Hasty Briefs - Daily Tech News Brief

Bilingual

Oracle attempt to hide cybersecurity incident from customers?
a year ago
- Oracle is facing a serious cybersecurity incident involving their SaaS services, with evidence suggesting a breach.
- A threat actor named rose87168 claims to have breached Oracle services and provided proof, including internal meeting recordings and configuration files.
- Oracle denies a breach of Oracle Cloud but evidence shows customer data was compromised, including staff email addresses.
- Oracle is attempting to downplay the incident by using specific wording and avoiding written confirmations, only providing verbal updates to customers.
- The incident involves Oracle Classic (formerly Oracle Cloud services), and Oracle is using wordplay to avoid responsibility.
- Multiple Oracle customers have confirmed breaches of their services, with Oracle only acknowledging the issue verbally.
- The threat actor continues to release data and threatens to release more, with some data verified by cybersecurity experts and journalists.
- Oracle has requested the removal of evidence from Archive.org but missed some URLs, leaving traces of the breach.
- The behavior mirrors Oracle's handling of a previous breach at Oracle Health, where details were only shared verbally.
- Additional security issues with Oracle Classic (OCI Gen1) are under investigation.
Unmasking a slow and steady password spray attack
a year ago
- Attackers used a slow and steady password spray attack, targeting 24 users in a week with no more than 2 attempts per user to avoid detection.
- The attack was identified by analyzing tenant-wide activity rather than individual user timelines, revealing patterns across multiple users.
- Attackers used IPs from the range 2001:0470:c8e0::/48 to evade detection, hiding in plain sight within data center traffic.
- The key takeaway is the importance of examining tenant-wide activity logs creatively to uncover hidden attack patterns.
Apple Patches Older iPhones Against 'Sophisticated' Hacker Attacks
a year ago
- Apple releases updates addressing over 60 security flaws across its product lineup, including iOS, macOS, and Apple TV.
- Critical security fixes are backported to older devices like iPhone 6, 7, 8, X, and older iPads.
- Two vulnerabilities (CVE-2025-24200 and CVE-2025-24201) have been exploited in sophisticated attacks targeting specific individuals.
- CVE-2025-24200 bypasses USB Restricted Mode, allowing physical attacks on locked devices.
- CVE-2025-24201 is a WebKit flaw enabling malicious web content to compromise devices.
- A third vulnerability (CVE-2025-24085) in CoreMedia affects older iPads running iOS 17.
- Apple advises users to update to the latest software versions for enhanced security.
- Sophisticated attacks often involve spyware, targeting high-risk individuals like activists and journalists.
- Recommended updates include iOS 18.4, iPadOS 17.7.6, macOS Sequoia 15.4, and others.
- Users should enable Lockdown Mode if they suspect targeted attacks.
Furry hackers who leaked Heritage Foundation data feared raided by feds
a year ago
- Former SiegedSec leader 'vio' may have been arrested in a raid by law enforcement.
- Ex-member @mewmrrpmeow confirmed the raid, stating vio is no longer accessible.
- Journalist Ryan Fae vouched for the source but couldn't independently verify the claims.
- Hacker maia arson crimew also confirmed @mewmrrpmeow's ties to SiegedSec.
- SiegedSec disbanded in July 2023 after hacking The Heritage Foundation, linked to Project 2025.
- The group cited mental health, stress, and FBI scrutiny as reasons for disbanding.
- SiegedSec targeted NATO, Israeli companies, and anti-transgender religious organizations.
- The FBI declined to comment on the rumored raid.
Over 200M Records Allegedly Belonging to X Leaked Online
a year ago
- SafetyDetectives’ Cybersecurity Team found a forum post with a .CSV file allegedly containing over 200 million X (formerly Twitter) user records.
- The data was posted on a clear web forum known for database leaks, cracks, and downloads.
- The leak includes 201,186,753 entries with user details like ID, screen name, email, location, and more.
- The data was verified to match public Twitter profiles, though email ownership couldn't be confirmed.
- Risks include phishing, targeted scams, and social engineering attacks due to exposed personal information.
- Affected users are advised to be cautious of phishing, update privacy settings, and report suspicious activity.
- Clearweb leaks are a common way hackers share breach data, often behind paywalls or for free access.
- SafetyDetectives aims to inform users early to help them protect their data proactively.
The North Korea worker problem is bigger than you think
a year ago
- North Korean nationals have infiltrated businesses globally with deep-rooted access.
- They gain full-time employment with high-level access to enterprise systems.
- DTEX estimates thousands of critical infrastructure organizations have been infiltrated.
- North Korean operatives have privileged-access rights, enabling them to control systems.
- The scheme extends beyond IT, involving specialized professionals working under false pretenses.
- Insider threats linked to North Korea have surged, with multiple cases reported.
- Organizations often unknowingly hire multiple North Korean nationals.
