"Zero-Click Exploit Concerns Drive Urgent Patching of Windows TCP/IP Flaw"

Security experts urge Windows system administrators to patch a pre-auth Remote Code Execution (RCE) vulnerability in the Windows TCP/IP stack, warning that zero-click exploitation is highly likely. Not many technical details have been released on the vulnerability, tracked as CVE-2024-38063. However, Microsoft's documentation suggests that a worm-like attack is possible on the latest versions of its flagship operating system. According to Microsoft, an unauthenticated attacker could repeatedly send IPv6 packets, including specially crafted packets, to a Windows machine, allowing RCE.

Submitted by Gregory Rigby on

Pub Crawl - August 2024

Selections by dgoff

Pub Crawl summarizes sets of publications that have been peer-reviewed and presented at Science of Security (SoS) conferences or referenced in current work. The topics are chosen for their usefulness for current researchers. Select the topic name to view the corresponding list of publications. Submissions and suggestions are welcome.

Submitted by Gregory Rigby on

"GitHub Vulnerability 'ArtiPACKED' Exposes Repositories to Potential Takeover"

A new attack vector in GitHub Actions artifacts, called "ArtiPACKED," could be used to take over repositories and access organizations' cloud environments. According to Yaron Avital, a researcher at Palo Alto Networks' Unit 42, misconfigurations, together with security vulnerabilities, can result in artifacts leaking tokens for both third-party cloud services and GitHub. Malicious actors with access to these artifacts could compromise the services to which these secrets grant access. This article continues to discuss findings regarding the GitHub vulnerability ArtiPACKED.

Submitted by Gregory Rigby on

"Advanced ValleyRAT Campaign Hits Windows Users in China"

Researchers at FortiGuard Labs have uncovered a sophisticated "ValleyRAT" malware campaign targeting Windows users in China. The threat actors behind the campaign seek to take over compromised machines. ValleyRAT primarily targets e-commerce, finance, sales, and management companies. The campaign involves the use of heavy shellcode to directly execute its components in memory, reducing its footprint. This article continues to discuss key findings regarding the new ValleyRAT campaign.

Submitted by Gregory Rigby on

"Ransomware Attacks on Industrial Firms Surged in Q2 2024"

According to security researchers at Dragos, there was a significant increase in ransomware attacks on industrial organizations in the second quarter of 2024 compared to the previous quarter. The researchers noted that 29 of the 86 ransomware groups known to target industrial organizations were still active in the second quarter, an increase from the 22 groups observed launching attacks in the first quarter.

Submitted by Adam Ekwall on

"Ransomware Gang Deploys New Malware to Kill Security Software"

"RansomHub" ransomware operators are now using new malware named "EDRKillShifter" to disable Endpoint Detection and Response (EDR) security software in Bring Your Own Vulnerable Driver (BYOVD) attacks. Sophos security researchers discovered EDRKillShifter in May 2024 during a ransomware investigation. It deploys a legitimate, vulnerable driver on targeted devices in order to escalate privileges, disable security solutions, and more. The method is widely used by different threat actors, including financially motivated ransomware gangs and state-sponsored hacking groups.

Submitted by Gregory Rigby on

"Finding Security Flaws in Android Ahead of Malicious Hackers"

EPFL researchers in computer and communication sciences discovered 31 critical security vulnerabilities in the Android system and developed ways to mitigate some of them. The different security flaws found by the researchers enable the theft of fingerprints, face data, and other sensitive data that could be stored on one's phone, such as credit card numbers. This article continues to discuss the EPFL researchers' discovery of numerous security flaws in Android's most privileged components.

Submitted by Gregory Rigby on

"Another Record Year For Ransomware Beckons as Crypto Profits Hit $460m"

According to security researchers at Chainalysis, ransomware actors are set for their highest-grossing year on record in 2024 after crypto inflows in the first half of the year reached $460m. The researchers noted that in 2023, ransomware groups made over $1bn after reaching $449m by the end of June. So far this year, the largest ever single ransom payment has been recorded, $75m to the Dark Angels group.

Submitted by Adam Ekwall on

11th IEEE International Conference on Social Networks Analysis, Management and Security (SNAMS-2024)

"The International Conference on Social Networks Analysis, Management and Security (SNAMS-2024) aims to provide a comprehensive forum for researchers, practitioners, and industry experts to present and discuss their latest findings and innovations in the realm of social network analysis. This conference seeks to explore the vast opportunities in social networks, addressing both theoretical and practical challenges."

Topics of interest include, but are not limited to, security, privacy, and trust in social networks.
