RatVermin Spyware Targets Ukraine Gov Agencies

Researchers have uncovered an ongoing spear-phishing campaign, targeting the Ukraine government and military with emails aiming to distribute the RatVermin malware, which carries out various info-gathering activities. Researchers said that an infrastructure analysis of the attack indicates that t...

Windows Zero-Day Emerges in Active Exploits

A just-patched vulnerability in the Windows operating system that was previously unknown up until last week is being actively exploited in the wild; it opens the door for full system takeover. Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw...

Spear Phishing Campaign Targets Ukraine Government and Military; Infrastructure Reveals Potential Link to So-Called Luhansk People's Republic

In early 2019, FireEye Threat Intelligence identified a spear phishing email targeting government entities in Ukraine. The spear phishing email included a malicious LNK file with PowerShell script to download the second-stage payload from the command and control C&C server. The email was received...

New zero-day vulnerability CVE-2019-0859 in win32k.sys

In March 2019, our automatic Exploit Prevention EP systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day vulnerability in win32k.sys. It was the fifth consecutive exploited Local Privilege...

CredsLeaker v3 - Tool to Display A Powershell Credentials Box

This script used to display a powershell credentials box asked the user for credentials. However, That was highly noticeable. Now it's time to utilize Windows Security popup! As before, The box cannot be closed only by killing the process will keeps checking the credentials against the DC. When...

Analysis of a targeted attack exploiting the WinRAR CVE-2018-20250 vulnerability

In early March, we discovered a cyberattack that used an exploit for CVE-2018-20250, an old WinRAR vulnerability disclosed just several weeks prior, and targeted organizations in the satellite and communications industry. A complex attack chain incorporating multiple code execution techniques...

PT-2019-1817 · Microsoft · Windows

Name of the Vulnerable Software and Affected Versions: Windows affected versions not specified Description: The issue is related to a component of the Windows operating system, specifically the Win32k component, which has insufficient access restrictions. This can be exploited by an attacker to...

PowerShellArsenal - A PowerShell Module Dedicated To Reverse Engineering

PowerShellArsenal is a PowerShell module used to aid a reverse engineer. The module can be used to disassemble managed and unmanaged code, perform .NET malware analysis, analyze/scrape memory, parse file formats and memory structures, obtain internal system information, etc. PowerShellArsenal is...

Commando VM — Turn Your Windows Computer Into A Hacking Machine

FireEye today released Commando VM, which according to the company, is a "first of its kind Windows-based security distribution for penetration testing and red teaming." When it comes to the best-operating systems for hackers, Kali Linux is always the first choice for penetration testers and...

WinPwn - Automation For Internal Windows Penetrationtest

In many past internal penetration tests I often had problems with the existing Powershell Recon / Exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large other offensi...

Lazarus Group Widens Tactics in Cryptocurrency Attacks

North Korea-linked APT Lazarus Group has been spotted targeting the cryptocurrency business again, adding Apple users to the mix by using PowerShell scripts to control macOS malware, and honing its Windows strategy. The campaign has been active since at least November 2018, according to an analys...

Thomson Reuters Concourse & Firm Central 2.13.0097 Directory Traversal / Local File Inclusion

Exploit for windows platform in category web applications ''' Exploit Title: Thomson Reuters Concourse & Firm Central 2.13.0097 - Directory Traversal & Local File Inclusion Exploit Author: 0v3rride Vendor Homepage: https://www.thomsonreuters.com/en.html Software Link: Firm Central...

Thomson Reuters Concourse Firm Central 2.13.0097 - Directory Traversal Local File Inclusion

Thomson Reuters Concourse Firm Central 2.13.0097 - Directory Traversal Local File Inclusion ''' Exploit Title: Thomson Reuters Concourse & Firm Central 2.13.0097 - Directory Traversal & Local File Inclusion Date: 02/13/2019 Exploit Author: 0v3rride Vendor Homepage:...

Real World Examples Demonstrating the Need for Mature Threat Hunting

A recent article discussed the keys to becoming a level 4 maturity threat hunting program. This article will bring these concepts into the real world by discussing examples of attacks that required that high level of threat hunting maturity to find them and defend against them. The case studies...

Cryptocurrency businesses still being targeted by Lazarus

It's hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection...

PostgreSQL COPY FROM PROGRAM Command Execution

Installations running Postgres 9.3 and above have functionality which allows for the superuser and users with 'pgexecuteserverprogram' to pipe to and from an external program using COPY. This allows arbitrary command execution as though you have console access. This module attempts to create a ne...

BMC Patrol Agent - Privilege Escalation Cmd Execution Exploit

This Metasploit module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means if the...

BMC Patrol Agent Privilege Escalation / Command Execution Exploit

This Metasploit module leverages the remote command execution feature provided by the BMC Patrol Agent software. It can also be used to escalate privileges on Windows hosts as the software runs as SYSTEM but only verifies that the password of the provided user is correct. This also means if the...

Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing

Introduction Malware authors attempt to evade detection by executing their payload without having to write the executable file on the disk. One of the most commonly seen techniques of this "fileless" execution is code injection. Rather than executing the malware directly, attackers inject the...

BMC Patrol Agent Privilege Escalation / Command Execution

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'zlib' class MetasploitModule Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Powershell @deflater = nil...