#byovd — Public Fediverse posts

📢 Rétro-ingénierie de gdrv3.sys (Gigabyte) : 13 primitives d'accès matériel exploitables en BYOVD
📝 ## 🔍 Contexte

Article de recherche publié le 02 mai 2026 sur le blog personnel d'Aaron Haymore (zonifer.dev).
📖 cyberveille : https://cyberveille.ch/posts/2026-04-05-retro-ingenierie-de-gdrv3-sys-gigabyte-13-primitives-d-acces-materiel-exploitables-en-byovd/
🌐 source : https://zonifer.dev/posts/byovd-kernel-driver-hardware-primitives.html
#BYOVD #Gigabyte #Cyberveille

BYOVD-атаки на ядро Windows через драйверы: разбираю механику, воспроизвожу, строю защиту

Вы настроили Sysmon, у вас работает EDR, события летят в SIEM. Создаётся процесс, вы видите Event ID 1. Загружается DLL, Event ID 7. Всё под контролем. А теперь кто-то загружает в систему один .sys-файл. Обычный, подписанный, из прошлого века. И события пропадают. Не потому что Sysmon упал или EDR отключили. Они работают. Просто ядро Windows больше не считает нужным им что-то рассказывать. Я залез внутрь, чтобы понять, как это устроено. Поднял WinDbg, подключился к ядру, нашёл структуры, где хранятся callback'и мониторинга. Обнулил их, повторив технику руткита Lazarus. Sysmon на месте, PID живой, но лог пустой. Меня зовут Роман Мгоев, я специалист по анализу киберугроз в Альфа-Банке, в статье пройду этот путь целиком: начиная с архитектуры колец защиты Windows, byte-патчей в памяти ядра и разбора FudModule от Lazarus обеих версий, до свежих техник zerosalarium и разбора публичных тулкитов, а в конце поделюсь семью направлениями детектирования с готовыми правилами для SIEM. Отдельный блок — про аудит драйверов, которых ещё нет ни в одной базе.

https://habr.com/ru/companies/alfa/articles/1011302/

#BYOVD #EDR #Windows_kernel #Sysmon #SIEM #Lazarus #ransomware #reverse_engineering #SOC #detection_engineering

10 популярных техник обхода EDR

Алексей Баландин, Security Vision На сегодняшний день невозможно представить защиту конечных точек без системы EDR, которая, в отличие от устаревшего антивируса, основана в первую очередь на поведенческом анализе происходящих в системе событий. Потребность в этой системе резко возросла за последние 10 лет в связи с тем, что угрозы совершенствуются из года в год. Давно стало очевидно, что эффективно противостоять атакующим можно не столько за счет статического анализа кода, сигнатурного метода, сколько за счет изучения, анализа и блокировки их поведенческих паттернов, используемых тактик, техник и процедур. Этим и занимается класс продуктов EDR и активно развивается за счет постоянного пополнения базы знаний о новых методах атак. Обратной стороной медали является то, что атакующие не стоят на месте и разрабатывают все новые способы обхода и противодействия EDR. Далее рассмотрим техники обхода EDR, которые были наиболее популярны у атакующих за последние 5 лет.

https://habr.com/ru/companies/securityvison/articles/973172/

#edr #byovd #lolbas #обход_защиты #обход_антивируса

[Перевод] Техники обхода систем обнаружения: маскировка путей и BYOVD

Вакансии по пентесту всё чаще требуют не только понимания принципов работы ключевых СЗИ (WAF, EDR, NAC), но и практических навыков их обхода. То же самое касается EDR/AV. В реальных отчётах о кибератаках также регулярно упоминается, как злоумышленники обходят средства защиты и остаются незамеченными. Предлагаем рассмотреть пару приемов таких обходов и проверить, готовы ли ваши системы защиты к подобным вызовам.

https://habr.com/ru/companies/cloud4y/articles/962456/

#информационная_безопасность #edr #системы_защиты #мониторинг #маскировка_путей #byovd #символические_ссылки

