Kitten.gif: Meet the Sabbath Ransomware Affiliate Program, Again
https://www.mandiant.com/resources/sabbath-ransomware-affiliate
[CVE-2021-42008] Exploiting A 16-Year-Old Vulnerability In The Linux 6pack Driver https://syst3mfailure.io/sixpack-slab-out-of-bounds
CVE-2021-42008 is a slab out-of-bounds write vulnerability in the Linux 6pack driver caused by a missing size validation check in the decode_data function. Malicious input from a process with the CAP_NET_ADMIN capability can lead to an overflow of the cooked_buf…
Hakluke: Creating the Perfect Bug Bounty Automation https://labs.detectify.com/2021/11/30/hakluke-creating-the-perfect-bug-bounty-automation/
Bug Bounty Automation is the key to success for many expert bug bounty hunters including Hakluke. He walks through how he does it.
Windows 10 RCE: The exploit is in the link https://positive.security/blog/ms-officecmd-rce
Chaining a misconfiguration in IE11/Edge Legacy with an argument injection in a Windows 10/11 default URI handler and a bypass for a previous Electron patch, we developed a drive-by RCE exploit for Windows 10. The main vulnerability in the ms-officecmd URI…
Campaign Abusing Legitimate Remote Administrator Tools Uses Fake Cryptocurrency Websites https://www.trendmicro.com/en_us/research/21/k/campaign-abusing-rats-uses-fake-websites.html
We have been tracking a campaign involving the SpyAgent malware that abuses well-known remote access tools (RATs) — namely TeamViewer — for some time now. While previous versions of the malware have been covered by other researchers, our blog entry focuses…
CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution https://www.sentinelone.com/labs/tipc-remote-linux-kernel-heap-overflow-allows-arbitrary-code-execution/
SentinelLabs has discovered a heap overflow vulnerability in the TIPC module of the Linux Kernel which can allow attackers to compromise an entire system.
Resources to help get started with IoT Pentesting https://github.com/adi0x90/IoT-Pentesting-Methodology
Local PoC exploit for CVE-2021-43267 (Linux TIPC) https://github.com/ohnonoyesyes/CVE-2021-43267
Investigating the Emerging Access-as-a-Service Market https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/investigating-the-emerging-access-as-a-service-market
We examine an emerging business model that involves access brokers selling direct access to organizations and stolen credentials to other malicious actors.
The hidden side of Seclogon part 2: Abusing leaked handles to dump LSASS memory https://splintercod3.blogspot.com/p/the-hidden-side-of-seclogon-part-2.html
Extracting passwords from hiberfil.sys and memory dumps https://diverto.github.io/2019/11/05/Extracting-Passwords-from-hiberfil-and-memdumps
When in password hunting mode and having access to the filesystem of the target, most people would reach for the SAM and/or extract cached credentials. While this can usually be the way to go, it can pose a huge challenge, as the result can depend on the…
A new StrongPity variant hides behind Notepad++ installation https://blog.minerva-labs.com/a-new-strongpity-variant-hides-behind-notepad-installation
CSPM, CIEM, CWPP, and CNAPP: Guess who in cloud security landscape https://sysdig.com/blog/cnapp-cloud-security-sysdig/
Who’s Who in Cloud Security? CSPM, CIEM, CWPP & CNAPP Explained
CNAPP platforms are steadily gaining traction as the best solutions for addressing cloud-native security. This blog explains them in depth.
Pwn2Own Local Escalation of Privilege Category — Ubuntu Desktop Exploit https://flatt.tech/assets/reports/210401_pwn2own/whitepaper.pdf
Process Ghosting https://pentestlaboratories.com/2021/12/08/process-ghosting/
Understanding how endpoint products work to identify malicious actions can lead to the discovery of security gaps which can be used for evasion during red team operations. The technique Process Her…
Nice explanation on the basics » A simple x86_64 stack based buffer overflow exploitation with gdb https://oxagast.org/posts/simple-buffer-overflow-exploitation-walkthrough-gdb/
Malicious IFilter: a DLL waiting patiently (not even loaded) until the file with a particular extension appears, then it executes as the LOCALSYSTEM https://github.com/gtworek/PSBits/tree/master/IFilter
Simple (relatively) things allowing you to dig a bit deeper than usual. - gtworek/PSBits
FIN13: A Cybercriminal Threat Actor Focused on Mexico https://www.mandiant.com/resources/fin13-cybercriminal-mexico
Threat news: TeamTNT stealing credentials using EC2 Instance Metadata https://sysdig.com/blog/teamtnt-aws-credentials/
TeamTNT malware targeted a Kubernetes Pod and attempted to steal AWS credentials using the EC2 instance metadata.
Is your web browser vulnerable to data theft? XS-Leak explained https://blog.malwarebytes.com/explained/2021/12/is-your-web-browser-vulnerable-to-data-theft-xs-leak-explained/
IT security researchers recently exposed new cross-site leak (XS-Leak) attacks against modern-day browsers. But what is XS-Leak anyway?
Driver-Based Attacks: Past and Present https://www.rapid7.com/blog/post/2021/12/13/driver-based-attacks-past-and-present/