Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Getting Started With Azure DevOps

Recently, I set out to find a simple solution to manage the building of all my offensive C# tools in a central location. The main goal I had for this project was to find a solution that didn’t require a ton of infrastructure to set up. I quickly came across the Azure DevOps platform. It didn’t take long for me to build a pipeline from my GitHub repository and compile my first binary.

Multiple Vulnerabilities in Comba and D-Link Routers

There are five new credential leaking vulnerabilities discovered and disclosed by Simon Kenin. Two are in a D-Link DSL modem typically installed to connect a home network to an ISP. The other three are in multiple Comba Telecom WiFi devices. All the vulnerabilities involve insecure storage of credentials including three where cleartext credentials available to any user with network access to the device.

Patch Tuesday, September 2019

For September 2019, Microsoft is releasing 78 CVEs. Of these CVEs, 17 are rated "Critical", 60 rated "Important", and one rated "Moderate". Additionally, this release includes the regular rollup patch for critical vulnerabilities in Adobe Flash, but you're no longer using Flash right?

Lord EK: A New Exploit Kit with an Ambitious Name

After a bit of a lull in the world of exploit kits, a new exploit kit by the name of “Lord EK” has been discovered out in the wild. This blog post will give an overview of what’s already been talked about as well as add some insights that I believe have not yet been shared publicly and provide Trustwave customers with some additional information for relevant products.

Digging Deep into Magecart Malware Part II

Magecart is the name given to notorious groups of hackers that target online shopping carts, usually Magento. We provided an overview of the group's malware last year and earlier this year, we shared details of a specific Magecart malware case we encountered during the course of an investigation. In this second installment of “Digging Deep into Magecart Malware”, we highlight a couple more Magecart attacks that we encountered during investigations.

Patch Tuesday, August 2019

The August Patch Tuesday is here ringing in patches for a massive 97 CVEs. Across those CVEs 31 are rated as "Critical", 65 as "Important" and one as "Moderate".

Trustwave Wins the Threat Indicator Top Contributor Award from Microsoft

Microsoft recognized industry collaboration among their partners last week during a ceremony at the Black Hat USA Conference in Las Vegas, Nevada. There, the Trustwave SpiderLabs team was honored as the top contributor of threat indicators.

AttackSurfaceMapper - Automate and Simplify the OSINT Process

AttackSurfaceMapper (ASM) aims to greatly simplify the reconnaissance process by taking a single target domain or a list of IPv4 addresses as input, then analysing it using passive OSINT techniques and active reconnaissance methods.

SanDisk SSD Dashboard Vulnerabilities: CVE-2019-13466 & CVE-2019-13467

While recently upgrading my laptop with a new Solid State Drive (SSD), I installed a management utility that is used for SanDisk SSDs. A quick examination revealed a some potentially dangerous vulnerabilities in it. Now that these issues have gone through our responsible disclosure program and have been patched, we can discuss the details.

Hiding PHP Code in Image Files Revisited

Over five years ago, we published a blog detailing how a webshell’s backdoor code was hidden in an image file. With this method, an attacker inserts PHP backdoor code in the meta-data headers of an image to circumvent detection. Though not entirely a new tactic at that time, fast forward five years and we continue to encounter this type of attack. This blog outlines another similar case we recently uncovered.

Breaking Smart [Bank] Statements

In Mexico, it’s possible to receive your monthly bank statement via email. Mexico's banking and securities regulator (CNBV) says that security mechanisms must be applied to the bank statement to avoid an unauthorized third party.

HQL Injection Exploitation in MySQL

Are you familiar with an HQL injection exploitation? Chances are you’re not. While you may assume it’s intuitive since it’s related to SQL injection, you’re right, but it’s a little bit more complex.

Hardcoded Credentials in Uniguest Kiosk Software Lead to API Compromise

If you've traveled at all within North America, you've likely at some point noticed or even used the shared kiosk machines available in hotel lobbies. These are typically running a locked-down version of Windows, and chances are they are managed by Uniguest software.

Patch Tuesday, July 2019

Patch Tuesday for July is here and after the massive release in June, the 77 patches issued this month seem manageable. Sixteen of the CVEs patched are rated "Critical", sixty are rated as "Important", and one singular CVE rated as "Moderate".

“Sexfavor” Email Scam Delivers Danabot

Sextortion has been a widely used theme in spam campaigns since Q1 of 2018. From simple crafted emails containing just plain text, extortion scams have evolved – even to the point of adding malicious attachments in Q1 of 2019. Since then, we’ve seen more and more attackers use sextortion spam emails as the arrival vector of their malware.

Executing Code Using Microsoft Teams Updater

Red Teamers like to hunt for new methods of code execution through “legitimate” channels, and I’m no exception to that rule. This time Microsoft Teams was my target. Teams was an interesting candidate since it uses modern technology called Electron. Electron is basically nodejs embedded in an executable.  Let’s dive into the application whitelisting bypass using Update.exe that is shipped with Microsoft Teams.

UNC Path Injection with Microsoft Access

I’ve previously created a couple of blog post’s focused around phishing with Microsoft Access https://medium.com/@rvrsh3ll. This blog post continues down the path of utilizing features in Microsoft Access that an attacker or penetration tester may utilize to gain further access into an organization.

Necurs Spam uses DNS TXT Records for Redirection

Recently we noticed the Necurs botnet launching a small spam campaign with a HTML redirector as an attachment. The HTML is crafted to perform a DNS query to the spammer’s domain, obtain the DNS TXT Record and execute data within that record. This leads to redirection to unwanted advertisements and scam webpages. This is the first time we have seen this botnet delve into this strategy.

Patch Tuesday, June 2019

For June's Patch Tuesday, Microsoft is releasing four advisories and patches for a massive 91 CVEs, the largest Patch Tuesday release in well over a year. Twenty-one of those CVEs are rated "Critical," 69 are rated "Important," and one CVE was rated "Moderate."

Patch Tuesday, May 2019

May's Patch Tuesday is here and brings with it patches for 79 CVEs. Twenty-two of those CVEs are rated "Critical," 56 are rated "Important," and one single CVE was rated "Moderate."

Stay Connected


Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.

Trending Topics