Things that are impossible just take longer.
New Articles
AWS Nitro Enclaves are locked-down virtual machines with support for attestation. We decided to do some deep research into it to fill in some of the documentation gaps and, most importantly, to find security footguns and offer some advice for avoiding them.
These are a series of well-known attacks against TPMs used for attestation and full-disk-encryption. This article will describe the nature of these attacks then demonstrate their exploitability in realistic scenarios. Several of these attacks are often overlooked despite fundamentally undermining the goal of TPMs for secret storage and attestation.
Exploiting Unsynchronised Clocks
02/11/2024 According to data from RIPE, over 40% of computers attached to the Internet have a few seconds of clock drift, which, with the right combination of headers, will make an HTTP response unintentionally cacheable.
We identified a Stored Cross-Site Scripting (XSS) vulnerability which can be triggered by a malicious profile image. This can be used for Ghost CMS instance takeover, providing an adversary with sole ownership of the Ghost CMS instance.
Hello Lucee! Let us hack Apple again?
02/15/2024 Investigating Lucee CFML server, we will delve into our unsuccessful endeavours and, ultimately, our achievement of RCE on Apple's production server. Notably, our exploitation extended to potentially compromising Lucee's update server, thereby unveiling a classic supply chain attack to compromise any Lucee installation with malicious updates.
More developers will have to fix security issues in the age of shifting left. Here, we break down how SAST tools can help them find and address vulnerabilities.
In-depth analysis - The ISFB first loader
02/17/2024 Join me as we delve into the depths of the ISFB malware, exploring its techniques, encryption mechanisms, and potential impact. Together, we will uncover the secrets and gain a deeper understanding of this ever-evolving threat landscape.
Today, we delve into a previously unknown mobile network attack known as the "MMS Fingerprint" attack. How we found this attack - which had essentially been hiding in plain sight - and how this attack might work, takes a bit of explaining.
In this blog post, we walk through the attack chain targeting M365 tenants in order to identify and share practical detection and hunting strategies for cybersecurity defenders. We will base our analysis on informed assumptions and also outline broader detection strategies which, while not specific to this incident, can be applied in similar scenarios.
Type libraries, alongside macros, are our secret sauce for DLL mastery. Let's dive into how we can elevate type libraries from unsung heroes to superstars in our red team toolkit.
How to be IR Prepared in AWS
02/13/2024 This blog aims to demystify AWS' sometimes complicated logging methods to help organizations prepare for when a security incident occurs. In this article, we've outlined which logs should be enabled for the purpose of incident investigations.
How to be IR prepared in Azure
02/16/2024 This blog demystifies Azure's sometimes complicated logging methods. We've outlined which logs should be enabled and how to enable them. This will help ensure your organization is prepared for an investigation when a security incident occurs.
How To Detect File Changes in Windows Server
02/16/2024 Detecting file changes can assist in identifying whether malicious actors have been able to modify or delete files of interest. We describe a process that will work with your modern Windows operating system regardless of whether it is a server or a workstation.
This Threat Analysis Report will delve into compromised YouTube accounts being used as a vector for the spread of malware. It will outline how this attack vector is exploited for low-burn, low-cost campaigns, highlighting strategies used by threat actors and how defenders can detect and prevent these attacks.
As part of our reverse engineering of the firmware running Ivanti Pulse Secure, we discovered a plethora of previously unreported problems. This blog post will discuss the range of vulnerabilities exposed during our reverse engineering process and the broader implications for the cybersecurity community.
Cybersecurity magic & MITRE ATT&CK
02/12/2024 This article explains the MITRE ATT&CK framework for people who are new to it. Some of us find it challenging to understand because it has many parameters. I will explain it in elementary language that is fun to understand.
Linux Threat Hunting Persistence
02/16/2024 The objective of this post is to learn how to hunt for persistence on Linux machines without using paid tools or frameworks: only the open-source tools that are already available for anyone to download and use, together with Linux's own built-in resources.
Ethereum Log Confusion in Polygon's Heimdall
02/13/2024 In this blog post, we describe a vulnerability in Heimdall, the validator software of the Polygon Proof-of-Stake (PoS) blockchain. This flaw, if exploited, could have allowed a rogue or compromised validator to take over the Heimdall consensus layer and inject fraudulent events into the StakeSync mechanism, a critical component of the Polygon PoS bridge.
In this second part, we'll delve into the concept of sandboxing Bochs from syscalls. We do not want Bochs to be capable of escaping its sandbox or retrieving any data from outside of our environment. So we'll get into the implementation details of my first stab at Bochs-to-fuzzer context switching to handle syscalls.
This article gives some context regarding CSP and details key techniques to find bypasses in nonce-based implementations.
Code Review Like a Pro
02/19/2024 In this article, I'm going to share my own research methodology for analyzing and reviewing application source code to identify vulnerabilities.
Entra ID has a built-in role called "Partner Tier2 Support" that enables escalation to Global Admin, but this role is hidden from view in the Azure portal GUI. In this article, we will see how an adversary may target this role to maintain stealthy, privileged persistence in an Entra ID tenant.
Delegated NT DLL
02/13/2024 Like the WOW64 table, the NT delegate table provides a simple way to intercept a variety of callbacks in 32-bit mode without the need to overwrite code with inline hooking.
Cross Window Forgery: A Web Attack Vector
02/19/2024 By combining two seemingly unrelated browser features, an attacker can trick an unsuspecting user into performing actions on a different website with considerable user interaction. Let's delve into the technical details of this web attack vector.
In this article, I wanted to introduce a fun approach to performing functions similar to those enabled by Windows Object Callbacks but through an alternative means. I'll be showcasing a simple example of leveraging this undocumented method. We'll explore how the proposed method could achieve comparable outcomes and more flexibility depending on the object type.
