Random in Security 202439

Covering the recent security news


Introduction

Random in Security is a summary of the cybersecurity news.

Interesting Reads

Building a Purple Teaming Test Environment with Ludus

This article provides an introduction to automating your home lab using Ludus. The system uses Ansible and Packer on Proxmox to deploy complex test environments that previously had to be hand-crafted. RTFM

Vulnerabilities in Open Source C2 Frameworks

The article discusses the various security vulnerabilities identified in open-source command and control (C2) frameworks. The author identified RCE vulnerabilities in Mythic, Sliver, Havoc, Ninja, Covenant and Shad0w. The PoCs are published on GitHub.

Backdoor Deployment Using Trojanized PDF Reader

Mandiant observed UNC2970 targeting victims under the guise of job openings, masquerading as a recruiter for prominent companies. To target victims employed in U.S. critical infrastructure verticals, UNC2970 relies on legitimate job openings. The job description is delivered to the victim in a password-protected ZIP archive containing an encrypted PDF file and a modified version of an open-source PDF viewer application. The threat actor modified the open-source code of an older SumatraPDF version as part of this campaign. Targeted users were instructed to open the PDF file with the enclosed trojanized PDF viewer program.

Leeds Equity Partners Acquires OffSec

Leeds Equity Partners announced its acquisition of OffSec on October 15, 2024. Looking back to the beginning of September, OffSec had announced the introduction of OSCP+, which includes a three-year expiration period. Taking both into consideration, one could guess that OffSec probably had business-related issues. So, this could be the start of good changes coming to OffSec certifications. On the other hand, Cory Doctorow has a good article on “plundering” private equity firms.

Systematic Destruction (Hacking the Scammers pt. 2)

Grant Smith, S1n1st3r, continues his investigation into a sophisticated smishing campaign targeting USPS customers. The phishing kit is sold by a Chinese computer science student for USDC 200 per month. Resecurity published a related article based on the same handle, Wangduoyu.

One Phish Two Phish, Red Teams Spew Phish

The article provides some relevant considerations when performing a regular phishing exercise. Usually, going the route with SendGrid already solves a lot of problems. For the DNS considerations, the article includes some good general pointers.

Progressive Web Apps (PWAs) Phishing

In his article, mr.d0x explores how attackers can exploit Progressive Web Apps (PWAs) for phishing purposes. The attacker creates a malicious PWA designed to mimic a legitimate application, such as “Microsoft Login.” Upon installation, the PWA redirects the user to a phishing page with a counterfeit URL bar.

On Fire Drills and Phishing Tests

Google published an article proposing a different approach to phishing training. Mandatory phishing tests typically collect reporting metrics on sent emails and how many employees “failed” by clicking the decoy link. These tests have multiple side effects because of the adversarial approach of “catching” people “failing” at the task. After all, humans are social beings, and there will always be a way for an attacker to manipulate this.

We need to stop doing phishing tests and start doing phishing fire drills

Tools

Goffloader

A Go implementation of Cobalt Strike style BOF/COFF loaders.

Writeup

gowitness v3

Leon Jacobs branched to v3, deleted everything but the README and .gitignore files, and scaffolded a new cobra project.