State of ransomware in 2025 – Source: securelist.com https://ciso2ciso.com/state-of-ransomware-in-2025-source-securelist-com/ #rssfeedpostgeneratorecho #APT(Targetedattacks) #Crossplatformmalware #CyberSecurityNews #MalwareStatistics #Financialthreats #MicrosoftWindows #Targetedattacks #DataEncryption #securelistcom #Publications #ransomware #Lockbit #BYOVD #RaaS #APT #LLM #AI

An APT group exploited ESET flaw to execute malware – Source: securityaffairs.com https://ciso2ciso.com/an-apt-group-exploited-eset-flaw-to-execute-malware-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #hackingnews #ToddyCatAPT #Security #hacking #BYOVD #eset #APT

How ToddyCat tried to hide behind AV software – Source: securelist.com https://ciso2ciso.com/how-toddycat-tried-to-hide-behind-av-software-source-securelist-com/ #Vulnerabilitiesandexploits #AntivirusVulnerabilities #rssfeedpostgeneratorecho #zerodayvulnerabilities #APT(Targetedattacks) #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Defenseevasion #Windowsmalware #securelistcom #Encryption #Incidents #ToddyCat #Drivers #Malware #Trojan #BYOVD #APT #CVE #DLL

How ToddyCat tried to hide behind AV software – Source: securelist.com https://ciso2ciso.com/how-toddycat-tried-to-hide-behind-av-software-source-securelist-com/ #Vulnerabilitiesandexploits #AntivirusVulnerabilities #rssfeedpostgeneratorecho #zerodayvulnerabilities #APT(Targetedattacks) #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Defenseevasion #Windowsmalware #securelistcom #Encryption #Incidents #ToddyCat #Drivers #Malware #Trojan #BYOVD #APT #CVE #DLL

How ToddyCat tried to hide behind AV software – Source: securelist.com https://ciso2ciso.com/how-toddycat-tried-to-hide-behind-av-software-source-securelist-com/ #Vulnerabilitiesandexploits #AntivirusVulnerabilities #rssfeedpostgeneratorecho #zerodayvulnerabilities #APT(Targetedattacks) #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Defenseevasion #Windowsmalware #securelistcom #Encryption #Incidents #ToddyCat #Drivers #Malware #Trojan #BYOVD #APT #CVE #DLL

How ToddyCat tried to hide behind AV software – Source: securelist.com https://ciso2ciso.com/how-toddycat-tried-to-hide-behind-av-software-source-securelist-com/ #Vulnerabilitiesandexploits #AntivirusVulnerabilities #rssfeedpostgeneratorecho #zerodayvulnerabilities #APT(Targetedattacks) #MalwareDescriptions #MalwareTechnologies #CyberSecurityNews #Defenseevasion #Windowsmalware #securelistcom #Encryption #Incidents #ToddyCat #Drivers #Malware #Trojan #BYOVD #APT #CVE #DLL

Canon Printer Drivers Flaw Could Let Hackers Run Malicious Code – Source:hackread.com https://ciso2ciso.com/canon-printer-drivers-flaw-could-let-hackers-run-malicious-code-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #Microsoft #Hackread #security #Printer #BYOVD #Canon #IoT

Canon Printer Drivers Flaw Could Let Hackers Run Malicious Code https://hackread.com/canon-printer-drivers-flaw-hackers-run-malicious-code/ #Cybersecurity #Vulnerability #Microsoft #Security #Printer #BYOVD #Canon #IoT

Checkpoint ZoneAlarm Driver Flaw Exposes Users to Credential Theft – Source:hackread.com https://ciso2ciso.com/checkpoint-zonealarm-driver-flaw-exposes-users-to-credential-theft-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #Vulnerability #0CISO2CISO #CheckPoint #ZoneAlarm #Hackread #security #Windows #BYOVD

Checkpoint ZoneAlarm Driver Flaw Exposes Users to Credential Theft https://hackread.com/checkpoint-zonealarm-driver-flaw-user-credential-theft/ #Cybersecurity #Vulnerability #CheckPoint #ZoneAlarm #Security #Windows #BYOVD

#BYOVD Attack: Researchers found a flaw in Checkpoint’s ZoneAlarm antivirus driver that could let attackers bypass Windows security and steal data.

