In programming, if someone tells you "you're overcomplicating it", they're either 10 steps behind you or 10 steps ahead of you.
Starred Articles
OpenSSH Backdoors
08/23/2024
This blog post shares the story of the first backdoor in OpenSSH - back in 2002 - and what we can learn from an attack that happened over two decades ago.
In this blog post, I'll examine the differences between traditional SWIFT MT messages, ISO 20022, BESP, and CIPS in anticipation of more technical details about BRICS Pay. This analysis will also serve as a useful reference for tracking current fintech developments and gaining insights into the future of financial forensics and AML.
This article highlights XMSS and SPHINCS+, two digital signature algorithms which rely on the well-known robustness of hash functions against quantum computers. However, each one comes with its set of precautions and blind spots, which must be kept in mind when incorporating them in your software.
This post describes a vulnerability in Microsoft 365 Copilot that allowed the theft of a user's emails and other personal information. This vulnerability warrants a deep dive, because it combines a variety of novel attack techniques that are not even two years old.
Manipulating the execution flow of a legitimate process to execute malicious code through a "Time-of-Check to Time-of-Use" (TOCTOU) attack involves exploiting the time gap between when a system checks a condition and when it acts on that condition. This blog post documents some of my workflows to achieve this, along with a sample execution example.
We successfully compromised the Western Digital MyCloudHome connected hard drive via a 0-day in the Netatalk daemon. Our exploit was unusual because triggering the vulnerability required messing with the remote TCP stack, so we wrote our own. This blog post will provide some technical details about it.
New Articles
This short blog post will talk through what a DLL is, types of common DLL attacks, along with some of the known functions required/used to execute malicious code.
This research will discuss an overlooked attack surface that allowed us to find more than ten vulnerabilities within two months. Additionally, we will delve into a proxy-based logical vulnerability type that allows us to bypass most validations, enabling us to successfully exploit Windows 11.
Vulnerabilities in Homepage Dashboard
08/22/2024
Homepage is an open-source customizable web application dashboard with integrations for over 100 services. This blog post explains how I could exploit the vulnerabilities I found in Homepage to fully compromise a Jellyfin server, achieving remote code execution by deploying a custom plugin, among other issues.
We have discovered a vulnerability where just one insecure API endpoint was enough to take control over an entire application: Honeywell's BEDQ system.
LAPSUS$ is dead, long live HexaLocker?
08/18/2024
This article will dissect the HexaLocker ransomware sample to uncover its capabilities and help organizations that could be impacted by this new strain.
This blog post explains how to modify a mobile application to discover all the API endpoints that exist to find vulnerabilities in the mobile APIs and understand the IoT system as a whole.
The vulnerabilities disclosed here relate to how these Python frameworks retrieve files. Specifically, in Python, any file system operation performed on insufficiently validated input can lead to the leakage of NTLMv2 hashes. Along the way we'll also cover an interesting Python bug affecting older versions of Python on Windows that could assist in NTLMv2 hash theft.
Windows 11 24H2 and Windows Server 2025 include a dozen new SMB features that make your data, your users, and your organization safer - and most are on by default. In this post, I'll explain their usefulness, share some demos, and point to further details.
LLM01: Prompt Injection Explained With Practical Example: Protecting Your LLM from Malicious Input
08/24/2024
This article discusses the basics of prompt injection - a form of attack that targets AI models, particularly those using large language models (LLMs) - and mitigation techniques.
File Upload Vulnerabilities
08/26/2024
File upload vulnerabilities can lead to severe security breaches if not handled properly. This article provides examples of vulnerable code, how it can be exploited, and how to secure it.
This article summarizes my research aiming at analyzing and exploiting macOS userland vulnerabilities to identify fuzzing targets. So far, over 40 exploitable logic vulnerabilities have been discovered.
Cobalt Strike - CDN / Reverse Proxy Setup
08/26/2024
In this blog post I would like to explain in detail how Content Delivery Networks (CDNs) can be used in conjunction with a C2 domain and Nginx as a reverse proxy in the context of Cobalt Strike for C2 communications. We will cover the 'how', 'what' and 'why' of this topic in detail for a better understanding.
SLUBStick is a novel kernel exploitation method that converts a limited kernel heap vulnerability into an arbitrary read-and-write primitive, making privilege escalation easier. This article provides defensive measures specifically targeted towards embedded systems.
Exploring Windows Artifacts: Notepad Files
08/18/2024
On Windows 11, Notepad stores a cache of recently opened files. This cache contains valuable information, such as file paths, file contents, and other useful data. In this article, we will examine the structure of the Notepad cache and provide a custom parser to extract this information for forensic investigations.
We have uncovered PG_MEM, a new PostgreSQL malware, that brute forces its way into PostgreSQL databases, delivers payloads to hide its operations, and mines cryptocurrency. In this blog, we explain this attack, the techniques used by the threat actor, and how to detect and protect your environments.
In this first part of the series, we'll examine Linux persistence mechanisms in detail, starting with common or straightforward methods and moving toward more complex or obscure techniques.
An attacker with access to a vulnerable Microsoft Azure Kubernetes Services cluster could have escalated privileges and accessed credentials for services used by the cluster.
We identified a new memory-only dropper using a complex, multi-stage infection process. This memory-only dropper decrypts and executes a PowerShell-based downloader. This PowerShell-based downloader is being tracked as PEAKLIGHT.
Many organizations set up their internal Microsoft authentication systems years ago using domain names in TLDs that didn't exist at the time. This means they are continuously sending their Windows usernames and passwords to domain names they do not control and which are freely available for anyone to register.
