#Threat_Research
1. Reveal Intrusion Campaign Targeting Telco and BPO Companies
https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies
2. Moobot Uses a Fake Vulnerability (CVE-2022-28958)
https://vulncheck.com/blog/moobot-uses-fake-vulnerability
CrowdStrike.com
Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies
CrowdStrike Services analyzes a recent intrusion campaign targeting telecom and business process outsourcing companies and shares how to defend against this attack.
#Red_Team_Tactics
1. Red Team Notes 2.0
https://dmcxblue.gitbook.io/red-team-notes-2-0
2. Bypassing MFA with the Pass-the-Cookie Attack
https://blog.netwrix.com/2022/11/29/bypassing-mfa-with-pass-the-cookie-attack
3. RCE via SSTI on Spring Boot Error Page with Akamai WAF Bypass
https://h1pmnh.github.io/post/writeup_spring_el_waf_bypass
dmcxblue.gitbook.io
Introduction | Red Team Notes 2.0
#tools
#Offensive_security
GOAD (Game Of Active Directory)
Part 1 - 5:
Part 6 - ADCS
https://mayfly277.github.io/posts/GOADv2-pwning-part6
Part 7 - MSSQL
https://mayfly277.github.io/posts/GOADv2-pwning-part7
Part 8 - Privilege escalation
https://mayfly277.github.io/posts/GOADv2-pwning-part8
Part 9 - Lateral move
https://mayfly277.github.io/posts/GOADv2-pwning-part9
Part 10 - Delegations
https://mayfly277.github.io/posts/GOADv2-pwning-part10
Part 11 - ACL
https://mayfly277.github.io/posts/GOADv2-pwning-part11
]-> GOAD (ver. 2) Tool: https://mayfly277.github.io/posts/GOADv2
Mayfly
GOAD - part 6 - ADCS
In the previous post (Goad pwning part5) we tried some attacks with a user account on the domain. In this part we will try attacks when ADCS is set up in the domain. First we will use PetitPotam unauthenticated and the ESC8 attack to get domain admin on essos.local…
#Research
"Reinforcement Learning-aided Dynamic Analysis of Evasive Malware" 2022.
#exploit
1. CVE-2022-2414:
XXE in pki-core
https://github.com/amitlttwo/CVE-2022-2414-Proof-Of-Concept
2. CVE-2022-41057:
Windows: HTTP.SYS Kerberos PAC Verification Bypass EoP
https://bugs.chromium.org/p/project-zero/issues/detail?id=2346
3. CVE-2022-44638:
Integer overflow in pixman_sample_floor_y leads to heap out-of-bounds write
https://bugs.chromium.org/p/project-zero/issues/detail?id=234
GitHub
GitHub - amitlttwo/CVE-2022-2414-Proof-Of-Concept: A flaw was found in pki-core. Access to external entities when parsing XML documents…
A flaw was found in pki-core. Access to external entities when parsing XML documents can lead to XML external entity (XXE) attacks. This flaw allows a remote attacker to potentially retrieve the co...
#Analytics
#Malware_analysis
1. Top 10 macOS Malware Discoveries in 2022
https://www.sentinelone.com/blog/top-10-macos-malware-discoveries-in-2022
2. Technical Analysis of DanaBot Obfuscation Techniques
https://www.zscaler.com/blogs/security-research/technical-analysis-danabot-obfuscation-techniques
SentinelOne
Top 10 macOS Malware Discoveries in 2022
Learn about all the new malware targeting macOS users in 2022 and how to stay safe from the latest Mac-focused campaigns.
To find XSS bugs in a website
You can follow these steps :👇
➡ Identify every place the application accepts input, not only the visible text boxes, dropdown menus and search boxes: URL query and path parameters, hidden form fields, HTTP headers such as Referer and User-Agent, cookies and uploaded file names.
➡ Submit a unique marker string (a random token) in each input so you can find where it is reflected, then add the metacharacters that matter: < > " ' / and a backslash, plus long strings and unusual encodings to see how the input is handled.
➡ Watch where and how the application reflects your input: in the page body, in an error message, in a search result, inside an HTML attribute value, or inside a <script> block. Reflection alone is not a bug; the question is whether the metacharacters come back unencoded in that context.
➡ If you suspect a particular input is vulnerable, match the payload to the context: < and > to open a new tag in HTML text, the enclosing quote character to break out of an attribute value or a JavaScript string, and </script> where quotes are escaped but a closing tag is not. Also check whether the input is stored and reflected on a later page, or handled only by client-side JavaScript (DOM-based XSS).
➡ If you can make the browser execute script you control (for example a harmless alert, or a callback to a server you operate), you have found an XSS vulnerability; record the exact request, the reflection context and the working payload for the report.
🌟 Keep in mind that finding XSS vulnerabilities requires a combination of technical skill and attention to detail.
• It is also important to test the website carefully and systematically, as some XSS vulnerabilities may be well hidden and difficult to find.
• If you are unsure about how to proceed, you may want to seek help from an experienced security professional.
#bugbounty #bugbountytips #infosec #cybersecurity
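The steps above are the manual loop; what a tester actually wants to automate is the middle of it: finding every reflection of a unique probe and deciding, per context, which metacharacters survived encoding. The script below is an added example, not code from the original post. It builds a marker-wrapped probe, classifies each reflection as HTML text, attribute value or JavaScript string, and reports whether the surviving characters are enough to break out. The four sample responses are constructed for the demo (a correctly encoded page, a raw reflection, an attribute that encodes angle brackets but not quotes, and a JS string that escapes quotes but not "</"); no real site is involved, and the context detection is a heuristic, not a full HTML parser.

```python
from __future__ import annotations

import html
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Metacharacters whose unencoded reflection decides exploitability per context.
PROBE_CHARS = '<>"\'/'


def make_probe(marker: Optional[str] = None) -> str:
    """Build a greppable probe: zz<marker><metachars><marker>zz.

    The marker halves let us find every reflection of *our* input even when the
    page transforms it; whatever sits between them shows which characters survived.
    """
    marker = marker or secrets.token_hex(4)
    return f"zz{marker}{PROBE_CHARS}{marker}zz"


@dataclass
class Reflection:
    offset: int        # where in the body the reflection starts
    context: str       # html | attr:" | attr:' | attr:unquoted | script | script:" | script:'
    survived: str      # metacharacters reflected unencoded (and unescaped in JS)
    exploitable: bool  # enough survived to break out of that context


def _context_at(body: str, pos: int) -> str:
    """Heuristic HTML context of `pos`, judged from the text before it."""
    before = body[:pos]
    opened = len(re.findall(r"<script\b", before, re.I))
    closed = len(re.findall(r"</script\s*>", before, re.I))
    if opened > closed:
        # Inside <script>: an odd number of unescaped quotes since the block
        # started means a string literal is still open.
        js = before[before.lower().rfind("<script"):]
        if len(re.findall(r'(?<!\\)"', js)) % 2:
            return 'script:"'
        if len(re.findall(r"(?<!\\)'", js)) % 2:
            return "script:'"
        return "script"
    last_lt, last_gt = before.rfind("<"), before.rfind(">")
    if last_lt > last_gt:
        # Inside a tag: the attribute quote still open has an odd count.
        tag = before[last_lt:]
        if tag.count('"') % 2:
            return 'attr:"'
        if tag.count("'") % 2:
            return "attr:'"
        return "attr:unquoted"
    return "html"


def _survivors(middle: str, ctx: str) -> str:
    """Metacharacters present in the reflected span.  Inside JavaScript a
    backslash-escaped character is inert, so it does not count there."""
    if ctx.startswith("script"):
        return "".join(c for c in PROBE_CHARS if re.search(r"(?<!\\)" + re.escape(c), middle))
    return "".join(c for c in PROBE_CHARS if c in middle)


def _breaks_out(ctx: str, survived: str) -> bool:
    """Does the surviving set let an attacker leave the current context?"""
    if ctx == "html":
        return "<" in survived and ">" in survived   # open a new tag
    if ctx in ('attr:"', "attr:'"):
        return ctx[-1] in survived                   # close the attribute value
    if ctx == "attr:unquoted":
        return ">" in survived                       # close the tag
    if ctx == "script":
        return True                                  # reflected straight into JS code
    quote = ctx[len("script:"):]
    # Close the string literal, or close the whole block with </script>.
    return quote in survived or ("<" in survived and "/" in survived)


def find_reflections(marker: str, body: str) -> list[Reflection]:
    """Locate and classify every reflection of the probe built from `marker`."""
    head, tail = f"zz{marker}", f"{marker}zz"
    pattern = re.compile(re.escape(head) + r"(.*?)" + re.escape(tail), re.S)
    found = []
    for m in pattern.finditer(body):
        ctx = _context_at(body, m.start())
        surv = _survivors(m.group(1), ctx)
        found.append(Reflection(m.start(), ctx, surv, _breaks_out(ctx, surv)))
    return found


def constructed_responses(marker: str) -> dict[str, str]:
    """Constructed sample responses (not from any real site) for the demo."""
    p = make_probe(marker)
    return {
        # Correct: entity-encoded in HTML text context.
        "encoded_body": f"<p>No results for {html.escape(p)}</p>",
        # Raw reflection in HTML text: classic reflected XSS.
        "raw_body": f"<p>No results for {p}</p>",
        # Angle brackets encoded but quotes untouched inside an attribute value.
        "attr_quote": '<input type="text" name="q" value="'
                      + p.replace("<", "&lt;").replace(">", "&gt;") + '">',
        # JS string: quotes are backslash-escaped but "</" is not, so a literal
        # </script> still closes the block.
        "js_string": '<script>var q = "'
                     + p.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")
                     + '";</script>',
    }


if __name__ == "__main__":
    marker = secrets.token_hex(4)
    for name, body in constructed_responses(marker).items():
        for r in find_reflections(marker, body):
            print(f"{name:13} ctx={r.context:9} survived={r.survived!r:9} exploitable={r.exploitable}")
```

In real testing the bodies come from your HTTP client, one request per input with its own marker; the classifier is the same. The js_string case is the one most often missed by hand: the quotes are escaped, so a quote-based payload fails, but "<" and "/" survive, so "</script><script>…" still works.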
#Offensive_security
1. Loading unsigned Windows drivers without reboot
https://v1k1ngfr.github.io/loading-windows-unsigned-driver
2. Python-Based Crypter That Can Bypass Any Kind of Antivirus Product
https://github.com/machine1337/pycrypt
vegvisir
Loading unsigned Windows drivers without reboot
Loading unsigned Windows drivers without reboot. Dive into gdrv-loader source code.
#exploit
1. Linux Kernel Exploit Development: 1-day case study
https://blog.hacktivesecurity.com/index.php/2022/06/13/linux-kernel-exploit-development-1day-case-study
2. CVE-2021-38003:
Vulnerability in the V8 JavaScript engine (TheHole leak, Chrome before 95.0.4638.69)
https://starlabs.sg/blog/2022/12-the-hole-new-world-how-a-small-leak-will-sink-a-great-browser-cve-2021-38003
3. CVE-2022-41128:
Type confusion in Internet Explorer's JScript9 engine
https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-41128.html
STAR Labs
TheHole New World - how a small leak will sink a great browser (CVE-2021-38003)
Introduction CVE-2021-38003 is a vulnerability that exists in the V8 Javascript engine. The vulnerability affects the Chrome browser before stable version 95.0.4638.69, and was disclosed in October 2021 in google’s chrome release blog, while the bug report…
#Research
"Sniper Backdoor: Single Client Targeted Backdoor Attack in Federated Learning", 2022.
#tools
#Red_Team_Tactics
BlackHat Europe 2022:
Shoggoth - Asmjit Based Polymorphic Shellcode Encryptor
https://github.com/frkngksl/Shoggoth
GitHub
GitHub - frkngksl/Shoggoth: Shoggoth: Asmjit Based Polymorphic Encryptor
Shoggoth: Asmjit Based Polymorphic Encryptor. Contribute to frkngksl/Shoggoth development by creating an account on GitHub.
#WebApp_Security
"WebSpec: Towards Machine-Checked Analysis of Browser Security Mechanisms", 2022.
]-> Tool: https://github.com/secpriv/webspec
#Threat_Research
1. Hooking System Calls in Windows 11 22H2: Avast self-defense bypass via a bug in process-handle copying in the current latest version of Avast Free Antivirus (22.11.6041 build 22.11.7716.762)
https://the-deniss.github.io/posts/2022/12/08/hooking-system-calls-in-windows-11-22h2-like-avast-antivirus.html
2. Kubernetes Threat Matrix v.3
https://www.microsoft.com/en-us/security/blog/2022/12/07/mitigate-threats-with-the-new-threat-matrix-for-kubernetes
the-deniss.github.io
Hooking System Calls in Windows 11 22H2 like Avast Antivirus. Research, analysis and bypass
In this post I’ll show Avast self-defense bypass: how I discovered a new undocumented way to intercept all system calls without a hypervisor and PatchGuard triggered BSOD, and, finally, based on the knowledge gained, implemented a bypass
BlackProxies service is gaining popularity among hackers
⚡️Information-security researchers at DomainTools have found a new residential-proxy marketplace which, according to its advertising, sells access to a million proxy addresses around the world. The researchers warn that BlackProxies is quickly gaining popularity among hackers, phishers, merchants and fraudsters, although its rules supposedly prohibit harmful and illegal activity.
According to the researchers, the appearance of a large platform of this kind is a notable event, considering that over the past couple of years law enforcement agencies have shut down several similar services, including RESNET and INSORG.
The report notes that residential proxies, as a rule, use the IP addresses of ordinary users rather than data-centre address space, which makes them ideal for running shopping bots and for criminals who want to "hide" in ordinary traffic. Sometimes users become proxy nodes voluntarily (for a fee), but more often it happens because their computers, IoT devices and routers are infected with malware.
Cybercriminals generally use residential proxies to make their attacks more effective by hiding from law enforcement and from IP-reputation blocklists.
The BlackProxies operators claim access to a pool of 1,000,000 IP addresses from around the world, all belonging to real users, which they say guarantees the needed unblocking, a low detection rate and good speed. The service also offers automatic rotation that changes the IP address so that every request is made from a new one.
Clients also get a control panel with real-time usage statistics and a REST API, for flexibility and possibly for resale.
BlackProxies pricing is 14 dollars per day, 39 dollars per week or 89 dollars per month (a trial package costs 4.90 dollars).
DomainTools analysts examined the platform and found the claim of a huge IP pool to be false: the service actually has approximately 180,000 available IP addresses. The researchers note that this is still a sizeable pool, significantly larger than what many other platforms and botnets can offer.
The report also notes that one of the service's infrastructure IP addresses was previously linked to other underground platforms.
Bleeping Computer reports that BlackProxies is currently being promoted on hacker forums in threads devoted to credential stuffing attacks and account takeover.
https://www.domaintools.com/resources/blog/purpose-built-criminal-proxy-services-and-the-malicious-activity-they-enable/
Domaintools
Criminal Proxy Services & Malicious Use Cases
As demand for malicious proxy services continues, new players have entered the market. Black Proxies is marketed to other cybercriminals for their reliability, scope, and overwhelming number of IP addresses.