Read: https://hackread.com/checkpoint-zonealarm-driver-flaw-user-credential-theft/

#CyberSecurity #ZoneAlarm #Checkpoint #AntiVirus

Vulnerable Paragon Driver Exploited in Ransomware Attacks – Source: www.securityweek.com https://ciso2ciso.com/vulnerable-paragon-driver-exploited-in-ransomware-attacks-source-www-securityweek-com/ #rssfeedpostgeneratorecho #privilegeescalation #CyberSecurityNews #vulnerabilities #securityweekcom #securityweek #ransomware #driver #BYOVD

BYOVD Attacks in Paragon Partition Manager: Zero-Day Exploited Revealed - https://www.redpacketsecurity.com/byovd-attacks-exploit-zero-day-in-paragon-partition-manager/

#threatintel #BYOVD #ransomware #vulnerabilities

BYOVD Attacks Exploit Zero-Day in Paragon Partition Manager – Source: www.infosecurity-magazine.com https://ciso2ciso.com/byovd-attacks-exploit-zero-day-in-paragon-partition-manager-source-www-infosecurity-magazine-com/ #rssfeedpostgeneratorecho #InfoSecurityMagazine #InfosecurityMagazine #CyberSecurityNews #BYOVD

Vulnerable Paragon Driver Exploited in Ransomware Attacks https://www.securityweek.com/vulnerable-paragon-driver-exploited-in-ransomware-attacks/ #privilegeescalation #Vulnerabilities #ransomware #driver #BYOVD

Vulnerable Paragon Driver Exploited in Ransomware Attacks https://www.securityweek.com/vulnerable-paragon-driver-exploited-in-ransomware-attacks/ #privilegeescalation #Vulnerabilities #ransomware #driver #BYOVD

#BYOVD attacks are slowly becoming more common for threat actors to escalate privilege and kill security tools.
Make sure you're #ThreatHunting for new Vulnerable Drivers!
Win 11 now has a Vulnerable Driver Blocklist feature, however, it's only updated in major updates so you still need to monitor for recently discovered Vulnerable Drivers.

Recent Vuln Driver: https://www.bleepingcomputer.com/news/security/ransomware-gangs-exploit-paragon-partition-manager-bug-in-byovd-attacks/

Known Vuln Drivers: https://www.loldrivers.io/

Vuln Driver Blocklist: https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/design/microsoft-recommended-driver-block-rules

#IncidentResponse #ransomware #ThreatDetection

Ransomware gangs exploit a Paragon Partition Manager BioNTdrv.sys driver zero-day – Source: securityaffairs.com https://ciso2ciso.com/ransomware-gangs-exploit-a-paragon-partition-manager-biontdrv-sys-driver-zero-day-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #hackingnews #CyberCrime #Cybercrime #hacking #Malware #BYOVD

Malware campaign abused flawed Avast Anti-Rootkit driver – Source: securityaffairs.com https://ciso2ciso.com/malware-campaign-abused-flawed-avast-anti-rootkit-driver-source-securityaffairs-com/ #MalwarecampaignabusedflawedAvastAntiRootkitdriver #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #SecurityNews #hackingnews #CyberCrime #hacking #Malware #BYOVD

Advanced threat predictions for 2025 – Source: securelist.com https://ciso2ciso.com/advanced-threat-predictions-for-2025-source-securelist-com/ #Vulnerabilitiesandexploits #KasperskySecurityBulletin #rssfeedpostgeneratorecho #ArtificialIntelligence #APT(Targetedattacks) #CyberSecurityNews #Supplychainattack #internetofthings #machinelearning #Targetedattacks #GoogleAndroid #securelistcom #Triangulation #Hacktivists #deepfakes #AppleiOS #backdoor #botnets #Drivers #BYOVD #APT #XZ

