A good API is not just easy to use but also hard to misuse.
New Articles
We investigate a set of security vulnerabilities affecting all major device manufacturers on both x86 and ARM-based devices. In this post we discuss how we used fuzz-testing to discover this set of vulnerabilities and how we built a proof-of-concept to show the path to arbitrary code execution.
Making Okta do keylogging for you
12/05/2023 In this article we'll explore how Okta's AD synchronization allows you to force Okta to capture credentials and keylog for you so you can launch convincing phishing attacks. Then we'll demonstrate how it can be used as a stealthy watering-hole style lateral movement attack.
We explore the dark corridors of PlugX, a covert and insidious malware that has left a trail of digital intrigue, combining advanced features with a knack for eluding detection. In this post, we delve into this malware, exploring its side-loading technique and how it executes its malicious code on the compromised host.
We identified multiple vulnerabilities in the OpenStage and OpenScape VoIP phone series with an unhardened default configuration. The combination of insecure defaults and implementation weaknesses allows a remote compromise and the elevation of privileges for a network-local attacker on phones with an unhardened default configuration.
DanaBot's Latest Move: Deploying IcedID
12/06/2023 In this article, we analyze IcedID, a banking Trojan widely recognized for its various capabilities and delivered by DanaBot, another sophisticated banking Trojan.
We analyze Amadey and RftRAT which were recently found being distributed. Amadey and RftRAT were constantly used throughout 2023 alongside XRat. However, recent types showed that they were created with AutoIt. This post also covers Infostealers additionally installed by the Kimsuky group using remote control malware.
A Deep Dive into the KQL Union Operator
12/02/2023 The union operator in KQL is used to merge the results of two or more tables (or tabular expressions) into a single result set. A familiar instance of this operation is the search operator, which implicitly performs a union when querying across multiple tables.
Indicators of compromise (IOCs) play a pivotal role in cyber threat intelligence (CTI) and information security. In this blog, we will explore the concept of indicators in network defense and explore how indicators can form an important and economical defensive measure for small and medium-sized businesses (SMBs).
We can use the XDBURITYPE() function to perform error-based SQL injection exploitation in the case of an Oracle database. This function is useful for exploiting SQL injection in a select statement with a column name and 'where' and 'like' clauses.
Long story short, Persistence
12/02/2023 In this post I will talk to you about an attacker with a dwell time of over 981 days. This attacker is a cyber attacker who has free rein in an environment from the time they get in until they are eradicated.
SQL Brute Force Leads to BlueSky Ransomware
12/02/2023 In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. While other reports point to malware downloads as initial access, in this report the threat actors gained access via an MSSQL brute force attack.
Hunting Volt Typhoon TTPs
12/07/2023 In this blog, we provide several KQL queries to hunt for different activities of the Volt Typhoon threat actor. In particular, we look for initial access, credential access, lateral movement and C2 communication.
JMP slide: A NOP-sled alternative
12/10/2023 In this blog post, I will introduce two techniques similar to the NOP-sled or NOP slide, but with the advantage that they are faster. Those techniques are the JMP slide and the JCC slide.
We delve into the intricate world of Kubernetes security, starting with the fundamentals of the Kubernetes API Audit Log and its crucial role in identifying and mitigating potential threats.
Weaponizing DLL Hijacking via DLL Proxying
12/10/2023 When performing DLL Hijacking it is important not to break the application or environment of the victim. No matter how evasive your payloads are, if the client software is corrupted, it could easily lead to detection. In this blog we will focus on how to weaponize the DLL Hijacking attack so that it does not break the application runtime after the payload is executed.
Let Me Manage Your AppDomain
12/10/2023 In this blog post, I detail an extra cool way to backdoor and abuse .NET Framework applications and present DirtyCLR, a managed DLL on steroids that can execute a shellcode with a clean thread call stack and without directly calling any Windows API.
In this article we provide a detailed analysis of the Rhysida ransomware that was used to compromise Insomniac Games.
In this article we analyze a highly sophisticated APT relying on compromised open-source NPM packages.
This blog entry delves into the unraveling of the AsyncRAT infection chain across multiple incident response cases, shedding light on the misuse of aspnet_compiler.exe, a legitimate Microsoft process originally designed for precompiling ASP.NET web applications.
Studying old CVEs: Part 2 - CVE-2022-26134
12/09/2023 In this episode we will investigate CVE-2022-26134 in Atlassian Confluence, a preauth OGNL injection leading to remote code execution.
CVE-2023-22518 is a zero-day vulnerability found in Confluence Data Center, a self-managed solution known for providing organizations with best practices for collaboration. In this analysis, we delve into a detailed explanation of the root cause.
Hardening cellular basebands in Android
12/10/2023 This post covers how to use two high-value sanitizers which can prevent specific classes of vulnerabilities found within the cellular baseband. They are architecture agnostic and suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities.
