You keep on learning and learning, and pretty soon you learn something no one has learned before
Starred Articles
In this article, we explain what compiled V8 JavaScript is, how attackers can leverage it in their malware and, most importantly, how it appears in the wild, as used by real threat actors.
We discovered that threat actors have been using novel tricks to lure Windows users for remote code execution. Specifically, the attackers used special Windows Internet Shortcut files (.url extension name), which, when clicked, would call the retired Internet Explorer (IE) to visit the attacker-controlled URL.
In this article, we will show you how to create a hybrid PDF that abuses widget annotations to create render discrepancies, and share the code so you can generate your own.
This article introduces a previously-unnamed class of Windows vulnerability that demonstrates the dangers of assumption and describes some unintended security consequences.
This post will explain how we found a GitHub PAT that provided access to the entire Python infrastructure and prevented a supply chain disaster. Using this case, we will discuss the importance of (also) shifting right in secrets detection: searching for secrets in binaries and production artifacts, not just in source code.
New Articles
CloudChat Cashes Out: Who Needs a C2 Anyways
07/04/2024 This post examines a variant of CloudChat, a macOS stealer, that has a significantly reduced feature set. The malware no longer exfiltrates files using a C2, Telegram bot, or FTP, and instead relies solely on replacing wallet addresses in the user's clipboard.
Use SSH on Windows, they said...
07/04/2024 This article delves into the details of bypassing GPO "Deny Logon" policies via SSH.
Auditing the Ask Astro LLM Q&A app
07/05/2024 In this post, we look at security issues we found in Ask Astro, an open-source retrieval augmented generation (RAG) application, that could lead to chatbot output poisoning, inaccurate document ingestion, and potential denial of service.
Let's Make & Crack a PRNG in Go!
07/05/2024 In this article, we're going to open the black box, understand how a PRNG (Pseudo-Random Number Generator) works, and find out whether this is truly something to be concerned about.
Exploiting Cloud Secrets Management Repositories: Adversary Tactics and Mitigation Strategies
07/02/2024 In this blog, we will understand how attackers exploit vulnerabilities in cloud secret repositories, and discuss what organizations and cyber-defenders can do to protect against such threats.
This post details Mailcow's XSS and file overwrite vulnerabilities that allow attackers to inject code, hijack sessions, and execute commands, highlighting critical security risks.
In this blog, I am publishing the security research project I recently conducted. This project led to the discovery of 7 CVEs, which affected over 7 million WordPress websites.
Sysmon: a viable alternative to EDR?
07/04/2024 In this article, I'm talking about leveraging Sysmon's log telemetry for building detection. I'm not speaking about forensics or any post-incident use case.
In this article, I will delve into smokeyobfuscator tool functions and demonstrate how to use it to efficiently obfuscate CSharp code.
By chaining various messaging APIs in browsers and browser extensions, I demonstrate how we can jump from web pages to "universal code execution", breaking both Same Origin Policy and the browser sandbox. I provide two new vulnerability disclosures and demonstrate how such vulnerabilities can be discovered at scale.
Windows Registry Analysis
06/30/2024 In this article, we will review the key components, functions, and operations required to properly investigate the Windows Registry.
GWT-Assisted HTML Smuggling
07/03/2024 In this article, we'll take you through an introduction to GWT, writing your own Hello World! application, and exploring 2 different HTML smuggling scenarios.
This post explores how we can effectively leverage alternative tracing methods available on older kernels to ensure that all Linux environments, regardless of age, are fortified against unauthorized changes and potential security breaches.
Learn how to detect AS-REP roasting attacks in part two of a special five-part series on critical Active Directory (AD) attack detections & misconfigurations.
Learn how to detect Kerberoast attacks in part one of a special five-part series on critical Active Directory (AD) attack detections & misconfigurations.
In this article, I present a new technique involving signed minifilters to disable EDR systems.
Microsoft Entra ID's cross-tenant synchronization feature allows an attacker to move laterally to a partner tenant, opening an attack path for tenant-to-tenant lateral movement. This blog post will cover how the attack works, and how to approach the detection methodology.
We have uncovered a persistence attack vector, Shadow Linking, which allows threat actors to gain persistent access to victims' SaaS accounts via OpenID Connect (OIDC) login.