Grzegorz Tworek na scenie OMH 2023 pojawił się dwukrotnie. W pierwszej prelekcji skupił się na BYOVD. Nawet jeżeli nie do końca wiemy, dlaczego tak jest, to powszechnie uważa się, że kernelowi wolno w systemie Windows więcej, więc nie każdy ma tam wstęp. W szczególności wcale nie chcemy wpuścić tam malware. A co, gdyby malware nie działał w trybie jądra i zamiast tego posłużył się zupełnie legalnym kawałkiem kodu, który już tam jest?

https://yt.elonego.com/watch?v=HrNe7SvNPMo

#OMH #OMHconf #OhMyHack #malware #BYOVD

The two drivers we've seen abused are known in the industry as #BYOVD payloads. One is a file called RentDrv2 (hosted on https://github.com/keowu/BadRentdrv2) and the other is named ThreatFireMonitor (also on Github, with a proof of concept at https://github.com/BlackSnufkin/BYOVD/tree/main/TfSysMon-Killer).

No matter which driver gets used, #EDRKillShifter writes them out to the %temp% directory using a random 10-digit filename. 5/

As it executes, #EDRKillShifter loads an embedded, encrypted resource into memory. That code extracts the next layer of tool, the abusable #BYOVD driver and a #Go binary.

It uses a SHA-256 hash of the initial password (used to execute the tool) as a decryption key for these second-layer payloads. 4/

The #EDRKillShifter utility is a #malware loader designed to deploy one of several different exploitable, legitimate #BYOVD drivers and abuse them to kill a wide range of endpoint protection. We've observed it used in a few recent incidents, so we wanted to spotlight how it works. 2/

@meatlotion malicious software has existed on Microsoft Windows for a long time. It was not much of an issue under Windows 3.x as most of those viruses were "research viruses" that did not spread very well or were seen in the wild, but things kind of exploded when Windows 95 was released with its own TCP/IP stack for network connectivity built in, and again when persistent internet connectivity in the form of broadband internet began to appear.

Preventing computer viruses has been going on since the DOS and Classic Mac era, and the Morris Worm was pretty big news in 1988, too, but the internet was a lot smaller back then.

Anyways, one thing you might find interesting is the [mis|ab]use of legitimate device drivers for malicious activity, commonly referred to as "bring your own vulnerable driver," or #byovd for short.

@mindtunes Oh. Hallo. Hier. Aufmerksamkeit. Ich. Nimm meinen #byovd!

Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this weeks newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

The #PaperCut vulnerability continues to garner interest, with Iran's Mint SandStorm (formerly #PHOSPHORUS) and Mango SandStorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.

Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware; the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.

Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.

There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.

The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.

Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.

There's lots to dig through before starting your work week, so get started here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2

Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this weeks newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

The #PaperCut vulnerability continues to garner interest, with Iran's Mint SandStorm (formerly #PHOSPHORUS) and Mango SandStorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.

Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware; the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.

Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.

There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.

The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.

Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.

There's lots to dig through before starting your work week, so get started here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2

Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this weeks newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

The #PaperCut vulnerability continues to garner interest, with Iran's Mint SandStorm (formerly #PHOSPHORUS) and Mango SandStorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.

Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware; the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.

Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.

There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.

The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.

Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.

There's lots to dig through before starting your work week, so get started here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2

Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this weeks newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

The #PaperCut vulnerability continues to garner interest, with Iran's Mint SandStorm (formerly #PHOSPHORUS) and Mango SandStorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.

Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware; the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.

Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.

There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.

The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.

Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.

