Last Week in Security - 2025-02-06


Last Week in Security is a summary of the interesting cybersecurity news, techniques, tools, and exploits from the past week. This post covers 2025-01-27 to 2025-02-03.

News

  • Wiz Research Uncovers Exposed DeepSeek Database Leaking Sensitive Information, Including Chat History - Wiz Research discovered an unsecured ClickHouse database owned by DeepSeek, a prominent AI startup, exposing over a million log entries containing sensitive data such as user chat histories, API keys, and backend details. The database, accessible without authentication, allowed full control via arbitrary SQL queries, posing severe risks of data breaches or system manipulation. DeepSeek promptly secured the database after disclosure. The incident highlights critical infrastructure security gaps in rapidly evolving AI sectors, underscoring the need for robust safeguards alongside technological innovation.

  • Cracked and Nulled Marketplaces Disrupted in International Cyber Operation - A multinational law enforcement effort, led by the U.S. Department of Justice and supported by agencies from multiple countries, has taken down the cybercrime marketplaces Cracked and Nulled. These platforms were notorious for selling stolen credentials, hacking tools, and other illegal digital services. Authorities seized their infrastructure in a bid to disrupt cybercriminal activities and prevent further harm to victims.

  • Infrastructure Laundering: Blending in with the Cloud - A study reveals that hackers are abusing major cloud services like AWS and Azure for "infrastructure laundering," hiding malicious activity behind legitimate platforms. One case involves Funnull, a Chinese network using cloud providers to host phishing sites and fake trading apps, making detection and enforcement more challenging.

  • Exclusive: The 23-year-old who infiltrated a North Korean laptop farm - A 23-year-old cybersecurity researcher went undercover to expose a major cybercrime marketplace, gathering intelligence on its illegal activities, including stolen data sales and hacking tools. The investigation reveals the inner workings of cybercriminal networks and highlights the risks of covert cyber operations.

  • Almost one in 10 people use the same four-digit PIN - A recent analysis reveals that nearly 10% of individuals use "1234" as their four-digit PIN, making it the most common choice by a significant margin. This widespread usage of easily guessable PINs poses substantial security risks, as such simple combinations are more susceptible to unauthorized access. The findings underscore the importance of selecting more complex and unique PINs to enhance personal security.

  • A Tumultuous Week for Federal Cybersecurity Efforts - In a tumultuous week for U.S. federal cybersecurity under Trump's renewed administration, key actions included dismissing the bipartisan Cyber Safety Review Board mid-investigation into Chinese telecom hacks, reversing Biden-era AI safety regulations, and pushing crypto initiatives that align with Trump’s personal investments in volatile memecoins like $TRUMP. New DHS Director Kristi Noem criticized CISA’s focus, advocating a narrowed mission, while executive orders pardoned Jan. 6 convicts and curtailed disinformation oversight, stoking fears of weakened cyber defenses and politically motivated regulatory shifts. Trump also fired multiple inspectors general, risking accountability, though Biden’s last-minute critical infrastructure security order remained intact. Experts warned these moves prioritize ideology over systemic cybersecurity needs, leaving vulnerabilities unaddressed.

  • The Fake IT Worker Triangle: Pyongyang, Moscow, and Beijing - North Korea is deploying IT workers to Russia and China, where they pose as non-North Korean nationals to secure employment with Western tech companies. Operating remotely, these workers conceal their true identities and funnel earnings back to Pyongyang, circumventing international sanctions. This strategy not only generates revenue for North Korea's regime but also provides potential access to sensitive information within Western firms. The collaboration between Pyongyang, Moscow, and Beijing in facilitating these operations raises significant cybersecurity and geopolitical concerns.

  • FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang - The FBI and Dutch police have disrupted a phishing gang called "Manipulaters" operating out of Pakistan. The gang's service, advertised as "Fully Un-Detectable," targeted victims worldwide, including Dutch citizens. The group primarily sold phishing kits and tools for cybercrime activities such as business email compromise schemes. Authorities seized servers and domains, and investigations are ongoing. Other cybercrime forums and services were also targeted in a multi-country operation.

Techniques and Write-ups

  • Abusing multicast poisoning for pre-authenticated Kerberos relay over HTTP with Responder and krbrelayx - This article discusses a technique discovered by James Forshaw that allows for Kerberos relaying over HTTP by exploiting local name resolution poisoning. The attack involves manipulating DNS responses to redirect Kerberos authentication requests to an attacker's machine. The article provides a detailed implementation using Responder and krbrelayx tools, highlighting the potential impact on privilege escalation in Active Directory environments. It also outlines the limitations and use cases of this attack vector, emphasizing the importance of mitigating local name resolution protocols like LLMNR to prevent such attacks.

  • Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware - The intrusion involving LockBit ransomware began with the download and execution of a Cobalt Strike beacon that impersonated a Windows Media Configuration Utility. The threat actor used Rclone for data exfiltration; after initial failed FTP attempts, they successfully exfiltrated data via FTP. They established persistent backdoors using several methods and deployed LockBit ransomware on the 11th day of the intrusion, for a Time to Ransomware of nearly 239 hours. Throughout the intrusion, the threat actor used tactics such as process injection, privilege escalation, and credential access.

