Ghidra nanoMIPS ISA module
Sifting through the spines: identifying (potential) Cactus ransomware victims
Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis
Non-Deterministic Nature of Prompt Injection
Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)
Public Report – Google Privacy Sandbox Aggregation Service and Coordinator
Android Malware Vultur Expands Its Wingspan
LTair: The LTE Air Interface Tool
The Development of a Telco Attack Testing Tool
Public Report – AWS Nitro System API & Security Claims Italian
Public Report – AWS Nitro System API & Security Claims French
Public Report – AWS Nitro System API & Security Claims Spanish
Public Report – AWS Nitro System API & Security Claims German
Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures
Puckungfu 2: Another NETGEAR WAN Command Injection
Public Report: Aleo snarkOS Implementation and Consensus Mechanism Review
Analyzing AI Application Threat Models
Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin
Memory Scanning for the Masses
Rust for Security and Correctness in the embedded world
Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise
Retro Gaming Vulnerability Research: Warcraft 2
Public Report – Security Review of RSA Blind Signatures with Public Metadata
Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
Public Report – Aleo snarkVM Implementation Review
Technical Advisory – Multiple Vulnerabilities in Nagios XI
NCC Group’s 2022 & 2023 Research Report
Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
Public Report – WhatsApp Auditable Key Directory (AKD) Implementation Review
Don’t throw a hissy fit; defend against Medusa
Demystifying Cobalt Strike’s “make_token” Command
Tool Release: Magisk Module – Conscrypt Trust User Certs
Post-exploiting a compromised etcd – Full control over the cluster and its nodes
D0nut encrypt me, I have a wife and no backups
Popping Blisters for research: An overview of past payloads and exploring recent developments
Technical Advisory: Insufficient Proxyman HelperTool XPC Validation
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families
Public Report – Zcash FROST Security Assessment
Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052)
Public Report – Caliptra Security Assessment
Introduction to AWS Attribute-Based Access Control
On Multiplications with Unsaturated Limbs
From ERMAC to Hook: Investigating the technical differences between two Android malware variants
Ruling the rules
HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack
Public Report – Entropy/Rust Cryptography Review
SIAM AG23: Algebraic Geometry with Friends
5G security – how to minimise the threats to a 5G network
Real World Cryptography Conference 2023 – Part II
Technical Advisory – SonicWall Global Management System (GMS) & Analytics – Multiple Critical Vulnerabilities
LeaPFRogging PFR Implementations
Dancing Offbit: The Story of a Single Character Typo that Broke a ChaCha-Based PRNG
Public Report – Penumbra Labs R1CS Implementation Review
Demystifying Multivariate Cryptography
Building Intuition for Lattice-Based Signatures – Part 2: Fiat-Shamir with Aborts
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
SysPWN – VR for Pwn2Own
Intel BIOS Advisory – Memory Corruption in HID Drivers
Building Intuition for Lattice-Based Signatures – Part 1: Trapdoor Signatures
Tool Release: Cartographer
Tool Release – ScoutSuite 5.13.0
Overview of Modern Memory Security Concerns
Technical Advisory – Nullsoft Scriptable Installer System (NSIS) – Insecure Temporary Directory Usage
Public Report – Zcash Zebra Security Assessment
Getting per-user Conditional Access MFA status in Azure
Exploiting Noisy Oracles with Bayesian Inference
New Sources of Microsoft Office Metadata – Tool Release MetadataPlus
Dynamic Linq Injection Remote Code Execution Vulnerability (CVE-2023-32571)
Defeating Windows DEP With A Custom ROP Chain
Machine Learning 104: Breaking AES With Power Side-Channels
A Brief Review of Bitcoin Locking Scripts and Ordinals
How to Spot and Prevent an Eclipse Attack
Eurocrypt 2023: Death of a KEM
Reverse Engineering Coin Hunt World’s Binary Protocol
Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)
Tool Release: Code Query (cq)
CowCloud
OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel
Tool Release: Code Credential Scanner (ccs)
Exploring Overfitting Risks in Large Language Models
The Paillier Cryptosystem with Applications to Threshold ECDSA
Rigging the Vote: Uniqueness in Verifiable Random Functions
Medical Devices: A Hardware Security Perspective
NETGEAR Routers: A Playground for Hackers?
Real World Cryptography Conference 2023 – Part I
Public Report – AWS Nitro System API & Security Claims
State of DNS Rebinding in 2023
Machine Learning 103: Exploring LLM Code Generation
HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
Public Report – Kubernetes 1.24 Security Audit
Public Report – Solana Program Library ZK-Token Security Assessment
Stepping Insyde System Management Mode
Breaking Pedersen Hashes in Practice
A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads
A Primer On Slowable Encoders
Threat Spotlight – Hydra
Rustproofing Linux (Part 4/4 Shared Memory)
Rustproofing Linux (Part 3/4 Integer Overflows)
Security Code Review With ChatGPT
Rustproofing Linux (Part 2/4 Race Conditions)
Readable Thrift
Building WiMap the Wi-Fi Mapping Drone
Fuzzing the Easy Way Using Zulu
Exploiting CVE-2014-0282
Exploiting CVE-2014-0282
Rustproofing Linux (Part 1/4 Leaking Addresses)
Machine Learning 102: Attacking Facial Authentication with Poisoned Data
Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
Using Semgrep with Jupyter Notebook files
Announcing NCC Group’s Cryptopals Guided Tour: Set 2
Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
Project Bishop: Clustering Web Pages
Puckungfu: A NETGEAR WAN Command Injection
MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
Machine Learning 101: The Integrity of Image (Mis)Classification?
Replicating CVEs with KLEE
Public Report – VPN by Google One Security Assessment
Public Report – Confidential Space Security Review
Exploring Prompt Injection Attacks
Impersonating Gamers With GPT-2
So long and thanks for all the 0day
A jq255 Elliptic Curve Specification, and a Retrospective
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Tool Release – Web3 Decoder Burp Suite Extension
Tales of Windows detection opportunities for an implant framework
Check out our new Microcorruption challenges!
Toner Deaf – Printing your next persistence (Hexacon 2022)
Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes
Public Report – IOV Labs powHSM Security Assessment
Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Detecting Mimikatz with Busylight
Whitepaper – Project Triforce: Run AFL On Everything (2017)
Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
A Guide to Improving Security Through Infrastructure-as-Code
Tool Release – ScoutSuite 5.12.0
Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
Tool Release – Monkey365
Sharkbot is back in Google Play
Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
Conference Talks – September/October 2022
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Writing FreeBSD Kernel Modules in Rust
NCC Con Europe 2022 – Pwn2Own Austin Presentations
Tool Release – JWT-Reauth
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
Top of the Pops: Three common ransomware entry techniques
NCC Group Research at Black Hat USA 2022 and DEF CON 30
Tool Release – insject: A Linux Namespace Injector
Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)
NIST Selects Post-Quantum Algorithms for Standardization
Climbing Mount Everest: Black-Byte Bytes Back?
Five Essential Machine Learning Security Papers
Whitepaper – Practical Attacks on Machine Learning Systems
Flubot: the evolution of a notorious Android Banking Malware
A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented
Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link
Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
Public Report – Threshold ECDSA Cryptography Review
Exception Handling and Data Integrity in Salesforce
Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
Shining the Light on Black Basta
Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program
Conference Talks – June 2022
Hardware Security By Design: ESP32 Guidance
Public Report – Lantern and Replica Security Assessment
NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard
Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection ( CVE-2022-31794 and CVE-2022-31795)
Public Report – go-cose Security Assessment
Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)
Metastealer – filling the Racoon void
earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
Tool Release – Ghostrings
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
Adventures in the land of BumbleBee – a new malicious loader
LAPSUS$: Recent techniques, tactics and procedures
Real World Cryptography Conference 2022
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
Public Report – Google Enterprise API Security Assessment
Conti-nuation: methods and techniques observed in operations post the leaks
Whitepaper – Double Fetch Vulnerabilities in C and C++
Mining data from Cobalt Strike beacons
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
Tool Release – ScoutSuite 5.11.0
Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
Microsoft announces the WMIC command is being retired, Long Live PowerShell
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
Estimating the Bit Security of Pairing-Friendly Curves
Detecting anomalous Vectored Exception Handlers on Windows
BrokenPrint: A Netgear stack overflow
Conference Talks – March 2022
Hardware & Embedded Systems: A little early effort in security can return a huge payoff
Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5 Attacks vs the CIS Microsoft 365 Foundation Benchmark
Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
Detecting Karakurt – an extortion focused threat actor
BAT: a Fast and Small Key Encapsulation Mechanism
Testing Infrastructure-as-Code Using Dynamic Tooling
Machine Learning for Static Analysis of Malware – Expansion of Research Scope
10 real-world stories of how we’ve compromised CI/CD pipelines
NCC Group’s 2021 Annual Research Report
On the malicious use of large language models like GPT-3
Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs
Tool Update – ruby-trace: A Low-Level Tracer for Ruby
Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)
Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers
FPGAs: Security Through Obscurity?
Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
Log4Shell: Reconnaissance and post exploitation network detection
Announcing NCC Group’s Cryptopals Guided Tour!
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
Why IoT Security Matters
Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
Tracking a P2P network related to TA505
Conference Talks – December 2021
Public Report – Zendoo Proof Verifier Cryptography Review
An Illustrated Guide to Elliptic Curve Cryptography Validation
Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
“We wait, because we know you.” Inside the ransomware negotiation economics.
