Tracking a P2P network related to TA505
https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
This shouldn't have happened: A vulnerability postmortem https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
Blogspot
This shouldn't have happened: A vulnerability postmortem
Posted by Tavis Ormandy, Project Zero Introduction This is an unusual blog post. I normally write posts to highlight some hidden att...
Popping iOS <=14.7 with IOMFB https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html
Justin’s Blog
Popping iOS <=14.7 with IOMFB
During the last two weeks of my summer (as of writing, summer 2021), I decided to try and take a crack at iOS 14 kernel exploitation with the IOMobileFramebuffer OOB pointer read (CVE-2021-30807). Unfortunately, a couple days after I moved back into school…
All our team wishes you and yours a Happy New Year! ❤️
The Re-Emergence of Emotet https://www.deepinstinct.com/blog/the-re-emergence-of-emotet
Deep Instinct
The Re-Emergence of Emotet | Deep Instinct
Emotet, the malware botnet, has resurfaced after almost 10 months. The operation was originally taken down by multiple international law enforcement agencies this past January. These agencies took control of the infrastructure and scheduled an un-installation…
Unpacking and decryption tools for the Emotet malware https://github.com/deepinstinct/DeMotet
GitHub
GitHub - deepinstinct/DeMotet: Unpacking and decryption tools for the Emotet malware
Unpacking and decryption tools for the Emotet malware - deepinstinct/DeMotet
Protecting Windows Credentials against Network Attacks https://securitycafe.ro/2021/12/02/protecting-windows-credentials-against-network-attacks/
Security Café
Protecting Windows Credentials against Network Attacks
Over the years I’ve seen a lot of misconfigurations or a lack of configurations when it comes to protecting Windows credentials, hashes or Kerberos tickets. The main difficulty here comes fro…
Impact of an Insecure Deep Link https://securityflow.io/impact-of-an-insecure-deep-link/
Just another analysis of the njRAT malware – A step-by-step approach https://cybergeeks.tech/just-another-analysis-of-the-njrat-malware-a-step-by-step-approach/
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
https://www.mandiant.com/resources/sabbath-ransomware-affiliate
Google Cloud Blog
Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again | Google Cloud Blog
[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver https://syst3mfailure.io/sixpack-slab-out-of-bounds
[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver
CVE-2021-42008 is a Slab-Out-Of-Bounds Write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. A malicious input from a process with CAP_NET_ADMIN capability can lead to an overflow in the cooked_buf…
Hakluke: Creating the Perfect Bug Bounty Automation https://labs.detectify.com/2021/11/30/hakluke-creating-the-perfect-bug-bounty-automation/
Labs Detectify
Hakluke: Creating the perfect bug bounty automation - Labs Detectify
Bug Bounty Automation is the key to success for many expert bug bounty hunters including Hakluke. He walks through how he does it.
Windows 10 RCE: The exploit is in the link https://positive.security/blog/ms-officecmd-rce
positive.security
Windows 10 RCE: The exploit is in the link | Positive Security
Chaining a misconfiguration in IE11/Edge Legacy with an argument injection in a Windows 10/11 default URI handler and a bypass for a previous Electron patch, we developed a drive-by RCE exploit for Windows 10. The main vulnerability in the ms-officecmd URI…
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html
Trend Micro
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites
We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware have been covered by other researchers, our blog entry focuses…
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/
SentinelOne
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution
SentinelLabs has discovered a heap overflow vulnerability in the TIPC module of the Linux Kernel which can allow attackers to compromise an entire system.
Resources to help get started with IoT Pentesting https://github.com/adi0x90/IoT-Pentesting-Methodology
GitHub
GitHub - adi0x90/IoT-Pentesting-Methodology: Resources to help get started with IoT Pentesting
Resources to help get started with IoT Pentesting - GitHub - adi0x90/IoT-Pentesting-Methodology: Resources to help get started with IoT Pentesting
Local PoC exploit for CVE-2021-43267 (Linux TIPC) https://github.com/ohnonoyesyes/CVE-2021-43267
Investigating the Emerging Access-as-a-Service Market https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/investigating-the-emerging-access-as-a-service-market
Trendmicro
Investigating the Emerging Access-as-a-Service Market
We examine an emerging business model that involves access brokers selling direct access to organizations and stolen credentials to other malicious actors.
The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
Extracting passwords from hiberfil.sys and memory dumps https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
diverto.github.io
Extracting passwords from hiberfil.sys and memory dumps
When in password hunting mode and having access to the filesystem of the target, most people would reach out to SAM and/or extracting cached credentials.
While this can usually be the way to go, it can pose a huge challenge, as the result can depend on the…
A new StrongPity variant hides behind Notepad++ installation https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation