First do it, then do it right, then do it better.
New Articles
This blog post is an in-depth analysis of how World of Warships obfuscates its game scripts and how to mostly deobfuscate them.
In this post we will focus on the Slack cookie that is a key element in offensive operations.
Abusing Microsoft Access "Linked Table" Feature to Perform NTLM Forced Authentication Attacks
11/08/2023 Microsoft Access (part of the Office suite) has a "linking to remote SQL Server tables" feature. In this post we will demonstrate that this feature can be abused by attackers to automatically leak the Windows user's NTLM tokens to any attacker-controlled server, via any TCP port, such as port 80.
This is the story behind the bug and a 0day exploit for Canon imageCLASS MF742Cdw/MF743Cdw and quite possibly a lot more affected Canon printers.
Domain of Thrones: Part II
11/05/2023 We provide post-compromise guidance for the rotation of domain secrets. This sequel will also dive into Windows Security event auditing that provides detection capabilities surrounding domain persistence behavior. We outline initial recommendations for promoting Windows servers to domain controllers to replace the compromised domain controllers.
I recently spent some time exploring the potential capabilities that an evil IoT device might have within an AWS IoT Core environment. This culminated in the thoughts I've transcribed in this blog post, as well as a command-line tool to help with enumeration and data harvesting during security assessments of products that interact with AWS IoT Core.
Diving into PyPI package name squatting
11/08/2023 Today PyPI malware made news yet again, so I decided to take a look at the other side of PyPI: name squatting and some other interesting stats along the way.
Android Kitchen Sink: Send BLE spam to iOS, Android and Windows at once using Android app
11/07/2023 The Kitchen Sink is the name of a Bluetooth Low Energy (BLE) attack that sends random advertisement packets targeting iOS, Android, and Windows devices in the vicinity at the same time. The attack is called "Kitchen Sink" because it tries to send every possible packet in the list, similar to the phrase "everything but the kitchen sink".
Using Github as C2
11/08/2023 In the realm of cybersecurity, Advanced Persistent Threat (APT) groups continue to evolve and adapt, often employing innovative techniques to carry out their malicious activities. One such strategy gaining prominence is the use of publicly accessible services, such as GitHub, as Command and Control (C2) channels. This article delves into this emerging trend, discussing its prevalence, the challenges in detection, and measures to prevent APT groups from exploiting such services.
The Triforce of Initial Access
11/06/2023 While one can often gain initial access, how long the access will last before getting kicked out is anyone's guess. Thus, it becomes important to spend the time effectively. This is where the open-source community comes in: there are three tools (and one script) specifically that I believe to be the modern-day Triforce for Microsoft Office initial access.
In this blog we will look at how threat actors are bypassing the "Restricted Settings" security measure introduced by Google in Android 13 to help protect against malware by taking a closer look at SecuriDropper, the first example of a widely distributed dropper bypassing this security measure.
We discovered a new later-stage malware variant from BlueNoroff that shares characteristics with their RustBucket campaign. Read this blog to learn more about this malware and view the indicators of compromise.
Stealc Stealer
11/07/2023 We present an analysis of Stealc, a non-resident stealer with flexible data collection settings. Stealc exhibits the ability to exfiltrate a wide range of data from the victim machine and directly transmits the information to the C2 server, bypassing the need to write it to a raw file. This streamlined process enhances both its data exfiltration capabilities and its ability to maintain a low profile, making it a potent tool for covert operations.
We report on the discovery of a critical vulnerability in the LayerZero protocol for cross-chain communication. It was introduced with a fix for a previous bug. In this article we will review the previous vulnerability and detail our new finding: a critical flaw in the network's architecture allowing an attacker to send a message through a legitimate UA that will never be relayed.
Hunting webshells
11/07/2023 In this article we discuss three different webshell investigations, shedding light on the importance of versatility in digital forensics and incident response (DFIR). We explore the intricacies of DFIR work, the toolbox at our disposal, and the decision-making process behind selecting the right tools for the job.
GPTs & Assistants API
11/11/2023 In this article, we will see how the Code Interpreter in OpenAI ChatGPT can be abused to exfiltrate sensitive files and how a backdoor can be inserted.
