A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures. Reverse Engineering tutorial
Notes
The iControl REST API of BIG-IP contains a flaw with a CVE score of 9.8: sending a request to the auth backend bypasses authentication and allows execution of arbitrary system commands and creation or deletion of files. PoC for CVE-2022-1388_F5_BIG-IP
One place for all the default credentials to assist pentesters during an engagement; this document contains default credentials for several products, gathered from several sources.
Most of the credentials are extracted from the changeme, routersploit and Seclists projects. Default Credentials Cheat Sheet
Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator or Interact.sh
Used for penetration testing and/or red-teaming etc. I created this tool because I needed a third-party tool to generate a bunch of PDF files with various links. Malicious PDF Generator
Trojans from the Trojan.AndroidOS.Jocker family can intercept codes sent in text messages and bypass anti-fraud solutions. They’re usually spread on Google Play, where scammers download legitimate apps from the store, add malicious code to them and re-upload them to the store under a different name. The trojanized apps fulfill their original purposes in most cases, and the user won’t suspect they are a source of threats. To bypass vetting on Google Play, the Trojan monitors whether it’s gone live. The malicious payload will remain dormant while the app is stalled at the vetting stage. Mobile subscription Trojans and their little tricks
“Raspberry Robin” is Red Canary’s name for a cluster of activity we first observed in September 2021 involving a worm that is often installed via USB drive. This activity cluster relies on msiexec.exe to call out to its infrastructure, often compromised QNAP devices, using HTTP requests that contain a victim’s user and device names. We also observed Raspberry Robin use TOR exit nodes as additional command and control (C2) infrastructure. Like most activity clusters we track, Raspberry Robin began as a handful of detections with similar characteristics that we saw in multiple customers’ environments, first noticed by Jason Killam from Red Canary’s Detection Engineering team. We saw Raspberry Robin activity as far back as September 2021, though most related activity occurred during or after January 2022. As we observed additional activity, we couldn’t find public reporting to corroborate our analysis, aside from some findings on VirusTotal that we suspected were related based on overlap in C2 domains. Raspberry Robin gets the worm early
Sophos webadmin portal auth bypass and RCE all in one script; the vulnerability affects Sophos Firewall v18.5 MR3 (18.5.3) and older. CVE-2022-1040-sophos-rce-poc
Avast’s “Anti Rootkit” driver (also used by AVG) has been found to be vulnerable to two high severity attacks that could potentially lead to privilege escalation by running code in the kernel from a non-administrator user. Avast and AVG are widely deployed products, and these flaws have potentially left many users worldwide vulnerable to cyber attacks.
Given that these products run as privileged services on Windows devices, such bugs in the very software that is intended to protect users from harm present both an opportunity to attackers and a grave threat to users. Vulnerabilities in Avast And AVG Put Millions At Risk
Google isn’t a search engine anymore but some kind of an index of promotional websites.
In February 2022 we observed the technique of putting the shellcode into Windows event logs for the first time “in the wild” during the malicious campaign. It allows the “fileless” last stage Trojan to be hidden from plain sight in the file system. Such attention to the event logs in the campaign isn’t limited to storing shellcodes. Dropper modules also patch Windows native API functions, related to event tracing (ETW) and anti-malware scan interface (AMSI), to make the infection process stealthier.
Besides event logs there are numerous other techniques in the actor’s toolset. Among them let us distinguish how the actor takes initial recon into consideration while developing the next malicious stages: the C2 web domain name mimicking the legitimate one and the name in use belonging to the existing and software used by the victim. For hosting the attacker uses virtual private servers on Linode, Namecheap, DreamVPS. A new secret stash for ‘fileless’ malware
People are afraid of being wrong. And in a world where more and more of what you say and do is connected to your digital “profile” you just aren’t incentivised to ask creative questions or propose creative answers. It limits human knowledge but people fear being associated with a “bad” answer.
Literal fire could be raining from the sky as buildings crumble to dust and some will still be claiming we’re going to the stars in 5 years.
PoC + vulnerability details for CVE-2022-25262 | JetBrains Hub single-click SAML response takeover.
The weakness consists of 2 parts:
- Usage of OAuth2 authorization code pool for “OAuth2 -> SAML” exchange process.
- Authorization code takeover using YouTrack Konnector integration.
CVE-2022-25262 - JetBrains Hub single-click SAML response takeover
Some Google dorks to find vulnerable CCTV cameras:
intitle:"Toshiba Network Camera" user login
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live View / – AXIS"
inurl:axis-cgi/mjpg (motion-JPEG) (disconnected)
inurl:axis-cgi/jpg
intitle:"sony network camera"
For a bird born in captivity, flight is a mental illness.
We are especially proud to present you Tails 5.0, the first version of Tails based on Debian 11 (Bullseye). It brings new versions of a lot of the software included in Tails and new OpenPGP tools. Tails 5.0 is out

geOSINT is a script that searches for geo-tagged photos on social media and plots them on a map. This can be used to perform OSINT on a physical location. If an image is found, a red marker is placed on the map. By clicking on this marker you can view the identified image.
geOSINT uses FourSquare, Flickr, and Twitter APIs to search for photos posted within a certain distance of the supplied address. At least one API key is required for geOSINT to return any results.
Optionally, if you want to use an aerial map, similar to Google Earth, a Mapbox API is required. geOSINT - Search physical locations for geo-tagged photos
VMware Workspace ONE Access and Identity Manager contain a remote code execution vulnerability due to server-side template injection. A malicious actor with network access can trigger a server-side template injection that may result in remote code execution.
On April 6, 2022, VMware published VMSA-2022-0011, which discloses multiple vulnerabilities discovered by Steven Seeley of Qihoo 360 Vulnerability Research Institute. The most critical of the CVEs published in VMSA-2022-0011 is CVE-2022-22954, which is a server-side template injection issue with a CVSSv3 base score of 9.8. The vulnerability allows an unauthenticated user with network access to the web interface to execute an arbitrary shell command as the VMware user. CVE-2022-22954 - VMware Workspace ONE Access and Identity Manager vulnerability
While the name “BoratRAT” might bring a certain comedian to mind, this threat is nothing to laugh at. BoratRAT is an all-in-one malware toolkit that is capable of a variety of destructive activities, including acting as a ransomware, and performing credential theft.
BoratRAT was first analyzed by researchers at Cyble, which gave us our first deep dive into this malware’s full range of features. In researching this threat further, we discovered some intriguing connections between BoratRAT, SantaRAT, and AsyncRAT. Threat Thursday: BoratRAT