  • Process Hollowing on Windows 11 24H2 - Process Hollowing, also known as RunPE, is a common process impersonation technique used to run a malicious executable under the guise of a benign process. However, on the latest Windows 11 24H2 release, this technique may not work due to changes in the Windows loader causing an error during loading. Solutions to this issue include using alternative techniques that store the implant as MEM_IMAGE instead of MEM_PRIVATE, or patching the NTDLL to bypass the check. Alternative techniques such as Process Doppelganging and Process Ghosting offer improvements in mapping the implant as MEM_IMAGE, making them potential replacements for classic RunPE.

  • CVE-2024-53704 Analysis - CVE-2024-53704 involves an authentication bypass in SonicWall appliances that allows a remote attacker to hijack SSLVPN sessions. This vulnerability, credited to Daan Keuper, Thijs Alkemade, and Khaled Nassar of Computest Security, is exploitable in the default SSLVPN configuration and bypasses multi-factor authentication. The attacker can manipulate session cookies to leak and hijack authenticated sessions, gaining access to the internal network. A PoC exploit demonstrates how an attacker can gain connectivity for lateral movement within the network. This activity may go undetected as user activity by the SSLVPN server, allowing sustained exploitation.

  • Next.js, cache, and chains: the stale elixir - The author conducted new research on Next.js, focusing on caching vulnerabilities, and their impact on bug bounty programs. By exploiting cache poisoning, the author was able to trigger denial of service attacks and stored cross-site scripting vulnerabilities. They found that the vulnerabilities were present in Next.js versions between 13.5.1 and 14.2.9, affecting non-dynamic server-side rendered routes. The Vercel team responded quickly by issuing a fix and security advisory. The author recommends caution when testing these vulnerabilities on sensitive platforms due to their potential impact on availability and confidentiality.

  • Active Directory Domain Services Elevation of Privilege Vulnerability (CVE-2025-21293) - During a customer engagement, security researcher BirkeP came across the "Network Configuration Operators" group in Active Directory, leading to the discovery of a privilege escalation vulnerability. By exploiting specific Registry keys and leveraging Performance Counters, he was able to execute code with SYSTEM privileges. Microsoft addressed this vulnerability in a January security update. Reflecting on this experience as a valuable learning opportunity, the researcher plans to further explore Windows internals for future investigations.

  • I Found a Game Exploit That Lets Hackers Take Over Your PC - The article discusses a security vulnerability in the online game Marvel Rivals that allows hackers to take over players' PCs through an exploit known as Remote Code Execution (RCE). The game lacks proper verification for its hotfix patching system and runs with admin privileges, making it susceptible to attacks. The author criticizes game developers for their lack of security awareness and emphasizes the importance of reporting vulnerabilities to ensure player safety.

  • Developing a Docker 1-Click RCE chain for fun - In this blog post, the author explores the potential of abusing Docker's API to achieve a 1-click Remote Code Execution (RCE) chain. By enabling a specific setting in Docker, users can become vulnerable to RCE attacks. The author details how to exploit the Docker API to create containers, escalate privileges, and execute commands on the host system, ultimately demonstrating a method for exploiting an exposed Docker API through a browser. The post concludes with a Dockerfile exploit that allows for mounting a container to the host and running commands by submitting a form on a website.

  • Windows Exploitation Tricks: Trapping Virtual Memory Access (2025 Update) - The Project Zero team at Google has released an update on Windows exploitation tricks, specifically focusing on trapping virtual memory access. The update highlights a new feature in Windows 11 24H2 that allows for exploiting vulnerabilities locally using the SMB file server. By changing the client port to one not in use, it is now possible to perform the exploit without needing administrator access. The feature is enabled by default, although it can be disabled through Group Policy.

  • Windows Bug Class: Accessing Trapped COM Objects with IDispatch - The Project Zero team at Google released an update on a Windows bug class involving trapped COM objects with IDispatch, highlighting the potential security risks associated with accessing certain objects across process and security boundaries. The blog post discusses scenarios where unsafe objects can be inadvertently shared, leading to privilege escalation or remote code execution. The post also delves into the potential for exploiting type libraries and registry settings to inject code into a Windows Protected Process, demonstrating the complexity and challenges in exploiting such vulnerabilities. While the research did not result in privilege escalation, it shed light on the intricacies of exploiting object-oriented remoting technologies for potential security implications.

  • SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack - The article discusses how to use SlackPirate to send the entire "Bee Movie" script to friends in Slack by utilizing stolen cookies to access a target organization's Slack instance. The author describes the process of accessing Slack's API through the Slack client via Chrome remote debugging and how changes in the API authentication process were identified and resolved. Updates to the SlackPirate script to include tokens in addition to cookies for programmatic access are also highlighted, along with changes to focus on finding credential material and targeting AWS and Azure data. Lastly, the article emphasizes the convenience of using dedicated clients like Slack for longer-lasting tokens and cookies.

  • Phishing for Refresh Tokens - The article discusses the use of phishing for refresh tokens in Microsoft 365 security. It describes a method to steal authorization codes and exchange them for access and refresh tokens. The process involves intercepting the authentication flow and using the stolen tokens to access different Microsoft resources. The article also mentions the development of a tool in Cloudflare Workers for this purpose and provides tips for detecting such attacks. Zolder, an applied security research organization, is mentioned as working on digital protection for future technologies.