The Swiss Knife - SystemBC | Coroxy
11/10/2023 In this article we provide a technical analysis of SystemBC. Also known as Coroxy, or DroxiDat, SystemBC is a malware categorized as Proxy malware, a Bot, a backdoor, and even a RAT, as its uses can be diverse depending on the attacker, making it a versatile tool for Threat Actors.
Top Business Logic Vulnerability in Web
11/12/2023 A review of the main logic vulnerabilities found in Web Applications with examples of vulnerable and secure code.
In OpenCart versions 4.0.0.0 to 4.0.2.3, authenticated backend users having common/security "access" and "modify" privileges can write arbitrary untrusted data inside config.php and admin/config.php, resulting in remote code execution on the underlying server.
We dug into Azure CLI and discovered multiple cases of data leaks in 'az' functions. In this article we will disclose some of them, discuss the root causes and provide some guidelines for safely using Azure CLI in pipelines.
In this article, we explore three different function chains (i.e., Token Impersonation/Theft, Process Injection, and File Mapping) to understand how composition manifests and discuss some of the implications of composition on our detection engineering efforts.
In this blog post, I will revisit the broadcast of advertisement packets methodology, but this time attacking... unusual targets. This is an opportunity to review how broadcasting works in BLE and to become familiar with developing applications for Flipper Zero, in this case, leveraging the Bluetooth APIs.
Python offers three libraries shipped with a standard installation for handling e-mail transfer. These libraries are smtplib, imaplib, and poplib, and they require explicitly passing a magic parameter in the right way to use secure communication. By default they do not defeat active attackers in a machine-in-the-middle (MITM) position.
Attacking an EDR - Part 3
11/05/2023 In this third and last part of this series, we will dig deeper into the EDR's update process and uncover some logic flaws that, ultimately, led us to the complete disarmament of the solution. Additionally, as an unexpected treat for our effort, a new 'LOLBin' was also discovered along the way.
Using SSL Certificates for Red Team Payloads
11/10/2023 In this article, we will see that SSL Certificates can be used to deliver payloads, provide an example and discuss limitations as well as other potential usages.
We introduce hacks and mitigations to overcome the natural strengths and typical challenges OpenAI's GPT-4 (henceforth 'GPT') faces when reasoning in the domain of malware analysis. We show a heavily engineered prompt that improves the ability of GPT to correctly guide an analyst performing triage on the tested binary samples. This prompt is a proof of concept that improves GPT's ability to reason in this domain, though highlights from the other tasks do occasionally appear.
This post walks through security vulnerabilities in large language models (LLMs) and outlines best practices for designing or evaluating a secure application. It covers direct and indirect prompt injection, which may enable attackers to control the output of the LLM or LLM-enabled application; information leaks, which occur when private data used to train the LLM or used at runtime can be inferred or extracted by an attacker; and LLM reliability, which is a threat when LLMs occasionally produce incorrect information simply by chance.
User Account Control (UAC) in Windows is a security feature designed to prevent unauthorized changes made by malware or other threats by requesting administrative privileges. This article delves into the intricate design of UAC, aiming to reverse-engineer its workflow to comprehend how it defends against malicious actions. Additionally, we'll explore methods used by threat actors to circumvent UAC for privilege escalation.
Clickjacking: Not Just for the Clicks
11/15/2023 In this paper we show how to use draggable HTML elements to trick users into "typing" inputs in a clickjacking attack. This is a simple example of how to do it in a browser that allows the user to type directly into the hidden input fields in the iframed site.
Still Recent
From Akamai to F5 to NTLM... with love
10/25/2023 In this post, I am going to show the readers how I was able to abuse Akamai so I could abuse F5 to steal internal data including authorization and session tokens from their customers.
In this blog post we will detail a Server-Side Request Forgery (SSRF) vulnerability in OWA leveraging the CreateAttachmentFromUri function.
In this tutorial, you're going to learn how to reset/remove forgotten passwords on any Windows computer.
In this post, we discuss a process for tuning the analytic to reduce the false positive rate in your environment and to maximize the potential signal of its outputs. We focus on the following key questions, the answers to which ultimately dictate the need for tuning: Does the analytic correctly identify the target behavior and its variations? Does the analytic identify other behavior different from the intention?
