Overkill Security  Because Nothing Says 'Security' Like a Dozen Firewalls and a Biometric Scanner
A blog about all things techy! Not too much hype, just a lot of cool analysis and insight from different sources.

Root Privileges for Dummies: Just Exploit CVE-2024-3400

CVE-2024-3400 (+ url + github url#1, url#2) is a critical command injection vulnerability in Palo Alto Networks' PAN-OS software, specifically in the GlobalProtect feature. It allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on the affected firewall. The vulnerability affects PAN-OS 10.2, 11.0 and 11.1 when a GlobalProtect gateway or GlobalProtect portal is configured.

Initial Discovery and Exploitation:

📌The vulnerability was first identified by Volexity, which observed zero-day exploitation and traced the earliest attempts back to March 26, 2024.

📌The attackers, tracked as UTA0218 and assessed to be state-backed, exploited the vulnerability to gain unauthorized access to firewall devices.

Attack Vector:

📌The vulnerability is exploited through a command injection flaw in the GlobalProtect feature. Attackers manipulate the SESSID cookie to create arbitrary files on the system; the attacker-chosen file name is later picked up by a privileged process and ends up inside a command that runs as root.

📌The attack requires no authentication, which makes it highly dangerous and easy to exploit.


Exploitation Flow:

Step 1: Reconnaissance:

📌Attackers scan for PAN-OS devices configured with a GlobalProtect gateway or portal.

📌They send simple requests that drop zero-byte files on the system to confirm that the device is vulnerable.

Step 2: Initial Exploitation:

📌Attackers send specially crafted requests in which the SESSID cookie value is a filesystem path, causing the device to create a file at that location.

📌Example: Cookie: SESSID=/./././var/appweb/sslvpndocs/global-protect/portal/images/poc.txt. The /./././ prefix normalizes to /var/..., and because that directory is served by the portal, the dropped file can be fetched back over HTTPS to confirm the write.

Step 3: Command Execution:

📌The file created in the previous step is what carries the injection: its attacker-controlled name is later embedded in a shell command that the device runs as root, so a crafted name executes arbitrary commands with root privileges.

📌Attackers establish a reverse shell and install additional tooling, such as the custom Python backdoor UPSTYLE, to maintain persistent access.

Step 4: Post-Exploitation:

📌Attackers exfiltrate sensitive data, including the firewall's running configuration and credentials.

📌They may also use the compromised device to move laterally within the network and target other systems.
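A detection-side check for the file-drop primitive in Step 2, added here as an example (it is not from the original post or from any Palo Alto tooling): it scans request records for a SESSID cookie that, once percent-decoded and path-normalised, is a filesystem path instead of an opaque token. The request lines, the hipreport.esp URI and the rule that a legitimate session id never contains a slash or a `..` component are assumptions of this example.

```python
import posixpath
import re
from urllib.parse import unquote

# Directory from which GlobalProtect serves portal content; a file written
# under it can be fetched back over HTTPS, which is how the poc.txt write
# above is confirmed.
WEB_ROOT = "/var/appweb/sslvpndocs/"
COOKIE_RE = re.compile(r"SESSID=([^;\s]*)")

# Constructed request records (not real PAN-OS logs):
# "<client> <method> <uri> Cookie: SESSID=<value>"
SAMPLE_REQUESTS = [
    "203.0.113.5 GET /ssl-vpn/hipreport.esp Cookie: SESSID=2d5f0a9c7e4b4f1c9e9a1b2c3d4e5f60",
    "198.51.100.7 POST /ssl-vpn/hipreport.esp Cookie: SESSID=/./././var/appweb/sslvpndocs/global-protect/portal/images/poc.txt",
    "198.51.100.7 POST /ssl-vpn/hipreport.esp Cookie: SESSID=%2F..%2F..%2F..%2Ftmp%2Fprobe",
    "203.0.113.9 GET /global-protect/login.esp",
]


def sessid_is_path(value: str) -> bool:
    """True when the cookie is being used as a path rather than a session token.

    Assumption: a legitimate session id never contains a slash or a '..'
    component, even after percent-decoding (attackers encode to dodge naive
    string matches)."""
    decoded = unquote(value)
    return "/" in decoded or ".." in decoded


def scan_requests(lines):
    """Return one record per request whose SESSID resolves to a filesystem path."""
    hits = []
    for line in lines:
        match = COOKIE_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if not sessid_is_path(raw):
            continue
        target = posixpath.normpath(unquote(raw))   # /./././var/x -> /var/x
        hits.append({
            "client": line.split()[0],
            "raw_cookie": raw,
            "target": target,
            "web_accessible": target.startswith(WEB_ROOT),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_requests(SAMPLE_REQUESTS):
        print(hit)
```

The normalised `target` is what a responder should go and look for on the device; `web_accessible` separates a probe that the attacker can verify anonymously from one written somewhere they cannot read back.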


Observed Malicious Activity:

📌An uptick in malicious activity was observed soon after the public disclosure of the vulnerability and the release of an exploit script on GitHub.

📌Attackers used the UPSTYLE backdoor to interact with the compromised device indirectly, passing commands in through the web server's error log and reading the output back from a publicly accessible stylesheet.



Breaking News: Chinese AVs Outwitted by Go Code

The GitHub repository «darkPulse» by user «fdx-xdf» is a shellcode packer written in Go.

📌Purpose: darkPulse generates shellcode loaders designed to evade detection by Chinese antivirus products such as Huorong and 360 Total Security.

📌Shellcode Loader Generation: Produces several different types of shellcode loader.

📌Antivirus Evasion: Focuses on evading popular Chinese antivirus programs, namely Huorong and 360 Total Security.

📌Encryption and Obfuscation: Supports AES and XOR encryption of the payload, plus UUID or word-list encoding to lower the entropy of the embedded blob (encryption alone leaves the payload looking random, and a high-entropy section is itself a detection signal).

📌Loading Techniques: Supports multiple loading techniques, including callback, fiber and early bird (APC) injection, each of which can be used in indirect-syscall and unhook modes.

📌Encoding: Uses the Shikata ga nai polymorphic encoder, ported to Go with several improvements.

📌SysWhispers3: Uses SysWhispers3 to implement indirect syscalls.
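To make the entropy point concrete, the following added example (not darkPulse's code) XOR-encrypts a constructed stand-in for a shellcode blob, encodes the result as UUID strings the way such packers do, and measures the entropy of each form. The `bytes_le` field order is assumed to match what a loader reconstructs through UuidFromStringA; the blob and key are constructed for the example.

```python
import math
import uuid
from collections import Counter

# Constructed stand-in for a shellcode blob: 256 distinct byte values, so its
# entropy is the 8.0 bits/byte maximum that a real encrypted payload also shows.
SHELLCODE = bytes(range(256))


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 for a constant byte, 8.0 for uniform)."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())


def xor_encrypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR is a bijection on byte values: the histogram is only
    permuted, so the entropy does not move at all."""
    return bytes(b ^ key for b in data)


def to_uuids(data: bytes) -> list:
    """Encode 16-byte chunks as UUID strings; bytes_le is the field order a
    Windows loader gets back from UuidFromStringA. The last chunk is zero-padded."""
    padded = data + b"\x00" * (-len(data) % 16)
    return [str(uuid.UUID(bytes_le=padded[i:i + 16])) for i in range(0, len(padded), 16)]


def from_uuids(uuids: list, length: int) -> bytes:
    """Loader side: parse each UUID back to 16 bytes and drop the padding."""
    return b"".join(uuid.UUID(u).bytes_le for u in uuids)[:length]


def entropy_report(data: bytes, key: int = 0x5A) -> dict:
    """Entropy of the raw blob, its XOR-encrypted form, and the UUID text a
    darkPulse-style packer embeds in the binary instead of raw bytes."""
    encrypted = xor_encrypt(data, key)
    uuids = to_uuids(encrypted)
    return {
        "raw": shannon_entropy(data),
        "xor": shannon_entropy(encrypted),
        "uuid_text": shannon_entropy("".join(uuids).encode()),
        "roundtrip_ok": xor_encrypt(from_uuids(uuids, len(data)), key) == data,
    }


if __name__ == "__main__":
    for name, value in entropy_report(SHELLCODE).items():
        print(f"{name:>12}: {value}")
```

The UUID text sits around 4 bits per character because only sixteen hex digits and a dash ever appear, which is why packers prefer it to a raw encrypted section; the price is a roughly 2.25x size increase and a very recognisable pattern of 36-character strings that a YARA rule can key on instead.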




AMSI Bypass: The Malware’s Express Lane

The GitHub repository «V-i-x-x/AMSI-BYPASS» documents a technique its author calls «AMSI WRITE RAID», which can be used to bypass the Antimalware Scan Interface (AMSI).

📌Vulnerability Description: The «AMSI WRITE RAID» technique lets an attacker overwrite specific writable entries on the AMSI call stack, effectively bypassing AMSI's protections.

📌Writable Entries: The repository shows that multiple entries on the AMSI call stack are writable and can be targeted to achieve the bypass. They are documented in images such as «vulnerable_entries.png» and «writable_entries_part_1.png» in the repository.

📌Proof of Concept: The repository includes a PDF (Amsi.pdf) that explains the vulnerability in detail and walks through a proof of concept of the bypass.

📌Impact: A successful bypass lets malicious code evade AMSI scanning. This matters because AMSI is the hook through which PowerShell, the script hosts and .NET hand in-memory content to the installed antivirus for inspection; once it is neutralised, that layer of defence is gone.

Impact on Industries

📌Increased Risk of Malware Infections: AMSI bypasses allow attackers to execute malicious code undetected, raising the risk of malware infections, including ransomware and fileless attacks. This is particularly concerning for sectors that hold sensitive data, such as finance, healthcare and government.

📌Compromised Security Posture: Bypassing AMSI can leave an organisation's defences blind, as traditional antivirus and endpoint detection and response (EDR) products may fail to detect and prevent the malicious activity. This can lead to data breaches, financial losses and reputational damage.

📌Operational Disruptions: Successful AMSI bypass attacks can cause significant operational disruption, especially in critical-infrastructure sectors such as energy, transportation and utilities, where disruption cascades into service delivery and public safety.



MS-DOS: For those who think modern OSes are too user-friendly

The release of the MS-DOS source code is significant for educational purposes, historical preservation, community engagement and as a technical reference, making it a valuable resource even in the modern era.

Educational Value:

📌Learning Tool: The source code is a valuable resource for students and new programmers studying the fundamentals of operating system development. It offers insight into low-level programming, particularly in assembly language, which is crucial for understanding how early operating systems managed hardware and resources. Because nothing says «cutting-edge education» like studying an operating system that predates the internet. Who needs Python or JavaScript when you can wrestle with assembly language?

📌Historical Study: Researchers and historians can analyze the code to understand the evolution of software development practices and the technological advances of the 1980s and 1990s. For those who find ancient relics fascinating, like archaeologists of the digital age. Why study modern software when you can dig through the code of a system that ran on floppy disks?

Preservation of Digital History:

📌Archival Importance: By making the source code publicly available, Microsoft helps preserve a significant piece of computing history and ensures that future generations can access and learn from the software that played a pivotal role in the personal computing revolution. Because preserving the source code of an ancient OS is clearly more important than, say, addressing climate change or curing diseases. Future generations will surely thank us for this invaluable contribution.

📌Documentation of Technological Progress: The release includes not just the source code but also the original documentation and binaries, giving a comprehensive view of the software's development and its context within the broader history of computing. And to show just how far we've come. Look, kids, this is what we used before we had smartphones and cloud computing. Marvel at the simplicity!

Community Engagement and Innovation:

📌Open-Source Contributions: Releasing the code under the MIT license allows enthusiasts and developers to explore, experiment with, and potentially repurpose it for modern applications, which can lead to innovative uses of old technology in new contexts. For all those tech enthusiasts who have nothing better to do than tinker with obsolete code. Maybe someone will finally figure out how to make MS-DOS run on a smart fridge.

📌Digital Archaeology: Enthusiasts and digital preservationists can use the source code to run and test the software on both original hardware and modern emulators, ensuring that the knowledge and functionality of MS-DOS are not lost. Because some people just can't let go of the past. Let's spend our weekends running MS-DOS on emulators instead of enjoying modern gaming consoles.

Technical Reference:

📌Understanding Legacy Systems: For developers working with legacy systems, or those interested in the history of software engineering, the MS-DOS source code is a reference for how early operating systems were structured and how they worked. This is particularly useful for maintaining or interfacing with older systems still in use today. For those poor souls still maintaining ancient hardware in the back rooms of some forgotten office. It's like being a mechanic for a Model T in the age of electric cars.

📌Comparison with Modern Systems: Analyzing the MS-DOS source code allows a comparison with modern operating systems, highlighting the advances in software engineering and system design over the past few decades. To appreciate how much better we have it now. Look at this, kids, and be grateful you don't have to type commands to open a file.



Why Bother with Cybersecurity? Just Let Event Logs Do All the Work, Google said

By leveraging Windows Event Logs and integrating them with advanced detection systems, organizations can better protect themselves against the growing threat of browser data theft.

Technical Keypoints

📌Windows Event Logs: The method leverages Windows Event Logs to detect suspicious activity that may indicate browser data theft. This means monitoring specific event IDs and patterns that are indicative of malicious behaviour.

📌Event IDs: Key event IDs to monitor are Event ID 4688, which records process creation and identifies when a browser, or a process that later touches browser data, is started (enable command-line auditing so the event carries the full command line); Event ID 5145, which records access checks on network share objects and therefore covers browser profile files read over a file share rather than locally; and Event ID 4663, which records an attempt to access an object and is the event to use for reads or modifications of local browser data files. 4663 is only generated for objects that carry a SACL requesting audit of those accesses, so the SACL on the profile directory has to be configured before any of this telemetry exists.

📌Behavioral Analysis: The approach analyses the behaviour of processes and their interactions with browser data files, looking for unusual patterns such as processes that do not normally access browser data files suddenly doing so, or a high frequency of access to browser data files by non-browser processes.

📌Integration with SIEM: The method can be integrated with Security Information and Event Management (SIEM) systems to automate detection and alerting, which enables real-time monitoring and faster response to potential data theft incidents.

📌Machine Learning: Machine learning models can enhance detection by identifying anomalies and patterns that rule-based systems alone miss.
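One way to apply the 4688/4663 correlation described above, as an added example rather than code from the original article: it builds a process table from 4688 events, then flags any non-browser image whose 4663 events read credential files inside a Chromium profile and reports the parent that spawned it. The event records (a field subset of the real events), the allow-list of browser images and the profile-path markers are assumptions made for this example; a real pipeline would feed it parsed EVTX or SIEM output.

```python
import ntpath
from collections import defaultdict

# Files in a Chromium-based profile that hold credentials, cookies and the
# DPAPI-wrapped key that protects them.
SENSITIVE_FILES = {"login data", "cookies", "web data", "local state"}
# Images expected to open those files (assumed allow-list for this example).
EXPECTED_IMAGES = {"chrome.exe", "msedge.exe"}
# Path fragments that mark a browser profile directory.
PROFILE_MARKERS = ("\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\")
READ_DATA = 0x1  # FILE_READ_DATA bit of the 4663 AccessMask

# Constructed events (subset of the real 4688/4663 fields), not real host data.
SAMPLE_EVENTS = [
    {"EventID": 4688, "NewProcessId": "0x1a2c",
     "NewProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4688, "NewProcessId": "0x2f10",
     "NewProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ParentProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventID": 4663, "ProcessId": "0x1a2c", "AccessMask": "0x1",
     "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 4663, "ProcessId": "0x2f10", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 4663, "ProcessId": "0x2f10", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"EventID": 4663, "ProcessId": "0x2f10", "AccessMask": "0x1",
     "ProcessName": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "ObjectName": r"C:\Users\alice\Documents\notes.txt"},
]


def is_browser_secret(path: str) -> bool:
    """True for a credential-bearing file inside a Chromium profile directory."""
    low = path.lower()
    return any(m in low for m in PROFILE_MARKERS) and ntpath.basename(low) in SENSITIVE_FILES


def detect_browser_data_theft(events):
    """Return one alert per non-browser process that read browser secret files,
    enriched with the parent recorded by its 4688 event.
    Assumes one boot session and no PID reuse between the 4688 and the 4663."""
    parents = {}                  # pid -> parent image, from 4688
    suspects = defaultdict(set)   # (pid, image) -> files touched
    for ev in events:
        if ev["EventID"] == 4688:
            parents[ev["NewProcessId"]] = ev["ParentProcessName"]
        elif ev["EventID"] == 4663:
            image = ntpath.basename(ev["ProcessName"]).lower()
            if image in EXPECTED_IMAGES or not is_browser_secret(ev["ObjectName"]):
                continue
            if int(ev["AccessMask"], 16) & READ_DATA:
                suspects[(ev["ProcessId"], ev["ProcessName"])].add(ntpath.basename(ev["ObjectName"]))
    return [
        {"pid": pid, "process": image, "parent": parents.get(pid, "unknown"), "files": sorted(files)}
        for (pid, image), files in suspects.items()
    ]


if __name__ == "__main__":
    for alert in detect_browser_data_theft(SAMPLE_EVENTS):
        print(alert)
```

Keying on the parent is what turns a noisy rule into a useful one: a PowerShell-spawned binary in a Temp directory reading `Login Data` is the infostealer pattern, whereas a backup agent reading the same file from a service account is a tuning entry for the allow-list.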

Impact on Industries

📌Enhanced Security Posture: Implementing this detection method significantly strengthens an organization's defences against browser data theft. This is particularly important in industries that handle sensitive information, such as finance, healthcare and legal services.

📌Compliance and Regulatory Requirements: Many industries are subject to strict data-protection rules. The method helps organizations meet them by providing a robust mechanism for detecting and preventing data breaches.

📌Incident Response: Detecting browser data theft in real time enables faster incident response, limiting the damage and shortening the window in which attackers have access to sensitive data.

📌Cost Savings: Early detection and prevention of data theft avoid the financial and reputational damage that accompanies a breach.

📌Trust and Reputation: For industries that rely heavily on customer trust, such as e-commerce and online services, a demonstrable commitment to data security improves reputation and customer confidence.



Nimfilt: Because Authors Needed Another Language to Complicate Our Lives

Key Features

📌Function and Package Names: Nimfilt demangles Nim-specific function and package names, making them readable and easier to analyze.

📌Package Init Function Names: It also demangles the names of Nim package initialization functions.

📌Nim Strings: Nimfilt applies C-style structs to Nim strings, which helps interpret the data structures in the binary, in particular recovering each string's length and payload.

📌IDA Plugin: Nimfilt can be used as an IDA plugin, where it organizes functions into directories based on their package name or path, which gives the analysis structure.

📌Automatic Execution: The plugin can be set to run automatically when a Nim binary is loaded by setting the AUTO_RUN global variable to True.

📌Identifying Nim Binaries: Nimfilt uses heuristics to decide whether a loaded file is a Nim binary, checking for specific strings and function names associated with Nim.

📌YARA Rules: It ships YARA rules that identify Nim-compiled ELF and PE binaries.

📌Command Line Interface (CLI): Nimfilt can also be run as a Python script from the command line, providing a subset of its functionality outside IDA.

📌Organizing Functions: In IDA, Nimfilt creates directories in the Functions window to group functions by package name or path, improving the readability and manageability of the analysis.
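The struct-application step from «Nim Strings» above, as an added stand-alone example (not Nimfilt's own code, which works through the IDA API): it parses the assumed classic-runtime Nim string layout, sweeps a constructed blob for plausible headers, and recovers each string's length, capacity and literal flag. The layout (length word, reserved word with a literal flag in bit 62, NUL-terminated payload) is an assumption stated in the code; the sample blob is constructed.

```python
import struct
from dataclasses import dataclass

# Assumed layout: the classic (refc) Nim runtime on a 64-bit target stores a
# string as  struct { intptr_t len; intptr_t reserved; char data[len + 1]; }
# with bit 62 of `reserved` (strlitFlag) set for compile-time string literals.
# Nim 2's default ORC runtime uses a different {len, ptr payload} layout that
# this parser does not cover.
WORD = 8
STRLIT_FLAG = 1 << (WORD * 8 - 2)
HEADER = struct.Struct("<qq")


@dataclass
class NimString:
    offset: int
    length: int
    capacity: int
    is_literal: bool
    payload: bytes


def parse_nim_string(blob: bytes, offset: int) -> NimString:
    """Apply the struct at `offset`; raise ValueError if it cannot be a Nim string."""
    length, reserved = HEADER.unpack_from(blob, offset)
    capacity = reserved & ~STRLIT_FLAG
    if length < 0 or capacity < length:
        raise ValueError(f"implausible header at {offset:#x}")
    start = offset + HEADER.size
    end = start + length
    if end >= len(blob) or blob[end] != 0:          # Nim keeps a C NUL after data
        raise ValueError(f"missing NUL terminator at {end:#x}")
    return NimString(offset, length, capacity, bool(reserved & STRLIT_FLAG), blob[start:end])


def find_nim_strings(blob: bytes, max_len: int = 4096):
    """Sweep word-aligned offsets and keep headers whose payload is printable."""
    found = []
    for off in range(0, len(blob) - HEADER.size, WORD):
        try:
            candidate = parse_nim_string(blob, off)
        except ValueError:
            continue
        if 0 < candidate.length <= max_len and all(32 <= b < 127 for b in candidate.payload):
            found.append(candidate)
    return found


# Constructed test image: two strings laid out as the compiler would emit them.
def make_nim_string(payload: bytes, literal: bool) -> bytes:
    reserved = len(payload) | (STRLIT_FLAG if literal else 0)
    return HEADER.pack(len(payload), reserved) + payload + b"\x00"


def align(buf: bytes) -> bytes:
    return buf + b"\x00" * (-len(buf) % WORD)


SAMPLE_BLOB = (
    b"\x90" * 8
    + align(make_nim_string(b"http://evil.example/stage2", literal=True))
    + align(make_nim_string(b"cmd.exe /c whoami", literal=False))
    + b"\xcc" * 16
)

if __name__ == "__main__":
    for s in find_nim_strings(SAMPLE_BLOB):
        kind = "literal" if s.is_literal else "heap"
        print(f"{s.offset:#06x} len={s.length} cap={s.capacity} {kind}: {s.payload!r}")
```

The literal flag is the useful bit for triage: a literal is a string baked into the binary at compile time (C2 URLs, command templates), whereas a heap string with a capacity larger than its length was built at run time and is only ever seen in a memory dump.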

Scenarios

Nimfilt has been employed in a number of real-world cases, particularly in the analysis of malware written in the Nim programming language.

Sednit Group:

📌Background: The Sednit group, also known as APT28 or Fancy Bear, is a well-known cyber-espionage group. It has been active since at least 2004 and is responsible for several high-profile attacks, including the 2016 Democratic National Committee (DNC) hack.

📌Use of Nim: In 2019, Sednit was observed using a malicious downloader written in Nim, one of the early instances of Nim being used in malware.

📌Nimfilt's Role: Nimfilt was used to reverse-engineer this Nim-compiled malware, helping analysts understand the structure and functionality of the downloader by demangling function and package names and applying the right data structures to its strings.

Mustang Panda APT Group:

📌Background: Mustang Panda is a China-aligned Advanced Persistent Threat (APT) group known for cyber-espionage. It has been using Nim to build custom loaders for its Korplug backdoor.

📌Specific Incident: In August 2023, Mustang Panda used a malicious DLL written in Nim in a campaign against a governmental organization in Slovakia. The DLL was part of the group's classic trident Korplug loader.

📌Nimfilt's Role: Nimfilt was instrumental in analyzing this DLL. By demangling names and organizing functions into directories, it made it easier for researchers to dissect the malware and understand its behaviour.

General Malware Analysis:

📌Nim's Popularity: Nim has become increasingly attractive to malware developers thanks to its capable compiler and the ease with which it interoperates with C, C++ and JavaScript, and the amount of malware written in Nim has risen accordingly.

📌Nimfilt's Contribution: For researchers tasked with reverse-engineering such binaries, Nimfilt speeds up the analysis by demangling names, applying structs to strings and organizing functions, making the reverse-engineering process more efficient and focused.


Inside of Windows: How a Double-Fetch Vulnerability Leads to SYSTEM Access

24H2 NT Kernel Exploit [POC]

📌Target: the NT kernel in the Windows 11 24H2 Insider Preview.

📌Vulnerabilities: multiple kernel vulnerabilities in ntoskrnl.exe.

Exploit Technique:

📌Uses a process token swap to gain NT AUTHORITY\SYSTEM privileges.

📌Walks the PsActiveProcessHead list to find a privileged process and its token.

📌Replaces the exploit process's token with the privileged token.

📌Spawns a new command prompt with SYSTEM privileges.

Bypassing KASLR:

📌Uses a side-channel attack (prefetch timing, judging by the component names below) to locate the kernel base address.

📌Highlights weaknesses in the new KASLR implementation.

Components:

📌teb_nt_poc.c: the main exploit code.

📌prefetch_asm.asm and prefetch_leak.h: the side-channel code used to bypass kernel ASLR.

📌find_nt_offsets.h and find_nt_offsets.c: find non-exported globals in NT by disassembling it with Capstone.

📌ntos.h: miscellaneous non-public NT structs and function prototypes.


CVE-2024-21345 [POC]

📌Vulnerability: proof of concept (PoC) for CVE-2024-21345.

📌Target: the Windows kernel (ntoskrnl.exe).

Exploit Details:

📌The vulnerability is a double fetch in NtQueryInformationThread: a user-controlled value is read from user memory twice, validated on the first read and used on the second, and a caller that changes it between the two reads turns the bug into an arbitrary write.

📌Exploitation has high impact on integrity and confidentiality, with availability also rated high.
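A deterministic model of the double-fetch pattern behind the CVE-2024-21345 description above, added here as an example; it is not the PoC's code and does not reproduce the real NtQueryInformationThread code path, which the post does not show. The buffer sizes, the racing callback and the «validate one read, use a second read» shape are assumptions of the model; in a real kernel the second thread wins the race only some of the time, which is why such PoCs loop.

```python
KERNEL_BUFFER_SIZE = 64          # bytes the kernel-side buffer can hold
ADJACENT_OBJECT_SIZE = 16        # a neighbouring allocation that must stay intact


class UserMemory:
    """A user-mode page the kernel reads a length from. `racer` is called after
    each read and may rewrite the value, standing in for a second user thread
    that flips it between the kernel's validation read and its use read."""

    def __init__(self, length: int, racer=None):
        self._length = length
        self._racer = racer
        self.reads = 0

    def read_length(self) -> int:
        value = self._length
        self.reads += 1
        if self._racer is not None:
            self._length = self._racer(self.reads, value)
        return value


def kernel_copy_in(user: UserMemory, src: bytes, double_fetch: bool):
    """Model of a syscall that copies `length` user bytes into a fixed kernel buffer.

    double_fetch=True reproduces the bug class: the length is validated from one
    read and the copy uses a fresh second read. double_fetch=False captures the
    value once into a local and uses only that copy (the fix).
    Returns (bytes written past the buffer, contents of the adjacent object)."""
    arena = bytearray(KERNEL_BUFFER_SIZE + ADJACENT_OBJECT_SIZE)
    length = user.read_length()
    if length > KERNEL_BUFFER_SIZE:
        raise ValueError("rejected on validation")
    if double_fetch:
        length = user.read_length()           # the bug: trusts user memory again
    for i in range(min(length, len(arena))):  # what memcpy(buffer, src, length) does
        arena[i] = src[i % len(src)]
    spilled = max(0, length - KERNEL_BUFFER_SIZE)
    return spilled, bytes(arena[KERNEL_BUFFER_SIZE:])


def flip_after_validation(reads: int, current: int) -> int:
    """Racing thread: leave the first (validated) read alone, then make the
    length huge before the second read."""
    return 4096 if reads == 1 else current


def run_race(double_fetch: bool):
    user = UserMemory(length=16, racer=flip_after_validation)
    return kernel_copy_in(user, b"\x41" * 4096, double_fetch)


if __name__ == "__main__":
    for mode in (True, False):
        spilled, neighbour = run_race(double_fetch=mode)
        print(f"double_fetch={mode}: {spilled} bytes spilled, neighbour={neighbour.hex()}")
```

The fix is nothing more than the local variable: once the length has been captured it must never be re-read from user memory, and every later use, including the size passed to the copy, has to come from that captured copy.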


CVE-2024-26218 [POC]

📌Vulnerability: proof of concept (PoC) for CVE-2024-26218.

📌Target: the Windows kernel (ntoskrnl.exe).

Exploit Details:

📌The vulnerability allows an attacker to elevate privileges to SYSTEM, which can lead to full control over the affected system.



Passkeys: Making Phishing Scams Work a Little Harder

The introduction and support of passkeys by Apple and Google mark a significant step towards a more secure and user-friendly authentication method. The technology is poised to have a substantial impact on various industries by improving security and user experience and by driving the adoption of passwordless authentication.

Technical Key Points

Passkeys Overview:

📌Passkeys are digital credentials that enable passwordless authentication using public-key cryptography: the private key stays on the user's device (or in its synced credential store) and the relying party stores only the matching public key. They are designed to be both more secure and more user-friendly than traditional passwords.

📌Passkeys use biometric identification (e.g., fingerprint, face scan) or the screen-lock PIN to unlock the key locally. The phishing resistance comes from the protocol rather than from the biometric: the browser or platform binds every signature to the relying party ID and the origin that requested it, so a credential for one site cannot be used to sign in to a look-alike site.

Apple's Implementation:

📌Apple has introduced an API that allows passkeys to work with third-party software, improving their usability across different applications and platforms.

📌Passkeys are supported in Safari and are synchronized across Apple devices through iCloud Keychain, which makes them available on every device signed in to the same iCloud account.

📌Managed Apple IDs support passkey synchronization, and third-party password managers such as 1Password and Dashlane can save and exchange passkeys across iOS, iPadOS and macOS.

Google's Implementation:

📌Google has rolled out passkey support for Google Accounts on all major platforms as an additional sign-in option alongside passwords and 2-Step Verification (2SV).

📌Passkeys can be created and used on multiple devices and are backed up and synchronized across devices that support them, such as those signed in to the same Google account.

📌Google Workspace and Google Cloud users can now sign in to their accounts with passkeys, improving security for business users.

Cross-Platform Support:

📌Chrome on macOS now supports passkeys stored in iCloud Keychain, so users can create and use passkeys across different browsers and devices within the Apple ecosystem.

📌The passkey API behaves consistently in Safari and Chrome, giving a seamless user experience.
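The relying-party side of the phishing-resistance claim above, as an added example that is not Apple's or Google's code: it runs the WebAuthn assertion checks that bind a passkey signature to a relying party and an origin, and returns the bytes over which a crypto library must then verify the signature with the stored public key (that final ECDSA/EdDSA call is not shown). The relying-party ID, the allowed origins and the constructed client data and authenticator data are assumptions.

```python
import base64
import hashlib
import hmac
import json
import struct

RP_ID = "accounts.example"                       # assumed relying-party ID
ALLOWED_ORIGINS = {"https://accounts.example"}   # assumed origins allowed to use it
FLAG_UP, FLAG_UV = 0x01, 0x04                    # authenticatorData flag bits


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, stored_sign_count: int,
                     require_uv: bool = True) -> bytes:
    """Relying-party checks on a passkey assertion, run before the signature check.

    Raises ValueError on any failure; on success returns the bytes the
    credential's public key must have signed (authData || SHA-256(clientDataJSON))."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if not hmac.compare_digest(b64url_decode(client_data.get("challenge", "")), expected_challenge):
        raise ValueError("challenge mismatch (stale or replayed response)")
    # Origin binding: the browser fills this field, not the page, so a
    # look-alike domain cannot produce an assertion that passes here.
    if client_data.get("origin") not in ALLOWED_ORIGINS:
        raise ValueError(f"origin {client_data.get('origin')!r} is not allowed")
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not flags & FLAG_UV:
        raise ValueError("user verification (biometric/PIN) not performed")
    # Synced passkeys (iCloud Keychain, Google Password Manager) report 0 and
    # never increment, so only enforce the counter when the authenticator uses it.
    if sign_count != 0 and sign_count <= stored_sign_count:
        raise ValueError("signature counter did not increase (cloned authenticator?)")
    return auth_data + hashlib.sha256(client_data_json).digest()


def assertion_is_valid(*args, **kwargs) -> bool:
    try:
        verify_assertion(*args, **kwargs)
        return True
    except ValueError:
        return False


# Constructed inputs standing in for what navigator.credentials.get() returns.
def make_client_data(challenge: bytes, origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


CHALLENGE = bytes(range(32))      # a server would draw this from os.urandom(32)
GOOD = (make_client_data(CHALLENGE, "https://accounts.example"),
        make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 0))
PHISHED = (make_client_data(CHALLENGE, "https://accounts-example.com"),
           make_auth_data(RP_ID, FLAG_UP | FLAG_UV, 0))

if __name__ == "__main__":
    print("legitimate origin:", assertion_is_valid(*GOOD, CHALLENGE, 0))
    print("look-alike origin:", assertion_is_valid(*PHISHED, CHALLENGE, 0))
```

The origin and rpIdHash checks are the whole phishing story: a proxy such as the Evilginx-style kits that defeat OTP and push MFA can relay the challenge, but it cannot make the victim's browser stamp the real origin into clientDataJSON, so the assertion it collects never verifies at the real site.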


Impact on Industries

Enhanced Security:

📌Passkeys provide a higher level of security than traditional passwords and even some multifactor authentication (MFA) methods: one-time codes and push prompts can still be relayed by a phishing site, whereas a passkey signature is bound to the site that requested it. This resistance to phishing and other online attacks reduces the risk of credential theft.

📌By eliminating passwords, passkeys remove the class of breaches that stem from weak or reused passwords.

Improved User Experience:

📌Passkeys streamline authentication, making it faster and more convenient to sign in. For example, Google reported that users authenticated with passkeys in an average of 14.9 seconds, compared to 30.4 seconds with passwords.

📌Biometric authentication (e.g., Face ID, Touch ID) simplifies login and reduces the cognitive load on users, who no longer need to remember complex passwords.

Adoption by Enterprises:

📌Enterprises benefit from the security and usability gains of passkeys. For instance, Google Workspace and Google Cloud users can now use passkeys for secure and efficient access to their accounts.

📌The integration of passkeys into third-party applications and password managers lets businesses adopt the technology without significant changes to their existing infrastructure.

Industry Momentum:

📌Collaboration between Apple, Google and Microsoft, together with the FIDO Alliance, is driving passkey adoption across the industry, and this collective effort is likely to accelerate the transition to a passwordless future.

📌Passkey support in popular browsers and operating systems ensures broad compatibility and encourages more organizations to adopt the technology.


Android Live Threat Detection: 200 billion Scans a Day Still Won’t Catch Everything

The security updates announced at Google I/O 2024 are poised to enhance the security and privacy of Android devices significantly, impacting various industries by reducing fraud, protecting sensitive data, and fostering greater trust in mobile technologies.

Key Points

Google Play Protect Live Threat Detection:

📌Functionality: Scans 200 billion Android apps daily using on-device AI to detect and mitigate malware and fraudulent apps.

📌Implementation: Uses Private Compute Core for privacy-preserving analysis.

📌Deployment: Available on devices from manufacturers like Google Pixel, Honor, Lenovo, Nothing, OnePlus, Oppo, Sharp, and Transsion.

Stronger Protections Against Fraud and Scams:

📌Scam Call Detection: Uses Gemini Nano AI to detect and alert users about potential scam calls in real time.

📌Screen Sharing Safeguards: Enhanced controls to prevent social engineering attacks during screen sharing.

📌Advanced Cellular Security: New protections against cell site simulators to prevent surveillance and SMS-based fraud.

Private Space Feature:

📌Functionality: Allows users to create a secure, siloed portion of the OS for sensitive information, similar to Incognito mode.

📌Developer Access: Available for developers to experiment with, with a bug fix expected soon.

Enhanced Developer Tools:

📌Play Integrity API: Updated to include new in-app signals to help developers detect and prevent fraudulent or risky behavior.

📌Photo Picker: Improved to support cloud storage services and enforce stricter permissions for accessing photos and videos.

Impact on Industries

Financial Services:

📌Fraud Prevention: Enhanced scam call detection and advanced cellular security features will significantly reduce the risk of financial fraud and scams, protecting both consumers and financial institutions.

📌Data Privacy: The Private Space feature ensures that sensitive financial data remains secure, fostering greater trust in mobile banking and financial apps.

Healthcare:

📌Patient Data Security: The improved security measures, including live threat detection and Private Space, will help protect sensitive patient information stored on mobile devices.

📌Telehealth: Enhanced screen-sharing safeguards will secure telehealth sessions, preventing unauthorized access to patient data during remote consultations.

E-commerce:

📌Transaction Security: Scam call detection and advanced cellular security will protect users from phishing and fraud attempts, ensuring safer online transactions.

📌User Trust: Enhanced privacy controls and secure app environments will increase user confidence in mobile shopping platforms.

Telecommunications:

📌Network Security: Advanced cellular protections will help telecom providers safeguard their networks from cell site simulators and other surveillance tools.

📌Customer Safety: Real-time scam detection features will enhance customer safety, reducing the incidence of fraud-related complaints.

App Development:

📌Security Integration: Developers can leverage the updated Play Integrity API and other security tools to build more secure apps, reducing the risk of exploitation and abuse.

📌User Privacy: Stricter photo permissions and the Private Space feature will help developers ensure compliance with privacy regulations and build user trust.


Why Clicking on 'Urgent Invoice' Emails is the Best Way to Make Friends with IT

The blog post titled «On Fire Drills and Phishing Tests» from the Google Security Blog discusses the importance of phishing tests and fire drills in enhancing organizational security.

Importance of Phishing Tests

📌Phishing Tests as Training Tools: Phishing tests are used to train employees to recognize and respond to phishing attempts. They simulate real-world phishing attacks to help employees identify suspicious emails and links.

📌Behavioral Insights: These tests provide insights into employee behavior and the effectiveness of current training programs. They help identify which employees or departments are more susceptible to phishing attacks.

Fire Drills for Incident Response

📌Simulated Incidents: Fire drills involve simulating security incidents to test the organization’s incident response capabilities. This includes how quickly and effectively the team can detect, respond to, and mitigate security threats.

📌Preparedness and Improvement: Regular fire drills help ensure that the incident response team is prepared for actual security incidents. They also highlight areas for improvement in the incident response plan.

Integration of Phishing Tests and Fire Drills

📌Comprehensive Security Training: Combining phishing tests with fire drills provides a comprehensive approach to security training. It ensures that employees are not only aware of phishing threats but also know how to respond to them effectively.

📌Realistic Scenarios: By integrating these two methods, organizations can create more realistic and challenging scenarios that better prepare employees for real-world threats.

Metrics and Evaluation

📌Measuring Effectiveness: Both phishing tests and fire drills should be evaluated using metrics to measure their effectiveness. This includes tracking the number of employees who fall for phishing tests and the response times during fire drills.

📌Continuous Improvement: The data collected from these exercises should be used to continuously improve security training programs and incident response plans.

Organizational Culture

📌Promoting a Security-First Culture: Regular phishing tests and fire drills help promote a culture of security within the organization. They reinforce the importance of security awareness and preparedness among employees.

📌Encouraging Reporting: These exercises encourage employees to report suspicious activities and potential security incidents, fostering a proactive security environment.



Firmware Overwrite: The New Trend in Router Fashion

The Chalubo RAT malware campaign targeted specific models of Actiontec and Sagemcom routers, primarily affecting Windstream’s network. The malware used brute-force attacks to gain access, executed payloads in memory to avoid detection, and communicated with C2 servers using encrypted channels. The attack led to a significant outage, requiring the replacement of over 600,000 routers, highlighting the need for robust security measures and regular updates to prevent such incidents.

Targets

ISP Impact:

📌Windstream: The primary ISP affected, with over 600,000 routers rendered inoperable between October 25 and October 27, 2023.

📌Affected Models: Actiontec T3200, T3260, and Sagemcom F5380.

📌Impact: Approximately 49% of the ISP’s modems were taken offline, requiring hardware replacements.

Global Impact:

📌Botnet Activity: From September to November 2023, Chalubo botnet panels interacted with up to 117,000 unique IP addresses over a 30-day period.

📌Geographic Distribution: Most infections were in the US, Brazil, and China.

📌Operational Silos: 95% of bots communicated with only one control panel, indicating distinct operational silos.

Affected Routers

📌Targeted Models: End-of-life business-grade routers.

📌Actiontec T3200 and T3260 are VDSL2 wireless AC gateway routers approved by Windstream.

📌Sagemcom F5380 is a WiFi 6 (802.11ax) router.

📌DrayTek Vigor models 2960 and 3900.

Malware: Chalubo RAT

📌First Spotted: August 2018 by Sophos Labs.

📌Primary Functions: DDoS attacks, execution of Lua scripts, and evasion techniques using ChaCha20 encryption.

Technical Details:

📌Initial Infection: Uses brute-force attacks on SSH servers with weak credentials (e.g., root:admin).

📌Payload Delivery:

📌First Stage: A bash script («get_scrpc») fetches a second script («get_strtriiush»), which retrieves and executes the primary bot payload («Chalubo» or «mips.elf»).

📌Execution: The malware runs in memory, wipes files from the disk, and changes the process name to avoid detection.

📌Communication:

📌C2 Servers: Cycles through hardcoded C2s, downloads the next stage, and decrypts it using ChaCha20.

📌Persistence: The newer version does not maintain persistence on infected devices.

HiatusRAT Malware

📌Port 8816: HiatusRAT checks for existing processes on port 8816, kills any existing service, and opens a listener on this port.

📌Information Collection: Collects host-based information and sends it to the C2 server to track the infection status and log information about the compromised host.

📌Initial Access: Through exploiting vulnerabilities in router firmware or using weak credentials.

📌Persistence: Uses a bash script to download and execute HiatusRAT and the packet-capture binary.

📌Prebuilt Functions:

📌config: Loads new configuration values from the C2 node.

📌shell: Spawns a remote shell on the infected host.

📌file: Allows reading, deleting, or uploading files to the C2.

📌executor: Downloads and executes files from the C2.

📌script: Executes scripts supplied by the C2.

📌tcp_forward: Forwards TCP data from a specified port to another IP address and port.

📌socks5: Sets up a SOCKS5 proxy on the compromised router.

📌quit: Ceases execution of the malware.

📌Packet Capture: A variant of tcpdump is deployed to capture and monitor router traffic on ports associated with email and file-transfer communications.
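As an added defender-side example (not code from Black Lotus Labs, Sophos, or this blog), the following Python checks constructed host data for three observables named in the Chalubo and HiatusRAT descriptions above: a burst of failed SSH logins from one source that later succeeds, a listener on TCP port 8816, and a process whose executable was removed from disk after launch (the memory-only execution pattern). The auth.log lines, `ss -ltnp`-style listener lines, IP addresses, and process names are all constructed samples.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not real captures). Credential guessing
# against default accounts shows up as a burst of failures from one source.
SAMPLE_AUTH_LOG = """\
Oct 25 03:12:01 gw sshd[1412]: Failed password for root from 203.0.113.7 port 51122 ssh2
Oct 25 03:12:02 gw sshd[1414]: Failed password for root from 203.0.113.7 port 51123 ssh2
Oct 25 03:12:02 gw sshd[1416]: Failed password for root from 203.0.113.7 port 51124 ssh2
Oct 25 03:12:03 gw sshd[1418]: Failed password for admin from 203.0.113.7 port 51125 ssh2
Oct 25 03:12:04 gw sshd[1420]: Accepted password for root from 203.0.113.7 port 51126 ssh2
Oct 25 03:15:40 gw sshd[1502]: Failed password for alice from 198.51.100.4 port 40010 ssh2
"""

# Constructed listener table in the style of `ss -ltnp` output. The process
# on 8816 carries a benign-looking name, matching the renaming behaviour above.
SAMPLE_LISTENERS = """\
LISTEN 0 128 0.0.0.0:22   0.0.0.0:* users:(("sshd",pid=611,fd=3))
LISTEN 0 128 0.0.0.0:80   0.0.0.0:* users:(("httpd",pid=702,fd=4))
LISTEN 0 128 0.0.0.0:8816 0.0.0.0:* users:(("kworker",pid=1477,fd=5))
"""

# Constructed /proc/<pid>/exe resolutions. On Linux, a process whose backing
# file was unlinked after it started resolves to a path ending in "(deleted)".
SAMPLE_PROC_EXE = {
    611: "/usr/sbin/sshd",
    702: "/usr/sbin/httpd",
    1477: "/tmp/mips.elf (deleted)",
}

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)
LISTEN_RE = re.compile(
    r'LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)

HIATUS_PORT = 8816  # port named in the HiatusRAT description above


def ssh_bruteforce_sources(log_text, threshold=3):
    """Return, per source IP at/over the failure threshold, the failure count,
    the account names tried, and whether that source later logged in."""
    failed = Counter()
    users = {}
    succeeded = set()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        if m["result"] == "Failed":
            failed[m["src"]] += 1
            users.setdefault(m["src"], set()).add(m["user"])
        else:
            succeeded.add(m["src"])
    return {
        src: {"failed": n, "users": sorted(users[src]), "later_success": src in succeeded}
        for src, n in failed.items()
        if n >= threshold
    }


def suspicious_listeners(listener_text, proc_exe, watch_ports=(HIATUS_PORT,)):
    """Flag listening sockets on watched ports and listeners whose process
    image no longer exists on disk. Returns (pid, proc, port, reasons)."""
    findings = []
    for line in listener_text.splitlines():
        m = LISTEN_RE.search(line)
        if not m:
            continue
        port, pid, proc = int(m["port"]), int(m["pid"]), m["proc"]
        reasons = []
        if port in watch_ports:
            reasons.append(f"listener on watched port {port}")
        if proc_exe.get(pid, "").endswith("(deleted)"):
            reasons.append("process image deleted from disk (memory-only execution)")
        if reasons:
            findings.append((pid, proc, port, reasons))
    return findings


if __name__ == "__main__":
    for src, info in ssh_bruteforce_sources(SAMPLE_AUTH_LOG).items():
        print(f"brute force from {src}: {info}")
    for pid, proc, port, reasons in suspicious_listeners(SAMPLE_LISTENERS, SAMPLE_PROC_EXE):
        print(f"pid {pid} ({proc}) on port {port}: {'; '.join(reasons)}")
```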



Black Lotus Labs Uncovers New Router Malware Campaigns

📌Black Lotus Labs, the threat research team at Lumen Technologies (formerly CenturyLink), has recently uncovered two major malware campaigns targeting routers and networking devices from different manufacturers. These discoveries highlight the increasing threats faced by internet infrastructure and the need for better security practices.

The Hiatus Campaign

📌In March 2023, Black Lotus Labs reported on a complex campaign called «Hiatus» that had been targeting business-grade routers, primarily DrayTek Vigor models 2960 and 3900, since June 2022.

📌The threat actors exploited end-of-life DrayTek routers to establish long-term persistence without detection.

📌Around 4,100 vulnerable DrayTek models were exposed on the internet, with Hiatus compromising approximately 100 of them across Latin America, Europe, and North America.

📌Upon infection, the malware intercepts data transiting the infected router and deploys a Remote Access Trojan (RAT) called «HiatusRAT» that can proxy malicious traffic to additional networks.

📌Black Lotus Labs has null-routed the Hiatus command-and-control (C2) servers across Lumen’s global backbone and added the indicators of compromise (IoCs) to their Rapid Threat Defense system to block threats before reaching customer networks.

The Pumpkin Eclipse Campaign

📌In late October 2023, Black Lotus Labs investigated a massive outage affecting specific ActionTec (T3200s and T3260s) and Sagemcom (F5380) gateway models within a single internet service provider’s network.

📌Over 600,000 devices displayed a static red light, indicating a likely firmware corruption issue.

📌The attack was confined to a specific Autonomous System Number (ASN), impacting around 49% of exposed devices in that network.

📌Black Lotus Labs discovered a multi-stage infection mechanism that installed the Chalubo RAT, a botnet targeting SOHO gateways and IoT devices.

📌Black Lotus Labs has added the IoCs from this campaign and the Chalubo malware to their threat intelligence feed, fueling Lumen’s Connected Security portfolio.



ICSpector: Solving Forensics Problems You Didn’t Know You Had

The Microsoft ICS Forensics Tools framework, known as ICSpector, is an open-source tool designed to facilitate the forensic analysis of Industrial Control Systems (ICS), particularly focusing on Programmable Logic Controllers (PLCs).

Key Technical Points of ICSpector

Framework Composition and Architecture

📌Modular Design: ICSpector is composed of several components that can be developed and executed separately, allowing for flexibility and customization based on specific needs. Users can also add new analyzers.

📌Network Scanner: Identifies devices communicating via supported OT protocols and ensures they are responsive. It can work with a provided IP subnet or a specific IP list exported from OT security products.

📌Data Extraction & Analyzer: Extracts PLC project metadata and logic, converting raw data into a human-readable form to highlight areas that may indicate malicious activity.

Forensic Capabilities

📌Identification of Compromised Devices: Helps in identifying compromised devices through manual verification, automated monitoring, or during incident response.

📌Snapshot Creation: Allows for the creation of snapshots of controller projects to compare changes over time, aiding in the detection of tampering or anomalies.

📌Support for Siemens PLCs: Currently supports Siemens SIMATIC S7-300 and S7-400 families, with plans to support other PLC families in the future.

Integration with Other Tools

📌Microsoft Defender for IoT: Can be used alongside Microsoft Defender for IoT, which provides network-layer security, continuous monitoring, asset discovery, threat detection, and vulnerability management for IoT/OT environments.

Use Cases

📌Incident Response: Useful for incident response operations to detect compromised devices and understand if PLC code was tampered with.

📌Proactive Security: Helps in proactive incident response by comparing PLC programs on engineering workstations with those on the actual devices to detect unauthorized changes.

Industries

📌Nuclear, Thermal, and Hydroelectric Power Plants: Power plants rely heavily on Industrial Control Systems (ICS) to manage critical operations. ICSpector can be used to ensure the integrity of Programmable Logic Controllers (PLCs) that control these processes. By detecting any anomalous indicators or compromised configurations, ICSpector helps prevent disruptions that could lead to power outages or safety hazards.

📌Water Treatment Plants: These facilities use ICS to control the treatment processes that ensure water safety. ICSpector can help in monitoring and verifying the integrity of PLCs, ensuring that the water treatment processes are not tampered with, which is crucial for public health and safety.

📌Industrial Manufacturing: In manufacturing environments, ICS are used to control machinery and production lines. ICSpector can be used to detect any unauthorized changes or anomalies in the PLCs, ensuring consistent product quality and preventing costly downtimes due to equipment failure.

📌Critical Infrastructure Sectors: This includes sectors like energy, water, transportation, and communication systems. ICSpector can be used to safeguard the ICS that control these critical infrastructures from cyberattacks, ensuring their continuous and secure operation.

📌Chemical Processing Plants: These plants use ICS to manage complex chemical processes. ICSpector can help in ensuring that the PLCs controlling these processes are secure and have not been tampered with, which is vital for preventing hazardous incidents.

📌Oil and Gas Industry: ICS are used extensively in the oil and gas sector for drilling, refining, and distribution processes. ICSpector can be used to monitor and verify the integrity of these systems, preventing disruptions that could lead to significant financial losses and environmental damage.



Raytracing on a ZX Spectrum: Who Needs Modern GPUs When You Can Spend a Weekend Rendering a Single Frame to Prove That Masochism Can Be a Hobby?

The ZX Raytracer project not only demonstrates the feasibility of implementing a raytracer on the ZX Spectrum but also serves as an educational resource, a celebration of computing history, and an inspiration for future projects in retro computing, embedded systems, and optimization techniques.

Key Points & Potential Uses

📌Implementing a Raytracer on Legacy Hardware: The project demonstrates the possibility of implementing a raytracer, a computationally intensive graphics rendering technique, on the ZX Spectrum, a home computer from the 1980s with very limited hardware capabilities (3.5 MHz Z80A CPU and often only 16 KB RAM).

📌Overcoming Hardware Limitations: Despite the severe hardware constraints, the project overcame challenges like attribute clash (color limitations), low resolution (256×176 pixels), and slow performance (initial render time of 17 hours per frame) through clever optimizations and approximations.

📌Educational Tool: The project could be used as a teaching aid in computer science courses, particularly those focused on computer graphics, optimization techniques, or low-level programming.

📌Retro Gaming and Demoscene Exhibitions: The raytracer could be showcased at retro computing events, demoscene parties, or exhibitions celebrating the achievements of vintage hardware and programming.

📌Embedded Systems Development: The optimization techniques and approximations used in this project could inspire developers working on embedded systems or resource-constrained devices, where efficient use of limited resources is crucial.

📌Appreciation of Computing History: The project could be featured in museums or exhibitions dedicated to the history of computing, showcasing the ingenuity and creativity of early programmers working with limited hardware resources.

📌Inspiration for Future Projects: The success of this project could motivate others to explore the limits of legacy hardware or undertake similar challenging projects, pushing the boundaries of what is possible on vintage systems.



FIDO2: Phishing-Resistant, But Not Token-Resistant

The article on Silverfort’s blog explores how MITM attacks can bypass FIDO2’s phishing-resistant protections. It details the FIDO2 authentication flow, highlights vulnerabilities in session token handling, and provides real-world examples involving Entra ID SSO, PingFederate, and Yubico Playground, concluding with mitigation strategies to enhance security.

FIDO2 Background

📌FIDO2 is a modern passwordless authentication standard developed by the FIDO Alliance to replace passwords.

📌It aims to protect against phishing, man-in-the-middle (MITM), and session hijacking attacks.

📌The authentication flow involves device registration and authentication steps using public key cryptography.

FIDO2 Security Features

📌FIDO2 is designed to prevent phishing, MITM, and session hijacking attacks.

📌However, the research found that FIDO2 implementations often do not protect session tokens after successful authentication.

Attacking FIDO2 with MITM

📌The author investigated MITM attacks on identity providers (IdPs) that relay communications between devices.

📌While MITM is more difficult with TLS, methods like DNS spoofing, ARP poisoning, and certificate theft can achieve it.

📌By performing MITM on the IdP, the attacker can hijack the session token after FIDO2 authentication.

Entra ID SSO (Microsoft)

📌Overview: Entra ID SSO is a single sign-on solution that supports various SSO protocols and modern authentication methods, including FIDO2.

📌Vulnerability: The research demonstrated that an attacker could hijack sessions by exploiting the way Entra ID handles session tokens.

📌Attack Method: The attacker does not need to relay the entire authentication process. Instead, they can use a signed token provided by the IdP, which has an expiration time of one hour. This token can be reused within the valid time frame to generate state cookies for a longer period.

📌Example: The native Azure Management portal application does not validate the token granted by the SSO, allowing an attacker to use a stolen token to gain unauthorized access.

PingFederate

📌Overview: PingFederate is an SSO solution that uses third-party adapters to perform authentication. These adapters can be chained into an authentication policy flow.

📌Vulnerability: The research found that if the relying party developer does not validate the OIDC token (or SAML Response), the MITM attack can be successful.

📌Attack Method: The attack exploits the weakest link in the authentication chain. Since the SSO protocols rely on granting tokens that can be reused by different devices, an attacker can hijack the session by stealing these tokens.

📌Example: The PingOne adapter can be used with FIDO2 capabilities. If the OIDC token is not validated, an attacker can bypass FIDO2 protections and gain unauthorized access.

Yubico Playground

📌Overview: Yubico Playground is a testing environment for FIDO security features and keys.

📌Vulnerability: The research showed that a simple session cookie generated after FIDO2 authentication can be exploited.

📌Attack Method: There is no validation on the device that requested the session cookie. Any device can use this cookie until it expires, allowing an attacker to bypass the authentication step.

📌Example: By acquiring the session cookie, an attacker can access the user’s private area and remove the security key from the user’s profile, demonstrating a straightforward session hijacking scenario.
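The common thread in the three cases above is that the post-authentication session token proves only that someone completed FIDO2, not that the presenting device is the one that did. The Python below is an added illustration (not code from Silverfort or any of the products named) of that gap beside the mitigation: an HMAC-signed session that carries no device identity and is therefore replayable from any client, next to one that records the identity of the device which passed the FIDO2 ceremony and rejects presentation from any other device. The server key, the device identifiers, and the choice of HMAC-over-JSON as the token format are constructed assumptions; how a deployment derives a stable device identity (for example a client-certificate fingerprint or a device-bound key) is not specified by the page.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed server-side signing key; a real IdP would hold this in an HSM/KMS.
SERVER_KEY = secrets.token_bytes(32)


def _sign(payload):
    """Serialize the payload and append an HMAC-SHA256 tag (constructed format)."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def _verify(token):
    """Return the payload if the tag is valid and the token is unexpired, else None."""
    try:
        b64_body, b64_tag = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except ValueError:
        return None
    expected = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(body)
    if payload.get("exp", 0) < time.time():
        return None
    return payload


# The flawed pattern: the session is tied to the user only. Whoever holds the
# token is accepted, so a token captured in transit works from any machine.
def issue_unbound_session(user, ttl=3600):
    return _sign({"sub": user, "exp": time.time() + ttl})


def accept_unbound(token, presenting_device):
    payload = _verify(token)
    return payload is not None  # presenting_device is never consulted


# The mitigation: the session records which device completed FIDO2, and each
# request is checked against the device actually presenting the token.
def issue_bound_session(user, device_id, ttl=3600):
    return _sign({"sub": user, "dev": device_id, "exp": time.time() + ttl})


def accept_bound(token, presenting_device):
    payload = _verify(token)
    if payload is None:
        return False
    # A token that carries no device claim (e.g. an unbound one) is rejected too.
    return hmac.compare_digest(payload.get("dev", ""), presenting_device)


if __name__ == "__main__":
    stolen = issue_unbound_session("alice")
    print("unbound token replayed from another device:", accept_unbound(stolen, "other-device"))
    bound = issue_bound_session("alice", "alice-laptop")
    print("bound token from the enrolled device:", accept_bound(bound, "alice-laptop"))
    print("bound token replayed from another device:", accept_bound(bound, "other-device"))
```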


Incident Response Made Easy: Using BucketLoot for Cloud Storage Forensics

BucketLoot’s automated approach, versatility across multiple cloud platforms, and comprehensive feature set make it a valuable addition to the toolbox of security professionals, DevOps teams, and organizations seeking to enhance their cloud security posture and protect sensitive data stored in cloud object storage buckets.

Key Features

📌Automated Cloud Bucket Inspection: BucketLoot can automatically scan and inspect S3-compatible cloud storage buckets across multiple platforms, including Amazon Web Services (AWS), Google Cloud Storage (GCS), DigitalOcean Spaces, and custom domains/URLs.

📌Asset Extraction: The tool can extract valuable assets stored in the buckets, such as URLs, subdomains, and domains, which can be useful for attack surface management and reconnaissance.

📌Secret Exposure Detection: BucketLoot can detect and flag potential secret exposures, such as API keys, access tokens, and other sensitive information, helping organizations identify and mitigate security risks.

📌Custom Keyword and Regex Searching: Users can search for specific keywords or regular expressions within the bucket files, enabling targeted searches for sensitive data or specific types of information.

📌Efficient Scanning: BucketLoot focuses on scanning files that store data in plain-text formats, optimizing the scanning process and improving performance.

📌Flexible Scanning Modes: The tool offers a guest mode for initial scans without requiring credentials, as well as a complete scan mode with platform credentials for more comprehensive analysis.

📌JSON Output: BucketLoot provides its output in a JSON format, making it easy to parse and integrate the results into existing workflows or other security tools.

Usefulness Across Industries and for Security Experts

📌Cybersecurity Professionals: BucketLoot is an invaluable tool for cybersecurity professionals, such as penetration testers, bug hunters, and security researchers, as it aids in identifying potential vulnerabilities and data exposures in cloud storage configurations.

📌Cloud Service Providers: Organizations that offer cloud services can leverage BucketLoot to ensure the security of their customers’ data stored in cloud buckets and maintain compliance with industry standards.

📌DevSecOps and DevOps Teams: By integrating BucketLoot into their workflows, DevSecOps and DevOps teams can proactively identify and mitigate security risks associated with cloud storage, promoting secure software development practices.

📌Incident Response and Forensics: In the event of a data breach or security incident, BucketLoot can assist incident response teams and forensic investigators in quickly identifying exposed data and potential attack vectors related to cloud storage misconfigurations.

📌Compliance and Risk Management: Organizations subject to regulatory compliance requirements, such as GDPR, HIPAA, or PCI-DSS, can use BucketLoot to ensure the secure handling of sensitive data stored in cloud buckets and demonstrate adherence to data protection standards.

📌Bug Bounty Programs: Bug bounty hunters and researchers can leverage BucketLoot to uncover potential vulnerabilities and data exposures in cloud storage configurations, contributing to the overall security posture of organizations and earning rewards.


QCSuper: Eavesdropping on Device Becomes a Hobby

QCSuper is a versatile tool that serves multiple purposes across different sectors. Its ability to capture and analyze raw radio frames from Qualcomm-based devices makes it indispensable for telecom operators, security researchers, network developers, and educators.

Main Features of QCSuper

📌Protocol Support: Captures raw radio frames for 2G (GSM), 2.5G (GPRS and EDGE), 3G (UMTS), and 4G (LTE) networks. Partial support for 5G is available for certain models.

📌Device Compatibility: Works with Qualcomm-based phones and modems, including rooted Android devices and USB dongles.

📌Data Output: Generates PCAP files with GSMTAP encapsulation, which can be analyzed using Wireshark.

📌Ease of Use: Simple commands to start capturing data.

📌Cross-Platform Support: Can be installed on both Linux and Windows systems, with detailed instructions provided for both platforms.

📌Research and Analysis: Widely used by telecom, mobile, and security researchers for analyzing radio communication exchanges.

Hardware Requirements for Using QCSuper

📌Qualcomm-Based Devices: The primary requirement is a Qualcomm-based phone or modem. This is because QCSuper relies on the Qualcomm Diag protocol to capture raw radio frames.

📌Rooted Android Phone or USB Modem: For Android phones, the device must be rooted to access the necessary diagnostic interfaces.

📌Operating System Compatibility: QCSuper has been tested on Ubuntu LTS 22.04 and Windows 11. It is recommended to use Linux for better compatibility.

📌Wireshark: Wireshark is needed to analyze the PCAP files generated by QCSuper. Different versions of Wireshark are required depending on the type of frames being captured (e.g., Wireshark 2.x–4.x for 2G/3G frames, Wireshark 2.5.x for 4G frames, and Wireshark 3.6.x for 5G frames).

Limitations

🚫QCSuper cannot be used with non-Qualcomm phones. The tool specifically relies on the Qualcomm Diag protocol to capture raw radio frames, which is a proprietary protocol available only on Qualcomm-based devices. Therefore, it is not compatible with phones or modems that do not use Qualcomm chipsets.

🚫QCSuper cannot capture 5G radio frames on all devices. The ability to capture 5G frames is limited to certain models of Qualcomm-based devices. The tool has partial support for 5G, and this functionality has been tested under specific conditions with Wireshark 3.6.x. Therefore, not all Qualcomm-based devices will necessarily support 5G frame capture, and users may need to verify compatibility for their specific device model.

Application

Telecommunications Industry:

📌Network Analysis: QCSuper enables telecom operators to capture and analyze radio communication exchanges between mobile devices and the network. This helps in understanding network performance, diagnosing issues, and optimizing network configurations.

📌Protocol Compliance: By capturing raw radio frames, telecom companies can ensure that their networks comply with industry standards and protocols, such as those defined by 3GPP for 2G, 3G, 4G, and 5G networks.

Mobile Security:

📌Security Research: Security researchers can use QCSuper to study vulnerabilities in mobile networks. By analyzing the captured frames, they can identify potential security flaws and develop mitigation strategies.

📌Penetration Testing: QCSuper is useful for conducting penetration tests on mobile networks. It allows security professionals to simulate attacks and assess the resilience of the network against various threats.

Network Research and Development:

📌Protocol Analysis: Researchers can use QCSuper to capture and analyze signaling information and user data at different layers of the mobile network stack. This is crucial for developing new protocols and improving existing ones.

📌5G Research: With partial support for 5G, QCSuper is instrumental in studying the latest advancements in mobile technology. Researchers can analyze 5G frames to understand the new features and challenges associated with 5G networks.

Educational and Training Purposes:

📌Training Programs: QCSuper is used in training programs to educate telecom and security professionals about mobile network protocols and security. It provides hands-on experience in capturing and analyzing real-world network traffic.

📌Academic Research: Universities and research institutions can leverage QCSuper for academic projects and research, helping students and researchers gain practical insights into mobile network operations.


TP-Link TDDP Buffer Overflow Vulnerability

The article provides a detailed analysis of a specific vulnerability in TP-Link devices that was reported in 2020 but did not receive a CVE assignment.

Causes of the TP-Link TDDP Buffer Overflow Vulnerability

The TP-Link TDDP (TP-LINK Device Debug Protocol) buffer overflow vulnerability primarily stems from the protocol's handling of UDP packets. TDDP is a binary protocol used for debugging purposes in which each request is carried in a single UDP packet, a design that is prone to security risks if the packet is not handled properly. The specific cause of the buffer overflow is the lack of proper verification of the data length while parsing these UDP packets. This oversight allows the packet data to overflow its buffer, which corrupts the memory structure of the device.

Impacts of the Vulnerability

The primary impact of the TP-Link TDDP buffer overflow vulnerability is a denial of service (DoS). This occurs when the overflow corrupts the memory structure, causing the device to crash or become unresponsive. Additionally, there is a potential for remote code execution, which could allow an attacker to execute arbitrary code on the device. This could lead to unauthorized access to the network, data theft, or further exploitation of network resources.

Exploitation Techniques

Exploitation of the TP-Link TDDP buffer overflow vulnerability involves sending crafted UDP packets that exceed the buffer limits set by the protocol. This can be achieved by manipulating the packet's data length to be longer than what the buffer can handle, leading to overflow. Tools like Shambles can be used to identify, reverse, emulate, and validate such buffer overflow conditions. Successful exploitation could allow attackers to cause a denial of service or potentially execute arbitrary code on the device.

Mitigation Strategies

📌Firmware Updates: Regularly updating the firmware of TP-Link devices to the latest version can help patch vulnerabilities and improve security.

📌Network Segmentation: Placing critical devices on separate network segments can limit the spread of potential attacks.

📌Firewall Rules: Configuring firewalls to restrict incoming traffic on UDP port 1040, which is used by TDDP, can prevent unauthorized access.

📌Vulnerability Scanners: Using security tools to regularly scan for vulnerabilities can help identify and mitigate them before they are exploited.

Overview of TDDP

📌TP-Link Device Debug Protocol (TDDP): A binary protocol used primarily for debugging purposes that operates through a single UDP packet. This protocol is documented in patent CN102096654A.

📌Packet Structure: The TDDP packet includes fields such as Version, Type, Code, ReplyInfo, PktLength, PktID, SubType, Reserve, and MD5 Digest, which are crucial for the protocol's operation.

Vulnerability Analysis / Function Analysis:

📌tddpEntry (sub_4045f8 0x004045F8): This function continuously checks for incoming data using the recvfrom function and passes the data to TddpPktInterfaceFunction without validating the received data size.

📌GetTddpMaxPktBuff (sub_4042d0 0x004042D0): Returns a buffer size of 0x14000.

📌tddp_versionTwoOpt (sub_404b40 0x00405990) and tddp_deCode (sub_404fa4 0x00405014): Functions involved in processing and decoding the TDDP packet. They handle data decryption using DES and verify the integrity of the decrypted data.

Exploitation Mechanism

📌Buffer Overflow Trigger: The vulnerability is triggered when the packet length specified in the TDDP packet exceeds the buffer size (0x14000), leading to a buffer overflow.

📌Decryption and MD5 Verification: The des_min_do function is used for decryption, and the MD5 digest of the packet is verified against the MD5 digest of the data. If the packet length is manipulated to exceed the buffer size, it leads to memory corruption and a denial of service (DoS).
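As an added example (not the article's or TP-Link's code), the header parser below applies the length checks that the function analysis above says tddpEntry omits: the sender-supplied PktLength is bounded by both the 0x14000-byte buffer returned by GetTddpMaxPktBuff and the datagram length that recvfrom actually delivered. The 28-byte field layout, the reading of PktLength as the byte count following the header, and the test datagrams are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Buffer size returned by GetTddpMaxPktBuff, per the analysis above. */
#define TDDP_MAX_PKT_BUFF 0x14000u
/* Assumed header layout (sizes are not stated on the page): 1+1+1+1+4+2+1+1+16 = 28 bytes. */
#define TDDP_HDR_LEN 28u

struct tddp_hdr {
    uint8_t  version, type, code, reply_info;
    uint32_t pkt_length;   /* sender-supplied; assumed to count the bytes after the header */
    uint16_t pkt_id;
    uint8_t  sub_type, reserve;
    uint8_t  md5_digest[16];
};

enum tddp_verdict { TDDP_OK, TDDP_ERR_SHORT, TDDP_ERR_TOO_LONG, TDDP_ERR_LEN_MISMATCH };

static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Parse one received datagram of n bytes. PktLength is untrusted: it must fit the
 * fixed 0x14000-byte buffer AND the datagram that was actually received. Copying
 * PktLength bytes without these checks is the defect the article describes. */
enum tddp_verdict tddp_parse(const uint8_t *dgram, size_t n, struct tddp_hdr *h)
{
    if (n < TDDP_HDR_LEN) return TDDP_ERR_SHORT;           /* header itself is incomplete */
    h->version = dgram[0]; h->type = dgram[1]; h->code = dgram[2]; h->reply_info = dgram[3];
    h->pkt_length = rd32(dgram + 4);
    h->pkt_id = (uint16_t)((dgram[8] << 8) | dgram[9]);
    h->sub_type = dgram[10]; h->reserve = dgram[11];
    memcpy(h->md5_digest, dgram + 12, 16);
    /* Bound by the destination buffer first; the subtraction cannot wrap (0x14000 > 28). */
    if (h->pkt_length > TDDP_MAX_PKT_BUFF - TDDP_HDR_LEN) return TDDP_ERR_TOO_LONG;
    /* Then bound by what recvfrom actually returned: never trust the header alone. */
    if (h->pkt_length != n - TDDP_HDR_LEN) return TDDP_ERR_LEN_MISMATCH;
    return TDDP_OK;
}

/* Test helper (constructed input, not protocol code): build a datagram whose header
 * claims claimed_len payload bytes but that actually carries payload_len bytes,
 * then run it through the parser. The payload is capped by the local buffer. */
enum tddp_verdict tddp_check_constructed(uint32_t claimed_len, size_t payload_len)
{
    uint8_t buf[512] = {0};
    struct tddp_hdr h;
    if (payload_len > sizeof buf - TDDP_HDR_LEN) payload_len = sizeof buf - TDDP_HDR_LEN;
    buf[0] = 2;                                      /* Version byte, constructed value */
    buf[4] = (uint8_t)(claimed_len >> 24); buf[5] = (uint8_t)(claimed_len >> 16);
    buf[6] = (uint8_t)(claimed_len >> 8);  buf[7] = (uint8_t)claimed_len;
    memset(buf + TDDP_HDR_LEN, 0x41, payload_len);   /* filler payload */
    return tddp_parse(buf, TDDP_HDR_LEN + payload_len, &h);
}

int main(void)
{
    static const char *names[] = {"OK", "SHORT", "TOO_LONG", "LEN_MISMATCH"};
    printf("consistent header:     %s\n", names[tddp_check_constructed(16, 16)]);
    printf("claim above 0x14000:   %s\n", names[tddp_check_constructed(0x20000, 16)]);
    printf("claim beyond datagram: %s\n", names[tddp_check_constructed(200, 16)]);
    return 0;
}
```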

Proof of Concept (PoC)

📌Setup: The PoC involves setting up a virtual machine (VM) with the firmware and running the tddpd service.

📌Exploit Code: The document includes Python code that crafts a TDDP packet with specific fields manipulated to trigger the buffer overflow.

📌Result: Executing the PoC results in the tddpd program crashing, confirming the vulnerability.

Conclusion

📌Impact: The vulnerability leads to a denial of service and potentially allows for remote code execution if further exploited.

📌Recommendations: Regular updates and patches, network segmentation, and proper validation of incoming data are recommended to mitigate such vulnerabilities.


QEMU to emulate IoT firmware

The article provides a detailed guide on using QEMU to emulate IoT firmware, specifically focusing on a practical example involving the emulation of a router's firmware. The author shares insights and detailed steps on how to effectively use QEMU for security research and testing purposes.

Overview of QEMU

📌QEMU stands for «Quick EMUlator» and is utilized to emulate various hardware architectures, making it a valuable tool for security researchers who need to test software in a controlled environment without physical hardware.

📌The guide emphasizes the use of Ubuntu 18.04 for setting up QEMU due to its ease of managing interfaces on this particular distribution.

Initial Setup and Installation

📌The document outlines the initial steps to install QEMU and its dependencies on Ubuntu 18.04, including the installation of libraries and tools necessary for network bridging and debugging with pwndbg.

Firmware Analysis and Preparation

Binwalk is used to analyze and extract the contents of the firmware. The guide details how to use Binwalk to identify and decompress the components of the firmware, focusing on the squashfs file system which is crucial for the emulation process.

Emulation Process

📌Chroot Environment: This involves copying the qemu-mips-static binary to the firmware directory and using chroot to run the firmware's web server directly.

📌System Mode Emulation: This method uses a script and additional downloads (like vmlinux and a Debian image) to create a more stable and integrated emulation environment.

Debugging and Network Configuration

📌Detailed steps are provided on setting up network bridges and interfaces to allow the emulated firmware to communicate with the host system.

📌The guide also covers the mounting of various directories (/dev, /proc, /sys) to ensure the emulated system has access to necessary resources.

Running and Interacting with the Emulated Firmware

📌Once the setup is complete, the firmware is run, and the user can interact with the emulated web server through a browser. The guide includes troubleshooting tips for common issues like incorrect paths or missing files that might cause the server to fail.

Security Testing and Reverse Engineering

The document concludes with insights into using the emulation setup for security testing and reverse engineering. It mentions tools like Burp Suite for capturing web requests and Ghidra for analyzing binaries.

Practical Demonstration

📌A practical demonstration of finding and exploiting a command injection vulnerability in the emulated firmware is provided, showcasing how QEMU can be used to test and develop proofs of concept for security vulnerabilities.


Botnet targets decade-old flaw in unpatched D-Link devices

A botnet named «Goldoon» has been targeting a decade-old vulnerability in unpatched D-Link devices.

📌Vulnerability Exploited: Goldoon exploits CVE-2015-2051, a critical security flaw with a CVSS score of 9.8, affecting D-Link DIR-645 routers. This vulnerability allows remote attackers to execute arbitrary commands via specially crafted HTTP requests.

📌Botnet Activities: Once a device is compromised, attackers gain complete control, enabling them to extract system information, establish communication with a command-and-control (C2) server, and use the devices to launch further attacks, such as distributed denial-of-service (DDoS) attacks.

📌DDoS Attack Methods: The Goldoon botnet is capable of launching a variety of DDoS attacks using methods such as TCP flooding, ICMP flooding, and more specialized attacks like Minecraft DDoS.

📌Propagation and Stealth: The botnet initiates its attack by exploiting CVE-2015-2051 to deploy a «dropper» script from a malicious server. This script is designed to be self-erasing to avoid detection and operates across various Linux system architectures. The dropper downloads and executes a file, setting the stage for further malicious activities.

📌Mitigation and Prevention: Users are urged to update their D-Link devices promptly. Additionally, implementing network monitoring solutions, establishing strong firewall rules, and staying informed about the latest security bulletins and patches are crucial steps in staying ahead of evolving threats.

📌Impact and Severity: The exploitation of CVE-2015-2051 by the Goldoon botnet presents a low attack complexity but has a critical security impact that can lead to remote code execution. The botnet's activity spiked in April 2024, almost doubling the usual frequency.

📌Recommendations: Fortinet recommends applying patches and updates whenever possible due to the ongoing development and introduction of new botnets. Organizations are also advised to go through Fortinet's free cybersecurity training module to help end users learn how to identify and protect themselves from phishing attacks.

Affected Industries

📌Home and Small Business Networks: These are directly impacted as D-Link routers are commonly used in these environments. The compromise of these routers can lead to network disruptions and unauthorized access to network traffic.

📌Internet Service Providers (ISPs): ISPs may face increased pressure to assist customers in updating or replacing vulnerable devices, and they may experience increased network load from DDoS attacks originating from compromised routers.

📌Cybersecurity Firms: These organizations may see an increased demand for security services, including threat detection, system hardening, and response to incidents involving compromised routers.

📌E-commerce and Online Services: Companies in this sector could be targets of DDoS attacks launched from compromised devices, potentially leading to service disruptions and financial losses.

📌Healthcare: With a growing number of healthcare services relying on internet connectivity, compromised routers could pose risks to patient data integrity and availability of critical services.

Consequences

📌Network Compromise and Data Breaches: Attackers can gain complete control over compromised routers, potentially leading to data theft, including sensitive personal and financial information.

📌Distributed Denial-of-Service (DDoS) Attacks: The botnet can launch various DDoS attacks, which could cripple network infrastructure, disrupt services, and cause significant downtime for affected organizations.

📌Increased Operational Costs: Organizations may need to invest in enhanced security measures, conduct widespread audits, and replace or update vulnerable devices, leading to increased operational expenses.

📌Reputational Damage: Companies affected by attacks stemming from compromised routers may suffer reputational damage if they are perceived as not adequately protecting customer data or ensuring service availability.

📌Regulatory and Legal Implications: Entities that fail to secure their networks adequately may face regulatory scrutiny and potential legal challenges, especially if consumer data is compromised due to negligence in addressing known vulnerabilities.


UserManagerEoP / CVE-2024-21447

The UserManager EoP exploit by Wh04m1001 targets a vulnerability identified as CVE-2023-36047, which was later tracked as CVE-2024-21447 after additional fixes by Microsoft.

UserManager EoP Exploit

📌Vulnerability Discovery: The exploit was discovered by the repository owner last year and affects the UserManager service in Windows.

📌Nature of Vulnerability: The flaw involves the UserManager service improperly copying files from a directory that can be controlled by a user, leading to an elevation of privilege (EoP).

📌Partial Fix and Re-exploitation: Initially, Microsoft addressed only the write aspect of the file copy operation. However, the read operation continued to be executed with NT AUTHORITY\SYSTEM privileges, which was not secured in the first patch.

📌Exploit Mechanism: The exploit takes advantage of the unsecured read operation to access critical system files like SAM, SYSTEM, and SECURITY hives from a shadow copy.

📌Final Resolution: The vulnerability was fully addressed by Microsoft recently and is now cataloged under a new identifier, CVE-2024-21447.

Code Analysis

The GitHub repository contains exploit code that demonstrates how to manipulate the UserManager service's file handling to escalate privileges.

📌Identifying Vulnerable Operations: Code to identify and target the specific vulnerable read operation performed by the UserManager.

📌Exploiting the Flaw: Scripts or commands that manipulate the file operations to redirect or access unauthorized data.

📌Leveraging System Privileges: Utilizing the elevated privileges gained from the exploit to perform unauthorized actions, such as accessing or modifying system files and settings.
