This page contains all published blog posts.
- Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
- Abusing cloud services to fly under the radar
- Building an RDP Credential Catcher for Threat Intelligence
- Double-odd Elliptic Curves
- Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
- Domestic IoT Nightmares: Smart Doorbells
- Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
- Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
- An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
- ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
- Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
- ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
- Tool Release – Carnivore: Microsoft External Assessment Tool
- Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
- Conference Talks – December 2020
- TA505: A Brief History Of Their Time
- Decrypting OpenSSH sessions for fun and profit
- Past, Present and Future of Effective C
- Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
- Conference Talks – November 2020
- Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
- Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
- Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
- Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
- Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
- Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
- There’s A Hole In Your SoC: Glitching The MediaTek BootROM
- RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
- Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
- Tool – Windows Executable Memory Page Delta Reporter
- Salesforce Security with Remote Working
- Tool Release – ScoutSuite 5.10
- Conference Talks – October 2020
- Tool Release – ICPin, an integrity-check and anti-debug detection pintool
- Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
- Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
- Online Casino Roulette – A guideline for penetration testers and security researchers
- Extending a Thinkst Canary to become an interactive honeypot
- StreamDivert: Relaying (specific) network connections
- Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
- Machine learning from idea to reality: a PowerShell case study
- Conference Talks – September 2020
- Whitepaper – Exploring the Security of KaiOS Mobile Applications
- Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
- Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
- Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
- Immortalising 20 Years of Epic Research
- Pairing over BLS12-381, Part 3: Pairing!
- Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
- NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
- Lights, Camera, HACKED! An insight into the world of popular IP Cameras
- Conference Talks – August 2020
- Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
- Tool Release: Sinking U-Boots with Depthcharge
- Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
- Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
- Pairing over BLS12-381, Part 2: Curves
- Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
- RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
- An offensive guide to the Authorization Code grant
- Technical Advisory – KwikTag Web Admin Authentication Bypass
- Pairing over BLS12-381, Part 1: Fields
- RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
- Experiments in Extending Thinkst Canary – Part 1
- Tool Release – ScoutSuite 5.9.0
- Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
- Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
- How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
- Tool: WStalker – an easy proxy to support Web API assessments
- Security Considerations of zk-SNARK Parameter Multi-Party Computation
- WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
- Tool Release – Socks Over RDP Now Works With Citrix
- Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
- Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
- Cyber Security of New Space Paper
- In-depth analysis of the new Team9 malware family
- Common Insecure Practices with Configuring and Extending Salesforce
- Exploring DeepFake Capabilities & Mitigation Strategies with University College London
- Game Security
- Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
- Research Report – Zephyr and MCUboot Security Assessment
- CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
- CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
- Using SharePoint as a Phishing Platform
- Public Report – Coda Cryptographic Review
- Shell Arithmetic Expansion and Evaluation Abuse
- CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
- Tool Release – Socks Over RDP
- Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
- CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
- Practical Machine Learning for Random (Filename) Detection
- Curve9767 and Fast Signature Verification
- CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
- The Extended AWS Security Ramp-Up Guide
- Code Patterns for API Authorization: Designing for Security
- Order Details Screens and PII
- How cryptography is used to monitor the spread of COVID-19
- Rise of the Sensors: Securing LoRaWAN Networks
- CVE-2019-1381 and CVE-2020-0859 – How Misleading Documentation Led to a Broken Patch for a Windows Arbitrary File Disclosure Vulnerability
