logo
Overkill Security  Because Nothing Says 'Security' Like a Dozen Firewalls and a Biometric Scanner
О проекте Просмотр Уровни подписки Фильтры Обновления проекта Контакты Поделиться Метки
Все проекты
О проекте
A blog about all things techy! Not too much hype, just a lot of cool analysis and insight from different sources.

📌Not sure what level is suitable for you? Check this explanation https://sponsr.ru/overkill_security/55291/Paid_Content/

All places to read, listen and watch content:
➡️Text and other media: TG, Boosty, Teletype.in, VK, X.com
➡️Audio: Mave, you find here other podcast services, e.g. Youtube Podcasts, Spotify, Apple or Amazon
➡️Video: Youtube

The main categories of materials — use tags:
📌news
📌digest

QA — directly or via email overkill_qa@outlook.com
Публикации, доступные бесплатно
Уровни подписки
Единоразовый платёж

Your donation fuels our mission to provide cutting-edge cybersecurity research, in-depth tutorials, and expert insights. Support our work today to empower the community with even more valuable content.

*no refund, no paid content

Помочь проекту
Promo 750₽ месяц
Доступны сообщения

For a limited time, we're offering our Level "Regular" subscription at an unbeatable price—50% off!

Dive into the latest trends and updates in the cybersecurity world with our in-depth articles and expert insights

Offer valid until the end of this month.

Оформить подписку
Regular Reader 1 500₽ месяц 16 200₽ год
(-10%)
При подписке на год для вас действует 10% скидка. 10% основная скидка и 0% доп. скидка за ваш уровень на проекте Overkill Security
Доступны сообщения

Ideal for regular readers who are interested in staying informed about the latest trends and updates in the cybersecurity world without.

Оформить подписку
Pro Reader 3 000₽ месяц 30 600₽ год
(-15%)
При подписке на год для вас действует 15% скидка. 15% основная скидка и 0% доп. скидка за ваш уровень на проекте Overkill Security
Доступны сообщения

Designed for IT professionals, cybersecurity experts, and enthusiasts who seek deeper insights and more comprehensive resources. + Q&A

Оформить подписку
Фильтры
Пн
Вт
Ср
Чт
Пт
Сб
Вс
28
29
30
31
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
1
Обновления проекта
Поделиться
Метки
overkillsecurity 142 overkillsecuritypdf 52 news 47 keypoints 38 nsa 26 fbi 25 adapt tactics 11 Living Off the Land 11 LOTL 11 unpacking 10 vulnerability 9 cyber security 8 Digest 8 edge routers 8 Essential Eight Maturity Model 8 malware 8 Maturity Model 8 Monthly Digest 8 research 8 ubiquiti 8 IoT 7 lolbin 7 lolbins 7 Cyber Attacks 6 phishing 6 Forensics 5 Ransomware 5 soho 5 authToken 4 BYOD 4 MDM 4 OAuth 4 Energy Consumption 3 IoMT 3 medical 3 ai 2 AnonSudan 2 authentication 2 av 2 battery 2 Buffer Overflow 2 console architecture 2 cve 2 cybersecurity 2 energy 2 Google 2 incident response 2 MITM 2 mqtt 2 Passkeys 2 Retro 2 Velociraptor 2 video 2 Vintage 2 vmware 2 windows 2 1981 1 5g network research 1 8-bit 1 Ad Removal 1 Ad-Free Experience 1 ADCS 1 advisory 1 airwatch 1 AlphV 1 AMSI 1 android 1 Android15 1 announcement 1 antiPhishing 1 AntiPhishStack 1 antivirus 1 Apple 1 Atlassian 1 Attack 1 AttackGen 1 BatBadBut 1 Behavioral Analytics 1 BianLian 1 bias 1 Biocybersecurity 1 Biometric 1 bite 1 bitlocker 1 bitlocker bypass 1 Black Lotus Labs 1 blackberry 1 blizzard 1 botnet 1 Browser Data Theft 1 BucketLoot 1 CellularSecurity 1 checkpoint 1 china 1 chisel 1 cisa 1 CloudSecurity 1 CloudStorage 1 content 1 content category 1 cpu 1 Credential Dumping 1 CVE-2023-22518 1 CVE-2023-35080 1 CVE-2023-38043 1 CVE-2023-38543 1 CVE-2024-0204 1 CVE-2024-21111 1 CVE-2024-21345 1 cve-2024-21447 1 CVE-2024-24919 1 CVE-2024-26218 1 cve-2024-27129 1 cve-2024-27130 1 cve-2024-27131 1 cve-2024-3400 1 cvss 1 cyber operations 1 Cyber Toufan Al-Aqsa 1 cyberops 1 D-Link 1 dark pink apt 1 data leakage 1 dcrat 1 Demoscene 1 DevSecOps 1 Dex 1 disassembler 1 DOS 1 e8mm 1 EDR 1 Embedded systems 1 Employee Training 1 EntraID 1 ESC8 1 Event ID 4663 1 Event ID 4688 1 Event ID 5145 1 Evilginx 1 EvilLsassTwin 1 Facebook 1 FBI IC3 1 FIDO2 1 filewave 1 Firebase 1 Firmware 1 Fortra's GoAnywhere MFT 1 france 1 FraudDetection 1 fuxnet 1 fuzzer 1 game console 1 gamification 1 GeminiNanoAI 1 genzai 1 go 1 GoogleIO2024 1 GooglePlayProtect 1 GoPhish 1 gpu 1 ICS 1 ICSpector 1 IDA 1 IncidentResponse 1 Industrial Control Systems 1 jazzer 1 jetbrains 1 jvm 1 KASLR 1 KillNet 1 LeftOverLocals 1 Leviathan 1 lg smart tv 1 lockbit 1 LSASS 1 m-trends 1 Machine Learning Integration 1 Mallox 1 MalPurifier 1 mandiant 1 MediHunt 1 Meta Pixel 1 ML 1 mobile network analysis 1 mobileiron 1 nes 1 nexus 1 NGO 1 Nim 1 Nimfilt 1 NtQueryInformationThread 1 OFGB 1 oracle 1 paid content 1 panos 1 Passwordless 1 Phishing Resilience 1 PingFederate 1 Platform Lock-in Tool 1 PlayIntegrityAPI 1 PlayStation 1 playstation 2 1 playstation 3 1 plc 1 podcast 1 Privilege Escalation 1 ps2 1 ps3 1 PulseVPN 1 qcsuper 1 qemu 1 qualcomm diag protocol 1 radio frame capture 1 Raytracing 1 Real-time Attack Detection 1 Red Team 1 Registry Modification 1 Risk Mitigation 1 RiskManagement 1 rodrigo copetti 1 rooted android devices 1 Router 1 rust 1 Sagemcom 1 sandworm 1 ScamCallDetection 1 security 1 Security Awareness 1 session hijacking 1 SharpADWS 1 SharpTerminator 1 shellcode 1 SIEM 1 Siemens 1 skimming 1 Smart Devices 1 snes 1 SSO 1 stack overflow 1 TA427 1 TA547 1 TDDP 1 telecom security 1 Telegram 1 telerik 1 TeleTracker 1 TEMP.Periscope 1 Terminator 1 Think Tanks 1 Threat 1 threat intelligence 1 threat intelligence analysis 1 Threat Simulation 1 tool 1 toolkit 1 tp-link 1 UK 1 UserManagerEoP 1 uta0218 1 virtualbox 1 VPN 1 vu 1 wargame 1 Web Authentication 1 WebAuthn 1 webos 1 What2Log 1 Windows 11 1 Windows Kernel 1 Windstream 1 women 1 WSUS 1 wt-2024-0004 1 wt-2024-0005 1 wt-2024-0006 1 xbox 1 xbox 360 1 xbox original 1 xss 1 Yubico 1 Z80A 1 ZX Spectrum 1 Больше тегов
Читать: 1+ мин
logo Overkill Security

The Never-Ending Fuzzing Time Nightmare

Jazzer ‎is‏ ‎a ‎coverage-guided, ‎in-process ‎fuzzer ‎for‏ ‎the ‎JVM‏ ‎platform‏ ‎developed ‎by ‎Code‏ ‎Intelligence. ‎It‏ ‎is ‎based ‎on ‎libFuzzer‏ ‎and‏ ‎brings ‎many‏ ‎of ‎its‏ ‎instrumentation-powered ‎mutation ‎features ‎to ‎the‏ ‎JVM.

Key‏ ‎Features

📌Coverage-Guided ‎Fuzzing: Uses‏ ‎instrumentation-powered ‎mutation‏ ‎features ‎to ‎guide ‎fuzzing.

📌In-Process ‎Fuzzing:‏ ‎Runs‏ ‎within‏ ‎the ‎JVM‏ ‎process, ‎reducing‏ ‎overhead.

📌Platform ‎Support: Supports‏ ‎Linux‏ ‎x86_64, ‎macOS‏ ‎12+ ‎x86_64 ‎& ‎arm64, ‎and‏ ‎Windows ‎x86_64.

📌Autofuzz‏ ‎Mode: Automatically‏ ‎generates ‎arguments ‎to‏ ‎a ‎given‏ ‎Java ‎function ‎and ‎reports‏ ‎unexpected‏ ‎exceptions ‎and‏ ‎detected ‎security‏ ‎issues.


Читать: 3+ мин
logo Overkill Security

Think Tanks and NGOs: The Perfect Cover for Cyber Espionage

TA427, ‎also‏ ‎known ‎as ‎Leviathan ‎or ‎TEMP.Periscope, is‏ ‎a ‎cyber‏ ‎espionage‏ ‎group ‎believed ‎to‏ ‎be ‎linked‏ ‎to ‎North ‎Korea. ‎Their‏ ‎primary‏ ‎goal ‎is‏ ‎to ‎gather‏ ‎intelligence ‎on ‎foreign ‎policy ‎matters‏ ‎related‏ ‎to ‎the‏ ‎U.S., ‎South‏ ‎Korea, ‎and ‎other ‎countries ‎of‏ ‎strategic‏ ‎interest‏ ‎to ‎the‏ ‎North ‎Korean‏ ‎regime. ‎TA427‏ ‎employs‏ ‎a ‎sophisticated‏ ‎attack ‎flow ‎that ‎involves ‎multiple‏ ‎stages:

Reconnaissance ‎and‏ ‎Information‏ ‎Gathering

📌TA427 ‎conducts ‎extensive‏ ‎open-source ‎intelligence‏ ‎(OSINT) ‎gathering ‎to ‎identify‏ ‎potential‏ ‎targets, ‎such‏ ‎as ‎foreign‏ ‎policy ‎experts, ‎think ‎tanks, ‎and‏ ‎academic‏ ‎institutions.

📌They ‎leverage‏ ‎publicly ‎available‏ ‎information ‎to ‎craft ‎tailored ‎lure‏ ‎content‏ ‎and‏ ‎personas ‎that‏ ‎appear ‎legitimate‏ ‎to ‎their‏ ‎targets.

Initial‏ ‎Contact ‎and‏ ‎Social ‎Engineering

📌TA427 ‎initiates ‎contact ‎with‏ ‎targets ‎through‏ ‎spear-phishing‏ ‎emails ‎that ‎appear‏ ‎to ‎be‏ ‎from ‎trusted ‎sources ‎or‏ ‎personas‏ ‎related ‎to‏ ‎North ‎Korean‏ ‎research.

📌The ‎emails ‎often ‎contain ‎timely‏ ‎and‏ ‎relevant ‎content,‏ ‎such ‎as‏ ‎invitations ‎to ‎events, ‎requests ‎for‏ ‎research‏ ‎papers,‏ ‎or ‎questions‏ ‎about ‎foreign‏ ‎policy ‎topics.

📌The‏ ‎goal‏ ‎is ‎to‏ ‎establish ‎a ‎rapport ‎with ‎the‏ ‎targets ‎and‏ ‎engage‏ ‎them ‎in ‎long-term‏ ‎conversations ‎over‏ ‎weeks ‎or ‎months.

DMARC ‎Abuse‏ ‎and‏ ‎Email ‎Spoofing

📌To‏ ‎increase ‎the‏ ‎credibility ‎of ‎their ‎emails, ‎TA427‏ ‎exploits‏ ‎weak ‎DMARC‏ ‎(Domain-based ‎Message‏ ‎Authentication, ‎Reporting ‎& ‎Conformance) ‎policies‏ ‎to‏ ‎spoof‏ ‎trusted ‎domains‏ ‎and ‎personas.

📌Techniques‏ ‎like ‎typosquatting,‏ ‎private‏ ‎email ‎account‏ ‎spoofing, ‎and ‎the ‎use ‎of‏ ‎free ‎email‏ ‎addresses‏ ‎are ‎employed ‎to‏ ‎impersonate ‎legitimate‏ ‎individuals ‎or ‎organizations.

Profiling ‎and‏ ‎Reconnaissance

📌TA427‏ ‎incorporates ‎web‏ ‎beacons ‎in‏ ‎their ‎emails ‎to ‎gather ‎basic‏ ‎information‏ ‎about ‎the‏ ‎targets, ‎such‏ ‎as ‎confirming ‎if ‎their ‎email‏ ‎accounts‏ ‎are‏ ‎active.

📌This ‎initial‏ ‎reconnaissance ‎helps‏ ‎the ‎group‏ ‎tailor‏ ‎their ‎subsequent‏ ‎interactions ‎and ‎gather ‎intelligence ‎on‏ ‎the ‎target‏ ‎organization.

Malware‏ ‎Deployment ‎(Optional)

📌While ‎not‏ ‎always ‎necessary,‏ ‎TA427 ‎may ‎attempt ‎to‏ ‎deliver‏ ‎malware ‎or‏ ‎credential ‎harvesters‏ ‎to ‎compromised ‎targets.

📌Techniques ‎like ‎malicious‏ ‎attachments‏ ‎or ‎links‏ ‎may ‎be‏ ‎used ‎to ‎gain ‎further ‎access‏ ‎to‏ ‎the‏ ‎target’s ‎systems‏ ‎or ‎steal‏ ‎sensitive ‎data.

Data‏ ‎Exfiltration‏ ‎and ‎Intelligence‏ ‎Collection

📌The ‎primary ‎objective ‎of ‎TA427‏ ‎is ‎to‏ ‎gather‏ ‎intelligence ‎on ‎foreign‏ ‎policy ‎matters‏ ‎through ‎the ‎conversations ‎and‏ ‎information‏ ‎shared ‎by‏ ‎the ‎targets.

📌Any‏ ‎stolen ‎data ‎or ‎credentials ‎may‏ ‎also‏ ‎be ‎exfiltrated‏ ‎for ‎further‏ ‎exploitation ‎or ‎intelligence ‎purposes.


Scenarios ‎and‏ ‎Real-World‏ ‎Examples

📌Targeting‏ ‎Foreign ‎Policy‏ ‎Experts: ‎TA427‏ ‎has ‎directly‏ ‎solicited‏ ‎opinions ‎from‏ ‎foreign ‎policy ‎experts ‎on ‎topics‏ ‎such ‎as‏ ‎nuclear‏ ‎disarmament, ‎U.S.-South ‎Korea‏ ‎policies, ‎and‏ ‎sanctions ‎through ‎benign ‎conversation-starting‏ ‎emails.

📌Spoofing‏ ‎Think ‎Tanks‏ ‎and ‎NGOs:‏ ‎To ‎legitimize ‎their ‎emails ‎and‏ ‎increase‏ ‎the ‎chances‏ ‎of ‎engagement,‏ ‎TA427 ‎has ‎impersonated ‎personas ‎related‏ ‎to‏ ‎think‏ ‎tanks ‎and‏ ‎non-governmental ‎organizations‏ ‎(NGOs).

📌Timely ‎Lure‏ ‎Content:‏ ‎TA427 ‎crafts‏ ‎lure ‎content ‎based ‎on ‎real-world‏ ‎events ‎and‏ ‎international‏ ‎press ‎reporting, ‎making‏ ‎their ‎emails‏ ‎appear ‎highly ‎relevant ‎and‏ ‎credible‏ ‎to ‎the‏ ‎targets.

📌Long-term ‎Engagement:‏ ‎TA427 ‎engages ‎targets ‎over ‎extended‏ ‎periods,‏ ‎constantly ‎rotating‏ ‎aliases ‎and‏ ‎personas ‎to ‎maintain ‎the ‎conversation‏ ‎on‏ ‎similar‏ ‎subject ‎matters.

📌Potential‏ ‎Cryptocurrency ‎Targeting:‏ ‎While ‎not‏ ‎a‏ ‎primary ‎focus,‏ ‎TA427 ‎has ‎shown ‎interest ‎in‏ ‎targeting ‎cryptocurrency‏ ‎platforms‏ ‎like ‎http://blockchain.com in ‎the‏ ‎past, ‎likely‏ ‎for ‎financial ‎gain.


Читать: 2+ мин
logo Overkill Security

Skipping Authentication: Telerik Report Server’s New Feature?

The ‎Progress‏ ‎Telerik ‎Report ‎Server ‎pre-authenticated ‎Remote‏ ‎Code ‎Execution‏ ‎(RCE)‏ ‎chain, ‎identified ‎as‏ ‎CVE-2024-4358 and ‎CVE-2024-1800, involves‏ ‎a ‎critical ‎vulnerability ‎that‏ ‎allows‏ ‎unauthenticated ‎attackers‏ ‎to ‎execute‏ ‎arbitrary ‎code ‎on ‎affected ‎servers.

