Hell isn't other people's code. Hell is your own code from 3 years ago.
Starred Articles
In this blog post, I will explore a new way of exploiting the vulnerability on PHP, using direct calls to iconv(), and illustrate the vulnerability by targeting Roundcube, a popular PHP webmail. Again, I will demonstrate the impact on the ecosystem, by revealing unexpected ways of reaching iconv() when using mbstring.
ScriptBlock Smuggling allows an attacker to spoof any arbitrary message into the ScriptBlock logs while bypassing AMSI. To make things more interesting, it also does not require any reflection or memory patching to be executed. AMSI patching, in particular, has started to be targeted by a lot of AV and EDR solutions, so this is a major perk of the technique.
This short blog post will run through a few ways the IT/Security teams can configure their existing Windows environment in order to improve forensics readiness using existing operating system capabilities. We will focus on critical forensics readiness artifacts and logs which incident response (IR) teams can utilize for quick triage and accurate remediation.
Reversing UK mobile rail tickets
01/31/2023 What data is inside the barcode of a mobile ticket, and how do they work? Could people who aren't ticket inspectors get the data out of them? It turns out that the answer is a bit more interesting than I initially expected!
New Articles
PCC: Bold step forward, not without flaws
06/14/2024 In this blog post, we'll review Apple's Private Cloud Compute (PCC), both good and bad, focusing on the context of AI/ML security.
In this blog I want to discuss a vulnerability that is rarely talked about and often stays under the hood, yet represents a significant security issue once it's found: the 'Type Juggling' vulnerability.
Hugging Face disclosed a potential breach where attackers may have gained unauthorized access to secrets stored in their Spaces platform. This post walks through the vulnerabilities and their impact.
From Prompt Injection to Data Exfiltration
06/14/2024 This post highlights how the GitHub Copilot Chat VS Code Extension was vulnerable to data exfiltration via prompt injection when analyzing untrusted source code.
CVE-2024-20693 vulnerability allows manipulating the cached signature signing level of an executable or DLL. In this post, we'll describe how we found this issue and what the impact could be on Windows 11.
Windows Event Logs Analysis
06/09/2024 In this article, we provide an overview of the Windows event logs, how to enrich them with Sysmon, and how to react with Chainsaw.
In this article, we'll delve into the analysis of a real phishing email delivering malware capable of forging electronic signatures on uploaded documents. Despite not being a professional digital forensics investigator, I'll demonstrate how publicly available tools and techniques can be utilized to dissect and understand threats.
In this second part of the series, we will take a broader view of the topics. Specifically, we will explore who the Threat Actors (TAs) behind ransomware actually are and who is writing these programs.
We have identified a new cryptojacking campaign targeting publicly exposed Docker Engine hosts for initial access. We discovered two novel binary payloads and an unusual persistence mechanism by modifying existing systemd services and using the ExecStartPost configuration option to execute malicious commands.
CVE-2024-4577 is a critical argument-injection vulnerability in PHP that affects Windows deployments and leads to remote code execution. This blog post will take a closer look at the few peculiar payloads we've seen.
We recently discovered a security weakness in the AWS EC2 import process when relying on Sysprep: additional files aren't sanitized during the initial Sysprep first boot, which could leave cleartext credentials readable by all users who have access to the affected system.
We decided to write a blog about a special Azure log. This log, often referred to as the Directory Activity Log or Tenant Activity Log, can be of importance during an incident response investigation.
In this blog post, we'll discuss the practical challenges of performing a mass password reset, how to prepare to carry one out, and best practices in performing them.
Hunting APT41 TTPs
06/15/2024 In this post, I will go through the references on the APT41 MITRE page and showcase hunting opportunities.
In this article, we will explore a newly identified technique to bypass Okta's passwordless MFA solution. We will provide a detailed technical analysis of the method and a demonstration, as well as offer strategies for mitigation and detection.
RD Web Access abuse: Fighting back
06/12/2024 This article will provide an overview of what we have observed when the Microsoft Remote Desktop Web Access portal is abused, add insight into how we conduct these investigations, and give some recommendations and mitigating strategies to help anyone else that might be encountering (or simply anticipating) the same situation.
We have detected a sophisticated malware campaign that leverages the Windows search functionality embedded in HTML code to deploy malware. Let's break down the HTML and the Windows search code to better understand their roles in the attack chain.
In this second part of the series, we will detail how to set up a DNS tunneling mechanism working on AWS even though all outgoing traffic is blocked. I will also detail how such a mechanism can be blocked through Route 53 DNS firewalling.
Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability
06/17/2024 With physical access to an Android device running Android 12 or 13 with ADB debugging enabled, it is possible to access the internal data of any user-installed app by misusing the CVE-2024-0044 vulnerability.
Learn how the threat actors behind the 2023 DERO cryptojacking campaign have adapted their techniques to evade detection, and the best practices for mitigation.
