If too many users are wrong, it's probably your fault. If a bunch of people trip over the same thing, maybe it's not them. Maybe it's your product, or maybe it's just you.
Starred Articles
Phishing LLMs: Hacking email summarizers
03/08/2025 This article explores techniques to bypass the phishing safeguards of AI-powered email summarizers.
We discovered a way for malicious extensions to silently impersonate any extension installed on the victim's browser. Using password managers as an example, this blog will methodically walk through how attackers would use a polymorphic extension to gain full access to the victim's password vault.
Node is a loader
03/07/2025 We demonstrate several ways to use Node.js and Electron to load DLLs. Since these binaries are signed and often allowlisted, attackers can exploit this to bypass AV and EDR products.
In this first part of the series, we will explain how a backdoor can be set up in a Diffie-Hellman implementation.
A technical exploration of modern phishing tactics, from basic HTML pages to advanced MFA-bypassing techniques, with analysis of infrastructure setup and delivery methods used by phishers in 2025.
New Articles
This article examines obfuscation techniques used in popular malware families, and offers some insights into possible opportunities for automating unpacking of these malware samples. We will examine these behaviors, showing how to extract their configuration parameters through unpacking each stage.
An address confusion vulnerability in the FindMy network allows a remote attacker to turn your device - whether it's a desktop, smartphone, or smartwatch - into an AirTag-like tracker, enabling the attacker to track your location.
In this series of articles, we're going to focus on Samsung's Exynos implementation of their mobile hypervisor security platform. This first article will focus on the permission model, the plugins and their communication with the core.
In this blog post, I'll share the insights I gleaned from my test AD lab. It will start with a basic overview of the AD CS certificate request sequence and then pivot to the PKINIT authentication process. With the foundation established, it will showcase individual scenarios for how different error messages could occur.
In this guide, we'll transform raw reconnaissance into devastating exploitation. You'll learn to scout vulnerable endpoints, confirm SSTI with ruthless accuracy, craft payloads that pierce defenses, and scale your hunt with automation that leaves no parameter untested.
From a forensic standpoint, Chrome's artifacts are well-organized and primarily stored within the user's profile directory, making them a valuable resource for digital investigators.
Browser Forensics: Uncovering Digital Clues
03/03/2025 In this article, we will dive into the exciting world of manual browser forensics.
Most browsers store some auto-complete data, but Chrome takes this to another level by recording a surprising amount of information. Whether it's search terms, form data, or login credentials, Chrome's databases capture nearly everything typed by the user.
Websites store increasing amounts of data directly on a user's device. This client-side storage has grown significantly, often surpassing the traditional browser cache. Despite its importance, forensic investigations have largely overlooked this area because analyzing browser storage can be challenging, and most forensic tools don't fully support it.
Chrome synchronization is a feature that allows users to access their browsing data across multiple devices using their Google account. This includes bookmarks, history, passwords, and even open tabs. While this feature is highly convenient for users, it also creates a rich source of forensic artifacts that can be examined during investigations.
In today's digital world, web browsers are a goldmine of information for forensic investigators. With many users relying on Chromium-based browsers like Google Chrome, Microsoft Edge, and Brave for daily activities, understanding how to analyze browser data is crucial.
When investigating digital evidence, a browser's history can be a goldmine of information. Firefox, like other modern browsers, maintains extensive records of user activity, storing this data in the places.sqlite database. This database can provide critical insights into a user's online behavior, revealing visited websites, timestamps, and other relevant metadata.
Rosetta 2 is Apple's translation technology for running x86-64 binaries on Apple Silicon (ARM64) macOS systems. It creates a cache of Ahead-Of-Time (AOT) files that can serve as valuable forensic artifacts. Analysis of AOT files, combined with FSEvents and Unified Logs (with a custom profile), can assist in investigating macOS intrusions.
AWS's flexibility is both a blessing and a curse. It gives us many ways to do the same thing, but choosing the best one can be hard. In this article, I analyze three options for detecting suspicious API calls.
This article goes through the most common LoL (Living off the Land) techniques, an attack strategy where threat actors conduct malicious activities by exploiting legitimate tools and features already present in a target.
We analyze Phantom Goblin, a malware operation that leverages social engineering tactics to distribute information-stealing malware, enabling credential theft.
The /public command-line option in MSTSC enables the "public mode," preventing RDP from storing credentials, session details, and cached images. This article explores its impact on security and forensic analysis.
