSOCKS, and appropriation by others such as VN5Socks and Shopsocks5. One of the most widely used criminal proxies, NSOCKS maintains a daily average of over 35,000 bots in 180 countries, and has been tied to notorious groups such as Muddled Libra. At least 80% of NSOCKS bots in our telemetry originate from the ngioweb botnet, mainly utilizing small office/home office (SOHO) routers and IoT devices. Two-thirds of these proxies are based in the U.S.

Netskope - Python NodeStealer Targets Facebook Ads Manager with New Techniques: In September 2023, Netskope Threat Labs reported a Python-based NodeStealer targeting Facebook business accounts. NodeStealer collects Facebook and other credentials stored in the browser and its cookie data. For over a year, we have tracked and discovered multiple variants of this infostealer. It is now targeting new victims and extracting new information using new techniques. In this blog post, we will dissect the development of the Python NodeStealer from multiple samples in the wild. Each section highlights different variants, showcasing new targets and techniques.

Oracle - Oracle Security Alert Advisory - CVE-2024-21287: "This Security Alert addresses vulnerability CVE-2024-21287 in Oracle Agile Product Lifecycle Management (PLM). This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. If successfully exploited, this vulnerability may result in file disclosure."

Sentinel - DPRK IT Workers | A Network of Active Front Companies and Their Links to China: "North Korea operates a global network of IT workers, both as individuals and under front companies, to evade sanctions and generate revenue for the regime. These workers are highly skilled in areas like software development, mobile applications, blockchain, and cryptocurrency technologies. By posing as professionals from other countries using fake identities and forged credentials, they secure remote jobs and freelance contracts with businesses worldwide."

Vectra - 2024 State of Threat Detection: Does a high level of confidence across SOCs mean security professionals are finally able to keep pace with the increasing number of threats? Not so fast. While security teams feel that their SOC is well staffed with the right number of skilled analysts, many agree that their current security stack limits their ability.

We Live Security - Unveiling WolfsBane: Gelsemium’s Linux counterpart to Gelsevirine: "ESET researchers have identified multiple samples of Linux backdoor, which we have named WolfsBane, that we attribute with high confidence to the Gelsemium advanced persistent threat (APT) group. This China-aligned threat actor has a known history dating back to 2014 and until now, there have been no public reports of Gelsemium using Linux malware. Additionally, we discovered another Linux backdoor, which we named FireWood. However, we cannot definitively link FireWood to other Gelsemium tools, and its presence in the analyzed archives might be coincidental. Thus, we attribute FireWood to Gelsemium with low confidence, considering it could be a tool shared among multiple China-aligned APT groups."

Windows Security - Windows security and resiliency: Protecting your business: Empowering IT administrators with great tools during critical times is a top priority. Our first step is born out of the learnings from the July incident with the announcement of Quick Machine Recovery. This feature will enable IT administrators to execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC.

This week's tools

goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.

ncorbuk/Python-Ransomware: A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.

ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.

codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.

Upcoming events for _secpros

Higher education in the AI era (29th November): The THE Global AI Forum will bring together leading academics, researchers and thought leaders working in AI to share and discuss the latest developments in AI ethics, horizons and how universities will be impacted. Delegates will discover the latest advancements in AI and the opportunities and potential challenges that AI may present for their institution. The forum will facilitate unparalleled knowledge exchange and networking that will help shed light on and shape some of AI's most critical and unexplored areas.

Hinweis Third International Conference on Artificial Intelligence and Data Science (29th-30th November): Hinweis Third International Conference on Artificial Intelligence and Data Science (AIDE) is a Hybrid Mode prestigious event organized with a motivation to provide an excellent international platform for the academicians, researchers, engineers, industrial participants and budding students around the world to SHARE their research findings with the global experts.

UK & Ireland CISO Inner Circle (3rd December): Join UK & Ireland's top CISOs for an intimate networking dinner and facilitated discussion on key business challenges. Enjoy a relaxed evening of dinner and drinks with your peers to share best practices, make new connections and build professional relationships.

Immersive Training & Networking for Digital Marketers (3rd-4th December): "Sharpen your marketing skill set through our workshops and sessions, that address tactical, practical and strategic ideas from the best marketing talent in the country!"

