Abusing Windows’ Implementation of Fork() for Stealthy Memory Operations https://billdemirkapi.me/abusing-windows-implementation-of-fork-for-stealthy-memory-operations/?s=09
Bill Demirkapi's Blog
Note: Another researcher recently tweeted about the technique discussed in this blog post, this is addressed in the last section of the blog (warning, spoilers!). To access information about a running process, developers generally have to open a handle to…
Exploiting OAuth: Journey to Account Takeover https://blog.dixitaditya.com/2021/11/19/account-takeover-chain.html
Nice analysis of the low-level details of the x86 assembly behind memset/memcpy https://twitter.com/nadavrot/status/1464364562409422852?t=xuCmg9OLp5gy7wdzdVKKIg&s=09
Nadav Rotem
I spent some time optimizing memset and memcpy in x86 assembly. Here are a few interesting things about memset and memcpy. 1/
CONTInuing the Bazar Ransomware Story https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/
The DFIR Report
In this report we will discuss a case from early August where we witnessed threat actors utilizing BazarLoader and Cobalt Strike to accomplish their mission of encrypting systems with Conti ransomware.
ScarCruft surveilling North Korean defectors and human rights activists https://securelist.com/scarcruft-surveilling-north-korean-defectors-and-human-rights-activists/105074/
Securelist
The ScarCruft group (also known as APT37 or Temp.Reaper) is a nation-state sponsored APT actor. Recently, we had an opportunity to perform a deeper investigation on a host compromised by this group.
The Water Bear that Wasn’t: Tardigrade https://medium.com/@semisi.ganon/the-water-bear-that-wasnt-tardigrade-6d3ed4d8e86b
In mid November 2021 the world’s tech commentators including Wired, The Washington Post, Bleeping Computer and Tripwire lit up with news of…
POC of Linux Kernel TIPC remote code execution (CVE-2021-43267) flaw has been disclosed https://securityonline.info/cve-2021-43267-poc/
Daily CyberSecurity
A proof of concept for the Linux kernel TIPC remote code execution vulnerability (CVE-2021-43267) has been disclosed; the flaw is rated as serious.
Discovering Full Read SSRF in Jamf (CVE-2021-39303 & CVE-2021-40809) https://blog.assetnote.io/2021/11/30/jamf-ssrf/
An Illustrated Guide to Elliptic Curve Cryptography Validation https://research.nccgroup.com/2021/11/18/an-illustrated-guide-to-elliptic-curve-cryptography-validation/
Nice write-up (in Korean): VirtualBox 6.1.18 (former) 0-day http://blog.howdays.kr/index.php/2021/11/26/virtualbox-6-1-18-0-day/
What does APT Activity Look Like on macOS? https://themittenmac.com/what-does-apt-activity-look-like-on-macos/
The Mitten Mac
I often get asked what Advanced Persistent Activity (APT) or nation state hacking looks like on a macOS system. This is a great question and the answer is no
Tracking a P2P network related to TA505 https://research.nccgroup.com/2021/12/01/tracking-a-p2p-network-related-with-ta505/
This shouldn't have happened: A vulnerability postmortem https://googleprojectzero.blogspot.com/2021/12/this-shouldnt-have-happened.html
Posted by Tavis Ormandy, Project Zero. This is an unusual blog post. I normally write posts to highlight some hidden attack surface or interest...
Popping iOS <=14.7 with IOMFB https://jsherman212.github.io/2021/11/28/popping_ios14_with_iomfb.html
Justin’s Blog
During the last two weeks of my summer (as of writing, summer 2021), I decided to try and take a crack at iOS 14 kernel exploitation with the IOMobileFramebuffer OOB pointer read (CVE-2021-30807). Unfortunately, a couple days after I moved back into school…
Our whole team wishes you and yours a Happy New Year! ❤️
The Re-Emergence of Emotet https://www.deepinstinct.com/blog/the-re-emergence-of-emotet
Deep Instinct
Emotet, the malware botnet, has resurfaced after almost 10 months. The operation was originally taken down by multiple international law enforcement agencies this past January. These agencies took control of the infrastructure and scheduled an un-installation…
Unpacking and decryption tools for the Emotet malware https://github.com/deepinstinct/DeMotet
Protecting Windows Credentials against Network Attacks https://securitycafe.ro/2021/12/02/protecting-windows-credentials-against-network-attacks/
Security Café
Over the years I’ve seen a lot of misconfigurations or a lack of configurations when it comes to protecting Windows credentials, hashes or Kerberos tickets. The main difficulty here comes fro…
Impact of an Insecure Deep Link https://securityflow.io/impact-of-an-insecure-deep-link/