Cybercriminals are continuously evolving their tools, tactics, and techniques to evade spam detection systems. We recently observed some spam campaigns that heavily relied on URL obfuscation in email messages.

On September 14th, researchers at security firm Secura published a white paper detailing a complete unauthenticated compromise of domain controllers by subverting the Netlogon cryptography. The vulnerability, dubbed “Zerologon” (CVE-2020-1472) is a privilege escalation bug with a CVSSv3 score of 10.0 and allows a remote attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) and take over Windows Servers running as Domain Controllers.

This blog post will discuss that tradeoff in the context of regular expressions in ModSecurity. It will cover an issue raised by a member of the community as a security issue (assigned CVE-2020-15598), which we disputed, and some tips for how to avoid the more problematic aspects of regular expressions in ModSecurity.

The Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete control over a system.

Capture The Flag (CTF) competitions are globally popular among both professionals and enthusiasts in information security. CTF competitions are often great fun, but they also play an invaluable role in improving the skills of security specialists. A tournament will usually take anywhere from a day to a couple of days and is conducted over the internet or face to face in the “olden times”. During that time teams try to solve as many security and hacking-related challenges as possible, each challenge is considered a “flag” and each flag is typically worth a range of points depending on the complexity of the challenge.

I’ve recently blogged about a shared memory vulnerability in Cisco WebEx Meetings Client on Windows where any user can read memory dedicated to trace data. It turns out that this is a common problem. IBM Db2 is affected by the exact same type of problem. Developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. This allows any local users read and write access to that memory area.

SSRF is a neat bug because it jumps trust boundaries. You go from being the user of a web application to someone on the inside, someone who can reach out and touch things on behalf of the vulnerable server. Exploiting SSRF beyond a proof-of-concept callback is often tricky because the impact is largely dependent on the environment you’re making that internal request in.

Last week, security researcher Amir Etemadieh (aka Zenoflex) disclosed that vBulletin’s patch for CVE-2019-16759 (an unauthenticated remote code execution vulnerability) was incomplete. That CVE was exploited in the wild, for example, the Comodo Forums that exposed the data of 245,000 Users or the botnet activity targeting vulnerable vBulletin sites. This new vulnerability was given the identifier CVE-2020-7373.

Trustwave identified a significant malicious campaign on mandatory tax invoice software, which is required to conduct business in China. The campaign, we dubbed GoldenSpy, is an embedded backdoor in the software package, which allows full remote command and control of the victim’s system via arbitrary code execution.

A good way to keep an eye on attackers and get insight on their techniques and tactics is to use a honeypot.  A honeypot is a purposefully vulnerable system with fake data that you actually want attackers to breach. This gives you a bit of a safe sandbox where you can monitor the attacker's activity. Today I want to discuss how to set up a Microsoft SQL honeypot for the purpose of luring automated bots.

August's Patch Tuesday is here with 120 CVEs patched. That includes 100 rated as "Important" and 20 rated as "Critical". The bulk of the "Critical" list is made up of various media libraries and codecs where a Remote Code Execution vulnerability can be exploited simply by opening or playing a maliciously generated image, video, or sound file.

During this global pandemic COVID-19 situation, there has been an increasing trend of video conferencing solutions, Trustwave SpiderLabs are exercising extra vigilance in monitoring the video conferencing traffics.

In a previous post we explored the importance of scanning hostnames instead of IP addresses in order to avoid missing certain content and we also briefly touched upon the behavior of some common scanning tools.

Recently ASUS patched two issues I discovered in the RT-AC1900P router firmware update functionality. These vulnerabilities could allow for complete compromise of the router and all traffic that traverses it.

Email scammers always seem to invent new ways of trickery to gain cash from their victims. We recently came across a case where the scammer reused some existing scripts to phish and scam - copy and paste style. With a bit of modification, the script works like ransomware, without the hassle of having to compile a portable executable.

Directly preceding GoldenSpy, another malware family was used to covertly access the networks of companies doing business in China. This is the story of GoldenHelper.

July's Patch Tuesday is here with another large list of CVEs. It includes 20 CVEs rated "Critical" while the other 103 are rated as "Important". The list of Critical CVEs includes a Remote Code Execution vulnerability in the Windows DNS Server (CVE-2020-1350).

At the beginning of June 2020, we were contacted about a Magento website breach that caused a leak of credit card numbers. A thorough analysis of the website identified the webpage’s footer had malicious code added to it.

New detection for Trustwave SWG (which is also part of Blended Threat Module for select Trustwave SEG customers). The detection was specifically crafted to target this kit using Trustwave’s SWG dynamic analysis feature.

The traditional approach to a vulnerability scan or penetration test is to find the IP addresses that you want tested, throw them in and kick things off. But doing a test based purely on IP addresses is a bad idea and can often miss things.