90% of hacking is swearing at your computer
Starred Articles
We present an attack that uses the Tesla Wall Connector as the entry point, communicating with the charger using a non-standard protocol. We exploit a logic flaw to install a vulnerable firmware on the device. This article explains how we studied the device, how we built a Tesla car simulator to communicate with the charger, and how we exploited this logic bug.
Storing images in TXT records
06/15/2025 I've always been interested in TXT records because they seem to be a useful way of storing arbitrary data, and in this blog post I'll discuss how I got to almost a protocol sort of method for storing an image on a domain name.
Static Data Exploration
06/16/2025 A deep-dive analysis into the static characteristics of malware and benign binaries ("goodware") using a massive dataset.
This post thoroughly explains what MCP is and why it makes LLMs more powerful. It also provides a comprehensive threat model analysis and reviews the fundamental security vulnerabilities.
We leverage Chrome's drag-and-drop feature to trick users into interacting with a seemingly harmless image, eventually leading to NTLM hashes leak.
New Articles
We developed Jitter-Trap, a new technique to detect one of the most evasive steps in the cyberattack lifecycle: post-exploitation and C2 communication. Our analysis demonstrates how patterns of randomness, often employed for evasion, can be leveraged to uncover the presence of such traffic.
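The entry above describes detecting C2 beaconing from the randomness of its timing. The following is an added example, not the Jitter-Trap code from the article: it scores a series of connection timestamps between one client and one destination under the assumption that an implant sleeping S seconds with jitter J draws each gap uniformly from [S(1-J), S(1+J)], so its gaps stay inside a narrow band and fill it evenly, while human or bursty application traffic does neither. The function names, thresholds and the two sample series are constructed for this example.

```python
"""Flag sleep-plus-jitter beaconing from connection timestamps.

Added example; the scoring rule below is an assumption of this example, not
the Jitter-Trap technique's actual implementation.
"""
import random


def beacon_intervals(timestamps):
    """Inter-arrival gaps (seconds) between consecutive connections."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def jitter_score(timestamps, min_samples=20, max_spread=2.0, max_skew=0.6):
    """Score one client->destination series for beaconing.

    Model (assumption): gaps of a jittered beacon lie in [S(1-J), S(1+J)],
    so max/min stays small (<= max_spread) and the band is filled evenly.
    Human or bursty traffic spans orders of magnitude and clusters near zero.
    """
    gaps = beacon_intervals(timestamps)
    if len(gaps) < min_samples:
        return {"beacon": False, "reason": "too few samples", "n": len(gaps)}
    lo, hi = min(gaps), max(gaps)
    if lo <= 0:
        return {"beacon": False, "reason": "duplicate timestamps", "n": len(gaps)}
    center = (lo + hi) / 2.0
    result = {
        "n": len(gaps),
        "sleep": round(center, 1),                      # estimated S
        "jitter": round((hi - lo) / (2.0 * center), 2),  # estimated J
        "spread": round(hi / lo, 2),
    }
    if hi - lo <= 0.01 * center:
        # Constant interval: a fixed-sleep beacon with no jitter at all.
        result.update(beacon=True, skew=0.0, reason="constant interval")
        return result
    # Uniformity check: split [lo, hi] into four bins; with uniform jitter each
    # bin holds about a quarter of the gaps. skew = worst relative deviation.
    bins = [0, 0, 0, 0]
    for g in gaps:
        bins[min(3, int((g - lo) / (hi - lo) * 4))] += 1
    expected = len(gaps) / 4.0
    skew = max(abs(b - expected) for b in bins) / expected
    result["skew"] = round(skew, 2)
    result["beacon"] = hi / lo <= max_spread and skew <= max_skew
    result["reason"] = ("bounded uniform jitter" if result["beacon"]
                        else "unbounded or clustered gaps")
    return result


def constructed_beacon(n=200, sleep=60.0, jitter=0.2, seed=1):
    """Constructed sample: implant with 60 s sleep and 20 % jitter."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += rng.uniform(sleep * (1 - jitter), sleep * (1 + jitter))
        out.append(t)
    return out


def constructed_browsing(n=200, seed=1):
    """Constructed sample: bursty user traffic with heavy-tailed gaps."""
    rng = random.Random(seed)
    t, out = 0.0, []
    for _ in range(n):
        t += rng.choice([0.1, 0.3, 1.0, 5.0, 45.0, 600.0]) * rng.uniform(0.5, 1.5)
        out.append(t)
    return out


if __name__ == "__main__":
    for name, series in (("beacon", constructed_beacon()),
                         ("browsing", constructed_browsing())):
        print(name, jitter_score(series))
```

The thresholds are starting points, not tuned values: a real deployment needs the timestamps grouped per (source, destination) pair first, and keepalive traffic from legitimate agents will also score as a constant-interval beacon, so the result is a lead to triage against an allowlist, not a verdict.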
Detecting Packet Sniffing Malware on Linux
06/16/2025 Packet sniffing on Linux can be used for a variety of legitimate reasons, but sometimes it's used by malware for traffic monitoring to steal information and activate covert backdoors. In this article we're going to show you how to search the /proc/net/packet file on your Linux systems to find suspicious processes that may be grabbing traffic.
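As an added example of the /proc/net/packet approach described in the entry above (this is not the article's own script): the block parses the file's columns, flags raw AF_PACKET sockets bound to every protocol (the shape a sniffer usually has), and resolves each flagged socket inode to its owning process by walking /proc/<pid>/fd. The sample file content, the heuristic and the function names are constructed for this example.

```python
"""Find Linux processes holding AF_PACKET sockets (the kind sniffers use)."""
import os
import re

# Constructed sample in the layout of /proc/net/packet. Type 3 = SOCK_RAW,
# 2 = SOCK_DGRAM; Proto is hex: 0003 = ETH_P_ALL (every frame), 0800 = IPv4;
# Iface = interface index (0 = all); User = owning uid; Inode = socket inode.
SAMPLE_PROC_NET_PACKET = """\
sk               RefCnt Type Proto  Iface R Rmem   User   Inode
0000000012ab34cd 3      3    0003   0     1 0      0      24711
00000000ef567890 3      2    0800   2     1 0      0      30987
"""

ETH_P_ALL = 0x0003
SOCK_RAW = 3
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


def parse_packet_sockets(text):
    """Parse /proc/net/packet content (header line skipped) into dicts."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append({
            "type": int(f[2]),
            "proto": int(f[3], 16),
            "ifindex": int(f[4]),
            "running": f[5] == "1",
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return sockets


def is_suspicious(sock):
    """Heuristic (an assumption of this example): a raw socket receiving every
    protocol is sniffer-shaped. A DGRAM IPv4 socket is the usual shape of a
    DHCP client and is left alone."""
    return sock["type"] == SOCK_RAW and sock["proto"] == ETH_P_ALL


def suspicious_inodes(text):
    return [s["inode"] for s in parse_packet_sockets(text) if is_suspicious(s)]


def find_socket_owners(inodes, proc_root="/proc"):
    """Map socket inodes to PIDs via /proc/<pid>/fd symlinks ('socket:[N]').
    Reading other users' fd tables needs root; unreadable entries are skipped."""
    wanted = {int(i) for i in inodes}
    owners = {}
    try:
        pids = [p for p in os.listdir(proc_root) if p.isdigit()]
    except OSError:
        return owners
    for pid in pids:
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = SOCKET_LINK.match(target)
            if m and int(m.group(1)) in wanted:
                owners.setdefault(int(m.group(1)), set()).add(int(pid))
    return owners


def process_name(pid, proc_root="/proc"):
    """Return the comm name of a PID, or '?' if it cannot be read."""
    try:
        with open(os.path.join(proc_root, str(pid), "comm")) as fh:
            return fh.read().strip()
    except OSError:
        return "?"


if __name__ == "__main__":
    try:
        with open("/proc/net/packet") as fh:
            content = fh.read()
    except OSError:
        content = SAMPLE_PROC_NET_PACKET  # not on Linux: use the constructed sample
    flagged = suspicious_inodes(content)
    owners = find_socket_owners(flagged)
    for inode in flagged:
        pids = owners.get(inode)
        if not pids:
            print(f"inode {inode}: owner unresolved (run as root)")
            continue
        for pid in sorted(pids):
            print(f"inode {inode}: pid {pid} ({process_name(pid)})")
```

Legitimate tools such as tcpdump, some DHCP clients and LLDP daemons also open raw ETH_P_ALL sockets, so the hits need to be checked against the process name and its on-disk binary rather than treated as a verdict; a hit with no resolvable owner while running as root is itself worth a closer look.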
This second part is about pivoting from just a SecureBoot bypass into arbitrary code execution during firmware update and taking over the DXE volume.
Let's Talk About HTTP
06/09/2025 HTTP headers might seem boring on the surface, but when you dig in - they're loaded with useful info. From persistent connections to User-Agent strings to caching behavior and time syncing - every bit tells you something.
In this article, we'll uncover what makes SSTI vulnerabilities so dangerous and walk you through the techniques to identify, exploit, and weaponize them effectively. We'll also explore advanced and unique exploitation scenarios across different template engines.
Attacking JWT using X509 Certificates
06/17/2025 The x5u and x5c JSON Web Signature (JWS) header parameters make use of X.509 certificates and define where the public key is stored to validate the JWS integrity. An attacker could sign the token with their own private key and modify the header value to specify their public key for signature verification, thus having full access to modify the token claims.
Call Stacks: No More Free Passes For Malware
06/12/2025 We explore the immense value that call stacks bring to malware detection and why we consider them to be vital Windows endpoint telemetry despite the architectural limitations.
Yes, Wallets Can Be Hacked Too
06/18/2025 Some of the same features that make wallets like Apple Pay and GPay so convenient also open up serious attack paths. If your phone is stolen or misconfigured, it can become a direct gateway to your money. No card skimmer required. Let's break down what attackers are doing right now.
We identified a new, rebranded stealer based on ACR Stealer called Amatera Stealer. It is delivered via web injects featuring a sophisticated attack and interesting anti-analysis features, improving the sophistication of the malware.
Buffer Overflows in the Modern Era - Part 1
06/16/2025 We start this series with the basics to give you a feel for using a debugger and also get the main exploitable program compiled and mess with it some.
Make Self-XSS Great Again
06/13/2025 Some XSS vulnerabilities require complex actions within an account, effectively making them reproducible only on the attacker's account and thus losing their practical value. The purpose of this article is to demonstrate that what is commonly perceived as Stored Self-XSS can actually be transformed into a regular Stored XSS using modern browser capabilities.
We discovered a multistage campaign targeting Minecraft users via the distribution as a service (DaaS) Stargazers Ghost Network, which operates on GitHub. The malware impersonates, among others, Oringo and Taunahi, which are "Scripts & Macro" tools (a.k.a. cheats).
We detail how Symantec IT Management Suite works, how ACCs are stored locally, and methods to retrieve them as both an administrator and a low-privileged user, leveraging the PrivescCheck privilege escalation tool.
Best EDR Of The Market - Part 3
06/14/2025 This third version marks a decisive turning point in the future of the project: nothing is done in user mode any more, but rather in kernel mode via a dedicated kernel driver, making it possible to exploit the Windows kernel telemetry capabilities that are far more powerful. The aim of this article is to discuss the detection methods and the architectural changes.
We discovered a method to bypass authentication and delete arbitrary files in the Zyxel NWA50AX Pro WiFi 6 access point.
We repurposed the Pico W, which features the Infineon CYW43439 Bluetooth controller, to use it as a Bluetooth dongle. We provide instructions for installing the necessary software, building the project, and flashing the Pico W to function as a Bluetooth controller.
This article outlines the mechanics and security implications of serverless authentication across major cloud platforms. Attackers target serverless functions developed with insecure code and misconfigured cloud functions. Successful exploits of these weaknesses enable attackers to obtain credentials that can then be abused.
Roles Here? Roles There? Roles Anywhere: Exploring the Security of AWS IAM Roles Anywhere
06/09/2025 In this article, we explore key risks associated with improper configuration or architectural design while using the AWS IAM Roles Anywhere service. We analyze these risks from both a threat actor’s perspective and an organization’s perspective.
Windows Event Logs are a critical tool for threat hunters. By focusing on specific Event IDs, Threat Hunters can identify suspicious behaviors related to user authentication, process execution, file access, and log tampering. This blog post provides a concise guide to key Windows Event IDs and practical strategies for using them in threat hunting.
We're exploring Sitecore’s Experience Platform (XP), demonstrating a pre-auth RCE chain. We are going to walk you through three vulnerabilities: CVE-2025-34509 - hardcoded credentials, CVE-2025-34510 - Post-Auth RCE via path traversal, and CVE-2025-34511 - Post-Auth RCE via Sitecore PowerShell extension.
Introducing: GitHub Device Code Phishing
06/12/2025 GitHub device code phishing represents a natural evolution of attack techniques. Compromising a target's GitHub account takes five steps: code generation, social engineering, user authentication, token retrieval, own everything... We'll break down this entire flow and then provide a tool that security teams can use to automate the process.
Hunting Through APIs
06/11/2025 We’re diving into the world of hunting through APIs. These APIs can enhance security operations, automate threat detection, and enable bigger automation potential. We will specifically focus on available data, permissions, API limitations, and hunting through PowerShell.
In this post, we'll touch on how past research was adapted to obtain a foothold on Sonos Era 300, a high-end smart speaker, providing us the necessary introspection to discover and exploit a powerful memory corruption vulnerability (CVE-2025-1050) in a remotely accessible, unauthenticated attack surface.
In this post, we are going to look at how we can find zero-days in .NET assemblies using Model Context Protocol (MCP).
In this post, we'll dive into why creating a single, accurate timeline is both an art and a pain, discuss the tools that help, the technical hurdles (from timestamp discrepancies to outright time trickery), and strategies for stitching events together into a sensible story.
We explore the attack chain, malware, and techniques of a Web3 macOS intrusion initiated by a malicious Zoom extension download.
Sleepless Strings
06/19/2025 This is the story of how we stumbled upon a serious security issue in the Insomnia API Client. We found that by simply importing a malicious collection file or sending an API request to a malicious server, arbitrary code execution could be triggered via template injection within the Insomnia API Client.
AntiDot Analysis
06/19/2025 AntiDot is an Android botnet malware that lets cybercriminals control their victim devices with high capability. Its features include screen recording through accessibility service abuse, SMS interception, and log theft from installed applications. The malware also employs WebView injection and overlay attacks to steal credentials, making it a serious threat to user privacy and device security.
Still Recent
Securing the Keys to the Kingdom: Ensuring MFA for Microsoft Entra Privileged Roles with PowerShell
05/28/2025 This blog post provides Microsoft Entra administrators with detailed, step-by-step guidance and a robust PowerShell script to audit and report on the MFA protection status of all privileged accounts within your tenant.
CVE-2025-4318 is a critical vulnerability in the @aws-amplify/codegen-ui package, a core part of AWS Amplify Studio's UI generation process. The issue arises from improper input sanitization of JavaScript property expressions, resulting in remote code execution (RCE) during build or render time.
In this article, we explore the design and implementation of Rust-based hypervisors for memory introspection and reverse engineering on Windows. We cover two projects - illusion-rs, a UEFI-based hypervisor, and matrix-rs, a Windows kernel driver-based hypervisor. Both leverage Extended Page Tables (EPT) to implement stealthy control flow redirection without modifying guest memory.
Oldies but Goodies
SCCM / MECM LAB - Part 1
03/28/2024 We apply different reconnaissance techniques with and without a user, and add a computer with PXE.
SCCM / MECM LAB - Part 2
03/28/2024 In this part we start SCCM exploitation with low user credentials: relay and NAA credentials theft.
SCCM / MECM LAB - Part 3
04/03/2024 In this part we will exploit SCCM with an admin access on one VM, impersonating users, adding new admin, pivoting and executing commands.
Best EDR Of The Market - Part 1
11/19/2023 The Best EDR Of The Market (BEOTM) is an open source EDR designed to serve as a testing ground for understanding and bypassing some of the detection mechanisms employed by many well-known EDRs. The purpose of this first article is to give a brief overview of how these mechanisms are implemented in BEOTM.
SCCM / MECM LAB - Part 0
03/23/2024 An overview of the SCCM lab infrastructure and exposed vulnerabilities.
In this second part I'll demonstrate how to create and modify detection rules via Google SecOps' API.
Best EDR Of The Market - Part 2
04/14/2024 This second part details BEOTM's more extensive capabilities. It now offers active hooks, analyzes process heaps, in-memory regions, abnormal system calls, and much more. All this, coupled with the integration of YARA rules, increases the tool's capabilities and maneuverability.
This first post of the series provides an overview of the principles and benefits of managing detection rules as code and a typical detection engineering workflow used by security teams. I will configure a CI/CD pipeline in GitHub Actions to pull the latest version of my existing rules via Google SecOps' API and commit them to a GitHub repo.
Unearthed Arcana
The Underrated Bugs, Clickjacking, CSS Injection, Drag-Drop XSS, Cookie Bomb, Login+Logout CSRF...
05/10/2022 In this blog, I share 3 of my reports which describe the less known tricks and bug chains involving CSS injection, clickjacking, drag & drop and self-XSS, cookie bombs, CSRF and OAuth abuses, all leading to account takeover.