CyberSecNews Weekly - 0x01-W4321
Intro
CyberSecNews Weekly is a newsletter to share news and other interesting articles that I found online.
This is the first issue, so it's still a work in progress and it is going to improve in the future.
News
New York Times Journalist Ben Hubbard Hacked with Pegasus after Reporting on Previous Hacking Attempts
A forensic analysis of two iPhones belonging to NYT journalist Ben Hubbard found evidence of Pegasus infections in July 2020 and June 2021. Notably, these infections occurred after Hubbard reported in January 2020 that we found that he was targeted in 2018 by the Saudi Arabia-linked Pegasus operator.
Microsoft Digital Defense Report shares new insights on nation-state attacks
A new report from MS about targets and methods used by today’s nation-state threat actors, and how your organization can create a more secure environment.
Green Pass keys were (probably) leaked
In the last few days, it seems that some keys used for signing Green Pass (probably in Poland and France) were leaked through a mistaken GitHub commit. This is just a reminder that you must be careful when you push your code to GitHub. Why don't they use an HSM to keep such important keys safe?
Tools
Rices/Phishious
An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers.
MrH0wl/Cloudmare: Cloudflare, Sucuri, Incapsula real IP tracker.
Cloudflare, Sucuri, Incapsula real IP tracker.
Exploiting Request forgery on Mobile Applications.
Request forgery is an old topic in the application security arena. But this is a new way to exploit it in a mobile scenario.
Articles
Windows Exploitation Tricks: Relaying DCOM Authentication
Posted by James Forshaw, Project Zero. In my previous blog post I discussed the possibility of relaying Kerberos authentication from a...
CORS and Its Misconfigurations
Before understanding CORS, we need to know about SOP (Same Origin Policy). SOP is built as a security mechanism to safeguard web…
Tutorials
A Primer for Testing the Security of GraphQL APIs
GraphQL is a technology that is ramping up. Let's learn how to test the security of a GraphQL API.
Kernel Karnage
An interesting guide to the Windows kernel API from a security perspective.
Weaponizing a NFC reader for basic timing attacks
Hardware hacking is always fun.
stong/how-to-exploit-a-double-free: How to exploit a double free vulnerability in 2021. 'Use-After-Free for Dummies'
How to exploit a double free vulnerability in 2021.
Ultimate Guide To Android SSL Pinning Bypass
The Ultimate Guide to Android SSL Pinning Bypass covers everything you need to know about Android SSL Pinning Bypass.
IR & Reversing
Franken-phish: TodayZoo built from other phishing kits
A phishing kit built using pieces of code copied from other kits, some available for sale through publicly accessible scam sellers or are reused and repackaged by other kit resellers, provides rich insight into the state of the economy that drives phishing and email threats today.