URL: https://research.nccgroup.com/2022/08/19/back-in-black-unlocking-a-lockbit-3-0-ransomware-attack/

 * Rust for Security and Correctness in the embedded world
 * Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise
 * Retro Gaming Vulnerability Research: Warcraft 2
 * Public Report – Security Review of RSA Blind Signatures with Public Metadata
 * Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
 * Public Report – Aleo snarkVM Implementation Review
 * Technical Advisory – Multiple Vulnerabilities in Nagios XI
 * NCC Group’s 2022 & 2023 Research Report 
 * Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked
   setenv() call
 * Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
 * Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
 * Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape
   from NCC Group
 * The Spelling Police: Searching for Malicious HTTP Servers by Identifying
   Typos in HTTP Responses
 * Public Report – WhatsApp Auditable Key Directory (AKD) Implementation Review
 * Don’t throw a hissy fit; defend against Medusa
 * Demystifying Cobalt Strike’s “make_token” Command
 * Tool Release: Magisk Module – Conscrypt Trust User Certs
 * Post-exploiting a compromised etcd – Full control over the cluster and its
   nodes
 * D0nut encrypt me, I have a wife and no backups 
 * Popping Blisters for research: An overview of past payloads and exploring
   recent developments
 * Technical Advisory: Insufficient Proxyman HelperTool XPC Validation
 * Unveiling the Dark Side: A Deep Dive into Active Ransomware Families 
 * Public Report – Zcash FROST Security Assessment
 * Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual
   Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048,
   CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052)
 * Public Report – Caliptra Security Assessment
 * Introduction to AWS Attribute-Based Access Control
 * On Multiplications with Unsaturated Limbs
 * From ERMAC to Hook: Investigating the technical differences between two
   Android malware variants
 * Ruling the rules
 * HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack
 * Public Report – Entropy/Rust Cryptography Review
 * SIAM AG23: Algebraic Geometry with Friends
 * 5G security – how to minimise the threats to a 5G network
 * Real World Cryptography Conference 2023 – Part II
 * Technical Advisory – SonicWall Global Management System (GMS) & Analytics –
   Multiple Critical Vulnerabilities
 * LeaPFRogging PFR Implementations
 * Dancing Offbit: The Story of a Single Character Typo that Broke a
   ChaCha-Based PRNG
 * Public Report – Penumbra Labs R1CS Implementation Review
 * Demystifying Multivariate Cryptography
 * Building Intuition for Lattice-Based Signatures – Part 2: Fiat-Shamir with
   Aborts
 * Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
 * SysPWN – VR for Pwn2Own
 * Intel BIOS Advisory – Memory Corruption in HID Drivers 
 * Building Intuition for Lattice-Based Signatures – Part 1: Trapdoor Signatures
 * Tool Release: Cartographer
 * Tool Release – ScoutSuite 5.13.0
 * Overview of Modern Memory Security Concerns
 * Technical Advisory – Nullsoft Scriptable Installer System (NSIS) – Insecure
   Temporary Directory Usage
 * Public Report – Zcash Zebra Security Assessment
 * Getting per-user Conditional Access MFA status in Azure
 * Exploiting Noisy Oracles with Bayesian Inference
 * New Sources of Microsoft Office Metadata – Tool Release MetadataPlus
 * Dynamic Linq Injection Remote Code Execution Vulnerability (CVE-2023-32571)
 * Defeating Windows DEP With A Custom ROP Chain
 * Machine Learning 104: Breaking AES With Power Side-Channels
 * A Brief Review of Bitcoin Locking Scripts and Ordinals
 * How to Spot and Prevent an Eclipse Attack
 * Eurocrypt 2023: Death of a KEM
 * Reverse Engineering Coin Hunt World’s Binary Protocol
 * Technical Advisory – Multiple Vulnerabilities in Faronics Insight
   (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347,
   CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351,
   CVE-2023-28352, CVE-2023-28353)
 * Tool Release: Code Query (cq)
 * CowCloud
 * OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel
 * Tool Release: Code Credential Scanner (ccs)
 * Exploring Overfitting Risks in Large Language Models
 * The Paillier Cryptosystem with Applications to Threshold ECDSA
 * Rigging the Vote: Uniqueness in Verifiable Random Functions
 * Medical Devices: A Hardware Security Perspective
 * NETGEAR Routers: A Playground for Hackers?
 * Real World Cryptography Conference 2023 – Part I
 * Public Report – AWS Nitro System API & Security Claims
 * State of DNS Rebinding in 2023
 * Machine Learning 103: Exploring LLM Code Generation
 * HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
 * Public Report – Kubernetes 1.24 Security Audit
 * Public Report – Solana Program Library ZK-Token Security Assessment
 * Stepping Insyde System Management Mode
 * Breaking Pedersen Hashes in Practice
 * A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
 * Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run
   Payloads
 * A Primer On Slowable Encoders
 * Threat Spotlight – Hydra
 * Rustproofing Linux (Part 4/4 Shared Memory)
 * Rustproofing Linux (Part 3/4 Integer Overflows)
 * Security Code Review With ChatGPT
 * Rustproofing Linux (Part 2/4 Race Conditions)
 * Readable Thrift
 * Building WiMap the Wi-Fi Mapping Drone
 * Fuzzing the Easy Way Using Zulu
 * Exploiting CVE-2014-0282
 * Exploiting CVE-2014-0282
 * Rustproofing Linux (Part 1/4 Leaking Addresses)
 * Machine Learning 102: Attacking Facial Authentication with Poisoned Data
 * Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
 * Using Semgrep with Jupyter Notebook files
 * Announcing NCC Group’s Cryptopals Guided Tour: Set 2
 * Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB
   DFU (CVE-2022-2347)
 * Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store
   (CVE-2023-21433, CVE-2023-21434)
 * Project Bishop: Clustering Web Pages
 * Puckungfu: A NETGEAR WAN Command Injection
 * MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
 * Machine Learning 101: The Integrity of Image (Mis)Classification?
 * Replicating CVEs with KLEE
 * Public Report – VPN by Google One Security Assessment
 * Public Report – Confidential Space Security Review
 * Exploring Prompt Injection Attacks
 * Impersonating Gamers With GPT-2
 * So long and thanks for all the 0day
 * A jq255 Elliptic Curve Specification, and a Retrospective
 * Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
 * Tool Release – Web3 Decoder Burp Suite Extension
 * Tales of Windows detection opportunities for an implant framework
 * Check out our new Microcorruption challenges!
 * Toner Deaf – Printing your next persistence (Hexacon 2022)
 * Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and
   Related Classes
 * Public Report – IOV Labs powHSM Security Assessment
 * Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and
   CSF Tampering on NXP i.MX Devices
 * A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a
   ShadowPad intrusion
 * Detecting Mimikatz with Busylight
 * Whitepaper – Project Triforce: Run AFL On Everything (2017)
 * Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
 * Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router
   (CVE-2022-37413, CVE-2022-37414)
 * A Guide to Improving Security Through Infrastructure-as-Code
 * Tool Release – ScoutSuite 5.12.0
 * Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter
   Selection Review
 * Tool Release – Monkey365
 * Sharkbot is back in Google Play 
 * Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
 * There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
 * Conference Talks – September/October 2022
 * SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
 * Writing FreeBSD Kernel Modules in Rust
 * NCC Con Europe 2022 – Pwn2Own Austin Presentations
 * Tool Release – JWT-Reauth
 * Back in Black: Unlocking a LockBit 3.0 Ransomware Attack 
 * Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
 * Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 
 * Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
 * Top of the Pops: Three common ransomware entry techniques
 * NCC Group Research at Black Hat USA 2022 and DEF CON 30
 * Tool Release – insject: A Linux Namespace Injector
 * Technical Advisory – Multiple vulnerabilities in Nuki smart locks
   (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507,
   CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508,
   CVE-2022-32505)
 * NIST Selects Post-Quantum Algorithms for Standardization
 * Climbing Mount Everest: Black-Byte Bytes Back?
 * Five Essential Machine Learning Security Papers
 * Whitepaper – Practical Attacks on Machine Learning Systems
 * Flubot: the evolution of a notorious Android Banking Malware
 * A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would
   have prevented
 * Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control
   link
 * Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities
   in U-Boot (CVE-2022-30790, CVE-2022-30552)
 * Understanding the Impact of Ransomware on Patient Outcomes – Do We Know
   Enough?
 * Public Report – Threshold ECDSA Cryptography Review
 * Exception Handling and Data Integrity in Salesforce
 * Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi
   Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328,
   CVE-2022-30329)
 * Shining the Light on Black Basta
 * Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790,
   CVE-2022-30552)
 * NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible
   Reports through the Intel Circuit Breaker program
 * Conference Talks – June 2022
 * Hardware Security By Design: ESP32 Guidance
 * Public Report – Lantern and Replica Security Assessment
 * NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher
   Leaderboard
 * Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 –
   Unauthenticated Command Injection (CVE-2022-31794 and CVE-2022-31795)
 * Public Report – go-cose Security Assessment
 * Technical Advisory – SerComm h500s – Authenticated Remote Command Execution
   (CVE-2021-44080)
 * Metastealer – filling the Raccoon void
 * earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s
   decompiler internals to make automatic P-Code analysis scripts
 * Tool Release – Ghostrings
 * Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo
   Smart Locks Vulnerable to Relay Attacks
 * Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to
   Relay Attacks
 * Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
 * Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView
   tag helpers (CVE-2022-27777)
 * North Korea’s Lazarus: their initial access trade-craft using social media
   and social engineering
 * Adventures in the land of BumbleBee – a new malicious loader
 * LAPSUS$: Recent techniques, tactics and procedures
 * Real World Cryptography Conference 2022
 * Mitigating the top 10 security threats to GCP using the CIS Google Cloud
   Platform Foundation Benchmark
 * A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
 * Public Report – Google Enterprise API Security Assessment
 * Conti-nuation: methods and techniques observed in operations post the leaks
 * Whitepaper – Double Fetch Vulnerabilities in C and C++
 * Mining data from Cobalt Strike beacons
 * Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
 * Tool Release – ScoutSuite 5.11.0
 * Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
 * Microsoft announces the WMIC command is being retired, Long Live PowerShell
 * SharkBot: a “new” generation Android banking Trojan being distributed on
   Google Play Store
 * Estimating the Bit Security of Pairing-Friendly Curves
 * Detecting anomalous Vectored Exception Handlers on Windows
 * BrokenPrint: A Netgear stack overflow
 * Conference Talks – March 2022
 * Hardware & Embedded Systems: A little early effort in security can return a
   huge payoff
 * Public Report – O(1) Labs Mina Client SDK, Signature Library and Base
   Components Cryptography and Implementation Review
 * Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark
   MC3224i printer (part 2)
 * Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5
   Attacks vs the CIS Microsoft 365 Foundation Benchmark
 * Bypassing software update package encryption – extracting the Lexmark MC3224i
   printer firmware (part 1)
 * Detecting Karakurt – an extortion focused threat actor
 * BAT: a Fast and Small Key Encapsulation Mechanism
 * Testing Infrastructure-as-Code Using Dynamic Tooling
 * Machine Learning for Static Analysis of Malware – Expansion of Research Scope
 * 10 real-world stories of how we’ve compromised CI/CD pipelines
 * NCC Group’s 2021 Annual Research Report
 * On the malicious use of large language models like GPT-3
 * Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination
   Programs
 * Tool Update – ruby-trace: A Low-Level Tracer for Ruby
 * Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
 * Technical Advisory – Lenovo ImController Local Privilege Escalation
   (CVE-2021-3922, CVE-2021-3969)
 * Choosing the Right MCU for Your Embedded Device — Desired Security Features
   of Microcontrollers
 * FPGAs: Security Through Obscurity?
 * Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
 * log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
 * Log4Shell: Reconnaissance and post exploitation network detection
 * Announcing NCC Group’s Cryptopals Guided Tour!
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary
   File Deletion
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
 * Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated
   Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
 * Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote
   Command Execution (CVE-2021-20044)
 * Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow
   (CVE-2021-20043)
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload
   Path Traversal (CVE-2021-20040)
 * Why IoT Security Matters
 * Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom
   CA Network Flow Analysis (CVE-2021-44050)
 * Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates
   with the Half-Space-Trees Algorithm
 * Tracking a P2P network related to TA505
 * Conference Talks – December 2021
 * Public Report – Zendoo Proof Verifier Cryptography Review
 * An Illustrated Guide to Elliptic Curve Cryptography Validation
 * Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
 * POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
 * Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router
   (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
 * “We wait, because we know you.” Inside the ransomware negotiation economics.
 * Detection Engineering for Kubernetes clusters
 * Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
 * Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA
   Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568,
   CVE-2021-43571)
 * TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial
   access
 * Public Report – Zcash NU5 Cryptography Review
 * The Next C Language Standard (C23)
 * Conference Talks – November 2021
 * Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
 * Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
 * Cracking RDP NLA Supplied Credentials for Threat Intelligence
 * Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the
   Internet
 * Enterprise-scale seamless onboarding and deployment of Azure Sentinel using
   Lighthouse for multi-tenant environments
 * Cracking Random Number Generators using Machine Learning – Part 2: Mersenne
   Twister
 * Cracking Random Number Generators using Machine Learning – Part 1:
   xorshift128
 * NCC Group placed first in global 5G Cyber Security Hack competition
 * Paradoxical Compression with Verifiable Delay Functions
 * A Look At Some Real-World Obfuscation Techniques
 * SnapMC skips ransomware, steals data
 * The Challenges of Fuzzing 5G Protocols
 * Reverse engineering and decrypting CyberArk vault credential files
 * Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session
   Establishment on UPF (CVE-2021-41794)
 * Assessing the security and privacy of Vaccine Passports
 * Technical Advisory – NULL Pointer Dereference in McAfee Drive
   Encryption (CVE-2021-23893)
 * Conference Talks – October 2021
 * Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
 * Detecting and Hunting for the PetitPotam NTLM Relay Attack
 * Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI
   (CVE-2021-39307)
 * Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
 * CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
 * NSA & CISA Kubernetes Security Guidance – A Critical Review
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport
   Credential Forgery
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner
   App Sends Data to a Third Party not Specified in Privacy Policy
 * Conference Talks – September 2021
 * The ABCs of NFC chip security
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
 * Disabling Office Macros to Reduce Malware Infections
 * Some Musings on Common (eBPF) Linux Tracing Bugs
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive
   Extraction – CVE-2021-22937 (Patch Bypass)
 * Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection
   (CVE-2021-36380)
 * Practical Considerations of Right-to-Repair Legislation
 * Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
 * Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log
   Server (CVE-2021-35478, CVE-2021-35479)
 * Detecting and Hunting for the Malicious NetFilter Driver
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
 * NCC Group Research at Black Hat USA 2021 and DEF CON 29
 * Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
 * Software-Based Fault Injection Countermeasures (Part 2/3)
 * An Introduction to Fault Injection (Part 1/3)
 * Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite
   (CVE-2021-21586, CVE-2021-21587)
 * Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare
   vCenter Server 7.0
 * Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
 * Tool Release – Reliably-checked String Library Binding
 * Are you oversharing (in Salesforce)? Our new tool could sniff it out!
 * Exploit mitigations: keeping up with evolving and complex software/hardware
 * NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use
   Against Security Researchers
 * Handy guide to a new Fivehands ransomware variant
 * On the Use of Pedersen Commitments for Confidential Payments
 * Incremental Machine Learning by Example: Detecting Suspicious Activity with
   Zeek Data Streams, River, and JA3 Hashes
 * Testing Two-Factor Authentication
 * Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
 * Research Paper – Machine Learning for Static Malware Analysis, with
   University College London
 * Conference Talks – June 2021
 * Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and
   Implementation Review
 * iOS User Enrollment and Trusted Certificates
 * Detecting Rclone – An Effective Tool for Exfiltration
 * Supply Chain Security Begins with Secure Software Development
 * Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re
   cryptographically random)
 * Public Report – Dell Secured Component Verification
 * RM3 – Curiosities of the wildest banking malware
 * Conference Talks – May 2021
 * A Census of Deployed Pulse Connect Secure (PCS) Versions
 * NCC Group’s Upcoming Trainings at Black Hat USA 2021
 * Public Report – VPN by Google One: Technical Security & Privacy Assessment
 * Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s
   servers on startup
 * Tool Release – Principal Mapper v1.1.0 Update
 * SAML XML Injection
 * The Future of C Code Review
 * RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API
   vulnerabilities CVE-2021-22986
 * Tool Release – Solitude: A privacy analysis tool
 * Deception Engineering: exploring the use of Windows Installer Packages
   against first stage payloads
 * Lending a hand to the community – Covenant v0.7 Updates
 * Technical Advisory: Dell SupportAssist Local Privilege Escalation
   (CVE-2021-21518)
 * Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus
   JGS516PE / GS116Ev2 Switches
 * Deception Engineering: exploring the use of Windows Service Canaries against
   ransomware
 * Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
 * Technical Advisory: Administrative Passcode Recovery and Authenticated Remote
   Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309,
   CVE-2021-25306)
 * Cryptopals: Exploiting CBC Padding Oracles
 * Investigating Potential Security Vulnerability Manifestation through Various
   Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be
   Improved)
 * NCC Group’s 2020 Annual Research Report
 * Conference Talks – February/March 2021
 * Software Verification and Analysis Using Z3
 * Technical Advisory – Linksys WRT160NL – Authenticated Command Injection
   (CVE-2021-25310)
 * Real World Cryptography Conference 2021: A Virtual Experience
 * RIFT: Analysing a Lazarus Shellcode Execution Method
 * MSSQL Lateral Movement
 * Public Report – BLST Cryptographic Implementation Review
 * Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
 * Building an RDP Credential Catcher for Threat Intelligence
 * Double-odd Elliptic Curves
 * Using AWS and Azure for Cost Effective Log Ingestion with Data Processing
   Pipelines for SIEMs
 * Domestic IoT Nightmares: Smart Doorbells
 * Technical Advisory: OS Command Injection in Silver Peak EdgeConnect
   Appliances (CVE-2020-12148, CVE-2020-12149)
 * Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot
   Configuration Auditing Introduced in Depthcharge v0.2.0
 * An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered
   Harmful
 * ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
 * Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP
   Signatures
 * ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial
   and Business Networks
 * Tool Release – Carnivore: Microsoft External Assessment Tool
 * Technical Advisory: containerd – containerd-shim API Exposed to Host Network
   Containers (CVE-2020-15257)
 * Conference Talks – December 2020
 * TA505: A Brief History Of Their Time
 * Decrypting OpenSSH sessions for fun and profit
 * Past, Present and Future of Effective C
 * Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS)
   Vulnerabilities in Oracle Communications Diameter Signaling Router
   (CVE-2020-14787, CVE-2020-14788)
 * Technical Advisory: Command Injection
 * Conference Talks – November 2020
 * Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon
   Message (CVE-2020-8255)
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip
   Extraction (CVE-2020-8260)
 * Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code
   Execution (CVE-2020-27162)
 * Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation
   Bypass (CVE-2020-27161)
 * Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
 * Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow
   (CVE-2020-26561)
 * There’s A Hole In Your SoC: Glitching The MediaTek BootROM
 * RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 honeypot data release
 * Technical Advisory – Pulse Connect Secure – RCE via Template Injection
   (CVE-2020-8243)
 * Tool – Windows Executable Memory Page Delta Reporter
 * Salesforce Security with Remote Working
 * Tool Release – ScoutSuite 5.10
 * Conference Talks – October 2020
 * Tool Release – ICPin, an integrity-check and anti-debug detection pintool
 * Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
 * Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP
   Method Interchange (CVE-2020-13658)
 * Online Casino Roulette – A guideline for penetration testers and security
   researchers
 * Extending a Thinkst Canary to become an interactive honeypot
 * StreamDivert: Relaying (specific) network connections
 * Public Report – Electric Coin Company NU4 Cryptographic Specification and
   Implementation Review
 * Machine learning from idea to reality: a PowerShell case study
 * Conference Talks – September 2020
 * Whitepaper – Exploring the Security of KaiOS Mobile Applications
 * Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack
   (CVE-2020-24613)
 * Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS
   Pre-installed Mobile Applications
 * Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP
   application
 * Immortalising 20 Years of Epic Research
 * Pairing over BLS12-381, Part 3: Pairing!
 * Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
 * NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers
   in 2020
 * Lights, Camera, HACKED! An insight into the world of popular IP Cameras
 * Conference Talks – August 2020
 * Tool Release – Winstrument: An Instrumentation Framework for Windows
   Application Assessments
 * Tool Release: Sinking U-Boots with Depthcharge
 * Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to
   device compromise on TP-Link C200 IP Camera
 * Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
 * Pairing over BLS12-381, Part 2: Curves
 * Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability
   CVE-2020-5902
 * RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 Intelligence
 * An offensive guide to the Authorization Code grant
 * Technical Advisory – KwikTag Web Admin Authentication Bypass
 * Pairing over BLS12-381, Part 1: Fields
 * RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
   Intelligence
 * Experiments in Extending Thinkst Canary – Part 1
 * Tool Release – ScoutSuite 5.9.0
 * Technical Advisory – macOS Installer Local Root Privilege Escalation
   (CVE-2020-9817)
 * Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to
   make threat actors work harder and fail more often
 * How-to: Importing WStalker CSV (and more) into Burp Suite via Import to
   Sitemap Extension
 * Tool: WStalker – an easy proxy to support Web API assessments
 * Security Considerations of zk-SNARK Parameter Multi-Party Computation
 * WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
 * Tool Release – Socks Over RDP Now Works With Citrix
 * Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
 * Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
 * Cyber Security of New Space Paper
 * In-depth analysis of the new Team9 malware family
 * Common Insecure Practices with Configuring and Extending Salesforce
 * Dangers of Kubernetes IAM Integrations
 * Exploring DeepFake Capabilities & Mitigation Strategies with University
   College London
 * Game Security
 * Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
 * Research Report – Zephyr and MCUboot Security Assessment
 * CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a
   better read/write primitive
 * CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read
   and write primitive
 * Using SharePoint as a Phishing Platform
 * Public Report – Coda Cryptographic Review
 * Shell Arithmetic Expansion and Evaluation Abuse
 * CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition
   and debugging tricks
 * Tool Release – Socks Over RDP
 * Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
 * CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic
   triggering
 * Practical Machine Learning for Random (Filename) Detection
 * Curve9767 and Fast Signature Verification
 * CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
 * The Extended AWS Security Ramp-Up Guide
 * Code Patterns for API Authorization: Designing for Security
 * Order Details Screens and PII
 * How cryptography is used to monitor the spread of COVID-19
 * Rise of the Sensors: Securing LoRaWAN Networks
 * C Language Standards Update – Zero-size Reallocations are Undefined Behavior
 * IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
 * Exploring Verifiable Random Functions in Code
 * Crave the Data: Statistics from 1,300 Phishing Campaigns
 * Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
 * Tool Release – ScoutSuite 5.8.0
 * Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level
   Vulnerabilities
 * Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
 * LDAPFragger: Bypassing network restrictions using LDAP attributes
 * Threat Actors: exploiting the pandemic
 * A Survey of Istio’s Network Security Features
 * Conference Talks – March 2020
 * Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation
   Review
 * Reviewing Verifiable Random Functions
 * CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for
   fun and exploitation
 * Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
 * Improving Software Security through C Language Standards
 * Whitepaper – A Tour of Curve 25519 in Erlang
 * Deep Dive into Real-World Kubernetes Threats
 * Technical Advisory – playSMS Pre-Authentication Remote Code Execution
   (CVE-2020-8644)
 * Interfaces.d to RCE
 * Properly Signed Certificates on CPE Devices
 * Conference Talks – February 2020
 * Tool Release – Collaborator++
 * Public Report – Electric Coin Company NU3 Specification and Blossom
   Implementation Audit
 * Tool Release – Enumerating Docker Registries with go-pillage-registries
 * Conference Talks – January 2020
 * Passive Decryption of Ethereum Peer-to-Peer Traffic
 * On Linux’s Random Number Generation
 * Demystifying AWS’ AssumeRole and sts:ExternalId
 * Welcome to the new NCC Group Global Research blog
 * Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet;
   and Unprotected client and server data transmission between Android and IOS
   clients
 * Security impact of IoT on the Enterprise
 * Secure Device Provisioning Best Practices: Heavy Truck Edition
 * CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device
   Host Service and the Update Orchestrator Service
 * Padding the struct: How a compiler optimization can disclose stack memory
 * Embedded Device Security Certifications
 * An Introduction to Ultrasound Security Research
 * PhanTap (Phantom Tap): Making networks spookier one packet at a time
 * An Introduction to Quantum Computing for Security Professionals
 * Sniffle: A Sniffer for Bluetooth 5
 * Compromising a Hospital Network for £118 (Plus Postage & Packaging)
 * Getting Shell with XAMLX Files
 * Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to
   a Privilege Escalation
 * Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow
 * Technical Advisory: Unauthenticated SQL Injection in Lansweeper
 * Jenkins Plugins and Core Technical Summary Advisory
 * Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
 * Technical Advisory: Multiple Vulnerabilities in Brother Printers
 * Technical Advisory: Multiple Vulnerabilities in Xerox Printers
 * Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and
   Next Steps
 * Technical Advisory: Multiple Vulnerabilities in HP Printers
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 9: Adventures with Expert Systems
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 8: Development of Prototype #4 – Building on
   Takaesu’s Approach with Focus on XSS
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 7: Development of Prototype #3 – Adventures in
   Anomaly Detection
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 5: Development of Prototype #1 – Text Processing and
   Semantic Relationships
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 4: Architecture and Design
 * Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 3: Understanding Existing Approaches and Attempts
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in
   Social Engineering
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 1: Understanding the Basics and What Platforms and
   Frameworks Are Available
 * Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
 * Technical Advisory: Intel Driver Support & Assistance – Local Privilege
   Escalation
 * Technical Advisory: Citrix Workspace / Receiver Remote Code Execution
   Vulnerability
 * The Sorry State of Aftermarket Head Unit Security
 * Cyber Security in UK Agriculture
 * NCC Group Connected Health Whitepaper July 2019
 * Story of a Hundred Vulnerable Jenkins Plugins
 * Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s
   TrustZone
 * Technical Advisory: Multiple Vulnerabilities in SmarterMail
 * Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
 * eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
 * Chafer backdoor analysis
 * Finding and Exploiting .NET Remoting over HTTP using Deserialisation
 * Technical Advisory: Multiple Vulnerabilities in MailEnable
 * Assessing Unikernel Security
 * Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
 * Zcash Overwinter Consensus and Sapling Cryptography Review
 * Xendbg: A Full-Featured Debugger for the Xen Hypervisor
 * Use of Deserialisation in .NET Framework Methods and Classes
 * Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
 * Nine years of bugs at NCC Group
 * The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
 * Third party assurance
 * Turla PNG Dropper is back
 * Public cloud
 * Android Cloud Backup/Restore
 * Spectre on a Television
 * RokRat Analysis
 * Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
 * Technical Advisory: Authentication Bypass in libSSH
 * Securing Google Cloud Platform – Ten best practices
 * Public Report – Android Cloud Backup/Restore
 * Much Ado About Hardware Implants
 * NCC Group’s Exploit Development Capability: Why and What
 * Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code
   Execution on SharePoint
 * Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
 * Improving Your Embedded Linux Security Posture With Yocto
 * How I did not get a shell
 * Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
 * Singularity of Origin
 * Proxy Re-Encryption Protocol: IronCore Public Report
 * Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms
   using Deserialisation of Untrusted Data
 * Jackson Deserialization Vulnerabilities
 * Celebrating NCC Con Europe 2018
 * The disadvantages of a blacklist-based approach to input validation
 * Securing Teradata Database
 * Technical Advisory: Unauthenticated Remote Command Execution through Multiple
   Vulnerabilities in Virgin Media Hub 3.0
 * Ethics in Security Testing
 * Freddy: An extension for automatically identifying deserialisation issues in
   Java and .NET applications
 * Sobelow Update
 * House
 * Principal Mapper (pmapper)
 * Return of the hidden number problem
 * Technical advisory: “ROHNP”- key extraction side channel in multiple crypto
   libraries
 * CVE-2017-8570 RTF and the Sisfader RAT
 * Mallory: Transparent TCP and UDP Proxy
 * Mallory and Me: Setting up a Mobile Mallory Gateway
 * CyberVillainsCA
 * DECTbeacon
 * Fuzzbox
 * Gizmo
 * HTTP Profiler
 * Intent Sniffer
 * Intent Fuzzer
 * iSEC Partners Releases SSLyze
 * Jailbreak
 * Manifest Explorer
 * Package Play
 * ProxMon
 * pySimReader
 * SAML Pummel
 * SecureBigIP
 * SecureCisco
 * SecureCookies
 * SecureIE.ActiveX
 * WebRATS
 * AWS Inventory: A tool for mapping AWS resources
 * Extractor
 * CMakerer: A small tool to aid CLion’s indexing
 * Emissary Panda – A potential new malicious tool
 * SMB hash hijacking & user tracking in MS Outlook
 * Testing HTTP/2 only web services
 * Windows IPC Fuzzing Tools
 * WSBang
 * WSMap
 * Nerve
 * Ragweed
 * File Fuzzers
 * Kivlad
 * Android SSL Bypass
 * Hiccupy
 * iOS SSL Killswitch
 * The SSL Conservatory
 * TLSPretense — SSL/TLS Client Testing Framework
 * tcpprox
 * YoNTMA
 * Tattler
 * PeachFarmer
 * Android-KillPermAndSigChecks
 * Android-OpenDebug
 * Android-SSL-TrustKiller
 * Introspy for Android
 * RtspFuzzer
 * SSLyze v0.8
 * NCLoader
 * IG Learner Walkthrough
 * Forensic Fuzzing Tools
 * Security First Umbrella
 * Autochrome
 * WSSiP: A Websocket Manipulation Proxy
 * AssetHook
 * Call Map: A Tool for Navigating Call Graphs in Python
 * Sobelow: Static analysis for the Phoenix Framework
 * G-Scout
 * Decoder Improved Burp Suite Plugin
 * Python Class Informer: an IDAPython plugin for viewing run-time type
   information (RTTI)
 * AutoRepeater: Automated HTTP Request Repeating With Burp Suite
 * TPM Genie
 * Open Banking: Security considerations & potential risks
 * scenester
 * port-scan-automation
 * Windows DACL Enum Project
 * umap
 * Shocker
 * Zulu
 * whitebox
 * vlan-hopping
 * tybocer
 * xcavator
 * WindowsJobLock
 * Azucar
 * Introducing Azucar
 * Readable Thrift
 * Decoding network data from a Gh0st RAT variant
 * Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
 * Discovering Smart Contract Vulnerabilities with GOATCasino
 * BLEBoy
 * APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
 * TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
 * Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple
   Microsoft Products
 * Technical Advisory: Code Execution by Viewing Resource Files in .NET
   Reflector
 * Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in
   Jenkins Delivery Pipeline plugin
 * Spectre and Meltdown: What you Need to Know
 * The economics of defensive security
 * HIDDEN COBRA Volgmer: A Technical Analysis
 * Integrity destroying malicious code for financial or geopolitical gain: A
   vision of the future?
 * Kubernetes Security: Consider Your Threat Model
 * Mobile & web browser credential management: Security implications, attack
   cases & mitigations
 * SOC maturity & capability
 * Automated Reverse Engineering of Relationships Between Data Structures in C++
   Binaries
 * Pointer Sequence Reverser (PSR)
 * Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over
   IKEv1
 * Bypassing Android’s Network Security Configuration
 * Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
 * Cisco ASA series part seven: Checkheaps
 * Adversarial Machine Learning: Approaches & defences
 * eBook: Breach notification under GDPR – How to communicate a personal data
   breach
 * Cisco ASA series part six: Cisco ASA mempools
 * The Update Framework (TUF) Security Assessment
 * Cisco ASA series part five: libptmalloc gdb plugin
 * Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
 * Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
 * Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco
   ASA
 * Decoder Improved Burp Suite plugin release part two
 * Cisco ASA series part three: Debugging Cisco ASA firmware
 * Managing PowerShell in a modern corporate environment
 * Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
 * Cisco ASA series part one: Intro to the Cisco ASA
 * EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
 * Technical Advisory: Authentication rule bypass
 * Technical Advisory – play-pac4j Authentication rule bypass
 * Decoder Improved Burp Suite plugin release part one
 * Technical advisory: Remote shell commands execution in ttyd
 * Poison Ivy string decryption
 * Securing the continuous integration process
 * Signaturing an Authenticode anomaly with Yara
 * Analysing a recent Poison Ivy sample
 * Endpoint connectivity
 * DeLux Edition: Getting root privileges on the eLux Thin Client OS
 * UK government cyber security guidelines for connected & autonomous vehicles
 * Smuggling HTA files in Internet Explorer/Edge
 * Database Security Brief: The Oracle Critical Patch Update for April 2007
 * Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention
   Mechanisms (XPMs) on the Windows platform
 * Data-mining with SQL Injection and Inference
 * The Pharming Guide – Understanding and preventing DNS related attacks by
   phishers
 * Weak Randomness Part I – Linear Congruential Random Number Generators
 * Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
 * Blind Exploitation of Stack Overflow Vulnerabilities
 * Slotting Security into Corporate Development
 * Creating Arbitrary Shellcode In Unicode Expanded Strings
 * Violating Database – Enforced Security Mechanisms
 * Hacking the Extensible Firmware Interface
 * Advanced Exploitation of Oracle PL/SQL Flaws
 * Firmware Rootkits: The Threat to the Enterprise
 * Database Security: A Christmas Carol
 * Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft
   Windows 2003 Server
 * Non-flood/non-volumetric Distributed Denial of Service (DDoS)
 * VoIP Security Methodology and Results
 * E-mail Spoofing and CDONTS.NEWMAIL
 * Dangling Cursor Snarfing: A New Class of Attack in Oracle
 * Database Servers on Windows XP and the unintended consequences of simple file
   sharing
 * DNS Pinning and Web Proxies
 * Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307
   redirections with additional or customised headers
 * Which database is more secure? Oracle vs. Microsoft
 * Variations in Exploit methods between Linux and Windows
 * Using graph databases to assess the security of thingernets based on the
   thingabilities and thingertivity of things
 * Live Incident Blog: June Global Ransomware Outbreak
 * Beyond data loss prevention
 * How to protect yourself & your organisation from phishing attacks
 * Rise of the machines: Machine Learning & its cyber security applications
 * Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input
   Streams (LAOIS)
 * A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow –
   CVE-2016-1287
 * Latest threats to the connected car & intelligent transport ecosystem
 * Network Attached Security: Attacking a Synology NAS
 * Accessing Private Fields Outside of Classes in Java
 * Understanding the insider threat & how to mitigate it
 * Matty McMattface: Security implications, mitigations & testing strategies for
   biometric facial recognition systems
 * Setting a New Standard for Kubernetes Deployments
 * Encryption at rest: Not the panacea to data protection
 * Applying normalised compression distance for architecture classification
 * Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and
   Signatures
 * D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
 * Fix Bounty
 * Unauthenticated XML eXternal Entity (XXE) vulnerability
 * General Data Protection Regulation: Knowing your data
 * Technical Advisory: Shell Injection in MacVim mvim URI Handler
 * Technical Advisory: Shell Injection in SourceTree
 * SCOMplicated? – Decrypting SCOM “RunAs” credentials
 * Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer
   Appliance
 * ISM RAT
 * Mergers & Acquisitions (M&A) cyber security due diligence
 * Advisory-CraigSBlackie-CVE-2016-9795
 * Best practices with BYOD
 * Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows
   Decryption of Stored Credentials
 * Compromising Apache Tomcat via JMX access
 * Berserko: Kerberos Authentication for Burp Suite
 * Java RMI Registry.bind() Unvalidated Deserialization
 * NCC CON Europe 2017
 * Understanding cyber risk management vs uncertainty with confidence in 2017
 * iOS MobileSlideShow USB Image Class arbitrary code execution.txt
 * Denial of Service in Parsing a URL by ierutil.dll
 * U plug, we play
 * SSL checklist for pentesters
 * Dissecting social engineering attacks
 * External Enumeration and Exploitation of Email and Web Security Solutions
 * Social Engineering
 * Phishing Stories
 * Automating extraction from malware and recent campaign analysis
 * DDoS Common Approaches and Failings
 * Absolute Security
 * How much training should staff have on cyber security?
 * USB under the bonnet: Implications of USB security vulnerabilities in vehicle
   systems
 * Cyber Essentials Scheme
 * Webinar – PCI Version 3.0: Are you ready?
 * Webinar: 4 Secrets to a Robust Incident Response Plan
 * Cloud Security Presentation
 * Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
 * Revealing Embedded Fingerprints: Deriving intelligence from USB stack
   interactions
 * Memory Gap
 * 44Con2013Game
 * creep-web-app-scanner
 * ncccodenavi
 * Pip3line
 * typofinder
 * DIBF – Updated
 * IODIDE
 * CECSTeR
 * cisco-SNMP-enumeration
 * dotnetpaddingoracle
 * dotnetpefuzzing
 * easyda
 * EDIDFuzzer
 * Fat-Finger
 * firstexecution
 * grepify
 * FrisbeeLite
 * State-of-the-art email risk
 * Ransomware: what organisations can do to survive
 * hostresolver
 * lapith
 * metasploitavevasion
 * Maritime Cyber Security: Threats and Opportunities
 * IP-reputation-snort-rule-generator
 * The L4m3ne55 of Passw0rds: Notes from the field
 * Mature Security Testing Framework
 * Exporting non-exportable RSA keys
 * Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
 * The role of security research in improving cyber security
 * Self-Driving Cars- The future is now…
 * They Ought to Know Better: Exploiting Security Gateways via their Web
   Interfaces
 * Mobile apps and security by design
 * The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
 * When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate
   Pinning
 * USB Undermining Security Barriers: further adventures with USB
 * Software Security Austerity Security Debt in Modern Software Development
 * RSA Conference – Mobile Threat War Room
 * Finding the weak link in binaries
 * To dock or not to dock, that is the question: Using laptop docking stations
   as hardware-based attack platforms
 * Harnessing GPUs Building Better Browser Based Botnets
 * The Browser Hacker’s Handbook
 * SQL Server Security
 * The Database Hacker’s Handbook
 * Social Engineering Penetration Testing
 * Public Report – Matrix Olm Cryptographic Review
 * Research Insights Volume 8 – Hardware Design: FPGA Security Risks
 * Zcash Cryptography and Code Review
 * Optimum Routers: Researching Managed Routers
 * Peeling back the layers on defence in depth…knowing your onions
 * End-of-life pragmatism
 * iOS Instrumentation Without Jailbreak
 * The Password is Dead, Long Live the Password!
 * Microsoft Office Memory Corruption Vulnerability
 * Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
 * Elephant in the Boardroom Survey 2016
 * A Peek Behind the Great Firewall of Russia
 * Avoiding Pitfalls Developing with Electron
 * Flash local-with-filesystem Bypass in navigateToURL
 * D-Link routers vulnerable to Remote Code Execution (RCE)
 * iOS Application Security: The Definitive Guide for Hackers and Developers
 * The Mobile Application Hacker’s Handbook
 * Research Insights Volume 9 – Modern Security Vulnerability Discovery
 * Post-quantum cryptography overview
 * The CIS Security Standard for Docker available now
 * An adventure in PoEKmon NeutriGo land
 * The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd
   Edition
 * How will GDPR impact your communications?
 * Potential false redirection of web site content in Internet in SAP NetWeaver
   web applications
 * Multiple security vulnerabilities in SAP NetWeaver BSP Logon
 * The Automotive Threat Modeling Template
 * My name is Matt – My voice is my password
 * Ransomware: How vulnerable is your system?
 * NCC Group Whitepaper – Understanding and Hardening Linux Containers, June 29,
   2016 – Version 1.1
 * My Hash is My Passport: Understanding Web and Mobile Authentication
 * Project Triforce: Run AFL on Everything!
 * Writing Exploits for Win32 Systems from Scratch
 * How to Backdoor Diffie-Hellman
 * Local network compromise despite good patching
 * Sakula: an adventure in DLL planting
 * When a Trusted Site in Internet Explorer was Anything But
 * GSM/GPRS Traffic Interception for Penetration Testing Engagements
 * An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an
   Oracle
 * Creating a Safer OAuth User Experience
 * Attacking Web Service Security: Message Oriented Madness, XML Worms and Web
   Service Security Sanity
 * Aurora Response Recommendations
 * Blind Security Testing – An Evolutionary Approach
 * Building Security In: Software Penetration Testing
 * Cleaning Up After Cookies
 * Command Injection in XML Signatures and Encryption
 * Common Flaws of Distributed Identity and Authentication Systems
 * Cross Site Request Forgery: An Introduction to a Common Web Application
   Weakness
 * Developing Secure Mobile Applications for Android
 * Exposing Vulnerabilities in Media Software
 * Hunting SQL Injection Bugs
 * IAX Voice Over-IP Security
 * ProxMon: Automating Web Application Penetration Testing
 * iSEC’s Analysis of Microsoft’s SDL and its ROI
 * Secure Application Development on Facebook
 * Secure Session Management With Cookies for Web Applications
 * Security Compliance as an Engineering Discipline
 * Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
 * Exploiting Rich Content
 * HTML5 Security The Modern Web Browser Perspective
 * An Introduction to Authenticated Encryption
 * Attacks on SSL
 * Content Security Policies Best Practices
 * Windows Phone 7 Application Security Survey
 * Browser Extension Password Managers
 * Introducing idb-Simplified Blackbox iOS App Pentesting
 * Login Service Security
 * The factoring dead: Preparing for the cryptopocalypse
 * Auditing Enterprise Class Applications and Secure Containers on Android
 * Early CCS Attack Analysis
 * Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver
   URSA
 * Perfect Forward Security
 * Internet of Things Security
 * Secure Messaging for Normal People
 * Understanding and Hardening Linux Containers
 * Adventures in Windows Driver Development: Part 1
 * Private sector cyber resilience and the role of data diodes
 * From CSV to CMD to qwerty
 * General Data Protection Regulation – are you ready?
 * Business Insights: Cyber Security in the Financial Sector
 * The Importance of a Cryptographic Review
 * osquery Application Security Assessment Public Report
 * Sysinternals SDelete: When Secure Delete Fails
 * Ricochet Security Assessment Public Report
 * Breaking into Security Research at NCC Group
 * Building Systems from Commercial Components
 * Modernizing Legacy Systems: Software Technologies, Engineering Processes, and
   Business Practices
 * Secure Coding in C and C++
 * CERT Oracle Secure Coding Standard for Java
 * CERT C Secure Coding Standard
 * Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
 * Professional C Programming LiveLessons, (Video Training) Part I: Writing
   Robust, Secure, Reliable Code
 * Secure Coding in C and C++, 2nd Edition
 * The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe,
   Reliable, and Secure Systems
 * Secure Coding Rules for Java LiveLessons, Part 1
 * Hacking Displays Made Interesting
 * What the HEC? Security implications of HDMI Ethernet Channel and other
   related protocols
 * 44CON Workshop – How to assess and secure iOS apps
 * Payment Card Industry Data Security Standard (PCI DSS) A Navigation and
   Explanation of Changes from v2.0 to v3.0
 * Mobile World Congress – Mobile Internet of Things
 * Practical SME security on a shoestring
 * BlackHat Asia USB Physical Access
 * How we breach network infrastructures and protect them
 * Hacking a web application
 * Batten down the hatches: Cyber threats facing DP operations
 * Threats and vulnerabilities within the Maritime and shipping sectors
 * Distributed Ledger (Blockchain) Security and Quantum Computing Implications
 * Building WiMap the Wi-Fi Mapping Drone
 * Abusing Privileged and Unprivileged Linux Containers
 * A few notes on usefully exploiting libstagefright on Android 5.x
 * NCC Con Europe 2016
 * Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
 * Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify
   External Emails
 * Car Parking Apps Vulnerable To Hacks
 * eBook – Do you know how your organisation would react in a real-world attack
   scenario?
 * Erlang Security 101
 * SysAid Helpdesk blind SQL injection
 * SysAid Helpdesk stored XSS
 * Virtual Access Monitor Multiple SQL Injection Vulnerabilities
 * Whatsupgold Premium Directory traversal
 * Windows remote desktop memory corruption leading to RCE on XPSP3
 * Windows USB RNDIS driver kernel pool overflow
 * Drones: Detect, Identify, Intercept, and Hijack
 * Introducing Chuckle and the Importance of SMB Signing
 * Threat Intelligence: Benefits for the Enterprise
 * Best Practices for the use of Static Code Analysis within a Real-World Secure
   Development Lifecycle
 * Secure Device Manufacturing: Supply Chain Security Resilience
 * eBook – Planning a robust incident response process
 * HDMI Ethernet Channel
 * Advanced SQL Injection in SQL Server Applications
 * USB keyboards by post – use of embedded keystroke injectors to bypass autorun
   restrictions on modern desktop operating systems
 * ASP.NET Security and the Importance of KB2698981 in Cloud Environments
 * Xen HYPERVISOR_xen_version stack memory revelation
 * Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
 * SysAid Helpdesk Pro – Blind SQL Injection
 * Symantec Messaging Gateway SSH with backdoor user account + privilege
   escalation to root due to very old Kernel
 * Symantec Messaging Gateway Out of band stored XSS delivered by email
 * Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for
   example)
 * Symantec Messaging Gateway Arbitrary file download is possible with a crafted
   URL (authenticated)
 * Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom
   Reports
 * Symantec Backup Exec 2012 – OS version and service pack information leak
 * Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
 * Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs
 * Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding
   Groups, Servers and Computers
 * Squiz CMS File Path Traversal
 * Solaris 11 USB Hub Class descriptor kernel stack overflow
 * SmarterMail – Stored XSS in emails
 * Remote code execution in ImpressPages CMS
 * OS X 10.6.6 Camera Raw Library Memory Corruption
 * Oracle Java Installer Adds a System Path Which is Writable by All
 * Oracle Hyperion 11 Directory Traversal
 * Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
 * Nessus Authenticated Scan – Local Privilege Escalation
 * NCC Group Malware Technical Note
 * Nagios XI Network Monitor – Stored and Reflective XSS
 * Multiple Vulnerabilities in MailEnable
 * Microsoft Internet Explorer CMarkup Use-After-Free
 * McAfee Email and Web Security Appliance v5.6 – Session hijacking (and
   bypassing client-side session timeouts)
 * McAfee Email and Web Security Appliance v5.6 – Password hashes can be
   recovered from a system backup and easily cracked
 * McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is
   possible with a crafted URL, when logged in as any user
 * McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass
   controls to reset passwords of other administrators
 * McAfee Email and Web Security Appliance v5.6 – Active session tokens of other
   users are disclosed within the UI
 * iOS 7 arbitrary code execution in kernel mode
 * Understanding Microsoft Word OLE Exploit Primitives
 * Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642
   Microsoft Office CTaskSymbol Use-After-Free Vulnerability
 * Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using
   the TD-8817
 * Vehicle Emissions and Cyber Security
 * Research Insights Volume 6: Common Issues with Environment Breakouts
 * Does TypeScript Offer Security Improvements Over JavaScript?
 * Common Security Issues in Financially-Oriented Web Applications
 * Research Insights Volume 3 – How are we breaking in: Mobile Security
 * Build Your Own Wi-Fi Mapping Drone Capability
 * Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
 * Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
 * Password and brute-force mitigation policies
 * Understanding Ransomware: Impact, Evolution and Defensive Strategies
 * libtalloc: A GDB plugin for analysing the talloc heap
 * Lumension Device Control (formerly Sanctuary) remote memory corruption
 * LibAVCodec AMV Out of Array Write
 * Increased exploitation of Oracle GlassFish Server Administration Console
   Remote Authentication Bypass
 * Flash security restrictions bypass: File upload by URLRequest
 * Immunity Debugger Buffer Overflow
 * DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout,
   Privilege Escalation and Full Disk Decryption
 * Cups-filters remote code execution
 * Critical Risk Vulnerability in SAP Message Server (Heap Overflow)
 * Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)
 * Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)
 * Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)
 * Cisco VPN Client Privilege Escalation
 * Cisco IPSec VPN Implementation Group Name Enumeration
 * Blue Coat BCAAA Remote Code Execution Vulnerability
 * BlackBerry Link WebDav Server Bound to the BlackBerry VPN Adapter
 * Bit51 Better Security WP Security Plugin – Unauthenticated Stored XSS to RCE
 * Back Office Web Administration Authentication Bypass
 * AtHoc Toolbar
 * ASE 12.5.1 datatype overflow
 * Archived Technical Advisories
 * Apple QuickTime Player m4a Processing Buffer Overflow
 * Apple OSX/iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow
 * Apple Mac OS X ImageIO TIFF Integer Overflow
 * Apple CoreAnimation Heap Overflow
 * Writing Small Shellcode
 * Writing Secure ASP Scripts
 * Windows 2000 Format String Vulnerabilities
 * The Pentesters Guide to Akamai
 * Adobe flash sandbox bypass to navigate to local drives
 * Adobe Flash Player Cross Domain Policy Bypass
 * Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
 * Tool Release: Introducing opinel: Scout2’s favorite tool
 * Broadcasting your attack – DAB security
 * Public Report – Aleo snarkVM Implementation Review
 * Technical Advisory – Multiple Vulnerabilities in Nagios XI
 * NCC Group’s 2022 & 2023 Research Report 
 * Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked
   setenv() call
 * Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
 * Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
 * Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape
   from NCC Group
 * The Spelling Police: Searching for Malicious HTTP Servers by Identifying
   Typos in HTTP Responses
 * Public Report – WhatsApp Auditable Key Directory (AKD) Implementation Review
 * Don’t throw a hissy fit; defend against Medusa
 * Demystifying Cobalt Strike’s “make_token” Command
 * Tool Release: Magisk Module – Conscrypt Trust User Certs
 * Post-exploiting a compromised etcd – Full control over the cluster and its
   nodes
 * D0nut encrypt me, I have a wife and no backups 
 * Popping Blisters for research: An overview of past payloads and exploring
   recent developments
 * Technical Advisory: Insufficient Proxyman HelperTool XPC Validation
 * Unveiling the Dark Side: A Deep Dive into Active Ransomware Families 
 * Public Report – Zcash FROST Security Assessment
 * Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual
   Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048,
   CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052)
 * Public Report – Caliptra Security Assessment
 * Introduction to AWS Attribute-Based Access Control
 * On Multiplications with Unsaturated Limbs
 * From ERMAC to Hook: Investigating the technical differences between two
   Android malware variants
 * Ruling the rules
 * HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack
 * Public Report – Entropy/Rust Cryptography Review
 * SIAM AG23: Algebraic Geometry with Friends
 * 5G security – how to minimise the threats to a 5G network
 * Real World Cryptography Conference 2023 – Part II
 * Technical Advisory – SonicWall Global Management System (GMS) & Analytics –
   Multiple Critical Vulnerabilities
 * LeaPFRogging PFR Implementations
 * Dancing Offbit: The Story of a Single Character Typo that Broke a
   ChaCha-Based PRNG
 * Public Report – Penumbra Labs R1CS Implementation Review
 * Demystifying Multivariate Cryptography
 * Building Intuition for Lattice-Based Signatures – Part 2: Fiat-Shamir with
   Aborts
 * Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
 * SysPWN – VR for Pwn2Own
 * Intel BIOS Advisory – Memory Corruption in HID Drivers 
 * Building Intuition for Lattice-Based Signatures – Part 1: Trapdoor Signatures
 * Tool Release: Cartographer
 * Tool Release – ScoutSuite 5.13.0
 * Overview of Modern Memory Security Concerns
 * Technical Advisory – Nullsoft Scriptable Installer System (NSIS) – Insecure
   Temporary Directory Usage
 * Public Report – Zcash Zebra Security Assessment
 * Getting per-user Conditional Access MFA status in Azure
 * Exploiting Noisy Oracles with Bayesian Inference
 * New Sources of Microsoft Office Metadata – Tool Release MetadataPlus
 * Dynamic Linq Injection Remote Code Execution Vulnerability (CVE-2023-32571)
 * Defeating Windows DEP With A Custom ROP Chain
 * Machine Learning 104: Breaking AES With Power Side-Channels
 * A Brief Review of Bitcoin Locking Scripts and Ordinals
 * How to Spot and Prevent an Eclipse Attack
 * Eurocrypt 2023: Death of a KEM
 * Reverse Engineering Coin Hunt World’s Binary Protocol
 * Technical Advisory – Multiple Vulnerabilities in Faronics Insight
   (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347,
   CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351,
   CVE-2023-28352, CVE-2023-28353)
 * Tool Release: Code Query (cq)
 * CowCloud
 * OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel
 * Tool Release: Code Credential Scanner (ccs)
 * Exploring Overfitting Risks in Large Language Models
 * The Paillier Cryptosystem with Applications to Threshold ECDSA
 * Rigging the Vote: Uniqueness in Verifiable Random Functions
 * Medical Devices: A Hardware Security Perspective
 * NETGEAR Routers: A Playground for Hackers?
 * Real World Cryptography Conference 2023 – Part I
 * Public Report – AWS Nitro System API & Security Claims
 * State of DNS Rebinding in 2023
 * Machine Learning 103: Exploring LLM Code Generation
 * HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
 * Public Report – Kubernetes 1.24 Security Audit
 * Public Report – Solana Program Library ZK-Token Security Assessment
 * Stepping Insyde System Management Mode
 * Breaking Pedersen Hashes in Practice
 * A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
 * Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run
   Payloads
 * A Primer On Slowable Encoders
 * Threat Spotlight – Hydra
 * Rustproofing Linux (Part 4/4 Shared Memory)
 * Rustproofing Linux (Part 3/4 Integer Overflows)
 * Security Code Review With ChatGPT
 * Rustproofing Linux (Part 2/4 Race Conditions)
 * Readable Thrift
 * Building WiMap the Wi-Fi Mapping Drone
 * Fuzzing the Easy Way Using Zulu
 * Exploiting CVE-2014-0282
 * Rustproofing Linux (Part 1/4 Leaking Addresses)
 * Machine Learning 102: Attacking Facial Authentication with Poisoned Data
 * Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
 * Using Semgrep with Jupyter Notebook files
 * Announcing NCC Group’s Cryptopals Guided Tour: Set 2
 * Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB
   DFU (CVE-2022-2347)
 * Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store
   (CVE-2023-21433, CVE-2023-21434)
 * Project Bishop: Clustering Web Pages
 * Puckungfu: A NETGEAR WAN Command Injection
 * MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
 * Machine Learning 101: The Integrity of Image (Mis)Classification?
 * Replicating CVEs with KLEE
 * Public Report – VPN by Google One Security Assessment
 * Public Report – Confidential Space Security Review
 * Exploring Prompt Injection Attacks
 * Impersonating Gamers With GPT-2
 * So long and thanks for all the 0day
 * A jq255 Elliptic Curve Specification, and a Retrospective
 * Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
 * Tool Release – Web3 Decoder Burp Suite Extension
 * Tales of Windows detection opportunities for an implant framework
 * Check out our new Microcorruption challenges!
 * Toner Deaf – Printing your next persistence (Hexacon 2022)
 * Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and
   Related Classes
 * Public Report – IOV Labs powHSM Security Assessment
 * Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and
   CSF Tampering on NXP i.MX Devices
 * A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a
   ShadowPad intrusion
 * Detecting Mimikatz with Busylight
 * Whitepaper – Project Triforce: Run AFL On Everything (2017)
 * Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
 * Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router
   (CVE-2022-37413, CVE-2022-37414)
 * A Guide to Improving Security Through Infrastructure-as-Code
 * Tool Release – ScoutSuite 5.12.0
 * Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter
   Selection Review
 * Tool Release – Monkey365
 * Sharkbot is back in Google Play 
 * Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
 * There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
 * Conference Talks – September/October 2022
 * SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
 * Writing FreeBSD Kernel Modules in Rust
 * NCC Con Europe 2022 – Pwn2Own Austin Presentations
 * Tool Release – JWT-Reauth
 * Back in Black: Unlocking a LockBit 3.0 Ransomware Attack 
 * Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
 * Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 
 * Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
 * Top of the Pops: Three common ransomware entry techniques
 * NCC Group Research at Black Hat USA 2022 and DEF CON 30
 * Tool Release – insject: A Linux Namespace Injector
 * Technical Advisory – Multiple vulnerabilities in Nuki smart locks
   (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507,
   CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508,
   CVE-2022-32505)
 * NIST Selects Post-Quantum Algorithms for Standardization
 * Climbing Mount Everest: Black-Byte Bytes Back?
 * Five Essential Machine Learning Security Papers
 * Whitepaper – Practical Attacks on Machine Learning Systems
 * Flubot: the evolution of a notorious Android Banking Malware
 * A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would
   have prevented
 * Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control
   link
 * Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities
   in U-Boot (CVE-2022-30790, CVE-2022-30552)
 * Understanding the Impact of Ransomware on Patient Outcomes – Do We Know
   Enough?
 * Public Report – Threshold ECDSA Cryptography Review
 * Exception Handling and Data Integrity in Salesforce
 * Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi
   Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328,
   CVE-2022-30329)
 * Shining the Light on Black Basta
 * Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790,
   CVE-2022-30552)
 * NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible
   Reports through the Intel Circuit Breaker program
 * Conference Talks – June 2022
 * Hardware Security By Design: ESP32 Guidance
 * Public Report – Lantern and Replica Security Assessment
 * NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher
   Leaderboard
 * Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 –
   Unauthenticated Command Injection ( CVE-2022-31794 and CVE-2022-31795)
 * Public Report – go-cose Security Assessment
 * Technical Advisory – SerComm h500s – Authenticated Remote Command Execution
   (CVE-2021-44080)
 * Metastealer – filling the Racoon void
 * earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s
   decompiler internals to make automatic P-Code analysis scripts
 * Tool Release – Ghostrings
 * Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo
   Smart Locks Vulnerable to Relay Attacks
 * Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to
   Relay Attacks
 * Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
 * Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView
   tag helpers (CVE-2022-27777)
 * North Korea’s Lazarus: their initial access trade-craft using social media
   and social engineering
 * Adventures in the land of BumbleBee – a new malicious loader
 * LAPSUS$: Recent techniques, tactics and procedures
 * Real World Cryptography Conference 2022
 * Mitigating the top 10 security threats to GCP using the CIS Google Cloud
   Platform Foundation Benchmark
 * A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
 * Public Report – Google Enterprise API Security Assessment
 * Conti-nuation: methods and techniques observed in operations post the leaks
 * Whitepaper – Double Fetch Vulnerabilities in C and C++
 * Mining data from Cobalt Strike beacons
 * Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
 * Tool Release – ScoutSuite 5.11.0
 * Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
 * Microsoft announces the WMIC command is being retired, Long Live PowerShell
 * SharkBot: a “new” generation Android banking Trojan being distributed on
   Google Play Store
 * Estimating the Bit Security of Pairing-Friendly Curves
 * Detecting anomalous Vectored Exception Handlers on Windows
 * BrokenPrint: A Netgear stack overflow
 * Conference Talks – March 2022
 * Hardware & Embedded Systems: A little early effort in security can return a
   huge payoff
 * Public Report – O(1) Labs Mina Client SDK, Signature Library and Base
   Components Cryptography and Implementation Review
 * Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark
   MC3224i printer (part 2)
 * Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5
   Attacks vs the CIS Microsoft 365 Foundation Benchmark
 * Bypassing software update package encryption – extracting the Lexmark MC3224i
   printer firmware (part 1)
 * Detecting Karakurt – an extortion focused threat actor
 * BAT: a Fast and Small Key Encapsulation Mechanism
 * Testing Infrastructure-as-Code Using Dynamic Tooling
 * Machine Learning for Static Analysis of Malware – Expansion of Research Scope
 * 10 real-world stories of how we’ve compromised CI/CD pipelines
 * NCC Group’s 2021 Annual Research Report
 * On the malicious use of large language models like GPT-3
 * Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination
   Programs
 * Tool Update – ruby-trace: A Low-Level Tracer for Ruby
 * Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
 * Technical Advisory – Lenovo ImController Local Privilege Escalation
   (CVE-2021-3922, CVE-2021-3969)
 * Choosing the Right MCU for Your Embedded Device — Desired Security Features
   of Microcontrollers
 * FPGAs: Security Through Obscurity?
 * Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
 * log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
 * Log4Shell: Reconnaissance and post exploitation network detection
 * Announcing NCC Group’s Cryptopals Guided Tour!
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary
   File Deletion
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
 * Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated
   Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
 * Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote
   Command Execution (CVE-2021-20044)
 * Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow
   (CVE-2021-20043)
 * Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload
   Path Traversal (CVE-2021-20040)
 * Why IoT Security Matters
 * Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom
   CA Network Flow Analysis (CVE-2021-44050)
 * Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates
   with the Half-Space-Trees Algorithm
 * Tracking a P2P network related to TA505
 * Conference Talks – December 2021
 * Public Report – Zendoo Proof Verifier Cryptography Review
 * An Illustrated Guide to Elliptic Curve Cryptography Validation
 * Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
 * POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
 * Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router
   (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
 * “We wait, because we know you.” Inside the ransomware negotiation economics.
 * Detection Engineering for Kubernetes clusters
 * Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
 * Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA
   Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568,
   CVE-2021-43571)
 * TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial
   access
 * Public Report – Zcash NU5 Cryptography Review
 * The Next C Language Standard (C23)
 * Conference Talks – November 2021
 * Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
 * Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
 * Cracking RDP NLA Supplied Credentials for Threat Intelligence
 * Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the
   Internet
 * Enterprise-scale seamless onboarding and deployment of Azure Sentinel using
   Lighthouse for multi-tenant environments
 * Cracking Random Number Generators using Machine Learning – Part 2: Mersenne
   Twister
 * Cracking Random Number Generators using Machine Learning – Part 1:
   xorshift128
 * NCC Group placed first in global 5G Cyber Security Hack competition
 * Paradoxical Compression with Verifiable Delay Functions
 * A Look At Some Real-World Obfuscation Techniques
 * SnapMC skips ransomware, steals data
 * The Challenges of Fuzzing 5G Protocols
 * Reverse engineering and decrypting CyberArk vault credential files
 * Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session
   Establishment on UPF (CVE-2021-41794)
 * Assessing the security and privacy of Vaccine Passports
 * Technical Advisory – NULL Pointer Derefence in McAfee Drive
   Encryption (CVE-2021-23893)
 * Conference Talks – October 2021
 * Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
 * Detecting and Hunting for the PetitPotam NTLM Relay Attack
 * Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI
   (CVE-2021-39307)
 * Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
 * CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
 * NSA & CISA Kubernetes Security Guidance – A Critical Review
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport
   Credential Forgery
 * Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner
   App Sends Data to a Third Party not Specified in Privacy Policy
 * Conference Talks – September 2021
 * The ABCs of NFC chip security
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
 * Disabling Office Macros to Reduce Malware Infections
 * Some Musings on Common (eBPF) Linux Tracing Bugs
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive
   Extraction – CVE-2021-22937 (Patch Bypass)
 * Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection
   (CVE-2021-36380)
 * Practical Considerations of Right-to-Repair Legislation
 * Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
 * Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log
   Server (CVE-2021-35478,CVE-2021-35479)
 * Detecting and Hunting for the Malicious NetFilter Driver
 * CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
 * NCC Group Research at Black Hat USA 2021 and DEF CON 29
 * Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
 * Software-Based Fault Injection Countermeasures (Part 2/3)
 * An Introduction to Fault Injection (Part 1/3)
 * Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite
   (CVE-2021-21586, CVE-2021-21587)
 * Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare
   vCenter Server 7.0
 * Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
 * Tool Release – Reliably-checked String Library Binding
 * Are you oversharing (in Salesforce)? Our new tool could sniff it out!
 * Exploit mitigations: keeping up with evolving and complex software/hardware
 * NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use
   Against Security Researchers
 * Handy guide to a new Fivehands ransomware variant
 * On the Use of Pedersen Commitments for Confidential Payments
 * Incremental Machine Learning by Example: Detecting Suspicious Activity with
   Zeek Data Streams, River, and JA3 Hashes
 * Testing Two-Factor Authentication
 * Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
 * Research Paper – Machine Learning for Static Malware Analysis, with
   University College London
 * Conference Talks – June 2021
 * Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and
   Implementation Review
 * iOS User Enrollment and Trusted Certificates
 * Detecting Rclone – An Effective Tool for Exfiltration
 * Supply Chain Security Begins with Secure Software Development
 * Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re
   cryptographically random)
 * Public Report – Dell Secured Component Verification
 * RM3 – Curiosities of the wildest banking malware
 * Conference Talks – May 2021
 * A Census of Deployed Pulse Connect Secure (PCS) Versions
 * NCC Group’s Upcoming Trainings at Black Hat USA 2021
 * Public Report – VPN by Google One: Technical Security & Privacy Assessment
 * Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s
   servers on startup
 * Tool Release – Principal Mapper v1.1.0 Update
 * SAML XML Injection
 * The Future of C Code Review
 * RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API
   vulnerabilities CVE-2021-22986
 * Tool Release – Solitude: A privacy analysis tool
 * Deception Engineering: exploring the use of Windows Installer Packages
   against first stage payloads
 * Lending a hand to the community – Covenant v0.7 Updates
 * Technical Advisory: Dell SupportAssist Local Privilege Escalation
   (CVE-2021-21518)
 * Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus
   JGS516PE / GS116Ev2 Switches
 * Deception Engineering: exploring the use of Windows Service Canaries against
   ransomware
 * Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
 * Technical Advisory: Administrative Passcode Recovery and Authenticated Remote
   Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309,
   CVE-2021-25306)
 * Cryptopals: Exploiting CBC Padding Oracles
 * Investigating Potential Security Vulnerability Manifestation through Various
   Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be
   Improved)
 * NCC Group’s 2020 Annual Research Report
 * Conference Talks – February/March 2021
 * Software Verification and Analysis Using Z3
 * Technical Advisory – Linksys WRT160NL – Authenticated Command Injection
   (CVE-2021-25310)
 * Real World Cryptography Conference 2021: A Virtual Experience
 * RIFT: Analysing a Lazarus Shellcode Execution Method
 * MSSQL Lateral Movement
 * Public Report – BLST Cryptographic Implementation Review
 * Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
 * Building an RDP Credential Catcher for Threat Intelligence
 * Double-odd Elliptic Curves
 * Using AWS and Azure for Cost Effective Log Ingestion with Data Processing
   Pipelines for SIEMs
 * Domestic IoT Nightmares: Smart Doorbells
 * Technical Advisory: OS Command Injection in Silver Peak EdgeConnect
   Appliances (CVE-2020-12148, CVE-2020-12149)
 * Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot
   Configuration Auditing Introduced in Depthcharge v0.2.0
 * An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered
   Harmful
 * ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
 * Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP
   Signatures
 * ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial
   and Business Networks
 * Tool Release – Carnivore: Microsoft External Assessment Tool
 * Technical Advisory: containerd – containerd-shim API Exposed to Host Network
   Containers (CVE-2020-15257)
 * Conference Talks – December 2020
 * TA505: A Brief History Of Their Time
 * Decrypting OpenSSH sessions for fun and profit
 * Past, Present and Future of Effective C
 * Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS)
   Vulnerabilities in Oracle Communications Diameter Signaling Router
   (CVE-2020-14787, CVE-2020-14788)
 * Technical Advisory: Command Injection
 * Conference Talks – November 2020
 * Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon
   Message (CVE-2020-8255)
 * Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip
   Extraction (CVE-2020-8260)
 * Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code
   Execution (CVE-2020-27162)
 * Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation
   Bypass (CVE-2020-27161)
 * Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
 * Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow
   (CVE-2020-26561)
 * There’s A Hole In Your SoC: Glitching The MediaTek BootROM
 * RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 honeypot data release
 * Technical Advisory – Pulse Connect Secure – RCE via Template Injection
   (CVE-2020-8243)
 * Tool – Windows Executable Memory Page Delta Reporter
 * Salesforce Security with Remote Working
 * Tool Release – ScoutSuite 5.10
 * Conference Talks – October 2020
 * Tool Release – ICPin, an integrity-check and anti-debug detection pintool
 * Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
 * Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP
   Method Interchange (CVE-2020-13658)
 * Online Casino Roulette – A guideline for penetration testers and security
   researchers
 * Extending a Thinkst Canary to become an interactive honeypot
 * StreamDivert: Relaying (specific) network connections
 * Public Report – Electric Coin Company NU4 Cryptographic Specification and
   Implementation Review
 * Machine learning from idea to reality: a PowerShell case study
 * Conference Talks – September 2020
 * Whitepaper – Exploring the Security of KaiOS Mobile Applications
 * Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack
   (CVE-2020-24613)
 * Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS
   Pre-installed Mobile Applications
 * Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP
   application
 * Immortalising 20 Years of Epic Research
 * Pairing over BLS12-381, Part 3: Pairing!
 * Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
 * NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers
   in 2020
 * Lights, Camera, HACKED! An insight into the world of popular IP Cameras
 * Conference Talks – August 2020
 * Tool Release – Winstrument: An Instrumentation Framework for Windows
   Application Assessments
 * Tool Release: Sinking U-Boots with Depthcharge
 * Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to
   device compromise on TP-Link C200 IP Camera
 * Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
 * Pairing over BLS12-381, Part 2: Curves
 * Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability
   CVE-2020-5902
 * RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and
   CVE-2020-8196 Intelligence
 * An offensive guide to the Authorization Code grant
 * Technical Advisory – KwikTag Web Admin Authentication Bypass
 * Pairing over BLS12-381, Part 1: Fields
 * RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
   Intelligence
 * Experiments in Extending Thinkst Canary – Part 1
 * Tool Release – ScoutSuite 5.9.0
 * Technical Advisory – macOS Installer Local Root Privilege Escalation
   (CVE-2020-9817)
 * Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to
   make threat actors work harder and fail more often
 * How-to: Importing WStalker CSV (and more) into Burp Suite via Import to
   Sitemap Extension
 * Tool: WStalker – an easy proxy to support Web API assessments
 * Security Considerations of zk-SNARK Parameter Multi-Party Computation
 * WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
 * Tool Release – Socks Over RDP Now Works With Citrix
 * Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
 * Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
 * Cyber Security of New Space Paper
 * In-depth analysis of the new Team9 malware family
 * Common Insecure Practices with Configuring and Extending Salesforce
 * Dangers of Kubernetes IAM Integrations
 * Exploring DeepFake Capabilities & Mitigation Strategies with University
   College London
 * Game Security
 * Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
 * Research Report – Zephyr and MCUboot Security Assessment
 * CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a
   better read/write primitive
 * CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read
   and write primitive
 * Using SharePoint as a Phishing Platform
 * Public Report – Coda Cryptographic Review
 * Shell Arithmetic Expansion and Evaluation Abuse
 * CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition
   and debugging tricks
 * Tool Release – Socks Over RDP
 * Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
 * CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic
   triggering
 * Practical Machine Learning for Random (Filename) Detection
 * Curve9767 and Fast Signature Verification
 * CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
 * The Extended AWS Security Ramp-Up Guide
 * Code Patterns for API Authorization: Designing for Security
 * Order Details Screens and PII
 * How cryptography is used to monitor the spread of COVID-19
 * Rise of the Sensors: Securing LoRaWAN Networks
 * C Language Standards Update – Zero-size Reallocations are Undefined Behavior
 * IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
 * Exploring Verifiable Random Functions in Code
 * Crave the Data: Statistics from 1,300 Phishing Campaigns
 * Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
 * Tool Release – ScoutSuite 5.8.0
 * Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level
   Vulnerabilities
 * Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
 * LDAPFragger: Bypassing network restrictions using LDAP attributes
 * Threat Actors: exploiting the pandemic
 * A Survey of Istio’s Network Security Features
 * Conference Talks – March 2020
 * Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation
   Review
 * Reviewing Verifiable Random Functions
 * CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for
   fun and exploitation
 * Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
 * Improving Software Security through C Language Standards
 * Whitepaper – A Tour of Curve 25519 in Erlang
 * Deep Dive into Real-World Kubernetes Threats
 * Technical Advisory – playSMS Pre-Authentication Remote Code Execution
   (CVE-2020-8644)
 * Interfaces.d to RCE
 * Properly Signed Certificates on CPE Devices
 * Conference Talks – February 2020
 * Tool Release – Collaborator++
 * Public Report – Electric Coin Company NU3 Specification and Blossom
   Implementation Audit
 * Tool Release – Enumerating Docker Registries with go-pillage-registries
 * Conference Talks – January 2020
 * Passive Decryption of Ethereum Peer-to-Peer Traffic
 * On Linux’s Random Number Generation
 * Demystifying AWS’ AssumeRole and sts:ExternalId
 * Welcome to the new NCC Group Global Research blog
 * Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet;
   and Unprotected client and server data transmission between Android and IOS
   clients
 * Security impact of IoT on the Enterprise
 * Secure Device Provisioning Best Practices: Heavy Truck Edition
 * CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device
   Host Service and the Update Orchestrator Service
 * Padding the struct: How a compiler optimization can disclose stack memory
 * Embedded Device Security Certifications
 * An Introduction to Ultrasound Security Research
 * PhanTap (Phantom Tap): Making networks spookier one packet at a time
 * An Introduction to Quantum Computing for Security Professionals
 * Sniffle: A Sniffer for Bluetooth 5
 * Compromising a Hospital Network for £118 (Plus Postage & Packaging)
 * Getting Shell with XAMLX Files
 * Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to
   a Privilege Escalation
 * Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow
 * Technical Advisory: Unauthenticated SQL Injection in Lansweeper
 * Jenkins Plugins and Core Technical Summary Advisory
 * Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
 * Technical Advisory: Multiple Vulnerabilities in Brother Printers
 * Technical Advisory: Multiple Vulnerabilities in Xerox Printers
 * Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and
   Next Steps
 * Technical Advisory: Multiple Vulnerabilities in HP Printers
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 9: Adventures with Expert Systems
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 8: Development of Prototype #4 – Building on
   Takaesu’s Approach with Focus on XSS
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 7: Development of Prototype #3 – Adventures in
   Anomaly Detection
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 5: Development of Prototype #1 – Text Processing and
   Semantic Relationships
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 4: Architecture and Design
 * Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 3: Understanding Existing Approaches and Attempts
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in
   Social Engineering
 * Project Ava: On the Matter of Using Machine Learning for Web Application
   Security Testing – Part 1: Understanding the Basics and What Platforms and
   Frameworks Are Available
 * Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
 * Technical Advisory: Intel Driver Support & Assistance – Local Privilege
   Escalation
 * Technical Advisory: Citrix Workspace / Receiver Remote Code Execution
   Vulnerability
 * The Sorry State of Aftermarket Head Unit Security
 * Cyber Security in UK Agriculture
 * NCC Group Connected Health Whitepaper July 2019
 * Story of a Hundred Vulnerable Jenkins Plugins
 * Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s
   TrustZone
 * Technical Advisory: Multiple Vulnerabilities in SmarterMail
 * Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
 * eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
 * Chafer backdoor analysis
 * Finding and Exploiting .NET Remoting over HTTP using Deserialisation
 * Technical Advisory: Multiple Vulnerabilities in MailEnable
 * Assessing Unikernel Security
 * Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
 * Zcash Overwinter Consensus and Sapling Cryptography Review
 * Xendbg: A Full-Featured Debugger for the Xen Hypervisor
 * Use of Deserialisation in .NET Framework Methods and Classes
 * Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
 * Nine years of bugs at NCC Group
 * The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
 * Third party assurance
 * Turla PNG Dropper is back
 * Public cloud
 * Android Cloud Backup/Restore
 * Spectre on a Television
 * RokRat Analysis
 * Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
 * Technical Advisory: Authentication Bypass in libSSH
 * Securing Google Cloud Platform – Ten best practices
 * Public Report – Android Cloud Backup/Restore
 * Much Ado About Hardware Implants
 * NCC Group’s Exploit Development Capability: Why and What
 * Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code
   Execution on SharePoint
 * Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
 * Improving Your Embedded Linux Security Posture With Yocto
 * How I did not get a shell
 * Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
 * Singularity of Origin
 * Proxy Re-Encryption Protocol: IronCore Public Report
 * Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms
   using Deserialisation of Untrusted Data
 * Jackson Deserialization Vulnerabilities
 * Celebrating NCC Con Europe 2018
 * The disadvantages of a blacklist-based approach to input validation
 * Securing Teradata Database
 * Technical Advisory: Unauthenticated Remote Command Execution through Multiple
   Vulnerabilities in Virgin Media Hub 3.0
 * Ethics in Security Testing
 * Freddy: An extension for automatically identifying deserialisation issues in
   Java and .NET applications
 * Sobelow Update
 * House
 * Principal Mapper (pmapper)
 * Return of the hidden number problem
 * Technical advisory: “ROHNP”- key extraction side channel in multiple crypto
   libraries
 * CVE-2017-8570 RTF and the Sisfader RAT
 * Mallory: Transparent TCP and UDP Proxy
 * Mallory and Me: Setting up a Mobile Mallory Gateway
 * CyberVillainsCA
 * DECTbeacon
 * Fuzzbox
 * Gizmo
 * HTTP Profiler
 * Intent Sniffer
 * Intent Fuzzer
 * iSEC Partners Releases SSLyze
 * Jailbreak
 * Manifest Explorer
 * Package Play
 * ProxMon
 * pySimReader
 * SAML Pummel
 * SecureBigIP
 * SecureCisco
 * SecureCookies
 * SecureIE.ActiveX
 * WebRATS
 * AWS Inventory: A tool for mapping AWS resources
 * Extractor
 * CMakerer: A small tool to aid CLion’s indexing
 * Emissary Panda – A potential new malicious tool
 * SMB hash hijacking & user tracking in MS Outlook
 * Testing HTTP/2 only web services
 * Windows IPC Fuzzing Tools
 * WSBang
 * WSMap
 * Nerve
 * Ragweed
 * File Fuzzers
 * Kivlad
 * Android SSL Bypass
 * Hiccupy
 * iOS SSL Killswitch
 * The SSL Conservatory
 * TLSPretense — SSL/TLS Client Testing Framework
 * tcpprox
 * YoNTMA
 * Tattler
 * PeachFarmer
 * Android-KillPermAndSigChecks
 * Android-OpenDebug
 * Android-SSL-TrustKiller
 * Introspy for Android
 * RtspFuzzer
 * SSLyze v0.8
 * NCLoader
 * IG Learner Walkthrough
 * Forensic Fuzzing Tools
 * Security First Umbrella
 * Autochrome
 * WSSiP: A Websocket Manipulation Proxy
 * AssetHook
 * Call Map: A Tool for Navigating Call Graphs in Python
 * Sobelow: Static analysis for the Phoenix Framework
 * G-Scout
 * Decoder Improved Burp Suite Plugin
 * Python Class Informer: an IDAPython plugin for viewing run-time type
   information (RTTI)
 * AutoRepeater: Automated HTTP Request Repeating With Burp Suite
 * TPM Genie
 * Open Banking: Security considerations & potential risks
 * scenester
 * port-scan-automation
 * Windows DACL Enum Project
 * umap
 * Shocker
 * Zulu
 * whitebox
 * vlan-hopping
 * tybocer
 * xcavator
 * WindowsJobLock
 * Azucar
 * Introducing Azucar
 * Readable Thrift
 * Decoding network data from a Gh0st RAT variant
 * Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
 * Discovering Smart Contract Vulnerabilities with GOATCasino
 * BLEBoy
 * APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
 * TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
 * Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple
   Microsoft Products
 * Technical Advisory: Code Execution by Viewing Resource Files in .NET
   Reflector
 * Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in
   Jenkins Delivery Pipeline plugin
 * Spectre and Meltdown: What you Need to Know
 * The economics of defensive security
 * HIDDEN COBRA Volgmer: A Technical Analysis
 * Integrity destroying malicious code for financial or geopolitical gain: A
   vision of the future?
 * Kubernetes Security: Consider Your Threat Model
 * Mobile & web browser credential management: Security implications, attack
   cases & mitigations
 * SOC maturity & capability
 * Automated Reverse Engineering of Relationships Between Data Structures in C++
   Binaries
 * Pointer Sequence Reverser (PSR)
 * Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over
   IKEv1
 * Bypassing Android’s Network Security Configuration
 * Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
 * Cisco ASA series part seven: Checkheaps
 * Adversarial Machine Learning: Approaches & defences
 * eBook: Breach notification under GDPR – How to communicate a personal data
   breach
 * Cisco ASA series part six: Cisco ASA mempools
 * The Update Framework (TUF) Security Assessment
 * Cisco ASA series part five: libptmalloc gdb plugin
 * Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
 * Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
 * Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco
   ASA
 * Decoder Improved Burp Suite plugin release part two
 * Cisco ASA series part three: Debugging Cisco ASA firmware
 * Managing PowerShell in a modern corporate environment
 * Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
 * Cisco ASA series part one: Intro to the Cisco ASA
 * EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
 * Technical Advisory: Authentication rule bypass
 * Technical Advisory – play-pac4j Authentication rule bypass
 * Decoder Improved Burp Suite plugin release part one
 * Technical advisory: Remote shell commands execution in ttyd
 * Poison Ivy string decryption
 * Securing the continuous integration process
 * Signaturing an Authenticode anomaly with Yara
 * Analysing a recent Poison Ivy sample
 * Endpoint connectivity
 * DeLux Edition: Getting root privileges on the eLux Thin Client OS
 * UK government cyber security guidelines for connected & autonomous vehicles
 * Smuggling HTA files in Internet Explorer/Edge
 * Database Security Brief: The Oracle Critical Patch Update for April 2007
 * Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention
   Mechanisms (XPMs) on the Windows platform
 * Data-mining with SQL Injection and Inference
 * The Pharming Guide – Understanding and preventing DNS related attacks by
   phishers
 * Weak Randomness Part I – Linear Congruential Random Number Generators
 * Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
 * Blind Exploitation of Stack Overflow Vulnerabilities
 * Slotting Security into Corporate Development
 * Creating Arbitrary Shellcode In Unicode Expanded Strings
 * Violating Database – Enforced Security Mechanisms
 * Hacking the Extensible Firmware Interface
 * Advanced Exploitation of Oracle PL/SQL Flaws
 * Firmware Rootkits: The Threat to the Enterprise
 * Database Security: A Christmas Carol
 * Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft
   Windows 2003 Server
 * Non-flood/non-volumetric Distributed Denial of Service (DDoS)
 * VoIP Security Methodology and Results
 * E-mail Spoofing and CDONTS.NEWMAIL
 * Dangling Cursor Snarfing: A New Class of Attack in Oracle
 * Database Servers on Windows XP and the unintended consequences of simple file
   sharing
 * DNS Pinning and Web Proxies
 * Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307
   redirections with additional or customised headers
 * Which database is more secure? Oracle vs. Microsoft
 * Variations in Exploit methods between Linux and Windows
 * Using graph databases to assess the security of thingernets based on the
   thingabilities and thingertivity of things
 * Live Incident Blog: June Global Ransomware Outbreak
 * Beyond data loss prevention
 * How to protect yourself & your organisation from phishing attacks
 * Rise of the machines: Machine Learning & its cyber security applications
 * Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input
   Streams (LAOIS)
 * A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow –
   CVE-2016-1287
 * Latest threats to the connected car & intelligent transport ecosystem
 * Network Attached Security: Attacking a Synology NAS
 * Accessing Private Fields Outside of Classes in Java
 * Understanding the insider threat & how to mitigate it
 * Matty McMattface: Security implications, mitigations & testing strategies for
   biometric facial recognition systems
 * Setting a New Standard for Kubernetes Deployments
 * Encryption at rest: Not the panacea to data protection
 * Applying normalised compression distance for architecture classification
 * Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and
   Signatures
 * D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
 * Fix Bounty
 * Unauthenticated XML eXternal Entity (XXE) vulnerability
 * General Data Protection Regulation: Knowing your data
 * Technical Advisory: Shell Injection in MacVim mvim URI Handler
 * Technical Advisory: Shell Injection in SourceTree
 * SCOMplicated? – Decrypting SCOM “RunAs” credentials
 * Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer
   Appliance
 * ISM RAT
 * Mergers & Acquisitions (M&A) cyber security due diligence
 * Advisory-CraigSBlackie-CVE-2016-9795
 * Best practices with BYOD
 * Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows
   Decryption of Stored Credentials
 * Compromising Apache Tomcat via JMX access
 * Berserko: Kerberos Authentication for Burp Suite
 * Java RMI Registry.bind() Unvalidated Deserialization
 * NCC CON Europe 2017
 * Understanding cyber risk management vs uncertainty with confidence in 2017
 * iOS MobileSlideShow USB Image Class arbitrary code execution.txt
 * Denial of Service in Parsing a URL by ierutil.dll
 * U plug, we play
 * SSL checklist for pentesters
 * Dissecting social engineering attacks
 * External Enumeration and Exploitation of Email and Web Security Solutions
 * Social Engineering
 * Phishing Stories
 * Automating extraction from malware and recent campaign analysis
 * DDoS Common Approaches and Failings
 * Absolute Security
 * How much training should staff have on cyber security?
 * USB under the bonnet: Implications of USB security vulnerabilities in vehicle
   systems
 * Cyber Essentials Scheme
 * Webinar – PCI Version 3.0: Are you ready?
 * Webinar: 4 Secrets to a Robust Incident Response Plan
 * Cloud Security Presentation
 * Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
 * Revealing Embedded Fingerprints: Deriving intelligence from USB stack
   interactions
 * Memory Gap
 * 44Con2013Game
 * creep-web-app-scanner
 * ncccodenavi
 * Pip3line
 * typofinder
 * DIBF – Updated
 * IODIDE
 * CECSTeR
 * cisco-SNMP-enumeration
 * dotnetpaddingoracle
 * dotnetpefuzzing
 * easyda
 * EDIDFuzzer
 * Fat-Finger
 * firstexecution
 * grepify
 * FrisbeeLite
 * State-of-the-art email risk
 * Ransomware: what organisations can do to survive
 * hostresolver
 * lapith
 * metasploitavevasion
 * Maritime Cyber Security: Threats and Opportunities
 * IP-reputation-snort-rule-generator
 * The L4m3ne55 of Passw0rds: Notes from the field
 * Mature Security Testing Framework
 * Exporting non-exportable RSA keys
 * Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
 * The role of security research in improving cyber security
 * Self-Driving Cars- The future is now…
 * They Ought to Know Better: Exploiting Security Gateways via their Web
   Interfaces
 * Mobile apps and security by design
 * The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
 * When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate
   Pinning
 * USB Undermining Security Barriers: further adventures with USB
 * Software Security Austerity Security Debt in Modern Software Development
 * RSA Conference – Mobile Threat War Room
 * Finding the weak link in binaries
 * To dock or not to dock, that is the question: Using laptop docking stations
   as hardware-based attack platforms
 * Harnessing GPUs Building Better Browser Based Botnets
 * The Browser Hacker’s Handbook
 * SQL Server Security
 * The Database Hacker’s Handbook
 * Social Engineering Penetration Testing
 * Public Report – Matrix Olm Cryptographic Review
 * Research Insights Volume 8 – Hardware Design: FPGA Security Risks
 * Zcash Cryptography and Code Review
 * Optimum Routers: Researching Managed Routers
 * Peeling back the layers on defence in depth…knowing your onions
 * End-of-life pragmatism
 * iOS Instrumentation Without Jailbreak
 * The Password is Dead, Long Live the Password!
 * Microsoft Office Memory Corruption Vulnerability
 * Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
 * Elephant in the Boardroom Survey 2016
 * A Peek Behind the Great Firewall of Russia
 * Avoiding Pitfalls Developing with Electron
 * Flash local-with-filesystem Bypass in navigateToURL
 * D-Link routers vulnerable to Remote Code Execution (RCE)
 * iOS Application Security: The Definitive Guide for Hackers and Developers
 * The Mobile Application Hacker’s Handbook
 * Research Insights Volume 9 – Modern Security Vulnerability Discovery
 * Post-quantum cryptography overview
 * The CIS Security Standard for Docker available now
 * An adventure in PoEKmon NeutriGo land
 * The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd
   Edition
 * How will GDPR impact your communications?
 * Potential false redirection of web site content in Internet in SAP NetWeaver
   web applications
 * Multiple security vulnerabilities in SAP NetWeaver BSP Logon
 * The Automotive Threat Modeling Template
 * My name is Matt – My voice is my password
 * Ransomware: How vulnerable is your system?
 * NCC Group Whitepaper – Understanding and Hardening Linux Containers – June 29,
   2016 – Version 1.1
 * My Hash is My Passport: Understanding Web and Mobile Authentication
 * Project Triforce: Run AFL on Everything!
 * Writing Exploits for Win32 Systems from Scratch
 * How to Backdoor Diffie-Hellman
 * Local network compromise despite good patching
 * Sakula: an adventure in DLL planting
 * When a Trusted Site in Internet Explorer was Anything But
 * GSM/GPRS Traffic Interception for Penetration Testing Engagements
 * An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an
   Oracle
 * Creating a Safer OAuth User Experience
 * Attacking Web Service Security: Message Oriented Madness, XML Worms and Web
   Service Security Sanity
 * Aurora Response Recommendations
 * Blind Security Testing – An Evolutionary Approach
 * Building Security In: Software Penetration Testing
 * Cleaning Up After Cookies
 * Command Injection in XML Signatures and Encryption
 * Common Flaws of Distributed Identity and Authentication Systems
 * Cross Site Request Forgery: An Introduction to a Common Web Application
   Weakness
 * Developing Secure Mobile Applications for Android
 * Exposing Vulnerabilities in Media Software
 * Hunting SQL Injection Bugs
 * IAX Voice Over-IP Security
 * ProxMon: Automating Web Application Penetration Testing
 * iSEC’s Analysis of Microsoft’s SDL and its ROI
 * Secure Application Development on Facebook
 * Secure Session Management With Cookies for Web Applications
 * Security Compliance as an Engineering Discipline
 * Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
 * Exploiting Rich Content
 * HTML5 Security The Modern Web Browser Perspective
 * An Introduction to Authenticated Encryption
 * Attacks on SSL
 * Content Security Policies Best Practices
 * Windows Phone 7 Application Security Survey
 * Browser Extension Password Managers
 * Introducing idb-Simplified Blackbox iOS App Pentesting
 * Login Service Security
 * The factoring dead: Preparing for the cryptopocalypse
 * Auditing Enterprise Class Applications and Secure Containers on Android
 * Early CCS Attack Analysis
 * Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver
   URSA
 * Perfect Forward Security
 * Internet of Things Security
 * Secure Messaging for Normal People
 * Understanding and Hardening Linux Containers
 * Adventures in Windows Driver Development: Part 1
 * Private sector cyber resilience and the role of data diodes
 * From CSV to CMD to qwerty
 * General Data Protection Regulation – are you ready?
 * Business Insights: Cyber Security in the Financial Sector
 * The Importance of a Cryptographic Review
 * osquery Application Security Assessment Public Report
 * Sysinternals SDelete: When Secure Delete Fails
 * Ricochet Security Assessment Public Report
 * Breaking into Security Research at NCC Group
 * Building Systems from Commercial Components
 * Modernizing Legacy Systems: Software Technologies, Engineering Processes, and
   Business Practices
 * Secure Coding in C and C++
 * CERT Oracle Secure Coding Standard for Java
 * CERT C Secure Coding Standard
 * Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
 * Professional C Programming LiveLessons, (Video Training) Part I: Writing
   Robust, Secure, Reliable Code
 * Secure Coding in C and C++, 2nd Edition
 * The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe,
   Reliable, and Secure Systems
 * Secure Coding Rules for Java LiveLessons, Part 1
 * Hacking Displays Made Interesting
 * What the HEC? Security implications of HDMI Ethernet Channel and other
   related protocols
 * 44CON Workshop – How to assess and secure iOS apps
 * Payment Card Industry Data Security Standard (PCI DSS) A Navigation and
   Explanation of Changes from v2.0 to v3.0
 * Mobile World Congress – Mobile Internet of Things
 * Practical SME security on a shoestring
 * BlackHat Asia USB Physical Access
 * How we breach network infrastructures and protect them
 * Hacking a web application
 * Batten down the hatches: Cyber threats facing DP operations
 * Threats and vulnerabilities within the Maritime and shipping sectors
 * Distributed Ledger (Blockchain) Security and Quantum Computing Implications
 * Building WiMap the Wi-Fi Mapping Drone
 * Abusing Privileged and Unprivileged Linux Containers
 * A few notes on usefully exploiting libstagefright on Android 5.x
 * NCC Con Europe 2016
 * Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
 * Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify
   External Emails
 * Car Parking Apps Vulnerable To Hacks
 * eBook – Do you know how your organisation would react in a real-world attack
   scenario?
 * Erlang Security 101
 * SysAid Helpdesk blind SQL injection
 * SysAid Helpdesk stored XSS
 * Virtual Access Monitor Multiple SQL Injection Vulnerabilities
 * Whatsupgold Premium Directory traversal
 * Windows remote desktop memory corruption leading to RCE on XPSP3
 * Windows USB RNDIS driver kernel pool overflow
 * Drones: Detect, Identify, Intercept, and Hijack
 * Introducing Chuckle and the Importance of SMB Signing
 * Threat Intelligence: Benefits for the Enterprise
 * Best Practices for the use of Static Code Analysis within a Real-World Secure
   Development Lifecycle
 * Secure Device Manufacturing: Supply Chain Security Resilience
 * eBook – Planning a robust incident response process
 * HDMI Ethernet Channel
 * Advanced SQL Injection in SQL Server Applications
 * USB keyboards by post – use of embedded keystroke injectors to bypass autorun
   restrictions on modern desktop operating systems
 * ASP.NET Security and the Importance of KB2698981 in Cloud Environments
 * Xen HYPERVISOR_xen_version stack memory revelation
 * Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
 * SysAid Helpdesk Pro – Blind SQL Injection
 * Symantec Messaging Gateway SSH with backdoor user account + privilege
   escalation to root due to very old Kernel
 * Symantec Messaging Gateway Out of band stored XSS delivered by email
 * Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for
   example)
 * Symantec Messaging Gateway Arbitrary file download is possible with a crafted
   URL (authenticated)
 * Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom
   Reports
 * Symantec Backup Exec 2012 – OS version and service pack information leak
 * Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
 * Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs
 * Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding
   Groups, Servers and Computers
 * Squiz CMS File Path Traversal
 * Solaris 11 USB Hub Class descriptor kernel stack overflow
 * SmarterMail – Stored XSS in emails
 * Remote code execution in ImpressPages CMS
RIFT: Research and Intelligence Fusion Team
Digital Forensics and Incident Response (DFIR)
Threat Intelligence

August 19, 2022

5 mins read


BACK IN BLACK: UNLOCKING A LOCKBIT 3.0 RANSOMWARE ATTACK 

This research was conducted by Ross Inman (@rdi_x64) from the NCC Group Cyber
Incident Response Team. You can find more here: Incident Response – NCC Group.


SUMMARY


TL;DR

This post explores some of the TTPs employed by a threat actor who was observed
deploying LockBit 3.0 ransomware during an incident response engagement.

Below is a summary of the findings presented in this blog post:

 * Initial access via SocGholish.
 * Establishing persistence to run Cobalt Strike beacon.
 * Disabling of Windows Defender and Sophos.
 * Use of information gathering tools such as Bloodhound and Seatbelt.
 * Lateral movement leveraging RDP and Cobalt Strike.
 * Use of 7zip to collect data for exfiltration.
 * Cobalt Strike use for Command and Control. 
 * Exfiltration of data to Mega.
 * Use of PsExec to push out ransomware.


LOCKBIT 3.0

The emergence of LockBit 3.0, aka "LockBit Black", noted in June of this year,
has coincided with a large increase in the number of victims being published to
the LockBit leak site, indicating that the past few months have been a period of
intense activity for the LockBit collective.

In the wake of the apparent implosion of the previously prolific ransomware
group CONTI [1], it seems that the LockBit operators are looking to fill the
void, presenting a continued risk of encryption and data exfiltration to
organizations around the world.


TTPS


INITIAL ACCESS

Initial access into the network was gained via the download of a malware-laced
zip file containing SocGholish. Once executed, it initiated the download of a
Cobalt Strike beacon, which was written to the folder C:\ProgramData\VGAuthService
with the filename VGAuthService.dll. Alongside this, the Windows command-line
utility rundll32.exe was copied to the same folder, renamed to VGAuthService.exe
and used to execute the Cobalt Strike DLL.

PowerShell commands were also executed by the SocGholish malware to gather
system and domain information:

 * powershell /c nltest /dclist: ; nltest /domain_trusts ; cmdkey /list ; net
   group 'Domain Admins' /domain ; net group 'Enterprise Admins' /domain ; net
   localgroup Administrators /domain ; net localgroup Administrators ;
 * powershell /c Get-WmiObject win32_service -ComputerName localhost |
   Where-Object {$_.PathName -notmatch 'c:\win'} | select Name, DisplayName,
   State, PathName | findstr 'Running'


PERSISTENCE

A persistence mechanism was installed by SocGholish using the startup folder of
the infected user to ensure execution at user logon. The shortcut file
C:\Users\<user>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VGAuthService.lnk
was created and configured to execute the following command, which runs the
Cobalt Strike beacon deployed to the host:

C:\ProgramData\VGAuthService\VGAuthService.exe C:\ProgramData\VGAuthService\VGAuthService.dll,DllRegisterServer
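The initial access and persistence sections above describe four process-level patterns a defender can hunt for in endpoint telemetry: rundll32.exe running under a different file name, a DLL in C:\ProgramData being loaded through its DllRegisterServer export, the PowerShell discovery burst, and processes spawned by the PsExec service. The following is an added example (not NCC Group's code) that encodes those patterns as rules over process-creation events; the field names follow Sysmon Event ID 1 conventions and are an assumption about your own telemetry, and the sample events are constructed from the command lines quoted in this post.

```python
r"""Rule-based detection over process-creation telemetry for the SocGholish and
Cobalt Strike patterns described above. Added example, not NCC Group's code.
Field names follow Sysmon Event ID 1 conventions (assumption about your telemetry)."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcEvent:
    host: str
    image: str                # full path of the executed binary
    original_file_name: str   # OriginalFileName from the PE version resource
    command_line: str
    parent_image: str


# Discovery commands quoted in the "Initial access" section
DISCOVERY_CMDS = re.compile(
    r"nltest\s+/(dclist|domain_trusts)|net\s+group\s+'?(Domain|Enterprise) Admins'?|cmdkey\s+/list",
    re.IGNORECASE,
)
# A DLL under C:\ProgramData invoked through its DllRegisterServer export
DLL_REGISTER = re.compile(r"c:\\programdata\\[^\s,]+\.dll,\s*dllregisterserver", re.IGNORECASE)


def rule_renamed_rundll32(ev: ProcEvent) -> bool:
    """rundll32.exe executing under another file name (here: VGAuthService.exe)."""
    return (ev.original_file_name.lower() == "rundll32.exe"
            and not ev.image.lower().endswith("\\rundll32.exe"))


def rule_dll_export_from_programdata(ev: ProcEvent) -> bool:
    """Matches both the VGAuthService.dll and the svchost1.dll service command lines."""
    return DLL_REGISTER.search(ev.command_line) is not None


def rule_discovery_burst(ev: ProcEvent) -> bool:
    shell = ev.original_file_name.lower() in ("powershell.exe", "cmd.exe")
    return shell and DISCOVERY_CMDS.search(ev.command_line) is not None


def rule_psexec_launched(ev: ProcEvent) -> bool:
    """Child of the PsExec service binary (PSEXESVC.exe), e.g. 123.bat or zzz.exe."""
    return ev.parent_image.lower().endswith("\\psexesvc.exe")


RULES: Dict[str, Callable[[ProcEvent], bool]] = {
    "renamed_rundll32": rule_renamed_rundll32,
    "dll_export_from_programdata": rule_dll_export_from_programdata,
    "discovery_burst": rule_discovery_burst,
    "psexec_launched": rule_psexec_launched,
}


def evaluate(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (host, rule name, image) for every rule that fires on every event."""
    return [(ev.host, name, ev.image)
            for ev in events for name, rule in RULES.items() if rule(ev)]


def rules_for_host(events: List[ProcEvent], host: str) -> List[str]:
    return sorted({r for h, r, _ in evaluate(events) if h == host})


# Constructed events modelled on the command lines in this post (not real telemetry)
SAMPLE_EVENTS = [
    ProcEvent("WS01", r"C:\ProgramData\VGAuthService\VGAuthService.exe", "RUNDLL32.EXE",
              r"C:\ProgramData\VGAuthService\VGAuthService.exe C:\ProgramData\VGAuthService\VGAuthService.dll,DllRegisterServer",
              r"C:\Windows\explorer.exe"),
    ProcEvent("WS01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "PowerShell.EXE",
              r"powershell /c nltest /dclist: ; nltest /domain_trusts ; cmdkey /list ; net group 'Domain Admins' /domain",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent("SRV02", r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r"rundll32.exe c:\programdata\svchost1.dll,DllRegisterServer",
              r"C:\Windows\System32\services.exe"),
    ProcEvent("SRV03", r"C:\Windows\System32\cmd.exe", "Cmd.Exe",
              r"cmd /c C:\ProgramData\123.bat", r"C:\Windows\PSEXESVC.exe"),
    ProcEvent("WS05", r"C:\Windows\System32\rundll32.exe", "RUNDLL32.EXE",
              r"rundll32.exe shell32.dll,Control_RunDLL", r"C:\Windows\explorer.exe"),  # benign
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

The renamed-rundll32 rule relies on the OriginalFileName field, which a renamed copy keeps; it is the cheapest way to catch the VGAuthService.exe trick without a hash list. The benign fifth event shows that a legitimate rundll32 call from explorer.exe is not flagged by any rule.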


DEFENCE EVASION

Deployment of a batch script named 123.bat was observed on multiple hosts and
was deployed via PsExec. The script possessed the capabilities to uninstall
Sophos, disable Windows Defender and terminate running services where the
service name contained specific strings. The contents of the batch script are
provided below:

Figure 1: 123.bat contents

The ransomware binary used also clears key Windows event log files including
Application, System and Security. It also prevents any further events from being
written by targeting the EventLog service.


DISCOVERY

Bloodhound was executed days after the initial SocGholish infection on the
patient zero host. The output file was created in the C:\ProgramData directory
with the file extension .bac instead of the usual .zip; however, the file was
still a zip archive.

A TGS ticket for a single account was observed on patient zero in a text file
under C:\ProgramData. It is highly likely the threat actor was gathering the
ticket in order to crack the account's password offline.

Seatbelt [2] was also executed on the patient zero host alongside Bloodhound.
Security-oriented information about the host gathered by Seatbelt was written
to the file C:\ProgramData\seat.txt.
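The .bac file above is a reminder that an extension says nothing about a file's real format. As an added example (not NCC Group's code), the following Python walks a directory, flags any file whose first bytes are the zip local-file-header magic but whose extension is not one where a zip container is expected, and adds a hint when the archive's entry names look like SharpHound collection output; the SharpHound naming convention and the extension allow-list are assumptions, and the sample tree is constructed.

```python
r"""Hunt for archives hiding behind a non-archive extension, as the Bloodhound
output (.bac, really a zip) in C:\ProgramData did. Added example, not NCC Group's
code. SHARPHOUND_SUFFIXES is an assumption about SharpHound's JSON file naming."""
import os
import tempfile
import zipfile

ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens every non-empty zip
# Extensions where a zip container is expected; anything else with zip magic is suspicious
ZIP_EXTENSIONS = {".zip", ".jar", ".docx", ".xlsx", ".pptx", ".apk", ".nupkg", ".whl"}
# Assumed SharpHound naming for collected objects (e.g. 20220819_users.json)
SHARPHOUND_SUFFIXES = ("_users.json", "_computers.json", "_groups.json", "_domains.json")


def has_zip_magic(path):
    with open(path, "rb") as f:
        return f.read(4) == ZIP_MAGIC


def looks_like_sharphound(path):
    """True if the archive's entries carry the assumed SharpHound suffixes."""
    try:
        with zipfile.ZipFile(path) as zf:
            return any(n.lower().endswith(SHARPHOUND_SUFFIXES) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def find_masqueraded_archives(root):
    """Return sorted (relative path, sharphound_hint) for zip-magic files with an unexpected extension."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext not in ZIP_EXTENSIONS and has_zip_magic(full):
                findings.append((os.path.relpath(full, root), looks_like_sharphound(full)))
    return sorted(findings)


def build_sample_tree():
    """Constructed directory: a disguised SharpHound-style zip, a normal .zip and a text file."""
    root = tempfile.mkdtemp(prefix="bac_")
    with zipfile.ZipFile(os.path.join(root, "20220819.bac"), "w") as zf:
        zf.writestr("20220819_users.json", '{"data": []}')
        zf.writestr("20220819_computers.json", '{"data": []}')
    with zipfile.ZipFile(os.path.join(root, "backup.zip"), "w") as zf:
        zf.writestr("readme.txt", "constructed benign archive")
    with open(os.path.join(root, "seat.txt"), "w") as f:
        f.write("constructed Seatbelt-style text output\n")
    return root


if __name__ == "__main__":
    for rel, hint in find_masqueraded_archives(build_sample_tree()):
        print(rel, "(SharpHound-like)" if hint else "")
```

Run against C:\ProgramData (or a mounted image of it) to surface staged collection output; the magic check is cheap enough to apply to every file, and only candidates are opened as archives.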


LATERAL MOVEMENT

The following methods were utilized to move laterally throughout the victim
network:

 * Cobalt Strike remotely installed temporary services on targeted hosts which
   executed a Cobalt Strike beacon. An example command line of what the services
   were configured to run is provided below:
   
   rundll32.exe c:\programdata\svchost1.dll,DllRegisterServer

 * RDP sessions were established using a highly privileged account the threat
   actor had previously compromised.


COLLECTION

7zip was deployed by the adversary to compress and stage data from folders of
interest which had been browsed during RDP sessions.


COMMAND AND CONTROL

Cobalt Strike was the primary C2 framework utilized by the threat actor to
maintain their presence on the estate as well as to move laterally.


EXFILTRATION USING MEGASYNC

Before deploying the ransomware to the network, the threat actor began to
exfiltrate data to Mega, a cloud storage provider. This was achieved by
downloading Mega sync software onto compromised hosts, allowing for direct
upload of data to Mega.


IMPACT

The ransomware was pushed out to the endpoints using PsExec and impacted both
servers and end-user devices. The ransomware executable was named zzz.exe and
was located in the following folders:

 * C:\Windows
 * C:\ProgramData
 * C:\Users\<user>\Desktop


RECOMMENDATIONS

 1. Ensure that both online and offline backups are taken and test the backup
    plan regularly to identify any weak points that could be exploited by an
    adversary.
 2. Restrict internal RDP and SMB traffic so that only hosts that are required
    to communicate via these protocols are allowed to.   
 3. Monitor firewalls for anomalous spikes in data leaving the network.
 4. Block traffic to cloud storage services such as Mega which have no
    legitimate use in a corporate environment.
 5. Provide regular security awareness training.

If you have been impacted by LockBit, or currently have an incident and would
like support, please contact our Cyber Incident Response Team on +44 161 209
5148 or email cirt@nccgroup.com.


INDICATORS OF COMPROMISE

IOC Value | Indicator Type | Description
orangebronze[.]com | Domain | Cobalt Strike C2 server
194.26.29[.]13 | IP Address | Cobalt Strike C2 server
C:\ProgramData\svchost1.dll, C:\ProgramData\conhost.dll, C:\ProgramData\svchost.dll | File Path | Cobalt Strike beacons
C:\ProgramData\VGAuthService\VGAuthService.dll | File Path | Cobalt Strike beacon deployed by SocGholish
C:\Windows\zzz.exe, C:\ProgramData\zzz.exe, C:\Users\<user>\Desktop\zzz.exe | File Path | Ransomware executable
c:\users\<user>\appdata\local\megasync\megasync.exe | File Path | Mega sync software
C:\ProgramData\PsExec.exe | File Path | PsExec
C:\ProgramData\123.bat | File Path | Batch script to tamper with security software and services
D826A846CB7D8DE539F47691FE2234F0FC6B4FA0 | SHA1 Hash | C:\ProgramData\123.bat

Figure 2: Indicators of Compromise
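The file-path and hash indicators above are the ones most useful for a quick host sweep. As an added example (not NCC Group tooling), the following Python turns the table's paths into patterns, with <user> standing for any single profile directory, walks a scan root that is assumed to represent the root of C:\ (so an offline copy or mounted image can be checked on any OS), and reports both path and SHA1 matches; the sample tree is constructed, and its placeholder 123.bat deliberately does not carry the listed hash.

```python
r"""Sweep a file tree for the file-path and SHA1 indicators in Figure 2.
Added example, not NCC Group tooling. Assumptions: the scan root stands for the
root of C:\, and <user> in an IOC path matches exactly one profile-directory
component."""
import hashlib
import os
import re
import tempfile

# File-path IOCs copied from the table above
PATH_IOCS = [
    r"C:\ProgramData\svchost1.dll",
    r"C:\ProgramData\conhost.dll",
    r"C:\ProgramData\svchost.dll",
    r"C:\ProgramData\VGAuthService\VGAuthService.dll",
    r"C:\Windows\zzz.exe",
    r"C:\ProgramData\zzz.exe",
    r"C:\Users\<user>\Desktop\zzz.exe",
    r"c:\users\<user>\appdata\local\megasync\megasync.exe",
    r"C:\ProgramData\PsExec.exe",
    r"C:\ProgramData\123.bat",
]
# SHA1 of 123.bat from the table above, lower-cased for comparison
HASH_IOCS = {"d826a846cb7d8de539f47691fe2234f0fc6b4fa0"}


def ioc_to_regex(ioc):
    """Escape the literal path, then let <user> stand for one path component."""
    pattern = re.escape(ioc).replace(re.escape("<user>"), r"[^\\]+")
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def windows_path(root, full):
    """Express a file under the scan root as the path it would have on the host's C: drive."""
    return "C:\\" + os.path.relpath(full, root).replace(os.sep, "\\")


def sha1_of(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root, path_iocs=PATH_IOCS, hash_iocs=HASH_IOCS):
    """Return (kind, indicator, windows path) for every path or hash match under root."""
    patterns = [(ioc, ioc_to_regex(ioc)) for ioc in path_iocs]
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            wpath = windows_path(root, full)
            for ioc, rx in patterns:
                if rx.match(wpath):
                    hits.append(("path", ioc, wpath))
            digest = sha1_of(full)
            if digest in hash_iocs:
                hits.append(("sha1", digest, wpath))
    return hits


def build_sample_tree():
    """Constructed tree mimicking a C: drive; file contents are placeholders, not malware."""
    root = tempfile.mkdtemp(prefix="sweep_")
    files = {
        "ProgramData/123.bat": b"@echo off\r\nrem constructed placeholder\r\n",
        "Users/alice/Desktop/zzz.exe": b"MZ placeholder",
        "Users/alice/AppData/Local/MEGAsync/MEGAsync.exe": b"MZ placeholder",
        "Windows/System32/notepad.exe": b"MZ benign placeholder",
    }
    created = {}
    for rel, data in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        created[rel] = full
    return root, created


if __name__ == "__main__":
    sample_root, _ = build_sample_tree()
    for hit in sweep(sample_root):
        print(hit)
```

Path hits confirm staging locations even when an attacker has recompiled or repacked a tool, while hash hits confirm the exact artefact; reporting both lets an analyst tell the two apart during triage.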


MITRE ATT&CK®

Tactic | Technique | ID | Description
Initial Access | Drive-by Compromise | T1189 | Initial access was gained via infection with SocGholish malware caused by a drive-by download
Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | A batch script was utilized to execute malicious commands
Execution | Command and Scripting Interpreter: PowerShell | T1059.001 | PowerShell was utilized to execute malicious commands
Execution | System Services: Service Execution | T1569.002 | Cobalt Strike remotely created services to execute its payload
Execution | System Services: Service Execution | T1569.002 | PsExec creates a service to perform its execution
Persistence | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | SocGholish established persistence through a startup folder
Defence Evasion | Impair Defenses: Disable or Modify Tools | T1562.001 | 123.bat disabled and uninstalled anti-virus software
Defence Evasion | Indicator Removal on Host: Clear Windows Event Logs | T1070.001 | The ransomware executable cleared Windows event log files
Discovery | Domain Trust Discovery | T1482 | The threat actor executed Bloodhound to map out the AD environment
Discovery | Domain Trust Discovery | T1482 | A TGS ticket for a single account was observed in a text file created by the threat actor
Discovery | System Information Discovery | T1082 | Seatbelt was run to gather information on patient zero
Lateral Movement | SMB/Admin Windows Shares | T1021.002 | Cobalt Strike targeted SMB shares for lateral movement
Lateral Movement | Remote Services: Remote Desktop Protocol | T1021.001 | RDP was used to establish sessions to other hosts on the network
Collection | Archive Collected Data: Archive via Utility | T1560.001 | 7zip was utilized to create archives containing data from folders of interest
Command and Control | Application Layer Protocol: Web Protocols | T1071.001 | Cobalt Strike communicated with its C2 over HTTPS
Exfiltration | Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1567.002 | The threat actor exfiltrated data to Mega cloud storage
Impact | Data Encrypted for Impact | T1486 | Ransomware was deployed to the estate and impacted both servers and end-user devices

 1. https://www.bleepingcomputer.com/news/security/conti-ransomware-finally-shuts-down-data-leak-negotiation-sites/
 2. https://github.com/GhostPack/Seatbelt



NCC Group Incident Response services provide specialists to help guide and
support you through incident handling, triage and analysis, all the way through
to providing remediation guidance

