First, solve the problem. Then, write the code.
New Articles
In this article we provide technical analysis and IoCs for Line Dancer and Line Runner, a memory implant and a backdoor found on Cisco devices abused via CVE-2024-20353 and CVE-2024-20359.
We provide full technical analysis of GuptiMiner, a malware campaign hijacking an eScan antivirus update mechanism to distribute backdoors and coinminers.
Pwning the Domain: Persistence
04/26/2024 This article reviews the main persistence techniques that can be used on a compromised Windows system.
In this article we will focus on a mobile Trojan targeting both iOS and Android users in order to collect identity documents, SMS, pictures and other data related to the compromised phones. We will analyse the IPA file, and then describe how the malware connects to the C2 websocket server.
We identified an arbitrary file move vulnerability in the VirtualBox system service that could facilitate privilege escalation; here we'll outline the steps used to discover and exploit this issue.
This blog post showcases a pretty old (2019) vulnerability I found in VirtualBox, which allowed a guest-to-host escape. I will walk you through my chain of thought, from the beginning until the end, showing my young self's thinking process that led me to this finding.
In this blog post I explain how reply URLs in Azure Applications can be used as a vector for phishing. The impact of this can range from data leaks to complete tenant takeover, just by luring a victim into clicking on a link.
Using syzkaller, with our added support for the NVMe-oF/TCP subsystem, we found five new vulnerabilities. This blog post explores our research methodology, milestones, and, ultimately, the results.
This blog post is going to discuss how to collect a triage image of a *nix box. This is a tool that you need to add to your toolkit and have at the ready when it comes to triaging *nix systems.
In this article, we will discuss the components of a jump list and how they relate to the digital forensic investigation of a computer.
Hunting for a Sliver in a haystack
04/25/2024 In this blog post, we'll delve into methods to detect the Sliver framework and explore how to hunt for threat actors who have leveraged the Sliver framework to achieve their objectives.
ETW-ByeBye: Disabling ETW-TI Without PPL
04/24/2024 In this article we will detail the steps to create a PoC for disabling telemetry in Windows, allowing most EDR detections to be bypassed.
We present the JA4T fingerprint technique. In addition, we provide some tools and review how they can be used to create mitigation rules.
In this blog we will dive into some unexpected techniques that allow an Azure user with Storage Account permissions to abuse them for privilege escalation and lateral movement. We will discuss prior work on storage to Azure Cloud Shell & Azure Function App and share a new technique around Azure Standard Logic App.
This post covers the process of discovering multiple kernel vulnerabilities introduced in 24H2 and writing an exploit, including bypassing new hardening to kernel ASLR (KASLR).
How to Crack the Perfect Egg
04/22/2024 Instead of just showing how to crack passwords, I intend to focus on key parts of the methodology and really demonstrate some important steps to the overall recovery process.
In this blog post, we detail a logging bypass vulnerability in Microsoft Graph that allowed attackers to perform password-spray attacks undetected.
Analysis of the xz-utils backdoor code
04/29/2024 A significant number of high-quality analysis reports have been published regarding the xz-utils backdoor. Building upon these analysis reports, this article will focus on analyzing and researching the xz-utils backdoor code section to understand the attackers' technical approach and implementation details.
In this report, we detail the steps of an intrusion that started with a phishing campaign using PrometheusTDS to distribute IcedID.
In this article, I am going to share several reconnaissance techniques that proved to be particularly helpful in pentest engagements.
Judge0 Sandbox Escape
04/29/2024 We detail vulnerabilities in Judge0 that allow an adversary with sufficient access to perform a sandbox escape and obtain root permissions on the host machine. These vulnerabilities were assigned CVE-2024-29021, CVE-2024-28185 and CVE-2024-28189.
iOS: a journey in the USB networking stack
04/30/2024 In this article, we take a short journey inside the implementation of the networking interfaces exposed by iOS when connected via USB. These are used for sharing a computer's connection with an iPhone and sharing an iPhone's connection with a computer. USB networking even carries RemoteXPC packets, which seem to be the future common ground for all Apple-based cross-device communications.
