Security Operations

A place for all things Cyber Security, from questions, rants, and stories, to the latest attacks, vulnerabilities, and zero days.

founded 2 years ago
MODERATORS
L3s
submitted 1 year ago by L4s to c/secops

Good Day Ransomware malware analysis::Good Day ransomware technical malware analysis

How to detect Wi-Fi deauthentication attack and even receive notification on your smartphone::A Wi-Fi deauthentication attack, also known as a "deauth attack" or "disassociation attack," is a type of denial-of-service that targets wireless networks. The primary goal of this attack is to disconnect or deauthenticate devices (such as smartphones, laptops, cameras or IoT devices) from a Wi-Fi network. This can be done by anyone with a Wi-Fi
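
A deauthentication flood is easy to spot once you look at the raw management frames: deauth (subtype 12) and disassociation (subtype 10) frames are rare on a healthy network, and a spoofed flood sends dozens per second, usually to the broadcast address, from the AP's own BSSID. The detector below is an added example, not code from the linked article: it parses bare 802.11 management frames (strip any radiotap header first), counts deauth/disassoc frames per BSSID in a sliding window, and raises one alert per window when the count crosses a threshold. The sample capture, the threshold of 10 frames in 2 seconds, and the class and function names are assumptions made for illustration.

```python
"""Detect Wi-Fi deauthentication / disassociation floods from raw 802.11 frames.

Added example (not code from the linked article). Input is the bare 802.11 MAC
frame; strip any radiotap header first if you feed it captured frames.
Threshold and window are assumptions chosen for illustration."""
import struct
from collections import defaultdict, deque

MGMT_TYPE = 0          # frame-control type 0 = management
SUBTYPE_DISASSOC = 10  # management subtype 0xA
SUBTYPE_DEAUTH = 12    # management subtype 0xC
BROADCAST = "ff:ff:ff:ff:ff:ff"
SUBTYPE_NAMES = {SUBTYPE_DISASSOC: "disassoc", SUBTYPE_DEAUTH: "deauth"}


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes(int(part, 16) for part in text.split(":"))


def parse_mgmt_frame(frame):
    """Return (subtype, dst, src, bssid, reason) for a deauth/disassoc frame, else None.

    Layout: frame control (2) | duration (2) | addr1 DA (6) | addr2 SA (6) |
    addr3 BSSID (6) | sequence control (2) | reason code (2, little-endian)."""
    if len(frame) < 26:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3
    subtype = (fc0 >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in SUBTYPE_NAMES:
        return None
    dst, src, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = struct.unpack_from("<H", frame, 24)[0]
    return subtype, dst, src, bssid, reason


def build_frame(subtype, dst, src, bssid, reason, seq=0):
    """Serialise a constructed deauth/disassoc frame (used here to make sample input)."""
    fc = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    duration = struct.pack("<H", 0)
    seq_ctrl = struct.pack("<H", (seq & 0xFFF) << 4)
    return (fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid)
            + seq_ctrl + struct.pack("<H", reason))


class DeauthDetector:
    """Sliding-window counter of deauth/disassoc frames per BSSID.

    A single deauth is normal (a station leaving, an AP evicting an idle client);
    dozens per second, especially addressed to broadcast, is the flood that
    aireplay-style tools produce."""

    def __init__(self, threshold=10, window=2.0):
        self.threshold = threshold
        self.window = window
        self.seen = defaultdict(deque)   # bssid -> timestamps inside the window
        self.last_alert = {}             # bssid -> time of last alert (rate limit)

    def observe(self, ts, frame):
        parsed = parse_mgmt_frame(frame)
        if parsed is None:
            return None
        subtype, dst, src, bssid, reason = parsed
        q = self.seen[bssid]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        last = self.last_alert.get(bssid)
        if len(q) >= self.threshold and (last is None or ts - last >= self.window):
            self.last_alert[bssid] = ts
            return {"time": ts, "bssid": bssid, "count": len(q), "type": SUBTYPE_NAMES[subtype],
                    "broadcast": dst == BROADCAST, "reason": reason}
        return None


def detect(frames, threshold=10, window=2.0):
    """Run the detector over (timestamp, raw_frame) pairs and collect alerts."""
    det = DeauthDetector(threshold, window)
    alerts = []
    for ts, frame in frames:
        alert = det.observe(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


def simulate_capture():
    """Constructed sample capture, not a real pcap: one benign deauth at t=0,
    then 20 spoofed broadcast deauths from the AP's address within half a second."""
    ap, client = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01"
    frames = [(0.0, build_frame(SUBTYPE_DEAUTH, client, ap, ap, reason=3))]  # 3 = STA leaving
    for i in range(20):
        frames.append((10.0 + i * 0.025,
                       build_frame(SUBTYPE_DEAUTH, BROADCAST, ap, ap, reason=7, seq=i)))
    return frames


if __name__ == "__main__":
    for a in detect(simulate_capture()):
        print(f"[{a['time']:.3f}] {a['type']} flood on {a['bssid']}: {a['count']} frames "
              f"in window, broadcast={a['broadcast']}, reason={a['reason']}")
```

In a live deployment the frames come from a monitor-mode interface and the print call is replaced by whatever sends the smartphone notification (a push or webhook client). Keep the per-BSSID rate limit: without it a sustained flood would produce one alert per frame.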

How I made a heap overflow in curl

curl - SOCKS5 heap buffer overflow

CVE-2023-44487 - HTTP/2 Rapid Reset Attack Impacting F5 NGINX Products::Update your NGINX configuration to mitigate a possible denial-of-service attack implemented on the server-side portion of the HTTP/2 specification.
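
The advisory's fix is configuration: bound what one connection may do (NGINX's keepalive_requests and http2_max_concurrent_streams, kept at their defaults, plus limit_req/limit_conn). On the detection side, Rapid Reset has a clear signature in the raw HTTP/2 frames: the client sends HEADERS to open a stream and a RST_STREAM (usually error code CANCEL) for it almost immediately, thousands of times, so the reset count on a connection tracks the open count. The block below is an added example, not code from F5, NGINX or the advisory: it parses HTTP/2 frame headers from the client side of one connection and flags the pattern with a sliding window. The window of 1 s, the 50-reset minimum, the 0.8 ratio and the sample traffic are assumptions for illustration.

```python
"""Heuristic detector for HTTP/2 Rapid Reset (CVE-2023-44487) on one connection.

Added example, not code from the F5 advisory or from NGINX. It parses raw HTTP/2
frames and flags a client that opens streams and immediately cancels them.
The window, min_resets and min_ratio values are assumptions for illustration."""
import struct
from collections import deque

FRAME_HEADER_LEN = 9
TYPE_HEADERS = 0x1
TYPE_RST_STREAM = 0x3
FLAG_END_STREAM = 0x1
FLAG_END_HEADERS = 0x4
ERR_CANCEL = 0x8
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
# HPACK static-table indices for ":method GET", ":scheme http", ":path /" (constructed request)
HPACK_GET_ROOT = b"\x82\x86\x84"


def build_frame(ftype, stream_id, payload=b"", flags=0):
    """Serialise one frame: 24-bit length | type | flags | reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)


def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for every complete frame in data."""
    off = len(CLIENT_PREFACE) if data.startswith(CLIENT_PREFACE) else 0
    while off + FRAME_HEADER_LEN <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack_from(">I", data, off + 5)[0] & 0x7FFFFFFF
        start = off + FRAME_HEADER_LEN
        payload = data[start:start + length]
        if len(payload) < length:
            break  # truncated frame at the end of the buffer
        yield ftype, flags, stream_id, payload
        off = start + length


class RapidResetDetector:
    """Counts client-opened streams (HEADERS on a new odd stream id) and the
    RST_STREAMs that cancel them inside a sliding window. Rapid Reset shows up
    as a reset count near the open count: the client never waits for a response."""

    def __init__(self, window=1.0, min_resets=50, min_ratio=0.8):
        self.window, self.min_resets, self.min_ratio = window, min_resets, min_ratio
        self.opened = deque()   # timestamps of streams the client opened
        self.resets = deque()   # timestamps of client resets on those streams
        self.open_ids = set()

    def observe(self, ts, ftype, stream_id):
        if ftype == TYPE_HEADERS and stream_id % 2 == 1 and stream_id not in self.open_ids:
            self.open_ids.add(stream_id)
            self.opened.append(ts)
        elif ftype == TYPE_RST_STREAM and stream_id in self.open_ids:
            self.open_ids.discard(stream_id)
            self.resets.append(ts)
        else:
            return None
        for q in (self.opened, self.resets):
            while q and ts - q[0] > self.window:
                q.popleft()
        n_open, n_rst = len(self.opened), len(self.resets)
        if n_rst >= self.min_resets and n_rst / max(n_open, 1) >= self.min_ratio:
            return {"resets": n_rst, "opened": n_open}
        return None


def scan_connection(chunks, **kwargs):
    """chunks: (timestamp, bytes) pairs as read from the client side of one TCP connection."""
    det = RapidResetDetector(**kwargs)
    result = {"alerted": False, "alert_at": None, "resets_at_alert": None,
              "total_headers": 0, "total_resets": 0}
    for ts, data in chunks:
        for ftype, _flags, sid, _payload in iter_frames(data):
            if ftype == TYPE_HEADERS:
                result["total_headers"] += 1
            elif ftype == TYPE_RST_STREAM:
                result["total_resets"] += 1
            alert = det.observe(ts, ftype, sid)
            if alert and not result["alerted"]:
                result.update(alerted=True, alert_at=ts, resets_at_alert=alert["resets"])
    return result


def simulate_benign():
    """Constructed: five GETs one second apart, one of them cancelled by the client."""
    chunks = [(float(i), build_frame(TYPE_HEADERS, sid, HPACK_GET_ROOT,
                                     FLAG_END_HEADERS | FLAG_END_STREAM))
              for i, sid in enumerate((1, 3, 5, 7, 9))]
    chunks.append((1.5, build_frame(TYPE_RST_STREAM, 3, struct.pack(">I", ERR_CANCEL))))
    return sorted(chunks, key=lambda c: c[0])


def simulate_rapid_reset(streams=200, per_chunk=20):
    """Constructed: HEADERS immediately followed by RST_STREAM(CANCEL) for 200 streams,
    delivered in 20-stream bursts every 10 ms, the Rapid Reset pattern."""
    chunks, sid = [], 1
    for k in range(streams // per_chunk):
        buf = CLIENT_PREFACE if k == 0 else b""
        for _ in range(per_chunk):
            buf += build_frame(TYPE_HEADERS, sid, HPACK_GET_ROOT, FLAG_END_HEADERS | FLAG_END_STREAM)
            buf += build_frame(TYPE_RST_STREAM, sid, struct.pack(">I", ERR_CANCEL))
            sid += 2
        chunks.append((k / 100, buf))
    return chunks


if __name__ == "__main__":
    print("benign:", scan_connection(simulate_benign()))
    print("attack:", scan_connection(simulate_rapid_reset()))
```

The detector only sees cleartext frames, so in practice it runs where TLS is terminated (the proxy itself, or a tap behind it). Note that the attack cost is on the server side: the detector is complementary to, not a replacement for, the per-connection limits the advisory asks you to keep.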

Microsoft is finally deprecating vbscript::Review the list of features that Microsoft is no longer actively developing in Windows 10 and Windows 11.

Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)::CVE-2023-43641 is a vulnerability in libcue, which can lead to code execution by downloading a file on GNOME.

Hacking GTA V RP Servers Using Web Exploitation Techniques::A technical blog

WatchGuard Firewall Clientless SSO sends out its password hashes to random devices on the network.::Picture this: a feature from a security appliance that willingly dispatches its password hashes to any device on the network. That is precisely what WatchGuard's SSO does under certain circumstances. Does a bad feature warrant filing a CVE? I'm not sure.

Python scanner for critical Atlassian Confluence vulnerability (CVE-2023-22515)::Scanner for CVE-2023-22515 - Broken Access Control Vulnerability in Atlassian Confluence (GitHub: ErikWynter/CVE-2023-22515-Scan)

Predator Files: Technical deep-dive into Intellexa Alliance's surveillance products::An exposé of the Intellexa Alliance's surveillance capabilities, including advanced spyware, mass surveillance platforms, and tactical systems for targeting and intercepting nearby devices.

Curl: Severity HIGH security problem to be announced with curl 8.4.0::Severity HIGH security problem to be announced with curl 8.4.0 on Oct 11

PoC exploit for CVE-2023-4911 "Looney Tunables"::PoC for CVE-2023-4911 (GitHub: leesh3288/CVE-2023-4911)

root with a single command: sudo logrotate::The scenario is this: a brand new Ubuntu 22.04 server has an account which is restricted to running sudo logrotate *. Can we get root? Short answer: Yes. I couldn’t find much online about this type of exploitation of logrotate, so let’s document something for future use.

Microsoft Defender flags Tor Browser as a Trojan and removes it from the system::Windows users have recently begun mass-reporting that Microsoft's Defender antivirus program, which is integrated into Windows 10 and 11 by default, is

cloudgrep: cloudgrep is grep for cloud storage::cloudgrep is grep for cloud storage (GitHub: cado-security/cloudgrep)

Six 0day exploits were filed against Exim by ZDI, including several RCE. After days of silence, Exim has filed this public detail

Someone tried baiting people into downloading malware on r/cybersecurity::Are there Darwin awards for skids burning their C2 infrastructure?

Lazarus luring employees with trojanized coding challenges: The case of a Spanish aerospace company::ESET researchers uncover a Lazarus attack against an aerospace company in Spain, where the group deployed several tools, including a publicly undocumented backdoor we named LightlessCan.

You Can't Control Your Data in the Cloud

Wifi without internet on a Southwest flight::I spent a recent flight finding out what I could do with a connection to the flight’s wifi, but without access to the internet. I was on my...

Cisco advisory: Reports about bad Actors Hiding in Router Firmware::On September 27, 2023, the U.S. National Security Agency (NSA), the U.S. Federal Bureau of Investigation (FBI), the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Japan National Police Agency (NPA), and the Japan National Center of Incident Readiness and Strategy for Cybersecurity (NISC) released a joint cybersecurity advisory (CSA) detailing activities of the cyber actors known as BlackTech.  For a description of this report, see People's Republic of China-Linked Cyber Actors Hide in Router Firmware. Cisco has reviewed the report. Cisco would like to highlight the following key facts:

The most prevalent initial access vector in these attacks involves stolen or weak administrative credentials. As outlined in the report, certain configuration changes, such as disabling logging and downloading firmware, require administrative credentials.

There is no indication that any Cisco vulnerabilities were exploited. Attackers used compromised credentials to perform administrative-level configuration and software changes.

Modern Cisco devices include secure boot capabilities, which do not allow the loading and executing of modified software images. For more information on secure boot, see the Cisco Trustworthy Technologies Data Sheet.

The stolen code-signing certificates mentioned in the report are not from Cisco. Cisco does not have any knowledge of code-signing certificates being stolen to perform any attack against Cisco infrastructure devices.

These key points align with Cisco's consistent stance and messaging, which advises customers to follow the best practices described in the Cisco blog post Attackers Continue to Target Legacy Devices. Modern network infrastructure devices now contain numerous security features and capabilities that mitigate the aforementioned attacks. The Cisco Secure Development Lifecycle (SDL) applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. As part of our ongoing commitment to network reliability, Cisco has recently launched an effort focused on network resiliency. For more information on this effort, see the Cisco Network Resilience portal. This advisory is available at the following link: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023

How to get persistent reverse shell from Android app without visible permissions to DoS device::This blog will introduce you to how it is possible to write a persistent reverse shell app on Android without any user-requested and visible permissions. Since such an application has no permissions, it shouldn’t be able to perform any task. Well, that isn’t true. We will take a quick look at how the Android permissions system works,

A tale about a Red Team exercise and the Forcepoint Endpoint One DLP client - vsociety::Introduction

I was preparing for a Red Team exercise. I cannot share the client or certain details of the exercise. Getting Initial Access was part of the task...

Analysis of CVE-2023-38831 Zero-Day vulnerability in WinRAR::A new WinRAR vulnerability, CVE-2023-38831 could allow attackers to take control of your computer so it's important to take action now