DevOpsCon (December 2nd-6th): "Simplify Complexity, Amplify Agility, Accelerate Innovation"
Austin Miller
15 Nov 2024

A Throwback to Old _secpro

Something Useful for New Readers

90% of data will be unstructured in the next 5 years. The typical company houses about 24.8 million sensitive files, according to Rubrik Zero Labs. A lot of those sensitive files reside in your unstructured data. It's time to extend the protection you're getting across the rest of your data to your unstructured files. Our Solving The Unstructured Data Challenge eBook can show you exactly how. Access the guide for: 5 steps to build a robust unstructured data protection strategy; why you need to add "value" to the three Vs of data: variety, velocity, and volume; help protecting petabytes of data without disrupting performance. Read Now. SPONSORED

Welcome to another _secpro!

_secpro is approaching 200 issues and, thanks to our long-standing readership, we have seen this newsletter go from strength to strength. Not only are we offering the same news, advice, and practical application, but we're also offering a subscription service, podcasts, and a variety of other things to help you do your job better. It's been great to play a part in the development of this community, especially when we see it all come together for conferences, events, and our community outreach.

However, we want to look back at a few things we published right in the beginning - a throwback for a relaxing Friday browse. Check out the articles below and let us know what you think!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Shouldn't GenAI be doing all the cyber crap jobs by now? Learn about the latest in GenAI for vulnerability management, exposure management and cyber-asset security when you attend the CyberRisk Summit. This free, virtual event on Wednesday, Nov. 20 includes expert speakers from Yahoo, Wells Fargo, IBM, Vulcan Cyber and more. This is the ninth, semi-annual CyberRisk Summit. Attendees can request CPE credits, and all registrants get access to the session recordings. Join us! Register for free

System Hardening, Blind SQLi Lab, Interview Pro Tip
Honeypot, Data Governance, State of K8s Security
Using Web Shells for Fun and Profit, 10x SOC

Austin Miller
14 Nov 2024

#177: Updates and the Cutting Edge

A look at some changes which are making police unhappy...

Protect Your .NET Applications with Dotfuscator: Stop Reverse Engineering and Secure Your IP. Your .NET applications face constant threats from reverse engineering, leaving your proprietary code, sensitive logic, and IP exposed. But with Dotfuscator by PreEmptive, you can safeguard your software. Dotfuscator’s advanced obfuscation features—like renaming, control flow obfuscation, and string encryption—harden your code against tampering, unauthorized access, and IP theft. Take control of your application’s security and keep your code and intellectual property secure. Empower your development process with Dotfuscator today—because your .NET apps deserve protection that lasts. Start Free Trial. SPONSORED

Welcome to another _secpro!

The times around each monthly update always seem busier. Not only are there more reports always seemingly published, but there are also more news reports of cybersecurity filtering through to the non-specialist news sources. And that doesn't always make for happy news...

Check out our coverage of Clearsky, Bruce Schneier, Brian Krebs, Checkpoint, and other big names in the world of security research - as we keep you up to date on the matters at hand!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

News Bytes

Bitdefender - ShrinkLocker (+Decryptor): From Friend to Foe, and Back Again: "Unlike most modern ransomware, which relies on sophisticated encryption algorithms, ShrinkLocker takes a simpler, more unconventional approach. ShrinkLocker modifies BitLocker configurations to encrypt a system's drives. It first checks if BitLocker is enabled and, if not, installs it. Then, it re-encrypts the system using a randomly generated password. This unique password is uploaded to a server controlled by the attacker. After the system reboots, the user is prompted to enter the password to unlock the encrypted drive. The attacker's contact email is displayed on the BitLocker screen, directing victims to pay a ransom for the decryption key."

Bruce Schneier - New iOS Security Feature Makes It Harder for Police to Unlock Seized Phones: Everybody is reporting about a new iPhone security feature with iOS 18: if the phone hasn’t been used for a few days, it automatically goes into its “Before First Unlock” state and has to be rebooted. This is a really good security feature. But various police departments don’t like it, because it makes it harder for them to unlock suspects’ phones.

Bruce Schneier - Criminals Exploiting FBI Emergency Data Requests: "The advisory said that the cybercriminals were successful in masquerading as law enforcement by using compromised police accounts to send emails to companies requesting user data. In some cases, the requests cited false threats, like claims of human trafficking and, in one case, that an individual would “suffer greatly or die” unless the company in question returns the requested information. The FBI said the compromised access to law enforcement accounts allowed the hackers to generate legitimate-looking subpoenas that resulted in companies turning over usernames, emails, phone numbers, and other private information about their users."