Attack‏ ‎Flow

📌Initial‏ ‎Access: The ‎attacker‏ ‎identifies ‎a‏ ‎vulnerable ‎Telerik ‎Report ‎Server ‎instance.

📌Exploitation‏ ‎of‏ ‎CVE-2024-4358: The‏ ‎attacker ‎sends‏ ‎a ‎crafted‏ ‎request ‎to‏ ‎the‏ ‎/Startup/Register ‎endpoint‏ ‎to ‎create ‎a ‎new ‎administrator‏ ‎account.

📌Privilege ‎Escalation:‏ ‎The‏ ‎attacker ‎logs ‎in‏ ‎using ‎the‏ ‎newly ‎created ‎administrator ‎account.

📌Exploitation‏ ‎of‏ ‎CVE-2024-1800: The ‎attacker‏ ‎creates ‎a‏ ‎malicious ‎report ‎that ‎exploits ‎the‏ ‎deserialization‏ ‎vulnerability ‎to‏ ‎execute ‎arbitrary‏ ‎code.

📌Command ‎Execution: ‎The ‎attacker ‎executes‏ ‎arbitrary‏ ‎commands‏ ‎on ‎the‏ ‎server, ‎achieving‏ ‎remote ‎code‏ ‎execution.


Attack‏ ‎Scenario

Target ‎Identification:

📌The‏ ‎attacker ‎identifies ‎a ‎vulnerable ‎instance‏ ‎of ‎the‏ ‎Telerik‏ ‎Report ‎Server, ‎typically‏ ‎by ‎scanning‏ ‎for ‎publicly ‎exposed ‎instances‏ ‎using‏ ‎tools ‎like‏ ‎Shodan.

Authentication ‎Bypass‏ ‎(CVE-2024-4358):

📌The ‎attacker ‎exploits ‎an ‎authentication‏ ‎bypass‏ ‎vulnerability ‎in‏ ‎the ‎Telerik‏ ‎Report ‎Server’s ‎setup ‎wizard. ‎This‏ ‎vulnerability‏ ‎allows‏ ‎the ‎attacker‏ ‎to ‎create‏ ‎a ‎new‏ ‎administrator‏ ‎account ‎without‏ ‎any ‎prior ‎authentication.

📌The ‎specific ‎endpoint‏ ‎exploited ‎is‏ ‎Telerik.ReportServer.Web.dll!‏ ‎Telerik.ReportServer.Web.Controllers.StartupController.Register, ‎which ‎does‏ ‎not ‎verify‏ ‎if ‎the ‎setup ‎process‏ ‎has‏ ‎already ‎been‏ ‎completed.

📌The ‎attacker‏ ‎sends ‎a ‎crafted ‎HTTP ‎request‏ ‎to‏ ‎the ‎/Startup/Register‏ ‎endpoint ‎to‏ ‎create ‎a ‎new ‎administrator ‎account:

curl‏ ‎'http://TARGET_HERE/Startup/Register'‏ ‎-d‏ ‎'Username=USERNAME_HERE& ‎Password=PASSWORD_HERE&‏ ‎ConfirmPassword=PASSWORD_HERE& ‎Email=backdoor%http://40admin.com&‏ ‎FirstName=backdoor& ‎LastName=user'

Account‏ ‎Creation‏ ‎and ‎Authentication:

📌Upon‏ ‎successful ‎exploitation, ‎the ‎attacker ‎gains‏ ‎high-privileged ‎access‏ ‎to‏ ‎the ‎Telerik ‎Report‏ ‎Server ‎by‏ ‎using ‎the ‎newly ‎created‏ ‎administrator‏ ‎account.

📌The ‎attacker‏ ‎logs ‎in‏ ‎using ‎the ‎credentials ‎of ‎the‏ ‎backdoor‏ ‎account ‎created‏ ‎in ‎the‏ ‎previous ‎step.

Deserialization ‎Exploit ‎(CVE-2024-1800):

📌With ‎administrative‏ ‎access,‏ ‎the‏ ‎attacker ‎leverages‏ ‎a ‎deserialization‏ ‎vulnerability ‎in‏ ‎the‏ ‎Telerik ‎Report‏ ‎Server ‎to ‎execute ‎arbitrary ‎code‏ ‎on ‎the‏ ‎server.

📌The‏ ‎attacker ‎creates ‎a‏ ‎malicious ‎report‏ ‎that ‎triggers ‎the ‎deserialization‏ ‎flaw,‏ ‎allowing ‎them‏ ‎to ‎run‏ ‎arbitrary ‎commands ‎on ‎the ‎server.

📌The‏ ‎PoC‏ ‎script ‎automates‏ ‎this ‎process,‏ ‎including ‎generating ‎random ‎usernames ‎and‏ ‎passwords‏ ‎for‏ ‎the ‎backdoor‏ ‎account ‎and‏ ‎creating ‎a‏ ‎malicious‏ ‎report:

python ‎http://CVE-2024-4358.py --target‏ ‎http://192.168.253.128:83 -c ‎«whoami»


Читать: 2+ мин
logo Overkill Security

The Dark Side of LSASS: How Evil Twins Bypass Security Measures

The ‎EvilLsassTwin‏ ‎project ‎on ‎GitHub, found ‎in ‎the‏ ‎Nimperiments ‎repository,‏ ‎focuses‏ ‎on ‎a ‎specific‏ ‎technique ‎for‏ ‎extracting ‎credentials ‎from ‎the‏ ‎Local‏ ‎Security ‎Authority‏ ‎Subsystem ‎Service‏ ‎(LSASS) ‎process ‎on ‎Windows ‎systems.

📌Objective: The‏ ‎project‏ ‎aims ‎to‏ ‎demonstrate ‎a‏ ‎method ‎for ‎credential ‎dumping ‎from‏ ‎the‏ ‎LSASS‏ ‎process, ‎which‏ ‎is ‎a‏ ‎common ‎target‏ ‎for‏ ‎attackers ‎seeking‏ ‎to ‎obtain ‎sensitive ‎information ‎such‏ ‎as ‎passwords‏ ‎and‏ ‎tokens.

📌Technique: The ‎method ‎involves‏ ‎creating ‎a‏ ‎«twin» ‎of ‎the ‎LSASS‏ ‎process.‏ ‎This ‎twin‏ ‎process ‎is‏ ‎used ‎to ‎bypass ‎certain ‎security‏ ‎mechanisms‏ ‎that ‎protect‏ ‎the ‎original‏ ‎LSASS ‎process ‎from ‎being ‎accessed‏ ‎directly.

📌Implementation: The‏ ‎project‏ ‎provides ‎a‏ ‎detailed ‎implementation‏ ‎of ‎the‏ ‎technique,‏ ‎including ‎the‏ ‎necessary ‎code ‎and ‎steps ‎to‏ ‎replicate ‎the‏ ‎process.‏ ‎This ‎includes ‎creating‏ ‎a ‎duplicate‏ ‎of ‎the ‎LSASS ‎process,‏ ‎using‏ ‎the ‎duplicate‏ ‎process ‎to‏ ‎read ‎the ‎memory ‎of ‎the‏ ‎original‏ ‎LSASS ‎process,‏ ‎extracting ‎credentials‏ ‎from ‎the ‎memory ‎of ‎the‏ ‎original‏ ‎LSASS‏ ‎process.

📌Security ‎Implications:‏ ‎The ‎project‏ ‎highlights ‎the‏ ‎potential‏ ‎security ‎risks‏ ‎associated ‎with ‎this ‎technique, ‎emphasizing‏ ‎the ‎need‏ ‎for‏ ‎robust ‎security ‎measures‏ ‎to ‎protect‏ ‎the ‎LSASS ‎process ‎and‏ ‎prevent‏ ‎unauthorized ‎access.

📌Code‏ ‎Availability: The ‎full‏ ‎source ‎code ‎and ‎documentation ‎are‏ ‎available‏ ‎on ‎the‏ ‎GitHub ‎page,‏ ‎allowing ‎users ‎to ‎explore ‎and‏ ‎understand‏ ‎the‏ ‎technique ‎in‏ ‎detail.

Industry ‎Impact‏ ‎and ‎Consequences

📌Increased‏ ‎Risk‏ ‎of ‎Credential‏ ‎Theft: The ‎EvilLsassTwin ‎technique ‎highlights ‎the‏ ‎vulnerability ‎of‏ ‎the‏ ‎LSASS ‎process, ‎which‏ ‎stores ‎sensitive‏ ‎information ‎such ‎as ‎encrypted‏ ‎passwords,‏ ‎NT ‎hashes,‏ ‎LM ‎hashes,‏ ‎and ‎Kerberos ‎tickets. ‎Attackers ‎exploiting‏ ‎this‏ ‎technique ‎can‏ ‎gain ‎unauthorized‏ ‎access ‎to ‎these ‎credentials, ‎leading‏ ‎to‏ ‎potential‏ ‎data ‎breaches‏ ‎and ‎unauthorized‏ ‎access ‎to‏ ‎critical‏ ‎systems.

📌Lateral ‎Movement‏ ‎and ‎Privilege ‎Escalation: ‎Once ‎attackers‏ ‎obtain ‎credentials‏ ‎from‏ ‎the ‎LSASS ‎process,‏ ‎they ‎can‏ ‎use ‎them ‎to ‎move‏ ‎laterally‏ ‎within ‎the‏ ‎network, ‎escalating‏ ‎their ‎privileges ‎and ‎compromising ‎additional‏ ‎systems.‏ ‎This ‎can‏ ‎lead ‎to‏ ‎a ‎widespread ‎compromise ‎of ‎the‏ ‎network,‏ ‎making‏ ‎it ‎difficult‏ ‎for ‎organizations‏ ‎to ‎contain‏ ‎the‏ ‎attack.

📌Real-World ‎Examples‏ ‎and ‎Case ‎Studies: ‎The ‎BlackCat‏ ‎ransomware ‎attack‏ ‎is‏ ‎a ‎notable ‎example‏ ‎where ‎attackers‏ ‎used ‎LSASS ‎memory ‎dumping‏ ‎to‏ ‎extract ‎credentials.‏ ‎They ‎modified‏ ‎the ‎WDigest ‎configuration ‎to ‎read‏ ‎user‏ ‎account ‎passwords‏ ‎and ‎used‏ ‎tools ‎like ‎Mimikatz ‎to ‎perform‏ ‎the‏ ‎dump,‏ ‎enabling ‎them‏ ‎to ‎gain‏ ‎further ‎access‏ ‎and‏ ‎move ‎laterally‏ ‎within ‎the ‎network.

Читать: 3+ мин
logo Overkill Security

Check Point’s 'Best Security' Slogan Meets Reality: CVE-2024-24919

The ‎technical‏ ‎details ‎and ‎real-world ‎exploitation ‎of‏ ‎CVE-2024-24919 highlight ‎the‏ ‎critical‏ ‎nature ‎of ‎this‏ ‎vulnerability ‎and‏ ‎the ‎importance ‎of ‎prompt‏ ‎remediation‏ ‎to ‎protect‏ ‎against ‎potential‏ ‎data ‎breaches ‎and ‎network ‎compromises.

Vulnerability‏ ‎Description

📌CVE-2024-24919‏ ‎is ‎an‏ ‎information ‎disclosure‏ ‎vulnerability ‎that ‎allows ‎an ‎unauthenticated‏ ‎remote‏ ‎attacker‏ ‎to ‎read‏ ‎the ‎contents‏ ‎of ‎arbitrary‏ ‎files‏ ‎on ‎the‏ ‎affected ‎appliance.

📌It ‎is ‎categorized ‎as‏ ‎an ‎«Exposure‏ ‎of‏ ‎Sensitive ‎Information ‎to‏ ‎an ‎Unauthorized‏ ‎Actor» ‎vulnerability.

📌The ‎vulnerability ‎affects‏ ‎systems‏ ‎with ‎the‏ ‎Remote ‎Access‏ ‎VPN ‎or ‎Mobile ‎Access ‎software‏ ‎blades‏ ‎enabled.

Affected ‎Products

📌CloudGuard‏ ‎Network

📌Quantum ‎Maestro

📌Quantum‏ ‎Scalable ‎Chassis

📌Quantum ‎Security ‎Gateways

📌Quantum ‎Spark‏ ‎Appliances

Exploitation‏ ‎Details

📌The‏ ‎vulnerability ‎can‏ ‎be ‎exploited‏ ‎by ‎sending‏ ‎a‏ ‎crafted ‎request‏ ‎to ‎the ‎/clients/MyCRL ‎endpoint, ‎which‏ ‎is ‎designed‏ ‎to‏ ‎serve ‎static ‎files‏ ‎from ‎the‏ ‎filesystem.

📌By ‎including ‎path ‎traversal‏ ‎sequences‏ ‎like ‎././etc/passwd‏ ‎in ‎the‏ ‎request ‎body, ‎an ‎attacker ‎can‏ ‎read‏ ‎sensitive ‎files‏ ‎like ‎/etc/shadow‏ ‎to ‎obtain ‎password ‎hashes.

📌The ‎vulnerability‏ ‎allows‏ ‎reading‏ ‎any ‎file‏ ‎on ‎the‏ ‎system, ‎not‏ ‎just‏ ‎specific ‎files‏ ‎mentioned ‎by ‎the ‎vendor.

Proof-of-Concept ‎(PoC)

📌Security‏ ‎researchers ‎have‏ ‎published‏ ‎a ‎public ‎PoC‏ ‎exploit ‎for‏ ‎CVE-2024-24919, ‎providing ‎technical ‎details‏ ‎on‏ ‎how ‎to‏ ‎exploit ‎the‏ ‎vulnerability.

📌The ‎PoC ‎demonstrates ‎the ‎ability‏ ‎to‏ ‎read ‎arbitrary‏ ‎files, ‎including‏ ‎extracting ‎password ‎hashes ‎and ‎other‏ ‎sensitive‏ ‎information.

Observed‏ ‎Exploitation

📌Check ‎Point‏ ‎has ‎observed‏ ‎active ‎exploitation‏ ‎of‏ ‎this ‎vulnerability‏ ‎in ‎the ‎wild ‎since ‎early‏ ‎April ‎2024.

📌Threat‏ ‎actors‏ ‎have ‎been ‎leveraging‏ ‎the ‎vulnerability‏ ‎to ‎extract ‎password ‎hashes,‏ ‎move‏ ‎laterally ‎within‏ ‎networks, ‎and‏ ‎compromise ‎Active ‎Directory ‎servers ‎by‏ ‎extracting‏ ‎the ‎ntds.dit‏ ‎file.

Understanding ‎the‏ ‎Decompiled ‎Code

Initial ‎Analysis:

📌The ‎vulnerable ‎code‏ ‎performs‏ ‎file‏ ‎I/O ‎operations,‏ ‎indicated ‎by‏ ‎references ‎to‏ ‎functions‏ ‎like ‎_fopen‏ ‎and ‎_fread.

📌The ‎code ‎compares ‎the‏ ‎requested ‎URL‏ ‎with‏ ‎a ‎list ‎of‏ ‎hardcoded ‎strings‏ ‎from ‎a ‎string ‎table‏ ‎to‏ ‎determine ‎if‏ ‎the ‎file‏ ‎can ‎be ‎served.

String ‎Comparison ‎Bug:

📌The‏ ‎code‏ ‎uses ‎the‏ ‎strstr ‎function‏ ‎to ‎check ‎if ‎the ‎requested‏ ‎URL‏ ‎contains‏ ‎any ‎of‏ ‎the ‎strings‏ ‎from ‎the‏ ‎table.‏ ‎This ‎function‏ ‎searches ‎for ‎a ‎substring ‎rather‏ ‎than ‎performing‏ ‎a‏ ‎strict ‎comparison.

📌This ‎allows‏ ‎for ‎potential‏ ‎abuse ‎by ‎including ‎a‏ ‎valid‏ ‎substring ‎within‏ ‎a ‎path‏ ‎traversal ‎sequence, ‎such ‎as ‎http://icsweb.cab/././etc/passwd.

Path‏ ‎Traversal‏ ‎Exploitation:

📌The ‎initial‏ ‎attempts ‎to‏ ‎exploit ‎the ‎path ‎traversal ‎by‏ ‎including‏ ‎sequences‏ ‎like ‎././etc/passwd‏ ‎in ‎the‏ ‎URL ‎failed‏ ‎because‏ ‎the ‎OS‏ ‎correctly ‎identified ‎the ‎path ‎as‏ ‎invalid.

📌A ‎second‏ ‎string‏ ‎table ‎was ‎found,‏ ‎containing ‎entries‏ ‎that ‎suggested ‎directory ‎paths,‏ ‎such‏ ‎as ‎CSHELL/.

Successful‏ ‎Exploitation:

📌By ‎crafting‏ ‎a ‎request ‎that ‎included ‎the‏ ‎directory‏ ‎string ‎CSHELL/‏ ‎followed ‎by‏ ‎a ‎path ‎traversal ‎sequence, ‎the‏ ‎researchers‏ ‎were‏ ‎able ‎to‏ ‎bypass ‎the‏ ‎checks.

📌The ‎successful‏ ‎request‏ ‎was:

POST ‎/clients/MyCRL‏ ‎HTTP/1.1
Host: ‎<redacted>
Content-Length: ‎39
aCSHELL/./././././././etc/shadow

📌This ‎request ‎returned‏ ‎the ‎contents‏ ‎of‏ ‎the ‎/etc/shadow ‎file,‏ ‎confirming ‎an‏ ‎arbitrary ‎file ‎read ‎vulnerability.