Exploiting Cacheable Responses
02/20/2024 The main browsers share their cache between Fetch requests and normal navigation. This means that any request that can be made with Fetch, which produces a cacheable response, can also be used to poison the browser navigation too.
Two new vulnerabilities in open-source WiFi software allow attackers to trick victims into connecting to malicious clones of trusted networks and intercept their traffic, and join otherwise secure networks without needing the password.
Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 1: functional analysis)
02/20/2024 This is the first part of a two-part blog post series about breaking into Kontrol Lux Lock smart locks. In this part, we will explain the analysis we performed on the application and the firmware that allowed us to understand the inner workings of the lock and its ecosystem.
AS-REP Roasting
02/20/2024 In this article, we detail how it is possible to collect users' password hashes if users in the domain have Kerberos pre-authentication disabled.
We are disclosing a denial-of-service vulnerability that affects the Pedersen distributed key generation (DKG) phase of a number of threshold signature scheme implementations. The vulnerability allows a single malicious participant to surreptitiously raise the threshold required to reconstruct the shared key, which could cause signatures generated using the shared key to be invalid.
In this blog I will delve into using an Android smartphone, while it is charging from a computer, to perform an automated local DNS cache alteration attack without user interaction. This would result in redirecting user traffic to a false IP address instead of the user-typed domain name. I go through its results, downsides and effective prevention tips.
Hidden GitHub Commits and How to Reveal Them
02/16/2024 We detail how to identify dangling or hidden commits and how to check whether this behaviour leaves any data currently visible that should be deleted by GitHub support. Generally speaking, there could be more commits linked to your repository than those listed in the commit history of any branch.
ConnectWise published a security advisory for their ScreenConnect remote management tool, describing an authentication bypass with CVSS 10.0. In this post we will dive into the technical details of this vulnerability.
Pwning the Domain: With Credentials
02/21/2024 After getting access to a domain account, there are a variety of things that can be done, including but not limited to domain enumeration, Kerberoasting, coercion, etc. In this article, we detail the tools and techniques that can be leveraged in this context.
In this article, I will describe a DOMPurify bypass I recently discovered. This issue is not a major concern as it doesn't involve a full DOMPurify bypass using the default configuration. However, I believe the payload is interesting enough to be documented.
In this article, we provide technical details of an unauthenticated command injection exploit affecting Zyxel firewalls (CVE-2023-33012).
Smuggling Malware in Test Code
02/20/2024 In this blog post, we take a deep dive into an npm package trying to masquerade as a code profiler, which actually installs several malicious scripts including a cryptocurrency and credential stealer. Curiously, the attacker attempted to hide the malicious code in a test file, presumably thinking that no one would bother to look for malware in test code.
This post, part of a series on cryptography in the cloud, provides an overview of the cloud cryptography services offered within Amazon Web Services (AWS): when to use them, when not to use them, and important usage considerations. Stay tuned for future posts covering other cloud services.
RansomHouse encryptor malware analysis
02/20/2024 In this article, we provide technical analysis of the RansomHouse encryptor malware as well as the related IoCs.
In this article, we discuss how SCCM sites configured to support high availability can be abused to compromise the entire hierarchy.
We reveal the intricate details of the 8220 Gang's latest campaign, offering an in-depth analysis of their attack methodologies, the vulnerabilities exploited, and the defensive evasion tactics used.
Silent Sabotage
02/21/2024 In this blog, we show how an attacker could compromise the Hugging Face Safetensors conversion space. We demonstrate how it's possible to send malicious pull requests with attacker-controlled data from the Hugging Face service to any repository on the platform, as well as hijack any models that are submitted through the conversion service.
We provide a technical analysis of a malicious application available on the official Google Play Store. This application serves as a dropper, facilitating the download of a banking trojan of the TeaBot family through multiple stages.
SHA-256 Under the Hood
02/22/2024 In this article, we will look inside the popular hash function and learn what makes it work so well.
IBM ODM Remote Code Execution
02/22/2024 In this article, we detail two vulnerabilities found in IBM's "Operational Decision Manager" (ODM) that lead to remote code execution: Java deserialization (CVE-2024-22320) and JNDI injection (CVE-2024-22319).
Still Recent
Diving into the DICOM file format
02/06/2024 While doing some research about file formats, I occasionally came across references to the DICOM file format. Since I had never heard of it, I decided to dig deeper, eventually finding multiple vulnerabilities in the libdicom library.
How I Also Hacked my Car
01/30/2024 This article is a step-by-step guide to get root access on MediaNav Evolution, the 2023 Dacia Sandero infotainment system.
This is the first blog post in a series about issues we think are currently relevant in the field of AI-Security. We will begin with a problem that seems to be fundamental to all the problems coming out of AI-systems: nondeterminism.
We observed a surge in malicious activities targeting Ivanti Connect Secure (CS) and Ivanti Policy Secure (PS) appliances. This blog provides details of these activities.
Oldies but Goodies
Exploiting API Framework Flexibility
12/17/2022 Modern frameworks are often very flexible with what they accept, and will happily treat a POST with a JSON body as interchangeable with a URL-encoded body, or even with query parameters. Due to this, an unexploitable JSON XSS vector can sometimes be made exploitable by flipping it to one of these alternative approaches.
Docker Security - Step-by-Step Hardening
10/16/2023 This article provides practical recommendations for configuring the Docker platform aimed at increasing its security. It also suggests tools helpful in automating some of the tasks related to securing Docker.
Whether it's debugging weird problems, optimizing your code, probing around a gadget you're reverse-engineering, or maybe trying to understand someone's open-source library, you are likely missing out on a lot if you don't have a logic analyzer on hand!