Bruce Schneier - AI Industry is Trying to Subvert the Definition of “Open Source AI”: "The Open Source Initiative has published (news article here) its definition of “open source AI,” and it’s terrible. It allows for secret training data and mechanisms. It allows for development to be done in secret. Since for a neural network, the training data is the source code—it’s how the model gets programmed—the definition makes no sense."

Checkpoint Research - Hamas-affiliated Threat Actor WIRTE Continues its Middle East Operations and Moves to Disruptive Activity: WIRTE is a Middle Eastern Advanced Persistent Threat (APT) group active since at least 2018. The group is primarily known for engaging in politically motivated cyber-espionage, focusing on intelligence gathering likely linked to regional geopolitical conflicts. WIRTE is believed to be a subgroup connected to Gaza Cybergang, a cluster affiliated with Hamas. Since late 2023, Check Point Research has been monitoring a campaign conducted by the WIRTE group that targets entities in the Middle East, specifically the Palestinian Authority, Jordan, Egypt, and Saudi Arabia. This campaign utilizes custom loaders like IronWind, first disclosed in November 2023 as part of a TA402 operation.

Claroty - The Problem with IoT Cloud-Connectivity and How it Exposed All OvrC Devices to Hijacking: "There are certain commonalities when the cybersecurity of internet-of-things (IoT) devices is researched and discussed. Manufacturers have long treated the security of these connected things as an afterthought, failing to prioritize the use of strong authentication and access controls, or relying on weak or outdated protocols for device communication to the cloud, and avoiding costly encryption implementations for data security..."

Clearsky - CVE-2024-43451: A New Zero-Day Vulnerability Exploited in the wild: A new zero-day vulnerability, CVE-2024-43451, was discovered by ClearSky Cyber Security in June 2024. This vulnerability affects Windows systems and is being actively exploited in attacks against Ukrainian entities. The vulnerability activates URL files containing malicious code through seemingly innocuous actions.

Google Security Blog - Safer with Google: New intelligent, real-time protections on Android to keep you safe: User safety is at the heart of everything we do at Google. Our mission to make technology helpful for everyone means building features that protect you while keeping your privacy top of mind. From Gmail’s defenses that stop more than 99.9% of spam, phishing and malware, to Google Messages’ advanced security that protects users from 2 billion suspicious messages a month and beyond, we're constantly developing and expanding protection features that help keep you safe.

Krebs on Security - Microsoft Patch Tuesday, November 2024 Edition: "Microsoft today released updates to plug at least 89 security holes in its Windows operating systems and other software. November’s patch batch includes fixes for two zero-day vulnerabilities that are already being exploited by attackers, as well as two other flaws that were publicly disclosed prior to today."

Reflectiz - TikTok Pixel Privacy Nightmare: A New Case Study: "Discover how Reflectiz helped a global travel agency to expose a TikTok pixel that was covertly tracking sensitive form inputs and transmitting user data to China, violating GDPR. Explore the detection process, response strategies, and steps taken to mitigate the breach."

Slashnext - GoIssue – The Tool Behind Recent GitHub Phishing Attacks: "We recently uncovered GoIssue, a tool marketed on a cybercrime forum that allows attackers to extract email addresses from GitHub profiles and send bulk emails directly to user inboxes. GoIssue signals a dangerous shift in targeted phishing that extends beyond individual developers to threaten entire organizations."

This week's tools

goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.

ncorbuk/Python-Ransomware: A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.

ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.

codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.

Missed our templates?

Have you made sure to check out the last _secpro templates over on Substack? Here are some of the best we have to offer to help you get over those formal arrangement nightmares.

