U.K. National Crime Agency Sets Up Fake DDoS-For-Hire Sites to Catch Cybercriminals

In what’s a case of setting a thief to catch a thief, the U.K. National Crime Agency (NCA) revealed that it has created a network of fake DDoS-for-hire websites to infiltrate the online criminal underground.

“All of the NCA-run sites, which have so far been accessed by around several thousand people, have been created to look like they offer the tools and services that enable cyber criminals to execute these attacks,” the law enforcement agency said.

“However, after users register, rather than being given access to cyber crime tools, their data is collated by investigators.”

The effort is part of an ongoing international joint effort called Operation PowerOFF in collaboration with authorities from the U.S., the Netherlands, Germany, Poland, and Europol aimed at dismantling criminal DDoS-for-hire infrastructures worldwide.

DDoS-for-hire (aka “Booter” or “Stresser”) services rent out access to a network of infected devices to other criminal actors seeking to launch distributed denial-of-service (DDoS) attacks against websites and force them offline.

images from Hacker News

Microsoft Warns of Stealthy Outlook Vulnerability Exploited by Russian Hackers

Microsoft on Friday shared guidance to help customers discover indicators of compromise (IoCs) associated with a recently patched Outlook vulnerability.

Tracked as CVE-2023-23397 (CVSS score: 9.8), the critical flaw is a privilege escalation issue that could be exploited to steal NT LAN Manager (NTLM) hashes and stage a relay attack without requiring any user interaction.

“External attackers could send specially crafted emails that will cause a connection from the victim to an untrusted location of attackers’ control,” the company noted in an advisory released this month.

“This will leak the Net-NTLMv2 hash of the victim to the untrusted network which an attacker can then relay to another service and authenticate as the victim.”

The vulnerability was resolved by Microsoft as part of its Patch Tuesday updates for March 2023, but not before Russia-based threat actors weaponized the flaw in attacks targeting government, transportation, energy, and military sectors in Europe.

OpenAI Reveals Redis Bug Behind ChatGPT User Data Exposure Incident

OpenAI on Friday disclosed that a bug in the open source Redis client library was responsible for the exposure of other users’ personal information and chat titles in the upstart’s ChatGPT service earlier this week.

The glitch, which came to light on March 20, 2023, enabled certain users to view brief descriptions of other users’ conversations from the chat history sidebar, prompting the company to temporarily shut down the chatbot.

“It’s also possible that the first message of a newly-created conversation was visible in someone else’s chat history if both users were active around the same time,” the company said.

The bug, it further added, originated in the redis-py library, leading to a scenario where cancelled requests could cause connections to be corrupted and return unexpected data from the database cache, in this case, information belonging to an unrelated user.

To make matters worse, the San Francisco-based AI research company said it introduced a server-side change by mistake that led to a surge in request cancellations, thereby upping the error rate.

Malicious Python Package Uses Unicode Trickery to Evade Detection and Steal Data

A malicious Python package on the Python Package Index (PyPI) repository has been found to use Unicode as a trick to evade detection and deploy info-stealing malware.

The package in question, named onyxproxy, was uploaded to PyPI on March 15, 2023, and comes with capabilities to harvest and exfiltrate credentials and other valuable data. It has since been taken down, but not before attracting a total of 183 downloads.

According to software supply chain security firm Phylum, the package incorporates its malicious behaviour in a setup script that’s packed with thousands of seemingly legitimate code strings.

These strings are written with a mix of Unicode bold and italic letter variants; they remain readable and are still parsed by the Python interpreter, so the stealer is executed when the package is installed.

“An obvious and immediate benefit of this strange scheme is readability,” the company noted. “Moreover, these visible differences do not prevent the code from running, which it does.”
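The trick described above works because Python normalizes identifiers with NFKC before use (PEP 3131), so a name spelled with Mathematical Bold letters is the same name as its plain ASCII form at runtime, while a scanner that greps for ASCII strings such as `subprocess` never sees it. The following defender-side scanner is an added example, not code from Phylum or from the onyxproxy package: it tokenizes raw source (the `ast` module would already show the normalized names and hide the disguise), reports every identifier whose spelling changes under NFKC, and runs against a constructed benign snippet whose identifiers are spelled in bold letters.

```python
"""Flag Python identifiers whose raw spelling differs from what the interpreter executes.

Python applies NFKC normalisation to identifiers, so a name written with
Mathematical Bold Small letters (U+1D41A..U+1D433) is executed as its plain
ASCII equivalent. This scanner reads the raw NAME tokens and reports the
disguised spelling next to the normalised name the interpreter will use.
"""
import io
import tokenize
import unicodedata


def to_math_bold(text: str) -> str:
    """Spell lowercase ASCII letters with Mathematical Bold Small letters.

    Constructed helper used only to build the sample input below.
    """
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr(0x1D41A + ord(ch) - ord("a")))
        else:
            out.append(ch)
    return "".join(out)


# Constructed sample (not the onyxproxy payload): a harmless import and call
# whose identifiers are spelled in bold letters. At runtime this is exactly
# "import os; home = os.getenv('HOME')".
SAMPLE_SOURCE = (
    f"import {to_math_bold('os')}\n"
    f"home = {to_math_bold('os')}.{to_math_bold('getenv')}('HOME')\n"
)

# The same code spelled normally; the scanner must report nothing for it.
CLEAN_SOURCE = "import os\nhome = os.getenv('HOME')\n"


def find_confusable_identifiers(source: str) -> list[tuple[int, str, str]]:
    """Return (line, raw_identifier, nfkc_form) for each identifier whose raw
    spelling is changed by NFKC normalisation."""
    findings = []
    # tokenize returns the raw source text of each token, unlike ast, which
    # only exposes the already-normalised identifier.
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type != tokenize.NAME:
            continue
        normalised = unicodedata.normalize("NFKC", tok.string)
        if normalised != tok.string:
            findings.append((tok.start[0], tok.string, normalised))
    return findings


def summarise(source: str) -> dict[str, int]:
    """Count how often each real (normalised) identifier appears in disguised form."""
    counts: dict[str, int] = {}
    for _line, _raw, real in find_confusable_identifiers(source):
        counts[real] = counts.get(real, 0) + 1
    return counts


if __name__ == "__main__":
    for line, raw, real in find_confusable_identifiers(SAMPLE_SOURCE):
        print(f"line {line}: {raw!r} is executed as {real!r}")
```

Running the scanner over a package's `setup.py` before installation gives a list of the names the interpreter will actually resolve; a `summarise` result that maps disguised spellings onto `os`, `subprocess`, `urllib` and the like is the signal worth reviewing. The check is deliberately broad: any identifier that NFKC changes is reported, not only the bold and italic ranges mentioned in the report.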

THN Webinar: Inside the High Risk of 3rd-Party SaaS Apps

Any app that can improve business operations is quickly added to the SaaS stack. However, employees don’t realize that this SaaS-to-SaaS connectivity, which typically takes place outside the view of the security team, significantly increases risk.

Whether employees connect through Microsoft 365, Google Workspace, Slack, Salesforce, or any other app, security teams have no way to quantify their exposure. These ‘secondary’ apps may request an intrusive set of permissions or be outright malicious. Every click authorizing access may grant the right to edit or delete company files, send emails on behalf of the user, create new files, or otherwise handle data in a way that poses a profound threat to the organization’s security.

To handle the SaaS Security challenges, security teams need to address the entire SaaS ecosystem.

Today’s SaaS security practice has expanded beyond simply preventing access and beyond securing the individual app. Organizations must take identity management, threat detection, and access management into consideration, in addition to endpoint security and response capabilities. Once organizations take these steps, they will be better prepared to defend their SaaS attack surface.