Monzo banking app attack
06/11/2024 In this post, we will first evaluate the security features of iOS and Android, focusing on theft prevention. We will then present a detailed attack scenario targeting the Monzo banking app in the event of device theft.
This post is about a new bug which affects only iTerm2 3.5.0 and 3.5.1, making it trivial to execute arbitrary code via the window title setting.
We identified an increasingly popular technique leveraging unique social engineering to run PowerShell and install malware. This article provides technical details and IoCs for some samples.
The privileged helper tool com.twitch.LauncherHelper, installed by Twitch Studio, has no checks built into its usage of XPC. This means an attacker could use methods defined in that helper app to move a file as root, which in turn could lead to privilege escalation.
Feeding the Phishes
06/18/2024 In this article, we will briefly talk about how link filters work and then explore some ways we might be able to bypass them.
Investigation: Malicious PDF + OSINT
06/18/2024 This blog will help with investigating malicious PDF files using a variety of techniques and resources. We will talk about how to improve our investigation using OSINT methods.
Kubernetes security contexts allow you to configure security options at the pod or container level. While some parameters are well understood, others can be more obscure and confusing. In this post, we'll debunk myths about the allowPrivilegeEscalation option.
This article will delve into the intricacies of Active Directory and outline a comprehensive methodology for pentesting AD environments. Whether you're a beginner or an intermediate cybersecurity professional, this guide will equip you with the knowledge and tools to effectively pentest Active Directory, identify vulnerabilities, and enhance the overall security posture of an organization.
In this blog, we'll provide an in-depth analysis of recent LNK phishing campaigns, examining the tactics, techniques, and procedures (TTPs) employed by threat actors. We'll also introduce tools and techniques for simulating these phishing campaigns, helping defenders test their defenses against malicious LNK usage.
Retrieving LAPS Passwords
06/17/2024 In this article, we will go through the key concepts of LAPS and provide a script to retrieve LAPS passwords.
Driving forward in Android drivers
06/13/2024 While there exists a well-established body of public security research on Android GPU drivers, other chipset components may not be as frequently audited, so this research sought to explore those drivers in greater detail.
In this article, we investigate the complexity induced by the use of Conditional Access Policies together with Privileged Identity Management in Entra ID. In particular, we will see what are the implications for offensive testing, defensive coverage, and even disaster recovery.
In this article, we provide an overview and a technical analysis of Rafel RAT. This malware is an open-source tool that operates stealthily on Android devices. It provides malicious actors with a powerful toolkit for remote administration and control, enabling a range of malicious activities from data theft to device manipulation.
I have always aspired to build my own 12-inch by 12-inch badge cloner. Now that day has finally come. Bear with me, as I have never built anything quite like this before. I welcome you to follow along my journey as I tackle this new puzzle. And perhaps my trials and tribulations will teach you something new as well.
Still Recent
Five easy ways to hack GraphQL targets
05/31/2024 If GraphQL is left incorrectly configured, developers risk introducing several security vulnerabilities, such as broken access controls, CSRFs, information disclosures, and much more. In this post, we'll go through some of the most common security vulnerabilities found in GraphQL in detail.
SCCM has a fairly rich set of logging and monitoring capabilities that can be used to hunt for malicious activity. The approach we are going to take is looking at how to detect misconfiguration abuses utilizing Sysmon and built-in Windows Event Logs.
DFIR Breakdown: Kerberoasting
05/31/2024 Kerberoasting allows attackers to determine sensitive passwords, and the most common place for detecting this attack is on the domain controller. In this post, we will look into the details of Kerberoasting from a DFIR perspective.
SVGTranslate is vulnerable to unauthenticated remote code execution (RCE) due to improper handling of the language parameter in the PNG generation process. The vulnerability arises from how shell commands are constructed and executed in the rendering service.
In this first part of the series, we looked at how an AWS Lambda-powered feature was exploited in a web app penetration test, initially leading to RCE and further on to out-of-band data exfiltration via DNS.
Oldies but Goodies
Forest Compromise Through AMA Abuse
04/07/2024 In this blog post I detail a scenario where you can compromise a forest by having Certificate Manager permission in a CA that is implicitly trusted by your domain controllers, granted that you also have control over a non-privileged user account.
With the Nintendo Switch, Nintendo announced being partnered with Nvidia for the console's SoC: the Nvidia Tegra X11. Like every console before it, a large number of researchers were interested in seeing if they could find a way to run unverified code on the console, and this is where the story begins.
A memory scanner scans the memory of a process and attempts to identify non-standard attributes within a memory region in an effort to determine if the process requires additional analysis and/or containment. In this blog, we will look at what a memory scanner is looking at and why, and then we will identify some low-hanging fruit from a Command & Control (C2) implant.
Unearthed Arcana
In this blog post I briefly introduce the vulnerabilities in the NPU driver and detail my journey through the exploitation process. I will focus on where previously published techniques fall short and how surprisingly old techniques remain applicable.