From Windows drivers to a almost fully working EDR #LearningThroughExperimentations #WindowsKernelDriver #EDRCallbacks #SSDT https://blog.whiteflag.io/blog/from-windows-drivers-to-a-almost-fully-working-edr/
blog.whiteflag.io
From Windows drivers to a almost fully working EDR
In this article we will see how Windows drivers work, how to create one and, in the end, we will develop a custom EDR that will rely on kernel callback functions, static analysis and API hooking.
Issue 2547: Telegram for Android: Use-after-free in Connection::onReceivedData https://bugs.chromium.org/p/project-zero/issues/detail?id=2547
There is no fix for Intel’s crashing 13th and 14th Gen CPUs — any damage is permanent #IntelCPUcrash #PermanentDamage #NoRecall #BiosUpdate #InvisibleDegradation https://www.theverge.com/2024/7/26/24206529/intel-13th-14th-gen-crashing-instability-cpu-voltage-q-a
The Verge
There is no fix for Intel’s crashing 13th and 14th Gen CPUs — any damage is permanent
We got some answers from Intel, and more are on the way.
CVE-2021-4440: A Linux CNA Case Study #LinuxCNA #CVE2021-4440 #LinuxKernel #VulnerabilityManagement https://grsecurity.net/cve-2021-4440_linux_cna_case_study
grsecurity.net
grsecurity - CVE-2021-4440: A Linux CNA Case Study
This blog serves as a case study into how the newly-formed Linux CNA (CVE Numbering Authority) has affected Linux kernel vulnerability management, through the mishandling of a vulnerability we reported this year in the upstream 5.10 LTS kernel.
Onyx Sleet uses array of malware to gather intelligence for North Korea #RiskIQ #CommunityEdition #Cybersecurity #ThreatIntelligence #FreeProtection https://community.riskiq.com/article/31828df1
Engineering Learnings from the CrowdStrike Falcon Outage #EngineeringLearnings #CrowdStrikeOutage #PreventionThroughEngineering #EngineeringCultures #TestingPractices https://mazinahmed.net/blog/crowdstrike-incident-engineering-learnings/
Mazin Ahmed
Engineering Learnings from the CrowdStrike Falcon Outage
CVE-2023-42929: Why do we need the App Container Protection #CVE2023-42929 #AppContainerProtection #SecurityVulnerability #ApplePatch #BypassMethods https://jhftss.github.io/CVE-2023-42929-Why-Do-We-Need-The-App-Container-Protection/
jhftss.github.io
CVE-2023-42929: Why do we need the App Container Protection
Starting with macOS Sonoma 14.0, Apple has introduced a new TCC category kTCCServiceSystemPolicyAppData to protect the App Container Data. This is designed to address one of my reports (aka CVE-2023-42929):
UNC4393 Goes Gently into the SILENTNIGHT #UNC4393 #Silentnight #Ransomware #Malware #Extortion https://cloud.google.com/blog/topics/threat-intelligence/unc4393-goes-gently-into-silentnight
Google Cloud Blog
UNC4393 Goes Gently into the SILENTNIGHT | Google Cloud Blog
We detail the evolution of UNC4393's operational tactics and malware usage throughout its active lifespan.
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption #RansomwareOperators #ESXiVulnerability #MicrosoftSecurityBlog #MassEncryption #HypervisorVulnerability https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
Microsoft News
Ransomware operators exploit ESXi hypervisor vulnerability for mass encryption
Microsoft Security researchers have observed a vulnerability used by various ransomware operators to get full administrative access to domain-joined ESXi hypervisors and encrypt the virtual machines running on them. The vulnerability involves creating a group…
From Limited file read to full access on Jenkins (CVE-2024-23897) #JenkinsVulnerability #CVE202423897 #RedTeam #BinaryFileRead #BruteForceDecryption https://xphantom.nl/posts/crypto-attack-jenkins/
Ahmed Sherif
From Limited file read to full access on Jenkins (CVE-2024-23897)
TL;DR:
DeadPotato: DeadPotato is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from the original GodPotato source code by BeichenDream. #DeadPotato #Windows #PrivilegeEscalation #SeImpersonate #CustomizedCode https://github.com/lypd0/DeadPotato
GitHub
GitHub - lypd0/DeadPotato: DeadPotato is a windows privilege escalation utility from the Potato family of exploits, leveraging…
DeadPotato is a windows privilege escalation utility from the Potato family of exploits, leveraging the SeImpersonate right to obtain SYSTEM privileges. This script has been customized from ...