A sharp increase in DDoS attacks has been observed since the beginning of 2023. A new trend, though, is to send high packet rate attacks. This article introduces the findings of our teams in order to bring new insights regarding this threat.
Medusa Attack Analysis
07/01/2024 This report highlights Medusa Ransomware Group's reliance on common tactics, techniques, and procedures (TTPs), such as living-off-the-land (LoTL) techniques, PowerShell for credential dumping, and service installations for persistence.
In this blog entry, we will discuss how the Jenkins Script Console can be weaponized by attackers for cryptomining activity if not configured properly.
This article provides technical analysis of a new Mallox ransomware variant that uses custom Python scripts for payload delivery and exfiltration of victim information.
Central to enterprise Wi-Fi security is the Extensible Authentication Protocol (EAP), a versatile framework for securely authenticating users and devices. This post explores various EAP methods, authentication mechanisms, and EAP modes that form the foundation of enterprise Wi-Fi security.
I will share a technique that can be used to evade EDR products. I hesitate to call it a "new" technique, as I drew inspiration from existing projects and techniques. However, it is not a typical evasion method like sleep obfuscation, stack obfuscation, or syscall manipulation. Instead, it exploits oversights in detection mechanisms.
I discovered an unauthenticated path traversal against the latest version of Progress WhatsUp Gold and turned it into a pre-auth RCE. This article details how I did it.
This is a short writeup about a trivial privilege escalation vulnerability against the latest version of Progress WhatsUp Gold.
I created a raw UDRL-less Cobalt Strike Beacon, using a specific cna script, allowing a direct IAT Sleep hook on the Beacon and a quicker way to prototype two techniques, dubbed MemoryBouncing and MemoryHopping. This way, I managed to overcome the Elastic EtwTI-FluctuationMonitor tool, which bakes in a detection for sleep obfuscation techniques.
In this blog post we'll see how Falcon was blocking me and why it is still possible to dump these secrets exploiting decorrelation attacks! As a bonus, I'll show you a fancy way of retrieving the Windows boot key without having to dump the SYSTEM hive.
I discovered an unauthenticated path traversal against the latest version of Progress WhatsUp Gold, and I also turned it into a pre-auth RCE.
The Current State of Browser Cookies
07/08/2024 This article details cookie storage in the main browsers, and provides techniques and tools used to steal and decrypt them.
Shelltorch Explained: Multiple Vulnerabilities in Pytorch Model Server (Torchserve) Walkthrough
07/08/2024 This is the deep dive, full story with technical walkthrough for the PyTorch (TorchServe) ShellTorch vulnerabilities CVE-2023-43654 and CVE-2022-1471, providing complete, unrestricted access to thousands of exposed TorchServe instances.
Attacking IaC
07/08/2024 Attacking Infrastructure as Code (IaC) methods involves exploiting vulnerabilities and misconfigurations in the automation scripts and tools used to provision and manage IT infrastructure. This guide details the main issues encountered with Terraform.
I discovered a neat little vulnerability in the kernel's TIPC networking stack. In this post I'm mainly going to be talking about the vulnerability itself and its remediation, and I'll go a little bit into exploitation.
In this article, I detail the process that led me to create a tool allowing complete Internet access from inflight WiFi.
In this security research, we explored a kernel driver belonging to Macrium Reflect to identify potential vulnerabilities. Several critical vulnerabilities were discovered including a kernel heap overflow, allowing unauthorised write access to kernel memory. This first part will focus on the details of the two vulnerabilities.
In this instalment, we delve deeper into the practical aspects of exploitation of the vulnerabilities found in a kernel driver belonging to Macrium Reflect. We will focus on understanding and utilizing multiple kernel heap exploitation primitives to build an effective exploit.
SBPL Compilator
07/09/2024 This piece will document my approach to creating a simple C program utilizing Apple's undocumented functions to compile SandboxProfileData. Eventually, we will build a SandBox Policy Language Compilator Wrapper in C.
In this blog post, we'll explore the various features of awsviz.dev, a small tool that turns IAM policies into simple graphs. We will review the problems they solve, and the benefits they bring to your AWS security and management workflows.
