Archive

This page contains all published blog posts.

• Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
• Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
• A Guide to Improving Security Through Infrastructure-as-Code
• Tool Release – ScoutSuite 5.12.0
• Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
• Tool Release – Monkey365
• Sharkbot is back in Google Play 
• Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
• There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
• Conference Talks – September/October 2022
• SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
• Writing FreeBSD Kernel Modules in Rust
• NCC Con Europe 2022 – Pwn2Own Austin Presentations
• Tool Release – JWT-Reauth
• Back in Black: Unlocking a LockBit 3.0 Ransomware Attack 
• Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
• Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study 
• Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
• Top of the Pops: Three common ransomware entry techniques
• NCC Group Research at Black Hat USA 2022 and DEF CON 30
• Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)
• NIST Selects Post-Quantum Algorithms for Standardization
• Climbing Mount Everest: Black-Byte Bytes Back?
• Five Essential Machine Learning Security Papers
• Whitepaper – Practical Attacks on Machine Learning Systems
• Flubot: the evolution of a notorious Android Banking Malware
• Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link
• Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
• Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
• Public Report – Threshold ECDSA Cryptography Review
• Exception Handling and Data Integrity in Salesforce
• Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
• Shining the Light on Black Basta
• Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
• NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program
• Conference Talks – June 2022
• Hardware Security By Design: ESP32 Guidance
• Public Report – Lantern and Replica Security Assessment
• NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard
• Technical Advisory – FUJITSU CentricStor Control Center
• Public Report – go-cose Security Assessment
• Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)
• Metastealer – filling the Racoon void
• earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
• Tool Release – Ghostrings
• Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
• Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
• Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
• Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
• North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
• Adventures in the land of BumbleBee – a new malicious loader
• LAPSUS$: Recent techniques, tactics and procedures
• Real World Cryptography Conference 2022
• Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
• A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
• Public Report – Google Enterprise API Security Assessment
• Conti-nuation: methods and techniques observed in operations post the leaks
• Whitepaper – Double Fetch Vulnerabilities in C and C++
• Mining data from Cobalt Strike beacons
• Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
• Tool Release – ScoutSuite 5.11.0
• Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
• Microsoft announces the WMIC command is being retired, Long Live PowerShell
• SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
• BrokenPrint: A Netgear stack overflow
• Conference Talks – March 2022
• Hardware & Embedded Systems: A little early effort in security can return a huge payoff
• Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
• Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
• Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5 Attacks vs the CIS Microsoft 365 Foundation Benchmark
• Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
• Detecting Karakurt – an extortion focused threat actor
• BAT: a Fast and Small Key Encapsulation Mechanism
• A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented
• Estimating the Bit Security of Pairing-Friendly Curves
• Testing Infrastructure-as-Code Using Dynamic Tooling
• Machine Learning for Static Analysis of Malware – Expansion of Research Scope
• 10 real-world stories of how we’ve compromised CI/CD pipelines
• Impersonating Gamers With GPT-2
• NCC Group’s 2021 Annual Research Report
• Tool Release – insject: A Linux Namespace Injector
• Detecting anomalous Vectored Exception Handlers on Windows
• On the malicious use of large language models like GPT-3
• Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs
• Tool Update – ruby-trace: A Low-Level Tracer for Ruby
• Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
• Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)
• Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers
• FPGAs: Security Through Obscurity?
• Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
• log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
• Log4Shell: Reconnaissance and post exploitation network detection
• Announcing NCC Group’s Cryptopals Guided Tour!
• Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
• Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
• Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
• Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
• Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
• Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
• Why IoT Security Matters
• Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
• Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
• Tracking a P2P network related to TA505
• Conference Talks – December 2021
• Public Report – Zendoo Proof Verifier Cryptography Review
• An Illustrated Guide to Elliptic Curve Cryptography Validation
• Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
• POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
• Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
• “We wait, because we know you.” Inside the ransomware negotiation economics.