How Not To Protect Your Android Applications
04/30/2024 This article takes an uncommon approach to security articles. Instead of suggesting ways to enhance your application's security, this one aims to share insights we've gained through our experience dealing with a broad spectrum of threats targeting Lightricks apps. We'll also advise you on what NOT to do when securing your Android application.
Bypassing MFA on Microsoft Azure Entra ID
05/01/2024 In this article, we describe a simple scenario that made it possible to bypass MFA and access Azure Portal using 2 TGS tickets.
ADCS Attack Paths in BloodHound - Part 2
05/01/2024 In this blog post, we will continue to explore more of the new edges we have introduced with ADCS support in BloodHound. More specifically, we will cover how we have incorporated the Golden Certificate and the ESC3 abuse technique.
This blog describes one set of signals for use by system administrators or endpoint detection agents that should reliably flag any access to the browser's protected data from another application on the system.
Manual LDAP Querying - Part 2
05/02/2024 This blog focuses on items not covered in the first part of the series, as well as discussing some of the complexities of manual querying. The goal is to get a more accurate understanding of an AD environment and recognize some of the common issues that can arise from querying manually.
In this part of the series we will explore the distinctions and implementations, at a high-level overview, of RISC versus CISC architecture. This will help in understanding malware's optimization strategies; disassembling, analyzing and deobfuscating the binary code; and determining the intended target.
This article is a technical analysis of a previously undetected malicious Mach-O binary programmed to behave like a cross between spyware and an infostealer. We have named the malware Cuckoo, after the bird that lays its eggs in the nests of other birds and steals the host's resources for the gain of its young.
We present a novel approach to evade EDR, relying on the ability to automate the modification of the .text section, thereby complicating static analysis and requiring EDR solutions to continuously monitor for changes in code behavior.
Still Recent
Using Tailscale for persistence
03/24/2024 The idea behind this article is to see how someone could use Tailscale VPN as part of gaining persistence on a compromised system, keeping access in a relatively stealthy fashion.
Web2 Bugs in Web3 Systems
03/19/2024 In this post, we will summarize some ongoing research we have been conducting on the use of web2 components in web3 systems, which led to the identification and prompt mitigation of several web-based attack paths in the popular node management framework Dappnode.
Zloader Learns Old Tricks
04/09/2024 Zloader is a modular trojan based on leaked ZeuS source code. Most recently, it has reintroduced an anti-analysis feature similar to one that was present in the original ZeuS 2.x code. In this article, we explore the technical intricacies of this anti-analysis feature.
The Phishing Attack: A Step-by-Step Analysis
04/17/2024 Phishing attacks are alarmingly effective. They play on human weaknesses to trick people into dangerous actions. Let's dissect a phishing attempt. We'll expose the attacker's methods and learn how to defend ourselves.
5 Methods I Use To Discover APIs
04/12/2024 In this writeup we will talk about methods for API reconnaissance in order to get a good picture of our attack surface.
This blog post is the continuation of our series on Operation Triangulation. In this post, we will focus on the audio module, which is in charge of recording the device microphone.
The xz attack shell script
04/03/2024 At a high level, the xz attack is split in two pieces: a shell script and an object file. There is an injection of shell code during configure, which injects the shell code into make. The shell code during make adds the object file to the build. This post examines the shell script.
Oldies but Goodies
In this short blog post we will discuss how named pipes and PowerShell one-liners could be used to create Windows bind/reverse shells over the Windows SMB port.
This article is about greybox fuzzing of userland targets that can be encountered in Android using AFL++ and its Frida mode. We also discuss how to target JNI functions, to test the native features invoked by Java code.
Unearthed Arcana
I've been looking to try my hand at IC decapsulation for years, and finally got the time to do it. The process took plenty of trial and error, so this post will document most of my failures and successes, and detail the methodologies used for each attempt.