All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
A security researcher describes their year-long study of machine learning and AI fundamentals, with the goal of understanding how to build and then attack ML systems. The post outlines their learning approach, courses, and materials for others interested in starting adversarial machine learning (attacking ML systems).
A security researcher will present on Shadowbunny, a technique that misuses virtual machines (software that simulates a computer) during lateral movement (when an attacker spreads from one compromised system to another). The presentation will also discuss threat hunting (searching for signs of attacks) and detection methods to identify this technique.
Race conditions in ACL (access control list, the rules that determine who can access files) application occur when a system creates a sensitive file but there is a time gap before permissions are applied to protect it, potentially allowing attackers to access the file during that window. This type of vulnerability exploits the timing between file creation and permission lockdown to expose sensitive information.
This article discusses how to measure the maturity and effectiveness of security testing programs, particularly red teaming (simulated attacks to find vulnerabilities). The author suggests using existing frameworks like CMMI (Capability Maturity Model Integration, a system developed by Carnegie Mellon University that rates how well-organized software processes are on a scale of one to five) that can be adapted to evaluate offensive security programs.
CVE-2020-3681 is a vulnerability in HPAV2 systems where attackers can create fake authenticated and encrypted messages (MMEs, or multimedia messages) and send them remotely by extracting a secret key (jailbreak key) from the system's code. This happens because the system uses a broken or risky cryptographic algorithm (a weak method for encoding data securely).
CVE-2020-13918 is a security flaw in Ruckus Wireless Unleashed (a wireless network management system) up to version 200.7.10.102.92 that allows an attacker without authentication to send a specially crafted HTTP request (a web communication method) and leak sensitive system information that could be used to bypass security protections. The vulnerability affects multiple Ruckus device models including access points and controllers.
CVE-2020-13917 is a command injection vulnerability (a weakness where an attacker can trick a system into running unauthorized commands) in rkscli, a command-line tool in Ruckus Wireless Unleashed devices up to version 200.7.10.92. Remote attackers can exploit this flaw by sending specially crafted commands to gain unauthorized control over the affected devices.
A researcher created a tool that uses Firefox's debugging API (a set of commands for controlling Firefox remotely) to extract cookies (small files that store login information and preferences) from the browser, which is useful when an attacker doesn't have administrator access or user credentials. The tool works by connecting to Firefox's debug server, sending JavaScript commands to access the Services.cookies.cookies array, and retrieving the results, though it requires the debugging feature to be manually enabled first.
A vulnerability in Oracle Java SE's JAXP component (a tool for processing XML data) allows attackers to modify or delete data without authentication by sending malicious data through network protocols. The flaw affects multiple Java versions including 7u261, 8u251, 11.0.7, and 14.0.1, and has a CVSS score (a 0-10 rating of how severe a vulnerability is) of 5.3.
Oracle Coherence (a caching system used in Oracle Fusion Middleware) has a vulnerability in its CacheStore component that allows an attacker without authentication to crash or hang the system via HTTP, affecting versions 3.7.1.0 through 14.1.1.0.0. The vulnerability is easily exploitable and has a CVSS score (severity rating on a 0-10 scale) of 7.5, meaning it has significant impact on system availability.
Firefox includes a built-in remote debugging feature that allows attackers to access authentication tokens and cookies from a compromised system. By default, Firefox disables this feature, but malware can enable it by modifying configuration files (user.js or prefs.js) to set specific debugging preferences and remove security prompts that would alert the user.
Port-proxying is a Windows technique that allows a process listening on one network interface (such as localhost, which is only accessible locally) to be exposed on a different network interface. This is useful for scenarios like making a local-only service accessible remotely, forwarding traffic between two network interfaces, or pivoting (moving through a network to access other systems).
A researcher discovered a persistent XSS (cross-site scripting, where an attacker injects malicious code into a web page that runs in other users' browsers) vulnerability in the AWS Console several years ago. The post documents how they found the bug, the techniques they used, and Amazon's response to the discovery.
This is a brief announcement that a security blog called 'Embrace the Red' was ranked as the 10th top penetration testing blog by Feedspot (a blog aggregation service). The blog focuses on offensive security engineering, penetration testing (simulating attacks to find vulnerabilities), and red teaming (groups that act as mock attackers to test defenses).
This article explains how to use built-in OS search features (Windows Search indexing and macOS Spotlight) to quickly hunt for credentials that may be stored in plain text on machines. Rather than manually searching through files, administrators and security teams can query the OS index via command line using PowerShell scripts on Windows or the mdfind command on macOS, which is much faster and can also search binary files.
The Shadowbunny technique uses virtual machines (VMs, software that emulates a complete computer within another computer) during lateral movement (spreading from one compromised system to others) to hide attackers' presence and avoid security detection tools. Real-world attackers, including those behind Ragnar Locker Ransomware (malicious software that encrypts files for extortion), have already employed this method, making it important for security professionals to understand how to detect it.
CVE-2018-16848 is a denial of service vulnerability in OpenStack Mistral (a workflow automation tool) affecting versions up to 7.0.3, where attackers can submit specially crafted workflow definition files with nested anchors (repeated references in YAML configuration files) to exhaust system resources and crash the service. The vulnerability exploits uncontrolled resource consumption (CWE-400, where a program doesn't limit how much memory or CPU it uses).
A security bug jail is a development practice where system owners cannot work on new features if their system has more than a set number of active security vulnerabilities (for example, a limit of 3). This approach prevents security debt (accumulated unfixed flaws) from growing uncontrollably over time by forcing teams to prioritize fixing existing security issues before adding new functionality.
Telemetry (data collected about how users interact with software) is often used by companies to make business decisions, but telemetry pipelines (the systems that collect and process this data) can be vulnerable to attacks. A red team security test demonstrated this by spoofing telemetry requests to falsely show a Commodore 64 as the most popular operating system, which could mislead companies into making poor decisions based on fake usage data.
Fix: The source mentions that internal red teams should run security assessments of telemetry pipelines. According to the text, this ensures that 'pipelines are assessed and proper sanitization, sanity checks, input validation for telemetry data is in place.' However, no specific technical fix, patch version, or concrete implementation details are provided.
Embrace The RedThis article discusses red teaming techniques (testing methods where security professionals act as attackers to find weaknesses) that organizations can use to identify privacy issues in their systems and infrastructure. The author emphasizes that privacy violations often come from insider threats (employees or contractors with authorized access to sensitive data), and highlights the importance of regular privacy testing as required by regulations like GDPR (General Data Protection Regulation, which sets rules for protecting personal data in Europe). The article mentions the "Motivated Intruder" threat model, where an insider with access to anonymized datasets (data with identifying information supposedly removed) uses data science techniques to reidentify people and expose their identities.
Fix: Blue teams should monitor and add detection alerts for modifications to Firefox configuration files, specifically changes to the settings: devtools.chrome.enabled, devtools.debugger.remote-enabled, and devtools.debugger.prompt-connection. The source also recommends using SSH port forwarding to encrypt debugging traffic if remote access is needed, since the debugging protocol sends data in clear text.
Embrace The Red