- C Language Standards Update – Zero-size Reallocations are Undefined Behavior
- IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
- Exploring Verifiable Random Functions in Code
- Crave the Data: Statistics from 1,300 Phishing Campaigns
- Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
- Tool Release – ScoutSuite 5.8.0
- Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
- Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
- LDAPFragger: Bypassing network restrictions using LDAP attributes
- Threat Actors: exploiting the pandemic
- A Survey of Istio’s Network Security Features
- Conference Talks – March 2020
- Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
- Reviewing Verifiable Random Functions
- CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
- Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
- Improving Software Security through C Language Standards
- Whitepaper – A Tour of Curve 25519 in Erlang
- Deep Dive into Real-World Kubernetes Threats
- Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
- Interfaces.d to RCE
- Properly Signed Certificates on CPE Devices
- Conference Talks – February 2020
- Tool Release – Collaborator++
- Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
- Tool Release – Enumerating Docker Registries with go-pillage-registries
- Conference Talks – January 2020
- Passive Decryption of Ethereum Peer-to-Peer Traffic
- On Linux’s Random Number Generation
- Demystifying AWS’ AssumeRole and sts:ExternalId
- Welcome to the new NCC Group Global Research blog
- Getting Shell with XAMLX Files
- Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
- Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
- Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
- Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
- Chafer backdoor analysis
- Finding and Exploiting .NET Remoting over HTTP using Deserialisation
- Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
- Turla PNG Dropper is back
- RokRat Analysis
- Securing Google Cloud Platform – Ten best practices
- Celebrating NCC Con Europe 2018
- Securing Teradata Database
- CVE-2017-8570 RTF and the Sisfader RAT
- Emissary Panda – A potential new malicious tool
- SMB hash hijacking & user tracking in MS Outlook
- Testing HTTP/2 only web services
- Readable Thrift
- Introducing Azucar
- Decoding network data from a Gh0st RAT variant
- APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
- Spectre and Meltdown: What you Need to Know
- HIDDEN COBRA Volgmer: A Technical Analysis
- Kubernetes Security: Consider Your Threat Model
- Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
- Bypassing Android’s Network Security Configuration
- Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
- Cisco ASA series part seven: Checkheaps
- Cisco ASA series part six: Cisco ASA mempools
- Cisco ASA series part five: libptmalloc gdb plugin
- Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
- Decoder Improved Burp Suite plugin release part two
- Cisco ASA series part three: Debugging Cisco ASA firmware
- Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
- Cisco ASA series part one: Intro to the Cisco ASA
- EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
- Decoder Improved Burp Suite plugin release part one
- Poison Ivy string decryption
- Signaturing an Authenticode anomaly with Yara
- Analysing a recent Poison Ivy sample
- DeLux Edition: Getting root privileges on the eLux Thin Client OS
- UK government cyber security guidelines for connected & autonomous vehicles
- Smuggling HTA files in Internet Explorer/Edge
- Live Incident Blog: June Global Ransomware Outbreak
- A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
- Setting a New Standard for Kubernetes Deployments
- Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
- Fix Bounty
- SCOMplicated? – Decrypting SCOM “RunAs” credentials
- ISM RAT
- Compromising Apache Tomcat via JMX access
- Berserko: Kerberos Authentication for Burp Suite
- NCC CON Europe 2017
- iOS Instrumentation Without Jailbreak
- The Password is Dead, Long Live the Password!
- A Peek Behind the Great Firewall of Russia
- Avoiding Pitfalls Developing with Electron
- The CIS Security Standard for Docker available now
- An adventure in PoEKmon NeutriGo land
- The Automotive Threat Modeling Template
- Ransomware: How vulnerable is your system?
- Writing Exploits for Win32 Systems from Scratch
- Sakula: an adventure in DLL planting
- When a Trusted Site in Internet Explorer was Anything But
- GSM/GPRS Traffic Interception for Penetration Testing Engagements
- Adventures in Windows Driver Development: Part 1
- From CSV to CMD to qwerty
- Sysinternals SDelete: When Secure Delete Fails
- Breaking into Security Research at NCC Group
- Building WiMap the Wi-Fi Mapping Drone
- NCC Con Europe 2016
- Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
- Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
- Exploiting CVE-2014-0282
- Car Parking Apps Vulnerable To Hacks
- Drones: Detect, Identify, Intercept, and Hijack
- Introducing Chuckle and the Importance of SMB Signing
- Understanding Microsoft Word OLE Exploit Primitives
- Vehicle Emissions and Cyber Security
- Does TypeScript Offer Security Improvements Over JavaScript?
