New Articles
We demonstrate how whitespace that the JSON standard treats as insignificant can be used to encode data without breaking the format. This could aid malicious actors in covert lateral movement or data exfiltration.
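The technique the summary describes, as an added example that is not code from the article: a compact JSON document is re-serialised with a space (bit 0) or a tab (bit 1) inserted after each `,` or `:` that sits outside a string, both of which RFC 8259 allows between tokens, so the result still parses to the same object. The 16-bit length prefix, the bit-to-character mapping and the `suspicious()` heuristic (an honest serialiser follows each separator kind with one consistent whitespace character) are assumptions of this demo.

```python
import json

# Bit-to-whitespace mapping. RFC 8259 lets space, tab, CR and LF appear between
# tokens, so any choice here keeps the document valid JSON (assumption of this
# demo: space = 0, tab = 1).
BIT_CHARS = {0: " ", 1: "\t"}
CHAR_BITS = {c: b for b, c in BIT_CHARS.items()}


def _separators(text):
    """Yield (index, char) for every ',' or ':' that sits outside a JSON string."""
    in_str = esc = False
    for i, ch in enumerate(text):
        if in_str:
            if esc:
                esc = False
            elif ch == "\\":
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
        elif ch in ",:":
            yield i, ch


def _to_bits(data):
    return [(b >> k) & 1 for b in data for k in range(7, -1, -1)]


def compact(cover):
    return json.dumps(cover, separators=(",", ":"))


def encode(cover, secret):
    """Hide `secret` in the whitespace of a compact serialisation of `cover`."""
    text = compact(cover)
    slots = [i + 1 for i, _ in _separators(text)]
    # 16-bit big-endian length prefix so the decoder knows where the payload ends
    bits = _to_bits(len(secret).to_bytes(2, "big") + secret)
    if len(bits) > len(slots):
        raise ValueError(f"cover offers {len(slots)} slots, payload needs {len(bits)} bits")
    out, prev = [], 0
    for slot, bit in zip(slots, bits):
        out.append(text[prev:slot] + BIT_CHARS[bit])
        prev = slot
    out.append(text[prev:])
    return "".join(out)


def decode(text):
    """Recover the payload; returns b'' when no framed payload is present."""
    bits = [CHAR_BITS[text[i + 1]] for i, _ in _separators(text)
            if i + 1 < len(text) and text[i + 1] in CHAR_BITS]
    raw = bytes(int("".join(map(str, bits[k:k + 8])), 2)
                for k in range(0, len(bits) - len(bits) % 8, 8))
    n = int.from_bytes(raw[:2], "big")
    return raw[2:2 + n]


def is_intact(stego, cover):
    """The carrier must still parse to the original object."""
    return json.loads(stego) == cover


def whitespace_profile(text):
    """Map each separator kind to the set of whitespace chars that follow it."""
    profile = {",": set(), ":": set()}
    for i, ch in _separators(text):
        if i + 1 < len(text) and text[i + 1] in " \t\r\n":
            profile[ch].add(text[i + 1])
    return profile


def suspicious(text):
    """Detection heuristic: a separator kind followed by more than one distinct
    whitespace character is a tell for hidden data."""
    return any(len(chars) > 1 for chars in whitespace_profile(text).values())


if __name__ == "__main__":
    # constructed cover document with enough separators to carry a short payload
    cover = {"items": [{"id": i, "name": f"item{i}"} for i in range(40)]}
    stego = encode(cover, b"exfil")
    print(is_intact(stego, cover), decode(stego), suspicious(stego))
```

Capacity is one bit per separator, so a 40-element array of small objects carries only around twenty bytes; a defender can normalise inbound JSON (parse and re-serialise) to destroy the channel regardless of whether it is detected.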
DJI - The ART of obfuscation
02/06/2024
Study of an Android runtime (ART) hijacking mechanism for bytecode injection through a step-by-step analysis of the packer used to protect the DJI Pilot Android application.
A Detailed Guide on Ligolo-Ng
02/09/2024
This comprehensive guide delves into lateral movement with Ligolo-ng. The tool establishes tunnels over reverse TCP/TLS connections using a TUN interface, so no SOCKS proxy is needed. The guide covers the tool's distinctive features as well as practical applications such as single and double pivoting within a network.
The bootloader vulnerability affecting several generations of Apple devices allows for forensically sound extraction of a wide range of Apple hardware including several generations of iPhones, iPads, Apple Watch, Apple TV, and even HomePod devices. In this article, we will go through the different chips and their many variations that are relevant for bootloader-level extractions.
Many threat actors utilize Remote Desktop Protocol (RDP) to move laterally within an environment once they have compromised it. In this article, we will review the key artifacts that incident responders rely on when looking for RDP activity.
Exploitation of Confluence Server Vulnerability CVE-2023-22527 Leading to C3RB3R Ransomware
02/08/2024
We observed evidence of C3RB3R ransomware, as well as several other malicious payloads, being deployed following exploitation of CVE-2023-22527, a template injection vulnerability affecting Atlassian Confluence Data Center and Server. We present our preliminary findings here.
YARA rules stand as powerful sentinels against static cyber threats. Their strength, however, is also their Achilles' heel. The static nature of YARA rules means they can be effortlessly circumvented, especially when they are made public.
Threat Hunting: DNS C2
02/05/2024
Not every prevention technology can inspect DNS traffic and block it when the protocol is being used for malicious ends, so offline log analysis is crucial for identifying potential abuse of DNS. This usually takes the form of a threat hunting mission, which is what I explain in this article.
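An added example of the offline hunt the summary describes (my code, not the article's): resolver query logs are grouped by registered domain and scored on the classic DNS C2 tells, namely many unique long subdomains, high per-label entropy, and a large share of TXT/NULL queries. The log format (`<timestamp> <client> <qname> <qtype>`), the sample lines, the beacon labels generated from SHA-256 as a stand-in for encoded C2 data, and the thresholds are all constructed for this demo.

```python
import hashlib
import math
from collections import defaultdict


def _beacon_label(i):
    # constructed stand-in for encoded C2 data: 40 hex chars per query
    return hashlib.sha256(f"beacon-{i}".encode()).hexdigest()[:40]


# Constructed sample log: 12 beacons to a tunnelling domain, some benign lookups,
# and one malformed line that the parser must skip.
SAMPLE_LOG = [
    f"2024-02-05T10:00:{i:02d}Z 10.0.0.5 {_beacon_label(i)}.c2-example.test TXT"
    for i in range(12)
] + [
    "2024-02-05T10:01:00Z 10.0.0.7 www.example.com A",
    "2024-02-05T10:01:02Z 10.0.0.7 mail.example.com A",
    "2024-02-05T10:01:03Z 10.0.0.9 www.example.com A",
    "2024-02-05T10:01:04Z 10.0.0.9 cdn.example.com AAAA",
    "2024-02-05T10:01:05Z 10.0.0.5 www.example.com A",
    "2024-02-05T10:01:06Z 10.0.0.5 mail.example.com MX",
    "garbage line that does not parse",
]


def shannon_entropy(s):
    """Bits per character of the string's symbol distribution."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered domain, subdomain part). Naive last-two-labels split;
    a real hunt would use the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_line(line):
    """Parse one log line of the assumed format; None for anything malformed."""
    parts = line.split()
    if len(parts) != 4 or "." not in parts[2]:
        return None
    ts, client, qname, qtype = parts
    return {"ts": ts, "client": client, "qname": qname, "qtype": qtype.upper()}


def hunt(lines, min_queries=5, min_label_len=25, min_entropy=3.0, min_unique_ratio=0.8):
    """Score each registered domain seen at least min_queries times."""
    per_domain = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        domain, sub = split_qname(rec["qname"])
        if domain is None:
            continue
        per_domain[domain].append((sub, rec["qtype"]))

    findings = []
    for domain, recs in per_domain.items():
        if len(recs) < min_queries:
            continue
        subs = [s for s, _ in recs]
        unique_ratio = len(set(subs)) / len(subs)
        mean_len = sum(map(len, subs)) / len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        txt_ratio = sum(1 for _, q in recs if q in ("TXT", "NULL")) / len(recs)
        reasons = []
        if unique_ratio >= min_unique_ratio and mean_len >= min_label_len:
            reasons.append("many unique long subdomains (tunnelling pattern)")
        if mean_entropy >= min_entropy:
            reasons.append(f"high subdomain entropy ({mean_entropy:.2f} bits/char)")
        if txt_ratio >= 0.5:
            reasons.append(f"{txt_ratio:.0%} TXT/NULL queries")
        if reasons:
            findings.append({
                "domain": domain, "queries": len(recs),
                "unique_ratio": round(unique_ratio, 2), "mean_len": round(mean_len, 1),
                "mean_entropy": round(mean_entropy, 2), "txt_ratio": round(txt_ratio, 2),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: -f["queries"])


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f["domain"], f["queries"], "queries:", "; ".join(f["reasons"]))
```

Tune the thresholds against your own baseline first: CDNs, anti-virus update checks and some telemetry legitimately produce long, high-entropy labels, so the hunt is a triage list rather than an alert.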
HijackLoader continues to become increasingly popular among adversaries for deploying additional payloads and tooling. We provide a technical analysis of a recent variant that employs sophisticated techniques to enhance its complexity and defense evasion.
Reflective DLL got Indirect Syscall skills
02/12/2024
In this article, I detail how to enrich a reflective DLL with indirect syscalls to bypass EDR detection.
Active Directory Enumeration for Red Teams
02/12/2024
In this post, we will explore how defenders can monitor for suspicious LDAP activity, as well as operational security approaches for red teams conducting LDAP reconnaissance.
In this article, we review what IDOR (Insecure Direct Object Reference) vulnerabilities are, how to find and exploit them, and tips for discovery and defense.
Microsoft BitLocker Bypasses are Practical
02/03/2024
In this blog article, we would like to share techniques to bypass a default BitLocker configuration and emphasize the potential risks and consequences associated with this attack technique.
Creating a remote thread in any process at any time is generally fine, unless the process does something non-standard such as having anti-debugging or anti-tampering mechanisms. But gaining some experience with global injection in Windows led me to discover that it's not that simple.
Diving Into Glupteba's UEFI Bootkit
02/12/2024
Glupteba is advanced, modular and multipurpose malware that, for over a decade, has mostly been seen in financially driven cybercrime operations. This article describes the infection chain of a new campaign that took place around November 2023.
Directory.ReadWrite.All is an MS Graph permission that is frequently cited as granting a high level of privilege, even being equated to the Global Administrator Entra ID role. This article aims to help admins and security professionals give Directory.ReadWrite.All the attention it deserves.
AWS recently enhanced its managed Kubernetes service, EKS, with the introduction of EKS Access Entries and Policies, along with EKS Pod Identity. While these features offer significant benefits, they also potentially open up new avenues for exploitation by malicious actors. These actors could leverage these features to facilitate lateral movement between the cloud and the cluster, and vice versa.
AWS introduced the EKS Pod Identity feature, a new way for cluster workloads to interact with cloud resources, along with new EKS access management. In this blog post we inspect the changes from a security perspective.
In this blog, we will look at using an AWS Lex Service chatbot as a persistence method for a red teamer. This entire blog post is more of a fun exercise in creativity than it is a practical technique. However, it never hurts to get hands-on experience with a service that is being increasingly used by companies in the AI explosion.
CVE-2024-20328 - ClamAV Not So Calm
02/07/2024
A crafted file name can trigger a command injection vulnerability in ClamAV's VirusEvent feature. An attacker can exploit this to execute arbitrary code on the system running the ClamAV daemon, clamd.
This post will delve into the goals of anti-cheat bypass and EDR bypass, exploring the motivations behind these activities and their implications, and will draw a distinction between legitimate security research and illicit activities.
In this article, I would like to discuss a rather unconventional but very interesting detection mechanism used in conjunction with EDR, based on a combination of process environment block (PEB) modification, the use of fake DLLs and guard pages, and the use of vectored exception handling.
Searching for Secrets Across GitHub
02/12/2024
In this blog, I'll walk you through the steps I took to gather API keys on GitHub and illustrate how anyone could automate the methodology to search for secrets across GitHub.
Bypassing EDRs With EDR-Preloading
02/13/2024
I want to introduce an alternative evasion technique, "EDR-Preloading", which involves running malicious code before the EDR's DLL is loaded into the process, enabling us to prevent it from running at all.
We discovered an interesting security issue in Outlook when the app handles specific hyperlinks. In this blog post, we will share our research on the issue with the security community and help defend against it. We will also highlight the broader impact of this bug in other software.
We have discovered a new backdoor targeting macOS users. This previously undocumented family of malware is written in Rust and includes several interesting features. In this post we share details about distribution, existing variants and persistence, and provide IoCs.
This blog outlines the findings of a comprehensive security assessment conducted on the GL-AX1800 router manufactured by GL.iNet. During the evaluation, several critical security issues were discovered, including Cross-Site Request Forgery (CSRF), insecure file uploads, path traversal, file overwrite leading to Remote Code Execution (RCE), and unrestricted file access download.
We have identified a security issue that arises from the interaction between Ubuntu's command-not-found package and the snap package repository. While command-not-found serves as a convenient tool for suggesting installations for uninstalled commands, it can be inadvertently manipulated by attackers through the snap repository, leading to deceptive recommendations of malicious packages.
Identifying Malicious Bytes in Malware
02/07/2024
This post covers the process of identifying malicious bytes in malware, meaning known, signatured byte sequences that security products use to detect malware. The goal is to locate these bytes and replace them with benign ones in order to evade static detection.
Hardware Hacking: Plunder With a Bus Pirate
02/15/2024
For this blog, I'm going to assume you have a Bus Pirate, you are able to access its terminal, and you are ready to use it - but what are you going to use it on? Grab a digital multimeter, some sort of IoT device that's been gathering dust in your closet, and time to choose your own adventure.
We identified a vulnerability in the QNAP operating system. An attacker with network access to an uninitialized QNAP NAS device may perform unauthenticated command injection, allowing the attacker to execute arbitrary commands on the device.
TinyTurla Next Generation
02/15/2024
We identified a new backdoor authored and operated by the Turla APT group. It is a small "last chance" backdoor that is left behind to be used when all other unauthorized access/backdoor mechanisms have failed or been detected on the infected systems.
This article aims only to illustrate some of the techniques used in code that has undergone mutation by some protector. In addition to the techniques already offered by commercial protectors, we will explore our own employed techniques.
ADCS ESC13 Abuse Technique
02/14/2024
It is possible to configure an Active Directory Certificate Services (ADCS) certificate template with an issuance policy having an OID group link to a given AD group. We will in this blog post explore how this ADCS feature works, how we can abuse it, where it is used in the wild, how we can audit for its presence, and how to deal with it from a defensive perspective.
Still Recent
.NET AOT programs give reversers a hard time, especially when compared to their MSIL counterparts. We describe techniques to be able to recover symbols as well as typing information. This will bring us back to a situation close to that of analyzing programs in Go (but with a functional decompiler).
In this article, we detail an attack that spoofs wireless access point advertisement frames with fake power limitation information. This tells clients to reduce their wireless card's transmit power to 0, resulting in a denial of service.
One of the most prevalent phishing tactics nowadays involves exploiting legitimate platforms for redirection through deceptive links. In this blog post, we'll explore how trusted platforms are increasingly being exploited as redirectors, highlighting the risks and the latest trends that users and businesses alike should be aware of.
Jailbreaking Apple iOS devices is a well-known practice that lets Apple device owners gain unauthorized access to the device's root file system, enabling the user to remove restrictions imposed by Apple. Essentially, jailbreaking is a way to bypass the limitations set by Apple on what apps and features can be installed on an iOS device.
YOLO: You Only Load Once
01/18/2024
In this post, I explain how to inject into a remote process a reflective DLL with an encrypted ReflectiveLoader function. This function would reflectively load the DLL once decrypted and then disappear forever.
Azure DevOps Zero-Click CI/CD Vulnerability
01/31/2024
In this blog post, we will introduce CVE-2023-36561, a vulnerability in Azure Pipelines that allows an attacker to access secrets and internal information and perform actions with elevated permissions in the context of a pipeline workflow. This could allow attackers to move laterally in the organization and initiate supply chain attacks.
How to perform a Complete Process Hollowing
01/24/2024
One of the main issues in the process hollowing technique is handling the import table of the injected PE. The purpose of this blog post is to demonstrate how it is possible to fix the IAT and delayed IAT remotely when a PE is injected into a remote process.
Oldies but Goodies
We present Mythic, a plug-n-play command and control (C2) framework that heavily leverages Docker and a microservice architecture where new agents, communication channels, and modifications can happen on the fly.
Attackers use a variety of tactics to spread laterally across on-premises Windows machines. But similar techniques are also effective in moving laterally from a compromised workstation to connected cloud resources, bypassing strong authentication measures like MFA. This article explains how attackers can perform lateral movement to the cloud with an attack called Pass-the-PRT.
Unearthed Arcana
Dirt cheap Electromagnetic Fault Injection
10/09/2020
This post will cover the theory and crafting of an Electromagnetic Fault Injection device for as little as $5.
SIM Hijacking
02/07/2022
In this post, I'll dive into some SIM card-related research where I'll cover some of the physical, software, and other attack avenues available.