Hasty Briefsbeta

All tags

#cybersecurity

651 stories total

Bilingual

After $380M hack, Clorox sues its "service desk" vendor for simply giving passwd
9 months ago
- Hackers bypassed security by calling IT service desk for password and MFA resets without identity verification.
- The breach led to ransomware or data exfiltration, causing an estimated $380 million in damage.
- Clorox outsourced IT security to Cognizant, which allegedly failed to follow basic security procedures.
- Cognizant's service desk handed over network credentials without authentication, as per the lawsuit.
- The lawsuit claims Cognizant employees were inadequately trained, leading to the security lapse.
Google spoofed via DKIM replay attack: A technical breakdown
9 months ago
- A friend received a convincing phishing email claiming to be from Google about a subpoena.
- The email appeared legitimate with no typos, odd links, and a genuine-looking sender domain.
- Investigation revealed the email was a DKIM replay attack, where a legitimate Google email was reused.
- The attacker used Google Sites to mimic an official Google support page, exploiting trust in Google's domain.
- The phishing email passed SPF, DKIM, and DMARC checks, making it appear authentic.
- Attackers manipulated Google OAuth app names to include phishing content in legitimate Google emails.
- Google has since fixed the issue by restricting app name content to prevent such attacks.
- Users are advised to avoid clicking on suspicious links and report such emails to security teams.
- DKIM replay attacks are hard to detect as they reuse valid signatures from legitimate emails.
- Security measures include rotating DKIM keys frequently and raising user awareness about phishing tactics.
How We Rooted Copilot
9 months ago
- Microsoft updated Copilot Enterprise in April 2025 with a live Python sandbox running Jupyter Notebook.
- The sandbox can execute Linux commands as the 'ubuntu' user in a miniconda environment, with the user in the sudo group but no sudo binary present.
- The sandbox uses Python 3.12 and a newer kernel version compared to ChatGPT's sandbox.
- Main functionalities include running Jupyter Notebooks and a Tika server.
- The container has a link-local network interface and uses an OverlayFS filesystem from a host system path.
- Custom scripts are located in the /app directory, including goclientapp and httpproxy binaries.
- A vulnerability was found in the entrypoint.sh script where pgrep is executed without a full path, allowing potential privilege escalation.
- Exploiting the vulnerability grants root access but offers no significant advantage due to container restrictions.
- Microsoft fixed the vulnerability, classifying it as moderate severity with no bounty awarded.
- A talk at BlackHat USA 2025 will detail further access to Microsoft's Responsible AI Operations control panel.
Microsoft to stop using China-based teams to support Department of Defense
9 months ago
- Microsoft will no longer use China-based engineering teams for Defense Department’s cloud computing systems due to cybersecurity risks.
- Microsoft has also used China-based personnel to maintain cloud systems for other federal departments like Justice, Treasury, and Commerce.
- The Government Community Cloud (GCC) handles sensitive but unclassified information, approved by FedRAMP for 'moderate' impact data.
- Cybersecurity experts warn that foreign support for GCC could enable spying and sabotage, even with unclassified data.
- China is deemed the 'most active and persistent cyber threat' to U.S. networks by the Office of the Director of National Intelligence.
- Microsoft plans to discontinue China-based support for GCC and will conduct a review for additional security measures.
- Other cloud providers like AWS, Google, and Oracle do not use China-based support for U.S. federal contracts.
- Microsoft’s use of digital escorts for oversight has been criticized for lacking advanced technical expertise to police foreign engineers.
- The revelations have sparked concerns in Washington about national security and Microsoft’s cybersecurity practices.
Allianz Life says 'majority' of customers' personal data stolen in cyberattack
9 months ago
- Allianz Life, a U.S. insurance giant, suffered a data breach in mid-July 2025.
- Hackers accessed a third-party, cloud-based CRM system using social engineering techniques.
- Personally identifiable data of the majority of Allianz Life's customers, financial professionals, and select employees was stolen.
- Allianz Life has 1.4 million customers; its parent company, Allianz, serves over 125 million worldwide.
- The breach was disclosed in a filing with Maine’s attorney general, but the exact number of affected individuals was not immediately provided.
- Allianz Life notified the FBI and found no evidence of further network compromise.
- The company did not confirm any communication from hackers or attribute the breach to a specific group.
- This incident is part of a wave of breaches targeting the insurance industry, including Aflac.
- Security researchers attribute similar intrusions to Scattered Spider, known for social engineering attacks.
- Scattered Spider has previously targeted the U.K. retail, aviation, transportation, and Silicon Valley tech sectors.
- Allianz plans to notify affected individuals by August 1, 2025.
Microsoft's Global Operation to Disrupt Lumma Stealer's 2.3k Malware Network
9 months ago
- Microsoft's Digital Crimes Unit (DCU) led a global operation to disrupt Lumma Stealer, a major infostealer malware network.
- The operation involved seizing 2,300 domains and protecting nearly 400,000 victims.
- Legal tools like RICO and trespass laws, along with global partnerships (Europol, Japan, private companies), were key to the takedown.
- The DCU is shifting toward persistent, cost-imposing disruption of cybercrime-as-a-service models.
- The episode discusses how stolen victim data is handled during takedowns and the future of DCU operations.
The Rise of Vibeinsecurity
9 months ago
- HackAIcon event in Lisbon on September 25, 2025, discussing AI hacking and security.
- By 2035, widespread 'vibecoding' allows anyone to build apps, leading to job losses for developers.
- Increase in hacked apps due to rushed development and lack of security measures.
- Emergence of 'Vibe Hackers' exploiting vulnerabilities at scale using AI.
- Privacy erosion as personal data becomes easily accessible due to insecure apps.
Hackers Hit a Major US Insurance Firm Exposing Details of Nearly 1.4M Customers
9 months ago