- Build Your Own Wi-Fi Mapping Drone Capability
- Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
- libtalloc: A GDB plugin for analysing the talloc heap
- Broadcasting your attack – DAB security
- Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
- Blind Return Oriented Programming
- Username enumeration techniques and their value
- Some Notes About the Xen XSA-122 Bug
- A Back-to-Front TrueCrypt Recovery Story: The Plaintext is the Ciphertext
- Xen SMEP (and SMAP) Bypass
- Exploiting Samba CVE-2015-0240 on Ubuntu 12.04 and Debian 7 32-bit
- Derusbi: A Case Study in Rapid Capability Development
- SMACK, SKIP-TLS & FREAK SSL/TLS Vulnerabilities
- Samba _netr_ServerPasswordSet Exploitability Analysis
- Adventures in Xen Exploitation
- Abusing Blu-ray Players Part 1 – Sandbox Escapes
- Violating the Virtual Channel – RDP Testing
- Windows Firewall Hook Enumeration
- DARPA OnStar Vulnerability Analysis
- Ghost Vulnerability (CVE-2015-0235)
- Analysis of setting cookies for third party websites in different browsers
- Intel® Software Guard Extensions (SGX): A Researcher’s Primer
- Launching the first in our series of Research Insights
- Tis the Season to Be…
- Analysis of the Linux backdoor used in freenode IRC network compromise
- Drupal Vulnerability
- The facts about BadUSB
- CloudWatch: Amazon Web Services & Shellshock
- Shellshock Bash Vulnerability
- Technical Advisory – Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability
- Understanding Ransomware
- A New Flying Kitten?
- Extracting the Payload from a CVE-2014-1761 RTF Document
- Writing Robust Yara Detection Rules for Heartbleed
- Whitepaper – XML Schema, DTD, and Entity Attacks: A Compendium of Known Techniques
- The Case of Missing File Extensions
- Apache Struts Vulnerability
- Logs, Logs, the Audit Trail – Features of a Successful Log Management Solution
- Heartbleed OpenSSL vulnerability
- Security of Things: An Implementer’s Guide to Cyber Security for Internet of Things Devices and Beyond
- Vulnerabilities Found In Geofencing Apps
- Introduction to Anti-Fuzzing: A Defence in Depth Aid
- Non Obvious PE Parsers – The .NET runtime – Part 1
- Windows DACLs & Why There Is Still Room for Interest
- Scenester – A Small Tool for Cross-Platform Web Application
- How To Spot a Penetration Tester in Your Network (and Catch the Real Bad Guys at the Same Time)
- Technical Advisory – IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks
- EasyDA – Easy Windows Domain Access Script
- ASP.NET Security and the Importance of KB2698981 in Cloud Environments Threat Brief
- Pip3line – The Swiss Army Knife of Byte Manipulation
- Content Security Policies and Popular CMS Systems
- Grepify – a Small Tool for Code Reviewers
- Visualising Firewall Rulesets – Simplifying Firewall Administration and Spotting the Pivot Point
- Spy-Pi: Do you trust your laptop docking stations?
- Advice for security decision makers contemplating the value of Antivirus
- The death of USB autorun and the rise of the USB keyboard
- Lessons learned from 50 USB bugs
- How Microsoft Office knows a document came from the Internet and might be dangerous
- Technical Advisory – HTC IQRD Android Permission Leakage
- Technical Advisory – libraptor – XXE in RDF/XML File Interpretation
- Whitepaper – A Heap of Trouble: Breaking the Linux Kernel SLOB Allocator
- Technical Advisory – VMware Tools Multiple Vulnerabilities
- Technical Advisory – Apple HFS+ Information Disclosure Vulnerability
- Technical Advisory – OpenOffice.org Multiple Memory Corruption Vulnerabilities
- Technical Advisory – Citrix Access Gateway Command Injection Vulnerability
- Technical Advisory – Linux RDS Protocol Local Privilege Escalation
- Technical Advisory – Coda Filesystem Kernel Memory Disclosure
- WebLogic Plugin HTTP Injection via Encoded URLs
- Multiple Cisco CSS / ACE Client Certificate and HTTP Header
- TANDBERG Video Communication Server Authentication Bypass
- TANDBERG Video Communication Server Static SSH Host Keys
- TANDBERG Video Communication Server Arbitrary File Retrieval
- Chrome Password Manager Cross Origin Weakness
- Whitepaper – Weaning the Web off of Session Cookies: Making Digest Authentication Viable
- Whitepaper – HTTP Digest Integrity: Another look, in light of recent attacks
- Research Paper – Recovering deleted data from the Windows registry
- Java Web Start File Inclusion via System Properties Override
- Multiple Format String Injections in AFFLIB
- Multiple Shell Metacharacter Injections in AFFLIB
- Multiple Buffer Overflows Discovered in AFFLIB
- PDF Form Filling and Flattening Tool Buffer Overflow
- WebSense content filter bypass when deployed in conjunction with Cisco filtering devices
- Remote Directory Traversal and File Retrieval
- Technical Advisory – IBM TAM: Remote Directory Traversal and File Retrieval via web server plug-in