Implications:

📌The‏ ‎ability‏ ‎to ‎read‏ ‎the ‎/etc/shadow‏ ‎file ‎indicates ‎that ‎the ‎attacker‏ ‎has‏ ‎superuser ‎privileges,‏ ‎allowing ‎them‏ ‎to ‎read ‎any ‎file ‎on‏ ‎the‏ ‎filesystem.

📌This‏ ‎is ‎more‏ ‎severe ‎than‏ ‎the ‎vendor’s‏ ‎advisory,‏ ‎which ‎suggested‏ ‎limited ‎information ‎exposure.


Читать: 2+ мин
logo Overkill Security

CVE-2024-27130 in QNAP: When 'Secure' is Just a Marketing Term

The ‎article‏ ‎«QNAP ‎QTS ‎— ‎QNAPping ‎At‏ ‎The ‎Wheel‏ ‎(CVE-2024-27130‏ ‎and ‎friends)» from ‎WatchTowr‏ ‎Labs ‎provides‏ ‎a ‎detailed ‎analysis ‎of‏ ‎several‏ ‎vulnerabilities ‎found‏ ‎in ‎QNAP‏ ‎NAS ‎devices.

CVE-2024-27130. ‎Stack ‎Buffer ‎Overflow‏ ‎in‏ ‎share.cgi: ‎The‏ ‎vulnerability ‎arises‏ ‎from ‎the ‎unsafe ‎use ‎of‏ ‎the‏ ‎strcpy‏ ‎function ‎in‏ ‎the ‎No_Support_ACL‏ ‎function, ‎which‏ ‎is‏ ‎accessible ‎via‏ ‎the ‎get_file_size ‎function ‎in ‎share.cgi.‏ ‎This ‎leads‏ ‎to‏ ‎a ‎stack ‎buffer‏ ‎overflow, ‎which‏ ‎can ‎be ‎exploited ‎to‏ ‎achieve‏ ‎Remote ‎Code‏ ‎Execution ‎(RCE).


Attack‏ ‎Scenario:

📌Step ‎1: ‎Initial ‎Access: ‎An‏ ‎attacker‏ ‎needs ‎a‏ ‎valid ‎NAS‏ ‎user ‎account ‎to ‎exploit ‎this‏ ‎vulnerability.‏ ‎This‏ ‎could ‎be‏ ‎achieved ‎through‏ ‎phishing, ‎credential‏ ‎stuffing,‏ ‎or ‎exploiting‏ ‎another ‎vulnerability ‎to ‎gain ‎initial‏ ‎access.

📌Step ‎2:‏ ‎File‏ ‎Sharing: ‎The ‎attacker‏ ‎shares ‎a‏ ‎file ‎with ‎an ‎untrusted‏ ‎user.‏ ‎This ‎action‏ ‎triggers ‎the‏ ‎get_file_size ‎function ‎in ‎share.cgi.

📌Step ‎3:‏ ‎Exploitation:‏ ‎The ‎get_file_size‏ ‎function ‎calls‏ ‎No_Support_ACL, ‎which ‎uses ‎strcpy ‎unsafely,‏ ‎leading‏ ‎to‏ ‎a ‎stack‏ ‎buffer ‎overflow.‏ ‎The ‎attacker‏ ‎crafts‏ ‎a ‎payload‏ ‎that ‎overflows ‎the ‎buffer ‎and‏ ‎injects ‎malicious‏ ‎code.

📌Step‏ ‎4: ‎Remote ‎Code‏ ‎Execution: ‎The‏ ‎overflowed ‎buffer ‎allows ‎the‏ ‎attacker‏ ‎to ‎execute‏ ‎arbitrary ‎code‏ ‎on ‎the ‎NAS ‎device, ‎potentially‏ ‎gaining‏ ‎full ‎control‏ ‎over ‎the‏ ‎system.


Related ‎Vulnerabilities

📌CVE-2024-27129: Unsafe ‎use ‎of ‎strcpy‏ ‎in‏ ‎the‏ ‎get_tree ‎function‏ ‎of ‎utilRequest.cgi‏ ‎leading ‎to‏ ‎a‏ ‎static ‎buffer‏ ‎overflow ‎and ‎RCE ‎with ‎a‏ ‎requirement ‎of‏ ‎a‏ ‎valid ‎account ‎on‏ ‎the ‎NAS‏ ‎device.

📌CVE-2024-27131: Log ‎spoofing ‎via ‎x-forwarded-for‏ ‎allows‏ ‎users ‎to‏ ‎cause ‎downloads‏ ‎to ‎be ‎recorded ‎as ‎requested‏ ‎from‏ ‎an ‎arbitrary‏ ‎source ‎location‏ ‎with ‎a ‎requirement ‎of ‎the‏ ‎ability‏ ‎to‏ ‎download ‎a‏ ‎file.

📌WT-2024-0004: Stored ‎XSS‏ ‎via ‎remote‏ ‎syslog‏ ‎messages ‎with‏ ‎a ‎requirement ‎of ‎a ‎non-default‏ ‎configuration.

📌WT-2024-0005: Stored ‎XSS‏ ‎via‏ ‎remote ‎device ‎discovery‏ ‎with ‎no‏ ‎requirements

📌WT-2024-0006: Lack ‎of ‎rate-limiting ‎on‏ ‎the‏ ‎authentication ‎API‏ ‎with ‎no‏ ‎requirements


Mitigation ‎and ‎Patching

📌Patches ‎Available: The ‎first‏ ‎four‏ ‎vulnerabilities ‎(CVE-2024-27129,‏ ‎CVE-2024-27130, ‎CVE-2024-27131,‏ ‎and ‎WT-2024-0004) ‎have ‎been ‎patched‏ ‎in‏ ‎the‏ ‎following ‎versions:‏ ‎QTS ‎5.1.6.2722‏ ‎build ‎20240402‏ ‎and‏ ‎later, ‎QuTS‏ ‎hero ‎h5.1.6.2734 ‎build ‎20240414 ‎and‏ ‎later

📌Vendor ‎Response:‏ ‎The‏ ‎vendor ‎has ‎acknowledged‏ ‎the ‎vulnerabilities‏ ‎and ‎has ‎been ‎working‏ ‎on‏ ‎fixes, ‎although‏ ‎some ‎issues‏ ‎remain ‎under ‎extended ‎embargo ‎due‏ ‎to‏ ‎their ‎complexity.


Читать: 2+ мин
logo Overkill Security

Root Privileges for Dummies: Just Exploit CVE-2024-3400

CVE-2024-3400 (+ url + github ‎url#1, url#2) is‏ ‎a ‎critical ‎command ‎injection ‎vulnerability‏ ‎in ‎Palo‏ ‎Alto‏ ‎Networks' ‎PAN-OS ‎software,‏ ‎specifically ‎affecting‏ ‎the ‎GlobalProtect ‎feature. ‎This‏ ‎vulnerability‏ ‎allows ‎an‏ ‎unauthenticated, ‎remote‏ ‎attacker ‎to ‎execute ‎arbitrary ‎code‏ ‎with‏ ‎root ‎privileges‏ ‎on ‎the‏ ‎affected ‎firewall. ‎The ‎vulnerability ‎impacts‏ ‎PAN-OS‏ ‎versions‏ ‎10.2, ‎11.0,‏ ‎and ‎11.1‏ ‎when ‎configured‏ ‎with‏ ‎GlobalProtect ‎gateway‏ ‎or ‎GlobalProtect ‎portal.

Initial ‎Discovery ‎and‏ ‎Exploitation:

📌The ‎vulnerability‏ ‎was‏ ‎first ‎identified ‎by‏ ‎Volexity, ‎who‏ ‎observed ‎zero-day ‎exploitation ‎attempts‏ ‎on‏ ‎March ‎26,‏ ‎2024.

📌Attackers, ‎identified‏ ‎as ‎the ‎state-backed ‎group ‎UTA0218,‏ ‎exploited‏ ‎the ‎vulnerability‏ ‎to ‎gain‏ ‎unauthorized ‎access ‎to ‎firewall ‎devices.

Attack‏ ‎Vector:

📌The‏ ‎vulnerability‏ ‎is ‎exploited‏ ‎via ‎a‏ ‎command ‎injection‏ ‎flaw‏ ‎in ‎the‏ ‎GlobalProtect ‎feature. ‎Attackers ‎can ‎manipulate‏ ‎the ‎SESSID‏ ‎cookie‏ ‎to ‎create ‎arbitrary‏ ‎files ‎on‏ ‎the ‎system, ‎which ‎can‏ ‎then‏ ‎be ‎used‏ ‎to ‎execute‏ ‎commands ‎with ‎root ‎privileges.

📌The ‎attack‏ ‎does‏ ‎not ‎require‏ ‎authentication, ‎making‏ ‎it ‎highly ‎dangerous ‎and ‎easily‏ ‎exploitable.


Exploitation‏ ‎Flow:

Step‏ ‎1: ‎Reconnaissance:

📌Attackers‏ ‎scan ‎for‏ ‎vulnerable ‎PAN-OS‏ ‎devices‏ ‎configured ‎with‏ ‎GlobalProtect ‎gateway ‎or ‎portal.

📌They ‎use‏ ‎simple ‎commands‏ ‎to‏ ‎place ‎zero-byte ‎files‏ ‎on ‎the‏ ‎system ‎to ‎validate ‎the‏ ‎vulnerability.

Step‏ ‎2: ‎Initial‏ ‎Exploitation:

📌Attackers ‎send‏ ‎specially ‎crafted ‎network ‎requests ‎to‏ ‎the‏ ‎vulnerable ‎device,‏ ‎manipulating ‎the‏ ‎SESSID ‎cookie ‎to ‎create ‎a‏ ‎file‏ ‎in‏ ‎a ‎specific‏ ‎directory.

📌Example: ‎Cookie:‏ ‎SESSID=/./././var/appweb/sslvpndocs/global-protect/portal/images/poc.txt.

Step ‎3:‏ ‎Command‏ ‎Execution:

📌The ‎created‏ ‎file ‎is ‎used ‎to ‎inject‏ ‎and ‎execute‏ ‎arbitrary‏ ‎commands ‎with ‎root‏ ‎privileges.

📌Attackers ‎establish‏ ‎a ‎reverse ‎shell ‎and‏ ‎install‏ ‎additional ‎tools,‏ ‎such ‎as‏ ‎a ‎custom ‎Python ‎backdoor ‎named‏ ‎UPSTYLE,‏ ‎to ‎maintain‏ ‎persistent ‎access.

Step‏ ‎4: ‎Post-Exploitation:

📌Attackers ‎exfiltrate ‎sensitive ‎data,‏ ‎including‏ ‎the‏ ‎firewall’s ‎running‏ ‎configuration ‎and‏ ‎credentials.

📌They ‎may‏ ‎also‏ ‎use ‎the‏ ‎compromised ‎device ‎to ‎move ‎laterally‏ ‎within ‎the‏ ‎network,‏ ‎targeting ‎other ‎systems.


Observed‏ ‎Malicious ‎Activity:

📌An‏ ‎uptick ‎in ‎malicious ‎activity‏ ‎was‏ ‎observed ‎soon‏ ‎after ‎the‏ ‎public ‎disclosure ‎of ‎the ‎vulnerability‏ ‎and‏ ‎the ‎release‏ ‎of ‎an‏ ‎exploit ‎script ‎on ‎GitHub.

📌Attackers ‎used‏ ‎the‏ ‎UPSTYLE‏ ‎backdoor ‎to‏ ‎interact ‎with‏ ‎the ‎compromised‏ ‎device‏ ‎indirectly, ‎sending‏ ‎commands ‎via ‎error ‎logs ‎and‏ ‎receiving ‎output‏ ‎through‏ ‎a ‎publicly ‎accessible‏ ‎stylesheet.


Читать: 1+ мин
logo Overkill Security

Breaking News: Chinese AVs Outwitted by Go Code

The ‎GitHub‏ ‎repository ‎«darkPulse» ‎by ‎user ‎«fdx-xdf» is‏ ‎a ‎shellcode‏ ‎packer‏ ‎written ‎in ‎Go.

📌Purpose: darkPulse‏ ‎is ‎designed‏ ‎to ‎generate ‎various ‎shellcode‏ ‎loaders‏ ‎that ‎can‏ ‎evade ‎detection‏ ‎by ‎Chinese ‎antivirus ‎software ‎such‏ ‎as‏ ‎Huorong ‎and‏ ‎360 ‎Total‏ ‎Security.

📌Shellcode ‎Loader ‎Generation: Generates ‎different ‎types‏ ‎of‏ ‎shellcode‏ ‎loaders.

📌Antivirus ‎Evasion: Focuses‏ ‎on ‎evading‏ ‎detection ‎by‏ ‎popular‏ ‎Chinese ‎antivirus‏ ‎programs ‎like ‎Huorong ‎and ‎360‏ ‎Total ‎Security.

📌Encryption‏ ‎and‏ ‎Obfuscation: Supports ‎AES ‎and‏ ‎XOR ‎encryption,‏ ‎and ‎UUID/words ‎obfuscation ‎to‏ ‎reduce‏ ‎entropy.

📌Loading ‎Techniques:‏ ‎Supports ‎multiple‏ ‎loading ‎techniques ‎including ‎callback, ‎fiber,‏ ‎and‏ ‎earlybird. ‎These‏ ‎can ‎be‏ ‎used ‎in ‎indirect ‎syscall ‎and‏ ‎unhook‏ ‎modes.

📌Encoding: Utilizes‏ ‎the ‎Shikata‏ ‎ga ‎nai‏ ‎encoder, ‎ported‏ ‎into‏ ‎Go ‎with‏ ‎several ‎improvements.

📌SysWhispers3: Uses ‎SysWhispers3 ‎for ‎indirect‏ ‎syscall ‎implementation.



Читать: 2+ мин
logo Overkill Security

AMSI Bypass: The Malware’s Express Lane

The GitHub ‎repository‏ ‎«V-i-x-x/AMSI-BYPASS» provides ‎information ‎about ‎a ‎vulnerability‏ ‎known ‎as‏ ‎«AMSI‏ ‎WRITE ‎RAID» ‎that‏ ‎can ‎be‏ ‎exploited ‎to ‎bypass ‎the‏ ‎Antimalware‏ ‎Scan ‎Interface‏ ‎(AMSI).

📌Vulnerability ‎Description: The‏ ‎«AMSI ‎WRITE ‎RAID» ‎vulnerability ‎allows‏ ‎attackers‏ ‎to ‎overwrite‏ ‎specific ‎writable‏ ‎entries ‎in ‎the ‎AMSI ‎call‏ ‎stack,‏ ‎effectively‏ ‎bypassing ‎AMSI’s‏ ‎protections.

📌Writable ‎Entries: The‏ ‎repository ‎highlights‏ ‎that‏ ‎multiple ‎entries‏ ‎in ‎the ‎AMSI ‎call ‎stack‏ ‎are ‎writable‏ ‎and‏ ‎can ‎be ‎targeted‏ ‎to ‎achieve‏ ‎the ‎bypass. ‎These ‎entries‏ ‎are‏ ‎detailed ‎in‏ ‎images ‎such‏ ‎as ‎«vulnerable_entries.png» ‎and ‎«writable_entries_part_1.png» ‎provided‏ ‎in‏ ‎the ‎repository.

📌Proof‏ ‎of ‎Concept: The‏ ‎repository ‎includes ‎a ‎PDF ‎document‏ ‎(Amsi.pdf)‏ ‎that‏ ‎elaborates ‎on‏ ‎the ‎vulnerability,‏ ‎providing ‎a‏ ‎comprehensive‏ ‎explanation ‎and‏ ‎proof ‎of ‎concept ‎for ‎how‏ ‎the ‎AMSI‏ ‎bypass‏ ‎can ‎be ‎executed.

📌Impact: Successfully‏ ‎exploiting ‎this‏ ‎vulnerability ‎allows ‎malicious ‎code‏ ‎to‏ ‎evade ‎detection‏ ‎by ‎AMSI,‏ ‎which ‎is ‎a ‎significant ‎security‏ ‎concern‏ ‎as ‎AMSI‏ ‎is ‎designed‏ ‎to ‎provide ‎an ‎additional ‎layer‏ ‎of‏ ‎defense‏ ‎against ‎malware.

Impact‏ ‎on ‎Industries

📌Increased‏ ‎Risk ‎of‏ ‎Malware‏ ‎Infections: AMSI ‎bypass‏ ‎techniques ‎allow ‎attackers ‎to ‎execute‏ ‎malicious ‎code‏ ‎undetected,‏ ‎increasing ‎the ‎risk‏ ‎of ‎malware‏ ‎infections, ‎including ‎ransomware ‎and‏ ‎fileless‏ ‎attacks. ‎This‏ ‎is ‎particularly‏ ‎concerning ‎for ‎industries ‎with ‎sensitive‏ ‎data,‏ ‎such ‎as‏ ‎finance, ‎healthcare,‏ ‎and ‎government ‎sectors.

📌Compromised ‎Security ‎Posture: Bypassing‏ ‎AMSI‏ ‎can‏ ‎lead ‎to‏ ‎a ‎compromised‏ ‎security ‎posture,‏ ‎as‏ ‎traditional ‎antivirus‏ ‎and ‎endpoint ‎detection ‎and ‎response‏ ‎(EDR) ‎solutions‏ ‎may‏ ‎fail ‎to ‎detect‏ ‎and ‎prevent‏ ‎malicious ‎activities. ‎This ‎can‏ ‎result‏ ‎in ‎data‏ ‎breaches, ‎financial‏ ‎losses, ‎and ‎damage ‎to ‎reputation.