  • Common OAuth Vulnerabilities - OAuth2 is a popular target for attackers due to its complexity and the potential for misconfigurations. Doyensec's Blog provides a comprehensive guide on known attacks against OAuth implementations, including common flows like Implicit Flow, Authorization Code Flow, and Client Credentials Flow. They also highlight vulnerabilities such as CSRF attacks, Scope Upgrade attacks, and Redirect Scheme Hijacking. The post includes recommended remediation strategies for these vulnerabilities and a comprehensive OAuth Security Cheat Sheet for developers and testers.

  • Linux hacking part 4: Measuring cache hit and cache miss times in Linux - In this post, the author discusses the importance of measuring cache hit and cache miss times in Linux for performance optimization and security research. The difference between cache hits and cache misses can significantly impact the speed of execution. The post includes a practical example in C code that demonstrates measuring the access time for cached and non-cached memory locations. This technique is also used in side-channel attacks to infer sensitive data. The post concludes with a reminder that the information is for educational purposes only.

  • Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated… - Team82's investigation into the CONTEC CMS8000 patient monitors found that the alert from CISA and FDA about a Chinese backdoor was actually an insecure design issue, not a hidden backdoor. The hardcoded IP address in the device's firmware is used for firmware updates as instructed in the manual, but poses a security risk as it connects to a public IP address. Team82 demonstrated a proof-of-concept attack at the Claroty Nexus Conference, showing how malicious code could be executed on the patient monitor. It is recommended to block access to the subnet, apply network segmentation, or replace the monitors with more secure devices to prevent potential vulnerabilities.

  • Mali-cious Intent: Exploiting GPU Vulnerabilities (CVE-2022-22706 / CVE-2021-39793) - The article discusses the exploitation of GPU vulnerabilities (CVE-2022-22706 / CVE-2021-39793) found in Mali GPUs, commonly used in Android devices, allowing unprivileged apps to gain root access. The vulnerabilities involve flaws in the Mali GPU kernel driver, specifically in the GPU write permissions check. By exploiting these vulnerabilities, attackers can manipulate memory, inject malicious code into privileged processes, and ultimately gain root access. The exploit involves steps such as bypassing SELinux enforcement, loading malicious kernel modules, and establishing a root reverse shell, showcasing the potential for full system compromise. Users are advised to update their devices to protect against these vulnerabilities.

  • 0x08 - Modern Windows Kernel Race Conditions - The article discusses exploiting race conditions in the modern Windows kernel, transitioning from Windows 7 (x86) to Windows 11 (x64). It explains the vulnerable handler and structures used, focusing on the Double Fetch vulnerability. A proof of concept is provided for crafting an exploit and gaining code execution. The process involves triggering a buffer overflow and crafting a ROP chain to bypass memory protections. The article also highlights the challenges faced in finding suitable gadgets for the exploit and the strategy of jumping forward in the ROP chain.

  • Banshee Rust Rewrite? - Recently, a new infostealer written in Rust was identified on VirusTotal, exhibiting similar behaviors and targets as the leaked Objective-C code for the "Banshee" infostealer. The Rust-based application transmits captured files to localhost, suggesting it may still be in the testing or development phase. Analysis of this Rust-based infostealer compared to the leaked Banshee code provides insights into reverse-engineering Rust malware. The behavior of this potential new stealer, named Purrglar, focuses on capturing Chrome and Exodus wallet-related files, utilizing Security Framework APIs to query the macOS Keychain. This discovery highlights the importance of continuous monitoring and vigilance as macOS malware evolves.

  • The Tainted Voyage: Uncovering Voyager's Vulnerabilities - SonarQube Cloud's code analysis identified critical vulnerabilities in the Voyager project, including an arbitrary file write vulnerability that could lead to remote code execution. Despite efforts to reach out to project maintainers, the vulnerabilities remain unfixed. By leveraging SonarQube Cloud's advanced code analysis capabilities, organizations can proactively identify and address security vulnerabilities before they reach production. Users are advised to be cautious when using the Voyager project and to stay informed about security risks.

  • xWorm Extractor - Extracting Configs Without a Sandbox - The xWorm Extractor tool allows for the extraction of configuration details from the xWorm malware binary without needing to run it, enabling analysis and detection of its variants. The tool was developed in Python to assist in malware triage and can identify hardcoded strings and configurations within the binary. By decrypting obfuscated strings and identifying key configurations such as the C2, port, and persistence settings, researchers can gather valuable information about the malware without the need for a sandbox. The tool also includes logic to detect defensive bypasses, Telegram bot configurations, keyloggers, and other settings within the malware.

  • OneDrive Offline Mode (Recallish vibes) - In April 2024, Microsoft announced a new feature called Offline Mode for OneDrive for Business, allowing users to access files without an internet connection. The feature saves file metadata locally, but concerns have been raised about the lack of encryption and potential security risks. A tool has been developed to exfiltrate data from OneDrive Business, leading to discussions about the implications for privacy and data security. The community is debating the significance of these issues and whether action needs to be taken.

  • Diamond Ticket Attack: Abusing Kerberos Trust - The Diamond Ticket attack is a sophisticated method of exploiting Active Directory by manipulating Kerberos tickets to gain unauthorized access or escalate privileges. Attackers can forge or modify Privilege Attribute Certificates (PACs) within tickets to impersonate privileged users. By decrypting and re-encrypting Ticket Granting Tickets (TGTs) with the KRBTGT AES hash, attackers can bypass normal access controls and gain elevated privileges. Detection and mitigation strategies, including monitoring for key event IDs and rotating the KRBTGT account password regularly, can help protect against such attacks. The attack highlights the importance of securing Kerberos authentication in AD environments to prevent advanced threats.

