Security Review #192

January 26, 2024

The first step of any project is to grossly underestimate its complexity and difficulty.

— Nicoll Hunt

New Articles

Exploring malicious Windows drivers (Part 1): Introduction to the kernel and drivers

This series is a high-level introduction and overview of drivers and the Windows kernel for those interested in malicious driver research. In this first part we'll expand on the I/O system and driver operations. Eventually, we'll get to topics like the security concepts surrounding drivers and how they can be used in a malicious context, and basic driver analysis and how to identify a malicious driver.

Tales from the cloud trenches: Amazon ECS is the new EC2 for crypto mining

In this post, we explore attacker techniques targeting AWS accounts, most of the time enabled by a leaked IAM user access key. In one case, the attacker enumerated the account, created additional IAM resources, attempted to move laterally, and tried to start EC2 instances in an unused region. In another case, the attacker created a large number of ECS resources and executed malicious containers for crypto mining purposes.

Google Chrome V8 CVE-2024-0517 Out-of-Bounds Write Code Execution

In this blog post we take a look at a vulnerability that we found in Google Chrome's V8 JavaScript engine. The vulnerability arises from how V8's Maglev compiler attempts to compile a class that has a parent class. In such a case the compiler has to look up all the parent classes and their constructors, and while doing so it introduces the vulnerability.

Stealing your email with a .txt file

In this article, we detail the exploitation of the CVE-2023-47272 vulnerability in Roundcube. The vulnerability is leveraged to perform an XSS attack, exfiltrating the mailbox and address books.

Detecting iOS malware via Shutdown.log file

While working on a few Pegasus malware infections on several iPhone devices, we discovered that the infections left traces in an unexpected system log, Shutdown.log. We thought we would dissect and understand this log file in more detail, as it could be used as another method to detect mobile malware.

Containerised Clicks: Malicious use of 9hits on vulnerable docker hosts

In this article, we detail a novel campaign targeting vulnerable Docker services. The campaign deploys 2 containers to the vulnerable instance - a regular XMRig miner, as well as the 9hits viewer application. This is the first documented case of malware deploying the 9hits application as a payload.

Misbehaving binaries: How to detect LOLbins abuse in the wild

Ever found yourself looking at a normal program that isn't behaving quite the way it should be? Do you have trouble pinpointing baselines and maintaining effective detections on default Microsoft binaries? These LOLBins are no laughing matter. In this breakdown, we talk about abnormal activity leveraging this commonly seen tactic.

Hunting AsyncRAT & QuasarRAT

In this post, we provide technical information regarding AsyncRAT and QuasarRAT, such as C2, mutexes, persistence techniques and user agents.

Domain Escalation - Backup Operator

If a user that holds the SeBackupPrivilege privilege is compromised during red team operations, this can provide a direct route to compromising the domain.

Deep Links & WebViews Exploitations Part I

This post is the first of a two-part series covering Deep Links & WebViews Exploitations. It focuses on WebViews. It analyzes the implementation and security risks of WebViews in Android apps, including JavaScript execution vulnerabilities and the exposure of Java objects.

EC2 Privilege Escalation Through User Data

In this post, we review the techniques to escalate privileges to root/System once you've gained a foothold on an EC2 instance.

It's 2024 and Over 178,000 SonicWall Firewalls are Publicly Exploitable

In this article we detail the root cause of CVE-2022-22274 and CVE-2023-0656, 2 unauthenticated denial-of-service vulnerabilities affecting SonicWall next-generation firewall (NGFW) series 6 and 7 devices. We also provide a PoC and a safe vulnerability check.

Kubernetes security: Safeguarding your container kingdom

In this blog post, we'll outline a Kubernetes security model and analyze the threat landscape to provide security analysts with a better understanding of their organization's Kubernetes environment, enabling them to enhance its security.

Identify Slack Workspace Names from Webhook URLs

In this blog, I introduce whoamislack, a tool to enumerate Slack Workspace Names from Slack Webhook URLs. This tool works even if the keys are no longer active.

Atlassian Confluence - Remote Code Execution (CVE-2023-22527)

This post provides technical details about CVE-2023-22527, a critical vulnerability within Atlassian's Confluence Server and Data Center. This vulnerability has the potential to permit unauthenticated attackers to inject OGNL expressions into the Confluence instance, thereby enabling the execution of arbitrary code and system commands.

GitHub Actions Worm

GitHub's CI/CD platform, GitHub Actions, has recently become a target for a sophisticated attack vector, posing threats to both open-source projects and internal repositories. In this article, we will explore the technical intricacies of this threat and provide step-by-step mitigation strategies with commands and code snippets.

Web3's Achilles' Heel: A Supply Chain Attack on Astar Network

In this article we will be focusing on a specific type of poisoned pipeline execution attack that I like to refer to as "Self-Hosted Runner Takeover". It manifests when a public repository has an attached non-ephemeral self-hosted runner without requiring approval for workflows on the pull_request trigger.

Do not trust this Group Policy!

This post is about possible abuse of a group policy configuration for Local Privilege Escalation, very similar to the one with CVE-2022-37955 that Microsoft fixed.

Inside The SYSTEMBC Malware Server

In this post, we provide a technical analysis of SYSTEMBC, a malicious tool whose core functionality revolves around its ability to act as a SOCKS5 proxy. We will review the server installation and configuration, the SOCKS5 implementation, the loader and the shellcode execution functionality of the malware.

