The strength of JavaScript is that you can do anything. The weakness is that you will.
New Articles
In this blog post, we show how Bitwarden's Windows Hello implementation allowed us to remotely steal all credentials from the vault without knowing the password or requiring biometric authentication.
Lessons from Securing FreeRDP
12/31/2023 In this blog post we will present the technical details of the attempt to provide a complete fix to the root cause of the software vulnerabilities found in FreeRDP, and the timeline of this process.
Unmasking RedLine Stealer
12/30/2023 After extensive research on the 'RedLine' malware, I discovered that many threat actors were using it to sell stolen information on the Dark Web and Telegram. I decided to delve deeper into the topic by analyzing a sample of the malware and conducting a high-level malware analysis.
In this blog post, we provide an overview of the available data sources for M365 monitoring. We then introduce six common techniques typically used during initial access against M365 tenants, explaining how to simulate and detect them.
Panic!! At the YAML
12/31/2023 This paper presents a brief overview of the SnakeYAML deserialization vulnerability (CVE-2022-1471): how it works, why it works, and its consequences.
In this post we demonstrate the usage of the ELFEN sandbox by analyzing a variant of the INC ransomware, which has typical ransomware capabilities - terminate ESXi VMs, intermittent encryption leveraging asymmetric/symmetric cryptography, etc.
In this blog post, we delve into the dynamic realm of Kubernetes threat detection by exploring how open-source Falco can seamlessly detect Atomic Red Team tests in real time within Kubernetes environments.
Detecting Stealthy ConfuserEx with Yara
01/03/2024 In this post, we explain how to analyze ConfuserEx, one of the most frequently observed .NET obfuscators in malware, and write a Yara rule to detect obfuscated binaries that don't have the prominent watermark.
Amazon Cognito (aka AWS Cognito) provides identity and access management (IAM) for AWS web applications. In this blog, we will detail how improperly configured Cognito web portals can allow attackers to go off the rails and gain direct access to your AWS control plane.
We found an innovative approach that leverages executables commonly found in the trusted WinSxS folder and exploits them via the classic DLL Search Order Hijacking technique.
MobilePhish
01/07/2024 Phishing mobile devices might be an effective way to get access to Azure and O365. In this article, we demonstrate how to phish with an improved "user experience", combining emails, QR codes, DeviceCode phishing and Azure CDN fronting.
We found a relative heap out-of-bounds write vulnerability in Counter-Strike 2 which is triggerable remotely. We share today the details of this bug and our research about the attack surface and generic exploitation primitives.
.NET Hooking - Harmonizing Managed Territory
01/07/2024 In this article, we introduce the concept of .NET managed hooking using the Harmony library, its internals, and common examples of implementation using different types of Harmony patches. We show how useful Harmony hooking can be in a practical exercise of defeating the notorious obfuscator "ConfuserEx2".
Threat Hunting - Suspicious Windows Service
01/06/2024 Malicious actors commonly exploit service creation and modification to execute harmful payloads. The service name and path are important attributes to monitor in your SIEM or for DFIR purposes. This is why I have put together a list of services that you should monitor in your environment, accompanied by strategic hunting searches.
Bypass Cognito Account Enumeration Controls
01/06/2024 By default, Cognito enables a configuration called "Prevent user existence errors", which is designed to prevent adversaries from enumerating accounts. In this article, we explain how it can be bypassed via cognito-idp:SignUp calls for usernames.
Persistence - Event Log
01/07/2024 It is possible to create Windows event log entries with binary content. In this article we will see how this can be leveraged to obtain persistence on a compromised system.
In this series we will perform a full analysis of an iOS and Android infostealer. In this first article we conduct our investigation starting from the initial link of the chain - the phishing websites.
ImperfectProjector
01/06/2024 In this article we perform a full analysis of a connected projector: basic reconnaissance, ARP spoofing, firmware download and analysis, and hardware investigation. Eventually we find an easy command injection, as well as a few stack-based buffer overflows.
