HackDig : Dig high-quality web security articles

BITS for Script Kiddies

Introduction. Well, I finally popped a box, but the EDR keeps sucking up all my tools. There must be a way to do some basic things on the box without getting caught. How can I poke around and do some stuff without possibly burning all my tools? After all the hard work of getting onto a box, the endpoint security protection quarantines your hacking/malic
Published: 2021-04-13 15:51 | Reads: 163 | Comments: 0 | Tags: Research

Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild

While analyzing the CVE-2021-1732 exploit originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and after confirmation that it is indeed a zero-day, it received the designation
Published: 2021-04-13 13:57 | Reads: 160 | Comments: 0 | Tags: Research Microsoft Windows Vulnerabilities and exploits Zero

COFFLoader: Building your own in memory loader or how to run BOFs

Intro. Have you heard of the new Beacon Object File (BOF) hotness? Have you ever thought that you should be able to run those outside of Cobalt Strike? Well, if that’s the case, you came to the right place. In this post, we’ll go through the basic steps of understanding and building an in-memory loader for any type of format be that an Executab
Published: 2021-02-22 14:00 | Reads: 272 | Comments: 0 | Tags: Research

Front, Validate, and Redirect

In the age of threat hunting, automated mass scanning, and the occasionally curious SOC, properly securing your command and control (C2) infrastructure is key to any engagement. While many setups today include a CDN Domain Front with a custom Nginx or Apache ruleset sprinkled on top, I wanted to share my recipe for success. Fully (ab)using the services provi
Published: 2021-02-16 13:42 | Reads: 364 | Comments: 0 | Tags: Penetration Testing Red Team Adversarial Attack Simulation R

Group Policy for Script Kiddies

Introduction. I’ve finally moved up in the world and am pwning companies instead of n00bs, but all the workstations are locked down. What is this Group Policy thing? Why is it harshing my mellow? So, you’ve finally moved up into the big leagues. You’re no longer wasting your time hacking your friends, parents, or that camping scrub from Fort
Published: 2021-02-11 12:48 | Reads: 310 | Comments: 0 | Tags: Research

Tailoring Cobalt Strike on Target

We’ve all been there: you’ve completed your initial recon, sent in your emails to gather those leaked HTTP headers, spent an age configuring your malleable profile to be just right, set up your CDNs, and spun up your redirectors. Then it’s time, you send in your email aaaaaand…nothing. You can see from your DNS diagnostic callbacks that
Published: 2021-01-28 13:24 | Reads: 303 | Comments: 0 | Tags: Penetration Testing Red Team Adversarial Attack Simulation R

Elaborate Scam App Impersonates Leading Asian Bank; Victims Duped into ‘Investing’

Campaign is still active and growing; second bank app identified. Zimperium, in collaboration with a leading Asian bank, has uncovered the early stages of a coordinated effort by scammers to defraud existing and new bank customers. In this blog, we will: Alert the general public about the scam before it gains traction; Outline the entire scam around the f
Published: 2021-01-20 14:02 | Reads: 519 | Comments: 0 | Tags: App Security apps banking apps Research scamware zLabs

SolarWinds Backdoor (Sunburst) Incident Response Playbook

Over the last several days, TrustedSec has received queries on the best ways to contain, eradicate, and remediate the SolarWinds backdoor (aka #solarigate aka Sunburst). The TrustedSec Incident Response team has put together a playbook of recommended actions to provide some level of assurance that your organization is no longer affected by the backdoor. T
Published: 2020-12-17 19:06 | Reads: 530 | Comments: 0 | Tags: Incident Response Incident Response & Forensics Research Sec

Dox, steal, reveal. Where does your personal data end up?

The technological shift that we have been experiencing for the last few decades is astounding, not least because of its social implications. Every year the online and offline spheres have become more and more connected and are now completely intertwined, leading to online actions having real consequences in the physical realm — both good and bad. One of the
Published: 2020-12-01 07:19 | Reads: 611 | Comments: 0 | Tags: Featured Research Cyberbullying Cybercrime Darknet Data leak

On the trail of the XMRig miner

As protection methods improve, the developers of miners have had to enhance their own creations, often turning to non-trivial solutions. Several such solutions (previously unseen by us) were detected during our analysis of the open source miner XMRig. How it all began: ransominer. Alongside well-known groups that make money from data theft and ransomware (for
Published: 2020-10-22 07:54 | Reads: 634 | Comments: 0 | Tags: Featured Research Cryptocurrencies Financial malware Miner T

GravityRAT: The spy returns

In 2018, researchers at Cisco Talos published a post on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its creators are believed to be Pakistani hacker groups. According to our information, the campaign has been active since at least 2015, and previous
Published: 2020-10-19 06:59 | Reads: 671 | Comments: 0 | Tags: Featured Research Cyber espionage Phishing Phishing websites

Setting the ‘Referer’ Header Using JavaScript

Or, “I’m Sorry, You Said You’re from Where Again?” In a prior webinar on creating weaponized Cross-Site Scripting (XSS) payloads, I mentioned that XSS payloads (written in JavaScript) could not change the HTTP Referer header. Malicious requests made through an XSS payload will often have an unexpected Referer header that does not generally make sense in t
Published: 2020-09-30 11:38 | Reads: 573 | Comments: 0 | Tags: Application Security Assessment Mobile Security Assessment P

Looking for sophisticated malware in IoT devices

One of the motivations for this post is to encourage other researchers who are interested in this topic to join in, to share ideas and knowledge and to help build more capabilities in order to better protect our smart devices. Research background. Smart watches, smart home devices and even smart cars – as more and more connected devices join the IoT ecosystem
Published: 2020-09-30 10:56 | Reads: 766 | Comments: 0 | Tags: Featured Research Firmware Internet of Things Linux Malware

Operation PowerFall: CVE-2020-0986 and variants

In August 2020, we published a blog post about Operation PowerFall. This targeted attack consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer 11 and an elevation of privilege exploit targeting the latest builds of Windows 10. While we already described the exploit for Internet Explorer in the original blog post, we also p
Published: 2020-09-02 06:35 | Reads: 2034 | Comments: 0 | Tags: Featured Research Malware Technologies Microsoft Windows Vul

Internet Explorer and Windows zero-day exploits used in Operation PowerFall

Executive summary. In May 2020, Kaspersky technologies prevented an attack on a South Korean company by a malicious script for Internet Explorer. Closer analysis revealed that the attack used a previously unknown full chain that consisted of two zero-day exploits: a remote code execution exploit for Internet Explorer and an elevation of privilege exploit for
Published: 2020-08-12 03:19 | Reads: 1504 | Comments: 0 | Tags: Featured Research Malware Technologies Microsoft Internet Ex