Silk Typhoon targeting IT supply chain
03/05/2025 This article dives into Silk Typhoon targeting common IT solutions like remote management tools and cloud applications to gain initial access. Silk Typhoon then uses the stolen keys and credentials to infiltrate customer networks where they can then abuse a variety of deployed applications.
In this article, our team details how Akira ransomware group was able to compromise an unsecured webcam in order to circumvent an Endpoint Detection and Response (EDR) tool and deploy ransomware.
Decrypting the Forest From the Trees
03/06/2025 SCCM forest discovery accounts can be decrypted, including accounts used for managing untrusted forests. If the site server is a managed client, service account credentials can be decrypted via the Administration Service API.
The Bear Necessities
03/03/2025 We provide a detailed walkthrough of a cybersecurity lab which emulates an APT29 attack scenario exploiting CVE-2023-42793 in JetBrains TeamCity. We review the entire attack path and cover extensive forensic analysis, including log filtering, process tree reconstruction, and registry modifications.
We detail a credential phishing attack relying on nested attachments and a base64-encoded attack within an iframe.
GOAD - Part 14: ADCS 5/7/9/10/11/13/14/15
03/10/2025 This post examines different ESC vulnerabilities within the domains: ESC5, ESC7, ESC8 on kingslanding with Kerberos relay, ESC9, ESC10, ESC11, ESC12, ESC13, ESC14, and ESC15 (CVE-2024-49019).
Exploiting Neverwinter Nights
03/10/2025 In this article we will detail how we can chain two vulnerabilities in Neverwinter Nights - a stack buffer overflow and an out-of-bounds write - to obtain remote code execution in multiplayer mode.
Kerberoasting w/o the TGS-REQ
03/05/2025 Strategies to detect Kerberoasting include looking for spikes in TGS-REQs from a single source, or TGS-REQs for 'honeypot' SPNs. Another method of obtaining TGS-REPs could be to listen for them on the wire. However, in this short post, I'll show how an attacker can use service tickets that have already been requested legitimately by a user.
CVE-2025-1094 is a high-severity SQL injection vulnerability affecting PostgreSQL's escaping functions (PQescapeLiteral(), PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn()) and the interactive terminal psql. This vulnerability arises due to improper neutralization of quoting syntax, which allows attackers to bypass escaping mechanisms under specific conditions.
We found the undocumented APIs for Azure API Connections. In this post we examine the inner workings of the Connections allowing us to escalate privileges and read secrets in backend resources for services ranging from Key Vaults, Storage Blobs, Defender ATP, to Enterprise Jira and SalesForce servers.
The aim of this article is to analyze the CVE-2025-21333 vulnerability, a heap-based buffer overflow in Windows vkrnlintvsp.sys. We will develop a proof-of-concept (PoC) exploit using a variant of the I/O Ring technique to achieve arbitrary read/write in kernel space and escalate privileges to SYSTEM. We will also provide guidance for detection.
macOS Malware Analysis: PKG Files
03/07/2025 Analyzing macOS malware can be challenging, especially when dealing with macOS native file types like PKG files. In this article, I will guide you through the intricacies of PKG file analysis, which will enhance your macOS malware analysis skills.
Abusing Windows Built-in VPN Providers
03/11/2025 We'll walk through my premise that a standard user can modify the system routing table if they can reach a VPN server they control, and the implications this has for network and host security.
XML External Entity (XXE) vulnerabilities are one of the most overlooked yet impactful vulnerabilities in modern web applications. Their impact remains severe, allowing attackers to read internal files, reach internal-only networks, and even execute remote code. In this article, we will learn what XXE vulnerabilities are and how to identify and exploit them as well.
CVE-2025-24813 is an Apache Tomcat vulnerability that may result in information disclosure or corruption, and even remote code execution. This is a quick and dirty analysis explaining the parts of the picture that are not in the advisory or can't be deduced trivially from the source code.
We provide a methodology to develop a Bluetooth device driver. Additionally, we demonstrate how to use hidden commands to unlock advanced functionalities, enabling direct and complete access to the ESP32's memory and execution from any hardware that utilizes this chip via HCI.
Decrypting Encrypted files from Akira Ransomware (Linux/ESXi variant 2024) using a bunch of GPUs
03/13/2025 I helped a company recover their data from the Akira ransomware without paying the ransom. In this article, I'm sharing how I did it, along with the full source code.
Memory Corruption in Delphi
03/13/2025 In this blog post, we take the first steps of investigating memory corruption in Delphi by constructing several simple proof-of-concept code examples that demonstrate memory corruption vulnerability patterns.