A side-channel attack exploits unintentional information leakage from a system to uncover secret values, typically encryption keys. This article is about breaking the firmware encryption feature of the ESP32 SoC, an MCU with Wi-Fi and Bluetooth connectivity, using a side-channel attack.
The Mac Malware of 2023
12/31/2023 After reading this blog post you will have a thorough and comprehensive understanding of the latest threats targeting macOS. More specifically, for each malicious specimen covered in this post, we'll discuss the infection vector, persistence mechanism, features and goal.
In this chapter, I will analyze the iOS info stealer app, which was delivered through the phishing website discussed in the preceding article. We will go through both static and dynamic analysis.
In this blog post, we will show the processes used to create a malicious Azure Container Registry (ACR) task that can be used to export tokens for any Managed Identities that are attached to an ACR. We will also show a new tool within MicroBurst that can automate this whole process for you.
The SOCKS We Have at Home
01/04/2024 In this post, we detail how to set up a pivot mechanism based solely on the Windows OpenSSH server.
SafeHandle vs IntPtr
01/05/2024 A lot of offensive tools that target Windows use interop quite heavily to call Windows APIs for tasks such as opening handles to processes and tokens. The default position most developers take is to use the IntPtr type in place of the native HANDLE type. The aim of this post is to show why this is not the best idea and to provide a safe alternative.
A two-part series on the history of decompiler research and the fight against the unsolved control flow structuring problem. In this first part, we revisit the history of foundational decompilers and techniques, concluding on a look at modern works.
In this second post, we deep-dive into the fundamentals of modern control flow structuring techniques, and their limitations, and look to the future.
Detecting AiTM attacks in Azure
01/09/2024 In this article, we provide a solution to prevent Adversary-in-the-Middle (aka MitM) attacks by using a canary URL, which is triggered behind the scenes and allows us to check the originating website the user is trying to authenticate to.
Unauthenticated RCE in Adobe ColdFusion
01/08/2024 CVE-2023-263060 was exploited in the wild, allowing attackers to achieve unauthenticated remote code execution (RCE) without user interaction through untrusted JSON data. In this article, we delve into a deep analysis of the root cause, the techniques and the exploitation.
The combination of Impacket usage and SSPI capabilities can allow attackers to fly under the radar of endpoint security mechanisms as well as custom network detection rules more easily. In this article, we show how it can be implemented into known Python tooling.
Analyzing DPRK's SpectralBlur
01/03/2024 The first malware of 2024 is (already) here! In this article we provide triage guidelines and a technical analysis of SpectralBlur, a DPRK macOS backdoor.
We exploited a critical CI/CD vulnerability in PyTorch, one of the world's leading ML platforms and a major target for hackers and nation-states alike. Thankfully, we exploited this vulnerability before the bad guys. Here is how we did it.
Weaponizing Apache OFBiz CVE-2023-51467
01/10/2024 CVE-2023-51467 is an authentication bypass affecting Apache OFBiz. However, it can be used to execute arbitrary code. And even better, it can be used to execute a payload from memory. In this blog, we'll demonstrate how we weaponized Apache OFBiz CVE-2023-51467.
In this blog, we detail new vulnerabilities discovered in the Bosch Rexroth NXA015S-36V-B, a popular smart nutrunner (pneumatic torque wrench) used in automotive production lines. We demonstrate that these vulnerabilities could make it possible to implant ransomware on the device.
In this article, I will introduce Weggli, a fast semantic search tool for C and C++ codebases, designed to help security researchers identify interesting functionality in large codebases.
Still Recent
In this article I detail two bugs found in the ChromeOS file API, which make it possible for Chrome extensions to escape the sandbox and execute JavaScript under the domain of the real File Manager.
Full Chain Baseband Exploits - Part 1
12/04/2023 In this series, we provide details of the baseband and baseband-to-AP pivot vulnerabilities, exploitable for remote code execution and chained together. This first post details 11 of the 17 vulnerabilities.
