The number one skill required for learning any complex system is patience.
New Articles
Google Drive File Stream exposes persistent records of USB device connections with volume GUIDs, a database with the complete Google Drive file and folder metadata for synced drives, logged-in user information, and more. In this article, we will focus on the deleted file records, and especially the permanent ones.
In this post, I will explain the Active Directory Access Control Lists, how they control rights/permissions, and how others inherit rights. This blog post serves as a reference point for other blogs exploring specific Active Directory attacks, like a DCSync Attack.
Evidence of Program Existence
01/21/2024 Another fantastic Windows intrusion analysis artifact: Shimcache! Although this artifact is heavily used in intrusion analysis cases, it is also one of the most misunderstood. Let's break this down and talk all things Shimcache!
Bootloader Unlocking a Google Pixel 6
01/26/2024 This is a step-by-step guide to bootloader unlocking for Android devices in general and specifically the Google Pixel 6.
This is a quick post to outline a few ways to extract and identify useful strings for creating quality Yara rules. This post focuses on Windows executable files, but can be adapted to other file types.
In this article, we will get into dependency confusion, a supply chain attack where an attacker is able to poison the build by forcing the build system to retrieve his malicious dependency somewhere on the internet instead of the legitimate internal dependency.
We introduce SOAPHound, a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
Microsoft Entra ID (formerly known as Azure AD) allows delegation of authentication to another identity provider through the legitimate federation feature. However, attackers with elevated privileges can abuse this feature, leading to persistence and privilege escalation.
Ransacking your password reset tokens
01/26/2024 In this article, we detail how the "Ransack" library in its default configuration poses a major security risk that can likely be exploited to extract sensitive information or fully compromise the application.
A Practical Guide to PrintNightmare in 2024
01/28/2024 Although PrintNightmare and its variants were theoretically all addressed by Microsoft, it is still affecting organizations to this date, mainly because of quite confusing group policies and settings. In this blog post, I want to shed light on those configuration issues, and hopefully provide clear guidance on how to remediate them.
This article presents a malware analysis of Rust payloads downloaded on Ivanti Connect Secure instances compromised through CVE-2024-21887 and CVE-2023-46805 allowing unauthenticated remote code execution.
secureCodeBox
01/29/2024 A comprehensive review of secureCodeBox, an open-source platform for continuous security utilizing popular testing tools. Presenting the architecture, configuration, example usage and potential use cases of the platform.
Phishing Microsoft Teams for initial access
01/23/2024 In this article, we will highlight a number of spoofing and phishing strategies that can be employed by external attackers to target an organization using Teams in the initial access phase of the kill chain.
This report details operations of threat actors exploiting a publicly exposed Remote Desktop Protocol (RDP) host, leading to data exfiltration and the deployment of Trigona ransomware.
CVE-2023-51467 is an authentication bypass in Ofbiz. Unfortunately, the initial mitigation efforts proved ineffective as they did not address the root cause, resulting in a new bypass with different CVE numbers and techniques. This analysis explores Ofbiz, focusing on the main root cause behind CVE-2023-49070, CVE-2020-9496, and CVE-2023-51467.
SAP Cloud Connector (SAP CC) is a critical part of any SAP company's infrastructure as it enables secure interoperability between SAP systems on the platform within the enterprise and in the cloud. In this article, we will discuss security issues and provide recommendations to mitigate the risks associated with using SAP CC on the Windows platform.
Burrowing a Hollow in a DLL to Hide
01/30/2024 In this post about common malware techniques, we are still talking about hollowing - but this time, instead of hollowing a newly created process, we will make a process load a new DLL and then overwrite part of that DLL with our malicious code.
Persistence - Disk Clean-up
01/29/2024 In this article, we explain how, from the perspective of Red Teaming, it is feasible to utilize the disk clean-up utility to establish persistence by executing arbitrary code when the utility is initiated.
This article aims to demystify how EDRs work while building a custom one that will implement a few techniques used by real EDRs.
While researching OPC UA, we discovered multiple flaws in the Secure Integration Server which, when chained, enabled us to achieve pre-auth remote code execution.
