Programming is 10% science, 25% ingenuity and 65% getting the ingenuity to work with the science.
New Articles
Granting repository "Write" access in an Open Source project is a high-stakes decision. We delve into the risks of insider threats, and demonstrate why strict safeguards are essential - branch and tag protection, code review, and especially controls around the publication of release artifacts.
In this analysis, we will go through the steps and conditions of CVE-2024-23897, an arbitrary file read vulnerability in Jenkins.
Introducing AzurEnum
03/13/2024 We introduce AzurEnum, a tool that aims to provide a lightweight overview of the most relevant security configurations concerning the Azure environment.
In this article, we'll talk about a common High priority issue: excessive membership in Active Directory administration (AD Admin) groups due to Nested Groups.
Microsoft finally released a kernel patch for a class of vulnerabilities leading to elevation of privilege (EoP). In this blog, we will highlight the key points and then focus on how to check if any of the vulnerabilities have been exploited or if there have been any attempts to exploit them, and enumerate popular CVEs included in this vulnerable surface.
This blog post is intended to further practice with MITRE data as well as understand some OT attack techniques implemented by OT malware. For this we are going to look at Pipedream and Incontroller.
NTFS Artifacts Analysis
03/12/2024 NTFS is always the place where every disk-related artifact will leave a trace. In this article, I will discuss what we can get out of analyzing NTFS Artifacts.
This post is about what to do when you observe a suspicious network logon session. We'll cover how you can take this first indicator and then gather more clues about what happened in the attack.
Evidence of Program Existence
03/11/2024 In this post, we will delve into a fairly new but extremely valuable and important artifact: the "Amcache" hive. We will see how the Amcache hive can be used to prove that a file had presence or existed on a system.
This article will provide you with an overview of the Cyber Kill Chain, why it is useful, and how to use it. You will see the kill chain in action as we go through a real-world case study focusing on Trigona ransomware.
In this post, we explore how the tracking of AWS Simple Notification Service (SNS) enumeration activity across multiple customer environments led to the takedown of a phishing site.
My idea was to try to hunt for the activity performed by an application that dumps the memory of a process (lsass.exe in this example). The hunting query could then be used to hunt the actual activity rather than relying on the specific application that dumps the memory.
Business Email Compromise Detection
03/12/2024 Advanced correlation and the analysis of authentication sequences can be used to combat sophisticated BEC threats. This includes using KQL for intricate session analysis and anomaly detection. We describe that suggested approach, along with two others that can form a comprehensive defense against BEC by enhancing the fidelity of detections.
Azure Batch Misused for Crypto Mining
03/15/2024 In this blog post, we explore the Azure Batch capabilities before diving into the logs of an unpatched TeamCity server that an attacker exploited to deploy a CoinMiner.
In this post, we'll explain what an .htaccess file is and why it's such an attractive target for attackers. We'll also cover some common examples of .htaccess malware and how to detect and respond to these threats to help protect your website and visitors.
Cloud Threats deploying Crypto CDN
03/11/2024 We discovered a malicious campaign using the blockchain-based Meson service to reap rewards ahead of the crypto token unlock. In this article, we cover what happened in the observed attack, further explain what the Meson Network is, and describe how the attacker was able to use it to their advantage.
In this post, I'll look at CVE-2023-6241, a vulnerability in the Arm Mali GPU that allows a malicious app to gain arbitrary kernel code execution and root on an Android phone. I'll show how this vulnerability can be exploited even when Memory Tagging Extension (MTE), a powerful mitigation, is enabled on the device.
Introducing Jigsaw: Shellcode Obfuscation
03/18/2024 In this post, I introduce Jigsaw, a tool that takes a raw shellcode input and outputs randomized shellcode, a lookup table, and a C/C++ stub to translate the randomized shellcode back to a usable format.
Security flaws within ChatGPT Ecosystem
03/13/2024 We identified generative AI ecosystems as a new and interesting attack vector. Vulnerabilities found during this research on the ChatGPT ecosystem could have granted access to users' accounts, including their GitHub repositories, in some cases through 0-click attacks.
In this post, we detail the use of the Deployment Scripts as a method for "borrowing" User-Assigned Managed Identities. Depending on the permissions of the Managed Identity, this can be used for privilege escalation.
CVE-2024-25153, a critical Unsafe File Upload and Directory Traversal vulnerability in Fortra FileCatalyst, allows a remote unauthenticated attacker to gain Remote Code Execution (RCE) on the web server.
Among the arsenal of evasion tactics lies one of my favorites: Direct Pointer execution. This is a subtle yet powerful maneuver that holds the potential to evade even the most vigilant security mechanisms.
We provide background and a technical analysis of GlorySprout stealer, a clone of the Taurus Stealer project lacking key features such as anti-VM or keylogging.
Releasing the Attacknet: A new tool for finding bugs in blockchain nodes using chaos testing
03/18/2024 We introduce Attacknet, a new tool that addresses the limitations of traditional runtime verification tools. Attacknet is intended to augment the Ethereum Foundation's current test methods by subjecting their execution and consensus clients to some of the most challenging network conditions imaginable.
Attacking AWS
03/18/2024 From misconfigurations and insider threats to sophisticated cyber-attacks, we delve into the techniques employed by malicious actors to infiltrate, compromise, and exploit AWS infrastructures.
In this first part of the series, I will cover some basic theory as well as a simple practical example of how a ROP-based buffer overflow works.
In this blog post we are going to explore an approach to exploiting an SQL injection in an UPDATE query on PostgreSQL databases.
Identity Providers for RedTeamers
03/18/2024 In this blog post, we're going to take a generic look at identity providers, to see just what works, and what new things we need to be aware of as pentesters.
