Emulating inline decryption for triaging C++ malware #C++ #Malware #ReverseEngineering #InlineDecryption #Emulation https://viuleeenz.github.io/posts/2024/05/emulating-inline-decryption-for-triaging-c-malware/
Security Undisguised
Emulating inline decryption for triaging C++ malware
What do we need to know? C and C++ binaries share several commonalities; however, some additional features and complexities introduced by C++ can make reverse engineering C++ binaries more challenging than C binaries. Some of the most important features…
“Beeeeeeeeep!”. How Malware Uses the Beep WinAPI Function for Anti-Analysis #Malware #BeepFunction #AntiAnalysis #SecurityLiterate #WinAPI https://securityliterate.com/beeeeeeeeep-how-malware-uses-the-beep-winapi-function-for-anti-analysis/
Kyle Cucci's Cyber Ramblings
“Beeeeeeeeep!”. How Malware Uses the Beep WinAPI Function for Anti-Analysis
I was recently analyzing a malware sample that abuses the Beep function as an interesting evasion tactic. The Beep function basically plays an audible tone notification for the user. The Beep funct…
CVE-2024-4040-SSTI-LFI-PoC: CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass | Full Server Takeover | Wordlist Support #GitHub #CVE-2024-4040 #SSTI #LFI #PoC https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC
GitHub
GitHub - Stuub/CVE-2024-4040-SSTI-LFI-PoC: CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass | Full Server Takeover | Wordlist Support
CVE-2024-4040 CrushFTP SSTI LFI & Auth Bypass | Full Server Takeover | Wordlist Support - Stuub/CVE-2024-4040-SSTI-LFI-PoC
system32 important files #OffensiveSecurity #SystemIntegrity #MalwareDetection #FileAbuse https://redteamrecipe.com/system32-important-files
Leveraging DNS Tunneling for Tracking and Scanning #DNSTunneling #Tracking #Scanning #Security #ThreatResearch https://unit42.paloaltonetworks.com/three-dns-tunneling-campaigns/
Unit 42
Leveraging DNS Tunneling for Tracking and Scanning
We provide a walkthrough of how attackers leverage DNS tunneling for tracking and scanning, an expansion of the way this technique is usually exploited.
CFG in Windows 11 24H2 #CFG #Windows11 #Hotpatching #SCPCFG #Reversing https://ynwarcs.github.io/Win11-24H2-CFG
CFG in Windows 11 24H2
Hotpatching has been looming over Windows 11 for a while now, having already been shipped on the server & cloud deployments. It first came out in March that the first major version to include it will be 24H2, which can now be confirmed in a few minutes of…
HiddenArt – A Russian-linked SS7 Threat Actor #HiddenArt #RussianSS7Threat #EneaSolutions #NetworkSecurity #CyberSecurity https://www.enea.com/insights/the-hunt-for-hiddenart/
Enea
HiddenArt - A Russian-linked SS7 Threat Actor
From research on how SS7 network attacks could be used in hybrid warfare, we reveal the Russian-connected HiddenArt mobile threat actor.
Hunting for Unauthenticated n-days in Asus Routers #Shielder #AsusRouters #Exploit #Vulnerability #IoTSecurity https://www.shielder.com/blog/2024/01/hunting-for-~~un~~authenticated-n-days-in-asus-routers/
Shielder
Shielder - Hunting for ~~Un~~authenticated n-days in Asus Routers
Notes on patch diffing, reverse engineering and exploiting CVE-2023-39238, CVE-2023-39239, and CVE-2023-39240.
CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive #Fortinet #CVE-2023-34992 #CommandInjection #Horizon3ai #NodeZero https://www.horizon3.ai/attack-research/disclosures/cve-2023-34992-fortinet-fortisiem-command-injection-deep-dive/
Horizon3.ai
CVE-2023-34992: Fortinet FortiSIEM Command Injection Deep-Dive
CVE-2023-34992 Fortinet FortiSIEM Command Injection Deep-Dive and Indicators of Compromise. This blog details a command injection vulnerability which allows an unauthenticated attacker to access the FortiSIEM server as root to execute arbitrary commands.
Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit - CVE-2024-4323) #LinguisticLumberjack #CloudServices #FluentBit #CVE20244323 #TenableBlog https://www.tenable.com/blog/linguistic-lumberjack-attacking-cloud-services-via-logging-endpoints-fluent-bit-cve-2024-4323
Tenable®
Linguistic Lumberjack: Attacking Cloud Services via Logging Endpoints (Fluent Bit - CVE-2024-4323)
Tenable Research has discovered a critical memory corruption vulnerability dubbed Linguistic Lumberjack in Fluent Bit, a core component in the monitoring infrastructure of many cloud services.
New SamsStealer Malware Targets Passwords in Windows Systems #SamsStealer #Malware #WindowsSystems #CYFIRMA #DataBreaches https://cyberinsider.com/new-samsstealer-malware-targets-passwords-in-windows-systems/
CyberInsider
New SamsStealer Malware Targets Passwords in Windows Systems
CYFIRMA researchers have identified a new information-stealing malware named "SamsStealer" that targets Windows systems.
Response Filter Denial of Service (RFDoS): shut down a website by triggering WAF rule #RFDoS #WebsiteShutdown #WAFRule #ResponseFilter #DenialofService https://blog.sicuranext.com/response-filter-denial-of-service-a-new-way-to-shutdown-a-website/
Sicuranext Blog
Response Filter Denial of Service (RFDoS): shut down a website by triggering WAF rule
TL;DR: Basically, if a target website is protected by a WAF using the OWASP Core Rule Set or Comodo Rule Set or Atomicorp Rule Set, you can send the string ORA-1234 or OracleDrive or ASL-CONFIG-FILE in a comment, product review, registration form, e-commerce…
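The mechanism behind RFDoS, as an added illustration that is not code from the Sicuranext post: a WAF response filter inspects every outbound page body for error-leak signatures, so one stored comment containing a trigger string causes the WAF to block that page for every visitor. The regex below is an assumed approximation built only from the strings the post names, not the actual CRS, Comodo or Atomicorp rule; the comment app, `Response` type and function names are constructed for the example.

```python
import html
import re
from dataclasses import dataclass, field

# Assumed approximation of a "SQL information leakage" outbound rule, built
# from the trigger strings the post names (ORA-1234, OracleDrive,
# ASL-CONFIG-FILE). It is NOT the real rule-set regex.
LEAKAGE_RE = re.compile(r"\bORA-\d{4,5}\b|OracleDrive|ASL-CONFIG-FILE")


@dataclass
class Response:
    status: int
    body: str


def response_filter(resp: Response) -> Response:
    """Simulated WAF outbound filter: block any response whose body matches a
    leakage signature, no matter whether the text came from the database
    engine or from a user-supplied comment."""
    if LEAKAGE_RE.search(resp.body):
        return Response(403, "Forbidden")
    return resp


@dataclass
class CommentApp:
    """Constructed stand-in for a site with user-generated content."""
    comments: list = field(default_factory=list)

    def post_comment(self, text: str) -> None:
        self.comments.append(text)

    def render(self) -> Response:
        # Output encoding stops XSS, but it leaves "ORA-1234" untouched,
        # so it offers no protection against the response filter.
        items = "".join(f"<li>{html.escape(c)}</li>" for c in self.comments)
        return Response(200, f"<html><body><ul>{items}</ul></body></html>")


def visit(app: CommentApp) -> Response:
    """What an ordinary visitor sees: the rendered page after the WAF."""
    return response_filter(app.render())


def demo_rfdos() -> tuple:
    """One poisoned review takes the page down for everyone."""
    app = CommentApp()
    app.post_comment("Nice product")
    before = visit(app).status          # 200: page served normally
    app.post_comment("Great price, but I got ORA-1234 at checkout")
    after = visit(app).status           # 403: every later visitor is blocked
    return before, after


class HardenedCommentApp(CommentApp):
    """Application-side stopgap: refuse to store text that would trip the
    outbound signature, so a single record cannot poison the page."""

    def post_comment(self, text: str) -> None:
        if LEAKAGE_RE.search(text):
            raise ValueError("comment matches a response-filter signature")
        super().post_comment(text)


def demo_hardened() -> tuple:
    app = HardenedCommentApp()
    app.post_comment("Nice product")
    rejected = False
    try:
        app.post_comment("ORA-1234")
    except ValueError:
        rejected = True
    return rejected, visit(app).status  # (True, 200)


if __name__ == "__main__":
    print("vulnerable app (status before, after):", demo_rfdos())
    print("hardened app (rejected, status):", demo_hardened())
```

The input-side check is only a stopgap: the proper fix lives in the WAF, by excluding response-body leakage rules on paths that echo user content or by disabling them where the backend cannot leak database errors. Screening every matching string at submission time also rejects legitimate posts that merely quote an error code.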
CVE-2024-4367 – Arbitrary JavaScript execution in PDF.js #JavaScript #CVE-2024-4367 #ArbitraryExecution https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
codeanlabs
CVE-2024-4367 - Arbitrary JavaScript execution in PDF.js - Codean Labs
A vulnerability in PDF.js found by Codean Labs. PDF.js is a JavaScript-based PDF viewer maintained by Mozilla. This bug allows an attacker to execute arbitrary JavaScript code as soon as a malicious PDF file is opened. This affects all Firefox users (
Abusing url handling in iTerm2 and Hyper for code execution #TerminalEscapeSequences #iTerm2 #Hyper #Vulnerabilities #CodeExecution https://vin01.github.io/piptagole/escape-sequences/iterm2/hyper/url-handlers/code-execution/2024/05/21/arbitrary-url-schemes-terminal-emulators.html
Vin01’s Blog
Abusing url handling in iTerm2 and Hyper for code execution
What are escape sequences
Heap overflow in WebRtcAudioSink #Chromium https://issues.chromium.org/issues/41485743
Remote Desktop Protocol: The Series #RDP #IncidentResponse #RemoteDesktopProtocol #Cybersecurity #SophosNews https://news.sophos.com/en-us/2024/03/20/remote-desktop-protocol-the-series/
Sophos News
Remote Desktop Protocol: The Series
What is RDP, why is it a very nearly ubiquitous finding in incident response, and how can investigators run it to ground when it goes wrong? An Active Adversary Special Report.
Foxit PDF “Flawed Design” Exploitation #FoxitPDFexploitation #CheckPointResearch #PDFsecurity #maliciousPDF #threatintelligence https://research.checkpoint.com/2024/foxit-pdf-flawed-design-exploitation/
Check Point Research
Foxit PDF “Flawed Design” Exploitation - Check Point Research
Check Point Research has identified an unusual pattern of behavior involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive unsuspecting users into executing harmful commands. Check Point…
Random thoughts on physical security measures #PhysicalSecurity #AlarmBypass #Reconnaissance #CableVulnerabilities #SeeThroughWalls https://diablohorn.com/2024/05/21/random-thoughts-on-physical-security-measures/
DiabloHorn
Random thoughts on physical security measures
Lately, I’ve been drawn to do some desk research and limited hands-on testing of physical security measures. I’ve written about this subject before, you can find the article here. Howev…
Persistence Techniques That Persist #CyberArk #IdentitySecurity #RegistryPersistence #ThreatResearch #PersistenceTechniques https://www.cyberark.com/resources/threat-research-blog/persistence-techniques-that-persist
Cyberark
Persistence Techniques That Persist
Abstract Once threat actors gain a foothold on a system, they must implement techniques to maintain that access, even in the event of restarts, updates in credentials or any other type of change...