Detection Engineering for Kubernetes clusters
Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
Public Report – Zcash NU5 Cryptography Review
The Next C Language Standard (C23)
Conference Talks – November 2021
Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
Cracking RDP NLA Supplied Credentials for Threat Intelligence
Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
NCC Group placed first in global 5G Cyber Security Hack competition
Paradoxical Compression with Verifiable Delay Functions
A Look At Some Real-World Obfuscation Techniques
SnapMC skips ransomware, steals data
The Challenges of Fuzzing 5G Protocols
Reverse engineering and decrypting CyberArk vault credential files
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Assessing the security and privacy of Vaccine Passports
Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)
Conference Talks – October 2021
Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
Detecting and Hunting for the PetitPotam NTLM Relay Attack
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
NSA & CISA Kubernetes Security Guidance – A Critical Review
Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Conference Talks – September 2021
The ABCs of NFC chip security
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
Disabling Office Macros to Reduce Malware Infections
Some Musings on Common (eBPF) Linux Tracing Bugs
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Practical Considerations of Right-to-Repair Legislation
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)
Detecting and Hunting for the Malicious NetFilter Driver
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
NCC Group Research at Black Hat USA 2021 and DEF CON 29
Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
Software-Based Fault Injection Countermeasures (Part 2/3)
An Introduction to Fault Injection (Part 1/3)
Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Tool Release – Reliably-checked String Library Binding
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
Exploit mitigations: keeping up with evolving and complex software/hardware
NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use Against Security Researchers
Handy guide to a new Fivehands ransomware variant
On the Use of Pedersen Commitments for Confidential Payments
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
Testing Two-Factor Authentication
Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
Research Paper – Machine Learning for Static Malware Analysis, with University College London
Conference Talks – June 2021
Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
iOS User Enrollment and Trusted Certificates
Detecting Rclone – An Effective Tool for Exfiltration
Supply Chain Security Begins with Secure Software Development
Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
Public Report – Dell Secured Component Verification
RM3 – Curiosities of the wildest banking malware
Conference Talks – May 2021
A Census of Deployed Pulse Connect Secure (PCS) Versions
NCC Group’s Upcoming Trainings at Black Hat USA 2021
Public Report – VPN by Google One: Technical Security & Privacy Assessment
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Tool Release – Principal Mapper v1.1.0 Update
SAML XML Injection
The Future of C Code Review
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Tool Release – Solitude: A privacy analysis tool
Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
Lending a hand to the community – Covenant v0.7 Updates
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
Cryptopals: Exploiting CBC Padding Oracles
Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
NCC Group’s 2020 Annual Research Report
Conference Talks – February/March 2021
Software Verification and Analysis Using Z3
Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
Real World Cryptography Conference 2021: A Virtual Experience
RIFT: Analysing a Lazarus Shellcode Execution Method
MSSQL Lateral Movement
Public Report – BLST Cryptographic Implementation Review
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
Building an RDP Credential Catcher for Threat Intelligence
Double-odd Elliptic Curves
Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
Domestic IoT Nightmares: Smart Doorbells
Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
Tool Release – Carnivore: Microsoft External Assessment Tool
Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
Conference Talks – December 2020
TA505: A Brief History Of Their Time
Decrypting OpenSSH sessions for fun and profit
Past, Present and Future of Effective C
Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
Technical Advisory: Command Injection
Conference Talks – November 2020
Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
Tool – Windows Executable Memory Page Delta Reporter
Salesforce Security with Remote Working
Tool Release – ScoutSuite 5.10
Conference Talks – October 2020
Tool Release – ICPin, an integrity-check and anti-debug detection pintool
Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Online Casino Roulette – A guideline for penetration testers and security researchers
Extending a Thinkst Canary to become an interactive honeypot
StreamDivert: Relaying (specific) network connections
Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
Machine learning from idea to reality: a PowerShell case study
Conference Talks – September 2020
Whitepaper – Exploring the Security of KaiOS Mobile Applications
Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
Immortalising 20 Years of Epic Research
Pairing over BLS12-381, Part 3: Pairing!
Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Conference Talks – August 2020
Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
Tool Release: Sinking U-Boots with Depthcharge
Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
Pairing over BLS12-381, Part 2: Curves
Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
An offensive guide to the Authorization Code grant
Technical Advisory – KwikTag Web Admin Authentication Bypass
Pairing over BLS12-381, Part 1: Fields
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
Experiments in Extending Thinkst Canary – Part 1
Tool Release – ScoutSuite 5.9.0
Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
Tool: WStalker – an easy proxy to support Web API assessments
Security Considerations of zk-SNARK Parameter Multi-Party Computation
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Tool Release – Socks Over RDP Now Works With Citrix
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
Cyber Security of New Space Paper
In-depth analysis of the new Team9 malware family
Common Insecure Practices with Configuring and Extending Salesforce
Dangers of Kubernetes IAM Integrations
Exploring DeepFake Capabilities & Mitigation Strategies with University College London
Game Security
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
Research Report – Zephyr and MCUboot Security Assessment
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
Using SharePoint as a Phishing Platform
Public Report – Coda Cryptographic Review
Shell Arithmetic Expansion and Evaluation Abuse
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
Tool Release – Socks Over RDP
Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
Practical Machine Learning for Random (Filename) Detection
Curve9767 and Fast Signature Verification
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The Extended AWS Security Ramp-Up Guide
Code Patterns for API Authorization: Designing for Security
Order Details Screens and PII
How cryptography is used to monitor the spread of COVID-19
Rise of the Sensors: Securing LoRaWAN Networks
C Language Standards Update – Zero-size Reallocations are Undefined Behavior
IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
Exploring Verifiable Random Functions in Code
Crave the Data: Statistics from 1,300 Phishing Campaigns
Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
Tool Release – ScoutSuite 5.8.0
Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
LDAPFragger: Bypassing network restrictions using LDAP attributes
Threat Actors: exploiting the pandemic
A Survey of Istio’s Network Security Features
Conference Talks – March 2020
Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
Reviewing Verifiable Random Functions
CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
Improving Software Security through C Language Standards
Whitepaper – A Tour of Curve 25519 in Erlang
Deep Dive into Real-World Kubernetes Threats
Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
Interfaces.d to RCE
Properly Signed Certificates on CPE Devices
Conference Talks – February 2020
Tool Release – Collaborator++
Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
Tool Release – Enumerating Docker Registries with go-pillage-registries
Conference Talks – January 2020
Passive Decryption of Ethereum Peer-to-Peer Traffic
On Linux’s Random Number Generation
Demystifying AWS’ AssumeRole and sts:ExternalId
Welcome to the new NCC Group Global Research blog
Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients
Security impact of IoT on the Enterprise
Secure Device Provisioning Best Practices: Heavy Truck Edition
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service
Padding the struct: How a compiler optimization can disclose stack memory
Embedded Device Security Certifications
An Introduction to Ultrasound Security Research
PhanTap (Phantom Tap): Making networks spookier one packet at a time
An Introduction to Quantum Computing for Security Professionals
Sniffle: A Sniffer for Bluetooth 5
Compromising a Hospital Network for £118 (Plus Postage & Packaging)
Getting Shell with XAMLX Files
Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow
Technical Advisory: Unauthenticated SQL Injection in Lansweeper
Jenkins Plugins and Core Technical Summary Advisory
Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
Technical Advisory: Multiple Vulnerabilities in Brother Printers
Technical Advisory: Multiple Vulnerabilities in Xerox Printers
Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
Technical Advisory: Multiple Vulnerabilities in HP Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation
Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability
The Sorry State of Aftermarket Head Unit Security
Cyber Security in UK Agriculture
NCC Group Connected Health Whitepaper July 2019
Story of a Hundred Vulnerable Jenkins Plugins
Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Technical Advisory: Multiple Vulnerabilities in SmarterMail
Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
Chafer backdoor analysis
Finding and Exploiting .NET Remoting over HTTP using Deserialisation
Technical Advisory: Multiple Vulnerabilities in MailEnable
Assessing Unikernel Security
Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Zcash Overwinter Consensus and Sapling Cryptography Review
Xendbg: A Full-Featured Debugger for the Xen Hypervisor
Use of Deserialisation in .NET Framework Methods and Classes
Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
Nine years of bugs at NCC Group
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
Third party assurance
Turla PNG Dropper is back
Public cloud
Android Cloud Backup/Restore
Spectre on a Television
RokRat Analysis
Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
Technical Advisory: Authentication Bypass in libSSH
Securing Google Cloud Platform – Ten best practices
Public Report – Android Cloud Backup/Restore
Much Ado About Hardware Implants
NCC Group’s Exploit Development Capability: Why and What
Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
Improving Your Embedded Linux Security Posture With Yocto
How I did not get a shell
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
Singularity of Origin
Proxy Re-Encryption Protocol: IronCore Public Report
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Jackson Deserialization Vulnerabilities
Celebrating NCC Con Europe 2018
The disadvantages of a blacklist-based approach to input validation
Securing Teradata Database
Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Ethics in Security Testing
Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
Sobelow Update
House
Principal Mapper (pmapper)
Return of the hidden number problem
Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries
CVE-2017-8570 RTF and the Sisfader RAT
Mallory: Transparent TCP and UDP Proxy
Mallory and Me: Setting up a Mobile Mallory Gateway
CyberVillainsCA
DECTbeacon
Fuzzbox
Gizmo
HTTP Profiler
Intent Sniffer
Intent Fuzzer
iSEC Partners Releases SSLyze
Jailbreak
Manifest Explorer
Package Play
ProxMon
pySimReader
SAML Pummel
SecureBigIP
SecureCisco
SecureCookies
SecureIE.ActiveX
WebRATS
AWS Inventory: A tool for mapping AWS resources
Extractor
CMakerer: A small tool to aid CLion’s indexing
Emissary Panda – A potential new malicious tool
SMB hash hijacking & user tracking in MS Outlook
Testing HTTP/2 only web services
Windows IPC Fuzzing Tools
WSBang
WSMap
Nerve
Ragweed
File Fuzzers
Kivlad
Android SSL Bypass
Hiccupy
iOS SSL Killswitch
The SSL Conservatory
TLSPretense — SSL/TLS Client Testing Framework
tcpprox
YoNTMA
Tattler
PeachFarmer
Android-KillPermAndSigChecks
Android-OpenDebug
Android-SSL-TrustKiller
Introspy for Android
RtspFuzzer
SSLyze v0.8
NCLoader
IG Learner Walkthrough
Forensic Fuzzing Tools
Security First Umbrella
Autochrome
WSSiP: A Websocket Manipulation Proxy
AssetHook
Call Map: A Tool for Navigating Call Graphs in Python
Sobelow: Static analysis for the Phoenix Framework
G-Scout
Decoder Improved Burp Suite Plugin
Python Class Informer: an IDAPython plugin for viewing run-time type information (RTTI)
AutoRepeater: Automated HTTP Request Repeating With Burp Suite
TPM Genie
Open Banking: Security considerations & potential risks
scenester
port-scan-automation
Windows DACL Enum Project
umap
Shocker
Zulu
whitebox
vlan-hopping
tybocer
xcavator
WindowsJobLock
Azucar
Introducing Azucar
Readable Thrift
Decoding network data from a Gh0st RAT variant
Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
Discovering Smart Contract Vulnerabilities with GOATCasino
BLEBoy
APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products
Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector
Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin
Spectre and Meltdown: What you Need to Know
The economics of defensive security
HIDDEN COBRA Volgmer: A Technical Analysis
Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?