Adversarial Attacks on LLMs
10/23/2023 In this post we will review 5 types of adversarial attacks against LLMs: token manipulation, gradient-based attacks, jailbreak prompting, human red-teaming and model red-teaming.
We present a comprehensive analysis of StripedFly, previously misclassified as a cryptocurrency miner. This malware is actually a modular framework that supports both Linux and Windows. It comes equipped with a built-in TOR network tunnel for communication with command servers, along with update and delivery functionality through trusted services such as GitLab, GitHub, and Bitbucket, all using custom encrypted archives.
This article will dive into Scudo, a generic memory allocator designed to be resilient against heap-based vulnerabilities while maintaining performance. It is the default allocator in Android since version 11.
Oldies but Goodies
Diving into Pre-Created Computer Accounts
05/09/2022 In this post, I will describe a new way to escalate on the host itself. It is based on some old legacy knowledge from Active Directory that allowed domain computers to request certificates based on a vulnerable certificate template, also known as ESC1. In this paper, I will show how this can be achieved by using a simple way to set up a pre-Windows 2000 computer checkmark on the domain. In particular, we will show that if the domain was created back in 2004, there would probably be some pre-created computer accounts with this checkmark enabled upon creation.
The "Unified Audit Log" (UAL) is your friend. In this post, we'll step through one approach to overcoming all three challenges with the Exchange Online Management PowerShell module and the security operations and forensics Elasticsearch, Logstash, Kibana (SOF-ELK). First things first, we need to acquire the data for a tenant to see what can and should be included in the UAL and to ascertain retention and properties.
We present a scenario where a service account with backup privileges to a Domain Controller (DC) was compromised and Azure SSO was enabled in the target tenant. In this scenario, we will show you the dangers of machine account SSO compromise extracting any user account hashes and gaining the ability to impersonate any account without MFA to achieve full cloud dominance.
Reverse Engineering a Cobalt Strike Dropper
07/20/2022 In this blog post, I will describe how I reverse engineered a Cobalt Strike dropper and obtained its payload.
Unearthed Arcana
This blog post will review how attackers and offensive security professionals can identify potential DLL sideloading opportunities using X-Force Red's proof-of-concept Frida tool Windows Feature Hunter (WFH).
Abusing Slack for Offensive Operations
11/02/2020 With more than 10 million daily active users, Slack is one of the most widely adopted chat platforms in the industry. Throughout our operations, we've seen a large variety of organizations use it for several business critical functions. In this post we will investigate different offensive actions that can be leveraged by exploiting Slack.
There is a way to let Exchange authenticate to attackers using NTLM over HTTP. This can be combined with an NTLM relay attack to escalate from any user with a mailbox to Domain Admin in probably 90% of the organisations I've seen that use Exchange. This blog details the attack, some of the more technical details and mitigations, as well as releasing a proof-of-concept tool for this attack which I've dubbed "PrivExchange".
This post is for noobs like me who are not able to get how exactly to exploit a misconfigured S3 Bucket. We will see how to find S3 buckets and how to take over misconfigured ones.
In-Memory-Only ELF Execution (Without tmpfs)
03/29/2018 In this article, we will demonstrate how to run a normal ELF binary on Linux without touching the filesystem (except /proc).
This article will be a follow on from my previous analysis on the possibility of a BlueKeep based worm. In this post we will see how to leverage the use-after-free (UAF) vulnerability to gain more extensive control over the code utilizing it.
Analysis of CVE-2019-0708 (BlueKeep)
05/29/2019 In this post, we will perform a first analysis of the BlueKeep vulnerability by reviewing some of the recent changes that have been made to the binaries modified by the patch (in this case there is only one: TermDD.sys).
In this blog, we will detail a vulnerability in runC that affects Docker containers running in default settings and can be used by an attacker to gain root-level access on the host.
The House of Rust is a heap exploitation technique that drops a shell against full PIE binaries that don't leak any addresses. It leverages a UAF to perform a number of well-known attacks that when combined result in the bypass of single list Safe-Linking without the need for leaks.