- Once hired, they quickly infiltrate further, often pivoting to third-party networks.
- North Korean workers use remote access tools, blending in with typical onboarding activities.
- They perform their jobs exceptionally well, sometimes better than others.
- Their activity is anomalous, with impossibly long login times indicating shared access.
- North Korean workers generate hundreds of millions for the regime.
- Potential follow-on activities include espionage, extortion, and disruptive attacks.
- Identifying insider threats is challenging but not impossible.
- HR and recruiters are the first line of defense against such threats.
Breach of X allegedly leaks over 200M users' email addresses
a year ago
- Significant data breach at Elon Musk's X (formerly Twitter) discovered by SafetyDetectives.
- 34 GB .CVS file containing over 201 million entries of user data, including metadata and email addresses.
- Data verified as accurate by SafetyDetectives.
- Breach allegedly affects over 200 million users, with potential impact on 2.8 billion accounts.
- Earlier 2023 breach involved 209 million users, including email addresses.
- Combined data from both breaches could enable phishing and social engineering attacks.
- X has not acknowledged the 2025 leak.
- X recently sold to Musk's AI company, xAI.
Someone is trying to recruit security researchers in a bizarre hacking campaign
a year ago
- A mysterious job offer is being made to cybersecurity professionals, offering up to $100,000 a month to hack Chinese websites.
- The recruiter, known as 'Jack', uses fake accounts with attractive female avatars and directs targets to a Telegram channel.
- Jack's goal is to obtain webshells from Chinese domains to control hacked web servers, emphasizing the need for understanding China's CMS and finding vulnerabilities.
- When questioned, Jack claims the operation is for 'China’s traffic' and initially states it's for the Indian government, later blaming a translation error.
- Cybersecurity experts are puzzled by the campaign, with some suggesting it might be a troll or an attempt to spread malware within China.
- The Grugq, a cybersecurity expert, notes the campaign's persistence and bizarreness, unable to discern a clear motive behind the operation.
Hacking the call records of millions of Americans
a year ago
- A security vulnerability in the Verizon Call Filter iOS app allowed unauthorized access to call history logs of Verizon Wireless customers.
- The vulnerability enabled attackers to retrieve call logs for any Verizon number by modifying the phone number in the request, bypassing authentication checks.
- Call metadata, including timestamps and incoming call details, could be exploited for surveillance, posing risks to privacy and safety, especially for vulnerable individuals.
- The issue stemmed from a lack of server-side validation between the phone number in the request header and the authenticated user's JWT token.
- The vulnerable endpoint, hosted on a domain linked to Cequint, a telecom technology company, raised concerns about data security and access controls.
- Verizon responded promptly, acknowledging the report and resolving the issue within a month of discovery.
Emulating an iPhone in QEMU
a year ago
- eShard provides a powerful and collaborative platform for managing attack workflows, including expertise modules, infrastructure integration, and lab equipment management.
- The platform supports various attack techniques such as Side Channel Attacks, Fault Injection Attacks, and Photoemission Analysis, along with evaluation labs and starter kits for hands-on training.
- eShard also offers esReverse for static, dynamic, and stress testing, with extensions for Intel x86/x64 and ARM 32/64 binaries, penetration testing, vulnerability research, and digital forensics.
- The team explored iOS emulation using open-source solutions like alephsecurity/xnu-qemu-arm64 and TrungNguyen1909/qemu-t8030, aiming for a functional iOS emulator with UI and app execution capabilities.
- PongoOS and checkra1n patches were utilized to modify the iOS kernel, with efforts to make patching more declarative and manageable through diff tools and patch file generation.
- Challenges with graphical rendering led to experiments with software rendering and Metal API proxying, ultimately opting for software rendering due to complexity.
- Debugging efforts included setting up framebuffer devices, disabling address randomization for kernel and userland debugging, and system log access through modified lockdownd.
- Pointer authentication (PAC) issues were addressed by disabling PAC enforcement in QEMU, requiring a port to QEMU 8.2.1 for compatibility.
- Further debugging revealed issues with backboardd and graphical plane writing, leading to modifications in the DTB to simulate an iPhone X (t8015) for successful display output.
- Patching userspace and dyld cache was streamlined with tools to handle large binaries efficiently, enabling frequent modifications and testing.
- Experiments with PreBoard and VNC server integration allowed partial UI functionality, though AMX instruction emulation issues required patching vImage framework for software alternatives.
- The project concluded with readiness for SpringBoard display, pending further adjustments to resolve remaining UI issues.
Google announces Sec-Gemini v1 a new experimental cybersecurity model
a year ago
