Mespinoza Ransomware Gang Calls Victims “Partners,” Attacks with Gasket, "MagicSocks" Tools https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/
Unit 42
The Gasket and MagicSocks tools were used in an attack that delivered the Mespinoza ransomware (also known as PYSA)...other tools were discovered to facilitate latter parts of the attacks.
When coin miners evolve, Part 1: Exposing LemonDuck and LemonCat, modern mining malware infrastructure https://www.microsoft.com/security/blog/2021/07/22/when-coin-miners-evolve-part-1-exposing-lemonduck-and-lemoncat-modern-mining-malware-infrastructure/
Microsoft News
LemonDuck, an actively updated and robust malware that’s primarily known for its botnet and cryptocurrency mining objectives, adopted more sophisticated behavior and escalated its operations. Today, beyond using resources for its traditional bot and mining…
WebContent->EL1 LPE: OOBR in AppleCLCD / IOMobileFrameBuffer https://saaramar.github.io/IOMobileFrameBuffer_LPE_POC/
New PetitPotam attack allows take over of Windows domains https://www.bleepingcomputer.com/news/microsoft/new-petitpotam-attack-allows-take-over-of-windows-domains/
BleepingComputer
A new NTLM relay attack called PetitPotam has been discovered that allows threat actors to take over a domain controller, and thus an entire Windows domain.
UAC bypass through Trusted Folder abuse https://redteamer.tips/uac-bypass-through-trusted-folder-abuse/
New PetitPotam NTLM Relay Attack Lets Hackers Take Over Windows Domains https://thehackernews.com/2021/07/new-petitpotam-ntlm-relay-attack-lets.html
TRIDROID - Android Application Exploitation https://fineas.github.io/FeDEX/post/tridroid.html
Windows Command-Line Obfuscation https://www.wietzebeukema.nl/blog/windows-command-line-obfuscation
www.wietzebeukema.nl
Many Windows applications have multiple ways in which the same command line can be expressed, usually for compatibility or ease-of-use reasons. As a result, command-line arguments are implemented inconsistently, making detecting specific commands harder due…
CVE-2021-3122 | How We Caught a Threat Actor Exploiting NCR POS Zero Day https://www.sentinelone.com/blog/cve-2021-3122-how-we-caught-a-threat-actor-exploiting-ncr-pos-zero-day/
SentinelOne
Read how this IR team discovered a zero day in popular Aloha Point of Sale software while engaging with a threat actor compromising a live system.
A case against security nihilism https://blog.cryptographyengineering.com/2021/07/20/a-case-against-security-nihilism/
A Few Thoughts on Cryptographic Engineering
This week a group of global newspapers is running a series of articles detailing abuses of NSO Group’s Pegasus spyware. If you haven’t seen any of these articles, they’re worth re…
Sequoia: A Local Privilege Escalation Vulnerability in Linux’s Filesystem Layer (CVE-2021-33909) https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909
Qualys
The Qualys Research Team has discovered a size_t-to-int type conversion vulnerability in the Linux Kernel’s filesystem layer affecting most Linux operating systems. Any unprivileged user can gain root…
CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/
SentinelOne
A high severity flaw in HP, Samsung and Xerox printer drivers has existed since 2005 and could lead to an escalation of privilege.
Windows Print Spooler Elevation of Privilege vulnerability (CVE-2021-1675) explained https://thalpius.com/2021/07/16/windows-print-spooler-elevation-of-privilege-vulnerability-cve-2021-1675-explained/
Microsoft Security Blog
I guess most of you heard about the Windows Print Spooler Elevation of Privilege vulnerability (CVE-2021-1675) in the last couple of weeks. It is a vulnerability that gives an attacker high privile…
Utilizing .htaccess for exploitation purposes https://blog.0xffff.info/2021/06/23/utilizing-htaccess-for-exploitation-purposes/
0xFFFF@blog:~$
This is the first of a two-part series regarding uses of htaccess for exploitation purposes. I will cover some basic and somewhat well-known methods here, along with a few lesser known me…
From JavaScript to Kernel - Google CTF 2021 Quals "Full Chain" Writeup https://ptr-yudai.hatenablog.com/entry/2021/07/26/225308
CTFするぞ
I played Google CTF 2021 Quals in zer0pts and I worked on several tasks. In the 6 pwnable challenges I solved during the CTF I liked "Full Chain" the most. This…
Hunting IcedID and unpacking automation with Qiling https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html
VMware Security Blog
In our previous blog post “Detecting IcedID” we provided a global overview of the IcedID threat, its multiple stages and capabilities. This new blog post is focused on how to be proactive and hunt for IcedID DLL components to extract network IOCs. It will…
Portable Executable Injection Study https://malwareunicorn.org/workshops/peinjection.html#0
malwareunicorn.org
This workshop will go over the reverse engineering steps for looking at Cryptowall malware for the purposes of extracting information on the code injection technique in order to replicate for red team operation use.