  • Recent Jailbreaks Demonstrate Emerging Threat to DeepSeek - Unit 42 researchers have identified emerging threats to the DeepSeek AI models through jailbreaking techniques like Bad Likert Judge, Crescendo, and Deceptive Delight. These techniques were successful in bypassing DeepSeek's safety mechanisms and elicited harmful outputs like data exfiltration tools, phishing email templates, and instructions for creating dangerous items. These jailbreaking methods raise security concerns as they can potentially be exploited by malicious actors. Organizations can mitigate these risks by implementing security measures and monitoring the use of AI models. Palo Alto Networks offers solutions to address these threats.

  • Time Bandit ChatGPT jailbreak bypasses safeguards on sensitive topics - The Time Bandit ChatGPT jailbreak flaw bypasses safeguards on sensitive topics in OpenAI's ChatGPT model, allowing detailed instructions on dangerous topics. Meanwhile, 7-Zip vulnerability is being exploited in zero-day attacks in Ukraine, Netgear warns users to patch critical WiFi router vulnerabilities, and GrubHub data breach affects customers, drivers, and merchants. Additionally, the first Apple-notarized porn app is available in Europe, while Zyxel won't patch exploited flaws in end-of-life routers. Crypto-stealing apps are found in the Apple App Store, and cyber agencies share security guidance for network edge devices. This content also includes guides on virus removal, using the Tor Browser, Windows Registry Editor, enabling Kernel-mode Hardware-enforced Stack Protection in Windows 11, and more.

  • CVE-2024-46506: Unauthenticated RCE in NetAlertx - CVE-2024-46506 is an unauthenticated Remote Code Execution (RCE) vulnerability found in NetAlertX, an open-source LAN intrusion detection tool. This vulnerability allowed attackers to execute commands on the server without authentication, potentially compromising the LAN. Rhino Security Labs discovered and communicated the issue to NetAlertX, who promptly released patches to fix the vulnerability. This incident highlights the importance of regular security audits and prompt patching to protect against potential exploits.

  • AD Recon: Kerberos Username Bruteforce - This article explores the use of a Kerberos pre-authentication brute-force attack in Active Directory environments to obtain valid usernames and crack passwords. It details the steps of the Kerberos authentication process and explains how attackers exploit server responses to enumerate usernames and perform password cracking. Various tools like Kerbrute, Impacket, Rubeus, and Metasploit are discussed for extracting credentials. Organizations are advised to monitor event logs, enforce pre-authentication, implement strong password policies, monitor for anomalous behavior, use account lockout policies, and limit service accounts with SPNs to mitigate these risks.

  • CVE-2024-46507: Yeti Platform Server-Side Template Injection (SSTI) - CVE-2024-46507 is a Server-Side Template Injection (SSTI) vulnerability in the Yeti Platform, which could lead to unauthenticated remote code execution. The vulnerability was found in the codebase of Yeti, a Forensic Intelligence platform used by threat intelligence and DFIR teams. Additionally, CVE-2024-46508 was also discovered, which involved the use of a static insecure JWT secret in the application deployment process, allowing attackers to generate valid tokens and bypass authentication. Rhino Security Labs worked with the Yeti team to remediate these vulnerabilities and has provided a proof-of-concept exploit on their GitHub repository.

  • The Key to COMpromise - Abusing a TOCTOU race to gain SYSTEM, Part 2 - In Part 2 of the blog series "The Key to COMpromise - Abusing a TOCTOU race to gain SYSTEM," the author explores how COM hijacking can be used to exploit security products by gaining elevated privileges. The author discusses how an allow-listing mechanism initially disrupted their COM hijacking attempts, but they were able to bypass it by placing the DLL in a writable system directory. By reverse engineering the product's RPC calls, they were able to disable self-protection and trigger the update mechanism, ultimately escalating privileges to SYSTEM. The author also describes how they used a combination of junctions and OpLocks to bypass signature checks and load an unsigned DLL, further achieving privilege escalation.

  • Credential Dumping: AD User Comment - This article explores tools and techniques for enumerating Active Directory (AD) user passwords, which can help attackers gain unauthorized access within an organization. Vulnerabilities in AD and related services can lead to exposure of password-related information, increasing the risk of unauthorized access. Best practices to mitigate this risk include using strong encryption, limiting access to password attributes, auditing AD permissions, applying security patches, and monitoring for privilege escalation. The article also provides a detailed guide on how attackers can exploit these vulnerabilities and obtain sensitive information from an AD environment.

  • How-To: Linux Process Injection - In this blog post from GreyNoise Labs, the author explores the process of injecting code into a process on Linux. They share their journey of experimenting with process injection and developing a tool to load a shared library file into another process's memory space. The author also discusses the motivations behind process injection, its applications in malware, cheating in games, and reverse engineering. The post details the process of debugging a remote process, reading memory, and running arbitrary code using a trampoline method, ultimately demonstrating how to load a shared library into a target process.

  • Multiple vulnerabilities on iTop - Multiple vulnerabilities have been identified in iTop, an application used for ticketing purposes and device management. These vulnerabilities allow for SSRF through arbitrary PHP class instantiation, leak technical information, and perform user enumeration. These vulnerabilities have been acknowledged by iTop and advisories have been released. Exploiting these vulnerabilities could allow an attacker to perform HTTP requests on behalf of the server and leak information about the running environment of iTop. Additionally, unauthenticated users could perform user enumeration, making it easier to brute force a valid account.