Kubernetes Security: Consider Your Threat Model
Mobile & web browser credential management: Security implications, attack cases & mitigations
SOC maturity & capability
Automated Reverse Engineering of Relationships Between Data Structures in C++ Binaries
Pointer Sequence Reverser (PSR)
Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
Bypassing Android’s Network Security Configuration
Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
Cisco ASA series part seven: Checkheaps
Adversarial Machine Learning: Approaches & defences
eBook: Breach notification under GDPR – How to communicate a personal data breach
Cisco ASA series part six: Cisco ASA mempools
The Update Framework (TUF) Security Assessment
Cisco ASA series part five: libptmalloc gdb plugin
Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
Decoder Improved Burp Suite plugin release part two
Cisco ASA series part three: Debugging Cisco ASA firmware
Managing PowerShell in a modern corporate environment
Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
Cisco ASA series part one: Intro to the Cisco ASA
EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
Technical Advisory: Authentication rule bypass
Technical Advisory – play-pac4j Authentication rule bypass
Decoder Improved Burp Suite plugin release part one
Technical advisory: Remote shell commands execution in ttyd
Poison Ivy string decryption
Securing the continuous integration process
Signaturing an Authenticode anomaly with Yara
Analysing a recent Poison Ivy sample
Endpoint connectivity
DeLux Edition: Getting root privileges on the eLux Thin Client OS
UK government cyber security guidelines for connected & autonomous vehicles
Smuggling HTA files in Internet Explorer/Edge
Database Security Brief: The Oracle Critical Patch Update for April 2007
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Data-mining with SQL Injection and Inference
The Pharming Guide – Understanding and preventing DNS related attacks by phishers
Weak Randomness Part I – Linear Congruential Random Number Generators
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
Blind Exploitation of Stack Overflow Vulnerabilities
Slotting Security into Corporate Development
Creating Arbitrary Shellcode In Unicode Expanded Strings
Violating Database – Enforced Security Mechanisms
Hacking the Extensible Firmware Interface
Advanced Exploitation of Oracle PL/SQL Flaws
Firmware Rootkits: The Threat to the Enterprise
Database Security: A Christmas Carol
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
Non-flood/non-volumetric Distributed Denial of Service (DDoS)
VoIP Security Methodology and Results
E-mail Spoofing and CDONTS.NEWMAIL
Dangling Cursor Snarfing: A New Class of Attack in Oracle
Database Servers on Windows XP and the unintended consequences of simple file sharing
DNS Pinning and Web Proxies
Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers
Which database is more secure? Oracle vs. Microsoft
Variations in Exploit methods between Linux and Windows
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things
Live Incident Blog: June Global Ransomware Outbreak
Beyond data loss prevention
How to protect yourself & your organisation from phishing attacks
Rise of the machines: Machine Learning & its cyber security applications
Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)
A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
Latest threats to the connected car & intelligent transport ecosystem
Network Attached Security: Attacking a Synology NAS
Accessing Private Fields Outside of Classes in Java
Understanding the insider threat & how to mitigate it
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems
Setting a New Standard for Kubernetes Deployments
Encryption at rest: Not the panacea to data protection
Applying normalised compression distance for architecture classification
Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
Fix Bounty
Unauthenticated XML eXternal Entity (XXE) vulnerability
General Data Protection Regulation: Knowing your data
Technical Advisory: Shell Injection in MacVim mvim URI Handler
Technical Advisory: Shell Injection in SourceTree
SCOMplicated? – Decrypting SCOM “RunAs” credentials
Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance
ISM RAT
Mergers & Acquisitions (M&A) cyber security due diligence
Advisory-CraigSBlackie-CVE-2016-9795
Best practices with BYOD
Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials
Compromising Apache Tomcat via JMX access
Berserko: Kerberos Authentication for Burp Suite
Java RMI Registry.bind() Unvalidated Deserialization
NCC CON Europe 2017
Understanding cyber risk management vs uncertainty with confidence in 2017
iOS MobileSlideShow USB Image Class arbitrary code execution.txt
Denial of Service in Parsing a URL by ierutil.dll
U plug, we play
SSL checklist for pentesters
Dissecting social engineering attacks
External Enumeration and Exploitation of Email and Web Security Solutions
Social Engineering
Phishing Stories
Automating extraction from malware and recent campaign analysis
DDoS Common Approaches and Failings
Absolute Security
How much training should staff have on cyber security?
USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems
Cyber Essentials Scheme
Webinar – PCI Version 3.0: Are you ready?
Webinar: 4 Secrets to a Robust Incident Response Plan
Cloud Security Presentation
Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions
Memory Gap
44Con2013Game
creep-web-app-scanner
ncccodenavi
Pip3line
typofinder
DIBF – Updated
IODIDE
CECSTeR
cisco-SNMP-enumeration
dotnetpaddingoracle
dotnetpefuzzing
easyda
EDIDFuzzer
Fat-Finger
firstexecution
grepify
FrisbeeLite
State-of-the-art email risk
Ransomware: what organisations can do to survive
hostresolver
lapith
metasploitavevasion
Maritime Cyber Security: Threats and Opportunities
IP-reputation-snort-rule-generator
The L4m3ne55 of Passw0rds: Notes from the field
Mature Security Testing Framework
Exporting non-exportable RSA keys
Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
The role of security research in improving cyber security
Self-Driving Cars- The future is now…
They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces
Mobile apps and security by design
The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning
USB Undermining Security Barriers:further adventures with USB
Software Security Austerity Security Debt in Modern Software Development
RSA Conference – Mobile Threat War Room
Finding the weak link in binaries
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms
Harnessing GPUs Building Better Browser Based Botnets
The Browser Hacker’s Handbook
SQL Server Security
The Database Hacker’s Handbook
Social Engineering Penetration Testing
Public Report – Matrix Olm Cryptographic Review
Research Insights Volume 8 – Hardware Design: FPGA Security Risks
Zcash Cryptography and Code Review
Optimum Routers: Researching Managed Routers
Peeling back the layers on defence in depth…knowing your onions
End-of-life pragmatism
iOS Instrumentation Without Jailbreak
The Password is Dead, Long Live the Password!
Microsoft Office Memory Corruption Vulnerability
Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Elephant in the Boardroom Survey 2016
A Peek Behind the Great Firewall of Russia
Avoiding Pitfalls Developing with Electron
Flash local-with-filesystem Bypass in navigateToURL
D-Link routers vulnerable to Remote Code Execution (RCE)
iOS Application Security: The Definitive Guide for Hackers and Developers
The Mobile Application Hacker’s Handbook
Research Insights Volume 9 – Modern Security Vulnerability Discovery
Post-quantum cryptography overview
The CIS Security Standard for Docker available now
An adventure in PoEKmon NeutriGo land
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition
How will GDPR impact your communications?
Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Multiple security vulnerabilities in SAP NetWeaver BSP Logon
The Automotive Threat Modeling Template
My name is Matt – My voice is my password
Ransomware: How vulnerable is your system?
NCC Group WhitepaperUnderstanding and HardeningLinux ContainersJune 29, 2016 – Version 1.1
My Hash is My Passport: Understanding Web and Mobile Authentication
Project Triforce: Run AFL on Everything!
Writing Exploits for Win32 Systems from Scratch
How to Backdoor Diffie-Hellman
Local network compromise despite good patching
Sakula: an adventure in DLL planting
When a Trusted Site in Internet Explorer was Anything But
GSM/GPRS Traffic Interception for Penetration Testing Engagements
An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an Oracle
Creating a Safer OAuth User Experience
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Aurora Response Recommendations
Blind Security Testing – An Evolutionary Approach
Building Security In: Software Penetration Testing
Cleaning Up After Cookies
Command Injection in XML Signatures and Encryption
Common Flaws of Distributed Identity and Authentication Systems
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Developing Secure Mobile Applications for Android
Exposing Vulnerabilities in Media Software
Hunting SQL Injection Bugs
IAX Voice Over-IP Security
ProxMon: Automating Web Application Penetration Testing
iSEC’s Analysis of Microsoft’s SDL and its ROI
Secure Application Development on Facebook
Secure Session Management With Cookies for Web Applications
Security Compliance as an Engineering Discipline
Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
Exploiting Rich Content
HTML5 Security The Modern Web Browser Perspective
An Introduction to Authenticated Encryption
Attacks on SSL
Content Security Policies Best Practices
Windows Phone 7 Application Security Survey
Browser Extension Password Managers
Introducing idb-Simplified Blackbox iOS App Pentesting
Login Service Security
The factoring dead: Preparing for the cryptopocalypse
Auditing Enterprise Class Applications and Secure Containers on Android
Early CCS Attack Analysis
Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver URSA
Perfect Forward Security
Internet of Things Security
Secure Messaging for Normal People
Understanding and Hardening Linux Containers
Adventures in Windows Driver Development: Part 1
Private sector cyber resilience and the role of data diodes
From CSV to CMD to qwerty
General Data Protection Regulation – are you ready?
Business Insights: Cyber Security in the Financial Sector
The Importance of a Cryptographic Review
osquery Application Security Assessment Public Report
Sysinternals SDelete: When Secure Delete Fails
Ricochet Security Assessment Public Report
Breaking into Security Research at NCC Group
Building Systems from Commercial Components
Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices
Secure Coding in C and C++
CERT Oracle Secure Coding Standard for Java
CERT C Secure Coding Standard
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code
Secure Coding in C and C++, 2nd Edition
The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems
Secure Coding Rules for Java LiveLessons, Part 1
Hacking Displays Made Interesting
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols
44CON Workshop – How to assess and secure iOS apps
Payment Card Industry Data Security Standard (PCI DSS) A Navigation and Explanation of Changes from v2.0 to v3.0
Mobile World Congress – Mobile Internet of Things
Practical SME security on a shoestring
BlackHat Asia USB Physical Access
How we breach network infrastructures and protect them
Hacking a web application
Batten down the hatches: Cyber threats facing DP operations
Threats and vulnerabilities within the Maritime and shipping sectors
Distributed Ledger (Blockchain) Security and Quantum Computing Implications
Building WiMap the Wi-Fi Mapping Drone
Abusing Privileged and Unprivileged Linux Containers
A few notes on usefully exploiting libstagefright on Android 5.x
NCC Con Europe 2016
Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
Car Parking Apps Vulnerable To Hacks
eBook – Do you know how your organisation would react in a real-world attack scenario?
