In programming, if someone tells you "you're overcomplicating it", they're either 10 steps behind you or 10 steps ahead of you.
New Articles
We provide technical details of several botnets using CVE-2023-1389, a command injection vulnerability in the web management interface of the TP-Link Archer AX21, to propagate.
Let's analyze NOBELIUM APT29 - Part 1
04/19/2024 This aims at providing visibility and in-depth information on each component of a compromise by the threat actor APT29. In this first part, we will focus on the initial access and detail the infection chain.
Let's analyze NOBELIUM APT29 - Part 2
04/19/2024 In this second part of the series, we will conduct dynamic shellcode analysis to dump from memory the next stage of the malware infection chain (NativeZone DLL) and examine closely the export of interest, which will lead to the next stage of the attack.
In this adventure, the Cisco C195 device family was jailbroken in order to run unintended code. This includes the discovery of a vulnerability in the CIMC body management controller, whereby an authenticated high privilege user can obtain underlying root access to the server's BMC (CVE-2024-20356).
One of the most common MFA bypass techniques is a response tampering attack. In this blog, I'll cover two real-world MFA bypass techniques via response tampering that I have found in the Synack Platform, starting from the easiest to more complicated.
Successful exploitation of OU ACLs could lead to the compromise of all OU child objects, and thus to high-impact privilege escalation scenarios. This article will present how an attack based on the manipulation of the gPLink attribute of Organizational Units could be exploitable through several common OU ACLs.
In this article we will be reverse engineering code that has 2 checks which validate whether the username entered is correct and then whether the serial number entered is also valid.
We recently identified the distribution of a modified version of "mimeTools.dll", a default Notepad++ plug-in, to trigger a malware connecting to a C2. In this article, we will analyze this malicious plugin as well as the malware, and provide related IoCs.
Backdooring Dotnet Applications
04/19/2024 This blog post presents a very manual approach to modifying application code in order to backdoor a dotnet application. The goal is to introduce new functionality into an existing dotnet application or dll without any application errors.
Reverse Engineering Dotnet Applications
04/18/2024 Reverse engineering dotnet applications can be useful to discover how the application works without access to the source code. In this blog post I will show you the basics, including tooling and binary modification.
This write-up discusses using ScareCrow to create payload frameworks for side loading (not injecting) into a legitimate Windows process, bypassing Application Whitelisting controls.
Attacking NodeJS Application
04/22/2024 This article provides guidelines to prevent common vulnerabilities found in NodeJS application code.
Passbolt: a bold use of HaveIBeenPwned
04/17/2024 Pwned Passwords is an interesting example of the dangers of designing a cryptographic protocol with a deemed acceptable risk. In this article, we demonstrate that for an entity able to spy on Pwned Passwords API usage by Passbolt while a user types in a new password of 11 chars or more, it is surprisingly doable to recover the password.
Hard disk structure and analysis
04/17/2024 Hard disks are the containers that hold our evidence files (from the investigator's perspective); understanding them is mandatory for every forensic analyst, as they can provide valuable information within the investigation. In this article, we are going to discuss how the hard disk is structured from a hardware and a logical point of view.
How many of us responders know how to investigate a Google Workspace incident? Whether it's investigating a suspected malicious email or a compromised user, do you know what logs exist? Are you familiar with the capabilities of your license? Do you know how to use the dashboard? If not, then this blog post is for you!
Diving into Hidden Scheduled Tasks
04/16/2024 To help defenders further understand the security implications of manipulating the SD registry value for a scheduled task, we performed further research to expand on potential techniques to hide scheduled tasks that evade the current detection guidance and highlight additional telemetry gaps in traditional auditing mechanisms.
Analysis of Remote Access Applications activity can indicate if a system is compromised by threat actors. In this blog, we conduct such analysis in order to identify potential threats.
In this article, we will discuss the shortcomings of existing malicious code recovery techniques and offer an alternative forensic solution for dumping PE (EXE or DLL) images that neither relies on collecting files nor parsing attacker-controlled memory regions.
Securing the Inbox
04/17/2024 A Comprehensive Methodology for Email Threat Detection and Classification
In this blog post, we are going to introduce how to implement real time MISP IoC matching in Kunai, in a very short amount of time.
