Loading...
Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Microsoft Internet Explorer Remote Code Execution 0-Day (CVE-2020-0674)

2020 is not starting out quietly for Microsoft, it seems. After the first Patch Tuesday of 2020 addressing a vulnerability in CryptoAPI last week, Microsoft released an advisory for an Internet Explorer 0-Day, assigned CVE-2020-0674, scheduled to be fixed in the upcoming Patch Tuesday.

ModSecurity Denial of Service Details - CVE-2019-19886

ModSecurity is an open-source WAF engine maintained by Trustwave. As a lively open-source project, we constantly work together with the community on reported bugs, feature requests, and other issues on the ModSecurity GitHub.

Windows CryptoAPI Spoofing Vulnerability - CVE-2020-0601

One of the most notable vulnerabilities patched during Microsoft's first Patch Tuesday of 2020 was a spoofing vulnerability in the Windows CryptoAPI. This has been issued CVE-2020-0601 and has also been referred to as the "Curveball" or "Chain of Fools" vulnerability.

Citrix ADC/Netscaler - CVE-2019-19781

The Citrix vulnerability (CVE-2019-19781) was first identified in December of 2019.  This vulnerability is a directory traversal attack that can lead to remote code execution.

ModSecurity v3.0.4 Released!

It is a pleasure to announce the release of ModSecurity version 3.0.4 (libModSecurity). This version contains a number of improvements in different areas. These include cleanups, better practices for improved code readability, resilience and overall performance and security fixes.

Patch Tuesday, January 2020

Happy 2020! Microsoft is helping you celebrate the new decade with patches for 49 CVEs. Of those CVEs, eight are rated as "Critical," and 41 are rated as "Important." Among the "Critical" CVEs are four Remote Code Execution (RCE) vulnerabilities in the .NET Framework, and three RCE vulnerabilities in Remote Desktop (two for the client and one for the gateway). Ever since BlueKeep, RDP has been getting a monthly going through with a fine-toothed comb and a magnifying glass.

Using the InterPlanetary File System For Offensive Operations

In this blog post, I intend to provide some insight into using the InterPlanetary File System for offensive purposes. I’ll cover what it is, why we may want to use it, some quick history, and walk through a few examples.

Leveraging Disk Imaging Tools to Deliver RATs

This year we observed a notable uptick in disc imaging software (like .ISO) being used as a container for serving malware via email, with .ISO archives attributing to 6% of all malware attachment archives seen this year.

Undressing the REvil

Recently, we got a chance to investigate a REvil Ransomware sample from one of our DFIR investigations. During analysis, we encountered a few stumbling blocks that made the investigation a little tricky, namely unpacking and string deobfuscation. In this blog, we will show how we manually unpacked the malware and then how we deobfuscated the strings used by the ransomware.

Anyone Can Check for Magecart with Just the Browser

In the past, there have been plenty of articles and blog posts recommending the use of Content Security Policy (CSP) and Sub Resource Integrity (SRI) to prevent the insidious skimming malware from taking hold of a website. However, what can a small business owner do if resources are limited and implementing these countermeasures is just not feasible? What can a normal everyday user do to check and see if their favorite shopping site is compromised? In this blog post, I will go over a few steps that don’t require any security training to perform.

Typosquatting in Python Repositories

Python's popularity is amazing and constantly growing. For the first time, Python has overtaken Java to take second place in GitHub general rankings. The more developers use that language in their projects, the more they enjoy the interest of cybercriminals using typosquatting tactics in library names. Thanks to Lukas Martini's recent finding,  two packages were removed from PyPi (Python Package Index) repository (perhaps the 'pip' command is more familiar to most of you).

Patch Tuesday, December 2019

December's Patch Tuesday is upon us, and, as in years gone by, it's a rather light month. All told there are 35 CVEs patched, including six rated "Critical," 28 rated as "Important," and one rated "Moderate."

SCshell: Fileless Lateral Movement Using Service Manager

During red team engagements, lateral movement in a network is crucial. In addition, as a critical part of exploit chains, security solutions put a lot of effort to detect this movement. Techniques such as remote WMI and PsExec are fairly well detected. In the case of WMI, WmiPrvSe.exe will be the parent process responsible for spawning the process, making the detection a bit easier. PsExec on its end will push a file on the remote system and register a new service. Detecting the file and service creation may prevent the attack from succeeding.

Introducing Password Cracking Manager: CrackQ

Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.

Time Windows for Penetration Testing

Often when penetration tests are scheduled, it will be requested that testing occurs during off-peak hours, such as late evening to early morning. For example, requested hours for testing could be 7pm – 7am, or even 11pm – 6am.

CVE-2019-15652: SatLink VSAT Vulnerabilities

Back in May of this year, I discovered a few vulnerabilities in the SatLink 2000 VSAT modem, which affected other models as well. This VSAT modem was vulnerable to reflected cross-site scripting, and it only supported insecure protocols for management.

Fake Windows Update Spam Leads to Cyborg Ransomware and Its Builder

Recently, fake Microsoft Windows Update emails were spammed. The email, claiming to be from Microsoft, contains just one sentence in its email body which starts with two capital letters. It directs the recipient’s attention to the attachment as the “latest critical update”.

Stay Connected


Subscribe

Sign up to receive the latest security news and trends from Trustwave.

No spam, unsubscribe at any time.


Trending Topics