Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

GO SMS Pro Vulnerable to Media File Theft

The GO SMS Pro application is a popular messenger app with over 100 million downloads and was discovered to publicly expose media transferred between users of the app. This exposure includes private voice messages, video messages, and photos. This means any sensitive media shared between users of this messenger app is at risk of being compromised by an unauthenticated attacker or curious user.

Massive US Voters and Consumers Databases Circulate Among Hackers

Voting in the U.S. elections started recently and there is a real concern over interference and disinformation campaigns that might impact their outcome. During investigations around the elections, the Trustwave SpiderLabs team discovered massive databases with detailed information about U.S. voters and consumers offered for sale on several hacker forums.

Bad Neighbors Can Break Windows (CVE-2020-16898)

The vulnerability, codenamed “Bad Neighbor”, is a bug in the IPv6 Neighbor Discovery Protocol, particularly it’s improper handling of ICMPv6 Router Advertisement Packets. While publicly available proof of concept (PoC) code results in a denial of service, attackers can exploit this bug to perform remote code execution (RCE).

Patch Tuesday, October 2020

October's Patch Tuesday is upon us and with it comes patches for 102 CVEs. This release includes 13 hair-raising "Critical" vulnerabilities, 88 spooky "Important" bugs, and one creepy "Moderate" issue.

Evasive URLs in Spam: Part 2

A URL can be completely valid, yet still misleading. In this blog, we will present another technique with URLs that we observed in a recent malicious spam campaign. This is the continuation of an earlier blog that discussed how valid URL formats can be used in evading detection.

Network Detection for ZeroLogon (CVE-2020-1472)

ZeroLogon has quickly become popular and well known because of multiple proofs of concept and exploits implemented in Python, .NET, Powershell, and Mimikatz implemented a module for it. So if you are an attacker or need to test your environment then you have plenty of options. As defenders, we also have options for detection on the network. If you aren’t familiar with ZeroLogon and need a quick overview then please check out our ZeroLogon Blog.

SAP ASE Information Leaks: CVE-2020-6295 and CVE-2020-6317

Today I'd like to discuss two information disclosure vulnerabilities that occur in SAP Adaptive Server Enterprise installation process. These days it’s quite common to discover sensitive information in application log files given the amount of data being processed and complexity of today’s products. Adaptive Server Enterprise is a quite complex product having multiple subsystems and some of them are involved in the vulnerabilities discussed below.

Evasive URLs in Spam

Cybercriminals are continuously evolving their tools, tactics, and techniques to evade spam detection systems. We recently observed some spam campaigns that heavily relied on URL obfuscation in email messages.

Hijacking a Domain Controller with Netlogon RPC (aka Zerologon: CVE-2020-1472)

On September 14th, researchers at security firm Secura published a white paper detailing a complete unauthenticated compromise of domain controllers by subverting the Netlogon cryptography. The vulnerability, dubbed “Zerologon” (CVE-2020-1472) is a privilege escalation bug with a CVSSv3 score of 10.0 and allows a remote attacker to establish a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC) and take over Windows Servers running as Domain Controllers.

ModSecurity, Regular Expressions and Disputed CVE-2020-15598

This blog post will discuss that tradeoff in the context of regular expressions in ModSecurity. It will cover an issue raised by a member of the community as a security issue (assigned CVE-2020-15598), which we disputed, and some tips for how to avoid the more problematic aspects of regular expressions in ModSecurity.

RATs and Spam: The Node.JS QRAT

The Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete control over a system.

SpiderLabs Capture the Flag 2020 Results

Capture The Flag (CTF) competitions are globally popular among both professionals and enthusiasts in information security. CTF competitions are often great fun, but they also play an invaluable role in improving the skills of security specialists. A tournament will usually take anywhere from a day to a couple of days and is conducted over the internet or face to face in the “olden times”. During that time teams try to solve as many security and hacking-related challenges as possible, each challenge is considered a “flag” and each flag is typically worth a range of points depending on the complexity of the challenge.

IBM Db2 Shared Memory Vulnerability (CVE-2020-4414)

I’ve recently blogged about a shared memory vulnerability in Cisco WebEx Meetings Client on Windows where any user can read memory dedicated to trace data. It turns out that this is a common problem. IBM Db2 is affected by the exact same type of problem. Developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. This allows any local users read and write access to that memory area.

From SSRF to Compromise: Case Study

SSRF is a neat bug because it jumps trust boundaries. You go from being the user of a web application to someone on the inside, someone who can reach out and touch things on behalf of the vulnerable server. Exploiting SSRF beyond a proof-of-concept callback is often tricky because the impact is largely dependent on the environment you’re making that internal request in.

vBulletin Remote Code Execution (CVE-2020-7373)

Last week, security researcher Amir Etemadieh (aka Zenoflex) disclosed that vBulletin’s patch for CVE-2019-16759 (an unauthenticated remote code execution vulnerability) was incomplete. That CVE was exploited in the wild, for example, the Comodo Forums that exposed the data of 245,000 Users or the botnet activity targeting vulnerable vBulletin sites. This new vulnerability was given the identifier CVE-2020-7373.

GoldenSpy Chapter 5 : Multiple GoldenSpy Uninstaller Variants Discovered

Trustwave identified a significant malicious campaign on mandatory tax invoice software, which is required to conduct business in China. The campaign, we dubbed GoldenSpy, is an embedded backdoor in the software package, which allows full remote command and control of the victim’s system via arbitrary code execution.

Playdate with Bots: Microsoft SQL Honeypots

A good way to keep an eye on attackers and get insight on their techniques and tactics is to use a honeypot.  A honeypot is a purposefully vulnerable system with fake data that you actually want attackers to breach. This gives you a bit of a safe sandbox where you can monitor the attacker's activity. Today I want to discuss how to set up a Microsoft SQL honeypot for the purpose of luring automated bots.

Patch Tuesday, August 2020

August's Patch Tuesday is here with 120 CVEs patched. That includes 100 rated as "Important" and 20 rated as "Critical". The bulk of the "Critical" list is made up of various media libraries and codecs where a Remote Code Execution vulnerability can be exploited simply by opening or playing a maliciously generated image, video, or sound file.

Microsoft Teams Updater Living off the Land

During this global pandemic COVID-19 situation, there has been an increasing trend of video conferencing solutions, Trustwave SpiderLabs are exercising extra vigilance in monitoring the video conferencing traffics.

Stay Connected


Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.

Trending Topics