Moxa ioLogik E1212 Vulnerabilities
01/31/2024 We uncovered critical vulnerabilities in the Moxa ioLogik E1212 series that pose significant risks to the security of the system. These vulnerabilities encompass various attack vectors, including Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), cryptographic failures, and broken access control mechanisms.
Ransomware's PLAYing a Broken Game
01/30/2024 In this blog post, we will cover some of the anti-analysis techniques used by Play and look at the process the malware uses to encrypt network drives and how that can cause the malware to crash.
In this blog, we detail our investigation of the Kasseika ransomware and the indicators we found suggesting that the actors behind it have acquired access to the source code of the notorious BlackMatter ransomware.
In this article, I would like to discuss a rather unconventional but very interesting detection mechanism used in conjunction with EDR, based on a combination of process environment block (PEB) modification, the use of fake DLLs and guard pages, and the use of vectored exception handling.
We analyzed a vulnerable ASUS firmware to possibly write an n-day exploit. While we identified the vulnerable piece of code and successfully wrote an exploit to gain RCE, we also discovered that in real-world devices, the "Unauthenticated Remote" property of the reported vulnerability doesn't hold true.
This blog post is about how I used my cybersecurity knowledge to find XSS on the #1 chess site on the internet.
WebSockets - The Beginner's Guide
01/29/2024 This blog post summarizes what I learned about WebSockets in the hope that other people like me who used to avoid them will understand them better.
We are releasing a previously internal-only tool to improve Infrastructure as Code (IaC) analysis and enhance Visual Studio Code allowing real-time collaboration during manual code analysis activities. We're excited to announce that PoIEx is now available on Github.
We detail post-auth blind Python code injection vulnerabilities that exist when some Zyxel NAS versions improperly handle user-provided input. These vulnerabilities may allow an authenticated attacker to execute code on an affected device remotely.
We provide technical analysis and IoCs for UNC4990 tools. Despite relying on the age-old tactic of weaponizing USB drives, UNC4990 continues to evolve. The actor has moved from using seemingly benign encoded text files to hosting payloads on popular websites such as Ars Technica, GitHub, GitLab, and Vimeo.
Of late, there has been a spurt in ransomware attacks across the globe causing great concern for organizations and individuals alike. This blog gets into the nuances of how Python is used by threat actors to write ransomware.
We provide details about a new variant of the FritzFrog botnet, which abuses the 2021 Log4Shell vulnerability. We have included indicators of compromise (IOCs) and additional mitigation measures in this blog post to assist in the prevention of FritzFrog infection.
In this post I'll show you a few examples of how you can ping multiple computers. We will use the Test-Connection cmdlet for this task.
We detail malicious ads that have been targeting Chinese-speaking users with lures for popular messaging applications such as Telegram or LINE with the intent of dropping malware.
Still Recent
Deobfuscate PowerShell using subtract
01/10/2024 In this quick blog post, we'll explore the various combinations of CyberChef operations (e.g. Generic Code Beautify, Subsection, Fork, Subtract) to deobfuscate the second-stage PowerShell script used in the RedLine stealer infection chain.
How to bypass API auth using NoSQL Injection
01/16/2024 This short post is a basic introduction to NoSQL injections used to bypass API authentication.
Oldies but Goodies
The importance of securing the software supply chain is emphasized in this article, especially in the context of cloud-native development and the utilization of OCI artifacts on Kubernetes. It discusses various vulnerabilities and potential attacks that can occur throughout the supply chain, including dependency confusion, the insertion of malicious code, and the compromise of update servers.
Custom applications often have unknown functionality and require a generic payload. To address this challenge I have written JS-Tap, which provides a generic JavaScript payload. This payload does not require prior knowledge of the application, and does not require an authenticated user to run the payload.
Unearthed Arcana
The goal of this follow-up is to evaluate any subsequent security measures implemented by the vendors in this field since the release of the original publication, and to evaluate several systems that were not covered earlier. For the purpose of this document, we assume that the reader has read the original publication, and has an understanding of the methodology and terminology used.
This is an attempt to evaluate TCP/IP sequence number generators in several mainstream operating systems by mapping the dynamics of the generated sequence numbers into a three-dimensional phase space. We demonstrate how this approach can be used to find many non-trivial correlations, and discuss why the results can be directly used to perform actual ISN prediction.