Random in Security is a summary of the cybersecurity news.
Interesting Reads
Analysis of the NSO BLASTPASS iMessage exploit
The BLASTPASS exploit leverages a vulnerability in WebP image parsing within a PKPass file, using a complex heap manipulation technique to trigger a controlled memory corruption. By carefully crafting a malicious PKPass with a WebP image, TIFF metadata, and a binary property list, the attackers can achieve code execution in the MessagesBlastDoorService through a callback-oriented programming (COP) technique that bypasses Pointer Authentication Code (PAC). This exploit demonstrates the sophisticated and multi-layered approach NSO Group uses to compromise iOS devices, highlighting the ongoing cat-and-mouse game between exploit developers and platform security teams.
NLRB Whistleblower on DOGE
According to the NPR article, a whistleblower named Daniel Berulis alleged that DOGE engineers accessed the National Labor Relations Board’s sensitive case management system and potentially exfiltrated around 10 gigabytes of data, including confidential information about union organizing, ongoing legal cases, and employee personal details. The whistleblower was particularly alarmed by the engineers’ attempts to hide their tracks, such as disabling logging tools, deleting accounts, and creating suspicious code repositories, which cybersecurity experts compared to the tactics of “criminal or state-sponsored hackers” and raised concerns about potential data exposure to competitors or foreign adversaries.
MirrorFace invites Europe to Expo 2025
In Operation AkaiRyū, the China-aligned MirrorFace APT group expanded its targeting beyond Japan, attacking a Central European diplomatic institute using a spearphishing campaign related to Expo 2025. The group revived the ANEL backdoor, which was previously thought abandoned, and deployed a customized AsyncRAT to infiltrate the target, marking the first known European targeting by this threat actor.
Practical Known Plaintext Attack Against ZIP Files
The known plaintext attack against ZIP files starts from an encrypted archive and an unencrypted copy of one of the files it contains, matching in size and compressed with the same method. Using a tool like bkcrack, an attacker can recover the internal encryption keys by comparing that known plaintext with the corresponding encrypted entry, and then decrypt the whole archive without ever learning the original password. The technique applies to the legacy ZIP encryption scheme (ZipCrypto) and defeats password protection even when conventional password cracking fails, so archives that still rely on ZipCrypto should be treated as unprotected.
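A defender's first check is whether an archive even uses the legacy scheme. The following added example (not code from the article or from bkcrack) walks the ZIP local file headers and flags entries whose general-purpose bit 0 is set but whose compression method is not the WinZip AES marker (99); those entries are ZipCrypto and therefore exposed to the attack described above. The sample archive bytes are constructed inline, and the parser assumes entries carry no data descriptor (bit 3), so the compressed size in the header is authoritative.

```python
import struct

LOCAL_SIG = b"PK\x03\x04"          # local file header signature
LOCAL_FMT = "<4sHHHHHIIIHH"        # fixed 30-byte local file header
LOCAL_LEN = struct.calcsize(LOCAL_FMT)
AES_METHOD = 99                    # WinZip AE-x marker in the method field
FLAG_ENCRYPTED = 0x0001            # general-purpose bit 0


def classify_entries(data: bytes) -> list:
    """Return [{'name', 'scheme'}] for every local file header in order."""
    entries, pos = [], 0
    while data.startswith(LOCAL_SIG, pos):
        (_sig, _ver, flags, method, _t, _d, _crc,
         csize, _usize, nlen, xlen) = struct.unpack_from(LOCAL_FMT, data, pos)
        name = data[pos + LOCAL_LEN:pos + LOCAL_LEN + nlen].decode("utf-8", "replace")
        if not flags & FLAG_ENCRYPTED:
            scheme = "none"
        elif method == AES_METHOD:
            scheme = "AES"          # strong scheme; not affected by bkcrack
        else:
            scheme = "ZipCrypto"    # legacy PKWARE stream cipher
        entries.append({"name": name, "scheme": scheme})
        # Assumes bit 3 (data descriptor) is clear, so csize is trustworthy.
        pos += LOCAL_LEN + nlen + xlen + csize
    return entries


def weak_entries(data: bytes) -> list:
    """Names of entries that rely on ZipCrypto and should be re-encrypted."""
    return [e["name"] for e in classify_entries(data) if e["scheme"] == "ZipCrypto"]


def _local_entry(name: bytes, method: int, flags: int, payload: bytes) -> bytes:
    """Build one local header + payload for the constructed sample archive."""
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0, 0, 0,
                      len(payload), len(payload), len(name), 0)
    return hdr + name + payload


# Constructed sample: one plaintext entry, one ZipCrypto entry, one AES entry.
SAMPLE_ZIP = (
    _local_entry(b"readme.txt", 0, 0x0000, b"hello")
    + _local_entry(b"secret.docx", 8, FLAG_ENCRYPTED, b"\x00" * 12 + b"x")
    + _local_entry(b"report.pdf", AES_METHOD, FLAG_ENCRYPTED, b"\x00" * 8)
)

if __name__ == "__main__":
    print(weak_entries(SAMPLE_ZIP))
```

Run it against a real archive with `weak_entries(open(path, "rb").read())`; any name it returns is protected only by ZipCrypto.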
Unblurring videos
Researchers demonstrated that it’s easier than ever to de-censor videos using modern AI techniques, with practical implementations available through tools like KoKuToru’s de-pixelate project. This advancement raises concerns about privacy implications for content that relies on blurring or pixelation for anonymization.
OWASP ASVS v5 released
The OWASP Application Security Verification Standard (ASVS) v5.0 was released, providing updated security requirements and verification criteria for modern web applications. The new version includes enhanced guidance for cloud-native applications, API security, and modern authentication methods, with the complete standard documentation available for implementation by development teams and security professionals.
Analysis of Spyware That Helped to Compromise a Syrian Army from Within
The SpyMax Android spyware, distributed via a Telegram channel disguised as a humanitarian aid app, targeted Syrian army personnel by promising cash transfers while collecting sensitive military data. The spyware could stream camera feeds, record audio, track location, keylog user input, and exfiltrate SMS, contacts, and call logs, effectively creating “live maps of force deployments” and compromising military operational status. By exploiting soldiers’ economic desperation through social engineering, attackers used this low-cost, off-the-shelf tool to systematically undermine the Syrian army’s infrastructure.
BKA - Bundeslagebild Cybercrime 2024
According to the BKA cybercrime report, cybercrime in Germany reached a new high in 2024 with 131,391 domestic cases and 201,877 foreign-originated cybercrimes, characterized by a significant increase in ransomware attacks, DDoS campaigns, and phishing attempts. The annual damage from cyberattacks was estimated at €178.6 billion, with the report highlighting the growing sophistication of cybercriminal activities, particularly through the use of AI and “Cybercrime-as-a-Service” models. The BKA emphasized the need for enhanced international cooperation and legal frameworks to effectively combat the evolving cyber threat landscape.
Tracking Anticheat Updates
The research on tracking anticheat updates describes how to monitor anticheat software across various gaming platforms by analyzing its Content Delivery Network (CDN) structure, download mechanisms, and module extraction techniques. By understanding how anticheats distribute and encrypt their software, researchers can gain insight into detection methods, potential weaknesses, and changes in protection strategy. The methodology covers examining download URLs, extracting embedded files, decrypting modules, and analyzing binary structures to follow how anticheats evolve over time.
Tools
- NomadScanner - Stealth Portscanner for Red Teams - NomadScanner is a hardened, memory-only Windows port scanner built for red teamers and penetration testers who need maximum stealth and OPSEC. It sends fully in-memory HTTP probes with randomized network characteristics to blend into normal traffic patterns.
- GoExec - Remote Execution Multitool - a Windows remote execution multitool
- WhatThePhish v2.1 - A significantly enhanced email phishing analysis tool with advanced character analysis and evasion detection capabilities.
- Cybersecurity AI (CAI) - Cybersecurity AI (CAI), an open Bug Bounty-ready Artificial Intelligence
- Build-Your-Own-Ransomware - Hands-On Offensive and Defensive Insights
- OnionC2 - C2 written in Rust and Go, powered by the Tor network.