Dominic Chell 👻 (@domchell)'s Twitter Profile
Dominic Chell 👻

@domchell

Just your friendly neighbourhood red teamer @MDSecLabs | Creator of /r/redteamsec | https://t.co/3k3EBAZqGd | https://t.co/KwO2OwDOkl

ID:20015415

https://www.mdsec.co.uk · Joined 04-02-2009 00:02:39

14,3K Tweets

15,7K Followers

532 Following

MDSec (@MDSecLabs)

New post on the blog… Exploiting CVE-2024-21111 : Local Privilege Escalation in Oracle VirtualBox by @filip_dragovic mdsec.co.uk/2024/04/cve-20…

Dominic Chell 👻 (@domchell)

The Talos and @NCSC write-ups on arcane door are very good and worth a read, the troubling bit is the lack of details around the initial execution vector... Not sure enough noise is being made about this... ncsc.gov.uk/static-assets/… blog.talosintelligence.com/arcanedoor-new…

NCSC UK (@NCSC)

The NCSC has issued advice to help network defenders mitigate malicious activity targeting some Cisco firewall devices used globally.

We encourage network defenders to read the Cisco advisory and latest NCSC reports to help mitigate this threat 👇
ncsc.gov.uk/news/exploitat…


James Forshaw (@tiraniddo)

Released a new version of OleViewDotNet (v1.14) on the PS gallery. A big change is better source code formatting for proxies and typelibs in IDL format rather than the old pseudo C# one. The video below also shows an example of dynamic parsing and display of source in the UI.


Florian (@floesen_)

Did you know that LSASS has the ability to execute arbitrary kernel-mode addresses? I wrote a small proof of concept that allows administrators to execute unsigned code in the kernel if LSA Protection is disabled.

github.com/floesen/KExecDD


blackorbird (@blackorbird)

Analyzing APT28 custom post-compromise tool for exploiting CVE-2022-38028 to obtain credentials
(Windows Print Spooler Elevation of Privilege Vulnerability)
microsoft.com/en-us/security…

Austin Hudson (@ilove2pwn_)

If anyone is looking for an operator & researcher centered around Windows, Unix, and UEFI, I am available & looking for work!

I'm happy to email my resume, and my general GitHub / research was (mostly) done under github.com/realoriginal


WithSecure™ (@WithSecure)

🚨WithSecure discovers a novel Russian APT backdoor🚨

Mohammad Kazem, one of our W/Intelligence researchers, links the backdoor to the Sandworm group, a notorious Russian nation-state actor.

🔗labs.withsecure.com/publications/k…


Ivan Kwiatkowski (@JusticeRage)

On March 25, the FBI released an indictment of APT31 hackers. We read it carefully to find new intel, and managed to connect a few dots (including about the RAWDOOR malware family).

Full article and IOCs: harfanglab.io/en/insidethela…


Evan McBroom (@mcbroom_evan)

I just published a blog and tool for the LSA Whisperer work that was presented at the SpecterOps Conference (SOCON) back in March.

If you are interested in getting credentials from LSASS without accessing its memory, check it out!
medium.com/specter-ops-po…


Caitlin Condon (@catc0n)

Full Rapid7 analysis of PAN-OS CVE-2024-3400 now available from Stephen Fewer and our stellar new research teammate Ryan Emmons! Spoiler: It's a two-vuln exploit chain. attackerkb.com/topics/SSTk336…


Unit 42 (@Unit42_Intel)

Our threat brief on Operation MidnightEclipse, tracking exploitation of #CVE20243400, now has new indicators as well as lists of commands seen in exploitation attempts: bit.ly/43YOECb

Cryptolaemus (@Cryptolaemus1)

#ISFB #LDR4 - url > .zip > .js > CobaltStrike

Interesting campaign this week purporting to be Hays Recruitment.

DocuSign lure that leads to a site that drops a zip file that contains a .js loader for #CobaltStrike

(1/3)👇IOCs continued

Unit 42 (@Unit42_Intel)

Malicious activity tracked under the campaign #OperationMidnightEclipse is targeting CVE-2024-3400, which exploits a vulnerability in certain versions of PAN-OS software. This threat brief covers mitigations and product protections: bit.ly/3vPUngM

CISA Cyber (@CISACyber)

🚩Palo Alto Networks has released workaround guidance for a command injection vulnerability (CVE-2024-3400) affecting PAN-OS versions 10.2, 11.0 & 11.1. Apply workarounds asap 👉 cisa.gov/news-events/al…


blackorbird (@blackorbird)

Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

172.233.228[.]93

volexity.com/blog/2024/04/1…
