Any fool can write code that a computer can understand. Good programmers write code that humans can understand.
Starred Articles
Having fun with Github
04/25/2025 GitHub has some holes in its basic security which allow some tampering and spoofing. This has helped, and will again help, APTs to run campaigns through spoofing commit authors, spoofing contributors, hosting hidden payloads or abusing issues for phishing.
We discovered that Chrome extensions can communicate with MCP servers running on local machines, bypassing security measures like Chrome’s sandbox model. This unrestricted access allows extensions to exploit MCP tools without authentication, potentially leading to full system compromise.
Two CI/CD vulnerabilities in the nodejs/node GitHub repository exposed Node.js to remote code execution on Jenkins agents and the potential to merge unreviewed code to the main branch of the repository.
This blog documents techniques for hijacking both the .NET Global Assembly Cache (GAC) and Native Image Cache (NIC) for lateral movement, elevated persistence, and other nefarious things.
Ghosting AMSI: Cutting RPC to disarm AV
04/25/2025 In this post, we explore how to bypass AMSI's scanning logic by hijacking the RPC layer it depends on - specifically the NdrClientCall3 stub used to invoke remote AMSI scan calls.
New Articles
In this blog we present our technical analysis on how Lumma performs the below objectives: infection chain, code flow obfuscation, API hash resolving, heaven's gate, disabling ETWTi callbacks, anti-sandbox techniques, command and control, exfiltration.
Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
04/23/2025 We analyze a sophisticated attack on critical infrastructure by ToyMaker and Cactus, using the LAGTOY backdoor to orchestrate a relentless double extortion scheme.
Docker is a prime target for malware, with new strains emerging daily. This blog explores a novel campaign showcasing advanced obfuscation and cryptojacking techniques.
Beacon Object Files vs Tiny EXE Files
04/27/2025 A lot of bloat in an EXE file is just the statically linked C runtime. Link dynamically to msvcrt.dll plus a 40-line stub, and depending on the size of the program, you can shrink the whole EXE to ~3 KB. You keep the convenience of normal C code while matching BOF-level size - perfect for in-memory execution and low-bandwidth beacons.
Shadow roles in AWS defaults can expose hidden attack paths enabling privilege escalation, cross-service access, and even account compromise. In this blog, we'll walk through multiple real-world scenarios and demonstrate how a single default role can ultimately lead to full control of an AWS account.
The combination of Ghidra, GhidraMCP, Ollama, and OpenWeb-UI puts cutting-edge AI-assisted reverse engineering capabilities within reach, all while maintaining data privacy. While configuring the full end-to-end tool calling might require some extra steps, this stack provides the foundation.
Insecure credential storage plagues MCP
04/30/2025 Many MCP environments store long-term API keys for third-party services in plaintext on the local filesystem, often with insecure, world-readable permissions. Exploitation of this vulnerability could touch every system connected to your LLM app; the more powerful your MCP environment, the greater the risk of insecurely stored credentials.
You've heard of vibe coding, but have you considered vibe hacking? I tried thinking less to find an authentication bypass and RCE in OpenGamePanel.
In this article we describe a basic deobfuscation technique that leverages code snippet substitution. For concrete examples we'll analyse a publicly available Lumma sample using Ghidra.
Detecting Persistence with Open Source Tools
04/21/2025 In this hands-on lab, we'll dive into the world of cybersecurity persistence detection by building an automated defense system using powerful open-source tools.
We detail CVE-2025-24091, a vulnerability in iOS Darwin notifications, making it possible for any application to trigger events from the OS, leading to iPhone misbehavior and Denial of Service.
We discuss vulnerabilities found in industrial network switches from Planet Technology: command injection flaws, authentication bypass, and hardcoded credentials within network management tools.
The post explains the process of finding and exploiting three vulnerabilities found in the IXON VPN client. These vulnerabilities result in Local Privilege Escalation on Windows and Linux.
In this post, we'll look at the way Firefox handles the multipart/x-mixed-replace content type. As it renders it as HTML, it can have implications for security, leading to cross-site scripting (XSS).