We identified four core M365 product areas and mapped 34 native security capabilities to ATT&CK, resulting in 518 mappings of native M365 capabilities to adversary behaviors. M365 users now have a collection of independent assessments and a comprehensive view of how M365 security capabilities can be used to mitigate real-world threats.
EDR as an Offensive Tool
04/19/2024 In this article, we will see how we bypassed the anti-tampering mechanism of a leading EDR to execute malicious code within one of the EDR's own processes and altered the mechanism to gain unique, persistent, and fully undetectable capabilities.
AWS Detection Engineering
04/18/2024 This short article will present the main log sources for AWS, along with some relevant events defenders could use to detect attackers. This is overall non-exhaustive and is more targeted at detection engineers who are just starting with AWS.
Cosmos IBC Reentrancy Infinite Mint
04/23/2024 In this article, we describe a vulnerability in ibc-go, the reference implementation of the Cosmos Inter-Blockchain Communication (IBC) protocol. A reentrancy vulnerability during the handling of timeout messages could have allowed an attacker to mint an infinite amount of IBC tokens on affected Cosmos chains.
New Backdoor, MadMxShell
04/17/2024 We observed a threat actor weaponizing a cluster of domains masquerading as legitimate IP scanner software sites to distribute a previously unseen backdoor. In this blog, we will examine the campaign details, the threat actor's infrastructure, and a detailed technical analysis of the backdoor.
Pupy is a RAT malware strain that offers cross-platform support. Because it is an open-source program published on GitHub, it is continuously being used by various threat actors including APT groups. This post will provide a basic overview of Pupy RAT and cover attack cases identified during the analysis process.
Deception tech involves deploying decoy systems, data, or networks to deceive and trap attackers, enhancing threat detection and response capabilities. In this blog post, we ask and answer two questions. How can we stack different deception tools? Why would we even want to do that?
We demonstrate how credential delegation settings can allow retrieval of cleartext passwords without affecting the LSASS process or even requiring administrator rights (limited only by the current user's password)!
This article will review the differences between Process Injection and Process Hollowing, and briefly introduces other injection techniques. Following this, we will analyze two malware samples.
We found an unauthenticated command injection vulnerability, which when coupled with a privilege escalation allows full compromise as root of the Flowmon server. This vulnerability was assigned CVE-2024-2389.
WIFI Credential Dumping: Techniques to retrieve the PSK from a workstation post-compromise
04/17/2024 This blog post will highlight techniques to retrieve the PSK from a workstation post-compromise.
In this article, we have investigated how attackers from ToddyCat group obtain constant access to compromised infrastructure, what information on the hosts they are interested in, and what tools they use to extract it.
The DHEat denial-of-service vulnerability involves sending a large number of Diffie-Hellman (DH) public keys to a peer, causing it to perform many unnecessary modular exponentiations and wasting CPU resources. In this article, I analyze the impact of the DHEat attack against SSH services in cloud environments.
In this first blog post, we will describe the inner workings of bootstrap tokens, the node authorization mode, signers and certificate controllers. Then we will show how to exploit a pod sharing the host network namespace in an AKS environment to leak such a token.
ROPGadget: Writing a ROPDecoder
04/20/2024 In this blog post we will be talking about creating a ROPDecoder from scratch, as many people face issues in understanding the automated process behind it. We will be starting from selecting our ROP gadget, going on to encoding and decoding our shellcode manually, then moving further to automate the process in 2 ways.
MXNet Unsafe Pointer Usage
04/12/2024 We discovered an interesting bug in MXNet, a popular library for creating machine learning models. Mishandling of memory in a core, commonly used function in MXNet leads to arbitrary code execution. In this blog post, we explain how this issue can lead to remote code execution.
18 vulnerabilities in Brocade SANnav
04/24/2024 In this article, we provide full details of 18 vulnerabilities found in Brocade's SANnav Management Portal and SANnav Global View, ranging from clear text syslog traffic to hardcoded SSH key access via multiple insecure processes and configurations.
Loading DLLs Reflections
04/25/2024 In this blog, we will discuss reflective loading into the current process. This technique is used to load a DLL into the memory of a process without having that DLL written to disk. We will demonstrate this method in C and C#.
This post details the process of going from absolutely nothing to achieving a fully unauthenticated remote code execution exploit as root in a Mitel IP phone. We've discovered several zero-days which, chained together, give the privilege of completely owning the phone.
