MetaStealer is a new information stealer variant designed to fill the void following Racoon stealer suspending operations in March of this year.
(The version of Ghidra used in this article is 10.1.2. For the Go string recovery tool release, skip ahead to Ghostrings Release.) Introduction A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many … Continue reading earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
Introduction Ghostrings is a collection of Ghidra scripts for recovering string definitions in Go binaries with P-Code analysis. A well-known issue with reverse engineering Go programs is that the lack of null terminators in Go strings makes recovering string definitions from compiled binaries difficult. Within a compiled Go program, many of the constant string values … Continue reading Tool Release – Ghostrings
Vendor: Kwikset/Weiser (Spectrum Brands) Vendor URLs: https://www.kwikset.com/kevo/smart-lock, https://www.weiserlock.com/en/kevo/default Versions Affected: All versions. Attack tested on Kevo Generation 2 hardware with firmware v1.9.49 and Android application version Kevo 220.127.116.1165p. Systems Affected: Kevo smart locks, including Kevo Contemporary Author: Sultan Qasim Khan Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> - An attacker within BLE signal range of a smartphone … Continue reading Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
Vendor: Tesla, Inc. Vendor URL: https://www.tesla.com Versions affected: Attack tested with vehicle software v11.0 (2022.8.2 383989fadeea) and iOS app 4.6.1-891 (3784ebe63). Systems Affected: Attack tested on Model 3. Model Y is likely also affected. Author: Sultan Qasim Khan <sultan.qasimkhan[at]nccgroup[dot]com> Risk: <6.8 CVSS v3.1 AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N> An attacker within Bluetooth signal range of a mobile device configured … Continue reading Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
Vendor: Bluetooth SIG, Inc. Vendor URL: https://www.bluetooth.com Versions Affected: Specification versions 4.0 to 5.3 Systems Affected: Any systems relying on the presence of a Bluetooth LE connection as confirmation of physical proximity, regardless of whether link layer encryption is used Author: <Sultan Qasim Khan> <sultan.qasimkhan[at]nccgroup[dot]com> Risk: An attacker can falsely indicate the proximity of Bluetooth … Continue reading Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
Vendor: Ruby on Rails Vendor URL: https://rubyonrails.org Versions affected: versions prior to 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52 Operating Systems Affected: ALL Author: Álvaro Martín Fraguas <alvaro.martin[at]nccgroup[dot]com> Advisory URLs: - https://groups.google.com/g/rubyonrails-security/c/Yg2tEh2UUqc - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777 Accepted commit for the fix in the official master branch: - https://github.com/rails/rails/commit/649516ce0feb699ae06a8c5e81df75d460cc9a85 Risk: Medium (XSS vulnerability in some cases for some Rails methods). Summary … Continue reading Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
This blog post documents some of the actions taken during the initial access phase for an attack attributed to Lazarus, along with analysis of the malware that was utilised during this phase.
BUMBLEBEE is a new malicious loader that is being used by several threat actors and has been observed to download different malicious samples. This post provides our initial analysis
This post describes the techniques, tactics and procedures we observed during recent LAPSUS$ incidents.