It is not the language that makes programs appear simple. It is the programmer that makes the language appear simple!
New Articles
This article reviews the recently discovered FalseFont backdoor, focusing on analysis of the backdoor and its capabilities. Lastly, we discuss ways to detect and prevent this targeted backdoor.
Assuming that most of you are hackers who are already familiar with testing upload functions in the "traditional ways" (file extensions, content-type, magic number, etc.), this writeup will cover the less traditional upload vulnerabilities.
In this blog we examine the three types of poisoned pipeline execution (PPE) attacks, explore methods to exploit these vulnerabilities, and discuss preventive measures for such misconfigurations. We will also dive into real-world scenarios where attackers used PPE attacks to achieve remote code execution (RCE) on CI/CD environments and explain how those attacks could have been prevented.
In this article, I detail a method to successfully implement DLL side-loading in the original process while always avoiding DllMain and its deadlock limitation.
Bluetooth vulnerability allows unauthorized user to record and play audio on Bluetooth speakers
03/22/2024
In this post, I illustrate a critical security issue that allows a third-party user to record audio from a nearby Bluetooth speaker with a built-in microphone, even when it is already paired and connected to another device.
In this blog, I will be testing the shell of Parlor City MUSH, a text-based Multi-User Dungeon (MUD), from arbitrary file read to restricted-shell escape.
This blog post is the first part of a series in which I plan to showcase various anti-rootkit techniques, known from anti-rootkits or anti-cheats, and their implementation in unKover, a small anti-rootkit tool that implements several techniques to detect rootkits, especially those manually mapped into memory.
This is a technical analysis of the AsukaStealer malware, which includes capabilities to deploy additional payloads on infected computers, configure FileGrabber settings, and deliver logs via Telegram, among other features.
Through the example of AsyncRAT we show that all is not lost when malware uses HTTPS to communicate with its C2 server. In some cases, a default SSL certificate is used, and this server literally announces itself as a component of the malware framework.
In this post, we detail how threat actors can exploit CVE-2024-27198 to perform a variety of malicious operations, such as dropping the Jasmin ransomware, deploying the XMRig cryptocurrency miner, Cobalt Strike beacons or the SparkRAT backdoor, and executing domain discovery and persistence commands.
Attacking Docker
03/25/2024
This article details the potential attack vectors and security risks associated with Docker environments. This involves exploiting vulnerabilities, misconfigurations, and weaknesses in various components of the Docker ecosystem, including Docker Engine, container images, orchestration platforms, and the underlying host system.
This blog post introduces a new GitHub Action that automates the validation of Sigma rules against a previously developed JSON Schema. We'll delve into the tool's history and how it came to be, and then walk through how to integrate it into your GitHub Actions workflows.
Latrodectus Loader Analysis
03/25/2024
This post will dive into a Latrodectus loader that leverages junk comments and WMI commands to obfuscate functionality and download a remote .msi file.
A tale about exploiting KernelCTF Mitigation, Debian, and Ubuntu instances with a double-free in nf_tables in the Linux kernel, using novel techniques like Dirty Pagedirectory. All without even having to recompile the exploit for different kernel targets once.
This blog post aims to present an in-depth analysis of Tycoon 2FA and the recent developments we spotted in the phishing kit. Additionally, this report provides tracking opportunities to actively monitor the infrastructure and mitigate risks associated with Tycoon 2FA.
This article discusses how I used Frida to instrument the code and call Java classes arbitrarily while investigating serialized objects used in a Java applet communication.
In this post, we will look in-depth into the much faster forms of device I/O transactions and begin to form an understanding of how software device drivers actually interface with PCIe devices to do useful work.
In this post, I detail how I found and built an exploit for CVE-2023-42931, a local privilege escalation allowing anyone with access to a local account (including the guest account) to elevate their privileges to root.
CVE-2024-21388: Microsoft Edge's Marketing API Exploited for Covert Extension Installation
03/27/2024
This article discusses how we discovered a vulnerability in the Microsoft Edge browser, designated CVE-2024-21388. This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to covertly install additional browser extensions with broad permissions without the user's knowledge.
In this second part, we will explore the use of implants in turnstiles for conducting replay attacks, a method that allows a malicious individual to gain unauthorized access by impersonating another person.
New Go loader pushes Rhadamanthys stealer
03/22/2024
In this blog post, we describe a malvertising campaign with a new loader. The program is written in the Go language and uses an interesting technique to deploy its follow-up payload, the Rhadamanthys stealer.
In this article we will demonstrate DNS pivoting and analysis techniques for uncovering malicious infrastructure.
Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word
03/20/2024
In this article, we deep dive into the complex reverse engineering process that led to the discovery of several vulnerabilities in JustSystems' Ichitaro Word Processor. CVE-2023-35126 and its peers (CVE-2023-34366, CVE-2023-38127, and CVE-2023-38128) were each assessed as exploitable with the possibility of achieving arbitrary code execution.
Abusing MiniFilter Altitude to blind EDR
03/27/2024
If you gain local admin access to a host running an EDR solution, you can potentially abuse a minifilter driver, such as the Sysmon driver, to evade detection. This method blinds EDR solutions that rely on kernel callbacks.
In this blog post, we delve into how the CcmExec service can be utilized for session hijacking and introduce CcmPwn, a tool designed to facilitate this technique. Finally, we will discuss detection strategies for security teams.
This post discusses a use-after-free vulnerability, CVE-2024-0582, in io_uring in the Linux kernel. It describes the data-only exploit strategy that we implemented, allowing a non-privileged user (and without the need of unprivileged user namespaces) to achieve root privileges on affected systems.
We discovered a cleartext Azure Access Token for a privileged Managed Identity. In this blog, we'll share the technical details around how we found and reported this vulnerability to Microsoft. Additionally, we'll cover how the finding was remediated.
We delve into the security implications that come with the integration of AI into our daily routines. This examination is particularly focused on how attackers could exploit OpenAI's ChatGPT to gain persistent access to user data and manipulate application behavior.
VMware ESXi Forensics with Velociraptor
03/28/2024
This article will show how to leverage Velociraptor features in order to perform forensic analysis of a VMware ESXi hypervisor.
I encountered an automation system that used the node-mysql2 library to connect to user databases and execute queries controlled by those users. In this article, I want to discuss the issues this causes and provide solutions for them.
Malware Development Essentials Part 1
03/28/2024
For malware developers and security professionals, understanding the inner workings of Windows is crucial. Windows internals, the hidden world beneath the user interface, can harbor vulnerabilities if not properly secured. Let's dissect the key components and their security implications.
Introducing SharpConflux
03/27/2024
In this post, we introduce SharpConflux, a .NET application built to facilitate Confluence exploration. It allows Red Team operators to easily investigate Confluence instances with the goal of finding credential material and documentation relating to objectives without having to rely on SOCKS proxying.
This blog entry discusses the Agenda ransomware group's use of its latest Rust variant to propagate to VMware vCenter and ESXi servers.
Still Recent
Unpacking Flutter hives
03/13/2024
The goal of this blog post is to obtain the content of an encrypted Hive without having access to the source code. We will create a Flutter app, understand the internals of the Hive framework, create a generic Hive reader, obtain the password of the encrypted Hive and recover deleted items.
In this article, we will study three GUI-based network scanners: NetScan, Angry IP Scanner and Advanced Port Scanner, with the aim of discovering forensic artifacts. The focus will be on the type of data they generate and how to use this data to find out how these tools have been used on an infrastructure.
This blog post will provide a general overview of malware that steals cookies (infostealer) and the prominent infostealer malware families. We'll cover common infection techniques and impacts as well as take a look at some examples.
In this blog post, we prove the severity of the bugs we identified while researching LogoFAIL by developing a PoC on a real device with modern firmware security features enabled (i.e. Intel Boot Guard and Secure Boot). In particular, we demonstrate how we turned one of the crashes found by our fuzzer into arbitrary code execution during the DXE phase.
In this blog post, I'll walk you through my discovery of two cross-site scripting (XSS) vulnerabilities in ChatGPT and a few other vulnerabilities. When chained together, these could lead to account takeover.
MutationGate
02/28/2024
Considering that inline hooking is a major detection mechanism used by EDR products, bypassing it is an interesting topic to me. In this article I describe a new approach to bypassing hooks; hopefully it can bring some improvements or advantages.
Oldies but Goodies
Persistence via App Registration in Entra ID
07/29/2023
In this blog post, I'll explain how to persist via an application registration, how to create a backdoor (of sorts), and the potential for privilege escalation. I'll show you how the attack primitive works and show the PowerShell scripts that can be part of this persistence.
In this first blog of the series, we discuss ECAM and how configuration space accesses look both in software and on the hardware packet network. We introduce the concept of TLPs (Transaction Layer Packets) and how these packets move in a manner similar to Ethernet networks.
Unearthed Arcana
Introduction to Low Level Bit Hacks
06/30/2009
This article is an overview of Bit Hacks, some ingenious little programming tricks that manipulate integers in a smart and efficient manner.
EDR Bypass: Retrieving Syscall IDs with Hell's Gate, Halo's Gate, FreshyCalls and SysWhispers2
01/29/2022
This post presents the various techniques used to dynamically retrieve syscall identifiers in Hell's Gate, Halo's Gate, FreshyCalls and SysWhispers2, and the differences between them.