Erlang Security 101
SysAid Helpdesk blind SQL injection
SysAid Helpdesk stored XSS
Virtual Access Monitor Multiple SQL Injection Vulnerabilities
Whatsupgold Premium Directory traversal
Windows remote desktop memory corruptoin leading to RCE on XPSP3
Windows USB RNDIS driver kernel pool overflow
Drones: Detect, Identify, Intercept, and Hijack
Introducing Chuckle and the Importance of SMB Signing
Threat Intelligence: Benefits for the Enterprise
Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle
Secure Device Manufacturing: Supply Chain Security Resilience
eBook – Planning a robust incident response process
HDMI Ethernet Channel
Advanced SQL Injection in SQL Server Applications
USB keyboards by post – use of embedded keystroke injectors to bypass autorun restrictions on modern desktop operating systems
ASP.NET Security and the Importance of KB2698981 in Cloud Environments
Xen HYPERVISOR_xen_version stack memory revelation
Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
SysAid Helpdesk Pro – Blind SQL Injection
Symantec Messaging Gateway SSH with backdoor user account + privilege escalation to root due to very old Kernel
Symantec Messaging Gateway Out of band stored XSS delivered by email
Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for example)
Symantec Messaging Gateway Arbitrary file download is possible with a crafted URL (authenticated)
Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports
Symantec Backup Exec 2012 – OS version and service pack information leak
Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs
Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Squiz CMS File Path Traversal
Solaris 11 USB Hub Class descriptor kernel stack overflow
SmarterMail – Stored XSS in emails
Remote code execution in ImpressPages CMS
OS X 10.6.6 Camera Raw Library Memory Corruption
Oracle Java Installer Adds a System Path Which is Writable by All
Oracle Hyperion 11 Directory Traversal
Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
Nessus Authenticated Scan – Local Privilege Escalation
NCC Group Malware Technical Note
Nagios XI Network Monitor – Stored and Reflective XSS
Multiple Vulnerabilities in MailEnable
Microsoft Internet Explorer CMarkup Use-After-Free
McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators
McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI
iOS 7 arbitrary code execution in kernel mode
Understanding Microsoft Word OLE Exploit Primitives
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817
Vehicle Emissions and Cyber Security
Research Insights Volume 6: Common Issues with Environment Breakouts
Does TypeScript Offer Security Improvements Over JavaScript?
Common Security Issues in Financially-Oriented Web Applications
Research Insights Volume 3 – How are we breaking in: Mobile Security
Build Your Own Wi-Fi Mapping Drone Capability
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
Password and brute-force mitigation policies
Understanding Ransomware: Impact, Evolution and Defensive Strategies
libtalloc: A GDB plugin for analysing the talloc heap
Lumension Device Control (formerly Sanctuary) remote memory corruption
LibAVCodec AMV Out of Array Write
Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass
Flash security restrictions bypass: File upload by URLRequest
Immunity Debugger Buffer Overflow
DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Cups-filters remote code execution
Critical Risk Vulnerability in SAP Message Server (Heap Overflow)
Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)
Cisco VPN Client Privilege Escalation
Cisco IPSec VPN Implementation Group Name Enumeration
Blue Coat BCAAA Remote Code Execution Vulnerability
Adam Roberts
Anthony Ferrillo
Aaron Greetham
Aaron Haymore
Akshat Joshi
Alberto Verza
Aleksandar Kircanski
Alessandro Fanio Gonzalez
Alessandro Fanio González
Alex Plaskett
Alex Zaviyalov
Alvaro Martin Fraguas
Álvaro Martín Fraguas
Andrea Shirley-Bellande
Drew Wade
Andy Davis
Andy Grant
Antonis Terefos
anvesh3752
Alexander Smye
aschmitz
Austin Peavy
Ava Howell
Andrew Whistlecroft
balazs.bucsay
Nicolas Bidron
NCC Group Physical Breach Team
Rich Warren
Caleb Watt
Clinton Carpene
Cedric Halbronn
chrisanley
Christo Butcher
christopherjamesbury
Clayton Lowell
Clint Gibler
cnevncc
Corey Arthur
Christian Powills
Craig Blackie
Catalin Visinescu
Ken Wolstencroft
Damon Small
Dan Hastings
Dan Palmer
Dave G.
David Tulis
David Cash
Daniele Costa
destoken
Diana Dragusin
Diego Gomez Maranon
Diego Gómez Marañon
Domen Puncer Kugler
Daniel Romero
Deni
David Young
Edward Torkington
Exploit Development Group
Elena Bakos Lang
Eli Sohl
epliuncc
Erik Schamper
Erik Steringer
Eric Schorn
Eva Esteban Molina
Fernando Gallego
Aaron Adams
Gavin Cotter (Temp)
Gerald Doussot
Gérald Doussot
Giacomo Pope
Global Threat Intelligence
Guy Morley
William Handy
Liew hock lai
Hollie Mowatt
Heather Overcash
Rob Wood
Iain Smart
Izzy Whistlecroft
Jacob Heath
Jameson Hyde
Phillip Langlois and Edward Torkington
Jashan Benawra
Jason Kielpinski
Javed Samuel
James Chambers
Jelle Vergeer
Jennifer Reed
Jeremy Boone
Jerome Smith
Jesus Calderon Marin
Jesús Calderón Marín
Jay Houppermans
Jack Leadford
Joshua Makinen
jmrcsnchz
John Redford
Joost Jansen
Joshua Dow
Joshua Kamp
Jose Selvi
Kenneth Yu
Kat Sommer
Katarina Dabler
Ben Lister
Krijn de Mik
Lars Behrens
Lawrence Munro
Liam Glanfield
Liam Stevenson
Liyun Li
Lucas Rosevear
Luis Toro Puig
Luke Paris
Matt Lewis
Manuel Gines
Margit Hazenbroek
Marie-Sarah Lacharite
Mario Rivas
NCC Group & Fox-IT Data Science Team
Max Groot
McCaulay Hudson
Michael Gough
Mick Koomen
Mostafa Hassan
Matthew Pettitt
Frank Gifford
Michelle Simpson
Neil Bergman
NCC Group
NCC Group Publication Archive
Bill Marquette
Daniel Lopezjimenez
nccdavid
Dan Helton
RIFT: Research and Intelligence Fusion Team
R.Rivera
NCC Group Red Team
Ilya Zhuravlev
Jennifer Fernick
ncckai
Lewis Lockwood
Jon Szymaniak
Mark Manning
Mark Tedman
Michael Sandee
Simon Palmer
nccricardomr
Stefano Antenucci
Simone Salucci and Daniel Lopez Jimenez
Samuel Siu
Tanner Prynn
Yun Zheng Hu
Stephen Tomkinson
Nicolas Guigo
Nick Galloway
Nick Muir
Nick Dunn
Nick Sirris
Nikolaos Pantazopoulos
Oliver Brooks
Ollie Whitehouse
Ollie Wen
Parnian Alimi
Paul Bottinelli
Peter Scopes
Peter Hannay
philipmarsdennccgroupcom
pqueenncc
Philipp Schaefer
qkchambers
Rory McCune
Ralph Andalis
Rami McCarthy
Ray Lai
Robert C. Seacord
Rennie deGraaf
Chris Nevin
Richard Appleby
Rick Veldhoven
Fumik0_
Rindert Kramer
Rob Ince
robertgrimes123
Robert Wessen
Ross Bradley
Robert Schwass
ruud-fox-it
sampeate
Roger Meyer
schlopeckincc
scottleitch53e8989cc3
Siddarth Adukia
Sam Leonard (they/them)
smarkelon
Spencer Michaels
sean.morland@nccgroup.com
Sander de Jong
Steven van der Baan
Stuart Kurutac
Subscriber Test
Sultan Khan
Swathi Nagarajan
Simon Watson
Jeff Dileo
Thomas Marshall
Ivan Reedman
Thomas Pornin
Viktor Gazdag
Vishtasp Jokhi
Wouter Jansen
William Groesbeck
whoughtonncc
wolawola123
Wordpress SSO Test
Xavier Cervilla
Xavier Garceau-Aranda
Ken Gannon
Kevin Henry
5G Security & Smart Environments
Academic Partnership
Annual Research Report
Asia Pacific Research
Awards & Recognition
Blockchain
Books
Business Insights
Cloud & Containerization
Cloud Security
Conferences
Corporate
Cryptography
CTFs/Microcorruption
Current events
Cyber as a Science
Cyber Security
Detection and Threat Hunting
Digital Forensics and Incident Response (DFIR)
Disclosure Policy
Emerging Technologies
Engineering
Fox-IT
Fox-IT and European Research
Gaming & Media
Hardware & Embedded Systems
Intern Projects
iSec Partners
Machine Learning
Managed Detection & Response
Misinformation, Deepfakes, & Synthetic Media
North American Research
Offensive Security & Artificial Intelligence
Offensive Security & Artificial Intelligence
Patch notifications
Presentations
protocol_name
Public interest technology
Public interest technology
Public Reports
Public tools
Reducing Vulnerabilities at Scale
Research
Research Paper
Resources
Reverse Engineering
Risk Management & Governance
Standards
Technical advisories
Technology Policy
Threat briefs
Threat Intelligence
Tool Release
Transport
Tutorial/Study Guide
UK Research
Uncategorized
Virtualization, Emulation, & Containerization
VSR
Vulnerability
Vulnerability Research
Whitepapers

Enter a search term

Ghidra nanoMIPS ISA module
Sifting through the spines: identifying (potential) Cactus ransomware victims
Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis
Non-Deterministic Nature of Prompt Injection
Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)
Public Report – Google Privacy Sandbox Aggregation Service and Coordinator
Android Malware Vultur Expands Its Wingspan
LTair: The LTE Air Interface Tool
The Development of a Telco Attack Testing Tool
Public Report – AWS Nitro System API & Security Claims Italian
Public Report – AWS Nitro System API & Security Claims French
Public Report – AWS Nitro System API & Security Claims Spanish
Public Report – AWS Nitro System API & Security Claims German
Unmasking Lorenz Ransomware: A Dive into Recent Tactics, Techniques and Procedures
Puckungfu 2: Another NETGEAR WAN Command Injection
Public Report: Aleo snarkOS Implementation and Consensus Mechanism Review
Analyzing AI Application Threat Models
Ivanti Zero Day – Threat Actors observed leveraging CVE-2021-42278 and CVE-2021-42287 for quick privilege escalation to Domain Admin
Memory Scanning for the Masses
Rust for Security and Correctness in the embedded world
Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise
Retro Gaming Vulnerability Research: Warcraft 2
Public Report – Security Review of RSA Blind Signatures with Public Metadata
Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
Public Report – Aleo snarkVM Implementation Review
Technical Advisory – Multiple Vulnerabilities in Nagios XI
NCC Group’s 2022 & 2023 Research Report
Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call
Shooting Yourself in the .flags – Jailbreaking the Sonos Era 100
Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets
Is this the real life? Is this just fantasy? Caught in a landslide, NoEscape from NCC Group
The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
Public Report – WhatsApp Auditable Key Directory (AKD) Implementation Review
Don’t throw a hissy fit; defend against Medusa
Demystifying Cobalt Strike’s “make_token” Command
Tool Release: Magisk Module – Conscrypt Trust User Certs
Post-exploiting a compromised etcd – Full control over the cluster and its nodes
D0nut encrypt me, I have a wife and no backups
Popping Blisters for research: An overview of past payloads and exploring recent developments
Technical Advisory: Insufficient Proxyman HelperTool XPC Validation
Unveiling the Dark Side: A Deep Dive into Active Ransomware Families
Public Report – Zcash FROST Security Assessment
Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052)
Public Report – Caliptra Security Assessment
Introduction to AWS Attribute-Based Access Control
On Multiplications with Unsaturated Limbs
From ERMAC to Hook: Investigating the technical differences between two Android malware variants
Ruling the rules
HITB Phuket 2023 – Exploiting the Lexmark PostScript Stack
Public Report – Entropy/Rust Cryptography Review
SIAM AG23: Algebraic Geometry with Friends
5G security – how to minimise the threats to a 5G network
Real World Cryptography Conference 2023 – Part II
Technical Advisory – SonicWall Global Management System (GMS) & Analytics – Multiple Critical Vulnerabilities
LeaPFRogging PFR Implementations
Dancing Offbit: The Story of a Single Character Typo that Broke a ChaCha-Based PRNG
Public Report – Penumbra Labs R1CS Implementation Review
Demystifying Multivariate Cryptography
Building Intuition for Lattice-Based Signatures – Part 2: Fiat-Shamir with Aborts
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
SysPWN – VR for Pwn2Own
Intel BIOS Advisory – Memory Corruption in HID Drivers
Building Intuition for Lattice-Based Signatures – Part 1: Trapdoor Signatures
Tool Release: Cartographer
Tool Release – ScoutSuite 5.13.0
Overview of Modern Memory Security Concerns
Technical Advisory – Nullsoft Scriptable Installer System (NSIS) – Insecure Temporary Directory Usage
Public Report – Zcash Zebra Security Assessment
Getting per-user Conditional Access MFA status in Azure
Exploiting Noisy Oracles with Bayesian Inference
New Sources of Microsoft Office Metadata – Tool Release MetadataPlus
Dynamic Linq Injection Remote Code Execution Vulnerability (CVE-2023-32571)
Defeating Windows DEP With A Custom ROP Chain
Machine Learning 104: Breaking AES With Power Side-Channels
A Brief Review of Bitcoin Locking Scripts and Ordinals
How to Spot and Prevent an Eclipse Attack
Eurocrypt 2023: Death of a KEM
Reverse Engineering Coin Hunt World’s Binary Protocol
Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)
Tool Release: Code Query (cq)
CowCloud
OffensiveCon 2023 – Exploit Engineering – Attacking the Linux Kernel
Tool Release: Code Credential Scanner (ccs)
Exploring Overfitting Risks in Large Language Models
The Paillier Cryptosystem with Applications to Threshold ECDSA
Rigging the Vote: Uniqueness in Verifiable Random Functions
Medical Devices: A Hardware Security Perspective
NETGEAR Routers: A Playground for Hackers?
Real World Cryptography Conference 2023 – Part I
Public Report – AWS Nitro System API & Security Claims
State of DNS Rebinding in 2023
Machine Learning 103: Exploring LLM Code Generation
HITBAMS – Your Not so “Home” Office – Soho Hacking at Pwn2Own
Public Report – Kubernetes 1.24 Security Audit
Public Report – Solana Program Library ZK-Token Security Assessment
Stepping Insyde System Management Mode
Breaking Pedersen Hashes in Practice
A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads
A Primer On Slowable Encoders
Threat Spotlight – Hydra
Rustproofing Linux (Part 4/4 Shared Memory)
Rustproofing Linux (Part 3/4 Integer Overflows)
Security Code Review With ChatGPT
Rustproofing Linux (Part 2/4 Race Conditions)
Readable Thrift
Building WiMap the Wi-Fi Mapping Drone
Fuzzing the Easy Way Using Zulu
Exploiting CVE-2014-0282
Exploiting CVE-2014-0282
Rustproofing Linux (Part 1/4 Leaking Addresses)
Machine Learning 102: Attacking Facial Authentication with Poisoned Data
Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
Using Semgrep with Jupyter Notebook files
Announcing NCC Group’s Cryptopals Guided Tour: Set 2
Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
Project Bishop: Clustering Web Pages
Puckungfu: A NETGEAR WAN Command Injection
MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
Machine Learning 101: The Integrity of Image (Mis)Classification?
Replicating CVEs with KLEE
Public Report – VPN by Google One Security Assessment
Public Report – Confidential Space Security Review
Exploring Prompt Injection Attacks
Impersonating Gamers With GPT-2
So long and thanks for all the 0day
A jq255 Elliptic Curve Specification, and a Retrospective
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Tool Release – Web3 Decoder Burp Suite Extension
Tales of Windows detection opportunities for an implant framework
Check out our new Microcorruption challenges!
Toner Deaf – Printing your next persistence (Hexacon 2022)
Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes
Public Report – IOV Labs powHSM Security Assessment
Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Detecting Mimikatz with Busylight
Whitepaper – Project Triforce: Run AFL On Everything (2017)
Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
A Guide to Improving Security Through Infrastructure-as-Code
Tool Release – ScoutSuite 5.12.0
Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
Tool Release – Monkey365
Sharkbot is back in Google Play
Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
Conference Talks – September/October 2022
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Writing FreeBSD Kernel Modules in Rust
NCC Con Europe 2022 – Pwn2Own Austin Presentations
Tool Release – JWT-Reauth
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
Top of the Pops: Three common ransomware entry techniques
NCC Group Research at Black Hat USA 2022 and DEF CON 30
Tool Release – insject: A Linux Namespace Injector
Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)
NIST Selects Post-Quantum Algorithms for Standardization
Climbing Mount Everest: Black-Byte Bytes Back?
Five Essential Machine Learning Security Papers
Whitepaper – Practical Attacks on Machine Learning Systems
Flubot: the evolution of a notorious Android Banking Malware
A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented
Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link
Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
Public Report – Threshold ECDSA Cryptography Review
Exception Handling and Data Integrity in Salesforce
Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
Shining the Light on Black Basta
Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program
Conference Talks – June 2022
Hardware Security By Design: ESP32 Guidance
Public Report – Lantern and Replica Security Assessment
NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard
Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection ( CVE-2022-31794 and CVE-2022-31795)
Public Report – go-cose Security Assessment
Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)
Metastealer – filling the Racoon void
earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
Tool Release – Ghostrings
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
Adventures in the land of BumbleBee – a new malicious loader
LAPSUS$: Recent techniques, tactics and procedures
Real World Cryptography Conference 2022
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
Public Report – Google Enterprise API Security Assessment
Conti-nuation: methods and techniques observed in operations post the leaks
Whitepaper – Double Fetch Vulnerabilities in C and C++
Mining data from Cobalt Strike beacons
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
Tool Release – ScoutSuite 5.11.0
Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
Microsoft announces the WMIC command is being retired, Long Live PowerShell
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
Estimating the Bit Security of Pairing-Friendly Curves
Detecting anomalous Vectored Exception Handlers on Windows
BrokenPrint: A Netgear stack overflow
Conference Talks – March 2022
Hardware & Embedded Systems: A little early effort in security can return a huge payoff
Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5 Attacks vs the CIS Microsoft 365 Foundation Benchmark
Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
Detecting Karakurt – an extortion focused threat actor
BAT: a Fast and Small Key Encapsulation Mechanism
Testing Infrastructure-as-Code Using Dynamic Tooling
Machine Learning for Static Analysis of Malware – Expansion of Research Scope
10 real-world stories of how we’ve compromised CI/CD pipelines
NCC Group’s 2021 Annual Research Report
On the malicious use of large language models like GPT-3
Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs
Tool Update – ruby-trace: A Low-Level Tracer for Ruby
Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)
Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers
FPGAs: Security Through Obscurity?
Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
Log4Shell: Reconnaissance and post exploitation network detection
Announcing NCC Group’s Cryptopals Guided Tour!
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
Why IoT Security Matters
Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
Tracking a P2P network related to TA505
Conference Talks – December 2021
Public Report – Zendoo Proof Verifier Cryptography Review
An Illustrated Guide to Elliptic Curve Cryptography Validation
Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
“We wait, because we know you.” Inside the ransomware negotiation economics.