  • Endless Exploits: The Saga of a macOS Vulnerability Struck Nine Times - The blog post discusses the discovery and exploitation of a macOS vulnerability in the PackageKit framework that allowed for escalating privileges, bypassing system protections, and circumventing controls. The author found and exploited multiple variants of the vulnerability, leading Apple to release 9 patches to address the issue. The post also includes details on the exploitation process, patches released by Apple, and a variant vulnerability that allowed for root privilege escalation when installing third-party software packages. The author highlights the need for Apple to improve their checks on destination paths during installations to prevent similar vulnerabilities in the future.

  • CRLF injection via TryAddWithoutValidation in .NET - The article discusses CRLF injection vulnerabilities in the RestSharp and Refit .NET libraries, which were awarded two CVEs. The vulnerabilities were discovered through research on the TryAddWithoutValidation method in .NET, which is susceptible to CRLF injection. The author outlines the process of identifying vulnerable APIs in the libraries and demonstrates the impact with command line applications. The vulnerabilities were reported to the libraries, fixed, and assigned CVEs, although real-world exploitation cases were not found. The author recommends checking .NET codebases for vulnerabilities and emphasizes the importance of proper validation to prevent CRLF injections.

  • Get FortiRekt, I Am The Super_Admin Now - Fortinet FortiOS Authentication Bypass CVE-2024-55591 - A critical Authentication Bypass affecting Fortinet's flagship SSLVPN appliance, the FortiGate, allows attackers to add a new administrative account. The vulnerability resides in a GUI feature to execute CLI commands inside FortiOS’s management interface, granting super-admin privileges. The exploit involves manipulating the authentication process through WebSocket connections, allowing unauthorized access to the CLI. A chain of issues combined into one critical vulnerability replicates CVE-2024-55591, prompting users to patch and follow Fortinet's PSIRT recommendations. Arctic Wolf detected the vulnerability being exploited in the wild, leading to the publication of a detection script to identify vulnerable instances for immediate action.

  • CVE-2024-49138 Windows CLFS heap-based buffer overflow analysis – Part 1 - The article discusses the analysis of CVE-2024-49138, a Windows CLFS heap-based buffer overflow vulnerability detected by CrowdStrike as being exploited in the wild. The vulnerability is located in clfs.sys and allows for arbitrary read/write access in ring 0 on Windows 11 23H2 machines. The article provides detailed technical analysis, a proof of concept exploit, limitations, improvements, and the effects of the patch applied by Microsoft. It also includes information on the Common Log File System, data structures, and APIs involved. Additionally, it offers recommendations for fortifying security measures against such vulnerabilities.

Threat Intel and Defense

  • Tracking a Malicious Blogspot Redirection Campaign to ApateWeb - The article discusses tracking a malicious Blogspot redirection campaign to ApateWeb, focusing on investigating and analyzing the different techniques and tactics used by the attackers. The investigation involves dissecting a Windows phishing site, identifying malicious code, and exploring additional IOCs related to the campaign. The article also highlights the importance of collecting redirect targets and identifying additional TTPs used by the attackers. Tools and techniques for conducting investigations are shared, and the article concludes with references and indicators for further research.

  • ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator - Google Threat Intelligence Group (GTIG) has been tracking the ScatterBrain obfuscator used by POISONPLUG.SHADOW, a backdoor utilized by specific China-nexus threat actors since 2022. In an effort to combat this sophisticated threat, GTIG developed a deobfuscation tool to unravel the intricate protection mechanisms implemented by ScatterBrain. The deobfuscator successfully restores the original control flow and import tables of protected binaries, providing valuable insights and practical tools for cybersecurity professionals. The tool can be used to deobfuscate and analyze highly obfuscated malware like POISONPLUG.SHADOW, strengthening defenses against advanced threat actors.

  • Linux Detection Engineering - A Continuation on Persistence Mechanisms - This article refines Linux detection engineering practices for persistence monitoring. It covers dynamic linker hijacking, kernel modules and extensions, web shells, and the abuse of default system users for SSH-based persistence. Each technique is explained in detail, with detection rules and instructions on how to simulate and detect these persistence mechanisms using PANIX, ES|QL, and OSQuery. The diverse range of persistence techniques showcased highlights the importance of robust defenses and tailored detection strategies for Linux systems.

  • Pushed Down the Rabbit Hole - Malicious adtech is being used on compromised websites to ensnare victims by pushing deceptive notifications to their devices. The adtech integration gives threat actors access to the victim's device and can lead to a cycle of malicious content being delivered to the user. This can result in fake virus alerts, scams, and fake apps being pushed to the victim. The ecosystem of adtech companies enabling this cybercrime is thriving, with scareware tactics being used to instill fear in users and convince them to purchase unnecessary security products or install fake apps.

  • One ClickFix and LummaStealer reCAPTCHA’s Our Attention - Part 1 - In 2024, RevEng.AI monitored LummaStealer being distributed through ClickFix, using fake reCAPTCHA pages to trick users into running malicious commands. The malware, focused on extracting sensitive data, continuously alters its code base to avoid detection. The analysis of a recent sample reveals a delivery chain involving fake reCAPTCHA pages, MSHTA execution, PowerShell scripts, and a .NET loader. By systematically decoding and analyzing each stage of the chain, analysts can understand the malware's behavior and ultimately reach the final objective. The next part of the series will explore how Lumma malware continues to be loaded within the chain.