📌Operational‏ ‎Disruptions: Successful‏ ‎AMSI ‎bypass‏ ‎attacks ‎can‏ ‎cause ‎significant ‎operational ‎disruptions, ‎especially‏ ‎in‏ ‎critical‏ ‎infrastructure ‎sectors‏ ‎like ‎energy,‏ ‎transportation, ‎and‏ ‎utilities.‏ ‎These ‎disruptions‏ ‎can ‎have ‎cascading ‎effects ‎on‏ ‎service ‎delivery‏ ‎and‏ ‎public ‎safety.


Читать: 4+ мин
logo Overkill Security

MS-DOS: For those who think modern OSes are too user-friendly

The ‎release‏ ‎of ‎the ‎MS-DOS ‎source ‎code is‏ ‎significant ‎for‏ ‎educational‏ ‎purposes, ‎historical ‎preservation,‏ ‎community ‎engagement,‏ ‎and ‎as ‎a ‎technical‏ ‎reference,‏ ‎making ‎it‏ ‎a ‎valuable‏ ‎resource ‎even ‎in ‎the ‎modern‏ ‎era.

Educational‏ ‎Value:

📌Learning ‎Tool: The‏ ‎source ‎code‏ ‎provides ‎a ‎valuable ‎resource ‎for‏ ‎students‏ ‎and‏ ‎new ‎programmers‏ ‎to ‎study‏ ‎the ‎fundamentals‏ ‎of‏ ‎operating ‎system‏ ‎development. ‎It ‎offers ‎insights ‎into‏ ‎low-level ‎programming,‏ ‎particularly‏ ‎in ‎assembly ‎language,‏ ‎which ‎is‏ ‎crucial ‎for ‎understanding ‎how‏ ‎early‏ ‎operating ‎systems‏ ‎managed ‎hardware‏ ‎and ‎resources. ‎Because ‎nothing ‎says‏ ‎«cutting-edge‏ ‎education» ‎like‏ ‎studying ‎an‏ ‎operating ‎system ‎that ‎predates ‎the‏ ‎internet.‏ ‎Who‏ ‎needs ‎Python‏ ‎or ‎JavaScript‏ ‎when ‎you‏ ‎can‏ ‎wrestle ‎with‏ ‎assembly ‎language?

📌Historical ‎Study: Researchers ‎and ‎historians‏ ‎can ‎analyze‏ ‎the‏ ‎code ‎to ‎understand‏ ‎the ‎evolution‏ ‎of ‎software ‎development ‎practices‏ ‎and‏ ‎the ‎technological‏ ‎advancements ‎of‏ ‎the ‎1980s ‎and ‎1990s.  ‎For‏ ‎those‏ ‎who ‎find‏ ‎ancient ‎relics‏ ‎fascinating, ‎like ‎archaeologists ‎of ‎the‏ ‎digital‏ ‎age.‏ ‎Why ‎study‏ ‎modern ‎software‏ ‎when ‎you‏ ‎can‏ ‎dig ‎through‏ ‎the ‎code ‎of ‎a ‎system‏ ‎that ‎ran‏ ‎on‏ ‎floppy ‎disks?

Preservation ‎of‏ ‎Digital ‎History:

📌Archival‏ ‎Importance: By ‎making ‎the ‎source‏ ‎code‏ ‎publicly ‎available,‏ ‎Microsoft ‎helps‏ ‎preserve ‎a ‎significant ‎piece ‎of‏ ‎computing‏ ‎history. ‎This‏ ‎ensures ‎that‏ ‎future ‎generations ‎can ‎access ‎and‏ ‎learn‏ ‎from‏ ‎the ‎software‏ ‎that ‎played‏ ‎a ‎pivotal‏ ‎role‏ ‎in ‎the‏ ‎personal ‎computing ‎revolution. ‎Because ‎preserving‏ ‎the ‎source‏ ‎code‏ ‎of ‎an ‎ancient‏ ‎OS ‎is‏ ‎clearly ‎more ‎important ‎than,‏ ‎say,‏ ‎addressing ‎climate‏ ‎change ‎or‏ ‎curing ‎diseases. ‎Future ‎generations ‎will‏ ‎surely‏ ‎thank ‎us‏ ‎for ‎this‏ ‎invaluable ‎contribution.

📌Documentation ‎of ‎Technological ‎Progress: The‏ ‎release‏ ‎includes‏ ‎not ‎just‏ ‎the ‎source‏ ‎code ‎but‏ ‎also‏ ‎original ‎documentation‏ ‎and ‎binaries, ‎providing ‎a ‎comprehensive‏ ‎view ‎of‏ ‎the‏ ‎software’s ‎development ‎and‏ ‎its ‎context‏ ‎within ‎the ‎broader ‎history‏ ‎of‏ ‎computing. ‎And‏ ‎to ‎show‏ ‎just ‎how ‎far ‎we’ve ‎come.‏ ‎Look,‏ ‎kids, ‎this‏ ‎is ‎what‏ ‎we ‎used ‎before ‎we ‎had‏ ‎smartphones‏ ‎and‏ ‎cloud ‎computing.‏ ‎Marvel ‎at‏ ‎the ‎simplicity!

Community‏ ‎Engagement‏ ‎and ‎Innovation:

📌Open-Source‏ ‎Contributions: The ‎release ‎under ‎the ‎MIT‏ ‎license ‎allows‏ ‎tech‏ ‎enthusiasts ‎and ‎developers‏ ‎to ‎explore,‏ ‎experiment, ‎and ‎potentially ‎repurpose‏ ‎the‏ ‎code ‎for‏ ‎modern ‎applications.‏ ‎This ‎can ‎lead ‎to ‎innovative‏ ‎uses‏ ‎of ‎old‏ ‎technology ‎in‏ ‎new ‎contexts. ‎For ‎all ‎those‏ ‎tech‏ ‎enthusiasts‏ ‎who ‎have‏ ‎nothing ‎better‏ ‎to ‎do‏ ‎than‏ ‎tinker ‎with‏ ‎obsolete ‎code. ‎Maybe ‎someone ‎will‏ ‎finally ‎figure‏ ‎out‏ ‎how ‎to ‎make‏ ‎MS-DOS ‎run‏ ‎on ‎a ‎smart ‎fridge.

📌Digital‏ ‎Archeology: Enthusiasts‏ ‎and ‎digital‏ ‎preservationists ‎can‏ ‎use ‎the ‎source ‎code ‎to‏ ‎run‏ ‎and ‎test‏ ‎the ‎software‏ ‎on ‎both ‎original ‎hardware ‎and‏ ‎modern‏ ‎emulators,‏ ‎ensuring ‎that‏ ‎the ‎knowledge‏ ‎and ‎functionality‏ ‎of‏ ‎MS-DOS ‎are‏ ‎not ‎lost. ‎Because ‎some ‎people‏ ‎just ‎can’t‏ ‎let‏ ‎go ‎of ‎the‏ ‎past. ‎Let’s‏ ‎spend ‎our ‎weekends ‎running‏ ‎MS-DOS‏ ‎on ‎emulators‏ ‎instead ‎of‏ ‎enjoying ‎modern ‎gaming ‎consoles.

Technical ‎Reference:

📌Understanding‏ ‎Legacy‏ ‎Systems: For ‎developers‏ ‎working ‎with‏ ‎legacy ‎systems ‎or ‎those ‎interested‏ ‎in‏ ‎the‏ ‎history ‎of‏ ‎software ‎engineering,‏ ‎the ‎MS-DOS‏ ‎source‏ ‎code ‎provides‏ ‎a ‎reference ‎for ‎how ‎early‏ ‎operating ‎systems‏ ‎were‏ ‎structured ‎and ‎functioned.‏ ‎This ‎can‏ ‎be ‎particularly ‎useful ‎for‏ ‎maintaining‏ ‎or ‎interfacing‏ ‎with ‎older‏ ‎systems ‎still ‎in ‎use ‎today.‏ ‎For‏ ‎those ‎poor‏ ‎souls ‎still‏ ‎maintaining ‎ancient ‎hardware ‎in ‎the‏ ‎backrooms‏ ‎of‏ ‎some ‎forgotten‏ ‎office. ‎It’s‏ ‎like ‎being‏ ‎a‏ ‎mechanic ‎for‏ ‎a ‎Model ‎T ‎in ‎the‏ ‎age ‎of‏ ‎electric‏ ‎cars.

📌Comparison ‎with ‎Modern‏ ‎Systems: Analyzing ‎the‏ ‎MS-DOS ‎source ‎code ‎allows‏ ‎for‏ ‎a ‎comparison‏ ‎with ‎modern‏ ‎operating ‎systems, ‎highlighting ‎the ‎advancements‏ ‎in‏ ‎software ‎engineering‏ ‎and ‎system‏ ‎design ‎over ‎the ‎past ‎few‏ ‎decades.‏ ‎To‏ ‎appreciate ‎how‏ ‎much ‎better‏ ‎we ‎have‏ ‎it‏ ‎now. ‎Look‏ ‎at ‎this, ‎kids, ‎and ‎be‏ ‎grateful ‎you‏ ‎don’t‏ ‎have ‎to ‎type‏ ‎commands ‎to‏ ‎open ‎a ‎file.


Читать: 3+ мин
logo Overkill Security

Why Bother with Cybersecurity? Just Let Event Logs Do All the Work, Google said

By ‎leveraging Windows‏ ‎Event ‎Logs ‎and ‎integrating ‎with‏ ‎advanced ‎detection‏ ‎systems,‏ ‎organizations ‎can ‎better‏ ‎protect ‎themselves‏ ‎against ‎the ‎growing ‎threat‏ ‎of‏ ‎browser ‎data‏ ‎theft.

Technical ‎Keypoints

📌Windows‏ ‎Event ‎Logs: The ‎method ‎leverages ‎Windows‏ ‎Event‏ ‎Logs ‎to‏ ‎detect ‎suspicious‏ ‎activities ‎that ‎may ‎indicate ‎browser‏ ‎data‏ ‎theft.‏ ‎This ‎includes‏ ‎monitoring ‎specific‏ ‎event ‎IDs‏ ‎and‏ ‎patterns ‎that‏ ‎are ‎indicative ‎of ‎malicious ‎behavior.

📌Event‏ ‎IDs: ‎Key‏ ‎event‏ ‎IDs ‎to ‎monitor‏ ‎include ‎Event‏ ‎ID ‎4688 ‎to ‎Tracks‏ ‎process‏ ‎creation, ‎which‏ ‎can ‎help‏ ‎identify ‎when ‎a ‎browser ‎or‏ ‎related‏ ‎process ‎is‏ ‎started; ‎Event‏ ‎ID ‎5145 ‎to ‎Monitors ‎file‏ ‎access,‏ ‎which‏ ‎can ‎be‏ ‎used ‎to‏ ‎detect ‎unauthorized‏ ‎access‏ ‎to ‎browser‏ ‎data ‎files; ‎and ‎Event ‎ID‏ ‎4663 ‎to‏ ‎Tracks‏ ‎object ‎access, ‎useful‏ ‎for ‎identifying‏ ‎attempts ‎to ‎read ‎or‏ ‎modify‏ ‎browser ‎data‏ ‎files.

📌Behavioral ‎Analysis: The‏ ‎approach ‎involves ‎analyzing ‎the ‎behavior‏ ‎of‏ ‎processes ‎and‏ ‎their ‎interactions‏ ‎with ‎browser ‎data ‎files. ‎This‏ ‎includes‏ ‎looking‏ ‎for ‎unusual‏ ‎patterns ‎such‏ ‎as ‎processes‏ ‎that‏ ‎do ‎not‏ ‎typically ‎access ‎browser ‎data ‎files‏ ‎suddenly ‎doing‏ ‎so,‏ ‎high ‎frequency ‎of‏ ‎access ‎to‏ ‎browser ‎data ‎files ‎by‏ ‎non-browser‏ ‎processes.

📌Integration ‎with‏ ‎SIEM: ‎The‏ ‎method ‎can ‎be ‎integrated ‎with‏ ‎Security‏ ‎Information ‎and‏ ‎Event ‎Management‏ ‎(SIEM) ‎systems ‎to ‎automate ‎the‏ ‎detection‏ ‎and‏ ‎alerting ‎process.‏ ‎This ‎allows‏ ‎for ‎real-time‏ ‎monitoring‏ ‎and ‎quicker‏ ‎response ‎to ‎potential ‎data ‎theft‏ ‎incidents.

📌Machine ‎Learning:‏ ‎The‏ ‎use ‎of ‎machine‏ ‎learning ‎models‏ ‎to ‎enhance ‎detection ‎capabilities‏ ‎by‏ ‎identifying ‎anomalies‏ ‎and ‎patterns‏ ‎that ‎are ‎not ‎easily ‎detectable‏ ‎through‏ ‎rule-based ‎systems‏ ‎alone.

Impact ‎on‏ ‎Industries

📌Enhanced ‎Security ‎Posture: By ‎implementing ‎this‏ ‎detection‏ ‎method,‏ ‎organizations ‎can‏ ‎significantly ‎enhance‏ ‎their ‎security‏ ‎posture‏ ‎against ‎browser‏ ‎data ‎theft. ‎This ‎is ‎particularly‏ ‎important ‎for‏ ‎industries‏ ‎that ‎handle ‎sensitive‏ ‎information, ‎such‏ ‎as ‎finance, ‎healthcare, ‎and‏ ‎legal‏ ‎sectors.

📌Compliance ‎and‏ ‎Regulatory ‎Requirements: Many‏ ‎industries ‎are ‎subject ‎to ‎strict‏ ‎compliance‏ ‎and ‎regulatory‏ ‎requirements ‎regarding‏ ‎data ‎protection. ‎This ‎method ‎helps‏ ‎organizations‏ ‎meet‏ ‎these ‎requirements‏ ‎by ‎providing‏ ‎a ‎robust‏ ‎mechanism‏ ‎for ‎detecting‏ ‎and ‎preventing ‎data ‎breaches.

📌Incident ‎Response:‏ ‎The ‎ability‏ ‎to‏ ‎detect ‎browser ‎data‏ ‎theft ‎in‏ ‎real-time ‎allows ‎for ‎quicker‏ ‎incident‏ ‎response, ‎minimizing‏ ‎the ‎potential‏ ‎damage ‎and ‎reducing ‎the ‎time‏ ‎attackers‏ ‎have ‎access‏ ‎to ‎sensitive‏ ‎data.

📌Cost ‎Savings: ‎Early ‎detection ‎and‏ ‎prevention‏ ‎of‏ ‎data ‎theft‏ ‎can ‎lead‏ ‎to ‎significant‏ ‎cost‏ ‎savings ‎by‏ ‎avoiding ‎the ‎financial ‎and ‎reputational‏ ‎damage ‎associated‏ ‎with‏ ‎data ‎breaches.

📌Trust ‎and‏ ‎Reputation: ‎For‏ ‎industries ‎that ‎rely ‎heavily‏ ‎on‏ ‎customer ‎trust,‏ ‎such ‎as‏ ‎e-commerce ‎and ‎online ‎services, ‎demonstrating‏ ‎a‏ ‎strong ‎commitment‏ ‎to ‎data‏ ‎security ‎can ‎enhance ‎reputation ‎and‏ ‎customer‏ ‎confidence.


Читать: 3+ мин
logo Overkill Security

Nimfilt: Because Authors Needed Another Language to Complicate Our Lives

Key ‎Features

📌Function‏ ‎and ‎Package ‎Names: ‎Nimfilt ‎demangles‏ ‎Nim-specific ‎function‏ ‎and‏ ‎package ‎names, ‎making‏ ‎them ‎more‏ ‎readable ‎and ‎easier ‎to‏ ‎analyze.

📌Package‏ ‎Init ‎Function‏ ‎Names: ‎It‏ ‎also ‎demangles ‎the ‎initialization ‎function‏ ‎names‏ ‎of ‎Nim‏ ‎packages.

📌Nim ‎Strings:‏ ‎Nimfilt ‎applies ‎C-style ‎structs ‎to‏ ‎Nim‏ ‎strings,‏ ‎which ‎helps‏ ‎in ‎interpreting‏ ‎the ‎data‏ ‎structures‏ ‎within ‎the‏ ‎binary. ‎This ‎includes ‎identifying ‎the‏ ‎length ‎and‏ ‎payload‏ ‎of ‎the ‎strings.

📌IDA‏ ‎Plugin: ‎Nimfilt‏ ‎can ‎be ‎used ‎as‏ ‎an‏ ‎IDA ‎plugin,‏ ‎where ‎it‏ ‎organizes ‎functions ‎into ‎directories ‎based‏ ‎on‏ ‎their ‎package‏ ‎name ‎or‏ ‎path. ‎This ‎helps ‎in ‎structuring‏ ‎the‏ ‎analysis‏ ‎process.

📌Automatic ‎Execution:‏ ‎The ‎plugin‏ ‎can ‎be‏ ‎set‏ ‎to ‎automatically‏ ‎execute ‎when ‎a ‎Nim ‎binary‏ ‎is ‎loaded‏ ‎by‏ ‎setting ‎the ‎AUTO_RUN‏ ‎global ‎variable‏ ‎to ‎True.

