In this article (which is the first part of the report) we analyze common TTPs of implants used by threat actors to establish a persistent remote access channel into the infrastructure of...
Gain a deeper understanding of why it's essential to monitor non-standard pods and containers, including static pods, mirror pods, init containers, pause containers, and ephemeral containers...
In the earlier posts in this series, we showed not only how to get rid of unused access keys, but also how to minimize risk by applying a least-privilege strategy. In this final post, we’ll at...
It’s that time of year again where we head out to the desert, more specifically Las Vegas, for what is known as Hacker Summer Camp to attend Black Hat and DEF CON 31! Like previous years, the...
Howdy! I’m finally back with another malware deep dive report. This time we are digging into GCleaner. GCleaner is a Pay-Per-Install (PPI) loader first discovered in early 2019; it has been used...
In this protocol, it's a standard auction but the lowest price wins. If a user gets outbid, they get a refund but must call a function in order to perform the refund. The sale is considered ended...
On 2023-07-14, an incident was reported involving TraderTraitor, which gained initial access via End-user compromise to achieve a Supply chain attack.
The authors knew about a potential RCE in Adobe ColdFusion. So, they went to the Java code and started diffing from the previous version. While doing this, they found the function...
Threat actor profiles are made for a range of reasons. One example trigger for creating a new profile is an incident, e.g., after an internal detection or supply chain breach has been...
1. EXECUTIVE SUMMARY. CVSS v3 8.2. ATTENTION: Low attack complexity. Vendor: Becton, Dickinson and Company (BD). Equipment: Alaris PCU, Guardrails Editor, Systems Manager, Calculation...
A cloud attack campaign possibly orchestrated by the threat actor known as TeamTNT. The campaign primarily involves an aggressive cloud worm that targets JupyterLab and Docker APIs to deploy...
PyLoose is a newly discovered Python-based fileless malware targeting cloud workloads. Get a breakdown of how the attack unfolds and the steps to mitigate it.
On 2023-07-11, a campaign was reported involving Storm-0558, which gained initial access via End-user compromise while using Phishing and LSASS dumping, with unknown impact. The following tools were...
In mid-2023, an unknown financially-motivated threat actor began targeting publicly exposed Jupyter Notebook instances to hijack them for running cryptomining operations. The threat actor deployed...
On 2023-07-11, a campaign was reported involving APT31; the initial access vector is not recorded. The following tools were observed: Rekoobe.
In July 2023, Microsoft disclosed that Storm-0558, a threat actor attributed to China, managed to acquire a signing key that allowed them to gain illicit access to Exchange and Outlook accounts....
In July 2023, details of recent activities related to ScarletEel were published, showing the advancement of the attacker over time. The threat actors expanded their arsenal to include new tools...
On red team engagements, I often use social engineering to get one of my client’s employees to run my malicious code on their machines, allowing me to get access to their system. A typical...
I’ve written a couple of blog posts in the past in which I explain how to use Marcus Mengs’ truly excellent P4wnP1. The most common deployment scenario involves a Raspberry Pi Zero W, or possibly...
Key findings and full report from the 6th year of the Active Cyber Defence (ACD) programme.
ERC777 is a well-known token standard for Non-Fungible Tokens (NFTs). Hooks are defined on these NFTs to allow users to perform operations on either receiving or sending NFTs. How...
When the mmap() system call is made, the kernel generates a structure to represent this allocated memory in the Virtual Memory Area (VMA). The structure vm_area_struct contains various items for...
Dynamic linker hijacking via LD_PRELOAD is a Linux rootkit technique utilized by different threat actors in the wild. In part one of this series on Linux rootkits, we discuss this threat and...
Recently, I decided to take a look at Steampipe again. I like SQL and the structure it provides, and after playing around a bit I figured: “Wouldn’t it be cool to write a plugin for the immensely...
In June 2023, Storm-0978 launched a campaign exploiting the CVE-2023-36884 vulnerability, a remote code execution flaw in Microsoft Word documents. This campaign targeted defense and government...
Ubuntu accountsservice is a package that allows for the querying and manipulating of user account information. This is done via D-Bus interfaces; D-Bus is an IPC mechanism used by Linux desktops....
LibreOffice is an open-source alternative to Microsoft Office. LibreOffice has a word processor, spreadsheet, presentation tool and a desktop database. The author decided to take a look at the...
The old Ethereum was proof of work. Now, the system is proof of stake, where the stake is an amount of money that participants put up as collateral, at risk if they act maliciously. Anybody can stake 32 ETH to become...
Silo Finance creates isolated lending markets. This is done by having every token asset in its own lending market. Additionally, it is paired against the bridge assets ETH and XAI (Silo's...
Move-based blockchains are still fairly rare at this point. To my knowledge, only Sui and Aptos are using it. Move by itself is not completely safe from cross-contract alterations and other...