#Threat_Research
1. RCE bug in JWT Secret Poisoning (CVE-2022-23529)
https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerability-cve-2022-23529
2. Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic
3. Navigating the Vast Ocean of Sandbox Evasions
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection
1. RCE bug in JWT Secret Poisoning (CVE-2022-23529)
https://unit42.paloaltonetworks.com/jsonwebtoken-vulnerability-cve-2022-23529
2. Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security
https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic
3. Navigating the Vast Ocean of Sandbox Evasions
https://unit42.paloaltonetworks.com/sandbox-evasion-memory-detection
Unit 42
Security Issue in JWT Secret Poisoning (Updated)
We discovered a new high-severity vulnerability (CVE-2022-23529) in the popular JsonWebToken open source project.
⚡1
Forwarded from Cyber security intelligent program
🕵️♂️StrongPity espionage campaign targeting Android users
ESET researchers identified an active campaign that we have attributed to the StrongPity APT group. Active since November 2021, the campaign has distributed a malicious app through a website impersonating Shagle – a random-video-chat service that provides encrypted communications between strangers. Unlike the entirely web-based, genuine Shagle site that doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download and no web-based streaming is possible.
ESET researchers identified an active campaign that we have attributed to the StrongPity APT group. Active since November 2021, the campaign has distributed a malicious app through a website impersonating Shagle – a random-video-chat service that provides encrypted communications between strangers. Unlike the entirely web-based, genuine Shagle site that doesn’t offer an official mobile app to access its services, the copycat site only provides an Android app to download and no web-based streaming is possible.
📡Совсем скоро будет представлена эффективная и безопасная система система AARTOS DDS для обнаружения дронов, причем есть защита, которая подбирается индивидуально под заказчика. Сие чуда будет показано на выставке Perimeter Protection с 17 по 19 января 2023 года
Forwarded from 卩ro 爪Cracker
SpyDialer
Free search contact information by phone number, name, address or email.
Even shows the names of the neighbors, but the information displayed by the service requires additional verification.
https://spydialer.com
#osint #humint #usa
Free search contact information by phone number, name, address or email.
Even shows the names of the neighbors, but the information displayed by the service requires additional verification.
https://spydialer.com
#osint #humint #usa
Forwarded from 卩ro 爪Cracker
When searching for geolocation information, don't forget to check the whois. At https://iqwhois.com/advanced-search STREET name you can find all the sites registered to people who live there.
It's possible also search by city and zip code.
#osint #geoint
It's possible also search by city and zip code.
#osint #geoint
Forwarded from 卩ro 爪Cracker
A new feature in*huntintel.io:
1. Open Instagram Username Search Tool
2. Enter the name of the account.
3. Wait (if you think you are waiting too long, refresh the page)
4. See the geotagged user's posts on the world map!
1 month/1 check a day free (code CYBER100)
1. Open Instagram Username Search Tool
2. Enter the name of the account.
3. Wait (if you think you are waiting too long, refresh the page)
4. See the geotagged user's posts on the world map!
1 month/1 check a day free (code CYBER100)
Forwarded from 卩ro 爪Cracker
Secret Handshake
A prototype malware C2 channel using x509 certificates over mTLS
I always wondered if threat actors ever used x509 certificates as part of their C2 communication, not to encrypt the network traffic but to actually embed the C2 communication in the x509 cert. After searching for something like this in the wild for 5 years I finally decided to just code it myself to see if it's possible...it is
https://github.com/jconwell/secret_handshake
#malware
A prototype malware C2 channel using x509 certificates over mTLS
I always wondered if threat actors ever used x509 certificates as part of their C2 communication, not to encrypt the network traffic but to actually embed the C2 communication in the x509 cert. After searching for something like this in the wild for 5 years I finally decided to just code it myself to see if it's possible...it is
https://github.com/jconwell/secret_handshake
#malware
YouTube
Secret Handshake
Secret Handshake
A prototype malware C2 channel using x509 certificates over mTLS
I always wondered if threat actors ever used x509 certificates as part of their C2 communication, not to encrypt the network traffic but to actually embed the C2 communication…
A prototype malware C2 channel using x509 certificates over mTLS
I always wondered if threat actors ever used x509 certificates as part of their C2 communication, not to encrypt the network traffic but to actually embed the C2 communication…
❤1
Forwarded from 卩ro 爪Cracker
Exfiltration Over a Blocked Port on a Next-Gen Firewall
https://ift.tt/fUmqaGz
Submitted January 12, 2023 at 02:37PM by cuptugout
via reddit https://ift.tt/OtUCM2b
https://ift.tt/fUmqaGz
Submitted January 12, 2023 at 02:37PM by cuptugout
via reddit https://ift.tt/OtUCM2b
Cymulate
Exfiltration Over a Blocked Port on a Next-Gen Firewall
How Does Cymulate Assess for Data Exfiltration? Learn more in this blog post by security advisor David Kellerman.
