Notes


Adventures with KernelCallbackTable Injection

Lately, I came across KernelCallbackTable, which could be abused to inject shellcode into a remote process. This method of process injection was used by FinFisher/FinSpy and Lazarus.

This post walks through the journey I took and the hurdles I encountered to make process injection via KernelCallbackTable work according to what I wanted.

CoinsIO database leak

Wow! Check out this SQL CoinsIO file, right there on their server, up for grabs. Any bets on how long it will take them to remove it?

Skanuvaty - dangerously fast dns/network/port scanner, all-in-one

Start with a domain, and we’ll find everything about it; it outputs a handy .json file with all the data for further investigation.

Runs as fast as your computer/network/DNS resolver allows. A test run for 10.000 subdomains tested all of them in ~20 seconds with concurrency set to 16 on a machine with 16 (logical) cores.

Features:

  • Finds subdomains from root domain
  • Finds IPs for subdomains
  • Checks what ports are open on those IPs (Notice: not yet implemented)

How I chained two vulnerabilities to steal credit card details

This is a report I created for one of the engagements I performed recently. The goal of the engagement was to find out if there is a way to steal credit card details by using client side vulnerabilities. Everything after this is a report as a whole.

I was engaged to perform a restricted depth-first assessment of a web application “XYZ” to verify if there is a way to exploit client-side vulnerabilities to steal credit card information of the users. As a result of the engagement, I was successful in exploiting a self cross-site scripting chained with cross-site request forgery to steal the victims’ credit card details. This document details my approaches, findings and ways to remediate the vulnerabilities.

How I hacked one of the biggest airlines group in the world

About a year ago, when I started my first forays into HackerOne, I discovered one of the most impactful bugs I’ve ever come across. It was January 2021, when I received a private invitation to a VDP (Vulnerability Disclosure Program); it was from an airline group. So I decided to try hacking in that program, because at that time I didn’t give much priority to bounties, since I wanted to learn and earn my first points on the platform.

After a few minutes investigating the scope of the program, I realized that they were using a unified login system for most of the companies that were in scope, mostly airline websites, among others. I decided to analyze the “Forgot your password?” endpoint first. So I entered my email and waited for the email in which I would receive the link to change the password.

Brave De-AMP: Cutting Out Google and Enhancing Privacy

Brave is rolling out a new feature called De-AMP, which allows Brave users to bypass Google-hosted AMP pages, and instead visit the content’s publisher directly. AMP harms users’ privacy, security and internet experience, and just as bad, AMP helps Google further monopolize and control the direction of the Web.

Brave will protect users from AMP in several ways. Where possible, De-AMP will rewrite links and URLs to prevent users from visiting AMP pages altogether. And in cases where that is not possible, Brave will watch as pages are being fetched and redirect users away from AMP pages before the page is even rendered, preventing AMP/Google code from being loaded and executed.

Killnet is playing with the NATO CCDCOE infrastructure

Killnet is playing with the NATO CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence) infrastructure.

NATO, WE’RE FUCKING YOU WHILE YOU’RE DOING A CYBER TOURNAMENT. LET’S PLAY FOR REAL 😚

They seem serious because they’re going for the Estonian airports’ infrastructure (they went for the Polish and Czech airport websites in the days before); the main Tallinn airport website is down.

I guess this calls for Anony🐭 to release another version of VLC Player.

RCE vulnerability found in Qualcomm/MediaTek chips

Check Point Research discovered vulnerabilities in the ALAC format that could have allowed an attacker to remotely gain access to a device’s media and audio conversations.

MediaTek and Qualcomm, the two largest mobile chipset manufacturers in the world, used the ALAC audio coding in their widely distributed mobile handsets, putting millions of Android users’ privacy at risk.

The research, dubbed “ALHACK”, finds that two thirds of all smartphones sold in 2021 are vulnerable.

Qualcomm and MediaTek acknowledged the vulnerabilities flagged by CPR and released patches and fixes in response.

Largest Mobile Chipset Manufacturers used Vulnerable Audio Decoder, 2/3 of Android users’ Privacy around the World were at Risk

Security experts in a nutshell

If your recommended security “experts” are Amanda “malware unicorn” Rousseau, Marcus “malwaretech” Hutchins, Thomas “tfatcek” Ptacek or the South African asshole formerly known as thegrugq, you need to reconsider your career choices.

Same thing if you link to Bleepingshithole news crap.

My condolences to thegrugq

My condolences to thegrugq, who went from selling 0days for “hundreds of thousands” bucks to begging for coffee money on Patreon.

Life sucks, doesn’t it, Tchad?

Ads r bad

→ in reply to @note#1650460129

If a product has an ad, it’s money not spent on improving the product and is instead money spent on trying to psychologically manipulate people into buying your broken product.

Ads on websites

If a site requires ads to survive then it would be better if it didn’t.

Weaponize Selenium to abuse Chromium-based browsers

EvilSelenium is a new project that weaponizes Selenium to abuse Chromium-based browsers.

Features:

  • Steal stored credentials (via autofill)
  • Steal cookies
  • Take screenshots of websites
  • Dump Gmail/O365 emails
  • Dump WhatsApp messages
  • Download & exfiltrate files
  • Add SSH keys to GitHub

VSTO office files are the new macro nightmare?

Visual Studio Tools for Office (VSTO) has the capability to export an Add-In which is embedded inside an Office document file (such as a Word DOCX). If this document is delivered in the right way (to avoid some inbuilt mitigations), it provides rich capabilities for attackers to phish users and gain code execution on a remote machine through the installation of a Word Add-In.

Office itself even provides an automatic update capability, which can be used by attackers to update payloads remotely. Make phishing great again.

Moriarty Project

Moriarty tries to find important information about a specific phone number.

Features:

  • Tries to find the owner of the phone number.
  • Spam risk.
  • Comments about the phone number.
  • Linked social media platforms.
  • Reports, searches, DuckDuckGo results etc.

Collection of WordPress Malware

Collection of the most common WordPress malware collected over the years. Files are organized in directories by the day they were discovered by CXS or Imunify360.

NATO CCDCOE data floating around the Dark Web

There are some files floating around the Dark Deep Hidden Black Web with personal (and not only) data from the NATO CCDCOE (NATO Cooperative Cyber Defence Centre of Excellence). Not much of a cyber defense, right?

Screw your apps

Screw your apps. Screw your karma. Screw your need to know what we’re all about.

Twitter is only good for 3 things

Twitter is only good for 3 things:

  • Getting the opinions of porn stars on current events, reminding us that they too are people, albeit usually not on the upper end of the decision-making spectrum.
  • Finding the latest political dispute that seems to be happening.
  • Propaganda machine.

Microsoft patches 128 vulnerabilities in a list of products, including Windows

In a traditional Patch Tuesday update, Microsoft fixed a total of 128 vulnerabilities in various products and components. Of those, at least 10 are critical, at least two were known before the release of the patches and at least one of them was already actively exploited by unknown attackers. This is why it is a good idea to update the operating system and other products as soon as possible.

According to the information available at this moment, CVE-2022-24521 seems to be the most dangerous of the bunch. It is a vulnerability in the Windows Common Log File System (CLFS) driver and is associated with privilege elevation. Despite a not-so-impressive CVSS:3.1 rating (7.8), it’s fairly easy to exploit, which, in fact, some unknown attackers are already doing.