-
Technical Advisory – KwikTag Web Admin Authentication Bypass
Summary: KwikTag is a digital document management solution. KwikTag Web Admin is used to administrate accounts and permissions of the KwikTag instance. KwikTag Web Admin grants an active session without properly validating expired admin credentials. Location: ~/ktadmin/Default.aspx Impact: An attacker can gain administrative access to KwikTag Web Admin by logging in as an admin account… Read more
-
Pairing over BLS12-381, Part 1: Fields
This is the first of three code-centric blog posts on pairing based cryptography. The series will ultimately conclude with a detailed review of the popular BLS12-381 pairing operations found in a variety of applications such as BLS signatures [1]. Support for these operations in an Ethereum precompiled contract has been proposed [2], and support for… Read more
-
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
CVE-2020-5902 was disclosed on June 1, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the Big-IP administrative interface. By June 3, 2020 NCC Group observed active exploitation. This blog is a summary of what we know as the situation develops.
-
Experiments in Extending Thinkst Canary – Part 1
The Thinkst Canary is best described as a digital tripwire for physical and virtual environments. It sits there waiting for a threat actor to tip you off they are mooching around your environment. What is less appreciated however is it is extensible with custom user modules. This post is the first in a series detailing our experiments in extending the product.
-
Tool Release – ScoutSuite 5.9.0
We’re proud to announce the release of a new version of our open-source, multi-cloud auditing tool ScoutSuite (on Github)! Since the release of 5.8.0 back in late March, we’ve had over 300 commits from 8 different contributors, and closed 30 PRs. Notable improvements and features include: AWS Added 4 new ELB and ELBv2 findings Added… Read more
-
Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
A local macOS user or process may be able to modify or replace files executed by Installer. This could allow a low-privileged user or process to gain arbitrary code execution with root privileges, effectively leading to a full system compromise.
-
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
tl;dr Today we’ve released a whitepaper on the key techniques that continue to enable us to breach the largest and most sophisticated organisations on the planet. Organisations that prioritize these areas, and the mitigations we outline, will thwart attacks while making threat actors work harder and ultimately fail more often. Objective The purpose of this… Read more
-
How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
In this post we show how to import WStalker output into Burp Suite and the Logger++ extension to build a sitemap from a recorded session for use in Intruder and Repeater.
-
Tool: WStalker – an easy proxy to support Web API assessments
Have you ever faced a situation where you have a number of web services to test but no one is able to provide full working examples of each API call? WStalker is a work aid to help developers / functional testers record API traffic to help facilitate security assessments by security testers and other tooling.
-
Security Considerations of zk-SNARK Parameter Multi-Party Computation
The secure generation of parameters for zk-SNARKs is a crucial step in the trustworthiness of the resulting proof system. By highlighting some potential pitfalls and important security considerations of these implementations, NCC Group hopes to provide helpful pointers to all implementers and avoid the introduction of vulnerabilities detrimental to the confidence users have in the different applications of these systems.
-
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox), Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow’s threat landscape. Cyber security is an… Read more
-
Tool Release – Socks Over RDP Now Works With Citrix
Introduction A month ago, we released a new tool that made it possible to tunnel traffic over an existing Remote Desktop Connection without the need to alter the configuration of the environment. This tool enables penetration testers to conduct their assessments over Windows-based jump boxes. Remote Access technologies are quite diversified, although Remote Desktop Services… Read more
-
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
This vulnerability applied to a 5 year old end of life version of CobaltStrike and is being published in the spirit of archaeological interest in the vulnerability. tl;dr This blog looks at some of the communication and encryption internals of Cobalt Strike between Beacons and the Team Server in the 3.5 family. We then explore… Read more
-
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains a three (3) memory safety vulnerabilities, allowing adversaries with… Read more
-
Cyber Security of New Space Paper
NCC Group’s Transport Security Practice has co-authored with the Surrey Center for Cyber Security and the Surrey Space Center a new paper titled ‘Cyber security in New Space’. It provides analysis of the threats, challenges and key technologies related to the satellite industry.