Critical Infrastructure Maintenance Policy
Update Management Policy
Malware Recovery Playbook
Ransomware Crisis Protocol

Austin Miller
11 Nov 2024

#176: Subverting the Industry

A week of dangerous developments

Join Snyk's one-hour session on Building a Security Champions Program on Nov 19 @11am ET. Ready to level up your security posture? Join Snyk's one-hour session on November 19 and learn how to create a powerful Security Champions Program. We'll cover key strategies for identifying leaders, fostering collaboration, and driving security excellence. Plus take advantage of this free webinar and earn CPE credits. Save your spot today. SPONSORED

Welcome to another _secpro!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

News Bytes

Bruce Schneier - AI Industry is Trying to Subvert the Definition of “Open Source AI”: The Open Source Initiative has published (news article here) its definition of “open source AI,” and it’s terrible. It allows for secret training data and mechanisms. It allows for development to be done in secret. Since for a neural network, the training data is the source code—it’s how the model gets programmed—the definition makes no sense.

Bruce Schneier - Prompt Injection Defenses Against LLM Cyberattacks: Interesting research: “Hacking Back the AI-Hacker: Prompt Injection as a Defense Against LLM-driven Cyberattacks“: "Large language models (LLMs) are increasingly being harnessed to automate cyberattacks, making sophisticated exploits more accessible and scalable. In response, we propose a new defense strategy tailored to counter LLM-driven cyberattacks. We introduce Mantis, a defensive framework that exploits LLMs’ susceptibility to adversarial inputs to undermine malicious operations. Upon detecting an automated cyberattack, Mantis plants carefully crafted inputs into system responses, leading the attacker’s LLM to disrupt their own operations (passive defense) or even compromise the attacker’s machine (active defense)..."

Bruce Schneier - Subverting LLM Coders: Really interesting research: “An LLM-Assisted Easy-to-Trigger Backdoor Attack on Code Completion Models: Injecting Disguised Vulnerabilities against Strong Detection“: "Abstract: Large Language Models (LLMs) have transformed code completion tasks, providing context-based suggestions to boost developer productivity in software engineering. As users often fine-tune these models for specific applications, poisoning and backdoor attacks can covertly alter the model outputs. To address this critical security challenge, we introduce CODEBREAKER, a pioneering LLM-assisted backdoor attack framework on code completion models. Unlike recent attacks that embed malicious payloads in detectable or irrelevant sections of the code (e.g., comments), CODEBREAKER leverages LLMs (e.g., GPT-4) for sophisticated payload transformation (without affecting functionalities), ensuring that both the poisoned data for fine-tuning and generated code can evade strong vulnerability detection..."

Checkpoint Research - Cloudy With a Chance of RATs: Unveiling APT36 and the Evolution of ElizaRAT: "APT36, also known as Transparent Tribe, is a Pakistan-based threat actor notorious for persistently targeting Indian government organizations, diplomatic personnel, and military facilities. APT36 has conducted numerous cyber-espionage campaigns against Windows, Linux, and Android systems. In recent campaigns, APT36 utilized a particularly insidious Windows RAT known as ElizaRAT. First discovered in 2023, ElizaRAT has significantly evolved to enhance its evasion techniques and maintain reliability in its command and control (C2) communication."

CloudSEK - Mozi Resurfaces as Androxgh0st Botnet: Unraveling The Latest Exploitation Wave: "The report by CloudSEK uncovers the resurgence of the Mozi botnet in a new form called "Androxgh0st," actively exploiting vulnerabilities across multiple platforms, including IoT devices and web servers. Since January 2024, Androxgh0st has adopted payloads and tactics from Mozi, allowing it to target systems like Cisco ASA, Atlassian JIRA, and PHP frameworks. This botnet utilizes remote code execution and credential-stealing methods to maintain persistent access, leveraging unpatched vulnerabilities to infiltrate critical infrastructures. Immediate security patches and regular monitoring are advised to mitigate risks from this complex threat, which now combines Mozi’s IoT-targeting abilities with Androxgh0st’s extended attack vector."

Fortinet - New Campaign Uses Remcos RAT to Exploit Victims: "Remcos is a commercial RAT (remote administration tool) sold online. It provides purchasers with a wide range of advanced features to remotely control computers belonging to the buyer. However, threat actors have abused Remcos to collect sensitive information from victims and remotely control their computers to perform further malicious acts."

JFROG - Machine Learning Bug Bonanza – Exploiting ML Services: "In our previous research on MLOps we noted the immaturity of the Machine Learning (ML) field often results in a higher amount of discovered security vulnerabilities in ML-related projects as compared to more established software categories such as DevOps, Web Servers, etc. For example, in the past two years, 15 critical CVEs were published in mlflow vs. just two critical CVEs in Jenkins, which was documented by both public research and our own investigation."

