How I Met Your Beacon – Overview https://www.mdsec.co.uk/2022/07/part-1-how-i-met-your-beacon-overview/
MDSec
PART 1: How I Met Your Beacon - Overview - MDSec
Introduction It's no secret that MDSec provides a commercial command-and-control framework with a focus on evasion for covert operations. With this in mind, we are continuously performing on-going R&D in...
Malware analysis with IDA/Radare2 2 - From unpacking to config extraction to full reversing (IceID Loader) https://artik.blue/malware5
artik.blue
Malware analysis with IDA/Radare2 2 - From unpacking to config extraction to full reversing (IceID Loader)
All things cyber
Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists
Proofpoint
APTs Targeting Journalists & Media Organizations | Proofpoint US
APTs regularly target and pose as journalists and media organizations to advance their state-aligned initiatives. Learn more about Proofpoint's research.
Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials https://research.checkpoint.com/2022/check-point-research-exposes-an-iranian-phishing-campaign-targeting-former-israeli-foreign-minister-former-us-ambassador-idf-general-and-defense-industry-executives/
Check Point Research
Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials - Check Point Research
Introduction Check Point Research uncovers a recent Iranian-based spear-phishing operation aimed against former Israeli officials, high-ranking military personnel, research fellows in research institutions, think tanks, and against Israeli citizens. The attacks…
Attackers target Ukraine using GoMet backdoor https://blog.talosintelligence.com/2022/07/attackers-target-ukraine-using-gomet.html
Cisco Talos Blog
Attackers target Ukraine using GoMet backdoor
Executive summary
Since the Russian invasion of Ukraine began, Ukrainians have been under a nearly constant barrage of cyber attacks. Working jointly with Ukrainian organizations, Cisco Talos has discovered a fairly uncommon piece of malware targeting Ukraine…
Why the Equation Group (EQGRP) is NOT the NSA https://xorl.wordpress.com/2022/07/06/why-the-equation-group-eqgrp-is-not-the-nsa/
xorl %eax, %eax
Why the Equation Group (EQGRP) is NOT the NSA
I had covered this topic in my 2021 talk “In nation-state actor’s shoes”, but after my recent blog post I saw again people referring to the EQGRP as the NSA, which is not entirely c…
Let's code a TCP/IP stack, 1: Ethernet & ARP https://www.saminiir.com/lets-code-tcp-ip-stack-1-ethernet-arp/
saminiir's hacker blog
Let's code a TCP/IP stack, 1: Ethernet & ARP
Writing your own TCP/IP stack may seem like a daunting task. Indeed, TCP has accumulated many specifications over its lifetime of more than thirty years. The core specification, however, is seemingly compact - the important parts being TCP header…
When Hypervisor Met Snapshot Fuzzing https://www.usmacd.com/2022/07/21/2022-07-21-When-Hypervisor-Met-Snapshot-Fuzzing/
The End of PPLdump https://itm4n.github.io/the-end-of-ppldump/
itm4n’s blog
The End of PPLdump
A few days ago, an issue was opened for PPLdump on GitHub, stating that it no longer worked on Windows 10 21H2 Build 19044.1826. I was skeptical at first so I fired up a new VM and started investigating. Here is what I found…
Attack Chain Déjà-vu: The infection vector used by SVCReady, Gozi and IcedID https://medium.com/@DCSO_CyTec/attack-chain-d%C3%A9j%C3%A0-vu-the-infection-vector-used-by-svcready-gozi-and-icedid-585bb326a666
Medium
Attack Chain Déjà-vu: The infection vector used by SVCReady, Gozi and IcedID
Technical analysis of the SVCReady, Gozi and IcedID attack chain
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit https://securelist.com/cosmicstrand-uefi-firmware-rootkit/106973/
Securelist
CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit
In this report, we present a UEFI firmware rootkit that we called CosmicStrand and attribute to an unknown Chinese-speaking threat actor.
Zyxel authentication bypass patch analysis (CVE-2022-0342) https://security.humanativaspa.it/zyxel-authentication-bypass-patch-analysis-cve-2022-0342/
hn security
Zyxel authentication bypass patch analysis (CVE-2022-0342) - hn security
A few months ago, new firmware […]
Winshark - Wireshark plugin to work with Event Tracing for Windows https://hakin9.org/winshark-wireshark-plugin-to-work-with-event-tracing-for-windows/
Hakin9 - IT Security Magazine
Winshark - Wireshark plugin to work with Event Tracing for Windows
Windows Kernel Exploitation – HEVD x64 Use-After-Free https://vulndev.io/2022/07/14/windows-kernel-exploitation-hevd-x64-use-after-free/
Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products https://blog.talosintelligence.com/2022/07/vulnerability-spotlight-how-code-re-use.html
Cisco Talos Blog
Vulnerability Spotlight: How a code re-use issue led to vulnerabilities across multiple products
Recently, I was performing some research on a wireless router and noticed the following piece of code:
This unescape function will revert the URL encoded bytes to its original form. But something specifically caught my attention: There was no size check…
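The class of bug the Talos snippet describes, a URL-unescape routine that writes decoded bytes into the caller's buffer without checking how large that buffer is, as an added C illustration. Neither function below is the router's code or the post's own snippet: `unescape_unchecked` is a constructed reconstruction of the pattern (a decode loop with no destination bound), and `unescape_bounded` is the hardened form that takes and honours the destination size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the next input token: a %XX escape, a '+' (space), or a literal byte.
 * An incomplete escape such as "%4" at end of input is kept literally.
 * Advances *src and returns the decoded byte. */
static int next_byte(const char **src)
{
    const char *p = *src;
    if (p[0] == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
        *src = p + 3;
        return hexval(p[1]) * 16 + hexval(p[2]);
    }
    *src = p + 1;
    return (*p == '+') ? ' ' : (unsigned char)*p;
}

/* The risky pattern (constructed here to illustrate the class, not the
 * vendor's code): decoded bytes are written to dst for as long as src
 * lasts, with no knowledge of how large dst is. A request longer than the
 * caller's buffer overflows it. Kept for comparison only; main() calls it
 * with a short input that is known to fit. */
void unescape_unchecked(const char *src, char *dst)
{
    while (*src)
        *dst++ = (char)next_byte(&src);
    *dst = '\0';
}

/* Hardened form: dst_len is the size of dst; every write is bounded and
 * room for the terminating NUL is reserved. Returns the decoded length,
 * or -1 if the output would not fit (dst is then an empty string). */
int unescape_bounded(const char *src, char *dst, size_t dst_len)
{
    size_t out = 0;
    if (dst_len == 0) return -1;
    while (*src) {
        if (out + 1 >= dst_len) {   /* no room for this byte plus the NUL */
            dst[0] = '\0';
            return -1;
        }
        dst[out++] = (char)next_byte(&src);
    }
    dst[out] = '\0';
    return (int)out;
}

/* Small fixed-size destination, the kind of buffer such decoders write into. */
char g_buf[16];

/* Returns 1 if an over-long encoded input is refused instead of written. */
int oversize_is_rejected(void)
{
    /* Constructed input: 20 escapes decode to 20 bytes, more than g_buf holds. */
    const char *in = "%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41%41";
    return unescape_bounded(in, g_buf, sizeof g_buf) == -1;
}

int main(void)
{
    unescape_unchecked("safe+input%21", g_buf);          /* 11 bytes, fits */
    printf("unchecked: %s\n", g_buf);
    int n = unescape_bounded("id=%3Cscript%3E", g_buf, sizeof g_buf);
    printf("bounded: %d bytes -> %s\n", n, g_buf);
    printf("oversize rejected: %s\n", oversize_is_rejected() ? "yes" : "no");
    return 0;
}
```

When reviewing firmware decoders of this kind, the question to ask is where the destination length comes from: if the function signature has no size parameter at all, as in `unescape_unchecked`, every caller is only as safe as the longest URL the device will accept, which is usually far larger than the stack buffers it decodes into.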
How to analyze Linux malware – A case study of Symbiote https://cybergeeks.tech/how-to-analyze-linux-malware-a-case-study-of-symbiote/
CVE-2022-31813: Forwarding addresses is hard https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-is-hard.html
Synacktiv
CVE-2022-31813: Forwarding addresses is hard
Extracting Ghidra Decompiler Output with Python https://medium.com/tenable-techblog/extracting-ghidra-decompiler-output-with-python-a737e9ed8fce
Medium
Extracting Ghidra Decompiler Output with Python
Ghidra’s decompiler, while not perfect, is pretty darn handy. Ghidra’s user interface, however, leaves a lot to be desired. I often find…
Manipulating Windows Tokens with Go https://fourcore.io/blogs/manipulating-windows-tokens-with-golang
FourCore
Manipulating Windows Tokens with Go
Windows Tokens are used for authentication and assigning privileges to Windows programs. Understanding token manipulation is essential to detect malicious behaviours. Security professionals can use the wintoken library for token manipulation.