- Announcement of Sec-Gemini v1, an experimental AI model focused on cybersecurity.
- Addresses the asymmetry in cybersecurity by empowering defenders with AI.
- Combines Gemini's capabilities with real-time cybersecurity knowledge for superior performance.
- Outperforms other models on key benchmarks like CTI-MCQ and CTI-Root Cause Mapping.
- Integrates with Google Threat Intelligence (GTI) and OSV for comprehensive threat analysis.
- Provides detailed answers on cybersecurity threats, like identifying Salt Typhoon as a threat actor.
- Offers early access to select organizations for research collaboration.
NSA warns "fast flux" threatens national security
a year ago
- Fast flux is a technique used by hostile nation-states and ransomware groups to hide their operations.
- It cycles through IP addresses and domain names, making it hard to trace the true origin of the infrastructure.
- The technique provides redundancy, allowing new addresses to be assigned quickly if one is blocked.
- Fast flux is a significant threat to national security, enabling cybercriminals and nation-state actors to evade detection.
- Wildcard DNS records are a key means for achieving fast flux, mapping non-existent subdomains to attacker IPs.
Practical Binary Analysis
a year ago
- Practical Binary Analysis covers major binary analysis topics including binary formats, disassembly, and advanced techniques like binary instrumentation and symbolic execution.
- Available in multiple languages: Polish, Korean, Japanese, and Chinese (Mandarin).
- Includes a virtual machine with all examples and software; username and password are 'binary'.
- Important to update the VM using a specific command to fix errata; avoid updating the OS or software packages manually.
- Code samples can be run on platforms other than the VM, but some tools like libdft are not compatible with Windows.
- Triton and libdft depend on older Pin versions, making them challenging to run on modern Linux distros.
- Downloads include virtual machine, code samples, patches, and sample chapters.
- Errata can be reported to No Starch Press or the author.
- Community contributions include CTF walkthroughs, exercise solutions, and custom tools.
- Contact the author via email or PGP key for questions or comments.
ChatGPT-4o used to create a replica of his passport in just 5 mins bypassing KYC
a year ago
- Polish researcher Borys Musielak created a fake passport using ChatGPT-4o in just five minutes.
- The fake passport is realistic enough to bypass automated KYC checks used by platforms like Revolut and Binance.
- Musielak warns that photo-based KYC is now obsolete due to the ease of generating fake IDs with AI.
- The demonstration highlights vulnerabilities in current ID verification systems that rely on static images or videos.
- Experts recommend upgrading to NFC-based verification and eIDs for more secure authentication.
- ChatGPT-4o started rejecting similar prompts shortly after Musielak's demonstration, citing safety policies.
- Musielak advocates for digitally verified identities, such as eID wallets, to enhance security and compliance.
Remote Access Backdoor Discovered in Chinese Robot Dog Unitree Go1
a year ago
- Security researchers found a pre-installed remote access tunnel in Unitree Go1 robot dogs, allowing full remote control.
- The backdoor was discovered by Andreas Makris and Kevin Finisterre, who reverse-engineered the firmware.
- The tunnel connects to CloudSail, a Chinese remote access platform, enabling unauthorized access to devices.
- Researchers could list connected devices, access web interfaces, use cameras, and log in via SSH with default credentials.
- 1,919 unique Unitree Go1 units were found connected to CloudSail, including devices at MIT, Princeton, and other institutions.
- The tunnel auto-starts on boot and appears deliberately integrated, raising concerns about supply chain trust.
- Recommendations include isolating devices, rotating SSH credentials, and disabling the csclient tunnel service.
Leaked messages expose trade secrets of prolific Black Basta ransomware group
a year ago
- 190,000 chat messages from the Black Basta ransomware group were leaked, revealing a highly structured organization with specialized roles.
- The leak was first posted on MEGA, then Telegram, by an unknown persona named ExploitWhispers.
- Messages spanned from September 2023 to September 2024, with commentary provided by ExploitWhispers.
- The leak coincided with the unexplained outage of Black Basta's dark web site.
- Trustwave’s SpiderLabs analyzed the Russian-language messages, highlighting internal workflows and team dynamics.
- Black Basta's tactics included social engineering, such as posing as IT administrators to exploit employees.
- The leak offers cybersecurity professionals insights into ransomware operations, similar to the Conti leaks.
Microsoft fixes 124 flaws, including one under active exploitation
a year ago
- Microsoft released 124 security fixes in its latest Patch Tuesday update.
- One vulnerability (CVE-2025-29824) is under active exploitation, affecting Windows Common Log File System.
- The exploited flaw has a CVSS score of 7.8 and was used by the Storm-2460 group to deploy ransomware.
- 11 vulnerabilities were marked as 'Critical,' with others affecting Office and Excel.
- Experts warn that lower-severity flaws can be chained for system takeovers.
- The Patch Tuesday update may trigger additional exploit attempts ('Exploit Wednesday').