Full Chain Baseband Exploits - Part 2
12/05/2023 We report on the exploitability of CVE-2022-21744, a heap buffer overflow in Mediatek baseband. This vulnerability has an important limitation: the overwriting value is a pointer to an allocation with content controlled by the attacker. In this article, we describe our findings from researching this vulnerability.
Full Chain Baseband Exploits, Part 3
12/05/2023 We present a method for exploiting the baseband pivot vulnerability CVE-2022-21765 for arbitrary code execution in the Linux kernel on Mediatek's older ("Helio") chipsets, which use 32-bit kernels.
BPF Memory Forensics with Volatility 3
12/20/2023 We present seven plugins that facilitate an in-depth analysis of the state of the BPF subsystem using the Volatility 3 memory forensics framework.
The Lumma Infostealer cookie restoration method is a powerful tool to restore expired Google cookies using a key from restore files. In this post, we investigate this new capability and provide the details of our findings.
We explore new error-based SQL injection payloads that rely on the box() function and can be adapted to a dozen other unexpected ones.
In this article we provide an overview and some technical details of the most sophisticated attack chain we have ever seen: a 0-click iMessage attack designed to work on iOS, leading to root privilege access and using four zero-days.
In this article we provide a comprehensive list of Volatility commands useful in the context of malware analysis.
We wanted to show a straightforward process attackers may use to exploit vulnerabilities in an Android device's system services and systems. This blog post covers a simple (but surprisingly efficient) fuzzing algorithm and basic analysis of the vulnerabilities we found in three different Android-based mobile devices.
The purpose of this book is to help every compiler developer that needs to learn about software security relevant to compilers. It aims to achieve that by providing a description of all relevant high-level aspects of attacks, vulnerabilities, mitigations and hardening techniques.
Fuzzy hashing creates a hash value that attempts to capture the level of similarity between two things at the binary level. In this blog, we will cover how phishing kits or Phishing-as-a-Service (PhaaS) websites can be detected by analyzing such hashes of website contents.
In this post I'll show you at a high level how attackers carry out an Adversary in The Middle (AiTM) attack. The main focus here is to understand what artefacts we look for when investigating these types of attacks in a DFIR capacity. I'll also cover the steps you can take to increase your security to try and stop your team falling foul of them.
This is part two in our series on building honeypots with Falco, vcluster, and other assorted open source tools. We'll be adding functionality to our honeypot so we can react to what is happening inside it. Some of these additional pieces will also lay down the infrastructure for adding further functionality down the road.
In this post we will discuss reconnaissance, initial access and privilege escalation methodologies for pentesting in an LDAP environment.
Frinet: reverse-engineering made easier
12/17/2023 By combining Frida with an enhanced version of Tenet, Frinet facilitates the study of large programs, vulnerability research and root-cause analysis on iOS, Android, Linux, Windows, and most architectures.
In this article, we will explore techniques used to convert phishing URLs into QR codes and how they evade spam blocking solutions. Additionally, we will investigate the effectiveness of threat intelligence in detecting QR code phishing.
Oldies but Goodies
JavaScript Analysis for Pentesters
05/16/2023 This blog post shows you how to analyze client-side JavaScript. It covers the basics of static and dynamic analysis, introduces obfuscation and deobfuscation, and explains how to bypass code protection mechanisms while giving practical examples and suggesting the proper tools for particular tasks.
We're going to build a small example here of a honeypot using vcluster and Falco. In this first episode, we explain how to build a simple SSH honeypot using vcluster and Falco for runtime intrusion detection.
We investigate a situation where an SMB client could not connect to an SMB server and eventually end up with a valid hardening mechanism to prevent SMB relay attacks.
Understanding the Heap - a beautiful mess
12/31/2022 The word heap refers to the dynamically allocated segment in the virtual memory space of a process, but it actually stands for the implementation of the memory pool behind it, which is quite complex and may vary between machines, thus giving us a chance to exploit it. Here I am going to explain the important concepts of the heap and use ptmalloc in the glibc 2.31 library as an example.