The trouble with programmers is that you can never tell what a programmer is doing until it's too late.
Starred Articles
Decrypting and Replaying VPN Cookies
09/10/2024 Persistent VPN authentication tokens are just as vulnerable to session hijacking as browser session cookies and other device-resident credential material.
Detecting Malicious Use of LOLBins
09/11/2024 By looking at how LOLBins are used for both legitimate and malicious purposes, we can begin to see valuable detection opportunities. Discerning the difference between legitimate and malicious use of native utilities, and exploiting those differences for detection, allows us to disrupt the threat actor's activities much earlier in the attack chain.
In this post, we explain how we took control of a chunk of the Internet's infrastructure, opened up a big slab of juicy attack surface, and found a neat way of undermining TLS/SSL - the fundamental protocol that allows for secure communication on the web.
We observed many large-scale phishing campaigns that used a Refresh entry in the HTTP response header. These attacks rely on a header the server sends, which the browser acts on before it processes the HTML content: the Refresh header makes the browser automatically reload or navigate to the attacker's URL immediately, without requiring user interaction.
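The pattern above is easy to check for in captured responses. The following is an added example, not code from the article: it parses a raw HTTP/1.x response, pulls out the Refresh header, and flags an immediate (zero-delay) redirect to a host other than the one the client requested. The sample responses, hostnames and URLs are constructed; the served host is assumed to come from the client side (SNI or the request's Host header), because the response itself does not carry it.

```python
"""Flag HTTP responses that use a Refresh header to bounce the browser off-origin.

Added example (not from the article). Parses a raw HTTP response, extracts the
Refresh header and decides whether it is an immediate, cross-origin redirect,
the pattern the phishing campaigns above rely on. All inputs are constructed.
"""
import re
from urllib.parse import urlparse

# Refresh value grammar: "<seconds>; url=<target>" (quotes around the URL are optional)
REFRESH_RE = re.compile(r"^\s*(\d+)\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def refresh_target(headers):
    """Return (delay_seconds, url) from the first parsable Refresh header, else None."""
    for name, value in headers:
        if name == "refresh":
            m = REFRESH_RE.match(value)
            if m:
                return int(m.group(1)), m.group(2)
    return None


def classify_refresh(raw: bytes, served_host: str):
    """Describe the Refresh redirect, if any, and whether it matches the phishing pattern.

    served_host is the host the client actually asked for (TLS SNI or the request's
    Host header); a relative target URL stays on that origin.
    """
    _, headers, _ = parse_response(raw)
    hit = refresh_target(headers)
    if hit is None:
        return {"refresh": False}
    delay, url = hit
    target_host = urlparse(url).hostname or served_host
    cross_origin = target_host.lower() != served_host.lower()
    return {
        "refresh": True,
        "delay": delay,
        "target": url,
        "cross_origin": cross_origin,
        # immediate + off-origin is the signature worth alerting on
        "suspicious": delay == 0 and cross_origin,
    }


# Constructed sample responses (not captured traffic); hostnames are made up.
PHISH_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 0; url=https://login-example.invalid/secure?u=victim%40corp.example\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

BENIGN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Refresh: 30; url=/status\r\n"
    b"\r\n<html><body>refreshing...</body></html>"
)

if __name__ == "__main__":
    print(classify_refresh(PHISH_RESPONSE, "cdn.example.net"))
    print(classify_refresh(BENIGN_RESPONSE, "status.example.net"))
```

A proxy or IDS that already has the request side can feed the requested host straight into classify_refresh; the same Refresh grammar also appears in a meta http-equiv tag in the body, so a fuller check would scan both.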
To detect C2 agent activity we are going to focus on two artifacts seen in the stack (in the context of stack spoofing): a truncated or abruptly ending stack, and a thread start address that is not present in the stack.
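Both indicators reduce to simple checks over an already-walked call stack. The block below is an added example, not code from the article: it assumes the frames were collected beforehand (on Windows with StackWalk64 or RtlVirtualUnwind), that each return address was resolved to the entry of its containing function, and that the thread start address came from NtQueryInformationThread with ThreadQuerySetWin32StartAddress. The two snapshots, and every address in them, are constructed; only the symbol names are real Windows exports.

```python
"""Two stack-spoofing tells: a stack that ends abruptly, and a thread whose start
address never appears in its own frames.

Added example, not code from the article. Frames are assumed to have been walked
already and resolved to "module!symbol" plus the containing function's entry;
the snapshots below are constructed, not captured from a live process.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Frame:
    ret_addr: int              # return address found on the stack
    func_start: Optional[int]  # entry of the function containing ret_addr; None if unbacked
    name: str                  # "module!symbol", or "<unbacked>" for non-image memory


@dataclass
class ThreadSnapshot:
    tid: int
    start_address: int         # Win32 start address reported for the thread
    frames: List[Frame]        # innermost first; frames[-1] is the outermost frame reached
    walk_error: bool = False   # unwinder gave up (no unwind info, bad RSP) before a root


# A user-mode thread that was started normally bottoms out in one of these.
EXPECTED_ROOTS = {"ntdll.dll!RtlUserThreadStart", "kernel32.dll!BaseThreadInitThunk"}


def analyze(snapshot: ThreadSnapshot) -> List[str]:
    """Return a list of findings; an empty list means the stack looks genuine."""
    findings = []
    if not snapshot.frames:
        return ["empty stack"]

    # 1. Truncated / abruptly ending stack: the walk never reached a thread root,
    #    or the unwinder stopped early because a fabricated return address led nowhere.
    outer = snapshot.frames[-1]
    if snapshot.walk_error or outer.name not in EXPECTED_ROOTS:
        findings.append(f"stack ends abruptly at {outer.name} (0x{outer.ret_addr:x})")

    # 2. Thread start address absent: a genuine thread has some frame inside the
    #    function it was started with; a stack assembled from unrelated frames does not.
    if not any(f.func_start == snapshot.start_address for f in snapshot.frames):
        findings.append(f"start address 0x{snapshot.start_address:x} not present in stack")

    # Usually accompanies both: a return address into memory not backed by an image.
    unbacked = [f for f in snapshot.frames if f.func_start is None]
    if unbacked:
        findings.append(f"{len(unbacked)} return address(es) in unbacked memory")
    return findings


# Constructed samples. Addresses are made up; symbol names are real Windows exports.
WORKER_START = 0x7FF6_1A00_1000  # app.exe!worker_main (hypothetical application)

GENUINE = ThreadSnapshot(
    tid=4012,
    start_address=WORKER_START,
    frames=[
        Frame(0x7FFC_A100_3F24, 0x7FFC_A100_3F00, "ntdll.dll!NtWaitForSingleObject"),
        Frame(0x7FFC_9F20_1B3A, 0x7FFC_9F20_1A00, "KERNELBASE.dll!WaitForSingleObjectEx"),
        Frame(0x7FF6_1A00_10C7, WORKER_START, "app.exe!worker_main"),
        Frame(0x7FFC_A0B0_7344, 0x7FFC_A0B0_7330, "kernel32.dll!BaseThreadInitThunk"),
        Frame(0x7FFC_A103_26B1, 0x7FFC_A103_2690, "ntdll.dll!RtlUserThreadStart"),
    ],
)

# An injected agent sleeping with its real frames hidden: the walk hits a return
# address in a private allocation and dies there.
SPOOFED = ThreadSnapshot(
    tid=5288,
    start_address=0x7FFC_A0B0_8200,  # reported as kernel32.dll!LoadLibraryW
    frames=[
        Frame(0x7FFC_A100_3F24, 0x7FFC_A100_3F00, "ntdll.dll!NtWaitForSingleObject"),
        Frame(0x7FFC_9F20_1B3A, 0x7FFC_9F20_1A00, "KERNELBASE.dll!WaitForSingleObjectEx"),
        Frame(0x0000_01E4_5AB0_2C11, None, "<unbacked>"),
    ],
    walk_error=True,
)

if __name__ == "__main__":
    for snap in (GENUINE, SPOOFED):
        print(snap.tid, analyze(snap) or ["no findings"])
```

Threads created through the thread pool or by a loader stub legitimately report start addresses such as ntdll!TppWorkerThread, so the second check needs an allow-list of such starts before it is used for alerting.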
New Articles
In this article I will show how SSSD stores passwords when the Domain Controller is not available, how keyrings work, and how we can dump the keys of other processes with keydump.
GDB loses significant functionality when debugging binaries that lack debugging symbols (also known as "stripped binaries"). I extended Pwndbg with two new features to bring the stripped debugging experience closer to what you'd expect from a debugger in an IDE.
Microsoft Graph activity logs provide a history of all Microsoft Graph API requests. In this blog, we go over collection and analysis of these logs and share a few detection and hunting ideas. The goal is to create general awareness of this log source and show how it can be used effectively.
We have examined the Windows TCP/IP network stack flaw that could grant adversaries remote access with maximum privileges. Exploiting CVE-2024-38063 requires no action on the part of the user. In the article, we explain how we located the vulnerability by comparing two versions of the driver and developed an attack chain.
Forensic acquisition of ChromeOS devices
09/01/2024 Forensic acquisition of ChromeOS devices, such as Chromebooks, requires specialized knowledge and tools due to the operating system's reliance on cloud services and its built-in security measures like disk encryption and sandboxing. Traditional forensic methods often fall short, necessitating a different approach to effectively gather and analyze data.
Whether you're a seasoned cybersecurity professional or new to the field, understanding the dangers of cherry picking is crucial for conducting thorough and accurate investigations. Let's dive in and explore why a holistic approach to evidence gathering and analysis is essential in today's complex threat landscape.
Sometimes in digital forensics there is a need to gain access to encrypted data sources. This can come in many forms including zip files, TrueCrypt/VeraCrypt, KeePass and BitLocker. OneDrive's Personal Vault is no exception. It is important to gain access to these encrypted containers because they can contain information that is important to our investigation.
In this part we're going to tackle the more "ephemeral" Session Storage data (and find out how ephemeral it actually is), but this task will require us to first learn a bit more about how Firefox handles storing and restoring a browsing session.
This article explores the basic differences in telemetry between Windows and Linux using examples like authentication logs and process execution logs. We will also examine how these differences affect monitoring effectiveness, incident response, and overall system management.
LNK Stomping
09/04/2024 This post illustrates the exploitation of CVE-2024-38212 via the LNK stomping technique.
A Briefing on Malware Crypting Services
09/04/2024 This article provides a short review of the main crypters: software designed to encrypt, obfuscate and otherwise manipulate malware so that it bypasses security software and controls.
Luxy: A Stealer and a Ransomware in one
09/03/2024 This article is a technical analysis of Luxy, which is both a stealer and ransomware. The stealer is similar to Umbral Stealer: it collects user passwords and browser details and exfiltrates them via Telegram, while the ransomware encrypts all files and leaves a ransom note containing the decryption key.
Dark Web Profile: Abyss Ransomware
09/02/2024 Abyss Locker ransomware emerged as a critical cybersecurity threat, aggressively targeting Windows and Linux systems across industries like finance, manufacturing, and technology.
While Atomic macOS Stealer (AMOS) is not the only player in town, it is one of the most prominent, so we've put together a brief guide on what AMOS is and how it works, to help defenders get a handle on this increasingly prevalent malware.
We discovered a new multiplatform backdoor written in Golang, named KTLVdoor, which has both Microsoft Windows and Linux versions. It is a highly obfuscated malware that masquerades as different system utilities, allowing attackers to carry out a variety of tasks including file manipulation, command execution, and remote port scanning.
AWS S3 (Simple Storage Service) buckets are a popular storage service used by software companies and organizations to store public as well as sensitive data. In this article, we cover some of the most common security misconfigurations in S3 buckets.
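The misconfiguration that shows up most often is anonymous access granted through the bucket policy or the bucket ACL. The block below is an added example, not code from the article: it evaluates a bucket policy document and an ACL grant list offline and reports statements or grants that hand data-plane actions to everyone. Both inputs are constructed in the shape boto3's get_bucket_policy (a JSON string) and get_bucket_acl (a Grants list) return; in a live audit you would fetch them with those calls and also read get_public_access_block, since Block Public Access overrides both.

```python
"""Spot anonymous access in an S3 bucket policy and ACL.

Added example, not code from the article. Evaluates a bucket policy and an ACL
grant list offline; both inputs are constructed. Block Public Access settings,
which can override both, are not modelled here.
"""
import json
from typing import Any, Dict, List

PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account, not just yours
}
DATA_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value: Any) -> List[Any]:
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def principal_is_anonymous(principal: Any) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of "anyone"."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Allow statements that give data-plane actions to anonymous principals."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_anonymous(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        exposed = sorted(a for a in actions if a in DATA_ACTIONS or a.endswith("*"))
        if not exposed:
            continue
        # A Condition (e.g. aws:SourceVpce) may narrow "everyone" down. Still report it,
        # since conditions are easy to get wrong, but label it for triage.
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"{scope} anonymous {' '.join(exposed)} on {_as_list(stmt.get('Resource'))}")
    return findings


def acl_findings(grants: List[Dict[str, Any]]) -> List[str]:
    """ACL grants to the AllUsers / AuthenticatedUsers groups."""
    findings = []
    for grant in grants:
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    return findings


def audit(policy_json: str, grants: List[Dict[str, Any]]) -> List[str]:
    return policy_findings(json.loads(policy_json)) + acl_findings(grants)


# Constructed inputs; the bucket name and account ID are made up.
BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "CiUpload", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
         "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-assets/build/*"},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

BUCKET_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "0123abcd"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

if __name__ == "__main__":
    for line in audit(BUCKET_POLICY, BUCKET_GRANTS):
        print(line)
```

The Deny statement with the Principal "*" is correctly ignored: denying everyone is the common transport-security pattern, not an exposure. Only Allow statements reaching anonymous principals are reported.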
Unpacking the unpleasant FIN7 gift: PackXOR
09/04/2024 In this article, we offer a thorough analysis of the private packer that we named "PackXOR", as well as an unpacking tool. Additionally, while investigating the packer usage, we determined that PackXOR might not be exclusively leveraged by FIN7.
What can you do with a cheap Linux machine with limited flash and only a single free GPIO line? Probably not much, but sometimes, just getting root to prove you can is the main goal of a project. If that happens to lead somewhere useful, well, that's just icing on the cake.
Let's examine the tools that will enhance your hardware hacking expertise and enable you to navigate this dynamic field with confidence and precision.
We're going to look at CVE-2024-40711, multiple bugs that can be chained together to gain RCE on the Veeam Backup & Replication solution, through patch diffing.
This blog post is about a Windows Kernel Paged Pool Overflow going by the identifier CVE-2021-31956 and how to exploit it from a Low Integrity point of view. We don't cover any novel exploitation techniques, but if you are curious about a Kernel Heap Overflow and what an exploit and all the required steps might look like, you're in the right place.
We noticed that Chrome fixed a V8 vulnerability that was being exploited in the wild. We quickly pinpointed the fix for this vulnerability and discovered that it was a rare bug in the Parser module, which piqued our interest greatly.
This blog post has an analysis of a Race Condition vulnerability caused by the incorrect use of an RCU (Read-Copy-Update) API and a technique to reliably trigger it.
In this post, we explore a vulnerability in the Windows IOMap64.sys driver (CVE-2024-41498). We perform a technical analysis of the IOMap64.sys driver, cover the software fault leading to the vulnerability, which under the hood allows a malicious user to read and write the entire physical memory (RAM), and finally provide a PoC to demonstrate exploitability.
Armed with valid credentials for a Citrix infrastructure, I was able to scrutinize the authentication process in detail, and it didn't take long to identify a significant misconfiguration - one that could allow an attacker to bypass multi-factor authentication (MFA) with a surprisingly simple method.
This article demonstrates that it is possible to chain a few features and misconfigurations together in order to achieve a cross-site leak (XS-Leak) via HTML injection, even while a strict Content-Security-Policy (CSP) is present.
Companion scanner for mockingjay injection
09/09/2024 This article details an approach to find vulnerable DLLs that could be used to leverage the mockingjay injection technique.
Browser Stored Credentials
09/10/2024 We review techniques used to dump browser secrets protected with the Data Protection API (DPAPI), and how such activity can be detected in the Windows event log.
While several blog posts have shown how to retrieve credentials through this vulnerability, we decided to dig deeper and see whether it was possible to execute arbitrary code through this issue.
In this blog I'll introduce SQL Server credential objects and discuss how they can be abused by threat actors to execute code as either a SQL Server login, local Windows user, or Domain user. I'll also cover how to enable logging that can be used to detect the associated behavior.
Dive into Sigma Correlation Rules
09/09/2024 Sigma correlations are a great new way to hunt, detect, and research threats. This article shows Sigma newcomers how easy it is to get started taking novel research (like the Morphisec Cicada3301 report) and generating useful, interesting detection rule concepts.
ADCS Attack Paths in BloodHound - Part 3
09/11/2024 In this blog post, we will continue to explore more of the new edges we have introduced with ADCS support in BloodHound. More specifically, we will cover how we have incorporated the ESC6, ESC9, and ESC10 domain escalation techniques.
We identified an unclassified Android banking Trojan. Subsequent analyses revealed that the malware was a variant of TrickMo, albeit with newly incorporated anti-analysis mechanisms.
Dissecting the CVE-2024-38106 Fix
09/02/2024 Microsoft fixed several ntoskrnl.exe bugs, one of which (CVE-2024-38106) was being exploited in the wild. As anything ITW always requires closer attention, we attempt to create a PoC for it by.
In this blog post, we lay some groundwork for understanding bytecode-based exploitation on Android. Most importantly, we discuss the execution environment and how to set up gdb and frida.
In this blog post, we peek into various Android fundamentals, always driven by the goal of bytecode-based exploitation. First, bytecode basics are discussed, then a more practical view on Android's fork server architecture is given. All major memory analysis steps used throughout this blog series are discussed.
This blog post shows the first bytecode-based exploitation technique on Android: bytecode injection. This opens the door to many interesting exploits, where injected bytecode can function as an all-in-one solution or an intermediate stage.
Here, the more advanced bytecode reuse technique is discussed, along with fundamentals necessary to grasp all concepts described. Also, some security mechanisms that immediately come to mind are mentioned without taking into account performance impact.
Putting Our Hooks Into Windows
09/12/2024 We are talking about setting Windows hooks. This is a simple technique that can be used to log keystrokes or inject code into remote processes. We use SetWindowsHookEx to register a function that is called whenever the hooked event is triggered.
Diving into ADB protocol internals - Part 1
09/12/2024 ADB is invaluable for debugging Android applications, offering a unified way to execute shell commands, transfer files, install APKs, and much more. In this first blog post, we explore its underlying protocol between client and server and introduce a Rust crate called adb_client that implements it.
Kernel ETW is the best ETW
09/13/2024 This research focuses on the importance of native audit logs in secure-by-design software, emphasizing the need for kernel-level ETW logging over user-mode hooks to enhance anti-tamper protections.
We have conducted in-depth research on ransomware operations, focusing on attacks targeting cloud infrastructures within the insurance and financial sectors. Based on the analysis, the infrastructure and methodologies observed - particularly the automated generation of phishing pages - strongly align with the SCATTERED SPIDER activity cluster.
This article explores how attackers can exploit Django's DEBUG=True setting and the top five valuable data types they can retrieve from a vulnerable application.
Living off the land, GPO style
09/12/2024 The ability to edit Group Policy Objects (GPOs) from non-domain-joined computers using the native Group Policy editor has been on my list for a long time. This blog post takes a deep dive into the steps taken to find out why domain-joined machines are needed in the first place and what options we had to trick the Group Policy Manager MMC snap-in into believing the computer was domain joined.
In this article, part one of the series, I describe the MultiValuedProperty exploitation primitive, which became fundamental for my further exploitation of Exchange PowerShell.
Exploiting Exchange PowerShell After ProxyNotShell - Part 2: ApprovedApplicationCollection
09/11/2024 In this part, I describe the ApprovedApplicationCollection gadget, which was available for abuse because it did not appear on the deny list and could therefore be accessed via MultiValuedProperty. I am also presenting a path traversal in the Windows utility extrac32.exe, which allowed me to complete the chain for a full RCE in Exchange.
Still Recent
We perform a deep analysis of CVE-2024-30078, supposedly leading to Remote Code Execution (RCE). The impact of this vulnerability seems much less critical than what Microsoft anticipated: we can only overwrite a limited number of bytes of another packet, and only if it is placed straight after ours.
We discovered the new BlankBot Android banking trojan. It features a range of malicious capabilities, including custom injections, keylogging and screen recording, and it communicates with a control server over a WebSocket connection.
Hacking a 2014 tablet... in 2024!
07/21/2024 In this article, I'll explain how I managed to hack and unlock the first MediaTek-based Amazon tablet that went on sale, the Amazon Fire HD6 / HD7 2014.
Oldies but Goodies
The (Anti-)EDR Compendium
06/14/2024 This article summarizes EDR functionality and bypasses, with a focus on undetected shellcode loaders.
I would like to give an introduction to modern kernel exploitation on Linux. This post describes how to build a debugging environment. It explains how to create an initramfs file, how to build the kernel and how to use qemu with the newly built kernel and initramfs file.
Linux Kernel Exploitation - Part 2: ret2usr
07/04/2024 The goal in userland exploitation is to gain code execution and trick the process into spawning a shell. In kernelland exploitation the main goal is to change the privileges of the current process. This second part of the series shows an easy vulnerability in a custom kernel module, a stack-based buffer overflow, and describes how to exploit it.
In this step-by-step tutorial on email header analysis, we will guide you through the process of examining an email header to gather crucial information and gain insight into the sender's identity, location, and intent.
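The steps of such an analysis are mechanical enough to script. The block below is an added example, not code from the tutorial: it walks the Received chain in delivery order to find the originating IP, reads the receiving server's Authentication-Results for SPF, DKIM and DMARC, and compares the displayed From domain with the envelope sender (Return-Path) and Reply-To. The message is constructed; every host, IP and domain in it is made up, and the hop and verdict extraction relies only on Python's standard email module.

```python
"""Pull the facts a header analysis wants out of a raw e-mail.

Added example, not code from the tutorial. Walks the Received chain in delivery
order, extracts each hop's connecting IP, reads Authentication-Results for
SPF/DKIM/DMARC, and checks the From domain against Return-Path and Reply-To.
The message below is constructed; all hosts, IPs and domains are made up.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

RAW_MESSAGE = """\
Received: from mx.corp.example (mx.corp.example [203.0.113.10])
 by mail.corp.example with ESMTPS id abc123; Tue, 10 Sep 2024 09:15:02 +0000
Received: from relay.bulkmailer.invalid (relay.bulkmailer.invalid [198.51.100.7])
 by mx.corp.example with ESMTP id def456; Tue, 10 Sep 2024 09:15:01 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
 by relay.bulkmailer.invalid with SMTP id ghi789; Tue, 10 Sep 2024 09:14:58 +0000
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=bulkmailer.invalid;
 dkim=none;
 dmarc=fail header.from=bank.example
Return-Path: <bounce@bulkmailer.invalid>
From: "Bank Security" <alerts@bank.example>
Reply-To: verify@bank-login.invalid
To: victim@corp.example
Subject: Action required

Please verify your account before it is suspended.
"""


def received_chain(msg: Message) -> List[Dict[str, str]]:
    """Hops in delivery order (origin first). Each MTA prepends its own Received
    header, so the top of the message is the last hop; reverse to follow the path."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())  # unfold continuation lines
        ip = IP_RE.search(value)
        sender = FROM_RE.match(value)
        receiver = BY_RE.search(value)
        hops.append({
            "from": sender.group(1) if sender else "",
            "ip": ip.group(1) if ip else "",
            "by": receiver.group(1) if receiver else "",
        })
    return hops


def auth_results(msg: Message) -> Dict[str, str]:
    """SPF/DKIM/DMARC verdicts from the first Authentication-Results header.
    Only the header added by your own receiving server is trustworthy; anything
    further down could have been written by the sender."""
    header = msg.get("Authentication-Results", "")
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def domain_of(addr_header: str) -> str:
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> Dict[str, object]:
    msg = message_from_string(raw)
    hops = received_chain(msg)
    from_domain = domain_of(msg.get("From"))
    return_path_domain = domain_of(msg.get("Return-Path"))
    reply_to_domain = domain_of(msg.get("Reply-To"))
    # Envelope sender or Reply-To on a different domain than the visible From is the
    # classic spoof tell; SPF passing for bulkmailer.invalid says nothing about bank.example.
    mismatch = return_path_domain != from_domain or bool(reply_to_domain and reply_to_domain != from_domain)
    return {
        "hops": hops,
        "origin_ip": hops[0]["ip"] if hops else "",
        "auth": auth_results(msg),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        "sender_mismatch": mismatch,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(RAW_MESSAGE), indent=2))
```

The origin IP is the one in the lowest Received header, which is also the one a sender can forge most easily; only hops added by servers you control are reliable, which is why the chain is read from your own MX downward.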
Detecting Sandboxes Without Syscalls
04/19/2024 The PEB, TEB and KUSER_SHARED_DATA structs are mapped into the memory space of every process. They provide a wealth of information to the process and can be accessed without having to perform syscalls. Using them for anti-debugging is widely known and documented. But they can also be used for stealthy anti-sandbox and anti-vm checks.
SSH Keystroke Obfuscation Bypass
06/14/2024 I researched the impact of using keystroke latency analysis to infer an SSH session's underlying commands being run by the client. As a part of this endeavour, I discovered a way to bypass the measures to mitigate a keystroke timing attack via traffic analysis introduced in OpenSSH.
Unearthed Arcana
Data or executables may be stored in New Technology File System (NTFS) partition metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus.
Visual Studio Tools for Office (VSTO) "add-in" applications can be installed in the context of a user profile without admin intervention and will run each time the respective targeted Office application is invoked. For defenders, this is (yet) another vector to monitor for possible abuse within the IT environment.