There's lots to dig through before starting your work week, so get started here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2

Death by a thousand PaperCuts, China's APT41 uses new tricks to skirt EDR, and a pair of no-patch vulnerabilities take the front page in this weeks newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

The #PaperCut vulnerability continues to garner interest, with Iran's Mint SandStorm (formerly #PHOSPHORUS) and Mango SandStorm (formerly #MERCURY) seen using it opportunistically. A completely new exploit chain demo'd by Vulncheck researchers highlights the limitations of detection rules for assurances, and why patching is a must.

Earth Longzhi - a subset of the Chinese #APT41 Threat Group - has emerged after months in the shadows with new techniques seen in recent campaigns. Using Windows #Defender to side-load malware; the BYOVD technique to kill #EDR processes, and a newly discovered technique called "stack rumbling" to ensure they can't recover - this one is definitely one to check out.

Fortinet have warned of a recent wave of exploitation of a 5-year-old vulnerability with no patches being exploited en masse in late April, while #Cisco reveal a CVSS 9.8 vulnerability they have no plans to patch in their End-of-Support #VoIP phone adapters.

There's a bunch of great write-ups for those in the #redteam, looking at bypassing WAF protections by running tools like SQLMap over #Tor, how to minimise the size of your #XSS payloads, and highlighting a bunch of lab/ctf-style environments to cut your teeth on Azure, AWS, Kubernetes, and more.

The #blueteam can brush up on commonly abused misconfigurations in Active Directory, #AzureAD, and #Microsoft365, as well as some excellent tips on hunting the Open Source Posh, Deimos, and Havoc C2 frameworks using #Shodan and #Censys.

Elastic Labs have also outdone themselves last week, releasing a suite of tools to decrypt, decompress, recompile, extract and/or parse various malware payloads distributed in recent #IcedID campaigns.

There's lots to dig through before starting your work week, so get started here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-01052023-07052023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #exploitation #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #MangoSandstorm #MintSandstorm #Iran #EarthLongzhi #StackRumbling #clop #PoC #exploit #securityresearch #BYOVD #AWS #Azure #Kubernetes #GCP #PoshC2 #DeimosC2 #HavocC2

Another week, another newsletter - catch up on the week's infosec news here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

#Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

#FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign

#LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on Github - I mean, why not let the skiddies get in on the action too, right?

The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

Have a great week ahead folks, I hope this newsletter proves helpful!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

#infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD

Another week, another newsletter - catch up on the week's infosec news here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

#Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

#FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign

#LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on Github - I mean, why not let the skiddies get in on the action too, right?

The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

Have a great week ahead folks, I hope this newsletter proves helpful!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

#infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD

Another week, another newsletter - catch up on the week's infosec news here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

#Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

#FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign

#LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on Github - I mean, why not let the skiddies get in on the action too, right?

The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

Have a great week ahead folks, I hope this newsletter proves helpful!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

#infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD

Another week, another newsletter - catch up on the week's infosec news here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

#Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

#FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign

#LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on Github - I mean, why not let the skiddies get in on the action too, right?

The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

Have a great week ahead folks, I hope this newsletter proves helpful!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

#infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD

Another week, another newsletter - catch up on the week's infosec news here:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

Researchers have found that nearly two years on, 2 in 3 installs of #Apache #Superset are still using default Flask Secret Keys - a configuration flaw which would allow an attacker to forge session cookies and access said servers with full administrative privileges.

#Kritec is a commodity #skimmer found installed on compromised #Magecart sites, with its code heavily obfuscated and customised to match the site's aesthetic in order to con users out of credit card details.

#FIN7 look to be popping instances of the #Veeam backup software that are unpatched for a recent vulnerability; a revised #ViperSoftX #infostealer now targets #1password and #keepass password vaults, and #TA505 deliver a new infostealer through a #GoogleAds campaign

#LockBit & #CL0P ransomware affiliates have been abusing a month-old vulnerability in the #PaperCut print management software to drop ransomware. With the cat out of the bag, security researchers have decided now is a great time to drop a PoC exploit on Github - I mean, why not let the skiddies get in on the action too, right?

