Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902

CVE-2020-5902 was disclosed on July 1st, 2020 by F5 Networks in K52145254 as a CVSS 10.0 remote code execution vulnerability in the BIG-IP administrative interface (TMUI). This blog looks at the root causes of both of the exploit paths discovered, which boil down to subtle configuration issues and differences in behaviour between Apache httpd and Apache Tomcat when handling an uncommon URI element called matrix (or path) parameters.

Experiments in Extending Thinkst Canary – Part 1

The Thinkst Canary is best described as a digital tripwire for physical and virtual environments. It sits there waiting for a threat actor to tip you off that they are mooching around your environment. What is less appreciated, however, is that it is extensible with custom user modules. This post is the first in a series detailing our experiments in extending the product.

Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often

tl;dr: Today we've released a whitepaper on the key techniques that continue to enable us to breach the largest and most sophisticated organisations on the planet. Organisations that prioritise these areas, and the mitigations we outline, will thwart attacks while making threat actors work harder and ultimately fail more often.

Objective: The purpose of this …

Tool Release – ScoutSuite 5.8.0

Quick note to say we've released ScoutSuite 5.8.0 on GitHub with the following features:

- Improved support for AWS
  - Added support for KMS
  - Added basic support for Secrets Manager
  - Simplified evaluation of IAM policies in multiple rules
- Improved support for Azure
  - Added support for App Service Web Apps
  - Added support for Security Center Compliance Results
- Added …

EternalGlue part one: Rebuilding NotPetya to assess real-world resilience

tl;dr: we were engaged by a client back in June 2017 to rebuild NotPetya from scratch. However, instead of the data destruction payload, they asked for telemetry and safeguards. Why? Because they wanted to measure what the impact of NotPetya would have been. Below, you’ll find part one of the story… When you dodge a …

Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails

Phishing: the simple and effective blended attack

Phishing is a common and yet highly successful technique used by adversaries and red teams alike to breach organisations. Phishing is successful because it is a blended attack relying on end-users being convinced, tricked or otherwise persuaded into performing an action which benefits the attacker. The actions …

SMACK, SKIP-TLS & FREAK SSL/TLS Vulnerabilities

Previous current event

This is a current event and as such this blog post is subject to change over the course of the next couple of days as we perform further supplementary research and analysis.

1.0: Initial version.
1.1: Revised to include further vulnerable software, alpha signature and small clarifications.
1.2: Added additional analysis from NCC Group’s …