Blog

Abusing mshta.exe to Gain PowerShell Access

Background In my previous life, I spent a lot of time analyzing malware and figuring out how it worked in order to defend against it. One trend that has increased across the industry is the use of fileless malware and specifically mshta.exe as a method of infection. Now that I’m on offense, I wanted to […]

The Next Step of Social Engineering: Social Media Hoaxes

From Jonathan Swift’s fake almanac in 1708 to the modern Dihydrogen monoxide joke, hoaxes have been around for as long as humans have enjoyed deceiving each other for fun. The ease of communication via technology has made hoaxes and scams even more prevalent, evolving from word-of-mouth and chain email to Instagram, WhatsApp, and Facebook. Users are constantly falling […]

One Month Later: The Marriott Data Breach – What You Should Do

Just over a month ago, Marriott International, one of the world’s largest hotel chains, announced that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties on or before September 10, 2018. Among the hotels under the Starwood brand are the W Hotels, St. Regis, Sheraton, Westin, and Design […]

Phishing Attacks Today: DRIDEX and URSNIF Are Back

On the morning of December 12th, 2018, the CyberOne CYBERSOC began seeing the resurgence of a prolific phishing campaign. This campaign included malware variants such as DRIDEX & URSNIF, both common Banking Trojans used in macro-based attacks. These files are observed hiding with macro-enabled documents or downloaded after the code executes, requesting the host reach […]

PRTG Network Monitor Privilege Escalation

Background: Recently I’ve seen a decent number of privilege escalations occurring on Windows due to permission issues and using symlinks. The work from Ryan Hanson from Atredis on the Cylance privilege escalation and Windows Standard Collector privilege escalation really inspired me to research more into this issue and potentially find some myself. After several weeks of researching the usage of symlinks, […]

Cisco Umbrella Enterprise Roaming Client and Enterprise Roaming Module Privilege Escalation Vulnerability

CVE Numbers: CVE-2018-0437 – Cisco Umbrella ERC releases prior to 2.1.118 and Cisco Umbrella CVE-2018-0438 – Cisco Umbrella ERC releases prior to 2.1.127 Versions Tested: Umbrella Roaming Client 2.0.168 Security Advisories: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-priv https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180905-umbrella-file-read Binary Planting: The Umbrella Roaming Client from Cisco OpenDNS includes a service named Umbrella_RC which is executed as SYSTEM on startup. This service consumes several files within […]

Defending Layer 8

Security awareness training is broken. Read the news any day of the week and you can find articles talking about breaches, ransomware attacks, and countless records stolen resulting in identity theft victims. Our users are continuing to click suspicious links, open attachments they weren’t expecting, and falling for the call to action. Attackers know that […]

Unauthenticated Command Injection Vulnerability in VMware NSX SD-WAN by VeloCloud

Exploits for network devices including routers, switches, and firewalls have been around for as long as networking has been a thing. It seems like every week a researcher discloses a new vulnerability or publishes proof of concept (PoC) code online for these types of devices, and that is exactly what is happening in this article. […]

Fall of Sudo – A Pwnage Collection

Introduction Finding Linux servers heavily reliant on Sudo rules for daily management tasks is a common occurrence. While not necessarily bad, Sudo rules can quickly become security’s worst nightmare. Before discussing the security implications, let’s first discuss what Sudo is. Defining Sudo What is Sudo? Sudo, which stands for “superuser do!,” is a program that […]

Finding Enterprise Credentials in Data Breaches

In the age of the breach, it’s a safe assumption that almost every public account’s credentials have been exposed at some point. “Have I Been Pwned” (HIBP), is a database that contains usernames and other information about any compromise they come across.  While available for individuals to search against, certain protections have been put in place […]