The #blueteam have some great research worth reading on #Smishing via #AWS; detections for #SliverC2 and different implementations of #PsExec, as well as #Sigma integration for #SentinelOne and a #KQL hack for monitoring LOLDrivers.

Have a great week ahead folks, I hope this newsletter proves helpful!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-240423-300423

#infosec #cyber #news #newsletter #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #affiliate #dfir #soc #threatintel #threatintelligence #threathunting #detection #threatdetection #detectionengineering #flask #python #fraud #malvertising #clop #PoC #exploit #securityresearch #LOLBAS #LOLBIN #BYOVD

It's been a heck of a week, with tonnes of great research and tooling that I'm sure you're going to get a kick out of - check out our wrap-up for all the news!:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-16042023

Kaspersky researchers shone a light on the Dark Web trade in Google Play Loaders - a service to help inject malware into legitimate, and supposedly vetted apps, with guarantees of >1 week up-time and the option to boost your spread with targeted Ads.

#Nokoyawa ransomware have clearly got some talent on their team, having abused a #CLFS 0-day prior to Microsoft patching it last week - one of 5 different exploits they've used, mind you - and they appear to have a new, distinct ransomware strain in rotation, too.

There's heaps more great threat reporting, including a report that #FIN7 and former #Conti (#FIN12/#WizardSpider) members are collaborating on a new backdoor, and a crypto-mining campaign that may be the canary in the coal mine, indicating broader uptake of BYOVD and IPFS by low-level operators.

The #QueueJumper vulnerability from last week looks primed to explode in coming days, with a no-fix vulnerability in Microsoft Intune capping off a lousy week for Windows admins struggling to keep their networks secure.

TOOLING. Ooooh boy, this was a good week for tooling and tradecraft, ladies and gentlemen.

The #redteam have a new port of the SharpHound AD enumeration tool for Cobalt Strike; a great reference piece on leveraging stolen Office tokens to bypass MFA and access cloud workloads, and a list of keywords to avoid when crafting stealthy PowerShell scripts.

The #blueteam have a script to help tweak VM settings to circumvent malware anti-analysis checks; Procmon for macOS, and a lightweight bastion host to help redirect and record traffic sent to honeypots in your network.

This was a fun one to write up, with heaps of interesting reads and takeaways to be had. Get amongst it!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-16042023

#infosec #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #soc #threatintel #threatintelligence #darkweb #microsoft #azure #mfa #mfabypass #cobaltstrike #bloodhound #sharphound #byovd #ipfs #intune #GooglePlay #Android #zeroday #0day

I've read and analysed last week's infosec news, so you don't have to - get up to speed on the latest in hacks, malware, tradecraft and more with this week's newsletter:

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf

A vulnerability in the widely-used, open-source JsonWebToken package has highlighted the continued reliance on vendors for supply chain security.

It's not just APTs - cyber crims are eyeing off kernel space, with #ScatteredSpider/#UNC3944 abusing the #BYOVD technique in an attempt to load their malicious driver into kernel space and subvert EDR controls.

We take a look at research into #RaspberryRobin infrastructure - it's multi-tiered, growing, and highly flexible...but also vulnerable to takeover. Will this be the next #Andromeda, still spreading and hijacked by a 3rd-party in 10 years time?

#Fortinet warns an unknown, stealth-conscious actor with a "deep understanding of #FortiOS" has been seen exploiting the month-old FortiOS vulnerability (CVE-2022-42475) to drop additional malware & subvert logging.

There's a tonne more interesting reporting and tradecraft that I can't get to in this post, but you can find them in the newsletter - check it out, and subscribe to get the latest issues straight to your inbox, and support my work!

https://opalsec.substack.com/p/soc-goulash-weekend-wrap-up-d72?sd=pf

#infosec #CyberAttack #Hacked #cyber #news #cybernews #infosec #infosecnews #informationsecurity #cybersecurity #hacking #security #technology #hacker #vulnerability #vulnerabilities #malware #ransomware #dfir #redteam #soc