⚡1
❤1👍1🏆1
#Offensive_security
1. SMB "Access is denied" caused by anti-NTLM relay protection
https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntlm-relay-protection-659c60089895
2. Implementation of Persistence via Recycle Bin by adding "open\command" subkey to the "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell" key and changing its value to the implant path
https://github.com/D1rkMtr/RecyclePersist
3. Vulnerabilities on redirected•com
https://dhakalbibek.medium.com/2022-a-year-of-fascinating-discoveries-d3277dfb006f
1. SMB "Access is denied" caused by anti-NTLM relay protection
https://medium.com/tenable-techblog/smb-access-is-denied-caused-by-anti-ntlm-relay-protection-659c60089895
2. Implementation of Persistence via Recycle Bin by adding "open\command" subkey to the "HKCR\CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\shell" key and changing its value to the implant path
https://github.com/D1rkMtr/RecyclePersist
3. Vulnerabilities on redirected•com
https://dhakalbibek.medium.com/2022-a-year-of-fascinating-discoveries-d3277dfb006f
Medium
SMB “Access is denied” Caused by Anti-NTLM Relay Protection
Explanations of the “Microsoft network server: Server SPN target name validation level” hardening policy: what it does, how to…
#Threat_Research
Open-source Cobalt Strike stager decoder
https://stairwell.com/news/stairwell-releases-open-source-cobalt-strike-stager-decoder
]-> https://github.com/stairwell-inc/cobalt-strike-stager-parser
Open-source Cobalt Strike stager decoder
https://stairwell.com/news/stairwell-releases-open-source-cobalt-strike-stager-decoder
]-> https://github.com/stairwell-inc/cobalt-strike-stager-parser
Apple_vs_EMA.pdf
14 MB
#Research
"Apple vs. EMA: Electromagnetic Side Channel Attacks on Apple CoreCrypto", 2022.
]-> A Potholing Tour in a SoC:
An electromagnetic-wave side-channel issue on ARMv8 AES instructions:
https://eshard.com/posts/sca-attacks-on-armv8
"Apple vs. EMA: Electromagnetic Side Channel Attacks on Apple CoreCrypto", 2022.
]-> A Potholing Tour in a SoC:
An electromagnetic-wave side-channel issue on ARMv8 AES instructions:
https://eshard.com/posts/sca-attacks-on-armv8
#exploit
1. CVE-2023-0210:
Unauthenticated remote DOS in ksmbd NTLMv2 authentication (Linux kernel)
https://seclists.org/oss-sec/2023/q1/4
2. CVE-2022-20452:
Privilege escalation on Android from installed app to system/another app via LazyValue using Parcel after recycle()
https://github.com/michalbednarski/LeakValue
1. CVE-2023-0210:
Unauthenticated remote DOS in ksmbd NTLMv2 authentication (Linux kernel)
https://seclists.org/oss-sec/2023/q1/4
2. CVE-2022-20452:
Privilege escalation on Android from installed app to system/another app via LazyValue using Parcel after recycle()
https://github.com/michalbednarski/LeakValue
seclists.org
oss-sec: Linux kernel: Unauthenticated remote DOS in ksmbd NTLMv2 authentication
#tools
#Malware_analysis
#Blue_Team_Techniques
Automating Malware Analysis Operations (MAOps)
https://blogs.jpcert.or.jp/en/2023/01/cloud_malware_analysis.html
]-> Malware C2 Monitoring:
https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC
]-> Malware Hunting using Cloud:
https://github.com/JPCERTCC/CobaltStrike-Config
]-> YARA CI/CD system:
https://github.com/JPCERTCC/HUILoader-research
]-> Surface Analysis System on Cloud:
https://github.com/JPCERTCC/SurfaceAnalysis-on-Cloud
]-> Memory Forensic on Cloud:
https://github.com/JPCERTCC/MemoryForensic-on-Cloud
#Malware_analysis
#Blue_Team_Techniques
Automating Malware Analysis Operations (MAOps)
https://blogs.jpcert.or.jp/en/2023/01/cloud_malware_analysis.html
]-> Malware C2 Monitoring:
https://github.com/JPCERTCC/Lucky-Visitor-Scam-IoC
]-> Malware Hunting using Cloud:
https://github.com/JPCERTCC/CobaltStrike-Config
]-> YARA CI/CD system:
https://github.com/JPCERTCC/HUILoader-research
]-> Surface Analysis System on Cloud:
https://github.com/JPCERTCC/SurfaceAnalysis-on-Cloud
]-> Memory Forensic on Cloud:
https://github.com/JPCERTCC/MemoryForensic-on-Cloud
JPCERT/CC Eyes
Automating Malware Analysis Operations (MAOps) - JPCERT/CC Eyes
I believe that automating analysis is a challenge that all malware analysts are working on for more efficient daily incident investigations. Cloud-based technologies (CI/CD, serverless, IaC, etc.) are great solutions that can automate MAOps efficiently. In…
#reversing
#IoT_Security
Reversing embedded device bootloader (U-Boot)
Part 1: https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1
Part 2: https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.2
#IoT_Security
Reversing embedded device bootloader (U-Boot)
Part 1: https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.1
Part 2: https://www.shielder.com/blog/2022/03/reversing-embedded-device-bootloader-u-boot-p.2
Shielder
Shielder - Reversing embedded device bootloader (U-Boot) - p.1
In the course of these two articles, we will share an analysis of some aspects of reversing a low-level binary.
Forwarded from ㅤㅤㅤㅤㅤㅤ ㅤㅤㅤㅤㅤㅤ
Linux sysadmins, beware!
Hackers are exploiting a critical RCE vulnerability in Control Web Panel (CWP) to gain elevated privileges on web servers.
Read: https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
Patch your servers ASAP!
Hackers are exploiting a critical RCE vulnerability in Control Web Panel (CWP) to gain elevated privileges on web servers.
Read: https://thehackernews.com/2023/01/alert-hackers-actively-exploiting.html
Patch your servers ASAP!