- Allianz Life, a U.S.-based insurance company, suffered a data breach affecting 1.4 million customers, financial professionals, and employees.
- The breach involved social engineering tactics, with no evidence of network or system compromise.
- The attack was traced to the ShinyHunters extortion group, known for exploiting cloud and software vulnerabilities.
- ShinyHunters uses impersonation tactics, such as posing as IT support, to gain access to systems like Salesforce data loaders.
- Allianz Life did not confirm if their compromised CRM was Salesforce-based, only stating it was a third-party, cloud-based system.
- Recent large-scale attacks, including one on an airline and a 158-year-old company, highlight the urgent need for stronger security measures.
Project Zero – Policy and Disclosure: 2025 Edition
9 months ago
- Google Project Zero updates its vulnerability disclosure policy to '90+30' model in 2021 to drive faster patch development and improve adoption.
- Identifies 'patch gap' and 'upstream patch gap' as critical delays in the vulnerability lifecycle, affecting end-user security.
- Announces a new trial policy called 'Reporting Transparency' to increase early disclosure of vulnerabilities to upstream vendors.
- Within one week of reporting, Project Zero will publicly share details like the vendor, affected product, and report deadlines.
- Aims to shrink the upstream patch gap by improving transparency and communication between upstream vendors and downstream dependents.
- Assures that no technical details aiding attackers will be disclosed early, focusing on alerts rather than blueprints.
- The policy is a trial, with monitoring to assess its impact on creating a safer ecosystem with timely vulnerability remediation.
The Convenience Trap: Why Seamless Banking Access Can Turn 2FA into 1FA
9 months ago
- Multi-factor authentication (MFA) is essential for digital security, requiring distinct types of evidence (something you know, have, or are).
- Many authentication methods collapse onto a single device (smartphone), undermining MFA's security by turning it into single-factor authentication (1FA).
- Common authentication methods include mobile-only banking apps with phone biometrics, SMS-based tokens, authenticator apps (with/without user interaction), separate hardware devices, and passkeys.
- Mobile-only banking apps with phone biometrics are convenient but not true 2FA, as both factors (device and biometrics) can be compromised by a single passcode.
- SMS-based tokens are insecure due to vulnerabilities like SIM swapping and notification mirroring, making them a poor choice for authentication.
- Authenticator apps with additional user interaction (e.g., biometric verification or QR code scanning) improve security by requiring active engagement.
- Separate hardware devices or code lists provide robust security by creating a physical separation of factors, though they are less common now.
- Passkeys, especially when bound to physical security keys, offer excellent protection against phishing, device theft, and malware.
- Recommendations for secure authentication include using hardware-bound passkeys, separate hardware authenticators, or a dedicated 'banking phone'.
- Smartphones have become a single point of failure, and financial institutions should prioritize secure defaults for users.
Defending against account takeovers with passkeys and DBSC
9 months ago
- Attackers are intensifying phishing and credential theft methods, driving 37% of successful intrusions.
- Cookie and authentication token theft has risen by 84% in 2024 compared to the previous year.
- Google Workspace introduces three security enhancements: passkey support, Device Bound Session Credentials (DBSC), and a shared signals framework (SSF) receiver.
- Passkeys offer phishing resistance, ease of use, and strong security, being 40% faster than passwords.
- DBSC enhances post-authentication protection by binding session cookies to the originating device.
- The Shared Signals Framework (SSF) enables real-time security signal exchange to detect and respond to threats.
- Google recommends enabling passkeys and DBSC to prevent account takeovers from phishing and infostealers.
Palo Alto Networks closing on over $20B acquisition of CyberArk
9 months ago
- Palo Alto Networks is in advanced negotiations to acquire CyberArk for over $20 billion.
- CyberArk's stock surged by 13% post-announcement, while Palo Alto's stock declined by 3%.
- This would be the largest cybersecurity acquisition since Google's $32 billion purchase of Wiz.
- Palo Alto had previously considered acquiring SentinelOne, but those talks are likely to end.
- CyberArk has been active in acquisitions, including Venafi ($1.5B) and Zilla ($165M), driving its revenue past $1B in 2024.
- The deal may be announced later this week, marking Palo Alto's largest acquisition to date.
- Palo Alto aims to enter the identity management market, which has gained urgency due to AI and high-profile breaches.
- CyberArk's main competitor, Okta, has declined, strengthening CyberArk's market position.
Code Execution Through Deception: Gemini AI CLI Hijack
9 months ago
- Tracebit discovered a vulnerability in Gemini CLI leading to silent execution of malicious commands via prompt injection and improper validation.
- The attack involves hiding malicious instructions in files like README.md, leveraging the GNU Public Licence to obscure the injection.
- Gemini CLI's command whitelisting feature was exploited to execute malicious commands without user approval after initially whitelisting an innocuous command.
- The attack could exfiltrate sensitive data, such as environment variables, to a remote server without the user's knowledge.
- Google fixed the vulnerability in Gemini CLI v0.1.14, making malicious commands visible to users and requiring explicit approval for execution.
- Tracebit recommends upgrading Gemini CLI, using sandboxing modes, and being cautious when exploring untrusted code with AI tools.
British 999 call handler's voice cloned by Russian network using AI
9 months ago
- A BBC Verify investigation uncovered AI voice cloning by a Russian-linked disinformation campaign.
- The identities of British public sector workers, including a 999 call handler, were cloned.
- A fake video using the cloned voice spread fear ahead of Poland's presidential election.
- The emergency medical adviser from Preston was shocked to discover his voice had been faked.
In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network
9 months ago
- Hackers used a Raspberry Pi with a 4G modem to infiltrate a bank's network and target its ATM system.