We review how to use the pi-gen tool to generate an image for a Raspberry Pi that is pre-configured with many tools needed for basic hardware hacking.
In this post, we extract the firmware and maybe push modified firmware to an electric toothbrush.
Critical authentication bypass vulnerabilities (CVE-2025-25291 + CVE-2025-25292) were discovered in ruby-saml. In this blog post, we'll shed light on how these vulnerabilities that rely on a parser differential were uncovered.
Still Recent
This is a write-up of CVE-2024-12425 and CVE-2024-12426, two vulnerabilities in LibreOffice which respectively allow an attacker to write to a semi-arbitrary file in the filesystem, and remotely extract values from environment variables and from INI-like files in the filesystem.
This article details how I leveraged an SSRF vulnerability in Apache Solr to get a remote command execution (RCE) exploit.
We explore CVE-2025-21298, a security flaw which could let attackers remotely execute malicious code on Windows systems simply by sending a specially designed file. The issue directly impacts Microsoft Word and Outlook.
We'll look at how to set up Mythic C2 and its Apfell implant on macOS. We will weaponize that implant to bypass EDRs using BallisKit DarwinOps. We will also show how to use the privilege escalation module to gain root access.
The current implementation of the shadow credentials attack in the Impacket framework leaves unique signatures on the NGC data structures written to the msDS-KeyCredentialLink LDAP attribute by malicious actors. We explain how heuristics could be used to identify most malicious NGC keys, regardless of the hacktool they were generated by.
Old MedPy Vulnerability
02/27/2025 I detail a code injection vulnerability via the pickle module found in MedPy, a library and collection of scripts targeted towards medical (i.e. high dimensional) image processing.
smoltalk: RCE in Open Source Agents
02/14/2025 I discovered a vulnerability in smolagents, a lightweight framework for building AI agents, allowing an attacker to escape the interpreter and execute commands on the underlying machine. Here we will take a walk through the analysis of the exploit and discuss the implications this has as a microcosm of AI agent security.
In this blog, we will explain how we used QEMU to emulate the relevant system components of Planet Technology Corp's WGS-804HPT Industrial switch, and how it was used to uncover three vulnerabilities that could allow an attacker to remotely execute code on a vulnerable device. The vulnerabilities include separate buffer and integer overflow vulnerabilities and an OS command injection flaw.
Oldies but Goodies
CVE-2024-30043: Abusing URL Parsing Confusion to Exploit XXE on SharePoint Server and Cloud
05/29/2024 This blog covers an XML eXternal Entity (XXE) injection vulnerability that I found in SharePoint (CVE-2024-30043). It allows an attacker to read files with SharePoint Farm Service account permission, perform Server-Side Request Forgery (SSRF) attacks, and perform NTLM relaying.
ADFS Entra Lab with Ludus
12/19/2024 This blog walks you through setting up an ADFS lab using Ludus and/or a flexible hybrid cloud environment for testing.
x64 Return Address Spoofing
09/11/2024 We discuss a technique of x64 return address spoofing, used to bypass security mechanisms like antivirus or Endpoint Detection and Response (EDR) systems. Return address spoofing is a method to manipulate the return address of a function to make it appear as though the function is being called from a trusted location, such as a system DLL.
x64 Call Stack Spoofing
12/19/2024 We explore x64 call stack spoofing, a technique that involves manipulating the call stack to bypass AV or EDR detection.
GOAD - Part 13: Having fun inside a domain
04/26/2023 In this part, we will document and practice some techniques relying on domain trust. The different techniques presented here need an active user to exploit them.
Backdooring Electron Applications
04/05/2023 This article is a reference point for Electron post-exploitation for persistence. We review DLL hijacking, Remote Debugging Protocol and Beemka methods.
SAPwned: SAP AI vulnerabilities expose customers' cloud environments and private AI artifacts
07/17/2024 We uncover vulnerabilities in SAP AI Core, allowing malicious actors to take over the service and access customer data.
Unearthed Arcana
Prototype Pollution
04/15/2022 In this article we introduce the prototype pollution vulnerability that affects JavaScript. It can be thought of as a type of object injection. The prototype object is inherited by all objects, so if we can modify it in one place it will be inherited by everything else. This can be used to overwrite functions, variables, and anything else.
CVE-2022-1015 is a vulnerability in the Linux kernel's nf_tables module. It is caused by stack out-of-bounds reads and writes that occur because an integer range is not properly bounded.