Detection Engineering for Kubernetes clusters
Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
Public Report – Zcash NU5 Cryptography Review
The Next C Language Standard (C23)
Conference Talks – November 2021
Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
Cracking RDP NLA Supplied Credentials for Threat Intelligence
Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
NCC Group placed first in global 5G Cyber Security Hack competition
Paradoxical Compression with Verifiable Delay Functions
A Look At Some Real-World Obfuscation Techniques
SnapMC skips ransomware, steals data
The Challenges of Fuzzing 5G Protocols
Reverse engineering and decrypting CyberArk vault credential files
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Assessing the security and privacy of Vaccine Passports
Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)
Conference Talks – October 2021
Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
Detecting and Hunting for the PetitPotam NTLM Relay Attack
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
NSA & CISA Kubernetes Security Guidance – A Critical Review
Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Conference Talks – September 2021
The ABCs of NFC chip security
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
Disabling Office Macros to Reduce Malware Infections
Some Musings on Common (eBPF) Linux Tracing Bugs
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Practical Considerations of Right-to-Repair Legislation
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)
Detecting and Hunting for the Malicious NetFilter Driver
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
NCC Group Research at Black Hat USA 2021 and DEF CON 29
Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
Software-Based Fault Injection Countermeasures (Part 2/3)
An Introduction to Fault Injection (Part 1/3)
Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Tool Release – Reliably-checked String Library Binding
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
Exploit mitigations: keeping up with evolving and complex software/hardware
NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use Against Security Researchers
Handy guide to a new Fivehands ransomware variant
On the Use of Pedersen Commitments for Confidential Payments
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
Testing Two-Factor Authentication
Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
Research Paper – Machine Learning for Static Malware Analysis, with University College London
Conference Talks – June 2021
Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
iOS User Enrollment and Trusted Certificates
Detecting Rclone – An Effective Tool for Exfiltration
Supply Chain Security Begins with Secure Software Development
Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
Public Report – Dell Secured Component Verification
RM3 – Curiosities of the wildest banking malware
Conference Talks – May 2021
A Census of Deployed Pulse Connect Secure (PCS) Versions
NCC Group’s Upcoming Trainings at Black Hat USA 2021
Public Report – VPN by Google One: Technical Security & Privacy Assessment
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Tool Release – Principal Mapper v1.1.0 Update
SAML XML Injection
The Future of C Code Review
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Tool Release – Solitude: A privacy analysis tool
Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
Lending a hand to the community – Covenant v0.7 Updates
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
Cryptopals: Exploiting CBC Padding Oracles
Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
NCC Group’s 2020 Annual Research Report
Conference Talks – February/March 2021
Software Verification and Analysis Using Z3
Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
Real World Cryptography Conference 2021: A Virtual Experience
RIFT: Analysing a Lazarus Shellcode Execution Method
MSSQL Lateral Movement
Public Report – BLST Cryptographic Implementation Review
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
Building an RDP Credential Catcher for Threat Intelligence
Double-odd Elliptic Curves
Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
Domestic IoT Nightmares: Smart Doorbells
Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
Tool Release – Carnivore: Microsoft External Assessment Tool
Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
Conference Talks – December 2020
TA505: A Brief History Of Their Time
Decrypting OpenSSH sessions for fun and profit
Past, Present and Future of Effective C
Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
Technical Advisory: Command Injection
Conference Talks – November 2020
Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
Tool – Windows Executable Memory Page Delta Reporter
Salesforce Security with Remote Working
Tool Release – ScoutSuite 5.10
Conference Talks – October 2020
Tool Release – ICPin, an integrity-check and anti-debug detection pintool
Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Online Casino Roulette – A guideline for penetration testers and security researchers
Extending a Thinkst Canary to become an interactive honeypot
StreamDivert: Relaying (specific) network connections
Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
Machine learning from idea to reality: a PowerShell case study
Conference Talks – September 2020
Whitepaper – Exploring the Security of KaiOS Mobile Applications
Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
Immortalising 20 Years of Epic Research
Pairing over BLS12-381, Part 3: Pairing!
Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Conference Talks – August 2020
Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
Tool Release: Sinking U-Boots with Depthcharge
Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
Pairing over BLS12-381, Part 2: Curves
Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
An offensive guide to the Authorization Code grant
Technical Advisory – KwikTag Web Admin Authentication Bypass
Pairing over BLS12-381, Part 1: Fields
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
Experiments in Extending Thinkst Canary – Part 1
Tool Release – ScoutSuite 5.9.0
Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
Tool: WStalker – an easy proxy to support Web API assessments
Security Considerations of zk-SNARK Parameter Multi-Party Computation
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Tool Release – Socks Over RDP Now Works With Citrix
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
Cyber Security of New Space Paper
In-depth analysis of the new Team9 malware family
Common Insecure Practices with Configuring and Extending Salesforce
Dangers of Kubernetes IAM Integrations
Exploring DeepFake Capabilities & Mitigation Strategies with University College London
Game Security
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
Research Report – Zephyr and MCUboot Security Assessment
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
Using SharePoint as a Phishing Platform
Public Report – Coda Cryptographic Review
Shell Arithmetic Expansion and Evaluation Abuse
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
Tool Release – Socks Over RDP
Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
Practical Machine Learning for Random (Filename) Detection
Curve9767 and Fast Signature Verification
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The Extended AWS Security Ramp-Up Guide
Code Patterns for API Authorization: Designing for Security
Order Details Screens and PII
How cryptography is used to monitor the spread of COVID-19
Rise of the Sensors: Securing LoRaWAN Networks
C Language Standards Update – Zero-size Reallocations are Undefined Behavior
IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
Exploring Verifiable Random Functions in Code
Crave the Data: Statistics from 1,300 Phishing Campaigns
Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
Tool Release – ScoutSuite 5.8.0
Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
LDAPFragger: Bypassing network restrictions using LDAP attributes
Threat Actors: exploiting the pandemic
A Survey of Istio’s Network Security Features
Conference Talks – March 2020
Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
Reviewing Verifiable Random Functions
CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
Improving Software Security through C Language Standards
Whitepaper – A Tour of Curve 25519 in Erlang
Deep Dive into Real-World Kubernetes Threats
Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
Interfaces.d to RCE
Properly Signed Certificates on CPE Devices
Conference Talks – February 2020
Tool Release – Collaborator++
Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
Tool Release – Enumerating Docker Registries with go-pillage-registries
Conference Talks – January 2020
Passive Decryption of Ethereum Peer-to-Peer Traffic
On Linux’s Random Number Generation
Demystifying AWS’ AssumeRole and sts:ExternalId
Welcome to the new NCC Group Global Research blog
Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients
Security impact of IoT on the Enterprise
Secure Device Provisioning Best Practices: Heavy Truck Edition
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service
Padding the struct: How a compiler optimization can disclose stack memory
Embedded Device Security Certifications
An Introduction to Ultrasound Security Research
PhanTap (Phantom Tap): Making networks spookier one packet at a time
An Introduction to Quantum Computing for Security Professionals
Sniffle: A Sniffer for Bluetooth 5
Compromising a Hospital Network for £118 (Plus Postage & Packaging)
Getting Shell with XAMLX Files
Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow
Technical Advisory: Unauthenticated SQL Injection in Lansweeper
Jenkins Plugins and Core Technical Summary Advisory
Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
Technical Advisory: Multiple Vulnerabilities in Brother Printers
Technical Advisory: Multiple Vulnerabilities in Xerox Printers
Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
Technical Advisory: Multiple Vulnerabilities in HP Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation
Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability
The Sorry State of Aftermarket Head Unit Security
Cyber Security in UK Agriculture
NCC Group Connected Health Whitepaper July 2019
Story of a Hundred Vulnerable Jenkins Plugins
Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Technical Advisory: Multiple Vulnerabilities in SmarterMail
Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
Chafer backdoor analysis
Finding and Exploiting .NET Remoting over HTTP using Deserialisation
Technical Advisory: Multiple Vulnerabilities in MailEnable
Assessing Unikernel Security
Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Zcash Overwinter Consensus and Sapling Cryptography Review
Xendbg: A Full-Featured Debugger for the Xen Hypervisor
Use of Deserialisation in .NET Framework Methods and Classes
Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
Nine years of bugs at NCC Group
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
Third party assurance
Turla PNG Dropper is back
Public cloud
Android Cloud Backup/Restore
Spectre on a Television
RokRat Analysis
Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
Technical Advisory: Authentication Bypass in libSSH
Securing Google Cloud Platform – Ten best practices
Public Report – Android Cloud Backup/Restore
Much Ado About Hardware Implants
NCC Group’s Exploit Development Capability: Why and What
Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
Improving Your Embedded Linux Security Posture With Yocto
How I did not get a shell
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
Singularity of Origin
Proxy Re-Encryption Protocol: IronCore Public Report
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Jackson Deserialization Vulnerabilities
Celebrating NCC Con Europe 2018
The disadvantages of a blacklist-based approach to input validation
Securing Teradata Database
Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Ethics in Security Testing
Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
Sobelow Update
House
Principal Mapper (pmapper)
Return of the hidden number problem
Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries
CVE-2017-8570 RTF and the Sisfader RAT
Mallory: Transparent TCP and UDP Proxy
Mallory and Me: Setting up a Mobile Mallory Gateway
CyberVillainsCA
DECTbeacon
Fuzzbox
Gizmo
HTTP Profiler
Intent Sniffer
Intent Fuzzer
iSEC Partners Releases SSLyze
Jailbreak
Manifest Explorer
Package Play
ProxMon
pySimReader
SAML Pummel
SecureBigIP
SecureCisco
SecureCookies
SecureIE.ActiveX
WebRATS
AWS Inventory: A tool for mapping AWS resources
Extractor
CMakerer: A small tool to aid CLion’s indexing
Emissary Panda – A potential new malicious tool
SMB hash hijacking & user tracking in MS Outlook
Testing HTTP/2 only web services
Windows IPC Fuzzing Tools
WSBang
WSMap
Nerve
Ragweed
File Fuzzers
Kivlad
Android SSL Bypass
Hiccupy
iOS SSL Killswitch
The SSL Conservatory
TLSPretense — SSL/TLS Client Testing Framework
tcpprox
YoNTMA
Tattler
PeachFarmer
Android-KillPermAndSigChecks
Android-OpenDebug
Android-SSL-TrustKiller
Introspy for Android
RtspFuzzer
SSLyze v0.8
NCLoader
IG Learner Walkthrough
Forensic Fuzzing Tools
Security First Umbrella
Autochrome
WSSiP: A Websocket Manipulation Proxy
AssetHook
Call Map: A Tool for Navigating Call Graphs in Python
Sobelow: Static analysis for the Phoenix Framework
G-Scout
Decoder Improved Burp Suite Plugin
Python Class Informer: an IDAPython plugin for viewing run-time type information (RTTI)
AutoRepeater: Automated HTTP Request Repeating With Burp Suite
TPM Genie
Open Banking: Security considerations & potential risks
scenester
port-scan-automation
Windows DACL Enum Project
umap
Shocker
Zulu
whitebox
vlan-hopping
tybocer
xcavator
WindowsJobLock
Azucar
Introducing Azucar
Readable Thrift
Decoding network data from a Gh0st RAT variant
Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
Discovering Smart Contract Vulnerabilities with GOATCasino
BLEBoy
APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products
Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector
Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin
Spectre and Meltdown: What you Need to Know
The economics of defensive security
HIDDEN COBRA Volgmer: A Technical Analysis
Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?