Shenanigans of Scheduled Tasks
08/23/2024
In Windows, the Task Scheduler service manages and executes scheduled automated tasks, similar to cron jobs on Unix systems. Attackers can also abuse scheduled tasks to persist malicious code or execute unauthorized activities on a compromised system.
Exploring Impacket Abuse
08/20/2024
In this report, we examine how attackers repurpose Impacket features for malicious uses. While Impacket includes over 50 Python scripts, this report will specifically focus on three - psexec.py, smbexec.py, and wmiexec.py - that are frequently exploited and discussed by threat actors. We also offer practical defensive recommendations.
Service Account Abuse
08/22/2024
This report explores the vulnerabilities associated with service accounts, details the growing trends in security breaches involving these accounts, and provides actionable recommendations for security teams and leaders to mitigate these risks effectively.
In this article, I will walk you through the process of writing a fuzz harness for one of Meta's open source projects, netconsd, a daemon for receiving and processing logs from the Linux kernel.
GNU/Linux Sandboxing - A Brief Review
08/20/2024
This paper gives an incomplete review of existing sandbox solutions on the GNU/Linux operating system, covering only the often-used or commonly-studied solutions.
In this post, I will cover the easiest way to detect and remove the KoviD LKM rootkit.
$15k RCE Through Monitoring Debug Mode
08/28/2024
In this writeup, I'll guide you through a technique that transformed my black box testing into semi-white box testing. This approach led to the discovery of multiple vulnerabilities and eventually resulted in achieving remote code execution on the system.
CVE Hunting Made Easy
08/27/2024
CVE hunting in WordPress plugins is more accessible than many realise, and the methodology outlined here requires only a bit of coding knowledge.
We discovered active exploitation of a zero-day vulnerability in Versa Director servers, identified as CVE-2024-39717. A custom-tailored web shell is tied to this vulnerability. Its primary purpose is to intercept and harvest credentials which would enable access into downstream customers' networks as an authenticated user.
In this post, we will show you how we bypassed the sanitization attempts of the popular learning platform Moodle to achieve remote code execution.
Initial access is a set of techniques that exploit different entry points to gain an initial foothold in an organisation's network. We review the main techniques and prevention mechanisms.
Advanced UEFI Analysis with Binary Ninja
08/23/2024
The Unified Extensible Firmware Interface (UEFI) is a specification that defines the architecture of firmware used for booting computers. Let's delve into some firmware samples and demonstrate how Binary Ninja and our official EFI Resolver plugin can automate the analysis of UEFI binaries.
We observed a botnet campaign that is abusing several previously exploited vulnerabilities, as well as a zero-day vulnerability. This vulnerability (CVE-2024-7029) is a command injection vulnerability found in the brightness function of AVTECH closed-circuit television (CCTV) cameras that allows for remote code execution (RCE).
In this blog post, we describe multiple vulnerabilities we discovered in an open source LLM application called PR-Agent and how they impact projects using it.
Analysis of CVE-2024-43044
08/29/2024
In this blog post we are going to analyze the advisory for CVE-2024-43044, an arbitrary file read vulnerability in Jenkins. We will demonstrate how we could escalate this to achieve remote code execution on the Jenkins controller if we manage to hijack a Jenkins agent.
Trying to reverse engineer CVE-2024-38063 (a CVSS 9.8 score vulnerability in tcpip.sys) is extremely challenging, but a good learning experience.
If you still want to leverage Velociraptor's collection and post-processing of artifacts, this blog will guide the reader through the steps needed to integrate an already-run "Offline Collector" artifact package into your Velociraptor server, and showcase artifacts that come from a macOS host for quick, preliminary triage.
We have created SeamlessPass, a tool that utilizes Microsoft's Seamless SSO feature to acquire access tokens for Microsoft 365 services by leveraging on-premises Active Directory Kerberos tickets. These access tokens can be further used with tools like ROADTools and AADInternals for enumeration or offensive exploitation.
Still Recent
This article provides guidance on identifying and investigating malicious attacks on one or more applications in an Azure tenant.
Bug Bounty Methodology - Part 1: Step By Step Guide To Find Subdomains And Vulnerable URLs
08/09/2024
In this first article of the series we'll discuss some ways to find subdomains, including one ultimate method.
Top 10 XSS Payloads
07/23/2024
A quick review of the most useful payloads to prove the vast majority of Cross Site Scripting (XSS) vulnerabilities out there.
We discovered that Microsoft Azure enables cloud to on-premises lateral movement via Azure Arc. Due to the nature of Azure Arc, this lateral movement can also allow a threat actor to pivot from an organization's Azure tenant to the organization's on-premises Google Cloud Platform (GCP) or Amazon Web Services (AWS) environments.
Analysis of the Key PEB Techniques for Malware Analysis and Reverse Engineering
An Application Consent attack, also known as an Illicit Consent Grant attack, is a type of phishing attack in which a malicious actor gains access to an application and then exploits permissions that have been granted to that app.
I decided to explore a free VPN from the Android Play Store in hopes of finding something interesting, solving some riddle and just having fun. For this experiment I chose "BD NET VPN", a freely available VPN application for any Android phone.
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail
08/05/2024
We recently discovered a critical Cross-Site Scripting (XSS) vulnerability in Roundcube, a popular open-source webmail software.
Abusing Exclusions To Evade Detection
08/11/2024
In this blog post we'll see how to abuse a common feature in Antivirus and EDRs that's not much talked about. Unlike more aggressive methods of AV/EDR evasion that might trigger alerts or leave obvious traces, abusing exclusions allows malicious activities to fly under the radar.
Oldies but Goodies
In this blog post, I'll share my process for developing SlackEnum - a new tool that can enumerate a large quantity of users and collect their names and email addresses for further action, while bypassing Slack's rate-limiting controls intended to prevent this abuse.