In this blog, we will use our lab set up on the first blog post and some techniques discussed in the second, so again, an excellent chance to put together some things we've learned from the last posts for some actual work.

Back in February, we reported on two Coronavirus-themed phishing emails. But just as the real virus spreads rapidly around the world, so too have the scams. Cyber criminals, proving beyond doubt they are completely devoid of morals, have ramped up their activities, unashamedly using all manner of Coronavirus lures to trick people. We are now seeing dozens of different email campaigns per day. Below are samples collected from our systems that some of what is currently out there.

In February, an Australian transportation company called Toll Group was hit by a ransomware attack that reportedly spread to over 1000 servers and caused major disruption for the company and its clients. Recently the same ransomware family was seen attached to phishing emails targeting people's fear of COVID-19, a trend we've also been seeing quite a bit of. We got a hold of a sample of the ransomware and decided to take a closer look to see what makes it tick.

We often talk about attackers targeting companies with social engineering attacks. These usually take the form of phishing attacks that attempt to trick the recipient into opening a malicious attachment or clicking on a malicious link. Less discussed are targeted attacks using physical media.

Last week Microsoft announced that there was a buffer overflow vulnerability in SMBv3 (CVE-2020-0796) as implemented in Windows 10 and Windows Server (versions 1903 and 1909). The CVE wasn't initially included in last week's Patch Tuesday, but after news of the vulnerability leaked, Microsoft was forced to release details and an "out of band" patch on Thursday, March 12th. All Windows administrators should check to see if they are vulnerable to this issue and patch as soon as possible where they are.

In the hustle and bustle of everyday work life we tend to look at the current issues we’re working to resolve, the next feature we want to develop, the next version release. We rarely take the time to look back and think about the work we’ve already done. On some rare occasions, however, something external makes you look back at them and it’s an opportunity to stop and appreciate what you’ve accomplished.

If you save wide Unicode brackets (i.e. ＜＞) into a char or varchar field, MSSQL Server will convert them into HTML brackets (i.e. <>). So, ＜img src=x onerror=alert('pxss')＞ will be converted to <img src=x onerror=alert('pxss')> compliments of the backend DB. This will likely help you sneak past server-side filters, WAFs, etc. and execute a persistent Cross-Site Scripting (PXSS) attack. As a bonus, .NET request validation will not detect it.

In light of the recent blog by my colleague Rodel Mendrez, we looked back at previous spam encountered over the past month which leverage Excel 4.0 macros and found some interesting samples. Both campaigns are using a fake invoice theme and both utilize Excel 4.0 macro to download malicious binaries.

Today marks Microsoft's March Patch Tuesday. While it may not be on the top of everyone's March priority list, 116 CVEs suggest that you don't ignore this Patch Tuesday.

A recent blog by Didier Steven’s showed how malicious Excel 4 macros can be stored in OOXML (Office Open XML) .xlsm – a macro specific file format. We found this very interesting because even though Microsoft long ago replaced Excel 4 macros with VBA (Visual Basic Application), Excel 4 macros still work and are still supported in the newer Excel 2017 XML format.

Hello again! We are back with more Windows internals and it's time to get real. We already covered how to set up an environment, WinDBG basics and discussed WinDBG Time Travel Debugging. In this part 4 of my blog series, I'll briefly describe an internal API that is widely used to leak kernel information for most of the Windows LPE (Local Privilege Escalation) exploits. We will talk about the function NTQuerySystemInformation.

The Remote Access Tool (RAT) is one of the malware types we often encounter with our Security Email Gateway (SEG). Late last year, we noticed spam campaigns leading to RATs via disk image files through attachment and link. More recently, we came across 2 RATs encrypted, packed, and hidden in PNG files - using disk image files again and redirectors as arrival vectors.

Credential phishing is one of the leading threats faced by organizations today. Threat actors use phishing emails to harvest corporate account credentials that they use to gain a foothold in an organization using ever-evolving and innovative techniques to evade detection.

Inevitably, and sadly, bad guys take advantage of such events using fear to trick victims into opening attachments or clicking links that they usually would not. Closely monitoring our systems, we found a couple of phishing examples that seek to take advantage of this event.

February's Patch Tuesday is here and brings with it patches for 98 CVEs. These are split between 13 CVEs rated as "Critical" and 85 CVEs rated as "Important." Among the "Critical" patches, Remote Code Execution (RCE) vulnerabilities in the Scripting Engine make up more than half of the list. It's a regular piece of software patched pretty much every Patch Tuesday.

Picture the scene - you’re on a penetration test, somehow you’ve got hold of a bunch of .NET assemblies for the application you’re assessing, be it a web application or thick client. On a thick client test, getting a hold of these files is somewhat trivial as they’re right there in front of you. On a web application test, however, things are not as easy - but it still is possible, depending on permissions and such. I won’t go into "the how-to" in order get these in this blog post, instead I will assume you’re sitting there, a cup of coffee in hand, staring at a bunch of .DLL files decompiled in something like dotPeek, ILSpy, etc.

2020 is not starting out quietly for Microsoft, it seems. After the first Patch Tuesday of 2020 addressing a vulnerability in CryptoAPI last week, Microsoft released an advisory for an Internet Explorer 0-Day, assigned CVE-2020-0674, scheduled to be fixed in the upcoming Patch Tuesday.

ModSecurity is an open-source WAF engine maintained by Trustwave. As a lively open-source project, we constantly work together with the community on reported bugs, feature requests, and other issues on the ModSecurity GitHub.

One of the most notable vulnerabilities patched during Microsoft's first Patch Tuesday of 2020 was a spoofing vulnerability in the Windows CryptoAPI. This has been issued CVE-2020-0601 and has also been referred to as the "Curveball" or "Chain of Fools" vulnerability.

The Citrix vulnerability (CVE-2019-19781) was first identified in December of 2019.  This vulnerability is a directory traversal attack that can lead to remote code execution.