HRSword: EDR Killer
04/21/2025 We provide technical details about HRSword, a component of a security software suite abused to monitor the process of the target system and to delete software related to security and logging. It has been abused historically in numerous ransomware infections for disabling EDRs due to the force-termination capability.
ProxyBlobing into your network
04/29/2025 We explain how one can abuse misconfiguration of the firewall for the Azure Blob Storage service to tunnel traffic to a target's internal network. To demonstrate that we build a SOCKS5 proxy that uses blobs for traffic tunneling.
We discovered a new set of vulnerabilities in Apple's AirPlay protocol and SDK. We detail zero-click RCEs, ACL bypasses, and wormable exploits that can be chained by attackers to potentially take control of devices that support AirPlay - including both Apple devices and third-party devices that leverage the AirPlay SDK.
In this article, you'll learn how to use GitLab Secret Detection to scan a repository’s full commit history, including all branches, to detect sensitive secrets. In addition, you will discover how to view the results directly within the GitLab UI without the need for any integration.
In this post, I will outline a relatively trivial method for dumping sleep obfuscated implants in a decrypted state using tools that already exist on most Windows machines.
I've identified some security vulnerabilities in the Zyxel uOS Linux-based operating system distributed with these appliances, that allow local users with access to a Linux OS shell to escalate privileges to root. They were collectively assigned CVE-2025-1731.
This blog from Microsoft Security explores the evolving threat landscape for Kubernetes and containerized assets. It highlights how threat actors exploit unsecured workload identities by investigating the case of a password spray attack that compromised cloud tenants, allowing attackers to create over 200 containers for cryptomining.
This report describes one of the latest observed infection chains (delivering AsyncRAT) relying on the Cloudflare tunnel infrastructure and the attacker's tactics, techniques and procedures (TTPs), with a principal focus on detection opportunities.
Due to the wide-scale usage of Microsoft Configuration Manager, I’ve decided to document the most common easy wins for attackers. This post will attempt to combine explanatory and practical example focused tradecraft together which combines high commonality with incredible impact from low-privilege contexts, and what you can do to prevent them.
The official XRPL (Ripple) NPM package was compromised by sophisticated attackers who put in a backdoor to steal cryptocurrency private keys and gain access to cryptocurrency wallets. This is a technical breakdown of how we discovered the attack.
In this blog we demonstrate how ANSI terminal escape codes can be used to obfuscate malicious payloads in MCP server tool descriptions.
I introduce a novel technique that leverages the well-known Device Code phishing approach. It defeats the 10-minute FIDO token validity limitation and eliminates the need for the victim to manually perform actions, elevating the efficiency of the attack to a new level.
NoSQL Injection: Advanced Exploitation Guide
04/27/2025 In this article, we will dive deeper into identifying and exploiting advanced NoSQL injections. We will also examine several examples to better understand NoSQLi attacks.
This blog post focuses on the recent changes in StealC V2, a popular information stealer and malware downloader. We describe the improvements in payload delivery, encryption, control panel functionality, and the updated communication protocol.
I will briefly explain what MCP is, outline security-focused design considerations, and describe my MCP implementation to augment Claude LLM for interacting with Elasticsearch to assist with threat identification.
Discover advanced phishing techniques bypassing email security. We investigate threats hidden in SVGs, PDFs, OneDrive, and OpenXML files.
In this post, we discuss various aspects of the SparkRAT framework, from its login mechanics to C2 communications. Our exploration includes leveraging sandbox results to confirm our suspicions and identify an active controller in the wild. We also provide the related IoCs.
Common Tool Errors - Kerberos
04/27/2025 This is a quick post on the different errors you might encounter, what the root cause of them is and what you might want to do to fix your commands.
Fuzzing Windows ARM64 closed-source binary
04/28/2025 This blog post introduces coverage-guided fuzzing with QBDI and libFuzzer targeting Windows ARM64.