In this blog post, we'll discuss automating cloud misconfiguration review, creating custom AWS checks, and sharing results on the PDCP Cloud for review.
(The) Postman Carries Lots of Secrets
04/25/2024 Postman, the popular API testing platform, hosts the largest collection of public APIs. Unfortunately, it's become one of the largest public sources of leaked secrets. In this article, we share our research on credential exposure on Postman.
In this post, we show how extending Fuzzilli (a fuzzer implementing coverage-guided fuzzing) instrumentation could be helpful for more easily identifying vulnerabilities and providing more useful feedback to the fuzzer for further testing. Our aim is to demonstrate how we can modify the instrumentation and extract useful data for the fuzzing process.
We have identified a critical vulnerability in the Horacius software. This vulnerability poses a significant threat to system security, as it allows attackers with physical access to the device, without the need for access credentials, to gain full control over the Windows operating system.
How MFA Is Falling Short
04/25/2024 MFA's promise is to secure all our logins while providing a relatively frictionless experience. But while MFA is certainly better than nothing, the experience is about as frictionless as sandpaper, and attackers keep finding new ways to poke holes in it. So let's talk about what happened to MFA, and how we can help it fulfill its original promise.
In this article, we'll see how malware utilizes complex encryption algorithms like AES and "seemingly simpler" encoding methods like Base64 to conceal its functionality.
Multiple Vulnerabilities in Open Devin
04/24/2024 Open Devin is a fully autonomous AI agent that can build entire software stacks starting from a single user prompt. I have identified path traversal and DNS rebinding vulnerabilities in the Open Devin application that could lead to the exfiltration of sensitive data from your system.
NetNTLM is still a thing?
04/25/2024 In 2024 NetNTLM leaking is still a thing! In this post we will cover some parts of coercing user authentication via NetNTLM, the mystery around HTTP.SYS, relaying without admin privileges, relaying with an active Windows firewall, and SSH port forwarding.
Still Recent
Vulnerabilities found in VMWare by me
03/08/2024 This post is going to be about the two vulnerabilities found by me in the VMWare hypervisor: a Denial-of-service vulnerability via Cortado ThinPrint (CVE-2022-22938), and a VMWare Workstation Out-of-bounds read vulnerability in the Cortado ThinPrint component TTC Parser (CVE-2021-21987).
We will dive into a fascinating case study where we escalated a seemingly simple DOM XSS into a sophisticated 1-click Account Takeover. In this first part we will focus on the OAuth login flow and the initial attack surface.
In this second part of the series, we will exploit the DOM XSS and escalate it to a 1-click Account Takeover.
Gafgyt Backdoor Analysis
04/07/2024 In this report, we will conduct a comprehensive analysis of Gafgyt, which is an ELF malware. Our aim is to examine the malware's capabilities and determine its functions.
In this blog post we will explain how we broke the SecOC implementation of a 2021 RAV4 Prime by attacking the power steering ECU. The ultimate goal was to run openpilot on this car, but it can also be used to run other aftermarket devices.
Breaking APIs with Naughty Strings
04/09/2024 We all know poor input validation is a critical attack vector for exploiting software. But did you know that a data set code named the Big List of Naughty Strings (BLNS) takes that to an entirely different level? Let me show you how to use these naughty strings to break APIs.
Oldies but Goodies
USB HID & Run Attack
11/19/2023 I spent some time looking into Consumer Control, a subset of USB functionality, which is what allows media keyboards to launch and control various applications over USB with the press of single buttons; so-called Consumer Control Buttons (CCBs). This writeup describes my research on the matter, and what I have nicknamed the USB HID & Run attack.
In this post, we will explore the inner workings behind the async and await keywords, push them to the limits, and write an obfuscator that can turn programs into long chains of awaits.
Field Guide to the Android Manifest File
04/06/2023 Every Android application has a "manifest.xml" file located in the root directory of the APK that describes all of the components of the app, the application permissions, and the required hardware/software features. In this blog, we are going to walk through a sample of the fun things you can learn from an app's manifest file as a hacker.
Unearthed Arcana
The only PowerShell Command you will ever need to find out who did what in Active Directory
04/28/2019 If you don't have a SIEM product or products that monitor who does what in Active Directory, this command makes it very easy, even for people who don't have much experience in reading Event Logs.