Azure Logs: Breaking Through the Cloud Cover

We aim to level the playing field, offering deeper and more practical insights into Azure Monitor Activity Logs. In this blog, you'll find an invaluable reference tool and guide designed to demystify Azure's logging complexities.

Windows - Data Protection API

The Windows Data Protection API, typically referred to as DPAPI, is the built-in Windows way to encrypt and decrypt data. In this post we will explore how DPAPI works, and how it can be abused in several different scenarios, such as decrypting secrets, obtaining a victim's browser cookies and taking over their sessions, etc.

Cactus Ransomware malware analysis

In this post, we provide a technical analysis of the Cactus ransomware, focusing on static analysis protection, persistence and encryption. Additionally, we provide a YARA rule for detection.

Zyxel VPN Series Pre-auth Remote Command Execution

We provide technical details of an attack chain of three vulnerabilities that allows unauthenticated attackers to execute arbitrary commands with root privileges on Zyxel VPN firewalls.

Bypassing browser tracking protection for CORS misconfiguration abuse

In this deep dive, we will explore how CORS works across different web browsers and how certain misconfigurations can be exploited despite the built-in anti-tracking mechanisms. Since such tracking protection behavior is necessary for the functionality of certain web apps, we can expect that this method will continue to work in the future.

Shipping your Private Key - CVE-2023-43870, Paxton do a Lenovo

In this article, we detail a vulnerability in Paxton Access Net2 software that exposes the private key used to sign a certificate trusted by the server. This makes it possible to set up a man-in-the-middle attack.

CVE-2023-43786 & CVE-2023-43787 Vulns in libX11: All You Need To Know

We discovered two security vulnerabilities in X.Org libX11: CVE-2023-43786 and CVE-2023-43787. In this second post, we will provide an analysis of CVE-2023-43787 (RCE vulnerability) including a walkthrough and PoC demonstration.

A Christmas tale: pwning GTB Central Console (CVE-2024-22107 & CVE-2024-22108)

This article is about the paradox of how adding security solutions to your infrastructure increases the attack surface. We will detail step-by-step the process we followed to find a SQL injection and a command injection in GTB Central Console, a DLP solution.

A Look into PlugX Kernel driver

In this blog I will talk about the signed kernel driver used in a recent PlugX attack, which acts as a user-mode loader that decrypts a 32-bit user-mode PE file and injects it into Svchost.exe, running as a child process of services.exe.

ADCS Attack Paths in BloodHound - Part 1

This blog post details the ESC1 domain escalation requirements and explains how BloodHound incorporates the relevant components. We will demonstrate how to effectively use BloodHound to identify attack paths that involve ESC1 abuse.

Hiding payloads in Java source code strings

In this post we'll show you how Java handles Unicode escapes in source code strings in a way you might find surprising, and how they can be abused to conceal payloads.

Kubernetes Scheduling And Secure Design

In this post, we discuss a security-oriented scheduling strategy that can help to reduce the overall risk of workload compromise within a comprehensive security design. If critical workloads are separated at the scheduling decision, the blast radius of a compromised pod is reduced. By doing so, lateral movement over a shared node, from low-risk tasks to business-critical workloads, is prevented.

CVE-2023-5480: Chrome new XSS Vector

This article is dedicated to a vulnerability in the Google Chrome browser, and it also recounts the story of its origin. We will begin by describing a series of modern technologies used in web development, which is necessary for a complete understanding of the context surrounding the identified vulnerability. We then detail the vulnerability and provide a PoC.

Triton Inference Server - Arbitrary File Overwrite

We provide details of an arbitrary file overwrite vulnerability in Triton Inference Server via the REST API. It can lead to model alteration and be extended to RCE.

We build X.509 chains so you don't have to

We present cryptography-x509-verification, a brand-new, pure-Rust implementation of the X.509 path validation algorithm that TLS and other encryption and authentication protocols are built on.

Still Recent

Understanding Internals of SmokeLoader

In this blog we will reverse engineer SmokeLoader using Ghidra and go deep into the 3 stages of the loader: memory allocation, injection, and payload download.

Exploring FBot - Python-Based Malware Targeting Cloud and Payment Services

In this blog post, we provide a technical overview and IoCs for FBot, a Python-based hacking tool distinct from other cloud malware families, targeting web servers, cloud services, and SaaS platforms like AWS, Office365, PayPal, Sendgrid, and Twilio.

Deep dive into AWS CloudShell

In this blog post I will document the inner workings of AWS CloudShell and explain how to escape the container onto the parent EC2 instance.

Intelligence Failure in Threat Detection

Analysis and operation both necessitate prioritization, but this introduces the risks of surprise and inadequate response. We can compensate for these risks through self-reflection, by asking ourselves hard questions about any given unlikely yet disastrous eventuality: "Would we know if it was about to happen?"

Hunting for SSRF Bugs in PDF Generators

The following website features are typical signs of potential SSRF bugs: print a certificate of completion, generate a report, submit a digital signature. In this article, we will go through the nuts and bolts of how to find and exploit such SSRF bugs lying in PDF generators.

Oldies but Goodies

Demystifying LLMs and Threats

This article is a complete review of the concepts and technologies behind LLMs. Additionally, we detail the most common attack techniques such as prompt injection, data poisoning and data leakage, and the current technical solutions to address those risks.

Bypassing a noexec by elf roping

In this post, I will show you how I bypassed a noexec permission in a limited chrooted env.