📌Identifying ‎Nim ‎Binaries:‏ ‎Nimfilt‏ ‎uses ‎heuristics‏ ‎to ‎identify‏ ‎if ‎a ‎loaded ‎file ‎is‏ ‎a‏ ‎Nim ‎binary‏ ‎by ‎checking‏ ‎for ‎specific ‎strings ‎and ‎function‏ ‎names‏ ‎associated‏ ‎with ‎Nim.

📌YARA‏ ‎Rules: ‎It‏ ‎includes ‎YARA‏ ‎rules‏ ‎to ‎identify‏ ‎Nim-compiled ‎ELF ‎and ‎PE ‎binaries.

📌Command‏ ‎Line ‎Interface‏ ‎(CLI):‏ ‎Python ‎Script: ‎Nimfilt‏ ‎can ‎be‏ ‎run ‎as ‎a ‎Python‏ ‎script‏ ‎on ‎the‏ ‎command ‎line,‏ ‎providing ‎a ‎subset ‎of ‎its‏ ‎functionality‏ ‎outside ‎of‏ ‎IDA.

📌Organizing ‎Functions: Directory‏ ‎Structure: ‎In ‎IDA, ‎Nimfilt ‎creates‏ ‎directories‏ ‎in‏ ‎the ‎Functions‏ ‎window ‎to‏ ‎organize ‎functions‏ ‎according‏ ‎to ‎their‏ ‎package ‎name ‎or ‎path, ‎enhancing‏ ‎the ‎readability‏ ‎and‏ ‎manageability ‎of ‎the‏ ‎analysis.

Scenarios

Nimfilt ‎has‏ ‎been ‎employed ‎in ‎various‏ ‎real-world‏ ‎scenarios, ‎particularly‏ ‎in ‎the‏ ‎analysis ‎of ‎malware ‎written ‎in‏ ‎the‏ ‎Nim ‎programming‏ ‎language.

Sednit ‎Group:

📌Background: The‏ ‎Sednit ‎group, ‎also ‎known ‎as‏ ‎APT28‏ ‎or‏ ‎Fancy ‎Bear,‏ ‎is ‎a‏ ‎well-known ‎cyber-espionage‏ ‎group.‏ ‎They ‎have‏ ‎been ‎active ‎since ‎at ‎least‏ ‎2004 ‎and‏ ‎are‏ ‎responsible ‎for ‎several‏ ‎high-profile ‎attacks,‏ ‎including ‎the ‎Democratic ‎National‏ ‎Committee‏ ‎(DNC) ‎hack‏ ‎in ‎2016.

📌Use‏ ‎of ‎Nim: In ‎2019, ‎Sednit ‎was‏ ‎observed‏ ‎using ‎a‏ ‎malicious ‎downloader‏ ‎written ‎in ‎Nim. ‎This ‎marked‏ ‎one‏ ‎of‏ ‎the ‎early‏ ‎instances ‎of‏ ‎Nim ‎being‏ ‎used‏ ‎in ‎malware‏ ‎development.

📌Nimfilt’s ‎Role: Nimfilt ‎was ‎used ‎to‏ ‎reverse-engineer ‎this‏ ‎Nim-compiled‏ ‎malware, ‎helping ‎analysts‏ ‎understand ‎the‏ ‎structure ‎and ‎functionality ‎of‏ ‎the‏ ‎downloader ‎by‏ ‎demangling ‎function‏ ‎and ‎package ‎names ‎and ‎applying‏ ‎appropriate‏ ‎data ‎structures‏ ‎to ‎strings.

Mustang‏ ‎Panda ‎APT ‎Group:

📌Background: ‎Mustang ‎Panda‏ ‎is‏ ‎a‏ ‎China-aligned ‎Advanced‏ ‎Persistent ‎Threat‏ ‎(APT) ‎group‏ ‎known‏ ‎for ‎its‏ ‎cyber-espionage ‎activities. ‎They ‎have ‎been‏ ‎using ‎Nim‏ ‎to‏ ‎create ‎custom ‎loaders‏ ‎for ‎their‏ ‎Korplug ‎backdoor.

📌Specific ‎Incident: In ‎August‏ ‎2023,‏ ‎Mustang ‎Panda‏ ‎used ‎a‏ ‎malicious ‎DLL ‎written ‎in ‎Nim‏ ‎as‏ ‎part ‎of‏ ‎their ‎campaign‏ ‎against ‎a ‎governmental ‎organization ‎in‏ ‎Slovakia.‏ ‎This‏ ‎DLL ‎was‏ ‎part ‎of‏ ‎their ‎classic‏ ‎trident‏ ‎Korplug ‎loader.

📌Nimfilt’s‏ ‎Role: ‎Nimfilt ‎was ‎instrumental ‎in‏ ‎analyzing ‎this‏ ‎DLL.‏ ‎By ‎demangling ‎the‏ ‎names ‎and‏ ‎organizing ‎functions ‎into ‎directories,‏ ‎Nimfilt‏ ‎made ‎it‏ ‎easier ‎for‏ ‎researchers ‎to ‎dissect ‎the ‎malware‏ ‎and‏ ‎understand ‎its‏ ‎behavior.

General ‎Malware‏ ‎Analysis:

📌Nim’s ‎Popularity: The ‎Nim ‎programming ‎language‏ ‎has‏ ‎become‏ ‎increasingly ‎attractive‏ ‎to ‎malware‏ ‎developers ‎due‏ ‎to‏ ‎its ‎robust‏ ‎compiler ‎and ‎ability ‎to ‎work‏ ‎seamlessly ‎with‏ ‎other‏ ‎languages ‎like ‎C,‏ ‎C++, ‎and‏ ‎JavaScript. ‎This ‎has ‎led‏ ‎to‏ ‎a ‎rise‏ ‎in ‎malware‏ ‎written ‎in ‎Nim.

📌Nimfilt’s ‎Contribution: For ‎researchers‏ ‎tasked‏ ‎with ‎reverse-engineering‏ ‎such ‎binaries,‏ ‎Nimfilt ‎provides ‎a ‎powerful ‎tool‏ ‎to‏ ‎speed‏ ‎up ‎the‏ ‎analysis ‎process.‏ ‎It ‎helps‏ ‎by‏ ‎demangling ‎names,‏ ‎applying ‎structs ‎to ‎strings, ‎and‏ ‎organizing ‎functions,‏ ‎thereby‏ ‎making ‎the ‎reverse-engineering‏ ‎process ‎more‏ ‎efficient ‎and ‎focused.

Читать: 1+ мин
logo Overkill Security

Inside of Windows: How a Double-Fetch Vulnerability Leads to SYSTEM Access

24H2 ‎NT‏ ‎Kernel ‎Exploit ‎[POC]

📌Target: NT ‎kernel ‎in‏ ‎Windows ‎11‏ ‎24H2‏ ‎Insider ‎Preview.

📌Vulnerabilities: Multiple ‎kernel‏ ‎vulnerabilities ‎in‏ ‎ntoskrnl.exe.

Exploit ‎Technique:

📌Uses ‎process ‎token‏ ‎swap‏ ‎to ‎gain‏ ‎NT ‎AUTHORITY\SYSTEM‏ ‎privileges.

📌Walks ‎the ‎PsActiveProcessHead ‎list ‎to‏ ‎find‏ ‎a ‎privileged‏ ‎process ‎and‏ ‎its ‎token.

📌Replaces ‎the ‎token ‎of‏ ‎the‏ ‎exploit‏ ‎process ‎with‏ ‎the ‎privileged‏ ‎token.

📌Spawns ‎a‏ ‎new‏ ‎command ‎prompt‏ ‎with ‎SYSTEM ‎privileges.

Bypassing ‎KASLR:

📌Uses ‎side-channel‏ ‎attacks ‎to‏ ‎locate‏ ‎the ‎kernel ‎base‏ ‎address.

📌Highlights ‎weaknesses‏ ‎in ‎the ‎new ‎KASLR‏ ‎implementation.

Components:

📌teb_nt_poc.c: The‏ ‎main ‎exploit‏ ‎code.

📌prefetch_asm.asm ‎and‏ ‎prefetch_leak.h: Used ‎for ‎side-channel ‎attacks ‎to‏ ‎bypass‏ ‎kernel ‎ASLR.

📌find_nt_offsets.h‏ ‎and ‎find_nt_offsets.c: Finds‏ ‎non-exported ‎globals ‎in ‎NT ‎using‏ ‎Capstone.

📌ntos.h: Contains‏ ‎miscellaneous‏ ‎non-public ‎structs‏ ‎and ‎functions‏ ‎related ‎to‏ ‎NT.


CVE-2024-21345‏ ‎[POC]

📌Vulnerability: Proof-of-Concept ‎(PoC)‏ ‎for ‎CVE-2024-21345.

📌Target: Specific ‎vulnerability ‎in ‎a‏ ‎software ‎component

Exploit‏ ‎Details:

📌The‏ ‎vulnerability ‎involves ‎a‏ ‎double-fetch ‎issue‏ ‎in ‎NtQueryInformationThread, ‎leading ‎to‏ ‎an‏ ‎arbitrary ‎write.

📌Exploitation‏ ‎can ‎result‏ ‎in ‎high ‎integrity ‎and ‎confidentiality‏ ‎impacts,‏ ‎with ‎availability‏ ‎also ‎rated‏ ‎as ‎high.


CVE-2024-26218 ‎[POC]

📌Vulnerability: Proof-of-Concept ‎(PoC) ‎for‏ ‎CVE-2024-26218.

📌Target: Specific‏ ‎vulnerability‏ ‎in ‎a‏ ‎software ‎component.

Exploit‏ ‎Details:

📌The ‎vulnerability‏ ‎allows‏ ‎attackers ‎to‏ ‎elevate ‎their ‎privileges ‎to ‎SYSTEM‏ ‎level, ‎which‏ ‎can‏ ‎lead ‎to ‎full‏ ‎control ‎over‏ ‎the ‎affected ‎system.


Читать: 4+ мин
logo Overkill Security

Passkeys: Making Phishing Scams Work a Little Harder

The ‎introduction‏ ‎and ‎support ‎of ‎passkeys ‎by‏ ‎Apple ‎and‏ ‎Google mark‏ ‎a ‎significant ‎step‏ ‎towards ‎a‏ ‎more ‎secure ‎and ‎user-friendly‏ ‎authentication‏ ‎method. ‎This‏ ‎technology ‎is‏ ‎poised ‎to ‎have ‎a ‎substantial‏ ‎impact‏ ‎on ‎various‏ ‎industries ‎by‏ ‎enhancing ‎security, ‎improving ‎user ‎experience,‏ ‎and‏ ‎driving‏ ‎the ‎adoption‏ ‎of ‎passwordless‏ ‎authentication ‎solutions.

Technical‏ ‎Key‏ ‎Points

Passkeys ‎Overview:

📌Passkeys‏ ‎are ‎digital ‎credentials ‎that ‎enable‏ ‎passwordless ‎authentication‏ ‎using‏ ‎private ‎cryptographic ‎keys.‏ ‎They ‎are‏ ‎designed ‎to ‎be ‎more‏ ‎secure‏ ‎and ‎user-friendly‏ ‎than ‎traditional‏ ‎passwords.

📌Passkeys ‎use ‎biometric ‎identification ‎(e.g.,‏ ‎fingerprint,‏ ‎face ‎scan)‏ ‎or ‎a‏ ‎screen ‎lock ‎PIN ‎to ‎authenticate‏ ‎users,‏ ‎making‏ ‎them ‎resistant‏ ‎to ‎phishing‏ ‎attacks.

Apple’s ‎Implementation:

📌Apple‏ ‎has‏ ‎introduced ‎an‏ ‎API ‎that ‎allows ‎passkeys ‎to‏ ‎work ‎with‏ ‎third-party‏ ‎software, ‎enhancing ‎their‏ ‎usability ‎across‏ ‎different ‎applications ‎and ‎platforms.

📌Passkeys‏ ‎are‏ ‎supported ‎on‏ ‎Safari ‎and‏ ‎can ‎be ‎synchronized ‎across ‎Apple‏ ‎devices‏ ‎using ‎iCloud‏ ‎Keychain. ‎This‏ ‎synchronization ‎ensures ‎that ‎passkeys ‎are‏ ‎available‏ ‎on‏ ‎all ‎devices‏ ‎signed ‎into‏ ‎the ‎same‏ ‎iCloud‏ ‎account.

📌Managed ‎Apple‏ ‎IDs ‎support ‎passkey ‎synchronization, ‎allowing‏ ‎third-party ‎password‏ ‎managers‏ ‎like ‎1Password ‎and‏ ‎Dashlane ‎to‏ ‎save ‎and ‎exchange ‎passkeys‏ ‎across‏ ‎iOS, ‎iPadOS,‏ ‎and ‎macOS.

Google’s‏ ‎Implementation:

📌Google ‎has ‎rolled ‎out ‎passkey‏ ‎support‏ ‎across ‎Google‏ ‎Accounts ‎on‏ ‎all ‎major ‎platforms, ‎providing ‎an‏ ‎additional‏ ‎sign-in‏ ‎option ‎alongside‏ ‎passwords ‎and‏ ‎2-Step ‎Verification‏ ‎(2SV).

📌Passkeys‏ ‎can ‎be‏ ‎created ‎and ‎used ‎on ‎multiple‏ ‎devices, ‎and‏ ‎they‏ ‎are ‎backed ‎up‏ ‎and ‎synchronized‏ ‎across ‎devices ‎that ‎support‏ ‎them,‏ ‎such ‎as‏ ‎those ‎using‏ ‎the ‎same ‎Google ‎account.

📌Google ‎Workspace‏ ‎and‏ ‎Google ‎Cloud‏ ‎users ‎can‏ ‎now ‎log ‎into ‎their ‎accounts‏ ‎using‏ ‎passkeys,‏ ‎enhancing ‎security‏ ‎for ‎business‏ ‎users.

Cross-Platform ‎Support:

📌Chrome‏ ‎on‏ ‎macOS ‎now‏ ‎supports ‎passkeys ‎stored ‎in ‎iCloud‏ ‎Keychain, ‎allowing‏ ‎users‏ ‎to ‎create ‎and‏ ‎use ‎passkeys‏ ‎across ‎different ‎browsers ‎and‏ ‎devices‏ ‎within ‎the‏ ‎Apple ‎ecosystem.

📌The‏ ‎API ‎behaviors ‎for ‎passkeys ‎are‏ ‎consistent‏ ‎across ‎Safari‏ ‎and ‎Chrome,‏ ‎ensuring ‎a ‎seamless ‎user ‎experience.


Impact‏ ‎on‏ ‎Industries

Enhanced‏ ‎Security:

📌Passkeys ‎provide‏ ‎a ‎higher‏ ‎level ‎of‏ ‎security‏ ‎compared ‎to‏ ‎traditional ‎passwords ‎and ‎even ‎some‏ ‎multifactor ‎authentication‏ ‎(MFA)‏ ‎methods. ‎They ‎are‏ ‎resistant ‎to‏ ‎phishing ‎and ‎other ‎online‏ ‎attacks,‏ ‎reducing ‎the‏ ‎risk ‎of‏ ‎credential ‎theft.

📌By ‎eliminating ‎the ‎need‏ ‎for‏ ‎passwords, ‎passkeys‏ ‎reduce ‎the‏ ‎likelihood ‎of ‎password-related ‎security ‎breaches,‏ ‎such‏ ‎as‏ ‎those ‎caused‏ ‎by ‎weak‏ ‎or ‎reused‏ ‎passwords.

Improved‏ ‎User ‎Experience:

📌Passkeys‏ ‎streamline ‎the ‎authentication ‎process, ‎making‏ ‎it ‎faster‏ ‎and‏ ‎more ‎convenient ‎for‏ ‎users ‎to‏ ‎log ‎in ‎to ‎their‏ ‎accounts.‏ ‎For ‎example,‏ ‎Google ‎reported‏ ‎that ‎users ‎could ‎authenticate ‎with‏ ‎passkeys‏ ‎in ‎an‏ ‎average ‎of‏ ‎14.9 ‎seconds, ‎compared ‎to ‎30.4‏ ‎seconds‏ ‎with‏ ‎passwords.

📌The ‎use‏ ‎of ‎biometric‏ ‎authentication ‎(e.g.,‏ ‎Face‏ ‎ID, ‎Touch‏ ‎ID) ‎simplifies ‎the ‎login ‎process,‏ ‎reducing ‎the‏ ‎cognitive‏ ‎load ‎on ‎users‏ ‎who ‎no‏ ‎longer ‎need ‎to ‎remember‏ ‎complex‏ ‎passwords.

Adoption ‎by‏ ‎Enterprises:

📌Enterprises ‎can‏ ‎benefit ‎from ‎the ‎enhanced ‎security‏ ‎and‏ ‎user ‎experience‏ ‎provided ‎by‏ ‎passkeys. ‎For ‎instance, ‎Google ‎Workspace‏ ‎and‏ ‎Google‏ ‎Cloud ‎users‏ ‎can ‎now‏ ‎use ‎passkeys‏ ‎for‏ ‎secure ‎and‏ ‎efficient ‎access ‎to ‎their ‎accounts.

📌The‏ ‎integration ‎of‏ ‎passkeys‏ ‎into ‎third-party ‎applications‏ ‎and ‎password‏ ‎managers ‎allows ‎businesses ‎to‏ ‎adopt‏ ‎this ‎technology‏ ‎without ‎significant‏ ‎changes ‎to ‎their ‎existing ‎infrastructure.