  • No need to RSVP: a closer look at the Tria stealer campaign - The Tria stealer campaign targets Android users in Malaysia and Brunei by luring them with wedding invitations to install a malicious Android app named Tria Stealer. The campaign, likely operated by an Indonesian-speaking threat actor, collects SMS, call logs, messages, and email data, sending it to Telegram bots for exfiltration. The threat actor then exploits this data to hijack personal messaging accounts, request money transfers, and compromise accounts with other services. Kaspersky products detect this threat, which has been active since mid-2024 and continues to target victims in 2025. To protect against such threats, users are advised not to install apps from untrusted sources and to use reliable security solutions for mobile devices.

  • CL-STA-0048: An Espionage Operation Against High-Value Targets in South Asia - The Threat Research Center identified an espionage operation targeting high-value targets in South Asia, originating in China. The threat actors used rare techniques such as Hex Staging and exfiltration over DNS to steal sensitive data from government employees and organizations. The campaign exploited vulnerabilities in IIS, Apache Tomcat, and MSSQL servers, demonstrating a methodical approach to network penetration. Organizations are advised to patch vulnerabilities, improve IT hygiene, and remain vigilant against advanced persistent threats like CL-STA-0048. Palo Alto Networks products provide protection against the threats posed by this campaign.

  • ScatterBrain: Unmasking the Shadow of PoisonPlug's Obfuscator - Google's Threat Intelligence Group (GTIG) has been tracking the ScatterBrain obfuscator used by China-nexus threat actors since 2022. The obfuscator, employed in the POISONPLUG.SHADOW backdoor, presents complex challenges for defenders. This blog post details the thorough analysis and deobfuscation process undertaken to reveal the original control flow and restore functionality in deobfuscated binaries. The process involves tracking and adjusting memory references, resolving import locations, and applying relocations to reconstruct a functional output binary. The final results show the successful deobfuscation of protected binaries, providing valuable insights and tools for cybersecurity professionals to counter sophisticated threats like POISONPLUG.SHADOW.

  • X Phishing | Campaign Targeting High Profile Accounts Returns, Promoting Crypto Scams - An active phishing campaign is targeting high-profile X accounts to promote crypto scams. The campaign targets a variety of individuals and organizations, including politicians, journalists, and technology companies. The attackers use phishing emails and websites to steal credentials and post fraudulent cryptocurrency opportunities. The attackers are adaptable, with a clear financial motive, and are not limited to a single social platform. It is recommended to use unique passwords, enable two-factor authentication, and be cautious of suspicious messages. SentinelOne welcomes reports of similar suspicious activity.

Tools and Exploits

  • OCRMe - GitHub repository for the tool OCRMe, which is designed to exfiltrate OneDrive Business OCR Data. The tool requires enabling offline mode on OneDrive Business and running a binary from CMD with the full path to Microsoft.ListSync.db file. There are no releases or packages published for this tool.

  • BRC4-BOF-Artillery - The GitHub repository "BRC4-BOF-Artillery" contains open-source and custom-built BOF tools that have been ported to Brute Ratel C4 for cybersecurity debugging activities. The tools are designed to work out of the box and have been tested for execution, but any existing bugs in the original open-source projects are not addressed. The repository focuses on porting and execution without modifying the original source code for stability. The tools were originally created by the author for features like Cryptvortex, shadowclone, and contact-harvester.

  • Adaptix Framework - Adaptix Framework is a post-exploitation and adversarial emulation framework designed for penetration testers. It includes a server written in Golang and a GUI client written in C++/Qt that can be used across multiple operating systems. The framework supports encrypted communication, multiplayer architecture, and extensibility for adding new tools. Features include listeners and agents as plugins, task and job storage, file and process browsers, and an HTTP/S beacon listener.

  • CVE-2024-55591 - GitHub repository watchtowrlabs/fortios-auth-bypass-poc-CVE-2024-55591 contains a Proof of Concept for CVE-2024-55591, demonstrating an authentication bypass vulnerability in Fortinet FortiOS management interfaces. The script allows for unauthenticated execution of FortiOS CLI commands by exploiting a race condition through WebSocket connections. The vulnerability affects FortiOS versions 7.0.0 through 7.0.16 and FortiProxy versions 7.0.0 through 7.0.19 and 7.2.0 through 7.2.12. The script is not designed for FortiProxy devices, but the underlying technique may be applicable.

  • Ptrace Shellcode Injection Example - This GitHub repository demonstrates how to perform shellcode injection into a remote Linux process using Rust. It provides instructions on how to attach to a target process, allocate memory, write shellcode, and execute it by modifying the target process's registers. The project requires Rust, root privileges to execute the program, and includes an example shellcode to execute a system call. It also emphasizes the use of AI-powered tools to write better code, find vulnerabilities, and automate workflows.

  • deepseek-r1 - DeepSeek has developed first-generation reasoning models that perform comparably to OpenAI-o1, with the creation of six dense models distilled from DeepSeek-R1 based on Llama and Qwen. The team has shown that larger model reasoning patterns can be distilled into smaller models for improved performance. The models have been fine-tuned against commonly used dense models in the research community and have shown exceptional performance on various benchmarks. The model weights are under the MIT License, allowing for commercial use and modifications.

