Our research team is committed to continuously identifying potential security vulnerabilities and techniques that threat actors may exploit to bypass existing security controls. In this blog post, our team is detailing on a comprehensive research specifically focused on process injection techniques utilized by attackers to deceive robust security products integrated into the security stack, such as EDRs and XDRs. Throughout the blog post, we will delve into various process injection techniques e
There are two Linux system calls for loading a kernel module - init_module and finit_module. By leveraging init_module, I bypassed a filesystem-based SELinux rule that prevented me from loading a kernel module through traditional means (e.g., insmod). I then disabled SELinux from kernel-space. Proof of concept code can be found on my GitHub.
A new vulnerability, which we refer to as “Migraine” for its involvement with macOS migration, could allow an attacker with root access to automatically bypass System Integrity Protection (SIP) in macOS and perform arbitrary operations on a device
On May 21, 2023, an online persona named spyboy began advertising an endpoint defense evasion tool for the Windows operating system via the Russian-language forum Ramp. The author claims that the software — seen in a demonstration video as being titled “Terminator” — can bypass twenty three (23) EDR and AV controls. At time of writing, spyboy is pricing the software from $300 USD (single bypass) to $3,000 USD (all-in-one bypass).
Endpoint Detection & Response systems (EDR),
delivered by in-house teams or as part of a managed
service, are a feature of modern intrusion detection
and remediation operations. This success is a problem
for attackers, and malicious actors have worked to
find new ways to evade EDR detection capabilities.
Shlayer malware bypasses Gatekeeper security protections on macOS to execute unauthorized software without requiring approval.
Cyble Global Sensor Intelligence detects exploitation attempts of CVE-2022-40684, and CRIL observes Fortinet Access distribution in cybercrime forums.
Windows ZIP extraction bug (CVE-2022-41049) lets attackers craft ZIP files, which evade warnings on attempts to execute packaged files, even if ZIP file was downloaded from the Internet.
There are many security solutions available today that rely on the Extended Berkeley Packet Filter (eBPF) features of the Linux kernel to monitor kernel functions. Such a paradigm shift in the latest monitoring technologies is being driven by a variety of reasons
Read how macOS vulnerability in Archive Utility could lead to the execution of an unsigned and unnotarized application without displaying security prompts.
Following the recent Twilio hack leading to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised in the Dark Web. On some sources the alternative name is Moloch, which has some connection to a phishing-kit developed by several notable underground actors who targeted the financial institutions and e-commerce sector before.
A new wave of phishing is currently circulating (a related story from derstandard.at newspaper can be found here). Documents are said to have been sent to you from a scanner, which you can allegedly download, as can be seen in the following image
