If it wasn't for C, we'd be writing programs in BASI, PASAL, and OBOL.
New Articles
We provide a technical analysis of a campaign leveraging multiple vulnerabilities to deliver malicious payloads on compromised servers. We will especially focus on a novel Linux version of a malware called NerbianRAT.
Does Confluence Dream of Shells?
03/08/2024 In this article, we exploit the Confluence CVE-2023-22527 vulnerability to deliver an in-memory webshell.
We provide root cause analysis, impact and proof-of-concept for a path traversal vulnerability in pgAdmin (CVE-2024-2044), eventually leading to an RCE.
ReflectiveLoading And InflativeLoading
03/08/2024 This article revisits the classic Reflective Loading technique and explains my tool, InflativeLoading.
Netbox - CVE-2024-23780 - Writeup
03/08/2024 In this post we detail how to exploit CVE-2024-23780, a critical vulnerability identified in NetBox, leading to remote code execution.
Insecure Deserialization to Reverse Shell
03/08/2024 In this post, I detail an insecure Java deserialization bug that leads to a reverse shell in an AWS environment.
This post is just my thoughts on the exploitation of the CVE-2023-0461 vulnerability in the Linux kernel. It contains many technical details, a lot of which will be difficult to follow unless you are already very familiar with the subject matter.
In this second part of the series, we will go over the vulnerabilities we have discovered based on that knowledge and understanding.
This article steps through the process of discovering CVE-2024-21762, a non-disclosed out-of-bounds write vulnerability in Fortinet FortiOS and FortiProxy.
Spinning YARN - A New Linux Malware Campaign Targets Docker, Apache Hadoop, Redis and Confluence
03/06/2024 We identified a new campaign that utilises a number of unique and unreported payloads, including four Golang binaries, that serve as tools to automate the discovery and infection of hosts running the above services. The attackers leverage these tools to issue exploit code, leading to Remote Code Execution (RCE) attacks and infecting new hosts.
A critical vulnerability was found in the firmware of Zhejiang Uniview ISC camera model 2500-S that allows for OS command injection. In this blog post, we will describe the vulnerability, discuss its impact, and present the indicators of compromise (IOCs) that we have observed.
OSINT for Incident Response (Part 2)
03/07/2024 In this article we will try to answer the question: "What is the most granular search query I can perform that still uniquely identifies the target of an intrusion?". This is particularly relevant when no consistent public information is available.
In this post, we will get an overview of the GhostSec threat actor activity, provide technical details about version 2 of the GhostLocker ransomware, and review other tools in their arsenal.
Introducing CloudGrappler: A Powerful Open-Source Threat Detection Tool for Cloud Environments
03/07/2024 In this article, we introduce CloudGrappler, an open-source tool that is purpose-built for querying high-fidelity and single-event detections related to well-known threat actors in popular cloud environments such as AWS and Azure.
WebAssembly Smuggling: It WASM't me
03/05/2024 In this blog, we're going to explore how WebAssembly (Wasm) can be abused by attackers to evade detection and deliver malicious content.
In this article we will provide an extensive overview of the DarkGate malware family, including distribution methods, infection chain, and malware capabilities. We will also review detection and response operations.
In this blog post, we will detail our analysis and understanding of the Coper/Octo Android malware, examining the malware's continued development, as well as providing insights into attack patterns, infrastructure utilization and management, and hunting tips.
This article is a technical analysis of the RA World ransomware. We will cover initial access, privilege escalation, lateral movement, defense evasion, persistence and impact of the malware.
Resurgence of BlackCat Ransomware
03/06/2024 We provide technical details of a new variant of the BlackCat ransomware, relying on a sophisticated initial access strategy.
This post focuses on a nuanced lateral movement strategy that leverages the ec2-instance-connect:SendSSHPublicKey API, a tool that, while designed for convenience, can be twisted into a vulnerability by adept attackers. Through the seemingly simple act of injecting a temporary SSH public key into a compromised EC2 instance, adversaries can weave through cloud environments with alarming ease.
YARP as a C2 Redirector
03/09/2024 YARP (Yet Another Reverse Proxy) is a .NET library developed by Microsoft, designed to run on top of ASP.NET Core infrastructure. The intended use case for YARP is to sit between backend and frontend services to provide reverse proxy and load balancing services. This blog post shows how it can also be used as a C2 redirector.
Hunting for PurpleFox Exploit Kit
03/02/2024 In this article, I share some detection logic that can be helpful in your hunt for PurpleFox, a malware that leverages LOLBins and rootkit components to avoid detection, and uses various publicly available exploits to obtain privilege escalation.
In this article, we delve into a spoofing vulnerability in Microsoft Themes (CVE-2024-21320). This vulnerability can trigger an authentication coercion - an attack in which a victim is coerced into sending credentials to an attacker's machine.
Network tunneling with... QEMU?
03/05/2024 In this article, we present an uncommon way to connect to the internal network of an attacked organization, using QEMU to set up network tunnels or forward network ports between target systems and the adversary's servers.
Event Tracing for Windows (ETW) is a telemetry mechanism commonly used for debugging and security logging. Logging is leveraged by user-mode and kernel-mode applications. In this blog, I will talk briefly about ETW components and how these components can be leveraged for offensive communications.
This blog will cover how we discovered CVE-2024-21378 (an RCE vulnerability on Microsoft Outlook) and weaponized it by modifying Ruler, an Outlook penetration testing tool.
Starting from 2001 and continuing until 6 years ago with version 2.32, binutils' ld linker set too large of an alignment on ELF binary sections. With a Linux kernel >= 5.10 or glibc >= 2.35, binaries/libraries that were built with the older toolchain act as timebombs against ASLR, making brute-force attacks easier on 64-bit binaries and reducing randomness to nothing in some cases for 32-bit binaries.
