notes, honeypot, and exploit demo for the xz backdoor (CVE-2024-3094) - amlweems/xzbot
esterday Andres Freund emailed oss-security@ informing the community of the discovery of a backdoor in xz/liblzma, which affected OpenSSH server (huge respect for noticing and investigating this). Andres' email is an amazing summary of the whole drama, so I'll skip that. While admittedly most juicy and interesting part is the obfuscated binary with the backdoor, the part that caught my attention – and what this blogpost is about – is the initial part in bash and the simple-but-clever obfuscation methods used there. Note that this isn't a full description of what the bash stages do, but rather a write down of how each stage is obfuscated and extracted.
Lass Security's recent research on AI Package Hallucinations extends the attack technique to GPT-3.5-Turbo, GPT-4, Gemini Pro (Bard), and Coral (Cohere).
Tycoon 2FA has become one of the most widespread adversary-in-The-Middle (AiTM) phishing kits over the last few months.
We unravel the details of two large-scale StrelaStealer campaigns from 2023 and 2024. This email credential stealer has a new variant delivered through zipped JScript.
#2024 #Campaign #EN #JScript #StrelaStealer #analysis #paloaltonetworks
Bishop Fox examines the iSoon data disclosure from an offensive security perspective and an analysis of the platform's capabilities, design, features.
Overview The SonicWall Capture Labs threat research team recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file […]
Learn about key concepts and different crypters-related activities as well as the lucrative ecosystem of malicious groups that exploit them.
Read this blog on the anatomy of an ALPHA SPIDER ransomware attack to better understand how they operate and how to better protect your business.
Learn about NoName057(16), a pro-Russian hacktivist group behind Project DDoSia targeting entities supporting Ukraine. Discover an overview of the changes made by the group, both from the perspective of the software shared by the group to generate DDoS attacks and the specifics of the evolution of the C2 servers. It also provides an overview of the country and sectors targeted by the group for 2024.
Discover the techniques, tactics (TTPs) used by Scattered Spider intrusion set, including social engineering and targeted phishing campaigns.
Data from a Chinese cybersecurity vendor that works for the Chinese government exposed a range of hacking tools and services.
In 2021, Ivanti patched a vulnerability that they called “code injection”. Rumors say it was a backdoor in an open source project. Let’s find out what actually happened!
Cyble analyzes the increasing incidences of vulnerabilities in Fortinet, highlighting the impact they have on Critical Infrastructure.
Evidence of a pre-existing exploit was rendered when the Huntress agent was added to an endpoint. Within minutes, and in part through the use of previously published threat intelligence, analysts were able to identify the issue and make recommendations to the customer to remediate the root cause.
Bitdefender researchers have discovered a new backdoor targeting Mac OS users.
In this excerpt of a Trend Micro Vulnerability Research Service vulnerability report, Lucas Miller and Dusan Stevanovic of the Trend Micro Research Team detail a recently patched remote code execution vulnerability in the Ivanti Avalanche enterprise mobility management program. Other Ivanti products
Analysis of ransomware gang leak site data reveals significant activity over 2023. As groups formed — or dissolved — and tactics changed, we synthesize our findings.
Arctic Wolf Labs has discovered, based on recent intrusion observations, a new Go-based malware loader named CherryLoader