During research on the Silverpeas Core application, we identified 8 new CVEs over the course of 2 weeks. The most severe of these is CVE-2023-47324, a Stored Cross-Site Scripting (XSS) vulnerability affecting the messaging application. This can be used for privilege escalation, providing an adversary with full administrative access.
Safari, Hold Still for NaN Minutes!
12/09/2023 This blog post details a vulnerability we called the NaN bug. It affects JavaScriptCore, the JavaScript engine of Safari, and leads to code execution within Safari's renderer.
Halting the Cronos Gravity Bridge
12/10/2023 We reported two separate bugs to the Cronos Gravity Bridge project on Immunefi. The first bug would allow an attacker to halt all cross-chain transfers from Ethereum to Cronos (one-way) and the second bug was able to disable the bridge entirely.
In this blog we showcase how we were able to chain different vulnerabilities in order to remotely execute code on the OPC UA clients, giving us full control over the system.
Having some fun with JavaScript hoisting
12/11/2023 This is a quick recap of some XSS challenges posted on Twitter during November/December of 2023, showing the usage and abuse of hoisting in JavaScript.
I found a vulnerability in GOG Galaxy, a software that I had pre-installed on my laptop, leading to privilege escalation. In this article, I will go through the analysis of the vulnerability, how I discovered it, and the exploitation and disclosure process.
We provide technical details about a small office/home office (SOHO) router botnet that forms a covert data transfer network for advanced threat actors. We are calling this the KV-botnet, based upon artifacts in the malware left by the authors.
The Art Of Linux Persistence
12/12/2023 In this paper, we review several persistence techniques that can be set up on compromised Linux systems.
Reptar
11/30/2023 We have a CPU mystery! We found a way to cause some processors to enter a glitch state where the normal rules don't apply, but what does that mean...? If you're interested in what can go wrong inside modern CPUs, read on!
Privesc to RCE in "enterprise-grade" OpenNMS
12/11/2023 In this article I will detail 2 XXE and 2 privilege escalation vulnerabilities found in OpenNMS.
We present a proof-of-concept malware GPT that forwards users' chat messages to a third-party server by rendering a hidden image with the data appended to it. It is called "Malicious ChatGPT Agents" (GPT).
Rhadamanthys is an information stealer with a diverse set of modules and an interesting multilayered design. In this article we do a deep dive into the functionality and cooperation between the modules. The first part of the article describes the loading chain that is used to retrieve the package with the stealer components. In the second part, we take a closer look at those components, their structure, abilities, and implementation.
We discovered an unusual behavior during routine endpoint operations, where a process named WindowsPackageManagerServer, through complex operations, eventually initiated the undetected Lumma Stealer. We promptly initiated an investigation and ultimately found the corresponding malicious installation package on the Microsoft App Store, presenting itself as the Russian version of the 7Zip software.
Still Recent
The Far-Reaching Consequences of LogoFAIL
11/27/2023 We investigated vulnerable image parsing components across the entire UEFI firmware ecosystem and found all major device manufacturers are impacted on both x86 and ARM-based devices.
Detecting malware command and control (C2) activity through DNS status codes involves monitoring DNS traffic for abnormal patterns and understanding the typical behavior associated with C2 communication.
We present a three-part series on how to prevent public network access to AWS resources by accident. This first post discusses resources exclusively in a VPC (EC2 instances, ELBs, RDS databases, etc.).
SyzGPT: When the fuzzer meets the LLM
11/25/2023 In this blog post I briefly evaluate the ability of an LLM to automatically understand a kernel subsystem's documentation to generate Syzlang descriptions, to guide the kernel fuzzer. The results show that for a subset of syscalls of KVM the manually-written rules outperform the kernel fuzzer.
In this article we provide a technical analysis of 2 NetSupport malware variants as well as the related IOCs.
Studying old CVEs: Part 1 - CVE-2021-2608
11/24/2023 In this series of blog posts, I will patch diff, analyze and craft exploits for old CVEs. In this first article we will focus on CVE-2021-2608, an OGNL injection vulnerability in Confluence Server and Data Center.
Oldies but Goodies
The ssh-keygen command can be used to load a shared library with the -D flag. This can be useful for privilege escalation, or to translate to arbitrary code execution from argument injection, file overwrites, etc.
Unearthed Arcana
In this first article of a series of three, we will give a tour of the different components of Samsung's TrustZone, explain how they work and how they interact with each other. We will also discuss the different tools developed to ease the reverse engineering and exploitation processes to get code execution in EL3, the highest privilege in the ARM architecture.
In this second blog post of our series on Samsung's TrustZone, we present the various tools that we have developed during our research to help us reverse engineer and exploit Trusted Applications as well as Secure Drivers on a Samsung device.
This third article of the Samsung TrustZone series details some vulnerabilities that were found and how they were exploited to obtain code execution in EL3.