SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Patch Tuesday, December 2019

December's Patch Tuesday is upon us, and, as in years gone by, it's a rather light month. All told there are 35 CVEs patched, including six rated "Critical," 28 rated as "Important," and one rated "Moderate."

SCshell: Fileless Lateral Movement Using Service Manager

During red team engagements, lateral movement in a network is crucial. Because it is also a critical part of exploit chains, security solutions put a lot of effort into detecting this movement. Techniques such as remote WMI and PsExec are fairly well detected. In the case of WMI, WmiPrvSe.exe will be the parent process responsible for spawning the process, making detection a bit easier. PsExec, for its part, pushes a file to the remote system and registers a new service, so detecting the file and service creation may prevent the attack from succeeding.

Introducing Password Cracking Manager: CrackQ

Today we are releasing CrackQ, a queuing system to manage password cracking that I've been working on for about a year. It is primarily for offensive security teams during red teaming and pentesting engagements. It's an intuitive interface for Hashcat served by a REST API and a JavaScript front-end web application for ease of use.

Time Windows for Penetration Testing

Often when penetration tests are scheduled, it will be requested that testing occurs during off-peak hours, such as late evening to early morning. For example, requested hours for testing could be 7pm – 7am, or even 11pm – 6am.

CVE-2019-15652: SatLink VSAT Vulnerabilities

Back in May of this year, I discovered a few vulnerabilities in the SatLink 2000 VSAT modem, which affected other models as well. This VSAT modem was vulnerable to reflected cross-site scripting, and it only supported insecure protocols for management.

Fake Windows Update Spam Leads to Cyborg Ransomware and Its Builder

Recently, fake Microsoft Windows Update emails were spammed. The email, claiming to be from Microsoft, contains just one sentence in its email body which starts with two capital letters. It directs the recipient’s attention to the attachment as the “latest critical update”.

A Call for Cooler Heads

One of the unfortunate parts of a business like ours is when disputes arise from penetration testing engagements, as has happened in Dallas County, Iowa. As we do thousands of tests in a year globally, while rare, they do happen.

Double Loaded Zip File Delivers Nanocore

Most malware sent via emails is packaged in archives such as ZIP, RAR, and 7z (7-Zip). Occasionally, we encounter some clever and creative ways these malicious archives are crafted. Here we will examine an example of an oddly formatted ZIP archive hiding the NanoCore malware.

Windows Debugging & Exploiting Part 1 - Environment Setup

In this blog series, I will try to set some base knowledge for Windows system debugging & exploitation and present how to set up an environment for remote kernel debugging. This environment will be useful for learning Windows internals and indispensable for our future posts about its exploitation. For Windows internals, I really recommend the training from Pavel Yosifovich on Pluralsight that will expand your familiarity with the system if you are new to the topic.

Messing with Azorult Part 2: Command and Control

As we mentioned in our earlier blog, Azorult is very popular in underground hacking forums. Fairly easily, we were able to obtain and download the control panel and builder. We set up the control panel in our lab and redirected our sample bot's command and control traffic to our web server. The control panel is written entirely in PHP and uses MySQL as its database.

Messing with Azorult Part 1: Malware Breakdown

In this blog series, we dive into an information stealing Trojan called Azorult that we analysed during a recent Digital Forensics and Incident Response (DFIR) investigation. During our analysis, we also take a look at the bot’s control panel and its vulnerability.

Patch Tuesday, October 2019

Microsoft’s security update for the month of October is one of the lightest Patch Tuesdays of the year, with the release of only 60 CVEs. However, it still packs a punch with 9 “Critical” CVEs; the remaining 51 CVEs are rated as “Important”. The good news is that none of these CVEs have publicly available exploits or have yet been seen exploited in the wild. Additionally, there is no rollup patch for Adobe Flash, which is very uncommon. However, an out-of-band roll-out for Adobe Flash later this month shouldn’t be ruled out.

Chaining Low/Info Level Vulnerabilities for Pwnage

Early in my career, I got the fear put in me. The fear that a machine would take my job. The fear that I would be replaced by a piece of software. It’s been a serious source of motivation for me and one of the big reasons I was attracted to penetration testing: done well, it’s hard for a machine to replicate. One of the best examples of this is the chained-vulnerability

Documents with IRM Password Protection Lead to Remcos RAT

Documents attached to emails are commonly used as the initial vector to deliver malware into a system. To give an impression of security, attackers sometimes use document protection features and technology to hide their malicious code and behavior from email scanners.

Digital Canaries in a Coal Mine: Detecting Enumeration with DNS and AD

A fundamental part of any network is the Domain Name Service (DNS). Adversaries will likely want to enumerate computers in Active Directory and connect to them, and at some point in doing so they will likely interact with DNS. A simple example is attempting to access a remote share and the resulting DNS query.

Tracking the Chameleon Spam Campaign

In this blog, we draw attention to a persistent high-volume spam campaign that has been very prominent in our spam traps recently. The various campaigns emanate from the same spam botnet system and often resemble phishing messages, although they are typically not. The messages have randomized headers, and the templates often change, hence the moniker ‘Chameleon.’

Microsoft Internet Explorer Remote Code Execution 0-Day (CVE-2019-1367)

Microsoft released an out-of-band patch for a 0-day vulnerability in Internet Explorer yesterday. This memory corruption vulnerability in the Scripting Engine can lead to Remote Code Execution (RCE) and, as implied by the fact that it’s a 0-day, is being exploited in the wild.