We were able to find a chain of vulnerabilities that allows full database access and full access to any ServiceNow Proxy (MID) servers configured.
In this post, I delve into Azure JWTs and provide the definition and usage of all the claims they contain.
In this article, I detail my journey to finding 2 vulnerabilities (CVE-2024-35248, CVE-2024-35249) in Dynamics 365 Business Central leading to privilege escalation and Remote Code Execution.
We have identified a significant vulnerability, CVE-2024-38021, a zero-click remote code execution (RCE) vulnerability that impacts most Microsoft Outlook applications.
In this article, I provide technical details and the impact of CVE-2024-38021, a vulnerability in Evernote that can lead to potential data breaches, unauthorized access, and other malicious activities.
Charting the IOCs
07/09/2024 This article explains how to perform a meta-analysis of C2 locations and provides tools to help you find your bearings.
This article will deep dive into a methodology for constructing a time-based attack for exploiting an ORM Leak vulnerability, using Prisma as an example, along with the release of a tool called plormber for assisting with the time-based exploitation of ORM Leak vulnerabilities.
WAN-to-LAN Exploit Showcase - Part 1
07/09/2024 In this blog, we are going to present our research, including advanced embedded exploitation techniques, and our approach and methodologies into discovering a new NAT bypass and IoT device vulnerabilities. In part one of this series, we explain our research and attack on TP-Link ER605 routers.
I have identified a way to silently install a Chrome extension while avoiding the "common" IOCs attackers use today: no command line parameters, persistent, can be installed while in use, no registry edits.
Drink Like a Phish
07/09/2024 This article explains how to make the contents of phishing sites and pages as benign as possible in order to trick proxies into thinking we are safe.
We detail another round of "Hiding in Plain Sight," exploring weird places to stash data or payloads. In this article, we are going to experiment with a method for hiding data, a "fileless" storage solution in a sense.
This post aims to shed light on a particular aspect of the complexity databases introduce that is often overlooked by developers, namely concurrency control.
This post details how I used Salad Cloud to build a distributed hashcat cracking setup for password cracking.
Along with credential protection, Windows 11 prioritized helping app developers better protect people from phishing attacks and malware. One of the key advances in this area is a feature called VBS enclaves. This blog post will describe VBS Enclaves, their internals, and how to use VBS Enclaves as a developer.
Still Recent
This blog details 40 vulnerabilities found in Toshiba e-STUDIO Multi-Function Printers (MFPs).
In this post we will dive into the internals of how it works by reverse engineering some eBPF-based programs.
A Short Tale of Sysctl
06/27/2024 In this short article, I mainly want to discuss a jailbreak protection found in mobile reversing.
There are PowerShell scripts where you have to authenticate and store passwords in PowerShell. In this article, you will learn how to securely store credentials with PowerShell.
CORS: the ultimate guide
06/03/2024 This article details Cross-Origin Resource Sharing (CORS) concepts and implementation, explains how to define a proper CORS policy (and the risk of not doing so), and how it can protect against attacks such as CSRF.
Oldies but Goodies
Active Directory Certificate Services (AD CS) - A Beautifully Vulnerable and Mis-configurable Mess
05/04/2024 Just like other Active Directory technologies, AD CS can be easily misconfigured for full Domain privilege escalation from Domain User to Domain Administrator, and can also allow machine and Domain persistence, and finally credential theft. This article will cover some AD CS misconfigurations and how to exploit most of them.
In this research, we demonstrate that vulnerabilities in UEFI on ARM are harder to exploit, but still not a big deal. In particular, we found that the UEFI NVRAM API is still misused in many cases and mitigations are restricted to limited usage.
A few years ago I released protodump, a CLI for extracting full source protobuf definitions from compiled binaries (regardless of the target architecture). This can come in handy if you're trying to reverse engineer an API used by a closed source binary, for instance. In this post I'll explain how it works.
Unearthed Arcana
Polymorphic Encryption Algorithms
06/01/2013 This article explains all the steps needed to write a C++ program which dynamically generates encryption algorithms in x86 assembly code.
In this article, we lift the veil on the inner workings of trustlets, how different components work together to provide a Trusted Execution Environment, and how to attack them.