SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Evasive URLs in Spam

Cybercriminals are continuously evolving their tools, tactics, and techniques to evade spam detection systems. We recently observed some spam campaigns that heavily relied on URL obfuscation in email messages.

Hijacking a Domain Controller with Netlogon RPC (aka Zerologon: CVE-2020-1472)

On September 14th, researchers at security firm Secura published a white paper detailing a complete unauthenticated compromise of domain controllers by subverting the Netlogon cryptography. The vulnerability, dubbed “Zerologon” (CVE-2020-1472), is a privilege escalation bug with a CVSSv3 score of 10.0. It allows a remote attacker to establish a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC) and take over Windows Servers running as Domain Controllers.

ModSecurity, Regular Expressions and Disputed CVE-2020-15598

This blog post will discuss that tradeoff in the context of regular expressions in ModSecurity. It will cover an issue raised by a member of the community as a security issue (assigned CVE-2020-15598), which we disputed, and some tips for how to avoid the more problematic aspects of regular expressions in ModSecurity.

RATs and Spam: The Node.JS QRAT

The Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete control over a system.

SpiderLabs Capture the Flag 2020 Results

Capture The Flag (CTF) competitions are globally popular among both professionals and enthusiasts in information security. CTF competitions are often great fun, but they also play an invaluable role in improving the skills of security specialists. A tournament will usually take anywhere from a day to a couple of days and is conducted over the internet or, in the “olden times”, face to face. During that time teams try to solve as many security and hacking-related challenges as possible. Each challenge is considered a “flag”, and each flag is typically worth a range of points depending on the complexity of the challenge.

IBM Db2 Shared Memory Vulnerability (CVE-2020-4414)

I’ve recently blogged about a shared memory vulnerability in Cisco WebEx Meetings Client on Windows where any user can read memory dedicated to trace data. It turns out that this is a common problem. IBM Db2 is affected by the exact same type of problem. Developers forgot to put explicit memory protections around the shared memory used by the Db2 trace facility. This allows any local user read and write access to that memory area.

From SSRF to Compromise: Case Study

SSRF is a neat bug because it jumps trust boundaries. You go from being the user of a web application to someone on the inside, someone who can reach out and touch things on behalf of the vulnerable server. Exploiting SSRF beyond a proof-of-concept callback is often tricky because the impact is largely dependent on the environment you’re making that internal request in.

vBulletin Remote Code Execution (CVE-2020-7373)

Last week, security researcher Amir Etemadieh (aka Zenoflex) disclosed that vBulletin’s patch for CVE-2019-16759 (an unauthenticated remote code execution vulnerability) was incomplete. That CVE was exploited in the wild, for example in the Comodo Forums breach that exposed the data of 245,000 users and in botnet activity targeting vulnerable vBulletin sites. This new vulnerability was given the identifier CVE-2020-7373.

GoldenSpy Chapter 5: Multiple GoldenSpy Uninstaller Variants Discovered

Trustwave identified a significant malicious campaign embedded in mandatory tax invoice software, which is required to conduct business in China. The campaign, which we dubbed GoldenSpy, consists of a backdoor embedded in the software package that allows full remote command and control of the victim’s system via arbitrary code execution.

Playdate with Bots: Microsoft SQL Honeypots

A good way to keep an eye on attackers and get insight into their techniques and tactics is to use a honeypot. A honeypot is a purposefully vulnerable system with fake data that you actually want attackers to breach. This gives you a bit of a safe sandbox where you can monitor the attacker's activity. Today I want to discuss how to set up a Microsoft SQL honeypot for the purpose of luring automated bots.

Patch Tuesday, August 2020

August's Patch Tuesday is here with 120 CVEs patched. That includes 100 rated as "Important" and 20 rated as "Critical". The bulk of the "Critical" list is made up of various media libraries and codecs where a Remote Code Execution vulnerability can be exploited simply by opening or playing a maliciously generated image, video, or sound file.

Microsoft Teams Updater Living off the Land

During the global COVID-19 pandemic, the use of video conferencing solutions has been steadily increasing, so Trustwave SpiderLabs is exercising extra vigilance in monitoring video conferencing traffic.

Are You Really Scanning What You Think?

In a previous post we explored the importance of scanning hostnames instead of IP addresses in order to avoid missing certain content and we also briefly touched upon the behavior of some common scanning tools.

Lockscreen Ransomware Phishing Leads To Google Play Card Scam

Email scammers always seem to invent new ways of trickery to gain cash from their victims. We recently came across a case where the scammer reused some existing scripts to phish and scam, copy-and-paste style. With a bit of modification, the script works like ransomware, without the hassle of having to compile a portable executable.

Patch Tuesday, July 2020

July's Patch Tuesday is here with another large list of CVEs. It includes 20 CVEs rated "Critical" while the other 103 are rated as "Important". The list of Critical CVEs includes a Remote Code Execution vulnerability in the Windows DNS Server (CVE-2020-1350).

Injecting Magecart into Magento Global Config

At the beginning of June 2020, we were contacted about a Magento website breach that caused a leak of credit card numbers. A thorough analysis of the website identified the webpage’s footer had malicious code added to it.

Hackers Leverage Cloud Platforms to Spread Phishing Under the Radar

A new detection has been added for Trustwave SWG (which is also part of the Blended Threat Module for select Trustwave SEG customers). The detection was specifically crafted to target this kit using Trustwave’s SWG dynamic analysis feature.

Still Scanning IP Addresses? You’re Doing it Wrong

The traditional approach to a vulnerability scan or penetration test is to find the IP addresses that you want tested, throw them in and kick things off. But doing a test based purely on IP addresses is a bad idea and can often miss things.