Krebs on Security - Canadian Man Arrested in Snowflake Data Extortions: A 25-year-old man in Ontario, Canada has been arrested for allegedly stealing data from and extorting more than 160 companies that used the cloud data service Snowflake. On October 30, Canadian authorities arrested Alexander Moucka, a.k.a. Connor Riley Moucka, of Kitchener, Ontario, on a provisional arrest warrant from the United States. Bloomberg first reported Moucka’s alleged ties to the Snowflake hacks on Monday.

Krebs on Security - FBI: Spike in Hacked Police Emails, Fake Subpoenas: The Federal Bureau of Investigation (FBI) is urging police departments and governments worldwide to beef up security around their email systems, citing a recent increase in cybercriminal services that use hacked police email accounts to send unauthorized subpoenas and customer data requests to U.S.-based technology companies.

Office of Public Affairs - Bitcoin Fog Operator Sentenced for Money Laundering Conspiracy: "According to court documents and evidence presented at trial, from 2011 through 2021, Roman Sterlingov, 36, was involved in operating Bitcoin Fog, the darknet’s longest-running cryptocurrency “mixer.” Over the course of its decade-long operation, Bitcoin Fog gained notoriety as a go-to money laundering service for criminals seeking to hide their illicit proceeds from law enforcement and processed transactions involving over 1.2 million bitcoin, valued at approximately $400 million at the time the transactions occurred. The bulk of this cryptocurrency came from darknet marketplaces and was tied to illegal narcotics, computer crimes, identity theft, and child sexual abuse material."

This week's tools

goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.

ncorbuk/Python-Ransomware: A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.

ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.

codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.

Upcoming events for _secpros

19th International Conference for Internet Technology and Secured Transactions (4th-5th November): The 19th International Conference for Internet Technology and Secured Transactions (ICITST-2024) will be held at the St Anne's College, Oxford, from the 4th to 6th of November, 2024. The ICITST is an international refereed conference dedicated to the advancement of theory and practical implementation of secured Internet transactions and to fostering discussions on information technology evolution. The ICITST-2024 aims to provide a highly professional and comparative academic research forum that promotes collaborative excellence between academia and industry.

The Women and Diversity in Tech and Channel Festival (5th November): "The Women and Diversity in Tech and Channel Festival is a celebration of diversity within the tech landscape. Although progress has been made, there is still far to go to make sure that people from every background and gender have avenues to achieve satisfaction and success with a role in tech."

Zywave's Cyber Risk Insights Conference (6th November): "Free Registration is offered to full-time Risk Managers and Insurance Buyers as a courtesy from Zywave. First come first served, of course, and we reserve the right to verify roles as well as to deny this free courtesy based on our sole discretion."

AI-Driven MedTech: Navigating the New Frontier (6th November): "Join us for an insightful webinar where we explore the transformative power of Artificial Intelligence (AI) in the medical and healthcare industries. As we stand on the brink of a new era in MedTech, AI is emerging as a pivotal force, driving innovation and enhancing patient care. This webinar will provide a practical understanding of how AI is becoming an indispensable “member” of the medical team, revolutionizing everything from diagnostics and treatment planning to medical device development."

The 10th IEEE World Forum on Internet of Things (10th-13th November): The IEEE WFIoT2024 continues the legacy of being the premier event hosted by the IEEE IoT Technical Community, uniting diverse expertise intrinsic to the IoT domain. This year, we proudly announce the theme for WFIoT 2024: "Unleashing the Power of IoT with AI." This theme underscores the pivotal role of Artificial Intelligence in augmenting the potential of the Internet of Things.

Austin Miller
01 Nov 2024

#175: Hunting the EMERALDWHALE

And other worrying developments from this week

Webinar: Introducing a Market-Changing Approach to Mobile App Security. Join Guardsquare to learn more about our new guided configuration approach to mobile application protection. Our latest innovation ensures that all developers can effortlessly launch apps with industry-leading protection in less than a day. This webinar will: walk through Guardsquare's new guided configuration approach; discuss how this new approach empowers mobile app publishers to easily configure security features, receive actionable insights, and monitor protection outcomes without sacrificing app performance or user experience; and cover a case study addressing how customers successfully implemented the technology. Register Now. SPONSORED

Welcome to another _secpro!