Windows AppLocker Driver LPE Vulnerability – CVE-2024-21338 #WindowsAppLocker #DriverLPEVulnerability #CVE202421338 #Crowdfense #ExploitCode https://www.crowdfense.com/windows-applocker-driver-lpe-vulnerability-cve-2024-21338/
Crowdfense
Windows AppLocker Driver LPE Vulnerability - CVE-2024-21338 - Crowdfense
In-depth analysis of CVE-2024-21338, a Windows Kernel Elevation of Privileges vulnerability, its root cause, exploitation challenges and POC
Bypassing Rockwell Automation Logix Controllers’ Local Chassis Security Protection #RockwellAutomation #LocalChassisSecurity #Vulnerability #CIPRouting #SecurityBypass https://claroty.com/team82/research/bypassing-rockwell-automation-logix-controllers-local-chassis-security-protection
Claroty
Bypassing Rockwell Automation Logix Controllers’ Local Chassis Security Protection
Team82 has uncovered a security bypass vulnerability in a Rockwell Automation ControlLogix 1756 local chassis security feature called the trusted slot, which is designed to deny untrusted communication from untrusted network cards on the chassis plane.
SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea #SideWinder #ThreatHunting #Espionage #Cybersecurity #MediterraneanSea https://blogs.blackberry.com/en/2024/07/sidewinder-targets-ports-and-maritime-facilities-in-the-mediterranean-sea
BlackBerry
SideWinder Utilizes New Infrastructure to Target Ports and Maritime Facilities in the Mediterranean Sea
As part of our continuous threat hunting efforts, the BlackBerry Threat Research and Intelligence team has discovered a new campaign by the threat actor SideWinder, targeting ports and maritime facilities in the Indian Ocean and Mediterranean Sea.
Pumping Iron on the Musl Heap – Real World CVE-2022-24834 Exploitation on an Alpine mallocng Heap #NCCGroup #RealWorldCVE #SecurityResearch #ThreatAdvisory https://research.nccgroup.com/2024/06/11/pumping-iron-on-the-musl-heap-real-world-cve-2022-24834-exploitation-on-an-alpine-mallocng-heap/
Nccgroup
Cyber Security Research
Cutting-edge cyber security research from NCC Group. Find public reports, technical advisories, analyses, & other novel insights from our global experts.
Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit #SinglePacketAttack #SequenceSync #LimitOverrun #SecurityResearch #ExploitDetection https://flatt.tech/research/posts/beyond-the-limit-expanding-single-packet-race-condition-with-first-sequence-sync/
GMO Flatt Security Research
Beyond the Limit: Expanding single-packet race condition with a first sequence sync for breaking the 65,535 byte limit
Introduction
Hello, I’m RyotaK (@ryotkak), a security engineer at Flatt Security Inc. In 2023, James Kettle of PortSwigger published an excellent paper titled Smashing the state machine: the true potential of web race conditions. In the paper, he introduced…
Let’s Go into the rabbit hole (part 2) — the challenges of dynamically hooking Golang programs #GolangDynamicHooking #RuntimeHooking #ForeignFunctionInterface #CGO #QuarkslabBlog https://blog.quarkslab.com/lets-go-into-the-rabbit-hole-part-2-the-challenges-of-dynamically-hooking-golang-program.html
Quarkslab
Let’s Go into the rabbit hole (part 2) — the challenges of dynamically hooking Golang programs - Quarkslab's blog
Golang is the most used programming language for developing cloud technologies. Tools such as Kubernetes, Docker, Containerd and gVisor are written in Go. Despite the fact that the code of these programs is open source, there is no way to analyze and extend…
Pixel_GPU_Exploit: Android 14 kernel exploit for Pixel7/8 Pro #GitHub #Pixel_GPU_Exploit #Android #Kernel #Vulnerabilities https://github.com/0x36/Pixel_GPU_Exploit
GitHub
GitHub - 0x36/Pixel_GPU_Exploit: Android 14 kernel exploit for Pixel7/8 Pro
Android 14 kernel exploit for Pixel7/8 Pro. Contribute to 0x36/Pixel_GPU_Exploit development by creating an account on GitHub.
prctl anon_vma_name: An Amusing Linux Kernel Heap Spray #LinuxKernelHeapSpray #prctlAnonVMAName #HeapSprayTechniques #KernelPwnCTF #STARLabs https://starlabs.sg/blog/2023/07-prctl-anon_vma_name-an-amusing-heap-spray/
STAR Labs
prctl anon_vma_name: An Amusing Linux Kernel Heap Spray
TLDR prctl PR_SET_VMA (PR_SET_VMA_ANON_NAME) can be used as a (possibly new!) heap spray method targeting the kmalloc-8 to kmalloc-96 caches. The sprayed object, anon_vma_name, is dynamically sized, and can range from larger than 4 bytes to a maximum of 84…