  • JS Snitch - JS Snitch is a command-line tool that scans remote JavaScript files using Trufflehog and Semgrep to detect leaked secrets, such as API keys and tokens. It automates the process of downloading and analyzing scripts from a target domain. The tool is designed for penetration testers, bug bounty hunters, and security engineers to quickly identify potential security vulnerabilities. JS Snitch accepts a single host or a list of hosts to scan, leverages Trufflehog and Semgrep for secret detection, and consolidates findings into a single report for easy analysis. The tool also allows for verification of detected secrets and provides detailed output files for further manual analysis.

  • Stuxnet - This GitHub repository contains a proof of concept WMI virus that is designed to be stored within the Windows Management Instrumentation (WMI) system and never touch the disk. The virus can extract itself from the WMI using PowerShell and contains a privilege escalation technique and other evasion methods to avoid detection by antivirus software. The author also mentions a potential security vulnerability in the WMI that could allow for accessing kernelspace and loading an unsigned device driver.

  • NtCreateUserProcessBOF - This GitHub repository contains an Aggressor script that leverages NtCreateUserProcess to execute binaries. The script has a simple usage where it points to a binary and executes it using NtCreateUserProcess. The repository does not have any releases or packages published.

  • BloodHound Viewer - BloodHoundViewer is an addon for BloodHound Community Edition that enhances its features, including query history navigation, automatic query saving, and improved layout controls. The extension can be downloaded or cloned from the GitHub repository and installed in Chrome. Users can navigate through their query history, open the Neo4j browser, and use simplified layout controls for graph layouts. Contributions to the project are welcome, and the addon is inspired by the history feature from Legacy BloodHound.

  • HashBreaker Hashcat Control Panel - The Hashbreaker project on GitHub is a modern, web-based GUI for Hashcat that allows for intuitive hash cracking operations with features like real-time monitoring, performance metrics, drag-and-drop functionality, and detailed reporting capabilities. The application is designed for educational purposes only, and users must ensure they have permission for password recovery activities. The interface includes options for hash type selection, hash input methods, workload profile selection, and live cracking status updates. Users can configure the application paths in an administration panel and contribute to the project through GitHub.

  • ExtensionHound - ExtensionHound is a security analysis tool designed to identify DNS queries made by browser extensions, allowing security teams to detect and investigate suspicious activities. The tool analyzes Chrome's internal network state, correlates DNS requests with specific extensions, and provides detailed analysis of network connections. Additionally, ExtensionHound offers optional integrations with services like VirusTotal and Secure Annex for domain reputation checking and extension details. Users can run scans, analyze specific Chrome profiles, and utilize YARA rules for advanced extension signature detection. Contributions to the tool are welcome.

  • HExHTTP - GitHub repository for the HExHTTP tool, which is designed to test HTTP headers for vulnerabilities and interesting behaviors. The tool can be installed using pip and run using various command line options to analyze headers, user agents, authentication, and behaviors. It includes features like scanning only one domain, scanning multiple domains with behavior feature, adding custom user agents and headers, and identifying vulnerabilities like cache poisoning and server errors. Future improvements include code linting, optimization, different output formats, and expanding testing capabilities. Contributions and pull requests are welcomed.

  • SLAP and FLOP - SLAP and FLOP are speculative execution attacks that target Apple CPUs, specifically the M2/A15 and M3/A17 generations, respectively. SLAP exploits the Load Address Predictor (LAP) to access out-of-bounds data under speculative execution, while FLOP uses the Load Value Predictor (LVP) to perform computations on incorrect data values. These attacks can lead to the leakage of sensitive information from web browsers like Safari and Chrome on Apple devices. Apple plans to release security updates to address these vulnerabilities, and users are advised to enable automatic updates for protection.

New to Me and Miscellaneous

This section is for news, techniques, write-ups, tools, and off-topic items that weren't released last week but are new to me. Perhaps you missed them too!

  • Announcing the Elastic Bounty Program for Behavior Rule Protections - Elastic has announced the Elastic Bounty Program for Behavior Rule Protections, inviting researchers to test their SIEM and EDR rules to identify vulnerabilities and areas for improvement. The program, which expands their existing bug bounty program, focuses on external validation of their rules to enhance detection capabilities and resilience against evolving threats. The scope includes testing for evasion techniques on Windows endpoints, with rewards based on the impact and complexity of submissions. Researchers are encouraged to contribute to the continuous improvement of Elastic's security rulesets and help defend against various threats.

  • Browser Syncjacking: How Any Browser Extension can Be Used to Takeover Your Device - A vulnerability called browser syncjacking has been discovered by the SquareX research team, which allows attackers to take over a user's device through a malicious browser extension. This attack is carried out in multiple stages, starting with the victim installing a seemingly harmless extension from the Chrome Store. Once installed, the attacker can gain control of the victim's browser and eventually their entire device, giving them access to sensitive data and the ability to execute malicious activities. SquareX has developed a Browser Detection and Response solution to help defend against these types of attacks by analyzing extension behavior and implementing advanced security measures.

  • BYOVD to the next level. Blind EDR with Windows Symbolic Link - The article introduces a new method of exploiting the BYOVD technique by using Windows symbolic links to exploit drivers with file-writing capabilities. This method elevates the BYOVD technique to a new level, allowing for the potential manipulation of more drivers. A practical example is demonstrated to remove Windows Defender on Windows 11 using this new technique. By leveraging the file-writing function of drivers and symbolic links, threat actors can blind EDR systems and evade detection by disabling security measures. The new attack method expands the number of drivers that can be exploited and reduces the reliance on finding vulnerable drivers not yet on Microsoft's blocklist.

