Last week, one of my SpiderLabs colleagues was working on a PCI forensic triage for a website. During his investigation, he asked me to check out some HTTP traffic he captured during an online retail store checkout session.

With today's Patch Tuesday for February, things are back to normal with patches for 76 CVEs and four advisories. Twenty of the CVEs are rated "Critical," 53 are rated "Important," and three are rated "Moderate."

In the first two parts of our investigative series into the cybercriminal underground, we examined its social structure as well as the types of jobs and opportunities that exist for those with ill intent. We have learned that the dark web’s ecosystem is vast and well-coordinated, with a low barrier to entry due to widely available hacking and malware distribution tools for those with limited technical knowledge. But a life of digital crime by its very nature leaves a long trail for investigators – so what happens once a cybercriminal succeeds in their nefarious schemes and turns a profit?

While working on various vulnerability research projects, I encountered multiple Authenticated Remote OS Command Injection vulnerabilities in four Lifesize products:

Sextortion scams were a hit campaign last year and are continuing in  2019 with a new trick – the inclusion of an archive attachment which contains a malicious JavaScript downloader as “proof”.

CVE-2018-15982 is the Flash 0day that was patched by Adobe at the beginning of December. At the time it was used by an APT group with the delivery mechanism being an Office document with the malicious Flash file residing inside, Qihoo360 published a good analysis of this attack...

When an attacker uses tools native to the operating system it is referred to as Living off the Land. Personally, I think it should be called Living off the LAN because it’s a techy play on the acronym for Local Area Network. This blog post will cover Living off the Land activity associated with Carbanak/FIN7 that Trustwave SpiderLabs encountered during a recent investigation. The post will include:

Patch Tuesday, January 2019

In 2018 we saw a rise in sextortion scams in which cyber-criminals notified their victims via email that they have hacked or infected the victim’s computer with malware. Or the perpetrators had procured evidence in the form of personal recordings of the victim performing sexual acts or having illegal files of sexual content on their computer. The scammers then threatened to publicly expose the victim unless a ransom demand is paid in cryptocurrency (bitcoin) within a given time.

Trustwave recently reported a Kernel based vulnerability in a driver bundled along with IBM Trusteer Rapport for MacOS. The vulnerability is a signedness bug leading to a Kernel stack memory corruption issue in a call to memcpy. IBM Trusteer Rapport is security software advertised as an additional layer of security to anti-virus software. It is designed to protect confidential data, such as account credentials, from being stolen by malicious software (malware) and via phishing.

About a year ago webminers began to appear on more and more website. It was popularized by CoinHive and a couple of high-profile scandals revolving around ThePirateBay and Showtime and, in the span of a year, it has evolved into the most common consequence a compromised site suffers- a webminer injection, or “cryptojacking”.

We all shop online. How many times, just before placing an online order, have you noticed the Coupon Code option and wondered – Could I get it cheaper if I had a coupon code? Most of us will drop the order to go and look for an available coupon code. Some will skip this thought and continue with the purchase, feeling a bit gullible. A hacker, on the other hand, will probably have other ideas in mind...

The last Patch Tuesday of 2018 is here and we are easing into the New Year with only 40 CVEs to address. Nine of these are rated "Critical" with the other 31 rated "Important". The "Critical" list includes the typical Internet Explorer and the scripting engine vulnerabilities, but also include Remote Code Execution (RCE) vulnerabilities in the .NET Framework and the Windows DNS server. Another RCE exists in the Microsoft Text-To-Speech feature in the Windows OS.

This blog post offers insight into Magecart and offers advice on how t protect your systems from this threat using a number of methods including ModSecurity WAF rules.

Scavenger confronts a challenging issue typically faced by Penetration Testing consultants during internal penetration tests; the issue of having too much access to too many systems with limited days for testing.

We are happy to announce ModSecurity version 2.9.3!

During Thanksgiving week, we noticed this quite unusual XML-format MS Office Document file Figure 1: Email Sample Saving a Word document file as XML is a legitimate option but criminals had taken advantage of this file format to circumvent malware...

Sometimes pentesters and security researchers need to modify existing Java application but have no access to its source. For example, it might be necessary to adjust the logic a bit to see how the application works in certain specific conditions....

Hacker's Wish Come True After Infecting Visitors of Make-A-Wish Website With Cryptojacking After coming back from a vacation, the first thing to do is catch up with what happened while you were gone. That is what I did earlier this...

Whilst there is a wealth of information out there about how to build environments that can be used for training, offensive tradecraft development and blue team response detection, a vital part of these environments is hard to emulate. A computer...