It’s been another busy week with another set of problems to keep you busy. We’ve got the details below, but here’s a quick synopsis for those of you in a rush…

Cybersecurity experts Bruce Schneier and Roger Grimes emphasize the difficulty of prioritizing actions among numerous unranked cybersecurity guidelines, which often lack risk-based prioritization. Strava's fitness app continues to expose sensitive data, enabling the tracking of military personnel and world leaders. German police have achieved some success in deanonymizing Tor users through timing analysis. Cybercrime is also escalating with low-tech ATM attacks in Germany and major command injection vulnerabilities affecting Arcadyan routers. Recent takedowns by Eurojust disrupted global infostealer malware networks, and Google revealed a Russian espionage campaign targeting Ukrainian military recruits via a hybrid malware operation. A massive data breach at Change Healthcare compromised the data of 100 million Americans, while lax mobile ad data practices expose individuals to location tracking. Meanwhile, phishing attacks using Webflow target cryptocurrency wallets, and Sysdig's EMERALDWHALE campaign uncovered the theft of 15,000 cloud credentials. Finally, ThreatFabric discovered updated LightSpy malware, now targeting both macOS and iOS.

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

News Bytes

Bruce Schneier - Roger Grimes on Prioritizing Cybersecurity Advice: "This is a good point: Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment. What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others."

Bruce Schneier - Tracking World Leaders Using Strava: "Way back in 2018, people noticed that you could find secret military bases using data published by the Strava fitness app. Soldiers and other military personnel were using them to track their runs, and you could look at the public data and find places where there should be no people running. Six years later, the problem remains. Le Monde has reported that the same Strava data can be used to track the movements of world leaders. They don’t wear the tracking device, but many of their bodyguards do."

Bruce Schneier - Law Enforcement Deanonymizes Tor Users: The German police have successfully deanonymized at least four Tor users. It appears they watch known Tor relays and known suspects, and use timing analysis to figure out who is using what relay. Tor has written about this.

Bruce Schneier - Criminals Are Blowing up ATMs in Germany: "It’s low tech, but effective. Why Germany? It has more ATMs than other European countries, and—if I read the article right—they have more money in them."

CMU CERT - Vulnerable WiFi Alliance example code found in Arcadyan FMIMG51AX000J: "A command injection vulnerability has been identified in the Wi-Fi Test Suite, a tool developed by the WiFi Alliance, which has been found deployed on Arcadyan routers. This flaw allows an unauthenticated local attacker to exploit the Wi-Fi Test Suite by sending specially crafted packets, enabling the execution of arbitrary commands with root privileges on the affected routers."

Eurojust - Malware targeting millions of people taken down by international coalition: "A global operation, supported by Eurojust, has led to the takedown of servers of infostealers, a type of malware used to steal personal data and conduct cybercrimes worldwide. The infostealers, RedLine and META, taken down today targeted millions of victims worldwide, making it one of the largest malware platforms globally. An international coalition of authorities from the Netherlands, the United States, Belgium, Portugal, the United Kingdom and Australia shut down three servers in the Netherlands, seized two domains, unsealed charges in the United States and took two people into custody in Belgium."

Google Cloud - Hybrid Russian Espionage and Influence Campaign Aims to Compromise Ukrainian Military Recruits and Deliver Anti-Mobilization Narratives: "In September 2024, Google Threat Intelligence Group (consisting of Google’s Threat Analysis Group (TAG) and Mandiant) discovered UNC5812, a suspected Russian hybrid espionage and influence operation, delivering Windows and Android malware using a Telegram persona named "Civil Defense". "Civil Defense" claims to be a provider of free software programs designed to enable potential conscripts to view and share crowdsourced locations of Ukrainian military recruiters. If installed with Google Play Protect disabled, these programs deliver an operating system-specific commodity malware variant to the victim alongside a decoy mapping application we track as SUNSPINNER. In addition to using its Telegram channel and website for malware delivery, UNC5812 is also actively engaged in influence activity, delivering narratives and soliciting content intended to undermine support for Ukraine's mobilization efforts."

Krebs on Security - Change Healthcare Breach Hits 100M Americans: "Change Healthcare says it has notified approximately 100 million Americans that their personal, financial and healthcare records may have been stolen in a February 2024 ransomware attack that caused the largest ever known data breach of protected health information."