  • Exploiting the Docker daemon from an XSS perspective - This page discusses various methods of exploiting different systems and platforms for malicious purposes, such as using XSS to target the Docker daemon, phishing attacks with Quick-Assist, gaining Discord bot tokens by scraping codesandbox.io, accessing on-premise assets by exploiting Azure Data Factory, and turning Microsoft accounts into a phishing platform. The content is powered by GitBook and provides information on these security vulnerabilities and potential threats.

  • Lifting Binaries, Part 0: Devirtualizing VMProtect and Themida: It's Just Flattening? - This blog post discusses the author's decision to use compiler techniques for reverse engineering purposes, focusing on devirtualizing VMProtect and Themida. The author started by creating a basic executable with VMProtect applied to it and analyzed the generated code blocks. They then explored different approaches, including using Triton and Unicorn Engine, before settling on using LLVM for devirtualization. The author encountered challenges such as memory tracking and value concretization but was able to optimize their lifter and achieve a significant speedup. The blog post concludes by mentioning the potential for creating a generic deobfuscator for commercial VM-based obfuscations.

  • CVSS is dead to us - The author expresses frustration with the Common Vulnerability Scoring System (CVSS) and its limitations in accurately assessing the severity of vulnerabilities in computing systems. They argue that CVSS is not well-suited for projects like curl, which are used in a wide variety of environments. The author criticizes the reliance on CVSS scores by security tools and organizations, highlighting the lack of expertise and understanding behind the scoring process. Despite these challenges, the curl project has chosen to set their own severity levels based on their knowledge of the codebase. The author advocates for a more nuanced approach to assessing security risks beyond the limitations of CVSS.

  • nt-load-order Part 1: WinDbg'ing our way into the Windows bootloader - In this two-part blog series, the author explores the Windows driver load order by using WinDbg to debug the Windows bootloader. The first part delves into the fundamentals of WinDbg, the Windows driver load order, and introduces the nt-load-order crate. The post covers the importance of understanding the Windows boot process, setting up a debugging environment with WinDbg and a virtual machine, and using WinDbg scripts and JavaScript to explore the boot loader's structures. The author shares insights on the Windows driver load order and provides tools and techniques for debugging the bootloader.

  • Stage, But Verify - The project focuses on building a stager shellcode that sends an authentication token to the server before executing the second stage payload. The staged payload retrieves the main payload over the network when executed. The project also covers downloading the stage payload, dynamically resolving functions, creating a sacrificial DLL, and executing the shellcode. The backend is implemented in Python to automate the process of generating the stager shellcode and setting up a web server for communication.

  • The Art of Linux Kernel Rootkits - The article discusses the intricacies of Linux kernel rootkits, including detection methods and hooking techniques. It delves into userland and kernel land rootkits, as well as modern hooking techniques like ftrace, kprobe, and eBPF. The importance of LKM rootkit detection and visibility is emphasized, along with techniques for making rootkits visible and completely useless. The power of eBPF in detecting rootkits is highlighted, and protection strategies against rootkit hunters are outlined. The article concludes with final considerations on the complexity of rootkit detection and mitigation. The inferi.club project aims to share information and knowledge in the field of computer science and information security.

  • dde-api-proxy: Authentication Bypass in Deepin D-Bus Proxy Service (CVE-2025-23222) - An authentication bypass issue was discovered in the Deepin D-Bus Proxy Service, allowing local users to escalate privileges. The issue was reported to Deepin security, but an incomplete bugfix was released. Possible bugfix approaches include dropping privileges, reimplementing authentication checks, or implementing legacy interfaces in affected services. Upstream released a bugfix that implemented redundant Polkit authorization checks, but it introduced a new security flaw due to deprecated code usage. MITRE assigned CVE-2025-23222 to track the issue. Possible workarounds include removing dde-api-proxy from the system.

  • Browser Extensions: The Infostealers Nobody is Watching Out For - Browser extensions have become a new avenue for cybercriminals to steal sensitive data such as credentials, personal information, and financial records. These extensions operate within web browsers and can capture various types of data without the need for downloads or malware. Traditional security tools are ineffective against extension-based threats, as they operate entirely within the browser and can mask their malicious intent. A case study at DEFCON32 demonstrated how malicious extensions can steal video feeds from platforms like Google Meet. SquareX Labs offers a Browser Detection and Response solution to combat extension-based infostealers, using advanced analysis techniques and a policy library to detect and prevent malicious behavior.

  • Debugging An Undebuggable App - The author discusses encountering an app that is difficult to debug due to various protections in place, such as blocking debuggers from attaching, crashing the phone if run with a jailbreak, and preventing code injection. They provide detailed explanations of how these protections work and how to circumvent them, including setting breakpoints to skip certain functions and creating frameworks to override certain methods. Ultimately, they are able to successfully debug the app and inject code to aid in their analysis.

  • Offensive CGO - An ELF Loader - The article discusses how the author developed an ELF loader using CGO in Go for their Offensive C2 framework. They address the challenges of using CGO and provide examples of calling C functions in Go, as well as cross-compiling for different platforms. The ELF loader allows for executing ELF binaries in memory, with a focus on security and red teaming activities. The author is still working on improving the output capture functionality of the loader.
