Hack Swat

HackSwat is the first and most popular independent cybersecurity news source in the Middle East.

The "Hack Swat" platform specializes in presenting the latest topics in technology; devices, mobile phones, and everything related to networking and security can be found here.

03/01/2025

LDAPNightmare PoC Exploit Crashes LSASS and Reboots Windows Domain Controllers.

A proof-of-concept (PoC) exploit has been released for a now-patched security flaw impacting Windows Lightweight Directory Access Protocol (LDAP) that could trigger a denial-of-service (DoS) condition.

The out-of-bounds read vulnerability is tracked as CVE-2024-49113 (CVSS score: 7.5). It was addressed by Microsoft as part of Patch Tuesday updates for December 2024, alongside CVE-2024-49112 (CVSS score: 9.8), a critical integer overflow flaw in the same component that could result in remote code execution.

Credited with discovering and reporting both vulnerabilities is independent security researcher Yuki Chen.

The CVE-2024-49113 PoC devised by SafeBreach Labs, codenamed LDAPNightmare, is designed to crash any unpatched Windows Server "with no pre-requisites except that the DNS server of the victim DC has Internet connectivity."

Specifically, it entails sending a DCE/RPC request to the victim server, ultimately causing the Local Security Authority Subsystem Service (LSASS) to crash and force a reboot when a specially crafted CLDAP referral response packet is received.

Even worse, the California-based cybersecurity company found that the same exploit chain could also be leveraged to achieve remote code execution (CVE-2024-49112) by modifying the CLDAP packet.

Microsoft's advisory for CVE-2024-49113 is lean on technical details, but the Windows maker has revealed that CVE-2024-49112 could be exploited by sending RPC requests from untrusted networks to execute arbitrary code within the context of the LDAP service.

"In the context of exploiting a domain controller for an LDAP server, to be successful an attacker must send specially crafted RPC calls to the target to trigger a lookup of the attacker's domain to be performed in order to be successful," Microsoft said.

"In the context of exploiting an LDAP client application, to be successful an attacker must convince or trick the victim into performing a domain controller lookup for the attacker's domain or into connecting to a malicious LDAP server. However, unauthenticated RPC calls would not succeed."

Furthermore, an attacker could use an RPC connection to a domain controller to trigger domain controller lookup operations against the attacker's domain, the company noted.

To mitigate the risk posed by these vulnerabilities, it's essential that organizations apply the December 2024 patches released by Microsoft. In situations where immediate patching is not possible, it's advised to "implement detections to monitor suspicious CLDAP referral responses (with the specific malicious value set), suspicious DsrGetDcNameEx2 calls, and suspicious DNS SRV queries."
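One of the three detections recommended above, suspicious DNS SRV queries, can be prototyped offline. The script below is an added example written for this page; it is not SafeBreach's or Microsoft's code. It assumes DNS query logs can be exported to a simple "timestamp client qtype qname" line format (a hypothetical format, constructed here) and that the organization knows which domains its domain controllers are expected to locate. It flags DC-locator SRV lookups (the `_ldap._tcp` / `_kerberos._tcp` / `_msdcs` records) for any domain outside that trusted set, which is the lookup of the attacker's domain that Microsoft's advisory text says a successful attack needs.

```python
"""Flag DC-locator DNS SRV queries for domains outside the organisation's trust scope.

Added example for the LDAPNightmare item; not SafeBreach's or Microsoft's code.
Assumes a hypothetical "<timestamp> <client-ip> <qtype> <qname>" log line format.
"""
import re
from typing import Dict, Iterable, List, Optional

# Domains a domain controller is expected to resolve DC-locator records for
# (constructed allowlist: own forest plus trusted partner domains).
TRUSTED_DOMAINS = {"corp.example", "partner.example"}

# Constructed sample log. The 10:02 lines model a DC being made to locate the
# DCs of an unknown domain, the behaviour the advisory text describes.
SAMPLE_DNS_LOG = """\
2025-01-03T10:01:02Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.corp.example
2025-01-03T10:01:05Z 10.0.0.5 A fileserver.corp.example
2025-01-03T10:02:11Z 10.0.0.5 SRV _ldap._tcp.dc._msdcs.attacker-controlled.test
2025-01-03T10:02:12Z 10.0.0.5 SRV _kerberos._tcp.attacker-controlled.test
2025-01-03T10:03:40Z 10.0.0.9 SRV _ldap._tcp.partner.example
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")

# DC-locator SRV names: _ldap._tcp.<domain>, _ldap._tcp.dc._msdcs.<domain>,
# _ldap._tcp.<site>._sites.dc._msdcs.<domain>, _kerberos._tcp.<domain>, _gc._tcp.<forest>
DC_LOCATOR_RE = re.compile(
    r"^_(?:ldap|kerberos|gc)\._tcp\.(?:.*?_msdcs\.)?(?P<domain>[^_]+)$", re.IGNORECASE
)


def domain_of_dc_locator_query(qname: str) -> Optional[str]:
    """Return the domain a DC-locator SRV query targets, or None if it is not one."""
    m = DC_LOCATOR_RE.match(qname.rstrip("."))
    return m.group("domain").lower() if m else None


def is_trusted(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True if the domain is a trusted domain or a child of one."""
    return any(domain == t or domain.endswith("." + t) for t in trusted)


def find_suspicious_dc_lookups(lines: Iterable[str], trusted=TRUSTED_DOMAINS) -> List[Dict[str, str]]:
    """Return SRV DC-locator queries whose target domain is outside the trusted set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("qtype").upper() != "SRV":
            continue  # not a well-formed line, or not an SRV lookup
        domain = domain_of_dc_locator_query(m.group("qname"))
        if domain is None or is_trusted(domain, trusted):
            continue  # not a DC-locator record, or an expected domain
        hits.append({"ts": m.group("ts"), "client": m.group("client"),
                     "qname": m.group("qname"), "domain": domain})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_dc_lookups(SAMPLE_DNS_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} located DCs for untrusted domain "
              f"{hit['domain']} via {hit['qname']}")
```

Restricting the alert to SRV queries from domain controllers (the `client` field) keeps noise down; workstations legitimately resolve DC-locator records for their own domain, whereas a DC resolving another forest's records is rare outside trust relationships and is worth reviewing alongside the DsrGetDcNameEx2 call that triggered it.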

23/11/2024

🇮🇳 India - Indian Students' Data Leak

A breach has exposed data of 141 Indian students, including names, fathers' names, mobile numbers, and email addresses. The leaked information raises concerns about privacy and the potential for misuse of personal details. This incident highlights the growing need for improved data protection and cybersecurity in educational institutions.

23/11/2024

Global - Massive Credit Card Database Leaked

A significant database containing details of 1,221,551 credit cards has been leaked and shared for free on the dark web. This breach includes sensitive financial information, posing risks of fraudulent transactions and identity theft for affected individuals. The incident underscores the importance of vigilant monitoring and strong financial security practices to mitigate such threats.

23/11/2024

Israel - Data Leak by Navinn24

A significant data leak concerning Israeli users has been exposed by the threat actor Navinn24 on the dark web. The compromised data includes personal and sensitive information, raising concerns about identity theft and misuse. This breach underscores the need for stringent cybersecurity protocols to protect user privacy and prevent further exploitation.

18/11/2024

🚨 Data breach Alert 🚨

A member of a breach forum claims to have leaked data from Mansour Group, an Egyptian multinational conglomerate. The leaked data reportedly includes sensitive information such as IDs, names, email addresses, phone numbers, and other details.


31/08/2024

A critical zero-day in Google Chrome has been exploited by North Korean actors to deploy the FudModule rootkit.

links the attack to a Lazarus Group subgroup, notorious for advanced cyber campaigns.

30/08/2024

⚠️⛔🚨
North Korean threat actors are publishing malicious packages on the npm registry targeting developers and stealing .

The latest wave, which was observed between August 12 and 27, 2024, involved packages named temp-etherscan-api, ethersscan-api, telegram-con, helmet-validate, and qq-console.

"Behaviors in this campaign lead us to believe that qq-console is attributable to the North Korean campaign known as 'Contagious Interview,'" software supply chain security firm Phylum said.

Contagious Interview refers to an ongoing campaign that seeks to compromise software developers with information stealing malware as part of a purported job interview process that involves tricking them into downloading bogus npm packages or fake installers for video conferencing software such as MiroTalk hosted on decoy websites.

The end goal of the attacks is to deploy a Python payload named InvisibleFerret that can exfiltrate sensitive data from cryptocurrency wallet browser extensions and set up persistence on the host using legitimate remote desktop software such as AnyDesk. CrowdStrike is tracking the activity under the moniker Famous Chollima.

The newly observed helmet-validate package adopts a new approach in that it embeds a piece of JavaScript code file called config.js that directly executes JavaScript hosted on a remote domain ("ipcheck[.]cloud") using the eval() function.

"Our investigation revealed that ipcheck[.]cloud resolves to the same IP address (167[.]88[.]36[.]13) that mirotalk[.]net resolved to when it was online," Phylum said, highlighting potential links between the two sets of attacks.

The company said it also observed another package called sass-notification that was uploaded on August 27, 2024, which shared similarities with previously uncovered npm libraries like call-blockflow. These packages have been attributed to another North Korean threat group called Moonstone Sleet.

"These attacks are characterized by using obfuscated JavaScript to write and execute batch and PowerShell scripts," it said. "The scripts download and decrypt a remote payload, execute it as a DLL, and then attempt to clean up all traces of malicious activity, leaving behind a seemingly benign package on the victim's machine."

Famous Chollima Poses as IT Workers in U.S. Firms

The disclosure comes as CrowdStrike linked Famous Chollima (formerly BadClone) to insider threat operations that entail infiltrating corporate environments under the pretext of legitimate employment.

"Famous Chollima carried out these operations by obtaining contract or full-time equivalent employment, using falsified or stolen identity documents to bypass background checks," the company said. "When applying for a job, these malicious insiders submitted a résumé typically listing previous employment with a prominent company as well as additional lesser-known companies and no employment gaps."

While these attacks are mainly financially motivated, a subset of the incidents are said to have involved the exfiltration of sensitive information. CrowdStrike said it has identified the threat actors applying to or actively working at more than 100 unique companies over the past year, most of which are located in the U.S., Saudi Arabia, France, the Philippines, and Ukraine, among others.

Prominently targeted sectors include technology, fintech, financial services, professional services, retail, transportation, manufacturing, insurance, pharmaceutical, social media, and media companies.

"After obtaining employee-level access to victim networks, the insiders performed minimal tasks related to their job role," the company further said. "In some cases, the insiders also attempted to exfiltrate data using Git, SharePoint, and OneDrive."

"Additionally, the insiders installed the following RMM tools: RustDesk, AnyDesk, TinyPilot, VS Code Dev Tunnels, and Google Chrome Remote Desktop. The insiders then leveraged these RMM tools in tandem with company network credentials, which allowed numerous IP addresses to connect to the victim's system."

It's time to double-check your dependencies! Be proactive in securing your development environment.

30/08/2024

Confluence Exploited in Crypto Mining Campaigns.

The security vulnerability exploited is CVE-2023-22527, a maximum severity bug in older versions of Atlassian Confluence Data Center and Confluence Server that could allow unauthenticated attackers to achieve remote code execution. It was addressed by the Australian software company in mid-January 2024.

Trend Micro said it observed a high number of exploitation attempts against the flaw between mid-June and the end of July 2024 that leveraged it to drop the XMRig miner on unpatched hosts. At least three different threat actors are said to be behind the malicious activity -

Launching XMRig miner via an ELF file payload using specially crafted requests

Using a shell script that first terminates competing cryptojacking campaigns (e.g., Kinsing), deletes all existing cron jobs, uninstalls cloud security tools from Alibaba and Tencent, and gathers system information, before setting up a new cron job that checks for command-and-control (C2) server connectivity every five minutes and launching the miner.

"With its continuous exploitation by threat actors, CVE-2023-22527 presents a significant security risk to organizations worldwide," Esmail said.

"To minimize the risks and threats associated with this vulnerability, administrators should update their versions of Confluence Data Center and Confluence Server to the latest available versions as soon as possible."

11/08/2024

Developers, double-check your dependencies!

Researchers have uncovered a malicious Python package, “solana-py,” on PyPI, designed to steal Solana wallet keys.

This deceptive package mimics the legitimate “solana” API and has already been downloaded over 1,100 times, posing a serious threat to developers and end users.

The package injects malicious code into the "__init__.py" script, exfiltrating sensitive information to an external domain.

10/08/2024

Experts Uncover Severe Flaws Leading to RCE, Data Theft, and Full-Service Takeovers

Cybersecurity researchers have discovered multiple critical flaws in Amazon Web Services (AWS) offerings that, if successfully exploited, could result in serious consequences.

"The impact of these vulnerabilities ranges between remote code execution (RCE), full-service user takeover (which might provide powerful administrative access), manipulation of AI modules, exposing sensitive data, data exfiltration and denial of service," cloud security firm Aqua said.

Following responsible disclosure in February 2024, Amazon addressed the shortcomings over several months from March to June. The findings were presented at Black Hat USA 2024.

Central to the issue, dubbed Bucket Monopoly, is an attack vector referred to as Shadow Resource, which, in this case, refers to the automatic creation of an AWS S3 bucket when using services like CloudFormation, Glue, EMR, SageMaker, ServiceCatalog, and CodeStar.

The S3 bucket name created in this manner is both unique and follows a predefined naming convention ("cf-templates-{Hash}-{Region}"). An attacker could take advantage of this behavior to set up buckets in unused AWS regions and wait for a legitimate AWS customer to use one of the susceptible services to gain covert access to the contents of the S3 bucket.

Based on the permissions granted to the adversary-controlled S3 bucket, the approach could be used to escalate to trigger a DoS condition, or execute code, manipulate or steal data, and even gain full control over the victim account without the user's knowledge.

To maximize their chances of success, using Bucket Monopoly, attackers can create unclaimed buckets in advance in all available regions and store malicious code in the bucket. When the targeted organization enables one of the vulnerable services in a new region for the first time, the malicious code will be unknowingly executed, potentially resulting in the creation of an admin user that can grant control to the attackers.

However, it's important to consider that the attacker will have to wait for the victim to deploy a new CloudFormation stack in a new region for the first time to successfully launch the attack. Modifying the CloudFormation template file in the S3 bucket to create a rogue admin user also depends on whether the victim account has permission to manage IAM roles.

Aqua said it found five other AWS services that rely on a similar naming methodology for the S3 buckets – {Service Prefix}-{AWS Account ID}-{Region} – thereby exposing them to Shadow Resource attacks and ultimately permitting a threat actor to escalate privileges and perform malicious actions, including DoS, information disclosure, data manipulation, and arbitrary code execution -

AWS Glue: aws-glue-assets-{Account-ID}-{Region}

AWS Elastic MapReduce (EMR): aws-emr-studio-{Account-ID}-{Region}

AWS SageMaker: sagemaker-{Region}-{Account-ID}

AWS CodeStar: aws-codestar-{Region}-{Account-ID}

AWS Service Catalog: cf-templates-{Hash}-{Region}

The company also noted that AWS account IDs should be considered a secret, contrary to what Amazon states in its documentation, as they could be used to stage similar attacks.

"This attack vector affects not only AWS services but also many open-source projects used by organizations to deploy resources in their AWS environments," Aqua said. "Many open-source projects create S3 buckets automatically as part of their functionality or instruct their users to deploy S3 buckets."

"Instead of using predictable or static identifiers in the bucket name, it is advisable to generate a unique hash or a random identifier for each region and account, incorporating this value into the S3 bucket name. This approach helps protect against attackers claiming your bucket prematurely."
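The naming conventions listed above and Aqua's closing recommendation translate directly into a defensive check. The script below is an added example written for this page, not Aqua's tooling, and it makes no AWS calls: the bucket inventory, account IDs and regions are constructed placeholders, and in practice the (name, owner) pairs would come from your own S3 listing plus a HeadBucket on each expected name. It flags buckets whose names follow one of the predictable conventions, flags names that embed your account ID but are owned by a different account (the pre-claimed case the article describes), and shows how to mint a name with a random suffix and no account ID, as the recommendation suggests.

```python
"""Audit an S3 bucket inventory for Shadow Resource-style predictable names.

Added example for the Bucket Monopoly item; not Aqua's code and makes no AWS calls.
All account IDs, regions and bucket names below are constructed placeholders.
"""
import re
import secrets
from typing import Dict, List, Optional, Tuple

REGION = r"(?P<region>[a-z]{2}(?:-[a-z]+)+-\d)"  # e.g. us-east-1, ap-southeast-2
ACCOUNT = r"(?P<account>\d{12})"                 # AWS account IDs are 12 digits

# The predictable conventions listed in the article, one regex each.
PREDICTABLE_PATTERNS = {
    "CloudFormation / Service Catalog": re.compile(rf"^cf-templates-[0-9a-z]+-{REGION}$"),
    "Glue": re.compile(rf"^aws-glue-assets-{ACCOUNT}-{REGION}$"),
    "EMR Studio": re.compile(rf"^aws-emr-studio-{ACCOUNT}-{REGION}$"),
    "SageMaker": re.compile(rf"^sagemaker-{REGION}-{ACCOUNT}$"),
    "CodeStar": re.compile(rf"^aws-codestar-{REGION}-{ACCOUNT}$"),
}

# Constructed inventory of (bucket name, owning account). The SageMaker entry
# models a name that embeds our account ID but is owned by someone else, i.e. a
# bucket claimed in advance in a region we had not yet used.
OUR_ACCOUNT = "111111111111"
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("cf-templates-1a2b3c4d5e6f7-us-east-1", "111111111111"),
    ("aws-glue-assets-111111111111-eu-west-1", "111111111111"),
    ("sagemaker-us-west-2-111111111111", "222222222222"),
    ("payroll-backups-8f3e9c2a1b7d4e6f", "111111111111"),
]


def classify_bucket_name(name: str) -> Optional[Dict[str, str]]:
    """Return service/region/account if the name follows a predictable convention."""
    for service, pattern in PREDICTABLE_PATTERNS.items():
        m = pattern.match(name)
        if m:
            d = m.groupdict()
            return {"service": service,
                    "region": d.get("region") or "",
                    "account": d.get("account") or ""}
    return None


def audit_inventory(inventory, our_account: str) -> List[Dict[str, str]]:
    """Flag predictable names, and names embedding our account ID but owned elsewhere."""
    findings = []
    for name, owner in inventory:
        info = classify_bucket_name(name)
        if info is None:
            continue  # random or custom name: not guessable by an outsider
        findings.append({"bucket": name, "issue": "predictable-name",
                         "service": info["service"]})
        if info["account"] == our_account and owner != our_account:
            findings.append({"bucket": name, "issue": "owned-by-other-account",
                             "service": info["service"]})
    return findings


def unpredictable_bucket_name(purpose: str, region: str, nbytes: int = 12) -> str:
    """Build a bucket name with a random suffix and no account ID in it."""
    name = f"{purpose}-{region}-{secrets.token_hex(nbytes)}"
    # S3 bucket names: 3-63 chars, lowercase letters, digits, dots and hyphens.
    if not re.fullmatch(r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]", name):
        raise ValueError(f"not a valid S3 bucket name: {name}")
    return name


if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, OUR_ACCOUNT):
        print(f"{f['issue']:24} {f['service']:32} {f['bucket']}")
    print("example hardened name:", unpredictable_bucket_name("myapp-artifacts", "us-east-1"))
```

The random suffix must be stored (for example in your IaC state) since it cannot be recomputed, and the audit should be run per region, including regions the account has never deployed to, because those are exactly the names an outsider can claim first.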

10/08/2024

Warns of Unpatched Office Vulnerability Leading to Data Breaches

Microsoft has disclosed an unpatched zero-day in Office that, if successfully exploited, could result in unauthorized disclosure of sensitive information to malicious actors.

The vulnerability, tracked as CVE-2024-38200 (CVSS score: 7.5), has been described as a spoofing flaw that affects the following versions of Office -

Microsoft Office 2016 for 32-bit and 64-bit editions
Microsoft Office LTSC 2021 for 32-bit and 64-bit editions

"In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability," Microsoft said in an advisory.

"However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file."

A formal patch for CVE-2024-38200 is expected to be shipped on August 13 as part of Microsoft's monthly Patch Tuesday updates, but the tech giant said it identified an alternative fix that it has enabled via Feature Flighting as of July 30, 2024.

It also noted that while customers are already protected on all in-support versions of Microsoft Office and Microsoft 365, it's essential to update to the final version of the patch when it becomes available in a couple of days for optimal protection.

Microsoft, which has tagged the flaw with an "Exploitation Less Likely" assessment, has further outlined three mitigation strategies -

Configuring the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy setting provides the ability to allow, block, or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system.

Add users to the Protected Users Security Group, which prevents the use of NTLM as an authentication mechanism

Block TCP 445/SMB outbound from the network by using a perimeter firewall, a local firewall, and via VPN settings to prevent the sending of NTLM authentication messages to remote file shares.

The disclosure comes as Microsoft said it's working on addressing two zero-day flaws (CVE-2024-38202 and CVE-2024-21302) that could be exploited to "unpatch" up-to-date Windows systems and reintroduce old vulnerabilities.

Earlier this week, Elastic Security Labs lifted the lid on a variety of methods that attackers can avail in order to run malicious apps without triggering Windows Smart App Control and SmartScreen warnings, including a technique called LNK stomping that's been exploited in the wild for over six years.

02/08/2024

"New Windows backdoor BITSLOTH exploits BITS for stealthy communication"

Cybersecurity researchers have discovered a previously undocumented Windows backdoor that leverages a built-in feature called Background Intelligent Transfer Service (BITS) as a command-and-control (C2) mechanism.

The newly identified malware strain has been codenamed BITSLOTH by Elastic Security Labs, which made the discovery on June 25, 2024, in connection with a cyber attack targeting an unspecified Foreign Ministry of a South American government. The activity cluster is being tracked under the moniker REF8747.

"The most current iteration of the backdoor at the time of this publication has 35 handler functions including keylogging and screen capture capabilities," security researchers Seth Goodwin and Daniel Stepanic said. "In addition, BITSLOTH contains many different features for discovery, enumeration, and command-line execution."

30/07/2024

Cybersecurity researchers are warning about a new phishing campaign that targets Microsoft OneDrive users with the aim of executing a malicious PowerShell script.

"This campaign heavily relies on social engineering tactics to deceive users into executing a PowerShell script, thereby compromising their systems," Trellix security researcher Rafael Pena said in a Monday analysis.

The cybersecurity company is tracking the "crafty" phishing and downloader campaign under the name OneDrive Pastejacking.

The attack unfolds via an email containing an HTML file that, when opened, displays an image simulating a OneDrive page and displays an error message that says: "Failed to connect to the 'OneDrive' cloud service. To fix the error, you need to update the DNS cache manually."

The message also comes with two options, namely "How to fix" and "Details," with the latter directing the email recipient to a legitimate Microsoft Learn page on Troubleshooting DNS.

However, clicking "How to fix" prompts the user to follow a series of steps, which includes pressing "Windows Key + X" to open the Quick Link menu, launching the PowerShell terminal, and pasting a Base64-encoded command to supposedly fix the issue.

26/07/2024

⚠️ Cyber Alert: CrowdStrike warns of a new phishing campaign exploiting the Falcon Sensor update mishap.

This sophisticated attack targets German customers with fake installers, aiming to steal sensitive data.

19/07/2024

CrowdStrike's recent update has led to major disruptions for businesses worldwide, causing Windows workstations to crash.

This incident affects businesses across various sectors, from airlines to hospitals, and, as potentially the biggest 'cyber' event of 2024, reveals the delicate balance between security and stability.

The broad impact on various industries shows how interconnected and vulnerable our IT infrastructure is.

12/07/2024
🇺🇸

🚨🚨 Hackers Steal Text and Call Records of ‘Nearly All’ AT&T Customers 🚨🚨

In a major data breach, hackers infiltrated a cloud platform used by AT&T, stealing call and text metadata for nearly all of AT&T's cellular customers from May 2022 to October 2022.

The stolen data includes records from AT&T’s cellular customers, customers of mobile virtual network operators (MVNOs) on AT&T's network, and AT&T landline customers who interacted with cellular numbers during this period.

The breach also impacted a small number of records from January 2, 2023.

While timestamps were not included, the metadata reveals which numbers were called or texted.

The breach was traced to the Snowflake data warehousing tool, previously linked to other high-profile breaches.

11/07/2024

🚨⛔

A new security flaw in PHP (CVE-2024-4577) is being exploited by multiple threat actors to deploy remote access trojans, cryptocurrency miners, and DDoS botnets.

This vulnerability is critical for businesses using PHP as it allows remote execution of malicious commands on Windows systems.

Experts at Akamai highlight the urgency of addressing this flaw due to its high exploitability and quick adoption by attackers.

Have you updated your PHP installations yet?

07/06/2024

🚨 🚨

A leak of 100,000 user records from Facebook (Meta) has been detected on a hacking forum.

According to the post, these data are fresh from 2024 and contain information such as full names, profiles, email addresses, and phone numbers.

The confirmation or denial of these claims has yet to be verified.

Our Story

Since almost every organization in the present world is connected to the Internet in some or the other way, steps must be taken to ensure their networks remain safe and secure, and that's exactly what our mission is about.

Hack Swat is a leading, trusted, widely-acknowledged dedicated cybersecurity news platform, attracting over 100 thousand monthly readers including IT professionals, researchers, hackers, technologists, and enthusiasts.

Hack Swat features latest cyber security news and in-depth coverage of current as well as future trends in Infosec and how they are shaping the cyber world.