Industry‏ ‎Momentum:

📌The‏ ‎collaboration ‎between‏ ‎major ‎tech‏ ‎companies ‎like ‎Apple, ‎Google, ‎and‏ ‎Microsoft,‏ ‎along‏ ‎with ‎the‏ ‎FIDO ‎Alliance,‏ ‎is ‎driving‏ ‎the‏ ‎adoption ‎of‏ ‎passkeys ‎across ‎the ‎industry. ‎This‏ ‎collective ‎effort‏ ‎is‏ ‎likely ‎to ‎accelerate‏ ‎the ‎transition‏ ‎to ‎a ‎passwordless ‎future.

📌The‏ ‎support‏ ‎for ‎passkeys‏ ‎in ‎popular‏ ‎browsers ‎and ‎operating ‎systems ‎ensures‏ ‎broad‏ ‎compatibility ‎and‏ ‎encourages ‎more‏ ‎organizations ‎to ‎adopt ‎this ‎technology.

Читать: 3+ мин
logo Overkill Security

Android Live Threat Detection: 200 billion Scans a Day Still Won’t Catch Everything

The ‎security‏ ‎updates ‎announced at ‎Google ‎I/O ‎2024‏ ‎are ‎poised‏ ‎to‏ ‎enhance ‎the ‎security‏ ‎and ‎privacy‏ ‎of ‎Android ‎devices ‎significantly,‏ ‎impacting‏ ‎various ‎industries‏ ‎by ‎reducing‏ ‎fraud, ‎protecting ‎sensitive ‎data, ‎and‏ ‎fostering‏ ‎greater ‎trust‏ ‎in ‎mobile‏ ‎technologies.

Key ‎Points

Google ‎Play ‎Protect ‎Live‏ ‎Threat‏ ‎Detection:

📌Functionality:‏ ‎Scans ‎200‏ ‎billion ‎Android‏ ‎apps ‎daily‏ ‎using‏ ‎on-device ‎AI‏ ‎to ‎detect ‎and ‎mitigate ‎malware‏ ‎and ‎fraudulent‏ ‎apps.

📌Implementation:‏ ‎Uses ‎Private ‎Compute‏ ‎Core ‎for‏ ‎privacy-preserving ‎analysis.

📌Deployment: ‎Available ‎on‏ ‎devices‏ ‎from ‎manufacturers‏ ‎like ‎Google‏ ‎Pixel, ‎Honor, ‎Lenovo, ‎Nothing, ‎OnePlus,‏ ‎Oppo,‏ ‎Sharp, ‎and‏ ‎Transsion.

Stronger ‎Protections‏ ‎Against ‎Fraud ‎and ‎Scams:

📌Scam ‎Call‏ ‎Detection:‏ ‎Uses‏ ‎Gemini-Nano ‎AI‏ ‎to ‎detect‏ ‎and ‎alert‏ ‎users‏ ‎about ‎potential‏ ‎scam ‎calls ‎in ‎real-time.

📌Screen ‎Sharing‏ ‎Safeguards: ‎Enhanced‏ ‎controls‏ ‎to ‎prevent ‎social‏ ‎engineering ‎attacks‏ ‎during ‎screen ‎sharing.

📌Advanced ‎Cellular‏ ‎Security:‏ ‎New ‎protections‏ ‎against ‎cell‏ ‎site ‎simulators ‎to ‎prevent ‎surveillance‏ ‎and‏ ‎SMS-based ‎fraud.

Private‏ ‎Space ‎Feature:

📌Functionality:‏ ‎Allows ‎users ‎to ‎create ‎a‏ ‎secure,‏ ‎siloed‏ ‎portion ‎of‏ ‎the ‎OS‏ ‎for ‎sensitive‏ ‎information,‏ ‎similar ‎to‏ ‎Incognito ‎mode.

📌Developer ‎Access: ‎Available ‎for‏ ‎developers ‎to‏ ‎experiment‏ ‎with, ‎with ‎a‏ ‎bug ‎fix‏ ‎expected ‎soon.

Enhanced ‎Developer ‎Tools:

📌Play‏ ‎Integrity‏ ‎API: ‎Updated‏ ‎to ‎include‏ ‎new ‎in-app ‎signals ‎to ‎help‏ ‎developers‏ ‎detect ‎and‏ ‎prevent ‎fraudulent‏ ‎or ‎risky ‎behavior.

📌Photo ‎Picker: ‎Improved‏ ‎to‏ ‎support‏ ‎cloud ‎storage‏ ‎services ‎and‏ ‎enforce ‎stricter‏ ‎permissions‏ ‎for ‎accessing‏ ‎photos ‎and ‎videos.


Impact ‎on ‎Industries

Financial‏ ‎Services:

📌Fraud ‎Prevention:‏ ‎Enhanced‏ ‎scam ‎call ‎detection‏ ‎and ‎advanced‏ ‎cellular ‎security ‎features ‎will‏ ‎significantly‏ ‎reduce ‎the‏ ‎risk ‎of‏ ‎financial ‎fraud ‎and ‎scams, ‎protecting‏ ‎both‏ ‎consumers ‎and‏ ‎financial ‎institutions.

📌Data‏ ‎Privacy: The ‎Private ‎Space ‎feature ‎ensures‏ ‎that‏ ‎sensitive‏ ‎financial ‎data‏ ‎remains ‎secure,‏ ‎fostering ‎greater‏ ‎trust‏ ‎in ‎mobile‏ ‎banking ‎and ‎financial ‎apps.

Healthcare:

📌Patient ‎Data‏ ‎Security: The ‎improved‏ ‎security‏ ‎measures, ‎including ‎live‏ ‎threat ‎detection‏ ‎and ‎Private ‎Space, ‎will‏ ‎help‏ ‎protect ‎sensitive‏ ‎patient ‎information‏ ‎stored ‎on ‎mobile ‎devices.

📌Telehealth: ‎Enhanced‏ ‎screen-sharing‏ ‎safeguards ‎will‏ ‎secure ‎telehealth‏ ‎sessions, ‎preventing ‎unauthorized ‎access ‎to‏ ‎patient‏ ‎data‏ ‎during ‎remote‏ ‎consultations.

E-commerce:

📌Transaction ‎Security: Scam‏ ‎call ‎detection‏ ‎and‏ ‎advanced ‎cellular‏ ‎security ‎will ‎protect ‎users ‎from‏ ‎phishing ‎and‏ ‎fraud‏ ‎attempts, ‎ensuring ‎safer‏ ‎online ‎transactions.

📌User‏ ‎Trust: Enhanced ‎privacy ‎controls ‎and‏ ‎secure‏ ‎app ‎environments‏ ‎will ‎increase‏ ‎user ‎confidence ‎in ‎mobile ‎shopping‏ ‎platforms.

Telecommunications:

📌Network‏ ‎Security: Advanced ‎cellular‏ ‎protections ‎will‏ ‎help ‎telecom ‎providers ‎safeguard ‎their‏ ‎networks‏ ‎from‏ ‎cell ‎site‏ ‎simulators ‎and‏ ‎other ‎surveillance‏ ‎tools.

📌Customer‏ ‎Safety: Real-time ‎scam‏ ‎detection ‎features ‎will ‎enhance ‎customer‏ ‎safety, ‎reducing‏ ‎the‏ ‎incidence ‎of ‎fraud-related‏ ‎complaints.

App ‎Development:

📌Security‏ ‎Integration: Developers ‎can ‎leverage ‎the‏ ‎updated‏ ‎Play ‎Integrity‏ ‎API ‎and‏ ‎other ‎security ‎tools ‎to ‎build‏ ‎more‏ ‎secure ‎apps,‏ ‎reducing ‎the‏ ‎risk ‎of ‎exploitation ‎and ‎abuse.

📌User‏ ‎Privacy: Stricter‏ ‎photo‏ ‎permissions ‎and‏ ‎the ‎Private‏ ‎Space ‎feature‏ ‎will‏ ‎help ‎developers‏ ‎ensure ‎compliance ‎with ‎privacy ‎regulations‏ ‎and ‎build‏ ‎user‏ ‎trust.

Читать: 2+ мин
logo Overkill Security

Why Clicking on 'Urgent Invoice' Emails is the Best Way to Make Friends with IT

The ‎blog‏ ‎post ‎titled ‎«On ‎Fire ‎Drills‏ ‎and ‎Phishing‏ ‎Tests» from‏ ‎the ‎Google ‎Security‏ ‎Blog ‎discusses‏ ‎the ‎importance ‎of ‎phishing‏ ‎tests‏ ‎and ‎fire‏ ‎drills ‎in‏ ‎enhancing ‎organizational ‎security.

Importance ‎of ‎Phishing‏ ‎Tests

📌Phishing‏ ‎Tests ‎as‏ ‎Training ‎Tools: Phishing‏ ‎tests ‎are ‎used ‎to ‎train‏ ‎employees‏ ‎to‏ ‎recognize ‎and‏ ‎respond ‎to‏ ‎phishing ‎attempts.‏ ‎They‏ ‎simulate ‎real-world‏ ‎phishing ‎attacks ‎to ‎help ‎employees‏ ‎identify ‎suspicious‏ ‎emails‏ ‎and ‎links.

📌Behavioral ‎Insights: These‏ ‎tests ‎provide‏ ‎insights ‎into ‎employee ‎behavior‏ ‎and‏ ‎the ‎effectiveness‏ ‎of ‎current‏ ‎training ‎programs. ‎They ‎help ‎identify‏ ‎which‏ ‎employees ‎or‏ ‎departments ‎are‏ ‎more ‎susceptible ‎to ‎phishing ‎attacks.

Fire‏ ‎Drills‏ ‎for‏ ‎Incident ‎Response

📌Simulated‏ ‎Incidents: Fire ‎drills‏ ‎involve ‎simulating‏ ‎security‏ ‎incidents ‎to‏ ‎test ‎the ‎organization’s ‎incident ‎response‏ ‎capabilities. ‎This‏ ‎includes‏ ‎how ‎quickly ‎and‏ ‎effectively ‎the‏ ‎team ‎can ‎detect, ‎respond‏ ‎to,‏ ‎and ‎mitigate‏ ‎security ‎threats.

📌Preparedness‏ ‎and ‎Improvement: Regular ‎fire ‎drills ‎help‏ ‎ensure‏ ‎that ‎the‏ ‎incident ‎response‏ ‎team ‎is ‎prepared ‎for ‎actual‏ ‎security‏ ‎incidents.‏ ‎They ‎also‏ ‎highlight ‎areas‏ ‎for ‎improvement‏ ‎in‏ ‎the ‎incident‏ ‎response ‎plan.

Integration ‎of ‎Phishing ‎Tests‏ ‎and ‎Fire‏ ‎Drills

📌Comprehensive‏ ‎Security ‎Training: Combining ‎phishing‏ ‎tests ‎with‏ ‎fire ‎drills ‎provides ‎a‏ ‎comprehensive‏ ‎approach ‎to‏ ‎security ‎training.‏ ‎It ‎ensures ‎that ‎employees ‎are‏ ‎not‏ ‎only ‎aware‏ ‎of ‎phishing‏ ‎threats ‎but ‎also ‎know ‎how‏ ‎to‏ ‎respond‏ ‎to ‎them‏ ‎effectively.

📌Realistic ‎Scenarios: By‏ ‎integrating ‎these‏ ‎two‏ ‎methods, ‎organizations‏ ‎can ‎create ‎more ‎realistic ‎and‏ ‎challenging ‎scenarios‏ ‎that‏ ‎better ‎prepare ‎employees‏ ‎for ‎real-world‏ ‎threats.

Metrics ‎and ‎Evaluation

📌Measuring ‎Effectiveness: Both‏ ‎phishing‏ ‎tests ‎and‏ ‎fire ‎drills‏ ‎should ‎be ‎evaluated ‎using ‎metrics‏ ‎to‏ ‎measure ‎their‏ ‎effectiveness. ‎This‏ ‎includes ‎tracking ‎the ‎number ‎of‏ ‎employees‏ ‎who‏ ‎fall ‎for‏ ‎phishing ‎tests‏ ‎and ‎the‏ ‎response‏ ‎times ‎during‏ ‎fire ‎drills.

📌Continuous ‎Improvement: The ‎data ‎collected‏ ‎from ‎these‏ ‎exercises‏ ‎should ‎be ‎used‏ ‎to ‎continuously‏ ‎improve ‎security ‎training ‎programs‏ ‎and‏ ‎incident ‎response‏ ‎plans.

Organizational ‎Culture

📌Promoting‏ ‎a ‎Security-First ‎Culture: Regular ‎phishing ‎tests‏ ‎and‏ ‎fire ‎drills‏ ‎help ‎promote‏ ‎a ‎culture ‎of ‎security ‎within‏ ‎the‏ ‎organization.‏ ‎They ‎reinforce‏ ‎the ‎importance‏ ‎of ‎security‏ ‎awareness‏ ‎and ‎preparedness‏ ‎among ‎employees.

📌Encouraging ‎Reporting: These ‎exercises ‎encourage‏ ‎employees ‎to‏ ‎report‏ ‎suspicious ‎activities ‎and‏ ‎potential ‎security‏ ‎incidents, ‎fostering ‎a ‎proactive‏ ‎security‏ ‎environment.


Читать: 5+ мин
logo Overkill Security

Firmware Overwrite: The New Trend in Router Fashion

The ‎Chalubo‏ ‎RAT ‎malware ‎campaign ‎targeted ‎specific‏ ‎models ‎of‏ ‎Actiontec‏ ‎and ‎Sagemcom ‎routers,‏ ‎primarily ‎affecting‏ ‎Windstream’s ‎network. ‎The ‎malware‏ ‎used‏ ‎brute-force ‎attacks‏ ‎to ‎gain‏ ‎access, ‎executed ‎payloads ‎in ‎memory‏ ‎to‏ ‎avoid ‎detection,‏ ‎and ‎communicated‏ ‎with ‎C2 ‎servers ‎using ‎encrypted‏ ‎channels.‏ ‎The‏ ‎attack ‎led‏ ‎to ‎a‏ ‎significant ‎outage,‏ ‎requiring‏ ‎the ‎replacement‏ ‎of ‎over ‎600,000 ‎routers, ‎highlighting‏ ‎the ‎need‏ ‎for‏ ‎robust ‎security ‎measures‏ ‎and ‎regular‏ ‎updates ‎to ‎prevent ‎such‏ ‎incidents.

Targets

ISP‏ ‎Impact:

📌Windstream: The ‎primary‏ ‎ISP ‎affected,‏ ‎with ‎over ‎600,000 ‎routers ‎rendered‏ ‎inoperable‏ ‎between ‎October‏ ‎25 ‎and‏ ‎October ‎27, ‎2023.

📌Affected ‎Models: Actiontec ‎T3200,‏ ‎T3260,‏ ‎and‏ ‎Sagemcom ‎F5380.

📌Impact: Approximately‏ ‎49% ‎of‏ ‎the ‎ISP’s‏ ‎modems‏ ‎were ‎taken‏ ‎offline, ‎requiring ‎hardware ‎replacements.

Global ‎Impact:

📌Botnet‏ ‎Activity: From ‎September‏ ‎to‏ ‎November ‎2023, ‎Chalubo‏ ‎botnet ‎panels‏ ‎interacted ‎with ‎up ‎to‏ ‎117,000‏ ‎unique ‎IP‏ ‎addresses ‎over‏ ‎a ‎30-day ‎period.

📌Geographic ‎Distribution: Most ‎infections‏ ‎were‏ ‎in ‎the‏ ‎US, ‎Brazil,‏ ‎and ‎China.

📌Operational ‎Silos: 95% of ‎bots ‎communicated‏ ‎with‏ ‎only‏ ‎one ‎control‏ ‎panel, ‎indicating‏ ‎distinct ‎operational‏ ‎silos.


Affected‏ ‎Routers

📌Targeted ‎Models: End-of-life‏ ‎business-grade ‎routers.

📌Actiontec ‎T3200 ‎and ‎T3260‏ ‎are ‎VDSL2‏ ‎wireless‏ ‎AC ‎gateway ‎routers‏ ‎approved ‎by‏ ‎Windstream.

📌Sagemcom ‎F5380 ‎is ‎a‏ ‎WiFi6‏ ‎(802.11ax) ‎router.

📌DrayTek‏ ‎Vigor ‎Models‏ ‎2960 ‎and ‎3900


Malware: ‎Chalubo ‎RAT

📌First‏ ‎Spotted: August‏ ‎2018 ‎by‏ ‎Sophos ‎Labs.

📌Primary‏ ‎Functions: DDoS ‎attacks, ‎execution ‎of ‎Lua‏ ‎scripts,‏ ‎and‏ ‎evasion ‎techniques‏ ‎using ‎ChaCha20‏ ‎encryption.

Technical ‎Details:

📌Initial‏ ‎Infection: Uses‏ ‎brute-force ‎attacks‏ ‎on ‎SSH ‎servers ‎with ‎weak‏ ‎credentials ‎(e.g.,‏ ‎root:‏ ‎admin).

📌Payload ‎Delivery:

📌First ‎Stage: A‏ ‎bash ‎script‏ ‎(«get_scrpc») ‎fetches ‎a ‎second‏ ‎script‏ ‎(«get_strtriiush») ‎which‏ ‎retrieves ‎and‏ ‎executes ‎the ‎primary ‎bot ‎payload‏ ‎(«Chalubo»‏ ‎or ‎«mips.elf»).

