UNDERCODE COMMUNITY
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 From a few days ago: Multi-stage APT attack uses C2 function to reduce Cobalt Strike
#UndercodeNews

1️⃣ Multi-stage APT attack uses C2 function to reduce Cobalt Strike

2️⃣ On June 10, we found a malicious Word document disguised as a resume, which used template injection to delete a Net Loader. This is part of what we think is an APT attack. In the final stage, the threat actor uses Cobalt Strike's C2 feature to download the final payload and perform C2 communication.

3️⃣ The attack was particularly smart because of its evasion techniques. As we observed, there is an intentional delay in executing the payload from the malicious Word macro. In addition, by hiding the shellcode in a harmless JavaScript and loading it without touching the disk, the APT can further avoid security detection.

@UndercodeNews
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Microsoft Edge silently imports Firefox data without permission
#UndercodeNews

> Some users found that the new version of Edge updated to the device through Windows Update will import data from Firefox, even if the user does not authorize Edge to do this.

> According to krankie's description, Microsoft designed some elements in the UI to "deceive and mislead" users. After the system is updated and the Edge installation is complete, Microsoft displays a maximized Edge window to the user, but first it pops up a modal dialog box containing only a "Get Started" button.

> Therefore, the user cannot close Edge directly or close the modal dialog box. The only option is to use the task manager to kill the process. But even if you close it, Edge will be automatically pinned to the taskbar.

> Finally, he also mentioned that the new version of Edge imports data from other browsers without user permission.

"Unless you close it through the task manager instead of performing a forced setting, it will copy the data anyway. The worst thing is that most people will never know what Edge is doing, because they will never open it again."

> In addition, Microsoft will cancel the system's default browser settings, so when the user clicks on a URL, they need to re-select the default browser.

> Microsoft has been silent on this. Therefore, so far, the reason Edge imports Firefox data even though the initial wizard was manually killed by the user is still unknown.

@UndercodeNews
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫6𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Developers added a series of RISC-V UEFI support patches for Linux
#UndercodeNews

> Earlier this year, the UEFI code in Linux was cleaned up, and then a series of early patches for RISC-V UEFI support was proposed to form a more comprehensive patch set for enabling RISC-V UEFI support under Linux. Recently, some developers have submitted a series of patches that solve a large number of problems while adding some new capabilities to support RISC-V UEFI under Linux.

> Developer Atish Patra is from Western Digital. He submitted 11 patches last Thursday. According to his introduction, patches 1-6 are preparatory patches that fix some common efi and riscv issues; patches 7-9 add EFI stub support for RISC-V, which was submitted for review in April; patch 10 renames arm-init so that the foundation can be used in different code; patch 11 adds runtime services for RISC-V.

🦑 To sum up, the main contributions of this series of patches are:

➕ Added full ioremap support.
➕ Added EFI runtime service support.
➕ Fixed the mm problem.

> At present, the patch set has been verified on QEMU using the bootefi command in U-Boot, and has passed testing on both 32-bit and 64-bit RISC-V. However, some problems with the EDK2 code on RISC-V are still being solved, mainly problems related to the SPI and network drivers.

> This series of patches hits the Linux kernel 5.8-rc2 and is still in the PR state, waiting for the code review. If the related issues are resolved and finally accepted, then it should be visible when Linux 5.8 is released.

▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫6𝔬𝓓ⓔ ▄ ▂ ▁
▁ ▂ ▄ U𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Microsoft releases emergency security update to fix security vulnerabilities in Windows 10/Server
#UndercodeNews

> This month's Patch Tuesday is still about two weeks away, but because of security vulnerabilities found in Windows 10 and Windows Server, Microsoft released two emergency security updates today. Microsoft said that although the two vulnerabilities have not been publicly disclosed and are less likely to be exploited by hackers, the company could not wait until the July 14 Patch Tuesday to release the updates.

> Microsoft wrote in a security bulletin: "There is a remote code execution vulnerability in the way Microsoft Windows Codecs Library handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information and further harm the user's system."

> It is reported that the affected versions of Windows include:

Windows 10 version 1709
Windows 10 version 1803
Windows 10 version 1809
Windows 10 version 1903
Windows 10 version 1909
Windows 10 version 2004
Windows Server 2019
Windows Server version 1803
Windows Server version 1903
Windows Server version 1909
Windows Server version 2004

@UndercodeNews
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