Attacks & Vulnerabilities
|
Cisco Flags More SD-WAN Flaws as Actively Exploited (2 minute read)
Following a recent announcement of a critical SD-WAN vulnerability that is being actively exploited, Cisco has identified two additional vulnerabilities also being exploited by attackers. One vulnerability allows authenticated attackers with read-only access to overwrite arbitrary files, and the other is an information disclosure flaw that requires local attackers to have vmanage permissions. Cisco recommends users upgrade to a patched release to protect against these issues.
|
Hacker Mass-Mails HungerRush Extortion Emails to Restaurant Patrons (2 minute read)
A hacker has started emailing customers of restaurants that use the HungerRush point-of-sale platform, informing them that their data was compromised and that HungerRush is ignoring their demands. Alon Gal, CTO of Hudson Rock, posted that infostealer logs show a HungerRush employee's device was hacked, which enabled the attacker to move laterally within the environment. However, HungerRush says that a third-party vendor's compromised credentials were used to access its email marketing account. The attacker claims to have data records for millions of customers containing names, emails, passwords, addresses, phone numbers, dates of birth, and credit card information. However, HungerRush disputes this, stating that no personal or financial information was stolen.
|
Fake Xeno and Roblox Utilities Used to Install Windows RAT (3 minute read)
Researchers at Microsoft Threat Intelligence have detected a malware campaign in which attackers are using trojanized executables, masquerading as Roblox and Xeno utilities, and circulating them through chat rooms to install malware on users' systems. The malware installs a portable Java runtime, which runs a malicious JAR that relies on LOLBins to download and run a remote access Trojan (RAT). The RAT then tries to delete traces of the initial infection and add Windows Defender exclusions for the malicious files.
|
|
Offensive DPAPI With Nemesis (16 minute read)
Nemesis 2.2 automates the full Windows DPAPI decryption chain, covering SYSTEM and user masterkeys, CNG keys, and Chromium's App-Bound Encryption introduced in Chrome 137+, which added a third decryption layer via the Google Chromekey1 CNG key stored in the Cryptography API Next Generation Key Storage Provider. The platform supports multiple credential input paths, including offline registry hives, LSASS dumps, NTLM hashes, and domain DPAPI backup keys, with the latter enabling persistent forward and retroactive decryption of all linked domain user masterkeys. Red teamers should note that submitting a domain backup key to Nemesis is the highest-leverage move, as it unlocks both existing and future masterkey blobs without requiring resubmission of per-user credentials.
|
Your Duolingo Is Talking to ByteDance: Cracking the Pangle SDK's Encryption (8 minute read)
ByteDance's Pangle ad SDK is embedded in more than 40 popular apps, including Duolingo, BeReal, Character.AI, and others, and sends rich device fingerprints to ByteDance servers over HTTPS. The SDK uses a "cypher:3" scheme in which each payload literally carries its own AES key and IV, alongside a hardcoded AES key reused across versions, so the extra "encryption" amounts to obfuscation rather than real protection. Decrypted traffic reveals granular hardware, device-state, network, and identifier data, as well as regulatory-consent fields, while a stronger ECIES-based "cypher:4" is reserved for ad metrics, underscoring that user fingerprint data is only weakly protected despite its high tracking value.
|
A Beginner's Guide: Cross-Device Passkeys (5 minute read)
A common challenge to passkey adoption is a user's difficulty signing in on a device that doesn't have the passkey installed and can't retrieve it from a cloud password manager. Hybrid transport addresses this issue by enabling cross-device passkeys, allowing a user to use another device's passkey to sign in. The flow involves the site the user wants to authenticate to generating a QR code, which the user then scans with another device. That second device performs a challenge-response with the server and a proximity check using BLE with the first device. If the challenge succeeds, the user is logged in on their original device.
|
|
Jailer (GitHub Repo)
An eBPF-based mandatory access control system for Linux that enforces role-based policies on file access, network operations, and process execution using BPF LSM hooks and task_storage maps. Processes enroll via Unix socket or auto-enrollment triggers (executable path, cgroup, or xattr), with jail policies inherited by child processes. Two deployment modes are supported: a daemon mode with hot policy reload and a daemonless mode that pins BPF programs during early boot to reduce the attack surface.
|
Reclaim Security (Product Launch)
Reclaim Security is an AI-powered platform that turns vulnerability and threat-exposure findings into safe, automated remediation actions, simulating business impact to help organizations fix critical risks quickly without disrupting operations.
|
Cortado (GitHub Repo)
This repository contains Red Team Automations (RTAs) implemented in Python. These RTAs either reference binary samples by specifying a sample hash that exhibits behaviors we aim to detect or emulate attacker behaviors through code.
|
|
Anonymous credentials: an illustrated primer (18 minute read)
As age-verification laws spread across 25 states in the US and over a dozen countries, anonymous credential systems built on blind signatures and zero-knowledge proofs offer a cryptographic path to proving attributes such as age or residency without exposing the underlying identity to issuers or relying parties. The core challenge is preventing credential cloning: single-use Chaumian credentials bound to blind-signed serial numbers address this but require per-session issuance, while ZK-based reusable credentials solve efficiency and expressiveness at the cost of requiring N-time use limits enforced via PRF-derived serial numbers or hardware binding. Security practitioners building identity systems should treat the issuer-resource collusion threat model as a first-class design requirement rather than an afterthought.
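The N-time use limit described above relies on the holder deriving each presentation's serial number from a PRF keyed by the credential, so a relying party can spot a reused serial (a cloned or over-used credential) without learning who the holder is. The following Python sketch is an added example, not code from the primer or any library it discusses: it models the PRF with HMAC-SHA256, assumes a hypothetical per-relying-party context string, and stands in for the zero-knowledge proof with a boolean flag, which is a constructed simplification.

```python
import hashlib
import hmac

N_USES = 3  # hypothetical per-context use budget enforced by the verifier


def derive_serial(credential_key: bytes, context: bytes, index: int) -> str:
    """Serial number for the index-th presentation under a given context.

    HMAC-SHA256 stands in for the PRF: the output is deterministic for the
    holder (so the same index always yields the same serial, which is what
    lets a verifier detect reuse) yet unpredictable and unlinkable to anyone
    without the credential key.
    """
    if not 0 <= index < N_USES:
        raise ValueError("index outside the permitted use budget")
    msg = context + index.to_bytes(4, "big")
    return hmac.new(credential_key, msg, hashlib.sha256).hexdigest()


class RelyingParty:
    """Verifier that remembers serials it has already accepted."""

    def __init__(self, context: bytes):
        self.context = context
        self.seen: set[str] = set()

    def present(self, serial: str, proof_ok: bool = True) -> bool:
        # In a real system a ZK proof shows that serial = PRF(k, context || i)
        # for some i < N_USES and that the credential carries a valid issuer
        # signature. Here that proof is modelled by the proof_ok flag
        # (constructed simplification).
        if not proof_ok:
            return False
        if serial in self.seen:
            # Same serial twice: either a cloned credential or a holder
            # exceeding the budget. Reject without learning any identity.
            return False
        self.seen.add(serial)
        return True


def simulate(credential_key: bytes, rp: RelyingParty, attempts: list[int]) -> list[bool]:
    """Run a sequence of presentations and report which were accepted."""
    results = []
    for idx in attempts:
        try:
            serial = derive_serial(credential_key, rp.context, idx)
        except ValueError:
            results.append(False)  # index beyond the budget never gets a serial
            continue
        results.append(rp.present(serial))
    return results


if __name__ == "__main__":
    key = bytes(32)  # constructed credential key; a real one is random
    rp = RelyingParty(b"age-check.example")  # hypothetical context
    print(simulate(key, rp, [0, 1, 2, 0, 3]))
```

Because the context is part of the PRF input, the same credential yields unrelated serials at two different relying parties, so the use counter is per site and the sites cannot correlate presentations by serial alone.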
|
Car Tyre Sensors Can Be Used to Track Drivers Without Their Knowledge (3 minute read)
Researchers from IMDEA Networks Institute demonstrated that Tire Pressure Monitoring Systems (TPMS) in vehicles from Toyota, Mercedes, Renault, and Hyundai broadcast unencrypted, static sensor IDs that can be captured with ~$100 SDR hardware at distances exceeding 50 meters, enabling persistent vehicle fingerprinting via Jaccard index correlation across a network of roadside receivers. Over a ten-week field study, the team collected more than 6 million messages from more than 20,000 vehicles, confirming that TPMS data can be used to reconstruct detailed movement patterns and daily routines. Researchers are calling on manufacturers and policymakers to mandate rotating sensor IDs, as current EU and UK regulations legally require TPMS but do not mandate encryption or ID randomization.
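The tracking risk above comes from two properties: the four sensor IDs a car broadcasts are static, and a roadside receiver rarely has to capture all four to recognise the set again, because a Jaccard index tolerates missed packets. The Python below is an added example, not the researchers' code, that links sightings from hypothetical receivers by Jaccard similarity and then repeats the exercise with rotating IDs (modelled here with a hash of a constructed sensor secret and an epoch counter) to show why the proposed mitigation breaks the correlation.

```python
import hashlib

# Constructed sample: one vehicle with four static TPMS sensor IDs.
VEHICLE_STATIC = {"a1b2c3d4", "a1b2c3d5", "a1b2c3d6", "a1b2c3d7"}


def jaccard(a: set, b: set) -> float:
    """Jaccard index |A ∩ B| / |A ∪ B|; 0.0 for two empty sets."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def rotate_ids(sensor_secret: bytes, epoch: int, n: int = 4) -> set[str]:
    """Hypothetical rotating-ID scheme: a fresh ID per sensor per epoch.

    Only a party holding sensor_secret (e.g. the car's own ECU) could
    recompute the sequence; a passive receiver sees unrelated values.
    """
    return {
        hashlib.sha256(sensor_secret + bytes([i]) + epoch.to_bytes(4, "big")).hexdigest()[:8]
        for i in range(n)
    }


def link_tracks(sightings: list[tuple[str, set[str]]], threshold: float = 0.5) -> list[dict]:
    """Greedy linking: a sighting joins the first track whose ID set is
    similar enough, otherwise it opens a new track. Each track records the
    receivers that saw it, which is the movement pattern a tracker wants."""
    tracks: list[dict] = []
    for receiver, ids in sightings:
        for track in tracks:
            if jaccard(track["ids"], ids) >= threshold:
                track["ids"] |= ids
                track["receivers"].append(receiver)
                break
        else:
            tracks.append({"ids": set(ids), "receivers": [receiver]})
    return tracks


def static_scenario() -> list[dict]:
    """Three receivers; the middle one misses one of the four packets."""
    sightings = [
        ("rx-home", set(VEHICLE_STATIC)),
        ("rx-highway", set(list(VEHICLE_STATIC)[:3])),  # partial capture
        ("rx-office", set(VEHICLE_STATIC)),
    ]
    return link_tracks(sightings)


def rotating_scenario() -> list[dict]:
    """Same route, but the car rotates its IDs between sightings."""
    secret = b"constructed-sensor-secret"
    sightings = [
        ("rx-home", rotate_ids(secret, epoch=1)),
        ("rx-highway", rotate_ids(secret, epoch=2)),
        ("rx-office", rotate_ids(secret, epoch=3)),
    ]
    return link_tracks(sightings)


if __name__ == "__main__":
    for name, tracks in (("static", static_scenario()), ("rotating", rotating_scenario())):
        print(name, [t["receivers"] for t in tracks])
```

With static IDs the three sightings collapse into a single track spanning home, highway and office even though one receiver captured only three of the four sensors; with rotating IDs every sighting is an isolated track and no route can be reconstructed.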
|
Italian prosecutors confirm journalist was hacked with Paragon spyware (3 minute read)
Italian prosecutors confirm that the phones of journalist Francesco Cancellato and activists Giuseppe Caccia and Luca Casarini were hacked using Paragon's Graphite spyware in a coordinated 2024 campaign, while the perpetrator and motive remain unclear. Authorities' failure to detect infections identified by Citizen Lab and prior oversight gaps raise serious concerns about the government's use of commercial spyware and safeguards for journalists across Europe.
|