📌Execution: The‏ ‎malware ‎runs‏ ‎in ‎memory, ‎wipes ‎files ‎from‏ ‎the‏ ‎disk,‏ ‎and ‎changes‏ ‎the ‎process‏ ‎name ‎to‏ ‎avoid‏ ‎detection.

📌Communication:

📌C2 ‎Servers: Cycles‏ ‎through ‎hardcoded ‎C2s, ‎downloads ‎the‏ ‎next ‎stage,‏ ‎and‏ ‎decrypts ‎it ‎using‏ ‎ChaCha20.

📌Persistence: The ‎newer‏ ‎version ‎does ‎not ‎maintain‏ ‎persistence‏ ‎on ‎infected‏ ‎devices.


HiatusRAT ‎Malware

📌Port‏ ‎8816: HiatusRAT ‎checks ‎for ‎existing ‎processes‏ ‎on‏ ‎port ‎8816,‏ ‎kills ‎any‏ ‎existing ‎service, ‎and ‎opens ‎a‏ ‎listener‏ ‎on‏ ‎this ‎port.

📌Information‏ ‎Collection: Collects ‎host-based‏ ‎information ‎and‏ ‎sends‏ ‎it ‎to‏ ‎the ‎C2 ‎server ‎to ‎track‏ ‎the ‎infection‏ ‎status‏ ‎and ‎log ‎information‏ ‎about ‎the‏ ‎compromised ‎host.

📌Initial ‎Access: Through ‎exploiting‏ ‎vulnerabilities‏ ‎in ‎router‏ ‎firmware ‎or‏ ‎using ‎weak ‎credentials.

📌Persistence: Uses ‎a ‎bash‏ ‎script‏ ‎to ‎download‏ ‎and ‎execute‏ ‎HiatusRAT ‎and ‎the ‎packet-capture ‎binary

📌Prebuilt‏ ‎Functions:

📌config: Loads‏ ‎new‏ ‎configuration ‎values‏ ‎from ‎the‏ ‎C2 ‎node.

📌shell: Spawns‏ ‎a‏ ‎remote ‎shell‏ ‎on ‎the ‎infected ‎host.

📌file: Allows ‎reading,‏ ‎deleting, ‎or‏ ‎uploading‏ ‎files ‎to ‎the‏ ‎C2.

📌executor: Downloads ‎and‏ ‎executes ‎files ‎from ‎the‏ ‎C2.

📌script: Executes‏ ‎scripts ‎supplied‏ ‎by ‎the‏ ‎C2.

📌tcp_forward: Forwards ‎TCP ‎data ‎from ‎a‏ ‎specified‏ ‎port ‎to‏ ‎another ‎IP‏ ‎address ‎and ‎port.

📌socks5: Sets ‎up ‎a‏ ‎SOCKS5‏ ‎proxy‏ ‎on ‎the‏ ‎compromised ‎router.

📌quit: Ceases‏ ‎execution ‎of‏ ‎the‏ ‎malware.

📌Packet ‎Capture: A‏ ‎variant ‎of ‎tcpdump ‎is ‎deployed‏ ‎to ‎capture‏ ‎and‏ ‎monitor ‎router ‎traffic‏ ‎on ‎ports‏ ‎associated ‎with ‎email ‎and‏ ‎file-transfer‏ ‎communications



Black ‎Lotus‏ ‎Labs ‎Uncovers‏ ‎New ‎Router ‎Malware ‎Campaigns

📌Black ‎Lotus‏ ‎Labs,‏ ‎the ‎threat‏ ‎research ‎team‏ ‎at ‎Lumen ‎Technologies ‎(formerly ‎CenturyLink),‏ ‎has‏ ‎recently‏ ‎uncovered ‎two‏ ‎major ‎malware‏ ‎campaigns ‎targeting‏ ‎routers‏ ‎and ‎networking‏ ‎devices ‎from ‎different ‎manufacturers. ‎These‏ ‎discoveries ‎highlight‏ ‎the‏ ‎increasing ‎threats ‎faced‏ ‎by ‎internet‏ ‎infrastructure ‎and ‎the ‎need‏ ‎for‏ ‎better ‎security‏ ‎practices.

The ‎Hiatus‏ ‎Campaign

📌In ‎March ‎2023, ‎Black ‎Lotus‏ ‎Labs‏ ‎reported ‎on‏ ‎a ‎complex‏ ‎campaign ‎called ‎«Hiatus» ‎that ‎had‏ ‎been‏ ‎targeting‏ ‎business-grade ‎routers,‏ ‎primarily ‎DrayTek‏ ‎Vigor ‎models‏ ‎2960‏ ‎and ‎3900,‏ ‎since ‎June ‎2022.

📌The ‎threat ‎actors‏ ‎exploited ‎end-of-life‏ ‎DrayTek‏ ‎routers ‎to ‎establish‏ ‎long-term ‎persistence‏ ‎without ‎detection.

📌Around ‎4,100 ‎vulnerable‏ ‎DrayTek‏ ‎models ‎were‏ ‎exposed ‎on‏ ‎the ‎internet, ‎with ‎Hiatus ‎compromising‏ ‎approximately‏ ‎100 ‎of‏ ‎them ‎across‏ ‎Latin ‎America, ‎Europe, ‎and ‎North‏ ‎America.

📌Upon‏ ‎infection,‏ ‎the ‎malware‏ ‎intercepts ‎data‏ ‎transiting ‎the‏ ‎infected‏ ‎router ‎and‏ ‎deploys ‎a ‎Remote ‎Access ‎Trojan‏ ‎(RAT) ‎called‏ ‎«HiatusRAT»‏ ‎that ‎can ‎proxy‏ ‎malicious ‎traffic‏ ‎to ‎additional ‎networks.

📌Black ‎Lotus‏ ‎Labs‏ ‎has ‎null-routed‏ ‎the ‎Hiatus‏ ‎command-and-control ‎(C2) ‎servers ‎across ‎Lumen’s‏ ‎global‏ ‎backbone ‎and‏ ‎added ‎the‏ ‎indicators ‎of ‎compromise ‎(IoCs) ‎to‏ ‎their‏ ‎Rapid‏ ‎Threat ‎Defense‏ ‎system ‎to‏ ‎block ‎threats‏ ‎before‏ ‎reaching ‎customer‏ ‎networks.

The ‎Pumpkin ‎Eclipse ‎Campaign

📌In ‎late‏ ‎October ‎2023,‏ ‎Black‏ ‎Lotus ‎Labs ‎investigated‏ ‎a ‎massive‏ ‎outage ‎affecting ‎specific ‎ActionTec‏ ‎(T3200s‏ ‎and ‎T3260s)‏ ‎and ‎Sagemcom‏ ‎(F5380) ‎gateway ‎models ‎within ‎a‏ ‎single‏ ‎internet ‎service‏ ‎provider’s ‎network.

📌Over‏ ‎600,000 ‎devices ‎displayed ‎a ‎static‏ ‎red‏ ‎light,‏ ‎indicating ‎a‏ ‎likely ‎firmware‏ ‎corruption ‎issue.

📌The‏ ‎attack‏ ‎was ‎confined‏ ‎to ‎a ‎specific ‎Autonomous ‎System‏ ‎Number ‎(ASN),‏ ‎impacting‏ ‎around ‎49% ‎of‏ ‎exposed ‎devices‏ ‎in ‎that ‎network.

📌Black ‎Lotus‏ ‎Labs‏ ‎discovered ‎a‏ ‎multi-stage ‎infection‏ ‎mechanism ‎that ‎installed ‎the ‎Chalubo‏ ‎RAT,‏ ‎a ‎botnet‏ ‎targeting ‎SOHO‏ ‎gateways ‎and ‎IoT ‎devices.

📌Black ‎Lotus‏ ‎Labs‏ ‎has‏ ‎added ‎the‏ ‎IoCs ‎from‏ ‎this ‎campaign‏ ‎and‏ ‎the ‎Chalubo‏ ‎malware ‎to ‎their ‎threat ‎intelligence‏ ‎feed, ‎fueling‏ ‎Lumen’s‏ ‎Connected ‎Security ‎portfolio.


Читать: 4+ мин
logo Overkill Security

ICSpector: Solving Forensics Problems You Didn’t Know You Had

The ‎Microsoft‏ ‎ICS ‎Forensics ‎Tools ‎framework, known ‎as‏ ‎ICSpector, ‎is‏ ‎an‏ ‎open-source ‎tool ‎designed‏ ‎to ‎facilitate‏ ‎the ‎forensic ‎analysis ‎of‏ ‎Industrial‏ ‎Control ‎Systems‏ ‎(ICS), ‎particularly‏ ‎focusing ‎on ‎Programmable ‎Logic ‎Controllers‏ ‎(PLCs).

Key‏ ‎Technical ‎Points‏ ‎of ‎ICSpector

Framework‏ ‎Composition ‎and ‎Architecture

📌Modular ‎Design: ICSpector ‎is‏ ‎composed‏ ‎of‏ ‎several ‎components‏ ‎that ‎can‏ ‎be ‎developed‏ ‎and‏ ‎executed ‎separately,‏ ‎allowing ‎for ‎flexibility ‎and ‎customization‏ ‎based ‎on‏ ‎specific‏ ‎needs. ‎Users ‎can‏ ‎also ‎add‏ ‎new ‎analyzers

📌Network ‎Scanner: Identifies ‎devices‏ ‎communicating‏ ‎via ‎supported‏ ‎OT ‎protocols‏ ‎and ‎ensures ‎they ‎are ‎responsive.‏ ‎It‏ ‎can ‎work‏ ‎with ‎a‏ ‎provided ‎IP ‎subnet ‎or ‎a‏ ‎specific‏ ‎IP‏ ‎list ‎exported‏ ‎from ‎OT‏ ‎security ‎products.

📌Data‏ ‎Extraction‏ ‎& ‎Analyzer: Extracts‏ ‎PLC ‎project ‎metadata ‎and ‎logic,‏ ‎converting ‎raw‏ ‎data‏ ‎into ‎a ‎human-readable‏ ‎form ‎to‏ ‎highlight ‎areas ‎that ‎may‏ ‎indicate‏ ‎malicious ‎activity.

Forensic‏ ‎Capabilities

📌Identification ‎of‏ ‎Compromised ‎Devices: Helps ‎in ‎identifying ‎compromised‏ ‎devices‏ ‎through ‎manual‏ ‎verification, ‎automated‏ ‎monitoring, ‎or ‎during ‎incident ‎response.

📌Snapshot‏ ‎Creation: Allows‏ ‎for‏ ‎the ‎creation‏ ‎of ‎snapshots‏ ‎of ‎controller‏ ‎projects‏ ‎to ‎compare‏ ‎changes ‎over ‎time, ‎aiding ‎in‏ ‎the ‎detection‏ ‎of‏ ‎tampering ‎or ‎anomalies.

📌Support‏ ‎for ‎Siemens‏ ‎PLCs: Currently ‎supports ‎Siemens ‎SIMATIC‏ ‎S7-300‏ ‎and ‎S7-400‏ ‎families, ‎with‏ ‎plans ‎to ‎support ‎other ‎PLC‏ ‎families‏ ‎in ‎the‏ ‎future.

Integration ‎with‏ ‎Other ‎Tools

📌Microsoft ‎Defender ‎for ‎IoT: Can‏ ‎be‏ ‎used‏ ‎alongside ‎Microsoft‏ ‎Defender ‎for‏ ‎IoT, ‎which‏ ‎provides‏ ‎network-layer ‎security,‏ ‎continuous ‎monitoring, ‎asset ‎discovery, ‎threat‏ ‎detection, ‎and‏ ‎vulnerability‏ ‎management ‎for ‎IoT/OT‏ ‎environments.

Use ‎Cases

📌Incident‏ ‎Response: Useful ‎for ‎incident ‎response‏ ‎operations‏ ‎to ‎detect‏ ‎compromised ‎devices‏ ‎and ‎understand ‎if ‎PLC ‎code‏ ‎was‏ ‎tampered ‎with.

📌Proactive‏ ‎Security: Helps ‎in‏ ‎proactive ‎incident ‎response ‎by ‎comparing‏ ‎PLC‏ ‎programs‏ ‎on ‎engineering‏ ‎workstations ‎with‏ ‎those ‎on‏ ‎the‏ ‎actual ‎devices‏ ‎to ‎detect ‎unauthorized ‎changes.

Industries

📌Nuclear, ‎Thermal,‏ ‎and ‎Hydroelectric‏ ‎Power‏ ‎Plants: Power ‎plants ‎rely‏ ‎heavily ‎on‏ ‎Industrial ‎Control ‎Systems ‎(ICS)‏ ‎to‏ ‎manage ‎critical‏ ‎operations. ‎ICSpector‏ ‎can ‎be ‎used ‎to ‎ensure‏ ‎the‏ ‎integrity ‎of‏ ‎Programmable ‎Logic‏ ‎Controllers ‎(PLCs) ‎that ‎control ‎these‏ ‎processes.‏ ‎By‏ ‎detecting ‎any‏ ‎anomalous ‎indicators‏ ‎or ‎compromised‏ ‎configurations,‏ ‎ICSpector ‎helps‏ ‎prevent ‎disruptions ‎that ‎could ‎lead‏ ‎to ‎power‏ ‎outages‏ ‎or ‎safety ‎hazards.

📌Water‏ ‎Treatment ‎Plants: These‏ ‎facilities ‎use ‎ICS ‎to‏ ‎control‏ ‎the ‎treatment‏ ‎processes ‎that‏ ‎ensure ‎water ‎safety. ‎ICSpector ‎can‏ ‎help‏ ‎in ‎monitoring‏ ‎and ‎verifying‏ ‎the ‎integrity ‎of ‎PLCs, ‎ensuring‏ ‎that‏ ‎the‏ ‎water ‎treatment‏ ‎processes ‎are‏ ‎not ‎tampered‏ ‎with,‏ ‎which ‎is‏ ‎crucial ‎for ‎public ‎health ‎and‏ ‎safety.

📌Industrial ‎Manufacturing: In‏ ‎manufacturing‏ ‎environments, ‎ICS ‎are‏ ‎used ‎to‏ ‎control ‎machinery ‎and ‎production‏ ‎lines.‏ ‎ICSpector ‎can‏ ‎be ‎used‏ ‎to ‎detect ‎any ‎unauthorized ‎changes‏ ‎or‏ ‎anomalies ‎in‏ ‎the ‎PLCs,‏ ‎ensuring ‎consistent ‎product ‎quality ‎and‏ ‎preventing‏ ‎costly‏ ‎downtimes ‎due‏ ‎to ‎equipment‏ ‎failure.

📌Critical ‎Infrastructure‏ ‎Sectors: This‏ ‎includes ‎sectors‏ ‎like ‎energy, ‎water, ‎transportation, ‎and‏ ‎communication ‎systems.‏ ‎ICSpector‏ ‎can ‎be ‎used‏ ‎to ‎safeguard‏ ‎the ‎ICS ‎that ‎control‏ ‎these‏ ‎critical ‎infrastructures‏ ‎from ‎cyberattacks,‏ ‎ensuring ‎their ‎continuous ‎and ‎secure‏ ‎operation.

📌Chemical‏ ‎Processing ‎Plants: These‏ ‎plants ‎use‏ ‎ICS ‎to ‎manage ‎complex ‎chemical‏ ‎processes.‏ ‎ICSpector‏ ‎can ‎help‏ ‎in ‎ensuring‏ ‎that ‎the‏ ‎PLCs‏ ‎controlling ‎these‏ ‎processes ‎are ‎secure ‎and ‎have‏ ‎not ‎been‏ ‎tampered‏ ‎with, ‎which ‎is‏ ‎vital ‎for‏ ‎preventing ‎hazardous ‎incidents.

📌Oil ‎and‏ ‎Gas‏ ‎Industry: ICS ‎are‏ ‎used ‎extensively‏ ‎in ‎the ‎oil ‎and ‎gas‏ ‎sector‏ ‎for ‎drilling,‏ ‎refining, ‎and‏ ‎distribution ‎processes. ‎ICSpector ‎can ‎be‏ ‎used‏ ‎to‏ ‎monitor ‎and‏ ‎verify ‎the‏ ‎integrity ‎of‏ ‎these‏ ‎systems, ‎preventing‏ ‎disruptions ‎that ‎could ‎lead ‎to‏ ‎significant ‎financial‏ ‎losses‏ ‎and ‎environmental ‎damage


Читать: 2+ мин
logo Overkill Security

Raytracing on a ZX Spectrum: Who Needs Modern GPUs When You Can Spend a Weekend Rendering a Single Frame to Prove That Masochism Can Be a Hobby?

ZX ‎Raytracer is‏ ‎project ‎not ‎only ‎demonstrates ‎the‏ ‎feasibility ‎of‏ ‎implementing‏ ‎a ‎raytracer ‎on‏ ‎the ‎ZX‏ ‎Spectrum ‎but ‎also ‎serves‏ ‎as‏ ‎an ‎educational‏ ‎resource, ‎a‏ ‎celebration ‎of ‎computing ‎history, ‎and‏ ‎an‏ ‎inspiration ‎for‏ ‎future ‎projects‏ ‎in ‎retro ‎computing, ‎embedded ‎systems,‏ ‎and‏ ‎optimization‏ ‎techniques

Key ‎Points‏ ‎& ‎Potential‏ ‎Uses

📌Implementing ‎a‏ ‎Raytracer‏ ‎on ‎Legacy‏ ‎Hardware: ‎The ‎project ‎demonstrates ‎the‏ ‎possibility ‎of‏ ‎implementing‏ ‎a ‎raytracer, ‎a‏ ‎computationally ‎intensive‏ ‎graphics ‎rendering ‎technique, ‎on‏ ‎the‏ ‎ZX ‎Spectrum,‏ ‎a ‎home‏ ‎computer ‎from ‎the ‎1980s ‎with‏ ‎very‏ ‎limited ‎hardware‏ ‎capabilities ‎(3.5MHz‏ ‎Z80A ‎CPU ‎and ‎often ‎only‏ ‎16KB‏ ‎RAM).