• Detection Engineering for Kubernetes clusters
• Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
• Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)
• TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
• Public Report – Zcash NU5 Cryptography Review
• The Next C Language Standard (C23)
• Conference Talks – November 2021
• Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
• Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
• Cracking RDP NLA Supplied Credentials for Threat Intelligence
• Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
• Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
• Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
• Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
• NCC Group placed first in global 5G Cyber Security Hack competition
• Paradoxical Compression with Verifiable Delay Functions
• A Look At Some Real-World Obfuscation Techniques
• SnapMC skips ransomware, steals data
• The Challenges of Fuzzing 5G Protocols
• Reverse engineering and decrypting CyberArk vault credential files
• Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
• Assessing the security and privacy of Vaccine Passports
• Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)
• Conference Talks – October 2021
• Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
• Detecting and Hunting for the PetitPotam NTLM Relay Attack
• Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
• Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
• CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
• NSA & CISA Kubernetes Security Guidance – A Critical Review
• Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
• Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
• Conference Talks – September 2021
• The ABCs of NFC chip security
• CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
• Disabling Office Macros to Reduce Malware Infections
• Some Musings on Common (eBPF) Linux Tracing Bugs
• Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
• Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
• Practical Considerations of Right-to-Repair Legislation
• Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
• Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)
• Detecting and Hunting for the Malicious NetFilter Driver
• CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
• NCC Group Research at Black Hat USA 2021 and DEF CON 29
• Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
• Software-Based Fault Injection Countermeasures (Part 2/3)
• An Introduction to Fault Injection (Part 1/3)
• Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
• Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
• Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
• Tool Release – Reliably-checked String Library Binding
• Are you oversharing (in Salesforce)? Our new tool could sniff it out!
• Exploit mitigations: keeping up with evolving and complex software/hardware
• NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use Against Security Researchers
• Handy guide to a new Fivehands ransomware variant
• On the Use of Pedersen Commitments for Confidential Payments
• Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
• Testing Two-Factor Authentication
• Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
• Research Paper – Machine Learning for Static Malware Analysis, with University College London
• Conference Talks – June 2021
• Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
• iOS User Enrollment and Trusted Certificates
• Detecting Rclone – An Effective Tool for Exfiltration
• Supply Chain Security Begins with Secure Software Development
• Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
• Public Report – Dell Secured Component Verification
• RM3 – Curiosities of the wildest banking malware
• Conference Talks – May 2021
• A Census of Deployed Pulse Connect Secure (PCS) Versions
• NCC Group’s Upcoming Trainings at Black Hat USA 2021
• Public Report – VPN by Google One: Technical Security & Privacy Assessment
• Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
• Tool Release – Principal Mapper v1.1.0 Update
• SAML XML Injection
• The Future of C Code Review
• RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
• Tool Release – Solitude: A privacy analysis tool
• Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
• Lending a hand to the community – Covenant v0.7 Updates
• Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
• Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
• Deception Engineering: exploring the use of Windows Service Canaries against ransomware
• Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
• Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
• Cryptopals: Exploiting CBC Padding Oracles
• Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
• NCC Group’s 2020 Annual Research Report
• Conference Talks – February/March 2021
• Software Verification and Analysis Using Z3
• Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
• Real World Cryptography Conference 2021: A Virtual Experience
• RIFT: Analysing a Lazarus Shellcode Execution Method
• MSSQL Lateral Movement
• Public Report – BLST Cryptographic Implementation Review
• Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
• Abusing cloud services to fly under the radar
• Building an RDP Credential Catcher for Threat Intelligence
• Double-odd Elliptic Curves
• Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
• Domestic IoT Nightmares: Smart Doorbells
• Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
• Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
• An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
• ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
• Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
• ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
• Tool Release – Carnivore: Microsoft External Assessment Tool
• Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
• Conference Talks – December 2020
• TA505: A Brief History Of Their Time
• Decrypting OpenSSH sessions for fun and profit
• Past, Present and Future of Effective C
• Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
• Conference Talks – November 2020
• Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
• Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
• Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
• Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
• Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
• Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
• There’s A Hole In Your SoC: Glitching The MediaTek BootROM
• RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
• Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
• Tool – Windows Executable Memory Page Delta Reporter
• Salesforce Security with Remote Working
• Tool Release – ScoutSuite 5.10
• Conference Talks – October 2020
• Tool Release – ICPin, an integrity-check and anti-debug detection pintool
• Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
• Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
• Online Casino Roulette – A guideline for penetration testers and security researchers
• Extending a Thinkst Canary to become an interactive honeypot
• StreamDivert: Relaying (specific) network connections
• Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
• Machine learning from idea to reality: a PowerShell case study
• Conference Talks – September 2020
• Whitepaper – Exploring the Security of KaiOS Mobile Applications
• Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
• Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
• Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
• Immortalising 20 Years of Epic Research
• Pairing over BLS12-381, Part 3: Pairing!
• Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
• NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
• Lights, Camera, HACKED! An insight into the world of popular IP Cameras
• Conference Talks – August 2020
• Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
• Tool Release: Sinking U-Boots with Depthcharge
• Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
• Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
• Pairing over BLS12-381, Part 2: Curves
• Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
• RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
• An offensive guide to the Authorization Code grant
• Technical Advisory – KwikTag Web Admin Authentication Bypass
• Pairing over BLS12-381, Part 1: Fields
• RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
• Experiments in Extending Thinkst Canary – Part 1
• Tool Release – ScoutSuite 5.9.0
• Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
• Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
• How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
• Tool: WStalker – an easy proxy to support Web API assessments
• Security Considerations of zk-SNARK Parameter Multi-Party Computation
• WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
• Tool Release – Socks Over RDP Now Works With Citrix
• Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
• Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
• Cyber Security of New Space Paper
• In-depth analysis of the new Team9 malware family
• Common Insecure Practices with Configuring and Extending Salesforce
• Exploring DeepFake Capabilities & Mitigation Strategies with University College London
• Game Security
• Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
• Research Report – Zephyr and MCUboot Security Assessment
• CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
• CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
• Using SharePoint as a Phishing Platform
• Public Report – Coda Cryptographic Review
• Shell Arithmetic Expansion and Evaluation Abuse
• CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
• Tool Release – Socks Over RDP
• Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
• CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
• Practical Machine Learning for Random (Filename) Detection
• Curve9767 and Fast Signature Verification
• CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
• The Extended AWS Security Ramp-Up Guide
• Code Patterns for API Authorization: Designing for Security
• Order Details Screens and PII
• How cryptography is used to monitor the spread of COVID-19
• Rise of the Sensors: Securing LoRaWAN Networks
• CVE-2019-1381 and CVE-2020-0859 – How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability
• C Language Standards Update – Zero-size Reallocations are Undefined Behavior
• IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
• Exploring Verifiable Random Functions in Code
• Crave the Data: Statistics from 1,300 Phishing Campaigns
• Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
• Tool Release – ScoutSuite 5.8.0
• Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
• Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
• LDAPFragger: Bypassing network restrictions using LDAP attributes
• Threat Actors: exploiting the pandemic
• A Survey of Istio’s Network Security Features
• Conference Talks – March 2020
• Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
• Reviewing Verifiable Random Functions
• CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
• Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
• Improving Software Security through C Language Standards
• Whitepaper – A Tour of Curve 25519 in Erlang
• Deep Dive into Real-World Kubernetes Threats
• Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
• Interfaces.d to RCE
• Properly Signed Certificates on CPE Devices
• Conference Talks – February 2020
• Tool Release – Collaborator++
• Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
• Tool Release – Enumerating Docker Registries with go-pillage-registries
• Conference Talks – January 2020
• Passive Decryption of Ethereum Peer-to-Peer Traffic
• On Linux’s Random Number Generation
• Demystifying AWS’ AssumeRole and sts:ExternalId
• Welcome to the new NCC Group Global Research blog
• CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service