- The attack bypassed perimeter defenses using a novel Linux bind mount technique to hide malware.
- The goal was to compromise the ATM switching server and manipulate the bank’s hardware security module.
- The group behind the attack, UNC2891, is financially motivated and has targeted banks since at least 2017.
- UNC2891 is known for using custom malware against Linux, Unix, and Oracle Solaris systems.
- In 2022, Mandiant observed UNC2891 operating undetected for years, using malware like CakeTap, SlapStick, and TinyShell.
- Group-IB's report confirms UNC2891 remains active, employing advanced methods to evade detection in bank networks.
Senate legislation would direct agencies to fortify against quantum threats
9 months ago
- Bipartisan senators introduce the National Quantum Cybersecurity Migration Strategy Act to address quantum computing cyber threats.
- The bill directs the White House to develop a strategy for quantum-safe encryption and requires federal agencies to start pilot programs.
- Quantum computers could bypass modern encryption, posing risks to national security and personal data.
- The legislation builds on previous quantum computing laws focused on research and post-quantum cryptography.
- The strategy will define standards for quantum computers and assess the need for post-quantum cryptography migration.
- A pilot program will require critical infrastructure sectors to upgrade systems to post-quantum cryptography by 2027.
- Experts warn that stolen data could be decrypted later, urging immediate action on quantum-proof protections.
- Concerns about falling behind China in quantum computing advancements are driving legislative efforts.
PyPI Phishing Attack: Incident Report
9 months ago
- Phishing attack targeted PyPI users via email, with a phishing domain mimicking PyPI.org.
- 4 user accounts were compromised, 2 API tokens generated by attackers, and 2 malicious releases uploaded to the 'num2words' project.
- Attackers used a forward proxy setup to mimic PyPI.org, exploiting minor URL differences (e.g., 'pypj.org' vs. 'pypi.org').
- Two-factor authentication (2FA) could mitigate such attacks, but attackers could bypass it by intercepting session cookies or TOTP codes.
- The phishing domain was eventually taken down after reports to the registrar and CDN provider, though initial responses were slow.
- Impact included malware distribution via compromised PyPI packages, with quick removal by the project owner.
- Recommendations include enabling 2FA, using WebAuthn for stronger security, and removing dormant PyPI accounts.
- The PSF is exploring acquiring similar domain names to prevent future phishing attacks.
- Indicators of compromise (IoCs) include phishing domains, IP addresses, and malicious package versions.
Understanding the Complete Identity Management Ecosystem
9 months ago
- Identity management has evolved from simple password systems to a complex ecosystem of specialized tools.
- The guide categorizes identity management into various segments including IAM, CIAM, PAM, and emerging technologies like AI agent identity.
- Traditional IAM focuses on workforce identity, managing employee access and permissions.
- CIAM (Customer Identity and Access Management) handles external users, offering scalable solutions for customer registration and login.
- Privileged Access Management (PAM) secures high-risk accounts like system administrators with additional security layers.
- Identity Governance and Administration (IGA) ensures compliance by managing and reviewing user access rights.
- Authentication methods include Multi-Factor Authentication (MFA), passwordless systems, and adaptive authentication based on risk.
- Machine Identity Management addresses non-human entities like applications and services, which often outnumber human identities.
- Access control methods include Role-Based (RBAC), Attribute-Based (ABAC), and Policy-Based Access Control (PBAC).
- Specialized solutions exist for industries like healthcare, financial services, and government, each with unique requirements.
- Emerging trends include decentralized identity, quantum-safe identity, and the integration of AI in identity management.
- Choosing the right identity solutions depends on organizational needs, compliance requirements, and risk tolerance.
- Future trends emphasize AI integration, Zero Trust models, cloud-first approaches, and enhanced user experience and privacy.
Proton Authenticator – secure 2FA, your way
9 months ago
- Secure passwords alone are insufficient for online security; two-factor authentication (2FA) is essential.
- Proton introduces Proton Authenticator, a free, open-source 2FA app with strong encryption and cross-device compatibility.
- Proton Authenticator offers features like offline access, end-to-end encrypted sync, automatic backups, and easy import/export of 2FA tokens.
- Unlike SMS-based 2FA, authenticator apps like Proton Authenticator are more secure against sim swapping attacks.
- Proton Authenticator is compared favorably against other 2FA apps for its flexibility, security, and privacy features.
- Users can choose between Proton Pass for convenience or Proton Authenticator for advanced security based on their needs.
- Proton's suite of privacy-focused tools, including Proton Authenticator, is built on trust and a commitment to digital rights.
- Feedback from the community is encouraged to improve Proton Authenticator.
How did Facebook intercept competitor's encrypted mobile app traffic? (2014)
9 months ago
- Facebook intercepted encrypted traffic from competitor apps using a MITM technique called 'ssl bump' via the Onavo Protect app.
- The Onavo Protect app prompted users to install a Facebook Research CA certificate to decrypt TLS traffic, targeting domains like Snapchat, YouTube, and Amazon.
- Android security improvements over time, such as stricter CA certificate trust policies and certificate pinning, reduced the effectiveness of Facebook's interception method.
- Facebook considered using Android's Accessibility API as an alternative method to bypass security controls, raising ethical concerns.
- The practice was part of Facebook's strategy to gain competitive insights, leading to legal scrutiny and a $20M fine in Australia.
- Technical analysis revealed the Onavo app collected extensive user data, including app usage statistics and sensitive information like IMSI numbers.
- The lawsuit and technical findings highlight the lengths companies may go to exploit mobile permissions for competitive advantage.

