ON24 presenter mode requires you to install a plugin that is used to share your screen. For the macOS app (DesktopScreenShare.app), the plugin is started automatically once a user logs on.

Anyone who has ever read a vulnerability scan report will know that scanners often include a large number of findings they classify as "Info". Typically this is meant to convey general information about the target systems which does not pose any risk.

We're a little over halfway through the year now as July's Patch Tuesday is released and it's been a rough year so far for Microsoft. From the HAFNIUM zero-day campaign targeting Exchange back in March to the accidental zero-day release last month for PrintNightmare.

ModSecurity is an open-source WAF engine maintained by Trustwave. This blog post discusses an input interpretation bug in ModSecurity v3 related to URI fragments that was identified during a recent internal security review.

On, July 2nd, a massive ransomware attack was launched against roughly 60 managed services providers (MSPs) by criminals associated with the REvil ransomware-as-a-service (RaaS) group. The attack leveraged the on-premises servers deployed by IT Management Software vendor Kaseya.

Sometimes when pen-testing a large network you come across a few exposed web hosts running out-of-the-box software. In this example, I found a small, yet interesting vulnerability within the SolarWinds Serv-U FTP Server. Although the initial vector requires authentication, a low privileged user is able to create a publicly accessible URL that triggers an XSS payload when visited.

The use of novel disk image files to encapsulate malware distributed via spam has been a theme that we have highlighted over the past couple of years. As anticipated, we have seen more disk image file formats being used, in addition to .ISO, .IMG, and .DAA which we blogged about.

On May 25th, 2021, VMWare released patches to address VMSA-2021-0010, a critical security advisory for VMWare vCenter Server addressing two vulnerabilities. One of them was a remote code execution (RCE) in the vSphere Client (CVE-2021-21985) that exists due to a lack of input validation in the Virtual SAN Health Check plug-in, which is enabled by default in the vCenter Server.

Summer is officially here and with it June's Patch Tuesday. This is a surprisingly light month with only 49 CVEs being patched and only five of those rated as "Critical". The list of "Critical" includes a Remote Code Execution (RCE) Microsoft's anti-malware software, Defender. It's always a double hit when the software meant to protect your system ends up being a threat that can cause compromise. In addition, you'll find RCEs in the MS Scripting Engine, SharePoint, and VP9 Video Extensions on that list. Most concerning is an RCE vulnerability in the MSHTML Platform (CVE-2021-33742). This CVE has been publicly disclosed and exploited in the wild in targeted campaigns.

In today's world, more and more devices are connected to the Internet for on-the-go connectivity. Huawei has a mobile broadband service that allows Internet connectivity via cellular networks by using a small USB dongle. The device itself – Huawei LTE USB Stick E3372 – looks like a USB thumb drive and comes with software to install on macOS called HiLink.

Until recently, I really didn't care about web applications on an internal penetration test. Whether it was as an entry point or target, I was not interested, since I typically had  far better targets and could compromise the networks anyway. However, the times have changed, internal environments are much more restricted, not many services are exposed, and applications are the main reason for the tests. This is not supposed to be a guide to analyze web applications, but some thoughts regarding web apps during internal pentests.

In the May 2021 Microsoft update, Microsoft patched an HTTP.sys vulnerability that has the ability to become a wormable remote code execution exploit.  This vulnerability is being tracked as CVE-2021-31166.  A proof of concept quickly emerged showing a denial of service attack and while this isn’t an RCE exploit it can be developed to disrupt Windows-based web servers.

This story started during one of my recent assessments when I was assigned for a test of an on-premise internal Sharepoint 2016 site. Initial enumeration showed that the target runs Sharepoint version 16.0.0.4681. I assumed this based on the response header MicrosoftSharePointTeamServices returned by the application (and you can estimate that version was released somewhere in April 2018).  At that point, I started looking for publicly known exploits and research papers. Last year brought some publicly known exploits for Sharepoint.

May's Patch Tuesday is upon us and probably the most surprising thing about the release is that somehow it's already May. Otherwise, this is a pretty light release of "only" 55 CVE compared to the recent months of zero-day campaigns and mass patches. With only three CVEs rated "Critical", 50 rated "Important", and two "Moderate", this release contains just a little over half the number of CVEs patched in previous releases this year.

In this post, we analyze a piece of malware that we encountered during a recent breach investigation. What caught our attention was how the malware achieved persistence, how it used ICMP tunneling for its backdoor communications, and how it operated with different modes to increase its chances of a successful attack.

The following blog post does not include any novel attack vectors. On the contrary, it serves as a humble reminder that the same software bugs discovered more than a decade ago are also found in commercial software products in 2021. It also highlights once more the necessity of conducting security assessments on a regular basis.

April's Patch Tuesday is upon us and it is showering us with patches for a total of 108 CVEs. This includes 20 CVEs rated a "Critical", 87 rated as "Important", and one single CVE rated as "Moderate".

This blog investigates an interesting phishing campaign we encountered recently. In this campaign, the email subject pertains to a price revision followed by numbers. There is no email body but there is an attachment about an ”investment”.

Umbraco version 8.9.0 (also seen in 8.6.3) has a privilege escalation issue in the core administrative screens which allows a low privileged user to access various resources otherwise limited to higher privileged users.  The issue exists in an API endpoint that does not properly check the user’s authorization prior to returning results found in the application’s logging section.

From time to time, we all receive some unexpected messages. Either through social media or email. Usually, these are harmless, meant to advertise a product or a service. However, sometimes they can be malicious, with an intent to steal our data and eventually our money, this is a so-called “phishing” attack.