• Padding the struct: How a compiler optimization can disclose stack memory
• Embedded Device Security Certifications
• PhanTap (Phantom Tap): Making networks spookier one packet at a time
• Compromising a Hospital Network for £118 (Plus Postage & Packaging)
• Getting Shell with XAMLX Files
• Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
• Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
• Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
• Story of a Hundred Vulnerable Jenkins Plugins
• Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
• eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
• Chafer backdoor analysis
• Finding and Exploiting .NET Remoting over HTTP using Deserialisation
• Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
• Turla PNG Dropper is back
• Spectre on a Television
• RokRat Analysis
• Securing Google Cloud Platform – Ten best practices
• Public Report – Android Cloud Backup/Restore
• Much Ado About Hardware Implants
• NCC Group’s Exploit Development Capability: Why and What
• Celebrating NCC Con Europe 2018
• Securing Teradata Database
• CVE-2017-8570 RTF and the Sisfader RAT
• Emissary Panda – A potential new malicious tool
• SMB hash hijacking & user tracking in MS Outlook
• Testing HTTP/2 only web services
• Readable Thrift
• Introducing Azucar
• Decoding network data from a Gh0st RAT variant
• APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
• Spectre and Meltdown: What you Need to Know
• HIDDEN COBRA Volgmer: A Technical Analysis
• Kubernetes Security: Consider Your Threat Model
• Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
• Bypassing Android’s Network Security Configuration
• Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
• Cisco ASA series part seven: Checkheaps
• Cisco ASA series part six: Cisco ASA mempools
• Cisco ASA series part five: libptmalloc gdb plugin
• Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
• Decoder Improved Burp Suite plugin release part two
• Cisco ASA series part three: Debugging Cisco ASA firmware
• Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
• Cisco ASA series part one: Intro to the Cisco ASA
• EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
• Technical Advisory – play-pac4j Authentication rule bypass
• Decoder Improved Burp Suite plugin release part one
• Poison Ivy string decryption
• Signaturing an Authenticode anomaly with Yara
• Analysing a recent Poison Ivy sample
• DeLux Edition: Getting root privileges on the eLux Thin Client OS
• UK government cyber security guidelines for connected & autonomous vehicles
• Smuggling HTA files in Internet Explorer/Edge
• Live Incident Blog: June Global Ransomware Outbreak
• A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
• Setting a New Standard for Kubernetes Deployments
• Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
• Fix Bounty
• SCOMplicated? – Decrypting SCOM “RunAs” credentials
• ISM RAT
• Compromising Apache Tomcat via JMX access
• Berserko: Kerberos Authentication for Burp Suite
• NCC CON Europe 2017
• Public Report – Matrix Olm Cryptographic Review
• iOS Instrumentation Without Jailbreak
• The Password is Dead, Long Live the Password!
• A Peek Behind the Great Firewall of Russia
• Avoiding Pitfalls Developing with Electron
• The CIS Security Standard for Docker available now
• An adventure in PoEKmon NeutriGo land
• The Automotive Threat Modeling Template
• Ransomware: How vulnerable is your system?
• Project Triforce: Run AFL on Everything!
• Writing Exploits for Win32 Systems from Scratch
• Sakula: an adventure in DLL planting
• When a Trusted Site in Internet Explorer was Anything But
• GSM/GPRS Traffic Interception for Penetration Testing Engagements
• Adventures in Windows Driver Development: Part 1
• From CSV to CMD to qwerty
• Sysinternals SDelete: When Secure Delete Fails
• Breaking into Security Research at NCC Group
• Building WiMap the Wi-Fi Mapping Drone
• NCC Con Europe 2016
• Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
• Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
• Exploiting CVE-2014-0282
• Car Parking Apps Vulnerable To Hacks
• Drones: Detect, Identify, Intercept, and Hijack
• Introducing Chuckle and the Importance of SMB Signing
• Understanding Microsoft Word OLE Exploit Primitives
• Vehicle Emissions and Cyber Security
• Does TypeScript Offer Security Improvements Over JavaScript?