We successfully exploited the Synology DiskStation DS1823xs+ to obtain remote code execution as root. This issue has been fixed as CVE-2024-10442. This post will detail our experience researching the Synology DiskStation and writing an exploit against it.
This blogpost provides a walkthrough of designing a POC for exploiting CVE-2020-12446, a vulnerability affecting the eneio64.sys driver (Trident Z Lighting Control) which offers read/write access on physical memory and remains compatible with HVCI.
SEH Exploitation Overflow
04/28/2025 In this article we will be tackling an overflow with Structured Exception Handling (SEH) in place. This introduces a new layer of complexity but also an excellent opportunity to level up our exploit development skills.
Mastering Buffer Overflows with Vulnserver
04/23/2025 In this tutorial, we exploit a buffer overflow vulnerability in Vulnserver and demonstrate key steps in buffer overflow exploitation, from initial recon to shellcode execution.
Lumma Stealer initial access evolved from cracked software to Clickfix, and usage of multiple legit platforms to distribute it from Google Drive to GitHub. We will not go through them in detail, as they are extensively covered, and we will look at the core functionality after the initial payload is delivered.
This in-depth blog reveals how threat actors exploit legitimate platforms and deploy cloaking methods to disguise malicious links, allowing them to evade detection by security solutions.
In this attack simulation scenario we will see how we can uncover actions taken by threat actors from only the Master File Table (MFT) of the endpoint.
In Python, if a dirty Arbitrary File Write (AFW) vulnerability exists in the application, it is possible to gain RCE via writing shared object files or overwriting bytecode files. It can be very powerful if you can only write files into the source code's directory, like /app, and the web application has a strict rule over the filename, such as not allowing the underscore character.
libAppleArchive: Arbitrary File Write
04/23/2025 In this article I detail CVE-2024-27876, an arbitrary file write vulnerability in iOS libAppleArchive. I will explain how I found it, made it reliable and attempted to bypass Gatekeeper.
Still Recent
Inside Riot Vanguard's Dispatch Table Hooks
04/11/2025 We delve into the inner workings of Riot Vanguard, the anti-cheat system used in VALORANT. Unlike conventional anti-cheats that launch alongside games, Vanguard operates at the kernel level, loading at boot time to inspect every driver loaded afterward.
New Task Scheduler Vulnerabilities Exposed
04/16/2025 This blog discloses new vulnerabilities and techniques we found in the Task Scheduler Service in Windows, covering UAC bypass, Metadata Poisoning, Task Event Log Overflow, and Security Event Logs Overwrite, adding the technique to a new tactic category, Defense Evasion, and reinforcing the Privilege Escalation category regarding Elevation Control Mechanism Abuse.
We discovered a fatal exploit chain in DJI remote control devices, leading to the complete compromise of the security defenses within the DJI remote controller.
Oldies but Goodies
Deep Dive into Reddit: OSINT Techniques
08/27/2024 In this beginner-friendly guide, I’ll introduce you to fresh tools and methods you can use to unlock the power of Reddit for OSINT investigations. You’ll learn how to search effectively, track conversations, and even analyze patterns, all while keeping it simple enough for newbies.
We will describe the OS features that facilitate process injection in Linux, and the different injection primitives they allow. We will cover techniques that have been previously described, and also highlight injection variants that were previously not documented. We will conclude by covering detection and mitigation strategies for the highlighted techniques.
Unearthed Arcana
This is the first post in a series on malware memory forensics and bypassing defensive scanners. First, I will detail the DLL hollowing technique, and then introduce one of my own variations of this technique which I call phantom DLL hollowing.
In this part, I will first introduce my pseudo-malicious memory artifacts kit tool. Then we will discuss using this tool to investigate the weak points of several defensive memory scanners, and finally explore what I deem to be the most valuable stealth techniques and concepts from an attack perspective based on the results of this investigation.
In this second part of the series, I will introduce my open source memory scanner tool Moneta, and explore the topic of legitimate dynamic code allocation, false positives and stealth potential therein discovered through use of this scanner.