first prev12next

About|Login

#cybersecurity

After $380M hack, Clorox sues its "service desk" vendor for simply giving passwd

Google spoofed via DKIM replay attack: A technical breakdown

How We Rooted Copilot

Microsoft to stop using China-based teams to support Department of Defense

Allianz Life says 'majority' of customers' personal data stolen in cyberattack

Microsoft's Global Operation to Disrupt Lumma Stealer's 2.3k Malware Network

The Rise of Vibeinsecurity

Hackers Hit a Major US Insurance Firm Exposing Details of Nearly 1.4M Customers

Project Zero – Policy and Disclosure: 2025 Edition

The Convenience Trap: Why Seamless Banking Access Can Turn 2FA into 1FA

Defending against account takeovers with passkeys and DBSC

Palo Alto Networks closing on over $20B acquisition of CyberArk

Code Execution Through Deception: Gemini AI CLI Hijack

British 999 call handler's voice cloned by Russian network using AI

In search of riches, hackers plant 4G-enabled Raspberry Pi in bank network

Senate legislation would direct agencies to fortify against quantum threats

PyPI Phishing Attack: Incident Report

Understanding the Complete Identity Management Ecosystem

Proton Authenticator – secure 2FA, your way

How did Facebook intercept competitor's encrypted mobile app traffic? (2014)