• Build Your Own Wi-Fi Mapping Drone Capability
• Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
• libtalloc: A GDB plugin for analysing the talloc heap
• Tool Release: Introducing opinel: Scout2’s favorite tool
• Broadcasting your attack – DAB security
• Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
• Blind Return Oriented Programming
• Username enumeration techniques and their value
• IAM user management strategy (part 2)
• Some Notes About the Xen XSA-122 Bug
• iSEC audit of MediaWiki
• A Back-to-Front TrueCrypt Recovery Story: The Plaintext is the Ciphertext
• Xen SMEP (and SMAP) Bypass
• Work daily with enforced MFA-protected API access
• Use and enforce Multi-Factor Authentication
• iSEC reviews SecureDrop
• Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit
• Derusbi: A Case Study in Rapid Capability Development
• SMACK, SKIP-TLS & FREAK SSL/TLS Vulnerabilities
• Whitepaper: Recognizing and Preventing TOCTOU
• Samba _netr_ServerPasswordSet Expoitability Analysis
• Adventures in Xen Exploitation
• Abusing Blu-ray Players Part 1 – Sandbox Escapes
• IAM user management strategy
• Violating the Virtual Channel – RDP Testing
• Do not use your AWS root account
• Announcing the AWS blog post series
• Windows Firewall Hook Enumeration
• DARPA OnStar Vulnerability Analysis
• Whitepaper: CA Alternative
• Ghost Vulnerability (CVE-2015-0235)
• Tool Release: Calculating SQL Permissions
• Vulnerability Overview: Ghost (CVE-2015-0235)
• Analysis of setting cookies for third party websites in different browsers
• Jailbreak, updated and open-sourced
• Intel® Software Guard Extensions (SGX): A Researcher’s Primer
• Launching the first in our series of Research Insights
• Tis the Season to Be…
• Tool Release: A Simple DLL Injection Utility
• Analysis of the Linux backdoor used in freenode IRC network compromise
• Drupal Vulnerability
• The facts about BadUSB
• CloudWatch: Amazon Web Services & Shellshock
• Shellshock Advisory
• Shellshock Bash Vulnerability
• Technical Advisory – Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability
• Whitepaper: Perfect Forward Security
• Tor Browser Research Report Released
• ZigTools: An Open Source 802.15.4 Framework
• Understanding Ransomware
• A New Flying Kitten?
• Extracting the Payload from a CVE-2014-1761 RTF Document
• Writing Robust Yara Detection Rules for Heartbleed
• Whitepaper – XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques
• The Case of Missing File Extensions
• Apache Struts Vulnerability
• Tool Release: You’ll Never (Ever) Take Me Alive!