Fonts are still a Helvetica of a Problem
03/06/2024 This article describes some vulnerabilities we discovered while exploring less common attack surfaces, such as fonts, and demonstrates how security issues manifest in font processing tools.
Further Adventures in Fortinet Decryption
03/08/2024 In this blog post, we examine how the new Fortinet encryption scheme works and provide a tool to decrypt the root filesystem for x86-based FortiOS images.
In this blog post, we will introduce two of our tools: Numbat, a new Python API for Sourcetrail, and Pyrrha, a mapper collection for firmware cartography.
Can a compromised admin account steal the secrets from your corporate password manager? If so, how does this affect your ability to respond to a hijacked account or malicious insider? Let's dive in.
NextChat is a standalone Gen AI chatbot. In this post we detail a critical full-read server-side request forgery (SSRF) vulnerability (CVE-2023-49785) that we found.
In this blog I will show you how to install and run APKDeeLens on a non-rooted Android device using Termux. This brings the convenience of analyzing Android apps directly on the device, either for vulnerability scanning or to understand them before installation.
Attacking Android
03/11/2024 In this comprehensive guide, we delve into the world of Android security from an offensive perspective, shedding light on the various techniques and methodologies used by attackers to compromise Android devices and infiltrate their sensitive data.
SysWhispers2 analysis
03/10/2024 This is a helper that comes in handy when reversing samples that use SysWhispers2, recovering the ntdll call from SysWhispers2 hashes.
In this blog, we cover a vulnerability chain in Mailspring that attackers might exploit to achieve RCE on a victim's computer (CVE-2023-47479). We will also explain the importance of avoiding the dangerous desanitization pattern and outline the significance of a strong CSP.
This post will teach you how to patch-diff CVE-2024-20696 (and indirectly CVE-2024-20697).
The goal of this post is to explain what goes into creating a gadget chain. We will explain the process a bit and then walk through a gadget chain that we created from scratch.
This post is about a handy tool I developed called seads, which helps detecting malvertising on search engines.
We provide technical details about CVE-2024-23897, a Jenkins vulnerability. It can be trivially exploited and can be used to read the beginning of an arbitrary file, or the whole file depending on whether the attacker is authenticated.
Korenix JETIO 6550 - CVE-2024-2371
03/13/2024 We detail a vulnerability (CVE-2024-2371) in Korenix JetIO switches, affecting the Simple Network Management Protocol (SNMP) implementation. This vulnerability allows attackers to read sensitive data, including configuration details and network topology information.
When the OpenEdge Authentication Gateway (OEAG) is configured with an OpenEdge Domain that uses the OS local authentication provider to grant user-id and password logins on operating platforms supported by active releases of OpenEdge, a vulnerability in the authentication routines may lead to unauthorized access on attempted logins.
Under the Hood of SnakeKeylogger: Analyzing its Loader and its Tactics, Techniques, and Procedures
03/11/2024 In this blog, we'll delve into SnakeKeylogger, see how it works, review the tactics and techniques used, and provide relevant IoCs.
The goal of this article is to explain how you can quickly spot missing authorization controls without getting deep into the weeds. A lot can still be done with just a web browser and the built-in developer tools.
In this post, we will go through the top 3 most common ways of finding security vulnerabilities in static websites.
This blog details several of the issues discovered in the FortiWLM: CVE-2023-34993 - multiple unauthenticated command injections, CVE-2023-34991 - unauthenticated SQL Injection, CVE-2023-42783 - unauthenticated arbitrary file read, CVE-2023-48782 - authenticated command injection, as well as two vulnerabilities leading to appliance compromise.
IoT Penetration Testing Part 1
03/04/2024 In this first article of the series about IoT Penetration Testing we will discuss the hardware toolset requirements for this type of testing.
Still Recent
In this article, we explain how to circumvent Meta's certificate pinning implementation, thus making it possible to execute a MITM (man-in-the-middle) attack on ourselves to analyze the requests made to their servers.
In this article we discuss a recent cross-site websocket hijacking vulnerability (CVE-2024-26135) in MeshCentral, resulting in complete compromise of the victim user's account with persistent access enabled by the ability to generate login tokens and leak the sessionKey variable used to sign session cookies when the victim user is an administrator.
ThievingFox - Remotely retrieving credentials from password managers and Windows utilities
01/21/2024 In this article, we introduce ThievingFox, a collection of post-exploitation tools, used to gather credentials from workstations and servers in the context of penetration tests and similar engagements. It works by making the target application load a malicious library, which performs in-memory hooking to gather credentials.
We provide details about a new attack chain to demonstrate an uncommonly observed objective: stealing NT LAN Manager (NTLM) authentication information. This activity can be used for sensitive information gathering purposes and to enable follow-on activity.
Web3 Crypto Malware: Angel Drainer
02/21/2024 In this post, we'll describe how bad actors have started using crypto drainers to monetize traffic to compromised sites. It starts with a brief overview of the threat landscape and investigation of Wave 2 (the most massive infection campaign) before covering Angel Drainer scan statistics, predecessors, and most recent variants of website hacks that involve crypto drainers.
This article is a technical analysis of the Alphv ransomware techniques, such as the usage of NTFS Alternate Data Streams for hiding a reverse SSH tool, exploitation of multiple vulnerabilities associated with a GNU/Linux-based appliance for initial access and privilege escalation, and DNS-based filtering and multifactor authentication (MFA) bypass.
Oldies but Goodies
A Kernel Hacker Meets Fuchsia OS
05/24/2022 In this article, I give an overview of the Fuchsia operating system, its security architecture, and the kernel development workflow. I assessed it from the attacker's perspective and shared the results of my exploit development experiments for the Zircon microkernel.