VM#007

Hi Everyone,

Here’s a quick roundup of last week’s latest cybersecurity news, reports, and tools. In the CyberSec Free Events section, you'll find upcoming CTFs and challenges, including three OSINT CTFs from the 🇨🇭 & 🇫🇷 & 🇺🇸 groups and the classic annual TryHackMe event. Additionally, in the Bonus section, you’ll find the solution to the task from the previous week with 4 quick ways to tackle it.

Cybersecurity News

  • Hackers Can Access Laptop Webcams Without Triggering LED
    A security engineer discovered that by reflashing the firmware on Lenovo ThinkPad X230 laptops, attackers can control the webcam's LED independently, allowing them to activate the camera without the usual LED indicator. Find out more.

  • Top U.S. Senator Calls Salt Typhoon 'Worst Telecom Hack in Our Nation's History': T-Mobile has confirmed its involvement in the Salt Typhoon cyber espionage campaign, one of the most significant breaches targeting major telecom giants. The attack also affected AT&T, Verizon, and Lumen Technologies. Find out more.

Vulnerabilities & Exploits & Hacks

  • RomCom Exploits Firefox and Tor Zero-Days: The Russian RomCom group exploited two zero-day vulnerabilities in Firefox and Tor Browser to attack users in Europe and North America. By chaining a Firefox flaw and a Windows Task Scheduler bug, they infected victims via malicious websites, delivering a backdoor without user interaction. Find out more.

  • 2,000+ Palo Alto Firewalls Compromised: Hackers exploited two recently patched zero-day vulnerabilities to compromise over 2,000 Palo Alto Networks firewalls. Find out more.

Threat Hunting & Malware

  • Top Malware Threats of 2024: BlackLotus, Emotet, Beep, and Dark Pink: BlackLotus bypasses Secure Boot, embedding itself in firmware for long-term undetected access. Emotet spreads via phishing emails and acts as a delivery platform for ransomware. Beep uses stealth techniques to evade detection, while Dark Pink targets government and military agencies for espionage. Find out more.

  • Malware Exploits Avast Driver to Disable Security: Trellix researchers uncovered malware using the Avast Anti-Rootkit driver (aswArPot.sys) to disable security software. The malware gains kernel-level access and targets 142 security apps, bypassing detection. Find out more.

Other Notable Events

  • Digital Forensics: Apple has quietly introduced an ‘Inactivity Reboot’ feature in iOS 18.1 to enhance the security of lost or stolen iPhones.

    If an iPhone remains unused for 4 days, it will reboot itself, switching to its “Before First Unlock” (BFU) state. In this state, the device requires a PIN or password to enable Face ID or Touch ID, significantly complicating unauthorized access. Devices commonly used by law enforcement or bad actors to bypass iPhone locks are less effective in the BFU state. By contrast, the “After First Unlock” (AFU) state, where biometric unlocking is active, is easier to crack.

    Notably, Realme Chinese phones already have a similar feature, transitioning from AFU to BFU after 72 hours of inactivity, even in cases where the phone was initially secured in AFU. This highlights that other manufacturers are implementing similar protections.

    Regarding iPhones, Cellebrite recently informed users that it is working on mitigating this challenge in upcoming updates to UFED Premium.

Acquisitions

CompTIA’s brand, certification, and training services have been acquired by private equity firms H.I.G. Capital and Thoma Bravo. While financial terms are undisclosed, H.I.G. manages $65 billion, and Thoma Bravo oversees $160 billion in assets. The Chief Community Officer at CompTIA explained that following the acquisition, CompTIA's existing nonprofit organization will separate from the for-profit business.

📰 Reports

  • MITRE CWE 2024 Top 25 Dangerous Software Weaknesses. The List

  • Trend Micro released a detailed follow-up report linking Salt Typhoon to Earth Estries, which is more closely associated with Famous Sparrow and Ghost Emperor. It's unclear whether these are distinct entities or precursor activity to Salt Typhoon. Report.

Espionage & Counterintelligence

  • Chinese Ship Linked to Baltic Cable Sabotage: A Chinese vessel, Yi Peng 3, is suspected of cutting two key Baltic Sea internet cables, possibly under Russian direction. NATO is monitoring the ship amid growing tensions. Find out more.

  • Russian Spy Ring in UK Exposed: A trial reveals Russian agents spied on journalists, exiles, and politicians in London. Sophisticated plots included honeytraps, fake protests, and targeting military bases. Find out more.

  • Chinese Citizen Fabricates Intelligence to Defect: A man faked classified documents to seek rewards from a foreign spy agency. Authorities issued a warning after his confession and apology. Find out more.

  • LVMH and Espionage Allegations Arnault Testifies: A Paris trial reveals claims of illegal surveillance by France’s ex-spy chief Bernard Squarcini while consulting for LVMH (the world's largest luxury goods company, known for brands like Louis Vuitton and Moët & Chandon). Allegations include spying on activists and leaking classified data. Bernard Arnault denies involvement. Find out more.

AI

  • DeepSeek-R1 AI Model: A Chinese competitor to OpenAI with human-like reasoning, built-in fact-checking, and logical planning. Regulations restrict it under China’s "core socialist values," blocking topics like Xi Jinping or Tiananmen Square. Despite safeguards, users have bypassed restrictions, exposing security vulnerabilities. Backed by High-Flyer Capital, it runs on 10,000 Nvidia A100 GPUs. Technical data & Try it here.

SOCMINT

This time, no interesting news to share.

OSINT

Tools

  • Google Language & Country Switcher Extension: Easily switch between Google’s language and country-specific versions. Check it here.

  • Bellingcat Filename Finder Extension: Display filenames for images uploaded to Google Maps by users (in location photos, reviews, etc). Check it here.

Google Updates

  • Google’s Shielded Email for Android Users: Google is rolling out “Shielded Email,” allowing Android users to create single-use email aliases that forward messages to their primary account—ideal for apps requiring email addresses. Integrated with Android’s autofill and Google Password Manager, this mirrors Apple’s "Hide My Email" feature. While starting with Android apps, expansion to the broader Google ecosystem seems likely. Availability is expected on Pixel devices first, with no desktop Gmail integration confirmed yet. The shielded email option was spotted in autofill settings by Android Authority but led to an empty page, indicating it's still in progress with no confirmed release date.

    • Hide email aliases protect your email address from being leaked in data breaches and exposed to scammers.

    • Other providers like Bitwarden, DuckDuckGo, Proton, Firefox have since also released an analogous feature.

  • Why the US Wants Google to Sell Chrome: The Department of Justice aims to break Google’s monopoly on search by forcing it to divest Chrome, the world’s leading browser with two-thirds market share. Chrome is vital to Google’s ad business, which thrives on browsing data. Google’s Chrome is worth up to $20 billion if a judge orders its sale. The DoJ also targets Android, proposing divestment or government oversight. Google calls the plans “unprecedented overreach” and is appealing.

  • Google Earth’s Historical Imagery Update: Explore how the world has changed with Google Earth Pro’s new historical imagery, now reaching back to the 1930s!

    • Earlier, I used to check the historical imagery map tool World Imagery Wayback, but it was limited to data captured only up to 8 years ago.

Darknet

For educational purposes only

Darknet vs. Darkweb: Two Often Confused Concepts

  • Darknet: A network overlay requiring specialized software (e.g., Tor, I2P) to access, designed for anonymity and encryption, hosting services like hidden websites, file sharing, and private communication. It's a foundational infrastructure for secure and unindexed browsing.

  • Darkweb: A part of the internet accessible via tools like Tor, where websites with .onion domains are hidden. It includes both legal and illegal content, such as private forums, marketplaces, and blogs. An example is Silk Road, a now-defunct marketplace for illicit goods.

    The DNM’s Bible, otherwise known as the Darknet Bible or Darknet Market Bible, provides insights for individuals exploring Darknet Markets (DNMs). It offers guides on how to navigate the dark web and make purchases, but BEWARE: many of the links and markets mentioned are outdated or have exit scammed. 2020 version (clean url)

    Ross Ulbricht, creator of the Silk Road dark web marketplace, operated it from 2011 to 2013, allowing illegal drug trafficking and other contraband transactions. In 2015, he was sentenced to life in prison for drug trafficking, money laundering, and computer hacking. In 2024, Donald Trump promised to grant him clemency if re-elected, drawing support from libertarians and the crypto community. Ulbricht’s supporters now hope Trump will honor this pledge and secure his release.

Upcoming CyberSec / OSINT Events

Free

Each of these challenges starts on December 1st and ends on Christmas Eve (December 24th) or Christmas Day (December 25th), with new challenges released daily at the same time.

🇨🇭 OSINT Switzerland is organizing its first official OSINT CTF; the daily release time has not been specified. This group recently won the Tracelabs OSINT CTF and regularly shares valuable OSINT tips—definitely one to follow! Their website & X.

🇫🇷 OSINT for Fun is launching Advent of OSINT 2024. Challenges are crafted by OSINT experts and enthusiasts, including AEGE | C'est vrai ça? | IsFred | KaseScenarios | OpenFacto | Oscar Zulu | OSINT-FR | OSINT4Fun | OSINTOPIA | Projet FOX | Sofia Santos. Each challenge drops at 12:30 PM (UTC+1).

🇺🇸 OSMOSIS Association is the governing body of OSMOSIS — An Association for Open-Source Intelligence (OSINT) Professionals. Their CTF will run until December 25th, with the exact end time unspecified. It features beginner-friendly and engaging challenges. Participants can also join a supportive community on Discord to learn and collaborate. Their website.

Annual Challenge

Advent of Cyber 2024 by TryHackMe. Daily challenges go live at 4 PM GMT, covering topics such as:

  • Penetration Testing

  • Cloud Security

  • Log Analysis

  • Digital Forensics and Incident Response

  • Web Application Pentesting

💥 Solution to the Bonus Task

Thank you to everyone who submitted responses—AI tools were the most commonly used approach. The challenge from last week:

What is gov.ru's tax payer ID?
Correct answer: 7702358248

First, let’s clarify what a website’s tax ID is: In some countries, official websites, especially government-owned ones, are associated with a taxpayer identification number (TIN). This number is often part of their registration details.

The task could be solved in 4 ways:

  1. Using AI tools
    Tools like ChatGPT, Claude, Perplexity, or Brave’s built-in AI can be used for quick answers.

  2. Checking the WHOIS database
    WHOIS lookups, e.g. via nic.ru (a Russian domain registrar and hosting provider), return registration details for domains, including administrative information that can contain identifiers such as a tax ID.

  3. Using a simple Google dork, e.g. "gov.ru" and "tax id"

  4. Running whois in the terminal with the command whois gov.ru
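As an added example for steps 2 and 4 (this is not code from the newsletter), here is a small Python script that runs the whois CLI when it is installed, otherwise parses a constructed sample record, and pulls out the taxpayer-id field. The "key: value" layout and the field names in TAX_ID_KEYS are assumptions about RU zone whois output; only the ID value itself comes from the page.

```python
import re
import subprocess

# Constructed sample (not real whois output). The "key: value" layout mirrors RU zone
# whois servers, but the "taxpayer-id" field name is an assumption; only the ID is from the page.
SAMPLE_WHOIS = """\
% By submitting a query to RIPN's Whois Service
% you agree to abide by the following terms of use:
domain:        GOV.RU
nserver:       ns.example.invalid.
nserver:       ns2.example.invalid.
state:         REGISTERED, DELEGATED, VERIFIED
taxpayer-id:   7702358248
registrar:     EXAMPLE-REG-RU
paid-till:     2025-12-31T21:00:00Z
"""

TAX_ID_KEYS = ("taxpayer-id", "tax-id", "inn")  # candidate field names; assumptions


def parse_whois(text: str) -> dict[str, list[str]]:
    """Parse 'key: value' lines into lists per key (keys such as nserver repeat)."""
    record: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue  # skip blank lines and comment/terms-of-use banners
        key, sep, value = line.partition(":")  # split on the FIRST colon only (values may hold ':')
        if sep:
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record


def find_tax_id(record: dict[str, list[str]]):
    # A Russian INN is 10 digits for organisations, 12 for individuals; reject anything else.
    for key in TAX_ID_KEYS:
        for value in record.get(key, []):
            if re.fullmatch(r"\d{10}|\d{12}", value):
                return value
    return None


def lookup(domain: str) -> str:
    """Return live whois output via the CLI, or the constructed sample when whois is unavailable."""
    try:
        return subprocess.run(["whois", domain], capture_output=True, text=True, timeout=20).stdout
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return SAMPLE_WHOIS


if __name__ == "__main__":
    rec = parse_whois(lookup("gov.ru"))
    print("nameservers:", rec.get("nserver"), "tax id:", find_tax_id(rec))
```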