📌Overcoming‏ ‎Hardware ‎Limitations:‏ ‎Despite ‎the‏ ‎severe ‎hardware‏ ‎constraints,‏ ‎the ‎project‏ ‎overcame ‎challenges ‎like ‎attribute ‎clash‏ ‎(color ‎limitations),‏ ‎low‏ ‎resolution ‎(256×176 ‎pixels),‏ ‎and ‎slow‏ ‎performance ‎(initial ‎render ‎time‏ ‎of‏ ‎17 ‎hours‏ ‎per ‎frame)‏ ‎through ‎clever ‎optimizations ‎and ‎approximations.

📌Educational‏ ‎Tool: The‏ ‎project ‎could‏ ‎be ‎used‏ ‎as ‎a ‎teaching ‎aid ‎in‏ ‎computer‏ ‎science‏ ‎courses, ‎particularly‏ ‎those ‎focused‏ ‎on ‎computer‏ ‎graphics,‏ ‎optimization ‎techniques,‏ ‎or ‎low-level ‎programming.

📌Retro ‎Gaming ‎and‏ ‎Demoscene ‎Exhibitions:‏ ‎The‏ ‎raytracer ‎could ‎be‏ ‎showcased ‎at‏ ‎retro ‎computing ‎events, ‎demoscene‏ ‎parties,‏ ‎or ‎exhibitions‏ ‎celebrating ‎the‏ ‎achievements ‎of ‎vintage ‎hardware ‎and‏ ‎programming.

📌Embedded‏ ‎Systems ‎Development:‏ ‎The ‎optimization‏ ‎techniques ‎and ‎approximations ‎used ‎in‏ ‎this‏ ‎project‏ ‎could ‎inspire‏ ‎developers ‎working‏ ‎on ‎embedded‏ ‎systems‏ ‎or ‎resource-constrained‏ ‎devices, ‎where ‎efficient ‎use ‎of‏ ‎limited ‎resources‏ ‎is‏ ‎crucial.

📌Appreciation ‎of ‎Computing‏ ‎History: ‎The‏ ‎project ‎could ‎be ‎featured‏ ‎in‏ ‎museums ‎or‏ ‎exhibitions ‎dedicated‏ ‎to ‎the ‎history ‎of ‎computing,‏ ‎showcasing‏ ‎the ‎ingenuity‏ ‎and ‎creativity‏ ‎of ‎early ‎programmers ‎working ‎with‏ ‎limited‏ ‎hardware‏ ‎resources.

📌Inspiration ‎for‏ ‎Future ‎Projects:‏ ‎The ‎success‏ ‎of‏ ‎this ‎project‏ ‎could ‎motivate ‎others ‎to ‎explore‏ ‎the ‎limits‏ ‎of‏ ‎legacy ‎hardware ‎or‏ ‎undertake ‎similar‏ ‎challenging ‎projects, ‎pushing ‎the‏ ‎boundaries‏ ‎of ‎what‏ ‎is ‎possible‏ ‎on ‎vintage ‎systems.


Читать: 3+ мин
logo Overkill Security

FIDO2: Phishing-Resistant, But Not Token-Resistant

The ‎article‏ ‎on ‎Silverfort’s ‎blog ‎explores ‎how‏ ‎MITM ‎attacks‏ ‎can‏ ‎bypass ‎FIDO2's ‎phishing-resistant‏ ‎protections. ‎It‏ ‎details ‎the ‎FIDO2 ‎authentication‏ ‎flow,‏ ‎highlights ‎vulnerabilities‏ ‎in ‎session‏ ‎token ‎handling, ‎and ‎provides ‎real-world‏ ‎examples‏ ‎involving ‎Entra‏ ‎ID ‎SSO,‏ ‎PingFederate, ‎and ‎Yubico ‎Playground, ‎concluding‏ ‎with‏ ‎mitigation‏ ‎strategies ‎to‏ ‎enhance ‎security.


FIDO2‏ ‎Background

📌FIDO2 ‎is‏ ‎a‏ ‎modern ‎passwordless‏ ‎authentication ‎standard ‎developed ‎by ‎the‏ ‎FIDO ‎Alliance‏ ‎to‏ ‎replace ‎passwords

📌It ‎aims‏ ‎to ‎protect‏ ‎against ‎phishing, ‎man-in-the-middle ‎(MITM),‏ ‎and‏ ‎session ‎hijacking‏ ‎attacks

📌The ‎authentication‏ ‎flow ‎involves ‎device ‎registration ‎and‏ ‎authentication‏ ‎steps ‎using‏ ‎public ‎key‏ ‎cryptography

FIDO2 ‎Security ‎Features

📌FIDO2 ‎is ‎designed‏ ‎to‏ ‎prevent‏ ‎phishing, ‎MITM,‏ ‎and ‎session‏ ‎hijacking ‎attacks

📌However,‏ ‎the‏ ‎research ‎found‏ ‎that ‎FIDO2 ‎implementations ‎often ‎do‏ ‎not ‎protect‏ ‎session‏ ‎tokens ‎after ‎successful‏ ‎authentication

Attacking ‎FIDO2‏ ‎with ‎MITM

📌The ‎author ‎investigated‏ ‎MITM‏ ‎attacks ‎on‏ ‎identity ‎providers‏ ‎(IdPs) ‎that ‎relay ‎communications ‎between‏ ‎devices

📌While‏ ‎MITM ‎is‏ ‎more ‎difficult‏ ‎with ‎TLS, ‎methods ‎like ‎DNS‏ ‎spoofing,‏ ‎ARP‏ ‎poisoning, ‎and‏ ‎certificate ‎theft‏ ‎can ‎achieve‏ ‎it

📌By‏ ‎performing ‎MITM‏ ‎on ‎the ‎IdP, ‎the ‎attacker‏ ‎can ‎hijack‏ ‎the‏ ‎session ‎token ‎after‏ ‎FIDO2 ‎authentication


Entra‏ ‎ID ‎SSO ‎(Microsoft)

📌Overview: Entra ‎ID‏ ‎SSO‏ ‎is ‎a‏ ‎single ‎sign-on‏ ‎solution ‎that ‎supports ‎various ‎SSO‏ ‎protocols‏ ‎and ‎modern‏ ‎authentication ‎methods,‏ ‎including ‎FIDO2.

📌Vulnerability: The ‎research ‎demonstrated ‎that‏ ‎an‏ ‎attacker‏ ‎could ‎hijack‏ ‎sessions ‎by‏ ‎exploiting ‎the‏ ‎way‏ ‎Entra ‎ID‏ ‎handles ‎session ‎tokens.

📌Attack ‎Method: The ‎attacker‏ ‎does ‎not‏ ‎need‏ ‎to ‎relay ‎the‏ ‎entire ‎authentication‏ ‎process. ‎Instead, ‎they ‎can‏ ‎use‏ ‎a ‎signed‏ ‎token ‎provided‏ ‎by ‎the ‎IdP, ‎which ‎has‏ ‎an‏ ‎expiration ‎time‏ ‎of ‎one‏ ‎hour. ‎This ‎token ‎can ‎be‏ ‎reused‏ ‎within‏ ‎the ‎valid‏ ‎time ‎frame‏ ‎to ‎generate‏ ‎state‏ ‎cookies ‎for‏ ‎a ‎longer ‎period.

📌Example: The ‎native ‎Azure‏ ‎Management ‎portal‏ ‎application‏ ‎does ‎not ‎validate‏ ‎the ‎token‏ ‎granted ‎by ‎the ‎SSO,‏ ‎allowing‏ ‎an ‎attacker‏ ‎to ‎use‏ ‎a ‎stolen ‎token ‎to ‎gain‏ ‎unauthorized‏ ‎access.

PingFederate

📌Overview: PingFederate ‎is‏ ‎an ‎SSO‏ ‎solution ‎that ‎uses ‎third-party ‎adapters‏ ‎to‏ ‎perform‏ ‎authentication. ‎These‏ ‎adapters ‎can‏ ‎be ‎chained‏ ‎into‏ ‎an ‎authentication‏ ‎policy ‎flow.

📌Vulnerability: The ‎research ‎found ‎that‏ ‎if ‎the‏ ‎relying‏ ‎party ‎developer ‎does‏ ‎not ‎validate‏ ‎the ‎OIDC ‎token ‎(or‏ ‎SAML‏ ‎Response), ‎the‏ ‎MITM ‎attack‏ ‎can ‎be ‎successful.

📌Attack ‎Method: The ‎attack‏ ‎exploits‏ ‎the ‎weakest‏ ‎link ‎in‏ ‎the ‎authentication ‎chain. ‎Since ‎the‏ ‎SSO‏ ‎protocols‏ ‎rely ‎on‏ ‎granting ‎tokens‏ ‎that ‎can‏ ‎be‏ ‎reused ‎by‏ ‎different ‎devices, ‎an ‎attacker ‎can‏ ‎hijack ‎the‏ ‎session‏ ‎by ‎stealing ‎these‏ ‎tokens.

📌Example: The ‎PingOne‏ ‎adapter ‎can ‎be ‎used‏ ‎with‏ ‎FIDO2 ‎capabilities.‏ ‎If ‎the‏ ‎OIDC ‎token ‎is ‎not ‎validated,‏ ‎an‏ ‎attacker ‎can‏ ‎bypass ‎FIDO2‏ ‎protections ‎and ‎gain ‎unauthorized ‎access.

Yubico‏ ‎Playground

📌Overview: Yubico‏ ‎Playground‏ ‎is ‎a‏ ‎testing ‎environment‏ ‎for ‎FIDO‏ ‎security‏ ‎features ‎and‏ ‎keys.

📌Vulnerability: The ‎research ‎showed ‎that ‎a‏ ‎simple ‎session‏ ‎cookie‏ ‎generated ‎after ‎FIDO2‏ ‎authentication ‎can‏ ‎be ‎exploited.

📌Attack ‎Method: There ‎is‏ ‎no‏ ‎validation ‎on‏ ‎the ‎device‏ ‎that ‎requested ‎the ‎session ‎cookie.‏ ‎Any‏ ‎device ‎can‏ ‎use ‎this‏ ‎cookie ‎until ‎it ‎expires, ‎allowing‏ ‎an‏ ‎attacker‏ ‎to ‎bypass‏ ‎the ‎authentication‏ ‎step.

📌Example: ‎By‏ ‎acquiring‏ ‎the ‎session‏ ‎cookie, ‎an ‎attacker ‎can ‎access‏ ‎the ‎user’s‏ ‎private‏ ‎area ‎and ‎remove‏ ‎the ‎security‏ ‎key ‎from ‎the ‎user’s‏ ‎profile,‏ ‎demonstrating ‎a‏ ‎straightforward ‎session‏ ‎hijacking ‎scenario

Показать еще

Обновления проекта

Метки

overkillsecurity 142 overkillsecuritypdf 52 news 47 keypoints 38 nsa 26 fbi 25 adapt tactics 11 Living Off the Land 11 LOTL 11 unpacking 10 vulnerability 9 cyber security 8 Digest 8 edge routers 8 Essential Eight Maturity Model 8 malware 8 Maturity Model 8 Monthly Digest 8 research 8 ubiquiti 8 IoT 7 lolbin 7 lolbins 7 Cyber Attacks 6 phishing 6 Forensics 5 Ransomware 5 soho 5 authToken 4 BYOD 4 MDM 4 OAuth 4 Energy Consumption 3 IoMT 3 medical 3 ai 2 AnonSudan 2 authentication 2 av 2 battery 2 Buffer Overflow 2 console architecture 2 cve 2 cybersecurity 2 energy 2 Google 2 incident response 2 MITM 2 mqtt 2 Passkeys 2 Retro 2 Velociraptor 2 video 2 Vintage 2 vmware 2 windows 2 1981 1 5g network research 1 8-bit 1 Ad Removal 1 Ad-Free Experience 1 ADCS 1 advisory 1 airwatch 1 AlphV 1 AMSI 1 android 1 Android15 1 announcement 1 antiPhishing 1 AntiPhishStack 1 antivirus 1 Apple 1 Atlassian 1 Attack 1 AttackGen 1 BatBadBut 1 Behavioral Analytics 1 BianLian 1 bias 1 Biocybersecurity 1 Biometric 1 bite 1 bitlocker 1 bitlocker bypass 1 Black Lotus Labs 1 blackberry 1 blizzard 1 botnet 1 Browser Data Theft 1 BucketLoot 1 CellularSecurity 1 checkpoint 1 china 1 chisel 1 cisa 1 CloudSecurity 1 CloudStorage 1 content 1 content category 1 cpu 1 Credential Dumping 1 CVE-2023-22518 1 CVE-2023-35080 1 CVE-2023-38043 1 CVE-2023-38543 1 CVE-2024-0204 1 CVE-2024-21111 1 CVE-2024-21345 1 cve-2024-21447 1 CVE-2024-24919 1 CVE-2024-26218 1 cve-2024-27129 1 cve-2024-27130 1 cve-2024-27131 1 cve-2024-3400 1 cvss 1 cyber operations 1 Cyber Toufan Al-Aqsa 1 cyberops 1 D-Link 1 dark pink apt 1 data leakage 1 dcrat 1 Demoscene 1 DevSecOps 1 Dex 1 disassembler 1 DOS 1 e8mm 1 EDR 1 Embedded systems 1 Employee Training 1 EntraID 1 ESC8 1 Event ID 4663 1 Event ID 4688 1 Event ID 5145 1 Evilginx 1 EvilLsassTwin 1 Facebook 1 FBI IC3 1 FIDO2 1 filewave 1 Firebase 1 Firmware 1 Fortra's GoAnywhere MFT 1 france 1 FraudDetection 1 fuxnet 1 fuzzer 1 game console 1 gamification 1 GeminiNanoAI 1 genzai 1 go 1 GoogleIO2024 1 GooglePlayProtect 1 GoPhish 1 gpu 1 ICS 1 ICSpector 1 IDA 1 IncidentResponse 1 Industrial Control Systems 1 jazzer 1 jetbrains 1 jvm 1 KASLR 1 KillNet 1 LeftOverLocals 1 Leviathan 1 lg smart tv 1 lockbit 1 LSASS 1 m-trends 1 Machine Learning Integration 1 Mallox 1 MalPurifier 1 mandiant 1 MediHunt 1 Meta Pixel 1 ML 1 mobile network analysis 1 mobileiron 1 nes 1 nexus 1 NGO 1 Nim 1 Nimfilt 1 NtQueryInformationThread 1 OFGB 1 oracle 1 paid content 1 panos 1 Passwordless 1 Phishing Resilience 1 PingFederate 1 Platform Lock-in Tool 1 PlayIntegrityAPI 1 PlayStation 1 playstation 2 1 playstation 3 1 plc 1 podcast 1 Privilege Escalation 1 ps2 1 ps3 1 PulseVPN 1 qcsuper 1 qemu 1 qualcomm diag protocol 1 radio frame capture 1 Raytracing 1 Real-time Attack Detection 1 Red Team 1 Registry Modification 1 Risk Mitigation 1 RiskManagement 1 rodrigo copetti 1 rooted android devices 1 Router 1 rust 1 Sagemcom 1 sandworm 1 ScamCallDetection 1 security 1 Security Awareness 1 session hijacking 1 SharpADWS 1 SharpTerminator 1 shellcode 1 SIEM 1 Siemens 1 skimming 1 Smart Devices 1 snes 1 SSO 1 stack overflow 1 TA427 1 TA547 1 TDDP 1 telecom security 1 Telegram 1 telerik 1 TeleTracker 1 TEMP.Periscope 1 Terminator 1 Think Tanks 1 Threat 1 threat intelligence 1 threat intelligence analysis 1 Threat Simulation 1 tool 1 toolkit 1 tp-link 1 UK 1 UserManagerEoP 1 uta0218 1 virtualbox 1 VPN 1 vu 1 wargame 1 Web Authentication 1 WebAuthn 1 webos 1 What2Log 1 Windows 11 1 Windows Kernel 1 Windstream 1 women 1 WSUS 1 wt-2024-0004 1 wt-2024-0005 1 wt-2024-0006 1 xbox 1 xbox 360 1 xbox original 1 xss 1 Yubico 1 Z80A 1 ZX Spectrum 1 Больше тегов

Фильтры

Пн
Вт
Ср
Чт
Пт
Сб
Вс
28
29
30
31
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
1

Подарить подписку

Будет создан код, который позволит адресату получить бесплатный для него доступ на определённый уровень подписки.

Оплата за этого пользователя будет списываться с вашей карты вплоть до отмены подписки. Код может быть показан на экране или отправлен по почте вместе с инструкцией.

Будет создан код, который позволит адресату получить сумму на баланс.

Разово будет списана указанная сумма и зачислена на баланс пользователя, воспользовавшегося данным промокодом.

Добавить карту
0/2048