Kubernetes Security: Consider Your Threat Model
Mobile & web browser credential management: Security implications, attack cases & mitigations
SOC maturity & capability
Automated Reverse Engineering of Relationships Between Data Structures in C++ Binaries
Pointer Sequence Reverser (PSR)
Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
Bypassing Android’s Network Security Configuration
Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
Cisco ASA series part seven: Checkheaps
Adversarial Machine Learning: Approaches & defences
eBook: Breach notification under GDPR – How to communicate a personal data breach
Cisco ASA series part six: Cisco ASA mempools
The Update Framework (TUF) Security Assessment
Cisco ASA series part five: libptmalloc gdb plugin
Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
Decoder Improved Burp Suite plugin release part two
Cisco ASA series part three: Debugging Cisco ASA firmware
Managing PowerShell in a modern corporate environment
Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
Cisco ASA series part one: Intro to the Cisco ASA
EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
Technical Advisory: Authentication rule bypass
Technical Advisory – play-pac4j Authentication rule bypass
Decoder Improved Burp Suite plugin release part one
Technical advisory: Remote shell commands execution in ttyd
Poison Ivy string decryption
Securing the continuous integration process
Signaturing an Authenticode anomaly with Yara
Analysing a recent Poison Ivy sample
Endpoint connectivity
DeLux Edition: Getting root privileges on the eLux Thin Client OS
UK government cyber security guidelines for connected & autonomous vehicles
Smuggling HTA files in Internet Explorer/Edge
Database Security Brief: The Oracle Critical Patch Update for April 2007
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Data-mining with SQL Injection and Inference
The Pharming Guide – Understanding and preventing DNS related attacks by phishers
Weak Randomness Part I – Linear Congruential Random Number Generators
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
Blind Exploitation of Stack Overflow Vulnerabilities
Slotting Security into Corporate Development
Creating Arbitrary Shellcode In Unicode Expanded Strings
Violating Database – Enforced Security Mechanisms
Hacking the Extensible Firmware Interface
Advanced Exploitation of Oracle PL/SQL Flaws
Firmware Rootkits: The Threat to the Enterprise
Database Security: A Christmas Carol
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
Non-flood/non-volumetric Distributed Denial of Service (DDoS)
VoIP Security Methodology and Results
E-mail Spoofing and CDONTS.NEWMAIL
Dangling Cursor Snarfing: A New Class of Attack in Oracle
Database Servers on Windows XP and the unintended consequences of simple file sharing
DNS Pinning and Web Proxies
Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers
Which database is more secure? Oracle vs. Microsoft
Variations in Exploit methods between Linux and Windows
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things
Live Incident Blog: June Global Ransomware Outbreak
Beyond data loss prevention
How to protect yourself & your organisation from phishing attacks
Rise of the machines: Machine Learning & its cyber security applications
Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)
A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
Latest threats to the connected car & intelligent transport ecosystem
Network Attached Security: Attacking a Synology NAS
Accessing Private Fields Outside of Classes in Java
Understanding the insider threat & how to mitigate it
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems
Setting a New Standard for Kubernetes Deployments
Encryption at rest: Not the panacea to data protection
Applying normalised compression distance for architecture classification
Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
Fix Bounty
Unauthenticated XML eXternal Entity (XXE) vulnerability
General Data Protection Regulation: Knowing your data
Technical Advisory: Shell Injection in MacVim mvim URI Handler
Technical Advisory: Shell Injection in SourceTree
SCOMplicated? – Decrypting SCOM “RunAs” credentials
Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance
ISM RAT
Mergers & Acquisitions (M&A) cyber security due diligence
Advisory-CraigSBlackie-CVE-2016-9795
Best practices with BYOD
Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials
Compromising Apache Tomcat via JMX access
Berserko: Kerberos Authentication for Burp Suite
Java RMI Registry.bind() Unvalidated Deserialization
NCC CON Europe 2017
Understanding cyber risk management vs uncertainty with confidence in 2017
iOS MobileSlideShow USB Image Class arbitrary code execution.txt
Denial of Service in Parsing a URL by ierutil.dll
U plug, we play
SSL checklist for pentesters
Dissecting social engineering attacks
External Enumeration and Exploitation of Email and Web Security Solutions
Social Engineering
Phishing Stories
Automating extraction from malware and recent campaign analysis
DDoS Common Approaches and Failings
Absolute Security
How much training should staff have on cyber security?
USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems
Cyber Essentials Scheme
Webinar – PCI Version 3.0: Are you ready?
Webinar: 4 Secrets to a Robust Incident Response Plan
Cloud Security Presentation
Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions
Memory Gap
44Con2013Game
creep-web-app-scanner
ncccodenavi
Pip3line
typofinder
DIBF – Updated
IODIDE
CECSTeR
cisco-SNMP-enumeration
dotnetpaddingoracle
dotnetpefuzzing
easyda
EDIDFuzzer
Fat-Finger
firstexecution
grepify
FrisbeeLite
State-of-the-art email risk
Ransomware: what organisations can do to survive
hostresolver
lapith
metasploitavevasion
Maritime Cyber Security: Threats and Opportunities
IP-reputation-snort-rule-generator
The L4m3ne55 of Passw0rds: Notes from the field
Mature Security Testing Framework
Exporting non-exportable RSA keys
Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
The role of security research in improving cyber security
Self-Driving Cars- The future is now…
They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces
Mobile apps and security by design
The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning
USB Undermining Security Barriers:further adventures with USB
Software Security Austerity Security Debt in Modern Software Development
RSA Conference – Mobile Threat War Room
Finding the weak link in binaries
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms
Harnessing GPUs Building Better Browser Based Botnets
The Browser Hacker’s Handbook
SQL Server Security
The Database Hacker’s Handbook
Social Engineering Penetration Testing
Public Report – Matrix Olm Cryptographic Review
Research Insights Volume 8 – Hardware Design: FPGA Security Risks
Zcash Cryptography and Code Review
Optimum Routers: Researching Managed Routers
Peeling back the layers on defence in depth…knowing your onions
End-of-life pragmatism
iOS Instrumentation Without Jailbreak
The Password is Dead, Long Live the Password!
Microsoft Office Memory Corruption Vulnerability
Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Elephant in the Boardroom Survey 2016
A Peek Behind the Great Firewall of Russia
Avoiding Pitfalls Developing with Electron
Flash local-with-filesystem Bypass in navigateToURL
D-Link routers vulnerable to Remote Code Execution (RCE)
iOS Application Security: The Definitive Guide for Hackers and Developers
The Mobile Application Hacker’s Handbook
Research Insights Volume 9 – Modern Security Vulnerability Discovery
Post-quantum cryptography overview
The CIS Security Standard for Docker available now
An adventure in PoEKmon NeutriGo land
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition
How will GDPR impact your communications?
Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Multiple security vulnerabilities in SAP NetWeaver BSP Logon
The Automotive Threat Modeling Template
My name is Matt – My voice is my password
Ransomware: How vulnerable is your system?
NCC Group WhitepaperUnderstanding and HardeningLinux ContainersJune 29, 2016 – Version 1.1
My Hash is My Passport: Understanding Web and Mobile Authentication
Project Triforce: Run AFL on Everything!
Writing Exploits for Win32 Systems from Scratch
How to Backdoor Diffie-Hellman
Local network compromise despite good patching
Sakula: an adventure in DLL planting
When a Trusted Site in Internet Explorer was Anything But
GSM/GPRS Traffic Interception for Penetration Testing Engagements
An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an Oracle
Creating a Safer OAuth User Experience
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Aurora Response Recommendations
Blind Security Testing – An Evolutionary Approach
Building Security In: Software Penetration Testing
Cleaning Up After Cookies
Command Injection in XML Signatures and Encryption
Common Flaws of Distributed Identity and Authentication Systems
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Developing Secure Mobile Applications for Android
Exposing Vulnerabilities in Media Software
Hunting SQL Injection Bugs
IAX Voice Over-IP Security
ProxMon: Automating Web Application Penetration Testing
iSEC’s Analysis of Microsoft’s SDL and its ROI
Secure Application Development on Facebook
Secure Session Management With Cookies for Web Applications
Security Compliance as an Engineering Discipline
Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
Exploiting Rich Content
HTML5 Security The Modern Web Browser Perspective
An Introduction to Authenticated Encryption
Attacks on SSL
Content Security Policies Best Practices
Windows Phone 7 Application Security Survey
Browser Extension Password Managers
Introducing idb-Simplified Blackbox iOS App Pentesting
Login Service Security
The factoring dead: Preparing for the cryptopocalypse
Auditing Enterprise Class Applications and Secure Containers on Android
Early CCS Attack Analysis
Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver URSA
Perfect Forward Security
Internet of Things Security
Secure Messaging for Normal People
Understanding and Hardening Linux Containers
Adventures in Windows Driver Development: Part 1
Private sector cyber resilience and the role of data diodes
From CSV to CMD to qwerty
General Data Protection Regulation – are you ready?
Business Insights: Cyber Security in the Financial Sector
The Importance of a Cryptographic Review
osquery Application Security Assessment Public Report
Sysinternals SDelete: When Secure Delete Fails
Ricochet Security Assessment Public Report
Breaking into Security Research at NCC Group
Building Systems from Commercial Components
Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices
Secure Coding in C and C++
CERT Oracle Secure Coding Standard for Java
CERT C Secure Coding Standard
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code
Secure Coding in C and C++, 2nd Edition
The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems
Secure Coding Rules for Java LiveLessons, Part 1
Hacking Displays Made Interesting
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols
44CON Workshop – How to assess and secure iOS apps
Payment Card Industry Data Security Standard (PCI DSS) A Navigation and Explanation of Changes from v2.0 to v3.0
Mobile World Congress – Mobile Internet of Things
Practical SME security on a shoestring
BlackHat Asia USB Physical Access
How we breach network infrastructures and protect them
Hacking a web application
Batten down the hatches: Cyber threats facing DP operations
Threats and vulnerabilities within the Maritime and shipping sectors
Distributed Ledger (Blockchain) Security and Quantum Computing Implications
Building WiMap the Wi-Fi Mapping Drone
Abusing Privileged and Unprivileged Linux Containers
A few notes on usefully exploiting libstagefright on Android 5.x
NCC Con Europe 2016
Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
Car Parking Apps Vulnerable To Hacks
eBook – Do you know how your organisation would react in a real-world attack scenario?
