Security Review #194

February 09, 2024

The computer was born to solve problems that did not exist before.

— Bill Gates

New Articles

Masked Application Attack Incident Report

This is the report of an incident that started with the download of a malicious executable, spread to the domain controller, and ended with a C2 session being established.

Malware Configuration Parsers: An Essential Hunting Tool

In this article, you will learn why malware configuration parsing is vital for defenders, the different parsing options available, and the challenges you will face. You will also see a practical example of how to parse PowerShell malware.

HeadCrab 2.0: Evolving Threat in Redis Malware Landscape

This blog post delves into the intricate details of HeadCrab 2.0, revealing its advanced mechanisms, our ongoing efforts to combat this sophisticated threat, and shows that one year later the campaign has almost doubled the number of infected Redis servers.

Understanding Indicators of Compromise | Arctic Wolf

The value of IOCs is immense, but realising that value starts with understanding which IOCs exist and the role they play in both the cybercrime and cybersecurity landscape.

The Nine Lives of Commando Cat: Analysing a Novel Malware Campaign Targeting Docker

In this article, we detail payloads that are responsible for registering persistence, enabling a backdoor, exfiltrating various Cloud Service Provider credential files and executing the miner itself. Of particular interest are a number of evasion techniques exhibited by the malware, including an unusual process hiding mechanism.

Shortcut To Malice: URL Files

In this post, we'll explore URL files, and the resurgence they've had in the threat space as various vulnerabilities and exposures have led to adversaries finding utility in this simple file type.

Pivot via OAuth applications across tenants and how to protect/detect with Microsoft technology? (Midnight blizzard)

Threat actors have recently been abusing OAuth applications in Microsoft tenants for malicious activity. Using compromised user accounts, they create or modify OAuth applications, grant them permissions, and pivot across test and production tenants. This blog includes some basic hardening tips for app registrations and OAuth applications, plus sources for protecting against and detecting similar attacks.

Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation

In this blog post, we detail additional tactics, techniques, and procedures (TTPs) employed during post-exploitation activity following compromise through CVE-2023-46805 and CVE-2024-21887, affecting Ivanti Connect Secure VPN and Ivanti Policy Secure appliances and leading to arbitrary command execution.

[s|l]trace - Linux Malware Analysis

In this post, we will analyze the BPFDoor backdoor only with the Linux utility strace, trying to get as much information as possible about the malware by tracing the executed syscalls from the binary.

Dumping NTHashes from Microsoft Entra ID

We discovered that stored NTHashes could be recovered via the Microsoft Graph API and decrypted using a certificate stored on Azure AD Domain Services (Azure AD DS) domain controllers.

Havoc C2 with AV/EDR Bypass Methods in 2024 (Part 1)

In this series, we detail techniques to customize our Havoc exploit chain to bypass AV/EDR/IDS. In the first part we will review how to encrypt stage 1 and 2 payloads, add custom headers, user-agents, certs, URIs, jitter, and ROP chains, and make our custom DLL (loader) execute via DLL proxy hijacking and side-loading.

Havoc C2 with AV/EDR Bypass Methods in 2024 (Part 2)

In this second part, we use a redirector server to hide the true location of our Team Server, then place the executable and DLL in an ordinary program folder and start them on user login to achieve persistence.

OAS Engine Deep Dive: Abusing low-impact vulnerabilities to escalate privileges

By combining several low-severity vulnerabilities, it is possible to gain access to the underlying system as the user running the OAS Engine. In this scenario, an adversary could obtain a valid authentication structure, search the filesystem for evidence of an SSH server, store an SSH key in the running OAS configuration, and write the running configuration to disk.

CVE-2024-21633 - MobSF Remote code execution

We detail a significant vulnerability in Apktool, the popular APK decompiler bundled with MobSF. The flaw lets an attacker control the destination path when a file with attacker-controlled content is written on the server, leading to arbitrary file write.

LLM01 - Prompt Injections Vulnerabilities in Large Language Models

My objective has been to deepen my understanding of Prompt Injection vulnerabilities, focusing on their exploitability and impact in real-world scenarios. After extensive research and analysis, I've decided to share some of my Jupyter notebooks and insights in the form of this blog post.

ModSecurity: Path Confusion and really easy bypass on v2 and v3

ModSecurity v2 and v3 share a similar bug that results in a very simple WAF bypass. The core issue is ModSecurity's implicit URL decoding before certain variables are set, which is not only unwanted behaviour but also entirely undocumented. It exposes both v2 and v3 users to easy bypasses of the WAF engine and/or WAF rules.

Persistence - Windows Setup Script

Using the ErrorHandler.cmd script it is possible to execute arbitrary code when the Windows operating system is upgraded. Although an unconventional tactic, it can be combined with, for example, a scheduled task that launches Windows Setup in order to establish persistence.

ChatGPT Account Takeover - Wildcard Web Cache Deception

In this writeup, I will explain how I was able to abuse a path traversal URL parser confusion to achieve what I like to call a "wildcard" cache deception vulnerability, in order to steal user's auth tokens and take over their accounts.

Hacking a Smart Home Device

One product I own stubbornly doesn't connect to anything other than its own mobile app. I want to control this expensive air purifier through Home Assistant, just like the rest of my smart gadgets. And that marks the start of this challenging yet undoubtedly fun journey.

Exploring AMD Platform Secure Boot

The purpose of PSB is to provide a hardware root-of-trust that will verify the integrity of the initial UEFI firmware phases, thereby preventing persistent firmware implants. In this part of the blog series, we will dig deeper into the nitty gritty details of PSB, including a first glimpse of how it works under the hood, how it should be configured and, naturally, how various major vendors fail to do so.

Conditional Love for AWS Metadata Enumeration

We detail an enumeration technique for AWS metadata that uses wildcards in StringLike policy conditions to cut the number of attempts needed to recover a value that a policy is supposed to keep hidden.
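To make the mechanism concrete, here is an added example (not code from the linked article): a simulation of how an allow/deny decision gated by a StringLike condition becomes an oracle. The condition key and the service being evaluated are not named on this page, so the oracle below is a hypothetical stand-in; the StringLike matching rules and the fact that multiple values for one condition key are OR-ed are the documented AWS semantics. The digit-by-digit binary search is the general form of the "fewer attempts" idea.

```javascript
// Added example, not from the original article. Simulates leaking a hidden
// 12-digit identifier through a StringLike condition that only answers
// allowed/denied.

// AWS StringLike semantics: '*' matches any run of characters (including none),
// '?' matches exactly one character, everything else is literal and case-sensitive.
function stringLike(pattern, value) {
  const body = pattern.split('').map(c => {
    if (c === '*') return '.*';
    if (c === '?') return '.';
    return /[.+^${}()|[\]\\]/.test(c) ? '\\' + c : c; // escape regex metachars
  }).join('');
  return new RegExp('^' + body + '$').test(value);
}

// A condition key with several values is evaluated with logical OR.
function conditionMatches(patterns, value) {
  return patterns.some(p => stringLike(p, value));
}

// Hypothetical policy-evaluating service: `hiddenId` stands in for the value
// the condition key resolves to; the caller only sees true (allowed) or
// false (denied). The attempt counter is what the technique optimises.
function makeOracle(hiddenId) {
  let calls = 0;
  return {
    query: patterns => { calls += 1; return conditionMatches(patterns, hiddenId); },
    attempts: () => calls,
  };
}

// Naive approach: one prefix pattern per request, up to 9 requests per digit
// (the tenth digit is inferred when all others are denied).
function enumerateIdLinear(oracle, length = 12) {
  let prefix = '';
  for (let pos = 0; pos < length; pos++) {
    let found = 9;
    for (let d = 0; d <= 8; d++) {
      if (oracle.query([`${prefix}${d}*`])) { found = d; break; }
    }
    prefix += String(found);
  }
  return prefix;
}

// Optimised approach: OR several prefix patterns into one request and binary
// search the digit, so each position costs ceil(log2(10)) = 4 requests.
function enumerateId(oracle, length = 12) {
  let prefix = '';
  for (let pos = 0; pos < length; pos++) {
    let lo = 0, hi = 9;                       // inclusive candidate range
    while (lo < hi) {
      const mid = Math.floor((lo + hi) / 2);
      const patterns = [];
      for (let d = lo; d <= mid; d++) patterns.push(`${prefix}${d}*`);
      if (oracle.query(patterns)) hi = mid; else lo = mid + 1;
    }
    prefix += String(lo);
  }
  return prefix;
}

// Demo on a constructed identifier.
const demo = makeOracle('210987654321');
console.log(enumerateId(demo), 'recovered in', demo.attempts(), 'requests');
```

The defensive takeaway is the same whichever service is involved: any policy whose outcome an attacker can observe, and whose condition accepts wildcards, is a membership oracle, and the number of requests needed is logarithmic in the alphabet, not linear.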

How to create a Secure, Random Password with JavaScript

I recently needed to create a random password in a piece of JavaScript code. It was surprisingly difficult to find instructions and good examples of how to do that. Almost every result that Google, StackOverflow, or, for that matter, ChatGPT, turned up was flawed in one way or another.

A Beginner's Guide to Mobile Application Testing

As consumers become more dependent on mobile devices, the need for application security has become more of a priority. In this blog post, I will discuss my testing methodology for mobile application assessments and some of the tools I use throughout the testing process.

Ivanti's Pulse Connect Secure Auth Bypass Round Two

After an authentication bypass and command injection to kick off the year, Ivanti are following with a second authentication bypass and a privilege escalation. In this blog post, we detail our reverse engineering process to find and exploit this new authentication bypass.

HTTP Downgrade attacks with SmuggleFuzz

In this blog, I introduce SmuggleFuzz, a command-line tool for identifying smuggling vulnerabilities.

CIEM Part 3: Mastering privilege management for developers

This article will sharpen your senses and enable you to judge the criticality of IAM roles and related policies. You will learn how to determine the right point in time to harden a role which results in guidance on where to invest your time.

Cycode Discovers a Supply Chain Vulnerability in Bazel

We found that a GitHub Actions workflow could have been injected with malicious code due to a command injection vulnerability in one of Bazel's dependent Actions. This vulnerability directly impacts the software supply chain, potentially allowing malicious actors to insert harmful code into the Bazel codebase, create a backdoor, and affect the production environment of anyone using Bazel.

Improving the state of Cosmos fuzzing

In this blog post, we explain the differences between smart fuzzing and dumb fuzzing, and show how we added smart fuzzing on top of the high-level simulation framework of Cosmos. As a bonus, our smart fuzzer integration led us to identify and fix three minor issues in Cosmos SDK.

Executing CSharp Assemblies from C code

The integration of native C code with managed C# assemblies opens up a realm of possibilities, allowing malware developers to leverage the strengths of both worlds within a single application. In this article, we will see how it is possible to invoke an assembly from a language like C.

Visualizing ACLs with Adalanche

We present Adalanche, a tool for collecting and analyzing data from Active Directory. It can extract potential attack vectors such as unconstrained delegation, ESC1, outdated servers, users with administrative privileges and more. It is extremely fast and runs on every modern operating system.

TOTOLINK LR1200GB Auth Bypass

A stack overflow vulnerability in the web interface of the TOTOLINK LR1200GB allows remote unauthenticated attackers to bypass authentication.

Raspberry Robin Keeps Riding the Wave of Endless 1-Days

We detail two new 1-day LPE exploits used by Raspberry Robin, a widely distributed worm. Its capabilities and evasions, together with its very active distribution, make it one of the most intriguing malware families out there. We also provide a technical analysis of the worm and the related IOCs.

Multiple vulnerabilities in eLinkSmart padlocks

Several vulnerabilities were found between the locks' implementation of the Bluetooth Low Energy (BLE) communication and eLinkSmart's back-end API. These enable an attacker to unlock any lock within Bluetooth range and gather unlock history information including times and locations of any lock in the world, even if location tracking was not enabled by the user.

Binary type inference in Ghidra

We introduce BTIGhidra, a Ghidra extension that helps reverse engineers by inferring type information from binaries. The analysis is inter-procedural, propagating and resolving type constraints between functions while consuming user input to recover additional type information.

The curious case of DangerDev@protonmail.me

Recently we worked on a very interesting incident response case in a customer's AWS environment. In this blog, we want to share a detailed story of this case, including the techniques used by the TA.

Unmanaged .NET Patching

We detail a technique that safely runs an in-process payload without the host process terminating on execution. It relies on an unmanaged approach (an unmanaged implant executing managed code in-process). While our example targets System.Environment.Exit, a similar technique should work for any managed function.

Critical Security Issue Affecting TeamCity On-Premises (CVE-2024-23917)

We detail a critical security vulnerability identified in TeamCity On-Premises (CVE-2024-23917). The vulnerability may enable an unauthenticated attacker with HTTP(S) access to a TeamCity server to bypass authentication checks and gain administrative control of that TeamCity server.

Python Info-stealer Distributed by Malicious Excel Document

This is a technical analysis of an Excel document distributing an info-stealer. The attack stages before the info-stealer are simple downloaders that increase the difficulty of detection. This article introduces each stage in this attack and provides a glimpse into the world behind the malware campaign.

Content Security Policy: Mitigating Web Vulnerabilities by Controlling the Rules of the Game

Defining a Content Security Policy (CSP) for your web application can help harden it against many common attacks. Mitigating XSS is the best-known part of CSP hardening, but CSP can do more than that: it can force HTTPS for subresources, protecting traffic from sniffing, and prevent clickjacking by controlling which origins may frame the application.

Still Recent

Cutting Edge, Part 1: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation

We share details of five malware families associated with the exploitation of Ivanti Connect Secure VPN and Policy Secure devices. These families allow the threat actors to circumvent authentication and provide backdoor access to these devices. Additional post-exploitation tools identified in our investigation are also highlighted in this post.

Excessive Expansion: Uncovering Critical Security Vulnerabilities in Jenkins

We discovered security vulnerabilities in Jenkins. The vulnerability tracked as CVE-2024-23897 allows unauthenticated attackers to read a limited amount of data from arbitrary files, and attackers with "read-only" authorization to read entire arbitrary files from the Jenkins server. By reading Jenkins secrets, attackers could leverage this vulnerability to escalate privileges to admin and eventually execute arbitrary code on the server.

Rooting For Secrets with TruffleHog

Leaking secrets can have severe repercussions for an organization, compromising data integrity, confidentiality, and system security. So how do you know if you have buried secrets hiding in the vast digital landscape of your organization? Easy. You employ a truffle hog.

CIEM Part 1: How least privilege leads to a false sense of security

This is the start of a series about Cloud Identity Entitlement Management (CIEM). I will try to explain in depth what challenges you will face when trying to manage Identity and Access Management (IAM) in AWS. The first part is about least privilege.

CIEM Part 2: Measure risk probability in IAM

This article will analyze different types of Tasks and their characteristics. The knowledge will be mapped to a prioritized list of attack vectors and the expected blast radius. This helps us to classify IAM Roles or IAM User candidates for an attack.

Analyzing a C2 agent - Part 2: the agent

In this part, we will analyze said binary statically to understand how it works, how we determine that it corresponds to a C2 agent, and what indicators of compromise we can obtain from it.

Enhancing Incident Response: Atomic Test for Encrypted FTP Exfiltration

The purpose of this article is to share my recent contribution to the Atomic Red Team repository. This contribution, "Atomic Test #2 -- Exfiltration via Encrypted FTP", aims to simulate an encrypted file transfer to an FTP server, a critical aspect of understanding and mitigating data exfiltration threats.

Exploring Web Directories with GoBuster: A Comprehensive Guide

GoBuster, a widely used tool in this domain, proves invaluable for professionals seeking to identify hidden directories and files on web servers. In this article, we will delve into the various aspects of GoBuster, its functionalities, and how it can be effectively used to enhance web security.

Oldies but Goodies

Azure B2C Crypto Misuse and Account Compromise

Microsoft's Azure Active Directory B2C service contained a cryptographic flaw which allowed an attacker to craft an OAuth refresh token for any user account. An attacker could redeem this refresh token for a session token, thereby gaining access to the victim account as if they had logged in through a legitimate login flow.

Unleashing the Power of Scapy for Network Fuzzing

In this blog, we explain how to use Scapy as a valuable tool for network fuzzing, providing a flexible and powerful platform for testing network and application security.

Reverse engineering an EV charger

This blog post walks through our efforts reverse engineering the Zaptec Pro charger, an electric vehicle charger found in many parking lots and apartment buildings around Norway. By analyzing the device's firmware, and compiling a custom bootloader, we were able to root the device and dig into how it works.

Unearthed Arcana

Getting MX, SPF, DMARC, DKIM, and SMTP Banners With PowerShell

When diagnosing email issues I tend to start with some basics: MX records, SPF, DMARC and DKIM data. There are a multitude of ways to get these, but I tend to like working in PowerShell, so I wanted to write a function to quickly pull this data.