- Affected sectors include IT, real estate (U.S.), finance (Venezuela), software (Spain), and retail (Saudi Arabia).
- Security researchers emphasize the risks of combining exploits with social engineering attacks.
Court document reveals locations of WhatsApp victims targeted by NSO spyware
a year ago
- NSO Group's Pegasus spyware targeted 1,223 WhatsApp users across 51 countries in 2019.
- Victims included over 100 human rights activists, journalists, and civil society members.
- Mexico had the highest number of victims (456), followed by India (100) and Bahrain (82).
- Western countries like Spain, the Netherlands, and the UK also had victims.
- The hacking campaign lasted only two months (April-May 2019).
- NSO Group's government customers may have spent millions on spyware licenses.
- WhatsApp's lawsuit revealed NSO Group disconnected 10 abusive government customers.
- A one-year license for NSO's WhatsApp hacking tool cost up to $6.8 million.
- NSO Group made at least $31 million in revenue in 2019 from spyware sales.
- A judge ruled NSO Group violated U.S. hacking laws; damages hearing pending.
Trump signs order targeting former CISA head Chris Krebs
a year ago
- President Donald Trump signed an executive order targeting former CISA head Chris Krebs.
- Krebs contradicted Trump's baseless claims about the 2020 election being rigged.
- The order mandates the DOJ to investigate Krebs and revoke his security clearance.
- Krebs had stated the 2020 election was 'the most secure in American history'.
- The order also suspends security clearances for individuals associated with Krebs, including at SentinelOne.
- The investigation will review CISA's activities over the past six years for alleged censorship.
- Critics argue the order is politically motivated and distracts from economic issues.
- CISA has faced GOP criticism for combating misinformation related to elections and COVID-19.
- The order claims Krebs 'weaponized' his authority and suppressed conservative viewpoints.
- Trump also accused Krebs of hiding controversies around Hunter Biden's laptop.
China-Based SMS Phishing Triad Pivots to Banks
a year ago
- China-based 'Smishing Triad' groups are successfully converting phished payment card data into Apple and Google mobile wallets.
- These groups initially impersonated toll road operators and shipping companies but now target customers of international financial institutions.
- Victims receive spoofed messages asking for payment card details, followed by a request for a one-time SMS code to 'verify' the transaction.
- The one-time code is actually used by fraudsters to enroll the victim's card into a mobile wallet controlled by the phishers.
- Phishing gangs load multiple stolen wallets onto a single device and sell these phones in bulk for fraudulent transactions.
- The 'Smishing Triad' operates via iMessage and RCS, bypassing traditional SMS and achieving near 100% delivery rates.
- Groups like Darcula, Lighthouse, and Xinxin Group are part of this loosely federated phishing-as-a-service operation.
- Chinese-speaking threat actors are introducing scalable, cost-effective systems to target larger user bases globally.
- The Smishing Triad now spoofs brands across 121 countries and various industries, using around 25,000 active phishing domains hosted mainly in China.
- SilentPush estimates over a million visits to these phishing pages within 20 days, with a 5% average success rate for some campaigns.
- The groups employ '300+ front desk staff' to support fraud operations and maintain Telegram channels showcasing their activities.
- Cash-out schemes include NFC apps like Z-NFC, which relay transactions from compromised wallets to payment terminals worldwide.
- Prodaft found backend panels indicating high victim interaction rates, with some domains capturing 30 credit cards in a week.
- Phishing messages are sent via Android emulators, exploiting gaps in sender ID validation on iMessage and RCS platforms.
- Financial institutions' reliance on SMS-based one-time codes for wallet enrollment remains a key vulnerability exploited by these groups.

Hasty Briefsbeta

#cybersecurity

Oracle attempt to hide cybersecurity incident from customers?

Unmasking a slow and steady password spray attack

Apple Patches Older iPhones Against 'Sophisticated' Hacker Attacks

Furry hackers who leaked Heritage Foundation data feared raided by feds

Over 200M Records Allegedly Belonging to X Leaked Online

The North Korea worker problem is bigger than you think

Breach of X allegedly leaks over 200M users' email addresses

Someone is trying to recruit security researchers in a bizarre hacking campaign

Hacking the call records of millions of Americans

Emulating an iPhone in QEMU

Google announces Sec-Gemini v1 a new experimental cybersecurity model

NSA warns "fast flux" threatens national security

Practical Binary Analysis

ChatGPT-4o used to create a replica of his passport in just 5 mins bypassing KYC

Remote Access Backdoor Discovered in Chinese Robot Dog Unitree Go1

Leaked messages expose trade secrets of prolific Black Basta ransomware group

Microsoft fixes 124 flaws, including one under active exploitation

Court document reveals locations of WhatsApp victims targeted by NSO spyware

Trump signs order targeting former CISA head Chris Krebs

China-Based SMS Phishing Triad Pivots to Banks