Why are video games so much better designed than office software? Because people who design video games love to play video games. People who design office software look forward to doing something else on the weekend.
New Articles
In this Article, we will dive into some practical approaches on HOW exactly to perform LLM Red Teaming and see how state-of-the-art Chatbots respond to typical AI Attacks.
In this article, I will share a shortcut of all the different techniques to leverage web cache vulnerabilities.
In this article we detail two security issues in GOG Galaxy 2.0: a Denial-of-Service, assigned CVE-2023-50915, and a Local Privilege Escalation, assigned CVE-2023-50914. They are both related to the underlying filesystem and the IPC between its client process and its privileged service.
In this article, I detail my research into time-based secrets. Starting from some vulnerabilities found in common frameworks, I will theorize and implement a generic approach: the Sandwich attack.
Malware Development with C
04/06/2024
In this short blog we will leverage the power of C programming, and uncover how simple yet powerful techniques can be employed to manipulate registry keys, ensuring that our desired configurations persist across system reboots and updates.
This article details the operating model and provides IoC for a malware strain being distributed by using the Google Ads tracking feature.
This article provides technical analysis of a malware distributed through malvertizing and targeting security analysts.
Exploring IPv6 Zone Identifier
04/06/2024
This article is dedicated to a series of tricks utilizing the modern capabilities of IPv6 and the shortcomings of address parser implementations in standard libraries of popular programming languages.
Orphan Processes in Linux
04/02/2024
In this short blog we will see that ps is not giving us the full story, but with additional info from /proc we can differentiate orphaned processes with PPID 1 from processes that were actually started by systemd.
Preventing DCSync Attacks
04/03/2024
This article will delve into the details of DCSync attacks and provide different approaches and techniques to mitigate them.
500ms to midnight: XZ / liblzma backdoor
04/05/2024
In this article, we provide an initial analysis of the XZ Utility backdoor, including YARA rules, osquery, and KQL searches to identify potential compromises.
With this post I would like to provide a technical dive and considerations about the recently disclosed XZ backdoor vulnerability (CVE-2024-3094). This vulnerability, which affects the XZ Utils library, a widely used data compression utility in Linux distributions, had the potential for severe consequences, including remote code execution (RCE) and unauthorized access to impacted systems.
Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
04/04/2024
During analysis of an Ivanti Connect Secure appliance compromised by UNC5221, we discovered four distinct malware families that work closely together to create a stealthy and persistent backdoor on an infected appliance. We assess that these malware families are designed to enable long-term access and avoid detection.
Guided by The Matrix's "Trainman", we walk through some of the more obscure passageways into accessing Microsoft Azure, and how to detect their usage.
Most documentation concerning SSH and offensive security relates to brute forcing SSH logins or creating tunnels for port forwarding; but when combined with other tradecraft, SSH offers some exciting possibilities as part of an unconventional initial access vector.
Persistent Magento backdoor hidden in XML
04/04/2024
Attackers are using a new method for malware persistence on Magento servers. We discovered a cleverly crafted layout template in the database, which was used to automatically inject malware.
The Anatomy of Stealers: How Are They Stealing Our Information? Where Are They Taking It?
04/02/2024
This research aims to explore the details of stealer threats and, by increasing knowledge and awareness in the cybersecurity field, assist in developing a more effective strategy against malicious software.
This blog post is an in-depth walkthrough on how we perform security research leveraging GitHub features, including code scanning, CodeQL, and Codespaces.
This article explores an example of how Microsoft Entra workload identities can inadvertently extend the security boundary of an Entra tenant to a foreign tenant.
Attacking Azure
04/08/2024
This article summarizes the main attack vectors against Azure and demonstrates how to increase the security of common operations.
InSpectre Gadget
04/09/2024
We present InSpectre Gadget, an in-depth Spectre gadget inspector that uses symbolic execution to accurately reason about exploitability of usable gadgets. Our tool performs generic constraint analysis and models knowledge of advanced exploitation techniques to accurately reason over gadget exploitability in an automated way.
Several programming languages allowed an attacker to perform command injection on Windows when specific conditions were satisfied. In this blog, I am documenting the details to provide more information about the vulnerabilities and minimize the confusion regarding the high CVSS score.
In this last post, we will review a few additional attributes that we thought had value, particularly regarding detection and baselining opportunities. For each of them we will detail the background, the attack and the related detection queries.
This article will mainly focus on the Advanced Static Analysis stage, once we have performed Basic Static Analysis (extracting information without running the malware) and Basic Dynamic Analysis (executing the malware to see how it runs "live").
The Havoc command and control (C2) framework is a flexible post-exploitation framework. This article aims to empower defenders to detect the presence of Havoc, analyze its proprietary agents, known as Demons, and enhance organizational resilience against modern post-exploitation attack flows.
In this blog post, we will discuss how to use Frida for memory manipulation operations using the JavaScript API and analysis of native Android libraries. In this tutorial, we will focus on some of the APIs used for scanning, reading and writing, copying, and patching process memory.
In this blog, we will use passive DNS tooling to cross-examine historical domains and identify common infrastructure and patterns in Vultur banking trojan infrastructure naming schemes. We will leverage these as pivot points to identify 13 new domains in use by the Vultur developers.
In this article, I will detail how I identified a race condition in the World ID SDK that would have enabled an attacker to bypass the preset verification limit on a cloud-based implementation.
Still Recent
Phishing investigation
03/07/2024
This article provides guidance on identifying and investigating phishing attacks within your organization. The step-by-step instructions help you take the required remedial action to protect information and minimize further risks.
This article will demonstrate one situation that allows pivoting from a Microsoft cloud environment to on-premise machines via PSRemoting.
Passkeys - Under The Hood
03/14/2024
In this blog we want to dig deeper into Passkeys technology, see how some of the existing solutions work in practice, and compare them to hardware security keys.
Without pretension, this article reintroduces the already known concept of a Property Oriented Programming chain (POP chain), or gadget chain, in PHP. The first part of the article explains the basic ideas associated with gadget chains, whereas the second part details how we were able to identify a new one within Laravel.
Wishing: Webhook Phishing in Teams
03/14/2024
Microsoft Teams contains a webhook feature that is susceptible to abuse. The end result for attackers is a variety of ways to abuse Teams for post-exploitation, mainly to send phishing messages. This article will explore these vulnerabilities in detail, discussing their implications for organizations.
Oldies but Goodies
In this blog post series, we will describe how to best leverage MITRE's ATT&CK framework for threat hunting. This first part will provide a basic overview of the techniques.
In this second part we will drill into some more advanced threat hunting use cases, using MITRE's ATT&CK framework.
In the final part of the series, we will focus on some of the more critical threat signatures that can be used for hunting retroactively in your environment. These particular techniques I'd consider to be higher fidelity and should ultimately be constructed into alarms for immediate response.
This blog post provides a walkthrough on dynamically bypassing anti-debugging and anti-reversing defences in iOS applications. Furthermore, this blog post uses resources from OWASP MASTG and provides a comprehensive guide that discusses mobile application security testing and reverse engineering.