Software is either testable or detestable.
New Articles
This article details an out-of-bounds access to physical memory vulnerability in the io_uring subsystem of the Linux kernel. We will first provide an overview of the io_uring subsystem, examine the root cause of the vulnerability and provide an exploit PoC.
The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
11/13/2023
In this blog post, we investigate the possibility of identifying unknown malicious servers through the detection of typos in HTTP response headers and semantics. We have created numerous fingerprints based on textual slipups in responses of malicious servers, highlighting how fingerprinting these servers can be a matter of a simple mistake.
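The idea above (a misspelled header name as a server fingerprint) is easy to turn into a check. The script below is an added example written for this page, not code from the article: it parses an HTTP/1.x response head and flags header names that are close to, but not equal to, a known header name. The canonical header list, the edit-distance threshold and the sample response are assumptions chosen for the demonstration.

```python
"""Flag misspelled HTTP response header names.

Added example; not code from the original article. The canonical header
list, the edit-distance threshold and the sample response are assumptions.
"""
from typing import Dict, List, Tuple

# Lower-cased header names a well-behaved server emits. Assumption: a short
# list is enough to demonstrate the check; extend it from RFC 9110 / IANA.
CANONICAL_HEADERS = {
    "content-type", "content-length", "server", "date", "connection",
    "cache-control", "set-cookie", "location", "transfer-encoding",
    "content-encoding", "last-modified", "etag", "expires", "x-powered-by",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the classic two-row dynamic programme."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,          # deletion
                           cur[j - 1] + 1,       # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def parse_headers(raw: bytes) -> List[Tuple[str, str]]:
    """Split an HTTP/1.x response head into (name, value) pairs, order preserved."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_header_typos(raw: bytes, max_distance: int = 2) -> Dict[str, str]:
    """Return {observed_name: canonical_name} for header names that are near a
    known header but not equal to it. Exact matches and unrelated names are ignored."""
    typos = {}
    for name, _ in parse_headers(raw):
        lname = name.lower()
        if lname in CANONICAL_HEADERS:
            continue
        best = min(CANONICAL_HEADERS, key=lambda c: levenshtein(lname, c))
        if levenshtein(lname, best) <= max_distance:
            typos[name] = best
    return typos


# Constructed sample response with two deliberate slips ("Conent-Type", "Servr").
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Conent-Type: text/html\r\n"
    b"Servr: nginx\r\n"
    b"Content-Length: 0\r\n"
    b"X-Custom-Thing: 1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for seen, want in find_header_typos(SAMPLE_RESPONSE).items():
        print(f"{seen!r} looks like a misspelling of {want!r}")
```

A distance of 2 keeps the rule tight; vendor-specific `X-` headers that are genuinely new fall outside it and are ignored, while a one- or two-character slip in a standard name is reported with the header it most resembles.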
Hosting Encrypted Stager Shellcode
11/16/2023
This is an article on hosting encrypted stager shellcode. There are a lot of uses for this. Whether you're trying to implement a "fileless" implant or you've found writable access to a network share, you can be a little more stealthy with a staged payload.
Into the Trash: Analyzing LitterDrifter
11/16/2023
We present an extensive dumpster dive into Gamaredon's LitterDrifter malware, as well as its C2 infrastructure. The malware is written in VBS and has two main functionalities: automatic spreading over removable USB drives and communication with a broad, flexible set of command-and-control servers. It remains extremely flexible and volatile, while at the same time maintaining previously reported characteristics and patterns.
Okta for Red Teamers - Perimeter Edition
11/15/2023
In this article we review some of the key phishing activities and techniques that we have employed when targeting Okta for initial access.
In this blog post, we present code vulnerabilities we found in Visual Studio Code third-party extensions that have millions of users. We will first give some background on VSCode internals, then explain the vulnerable portions of the code, and finally show how these issues can be prevented.
This article details two powerful XSS vulnerabilities in Chrome that provide unlimited access to the 'fileManagerPrivate' API. As a result, the camera and microphone can be accessed without authorization, downloaded files can be read and written, and custom JS can be executed without any restriction.
HTTP is dead... Long live HTTP?!
11/12/2023
In this post, I will show the readers a severe HTTP request smuggling bug chain using a new gadget, as well as a few ways to exploit it. This smuggle chain also doesn't require the target to have a vulnerability on its own network to work, making it much more widespread.
Process Stomping is a technique that exploits DLLs with RWX sections to obtain a stealthier way to inject malicious code: because the section is already readable, writable and executable, there is no need to allocate new memory or call VirtualProtect. In this paper we show how the technique can also be applied to executables with RWX sections. Compared with Module Stomping, it has the advantage of writing a shellcode payload into a targeted section instead of writing a whole PE payload over the hosting process address space.
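Whether you are looking for a stomping candidate or hunting for modules that should never have shipped with such a section, the first step is the same: read the section table and find entries whose characteristics carry read, write and execute at once. The following is an added example written for this page, not the paper's code. It parses the PE header with the standard library only; the `build_sample_pe` helper constructs a minimal header-only image for an offline run, and the flag values are the documented IMAGE_SCN_* constants.

```python
"""List PE sections whose characteristics are readable, writable and executable.

Added example, not the paper's code. build_sample_pe() constructs a minimal
header-only image (no real code) so the parser can be exercised offline.
"""
import struct
from typing import List, Tuple

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE


def pe_sections(data: bytes) -> List[Tuple[str, int, int, int]]:
    """Return (name, virtual_address, virtual_size, characteristics) per section."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    # The section table follows the 20-byte COFF header and the optional header,
    # whose size differs between PE32 and PE32+, so read it rather than assume it.
    sect = coff + 20 + size_opt
    out = []
    for i in range(num_sections):
        off = sect + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", data, off + 8)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        out.append((name, vaddr, vsize, chars))
    return out


def rwx_sections(data: bytes) -> List[str]:
    """Names of sections that are simultaneously R, W and X (stomping candidates)."""
    return [n for n, _, _, c in pe_sections(data) if c & RWX == RWX]


def _section_header(name: bytes, vsize: int, vaddr: int, chars: int) -> bytes:
    # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
    # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
    # NumberOfLinenumbers, Characteristics
    return name.ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    224-byte zeroed optional header and three sections, one of them RWX."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    sections = [
        _section_header(b".text", 0x1000, 0x1000,
                        IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        _section_header(b".data", 0x1000, 0x2000,
                        IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
        _section_header(b".rwx", 0x1000, 0x3000, IMAGE_SCN_CNT_INITIALIZED_DATA | RWX),
    ]
    size_opt = 224  # PE32 optional header size
    # Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    return dos + b"PE\0\0" + coff + b"\0" * size_opt + b"".join(sections)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for name, vaddr, vsize, chars in pe_sections(data):
        flag = " <- RWX" if chars & RWX == RWX else ""
        print(f"{name:8s} VA=0x{vaddr:08x} size=0x{vsize:x} chars=0x{chars:08x}{flag}")
```

Run it against a real module with `python rwx_scan.py target.dll`; with no argument it scans the constructed sample and reports `.rwx` as the only candidate. On a defensive hunt, any section in a signed system module that shows up here deserves a second look, since it is exactly the footprint this technique relies on.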
OracleIV - A Dockerised DDoS Botnet
11/12/2023
Attackers are exploiting publicly-exposed instances of the Docker Engine API to deliver a malicious Docker container, built from an image named "oracleiv_latest" and containing Python malware compiled as an ELF executable. The malware itself acts as a Distributed Denial of Service (DDoS) bot agent, capable of conducting DoS attacks via a number of methods.
Diving Into the New Windows 11 PCA Artifact
11/14/2023
This blog post presents our current understanding of the format and behavior of a new forensic artifact that first appeared in the 2022 update of Windows 11 (22H2). It is based on testing and experimentation, and to some extent on reverse-engineering the PCA service binaries. We are sharing this information to provide DFIR practitioners with the documentation they need to parse this artifact and leverage it in investigations.
Persistence - Scheduled Task Tampering
11/19/2023
Scheduled tasks have been commonly abused as a method of persistence by threat actors and red teams. In this blog, we will review a new approach which relies on manipulation of registry keys to create or modify scheduled tasks. It doesn't generate the typical noise (Event ID 4698 & 106) and offers a stealthier way of establishing persistence.
An attacker who can get a malicious pipeline executing on a CI/CD runner can steal information from other jobs executing on the same runner, and subsequently gain access to production systems. This article discusses how to practically carry out this attack against a GitLab CI/CD environment.
Analysis of CVE-2023-46214 + PoC
11/17/2023
CVE-2023-46214 is a Remote Code Execution (RCE) vulnerability found in Splunk Enterprise. This blog post describes my methodology for uncovering the vulnerability based on the CVE description, as well as a full proof of concept exploit.
This blog introduces Caro-Kann, a novel way to bypass the memory scan that is triggered at process-injection time. It relies on injecting encrypted malicious shellcode into an RW memory page and a decryption shellcode into an RX memory page of the target process.
A "deep dive" in Cert Publishers Group
11/18/2023
The Cert Publishers group is associated with Active Directory Certificate Services (ADCS) in an Active Directory domain. In this post we will clarify its role and its permissions, and look at what the consequences could be if this group is abused by malicious actors.
In this post, we will detail a recent journey into the popular open-source framework OpenCMS and the diverse set of versions present across the Internet, with the same goal as ever: break things. This journey led to the discovery of two XXE and two XSS vulnerabilities in various versions.
A Touch of Pwn - Part I
11/20/2023
Our research on Windows biometric authentication revealed multiple vulnerabilities, allowing us to completely bypass Windows Hello authentication on our target laptops. In this post we'll summarize our vulnerability research process, going from very little knowledge about biometric authentication to ultimately achieving a full bypass of Windows Hello authentication on all three of our research targets.
I recently put together a tool to automate the identification of DNS names that are vulnerable to sub-domain takeover in an Azure pentest scenario. The tool, called AzDanglingDnsFinder, is a response to the growing need for automated security solutions in the cloud.
DarkGate Internals
11/18/2023
DarkGate, sold as Malware-as-a-Service (MaaS), is a loader with RAT capabilities which gained notoriety due to its capability to operate covertly and its agility in evading detection by antivirus systems. This technical report delves into an in-depth analysis of DarkGate, shedding light on its inner workings, evasion techniques, and potential impacts.
How to Use OAuth Scopes for Authorization
11/19/2023
Our goal in this blog is to explain the intended use of OAuth scopes, highlight the problems with their misuse for authorization, and suggest better alternatives.
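The misuse the article refers to is easiest to see side by side. The code below is an added example written for this page, not the article's own: a resource server endpoint that authorizes on scope alone, next to one that treats the scope as a coarse capability check and then enforces object-level ownership against the token's subject. The token shape (a dict with `sub` and a space-separated `scope` claim, as in RFC 6749 §3.3), the `invoices:read` scope name and the in-memory invoice store are assumptions made for the demonstration.

```python
"""Scope check versus a real authorization decision.

Added example, not the article's code. The token shape (a dict with 'sub' and
'scope' claims), the scope name and the in-memory invoice store are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Set


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    owner: str          # subject that owns the record
    amount_cents: int


# Constructed data: two customers, one invoice each.
INVOICES: Dict[str, Invoice] = {
    "inv-1": Invoice("inv-1", "alice", 1200),
    "inv-2": Invoice("inv-2", "bob", 9900),
}


class Forbidden(Exception):
    pass


def scopes(token: dict) -> Set[str]:
    """The OAuth 'scope' value is a space-separated string (RFC 6749 section 3.3)."""
    return set(token.get("scope", "").split())


def get_invoice_scope_only(token: dict, invoice_id: str) -> Invoice:
    """Weak: the scope says the *client* may read invoices; it says nothing about
    *which* invoices. Any bearer carrying invoices:read can read everyone's records."""
    if "invoices:read" not in scopes(token):
        raise Forbidden("missing scope")
    return INVOICES[invoice_id]


def get_invoice(token: dict, invoice_id: str) -> Invoice:
    """Corrected: the scope gates the capability; the resource server then checks
    that the record belongs to the token's subject (object-level authorization)."""
    if "invoices:read" not in scopes(token):
        raise Forbidden("missing scope")
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner != token["sub"]:
        # Same answer for "not yours" and "does not exist" so IDs are not enumerable.
        raise Forbidden("not found")
    return inv


def can_read(token: dict, invoice_id: str, checker=get_invoice) -> bool:
    """Convenience wrapper: True if the chosen checker grants access."""
    try:
        checker(token, invoice_id)
        return True
    except (Forbidden, KeyError):
        return False


# Constructed tokens; assume signature, expiry and audience were validated upstream.
ALICE_TOKEN = {"sub": "alice", "scope": "invoices:read openid"}
BOB_TOKEN = {"sub": "bob", "scope": "invoices:read"}
NO_SCOPE_TOKEN = {"sub": "alice", "scope": "openid"}

if __name__ == "__main__":
    print("scope-only lets alice read bob's invoice:",
          can_read(ALICE_TOKEN, "inv-2", get_invoice_scope_only))
    print("scope + ownership lets alice read bob's invoice:",
          can_read(ALICE_TOKEN, "inv-2"))
```

The scope is still useful: it limits what a client application was delegated to do. The authorization decision about a particular record, however, has to come from claims about the subject (here `sub`, in practice often a tenant or account identifier) compared against the resource, not from the presence of a scope string.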
In this post, we dive into two new vulnerabilities in the built-in integration of the JavaScript package manager, NPM. They can be exploited even when Visual Studio Code is configured to not trust the current folder, effectively circumventing the Workspace Trust security feature.
How to voltage fault injection
11/20/2023
During physical security assessments of IoT devices, one of the goals is to take advantage of debug interfaces to study how the devices work. It is common to encounter protections that restrict access to their full functionality. Glitching is one way to try to bypass this kind of protection. In this blog post, we will deep dive into voltage glitching with several case studies to understand how it works and how it can be helpful.
We present a case study of some of the most recent ransomware attacks targeting Linux and ESXi systems, which have been increasing over the last few years. We focus on the main motivations for developing ransomware that targets Linux and compare it with the ransomware developed for Windows systems.
In this blog we explore the inherent risks of mismanaged Kubernetes secrets, the inefficacy of common secrets scanners in detecting such vulnerabilities and the possible impact of this exposure in the wild. The potential for data breaches, loss of proprietary code, and supply chain attacks is a stark reminder of the need for stringent security practices.
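One concrete reason a text-pattern scanner can walk straight past a leaked Kubernetes Secret is that the `data` field of a Secret object is base64-encoded by specification, so a regex for a key format never sees the key. The script below is an added example for this page, not code from the post: it runs the same rule set over the raw manifest and over the decoded `data`/`stringData` values. The manifest is constructed (the parsed form of a `kubectl get secret -o json` document, using the AWS documentation's placeholder credentials), and the two detection rules are deliberately small assumptions standing in for a real scanner's rule set.

```python
"""Scan Kubernetes Secret manifests for leaked credentials after decoding.

Added example; not code from the original post. The manifest is constructed
and the detection rules are a tiny stand-in for a real scanner's rule set.
"""
import base64
import json
import re
from typing import Dict, List

# Constructed rules. The AKIA prefix plus 16 upper-case alphanumerics is the
# documented shape of an AWS access key id; the PEM header rule is generic.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private-key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


def scan_text(text: str) -> List[str]:
    """Naive scanner: apply each rule to the text as given."""
    return sorted(name for name, rx in RULES.items() if rx.search(text))


def decode_secret_data(manifest: dict) -> Dict[str, str]:
    """Secret.data values are base64-encoded; Secret.stringData values are plain."""
    out = {}
    for key, value in (manifest.get("data") or {}).items():
        out[key] = base64.b64decode(value).decode("utf-8", "replace")
    out.update(manifest.get("stringData") or {})
    return out


def scan_secret_manifest(manifest: dict) -> Dict[str, List[str]]:
    """Return {secret key: [matching rule names]} for every decoded value that hits."""
    hits: Dict[str, List[str]] = {}
    if manifest.get("kind") != "Secret":
        return hits
    for key, plain in decode_secret_data(manifest).items():
        found = scan_text(plain)
        if found:
            hits[key] = found
    return hits


# Constructed manifest, as `kubectl get secret ci-creds -o json` would render it.
# The credentials are the AWS documentation placeholders, not real keys.
SAMPLE_SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "metadata": {"name": "ci-creds", "namespace": "build"},
    "type": "Opaque",
    "data": {
        "AWS_ACCESS_KEY_ID": base64.b64encode(b"AKIAIOSFODNN7EXAMPLE").decode(),
        "AWS_SECRET_ACCESS_KEY": base64.b64encode(
            b"wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY").decode(),
    },
}

if __name__ == "__main__":
    raw = json.dumps(SAMPLE_SECRET)
    print("rules matching the raw manifest:", scan_text(raw))
    print("rules matching after decoding   :", scan_secret_manifest(SAMPLE_SECRET))
```

The raw manifest produces no match at all, while the decoded view flags `AWS_ACCESS_KEY_ID`. Any scanner pointed at Git history, Helm charts or cluster exports needs this decode step (and the same for `stringData`, which is already plain) before its rules mean anything for Secret objects.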
In this article, we will analyze the Windows variant of IPStorm, a malware written in Go, through both static and dynamic analysis. We will review its evasion, installation, reverse shell and persistence capabilities as well as the network connections it establishes.
We uncovered the active exploitation of the Apache ActiveMQ vulnerability CVE-2023-46604 to infect Linux systems with the Kinsing malware (also known as h2miner) and a cryptocurrency miner. When exploited, this vulnerability leads to remote code execution (RCE), which Kinsing uses to download and install the malware.
Still Recent
Mobile Malware Analysis Part 3 - Pegasus
10/31/2023
In this third chapter of our Mobile Malware Analysis saga, we're diving headfirst into the world of a Pegasus/Chrysaor variant that's about as unpredictable as a rollercoaster ride. Throughout this analysis, we will be uncovering sneaky obfuscation techniques, and embarking on a thrilling journey through a horde of malicious binaries.
Our research led us to develop the first cloud-based cryptocurrency miner utilizing Microsoft Azure's Automation Service. We discovered three unique methods to execute the miner. Two of the methods enabled us to execute the miner within our own environment utilizing the computational resources of Microsoft servers for free. The third method allowed us to execute the miner in a victim's environment - all while remaining completely undetected.
This blog will encompass all of the aspects of Android penetration testing, including static analysis and dynamic analysis, as well as the evaluation of an application's source code, binary files, and network traffic to unearth potential security flaws within it.
Heap - House Of Force
10/18/2023
In this post, I will share discoveries and insights on the "House of Force", a heap exploitation technique against the glibc ptmalloc allocator on Linux. We will go deep into the concept and details, as it is a fundamental technique in heap exploitation.
Unmasking AsyncRAT New Infection Chain
11/01/2023
This article is a technical analysis of Asynchronous Remote Access Trojan (AsyncRAT), a sophisticated piece of malware which employs a range of file types, including PowerShell, Windows Script File (WSF), VBScript (VBS), and more, in order to bypass antivirus detection measures.
I recently spent some time exploring the potential capabilities that an evil IoT device might have within an AWS IoT Core environment. This culminated in the thoughts I've transcribed in this blog post, as well as a command-line tool to help with enumeration and data harvesting during security assessments of products that interact with AWS IoT Core.
Breach Investigation
10/22/2023
An organisation has discovered that some of its sensitive data has appeared on an online text-sharing application. This article details the steps taken by the CSIRT to conduct the incident response and investigation and to mitigate the threat.
In this post, we will walk through an escalation that occurs when a certificate template can be modified by a non-administrator account. We will review the conditions necessary to leverage this vulnerability and demonstrate a successful exploitation.
Cisco IOS XE CVE-2023-20198 and CVE-2023-20273: WebUI Internals, Patch Diffs, and Theory Crafting
10/23/2023
In this post we discuss the recent Cisco IOS XE vulnerabilities CVE-2023-20198 and CVE-2023-20273. We share our technical insights so far into these vulnerabilities, focusing on Cisco IOS XE, which is based on Linux and quite different from IOS. After obtaining the filesystem for a patched and an unpatched version of IOS XE, we see that the vulnerable webui service is a combination of Nginx and the iosd binary.
Oldies but Goodies
Mobile Malware Analysis Part 1 - Leveraging Accessibility Features to Steal Crypto Wallet
08/15/2023
In this post, we will deep dive into the world of mobile malware, exploring its capabilities and shedding light on the potential risks it poses to the user's privacy and security. We will focus on malware that leverages accessibility features to carry out its malicious activities, with a particular emphasis on stealing wallet credentials.
Mobile Malware Analysis Part 2 - MasterFred
08/27/2023
This is the second installment of our Mobile Malware Analysis series. In this sequel, we dive into the enigmatic maneuvers of MasterFred, a notorious malware exploiting Android Accessibility services for its nefarious objectives. Beyond financial breaches, MasterFred infiltrates social networks and vital services. Hidden HTML overlays, crafty login pages, and a labyrinth of stratagems await within its digital arsenal.
Side Channel Analysis (SCA) attacks are commonly used for extracting the secret key of cryptographic engines found in modern devices. They exploit side channels, such as timing, power and electromagnetic (EM) leaks, to obtain information about the secret key used by the cryptographic algorithm. Even though these types of attacks were traditionally performed on smart cards, they are effective on embedded devices as well.