Erlang Security 101
SysAid Helpdesk blind SQL injection
SysAid Helpdesk stored XSS
Virtual Access Monitor Multiple SQL Injection Vulnerabilities
Whatsupgold Premium Directory traversal
Windows remote desktop memory corruptoin leading to RCE on XPSP3
Windows USB RNDIS driver kernel pool overflow
Drones: Detect, Identify, Intercept, and Hijack
Introducing Chuckle and the Importance of SMB Signing
Threat Intelligence: Benefits for the Enterprise
Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle
Secure Device Manufacturing: Supply Chain Security Resilience
eBook – Planning a robust incident response process
HDMI Ethernet Channel
Advanced SQL Injection in SQL Server Applications
USB keyboards by post – use of embedded keystroke injectors to bypass autorun restrictions on modern desktop operating systems
ASP.NET Security and the Importance of KB2698981 in Cloud Environments
Xen HYPERVISOR_xen_version stack memory revelation
Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
SysAid Helpdesk Pro – Blind SQL Injection
Symantec Messaging Gateway SSH with backdoor user account + privilege escalation to root due to very old Kernel
Symantec Messaging Gateway Out of band stored XSS delivered by email
Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for example)
Symantec Messaging Gateway Arbitrary file download is possible with a crafted URL (authenticated)
Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports
Symantec Backup Exec 2012 – OS version and service pack information leak
Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs
Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Squiz CMS File Path Traversal
Solaris 11 USB Hub Class descriptor kernel stack overflow
SmarterMail – Stored XSS in emails
Remote code execution in ImpressPages CMS
OS X 10.6.6 Camera Raw Library Memory Corruption
Oracle Java Installer Adds a System Path Which is Writable by All
Oracle Hyperion 11 Directory Traversal
Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
Nessus Authenticated Scan – Local Privilege Escalation
NCC Group Malware Technical Note
Nagios XI Network Monitor – Stored and Reflective XSS
Multiple Vulnerabilities in MailEnable
Microsoft Internet Explorer CMarkup Use-After-Free
McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators
McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI
iOS 7 arbitrary code execution in kernel mode
Understanding Microsoft Word OLE Exploit Primitives
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817
Vehicle Emissions and Cyber Security
Research Insights Volume 6: Common Issues with Environment Breakouts
Does TypeScript Offer Security Improvements Over JavaScript?
Common Security Issues in Financially-Oriented Web Applications
Research Insights Volume 3 – How are we breaking in: Mobile Security
Build Your Own Wi-Fi Mapping Drone Capability
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
Password and brute-force mitigation policies
Understanding Ransomware: Impact, Evolution and Defensive Strategies
libtalloc: A GDB plugin for analysing the talloc heap
Lumension Device Control (formerly Sanctuary) remote memory corruption
LibAVCodec AMV Out of Array Write
Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass
Flash security restrictions bypass: File upload by URLRequest
Immunity Debugger Buffer Overflow
DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Cups-filters remote code execution
Critical Risk Vulnerability in SAP Message Server (Heap Overflow)
Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)
Cisco VPN Client Privilege Escalation
Cisco IPSec VPN Implementation Group Name Enumeration
Blue Coat BCAAA Remote Code Execution Vulnerability
Adam Roberts
Anthony Ferrillo
Aaron Greetham
Aaron Haymore
Akshat Joshi
Alberto Verza
Aleksandar Kircanski
Alessandro Fanio Gonzalez
Alessandro Fanio González
Alex Plaskett
Alex Zaviyalov
Alvaro Martin Fraguas
Álvaro Martín Fraguas
Andrea Shirley-Bellande
Drew Wade
Andy Davis
Andy Grant
Antonis Terefos
anvesh3752
Alexander Smye
aschmitz
Austin Peavy
Ava Howell
Andrew Whistlecroft
balazs.bucsay
Nicolas Bidron
NCC Group Physical Breach Team
Rich Warren
Caleb Watt
Clinton Carpene
Cedric Halbronn
chrisanley
Christo Butcher
christopherjamesbury
Clayton Lowell
Clint Gibler
cnevncc
Corey Arthur
Christian Powills
Craig Blackie
Catalin Visinescu
Ken Wolstencroft
Damon Small
Dan Hastings
Dan Palmer
Dave G.
David Tulis
David Cash
Daniele Costa
destoken
Diana Dragusin
Diego Gomez Maranon
Diego Gómez Marañon
Domen Puncer Kugler
Daniel Romero
Deni
David Young
Edward Torkington
Exploit Development Group
Elena Bakos Lang
Eli Sohl
epliuncc
Erik Schamper
Erik Steringer
Eric Schorn
Eva Esteban Molina
Fernando Gallego
Aaron Adams
Gavin Cotter (Temp)
Gerald Doussot
Gérald Doussot
Giacomo Pope
Global Threat Intelligence
Guy Morley
William Handy
Liew hock lai
Hollie Mowatt
Heather Overcash
Rob Wood
Iain Smart
Izzy Whistlecroft
Jacob Heath
Jameson Hyde
Phillip Langlois and Edward Torkington
Jashan Benawra
Jason Kielpinski
Javed Samuel
James Chambers
Jelle Vergeer
Jennifer Reed
Jeremy Boone
Jerome Smith
Jesus Calderon Marin
Jesús Calderón Marín
Jay Houppermans
Jack Leadford
Joshua Makinen
jmrcsnchz
John Redford
Joost Jansen
Joshua Dow
Joshua Kamp
Jose Selvi
Kenneth Yu
Kat Sommer
Katarina Dabler
Ben Lister
Krijn de Mik
Lars Behrens
Lawrence Munro
Liam Glanfield
Liam Stevenson
Liyun Li
Lucas Rosevear
Luis Toro Puig
Luke Paris
Matt Lewis
Manuel Gines
Margit Hazenbroek
Marie-Sarah Lacharite
Mario Rivas
NCC Group & Fox-IT Data Science Team
Max Groot
McCaulay Hudson
Michael Gough
Mick Koomen
Mostafa Hassan
Matthew Pettitt
Frank Gifford
Michelle Simpson
Neil Bergman
NCC Group
NCC Group Publication Archive
Bill Marquette
Daniel Lopezjimenez
nccdavid
Dan Helton
RIFT: Research and Intelligence Fusion Team
R.Rivera
NCC Group Red Team
Ilya Zhuravlev
Jennifer Fernick
ncckai
Lewis Lockwood
Jon Szymaniak
Mark Manning
Mark Tedman
Michael Sandee
Simon Palmer
nccricardomr
Stefano Antenucci
Simone Salucci and Daniel Lopez Jimenez
Samuel Siu
Tanner Prynn
Yun Zheng Hu
Stephen Tomkinson
Nicolas Guigo
Nick Galloway
Nick Muir
Nick Dunn
Nick Sirris
Nikolaos Pantazopoulos
Oliver Brooks
Ollie Whitehouse
Ollie Wen
Parnian Alimi
Paul Bottinelli
Peter Scopes
Peter Hannay
philipmarsdennccgroupcom
pqueenncc
Philipp Schaefer
qkchambers
Rory McCune
Ralph Andalis
Rami McCarthy
Ray Lai
Robert C. Seacord
Rennie deGraaf
Chris Nevin
Richard Appleby
Rick Veldhoven
Fumik0_
Rindert Kramer
Rob Ince
robertgrimes123
Robert Wessen
Ross Bradley
Robert Schwass
ruud-fox-it
sampeate
Roger Meyer
schlopeckincc
scottleitch53e8989cc3
Siddarth Adukia
Sam Leonard (they/them)
smarkelon
Spencer Michaels
sean.morland@nccgroup.com
Sander de Jong
Steven van der Baan
Stuart Kurutac
Subscriber Test
Sultan Khan
Swathi Nagarajan
Simon Watson
Jeff Dileo
Thomas Marshall
Ivan Reedman
Thomas Pornin
Viktor Gazdag
Vishtasp Jokhi
Wouter Jansen
William Groesbeck
whoughtonncc
wolawola123
Wordpress SSO Test
Xavier Cervilla
Xavier Garceau-Aranda
Ken Gannon
Kevin Henry
5G Security & Smart Environments
Academic Partnership
Annual Research Report
Asia Pacific Research
Awards & Recognition
Blockchain
Books
Business Insights
Cloud & Containerization
Cloud Security
Conferences
Corporate
Cryptography
CTFs/Microcorruption
Current events
Cyber as a Science
Cyber Security
Detection and Threat Hunting
Digital Forensics and Incident Response (DFIR)
Disclosure Policy
Emerging Technologies
Engineering
Fox-IT
Fox-IT and European Research
Gaming & Media
Hardware & Embedded Systems
Intern Projects
iSec Partners
Machine Learning
Managed Detection & Response
Misinformation, Deepfakes, & Synthetic Media
North American Research
Offensive Security & Artificial Intelligence
Offensive Security & Artificial Intelligence
Patch notifications
Presentations
protocol_name
Public interest technology
Public interest technology
Public Reports
Public tools
Reducing Vulnerabilities at Scale
Research
Research Paper
Resources
Reverse Engineering
Risk Management & Governance
Standards
Technical advisories
Technology Policy
Threat briefs
Threat Intelligence
Tool Release
Transport
Tutorial/Study Guide
UK Research
Uncategorized
Virtualization, Emulation, & Containerization
VSR
Vulnerability
Vulnerability Research
Whitepapers

nccgroup.com
Support

22/23 Research Report
Public Reports
Contact

Digital Forensics and Incident Response (DFIR)

Call us on:

General Number:

441612095200

24/7 Emergency Incident Response:

443316300690

Terms and Conditions Privacy Policy Contact Us Accessibility Disclosure Policy

Assessment & Advisory Detection and Response Compliance Remediation Training Software Resilience