Making desync attacks easy with TRACE
03/19/2024 In this blog post we will explore a new exploitation technique that can be used to completely compromise a web application using TRACE - an ancient HTTP method that's more widely supported than you might think.
To mitigate race conditions, operating systems rely on synchronization primitives such as mutexes, spinlocks, etc. In this article, we present GhostRace, the first security analysis of these primitives on speculatively executed code paths.
Java deserialization tricks
03/19/2024 This article will present a few tricks regarding the gadgets that were used to exploit an arbitrary deserialization vulnerability on other similar targets, which allowed us to exfiltrate data from the compromised applications without being noticed.
In this blog, we are going to be covering the topic of proxying DLL loads using the Windows thread pool API with C++/assembly. This specific example is going to use an I/O completion callback.
Bypassing USBGuard on Linux
03/18/2024 In this article, we detail an undesirable behaviour that allowed an attacker to bypass USB security policies when the Gnome desktop was deployed on a host with USBGuard, or when certain USBGuard rule configurations were in place.
DOM Purify - untrusted Node bypass
03/19/2024 In this article, I aim to elucidate a deficiency in the implementation of DOMPurify that I recently uncovered. While it may not pertain to the most common use cases of this library, I found it to be a compelling discovery worthy of exploration.
TP-Link TDDP Buffer Overflow Vulnerability
03/19/2024 TP-Link's TDDP program, listening on UDP port 1040, fails to properly verify the data length during parsing, leading to a memory overflow that corrupts the memory structure and causes a denial of service.
Fear Kerberos Part I - Overview
03/19/2024 This post is the first in the series and aims to provide an overview of the protocol, from its beginnings to the different (ab)use techniques.
Sysmon File Block Execution
03/19/2024 With Sysmon event IDs such as File Block Execution, you can not only block suspicious executables from running out of the Downloads folder, but also block malicious drivers, remote desktop tools and the execution of macros.
This series will be diving into offensive security against turnstiles used in physical access control systems. In this first part, we will focus on facial recognition aspects and the physical security of turnstiles.
We discovered a new privilege escalation technique affecting Active Directory (AD) environments that leverages the DHCP administrators group. In cases where the DHCP server role is installed on a Domain Controller (DC), this could enable members of that group to gain domain admin privileges.
Carving the IcedId - Part 3
03/17/2024 This post will focus on analysing a DLL file that was downloaded using a PowerShell script.
This blog post is currently only meant to create an active discussion about the overarching concept of a new approach to implant building for Command & Control frameworks.
Pwned by the Mail Carrier
03/20/2024 In this article, we discuss how on-premises MS Exchange compromises Active Directory and what organizations can do to prevent that.
Threat actors leverage document publishing sites for ongoing credential and session token theft
03/13/2024 This article details the use of legitimate digital document publishing (DDP) sites for phishing, credential theft and session token theft.
The Navigation library from the Android Jetpack suite facilitates work with fragments. The library contains a flaw that allows a malicious actor to launch any fragments in a navigation graph associated with an exported activity.
In this post I will show the trickiest SQL injection I have ever exploited. Some tools like sqlmap were able to detect the vulnerability but not to exploit it, so I performed the exploitation.
Fishing for Phishing with Nuclei Templates
03/19/2024 This article details how to detect phishing websites both accurately and at scale through automation. Although Nuclei didn't support such templates initially, I opted to create them, as the process appeared straightforward given the simplicity of template creation.
We discovered an unauthenticated command injection in the administrator web interface of the appliance. This allowed full compromise of the LoadMaster if you could reach the administrator web user interface (WUI).
In this blog post, we start with a Chrome renderer exploit, the first one in the exploit chain. The exploited vulnerability is CVE-2023-3079, a type confusion bug in V8.
In this article, I delve into the case of a developer who concealed malicious code within their open-source tool. The analysis part will deal with first-hand code obfuscation using different techniques. Then we will see how doing forensic analysis on a Git repository (repo) can lead to interesting conclusions.
Naively bypassing new memory scanning POCs
03/20/2024 I went down several rabbit holes when it comes to in-memory evasion, both from an offensive and a defensive perspective. The technique presented here is rather primitive and, if anything, very silly; still, it does prove one thing: even the more cutting-edge and scalable detections can be juked very easily.
Still Recent
How to stay safe from repo-jacking
02/21/2024 Repo-jacking is a specific type of supply chain attack. This blog post explains what it is, what the risk is, and what you can do to stay safe.
Using AI to find API bugs
02/11/2024 Using AI is a great way to accelerate the discovery of vulnerabilities in an API. In this article, I will explain how to use Postman's Postbot feature to write full test scripts from a simple AI prompt. Use this in conjunction with Postman's collection runner and you have a killer combination.
We analyze recent variants of MoqHao malware that use a very dangerous technique: while the app is installed, their malicious activity starts automatically.
Active Directory Advanced Threat Hunting - Compare GPOs with the Security Compliance Toolkit
03/03/2024 This article introduces the concept of Advanced Hunting for Group Policy settings and how it can transform management and security in IT infrastructures.
Oldies but Goodies
Carving the IcedId - Part 1
10/09/2023 In this first blog post, I will display possible ways to quickly triage PCAP data, extracting key pieces of information and enriching that information with additional context.
Carving the IcedId - Part 2
01/01/2024 During this post I'm going to assume we've identified the infected machines based on the PCAP data we analysed and, using a bit of prior knowledge, walk through the first two stages of the infection routine.
Unearthed Arcana
Single DNS Query - Hundreds of Packets
12/05/2018 I was interested in how a recursive DNS server resolves DNS queries in detail. For this I made two simple DNS queries to my recursive DNS server, which resulted in more than 100 DNS packets in total.