Krebs on Security - The Global Surveillance Free-for-All in Mobile Ad Data: "Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites."

Netskope - Attackers Target Crypto Wallets Using Codeless Webflow Phishing Pages: "From April to September 2024, Netskope Threat Labs tracked a 10-fold increase in traffic to phishing pages crafted through Webflow. The campaigns target sensitive information from different crypto wallets, including Coinbase, MetaMask, Phantom, Trezor, and Bitbuy, as well as login credentials for multiple company webmail platforms, as well as Microsoft365 login credentials. The campaigns have targeted more than 120 organizations worldwide, with the majority located in North America and Asia, across multiple segments led by financial services, banking, and technology."

Safebreach - An Update on Windows Downdate: "In August, I shared a blog on my most recent research project called Windows Downdate, which I first presented at Black Hat USA 2024 and DEF CON 32 (2024). In it, I explained how I was able to develop a tool to take over the Windows Update process to craft custom downgrades on critical OS components to expose previously fixed vulnerabilities. By using this downgrade ability, I discovered CVE-2024-21302, a privilege escalation vulnerability affecting the entire Windows virtualization stack."

Sysdig - EMERALDWHALE: 15k Cloud Credentials Stolen in Operation Targeting Exposed Git Config Files: The Sysdig Threat Research Team (TRT) recently discovered a global operation, EMERALDWHALE, targeting exposed Git configurations resulting in more than 15,000 cloud service credentials stolen. This campaign used multiple private tools that abused multiple misconfigured web services, allowing attackers to steal credentials, clone private repositories, and extract cloud credentials from their source code. Credentials for over 10,000 private repositories were collected during the operation. The stolen data was stored in an S3 bucket of a previous victim.

ThreatFabric - LightSpy: Implant for iOS: "In May 2024, ThreatFabric published a report about LightSpy for macOS. During that investigation, we discovered that the threat actor was using the same server for both macOS and iOS campaigns. Thanks to this, we were also able to obtain the most recent samples of LightSpy for iOS. After a brief analysis of the obtained files, we concluded that this version slightly differs from the version discussed by researchers in 2020."

This week's tools

goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.

ncorbuk/Python-Ransomware: A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.

ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.

codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.

Upcoming events for _secpros

19th International Conference for Internet Technology and Secured Transactions (4th-5th November): The 19th International Conference for Internet Technology and Secured Transactions (ICITST-2024) will be held at the St Anne's College, Oxford, from the 4th to 6th of November, 2024. The ICITST is an international refereed conference dedicated to the advancement of theory and practical implementation of secured Internet transactions and to fostering discussions on information technology evolution. The ICITST-2024 aims to provide a highly professional and comparative academic research forum that promotes collaborative excellence between academia and industry.

The Women and Diversity in Tech and Channel Festival (5th November): "The Women and Diversity in Tech and Channel Festival is a celebration of diversity within the tech landscape. Although progress has been made, there is still far to go to make sure that people from every background and gender have avenues to achieve satisfaction and success with a role in tech."

Zywave's Cyber Risk Insights Conference (6th November): "Free Registration is offered to full-time Risk Managers and Insurance Buyers as a courtesy from Zywave. First come first served, of course, and we reserve the right to verify roles as well as to deny this free courtesy based on our sole discretion."

AI-Driven MedTech: Navigating the New Frontier (6th November): "Join us for an insightful webinar where we explore the transformative power of Artificial Intelligence (AI) in the medical and healthcare industries. As we stand on the brink of a new era in MedTech, AI is emerging as a pivotal force, driving innovation and enhancing patient care. This webinar will provide a practical understanding of how AI is becoming an indispensable “member” of the medical team, revolutionizing everything from diagnostics and treatment planning to medical device development."

The 10th IEEE World Forum on Internet of Things (10th-13th November): The IEEE WFIoT2024 continues the legacy of being the premier event hosted by the IEEE IoT Technical Community, uniting diverse expertise intrinsic to the IoT domain. This year, we proudly announce the theme for WFIoT 2024: "Unleashing the Power of IoT with AI." This theme underscores the pivotal role of Artificial Intelligence in augmenting the potential of the Internet of Things.