Research Blog
Insights and research from our global cybersecurity team.
Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings.
Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
Author: Alex Jessop (@ThisIsFineChief) Summary Tl;dr This post will delve into a recent incident response engagement handled by NCC Group’s Cyber Incident Response Team (CIRT) involving the Ransomware-as-a-Service known as NoEscape. Below provides a summary of findings which are presented in this blog post: NoEscape NoEscape is a new financially…
The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. Sometimes cybercriminals that host malicious servers employ tactics that involve mimicking the responses of legitimate software to evade detection.…
Public Report – WhatsApp Auditable Key Directory (AKD) Implementation Review
In August 2023, Meta engaged NCC Group’s Cryptography Services practice to perform an implementation review of their Auditable Key Directory (AKD) library, which provides an append-only directory of public keys mapped to user accounts and a framework for efficient cryptographic validation of this directory by an auditor. The library is…
Don’t throw a hissy fit; defend against Medusa
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families Author: Molly Dewis Intro Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, our last…
Demystifying Cobalt Strike’s “make_token” Command
Introduction If you are a pentester and enjoy tinkering with Windows, you have probably come across the following post by Raphael Mudge: Windows Access Tokens and Alternate Credentials In this post, he explains how the Windows program runas works and how the netonly flag allows the creation of processes where…
Tool Release: Magisk Module – Conscrypt Trust User Certs
Overview Android 14 introduced a new feature which allows to remotely install CA certificates. This change implies that instead of using the /system/etc/security/cacerts directory to check the trusted CA’s, this new feature uses the com.android.conscrypt APEX module, and reads the certificates from the directory /apex/com.android.conscrypt/cacerts. Inspired by this blog post by Tim Perry,…
Post-exploiting a compromised etcd – Full control over the cluster and its nodes
Kubernetes is essentially a framework of various services that make up its typical architecture, which can be divided into two roles: the control-plane, which serves as a central control hub and hosts most of the components, and the nodes or workers, where containers and their respective workloads are executed. Within…
D0nut encrypt me, I have a wife and no backups
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families Author: Ross Inman (@rdi_x64) Introduction Our technical experts have written a blog series focused on Tactics, Techniques and Procedures (TTP’s) deployed by four ransomware families recently observed during NCC Group’s incident response engagements. In case you missed it, last…
Popping Blisters for research: An overview of past payloads and exploring recent developments
Summary Blister is a piece of malware that loads a payload embedded inside it. We provide an overview of payloads dropped by the Blister loader based on 137 unpacked samples from the past one and a half years and take a look at recent activity of Blister. The overview shows…
No Results Found :(
View articles by category
Most popular posts
Most recent posts
- Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
- Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
- The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
- Public Report – WhatsApp Auditable Key Directory (AKD) Implementation Review
- Don’t throw a hissy fit; defend against Medusa