• Tool Release: SSLyze v 0.9 released – Heartbleed edition
• Tool Release: DIBF Tool Suite
• iSEC Completes TrueCrypt Audit
• Heartbleed (CVE-2014-0160) Advisory
• Logs, Logs, the Audit Trail – Features of a Successful Log Management Solution
• Heartbleed OpenSSL vulnerability
• Security of Things: An Implementer’s Guide to Cyber Security for Internet of Things Devices and Beyond
• White Paper: Cryptopocalypse Reference Paper
• Vulnerabilities Found In Geofencing Apps
• iOS certificate pinning code updated for iOS 7
• Tool Release: Announcing the Release of RtspFuzzer
• iOS 7 tool updates
• Introduction to Anti-Fuzzing: A Defence in Depth Aid
• Tool Release: SSLyze v0.8 released
• Fuzzing RTSP to discover an exploitable vulnerability in VLC
• iSEC Engages in TrueCrypt Audit
• White Paper: Login Service Security
• Tool Release: SSL pinning bypass and other Android tools
• Tool Release: Blackbox Android App Analysis with Introspy
• Non Obvious PE Parsers – The .NET runtime – Part 1
• White Paper: Browser Extension Password Managers
• Windows DACLs & Why There Is Still Room for Interest
• Ruxcon 2013 – Introspy Presentation Slides
• Scenester – A Small Tool for Cross-Platform Web Application
• Tool Release: iOS Secure State Preservation
• Tool Release: Redirecting traffic with dnsRedir.py
• Tool Release: Blackbox iOS App Analysis with Introspy
• Man-in-the-Middling Non-Proxy Aware Wi-Fi Devices with a Pineapple
• Tool Release: iOS SSL Kill Switch v0.5 Released
• Black Hat 2013 – Femtocell Presentation Slides, Videos and App
• Working with the Open Technology Fund
• SSLyze v0.7 Released
• Black Hat 2013 – Bluetooth Smart Presentation Available
• Black Hat 2013 – Cryptopocalypse Presentation Available
• How To Spot a Penetration Tester in Your Network (and Catch the Real Bad Guys at the Same Time)
• Technical Advisory – IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks
• Tool Release: PeachFarmer
• EasyDA – Easy Windows Domain Access Script
• White Paper: An Introduction to Authenticated Encryption
• ASP.NET Security and the Importance of KB2698981 in Cloud Environments Threat Brief
• Pip3line – The Swiss Army Knife of Byte Manipulation
• Content Security Policies and Popular CMS Systems
• Grepify – a Small Tool for Code Reviewers
• Visualising Firewall Rulesets – Simplifying Firewall Administration and Spotting the Pivot Point
• Tool Release: YoNTMA
• Tool Release: tcpprox
• Tool Release: Exploring SSL Pinning on iOS
• Spy-Pi: Do you trust your laptop docking stations?
• Advice for security decision makers contemplating the value of Antivirus
• The death of USB autorun and the rise of the USB keyboard
• Lessons learned from 50 USB bugs
• How Microsoft Office knows a document came from the Internet and might be dangerous
• Technical Advisory – HTC IQRD Android Permission Leakage
• Technical Advisory – libraptor – XXE in RDF/XML File Interpretation
• Whitepaper – A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator
• Technical Advisory – VMware Tools Multiple Vulnerabilities
• Technical Advisory – Apple HFS+ Information Disclosure Vulnerability
• Technical Advisory – OpenOffice.org Multiple Memory Corruption Vulnerabilities
• Technical Advisory – Citrix Access Gateway Command Injection Vulnerability
• Technical Advisory – Linux RDS Protocol Local Privilege Escalation
• Technical Advisory – Coda Filesystem Kernel Memory Disclosure
• WebLogic Plugin HTTP Injection via Encoded URLs
• Multiple Cisco CSS / ACE Client Certificate and HTTP Header
• TANDBERG Video Communication Server Authentication Bypass
• TANDBERG Video Communication Server Static SSH Host Keys
• TANDBERG Video Communication Server Arbitrary File Retrieval
• Chrome Password Manager Cross Origin Weakness
• Whitepaper – Weaning the Web off of Session Cookies: Making Digest Authentication Viable
• Whitepaper – HTTP Digest Integrity: Another look, in light of recent attacks
• Research Paper – Recovering deleted data from the Windows registry
• Java Web Start File Inclusion via System Properties Override
• Multiple Format String Injections in AFFLIB
• Multiple Shell Metacharacter Injections in AFFLIB
• Multiple Buffer Overflows Discovered in AFFLIB
• PDF Form Filling and Flattening Tool Buffer Overflow
• WebSense content filter bypass when deployed in conjunction with Cisco filtering devices
• Remote Directory Traversal and File Retrieval
• Technical Advisory – IBM TAM: Remote Directory Traversal and File Retrieval via web server plug-in