Breaking Pedersen Hashes in Practice
A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads
A Primer On Slowable Encoders
Threat Spotlight – Hydra
Rustproofing Linux (Part 4/4 Shared Memory)
Rustproofing Linux (Part 3/4 Integer Overflows)
Security Code Review With ChatGPT
Rustproofing Linux (Part 2/4 Race Conditions)
Readable Thrift
Building WiMap the Wi-Fi Mapping Drone
Fuzzing the Easy Way Using Zulu
Exploiting CVE-2014-0282
Rustproofing Linux (Part 1/4 Leaking Addresses)
Machine Learning 102: Attacking Facial Authentication with Poisoned Data
Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
Using Semgrep with Jupyter Notebook files
Announcing NCC Group’s Cryptopals Guided Tour: Set 2
Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
Project Bishop: Clustering Web Pages
Puckungfu: A NETGEAR WAN Command Injection
MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
Machine Learning 101: The Integrity of Image (Mis)Classification?
Replicating CVEs with KLEE
Public Report – VPN by Google One Security Assessment
Public Report – Confidential Space Security Review
Exploring Prompt Injection Attacks
So long and thanks for all the 0day
A jq255 Elliptic Curve Specification, and a Retrospective
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Tool Release – Web3 Decoder Burp Suite Extension
Tales of Windows detection opportunities for an implant framework
Check out our new Microcorruption challenges!
Toner Deaf – Printing your next persistence (Hexacon 2022)
Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes
Public Report – IOV Labs powHSM Security Assessment
Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Detecting Mimikatz with Busylight
Whitepaper – Project Triforce: Run AFL On Everything (2017)
Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
A Guide to Improving Security Through Infrastructure-as-Code
Tool Release – ScoutSuite 5.12.0
Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
Tool Release – Monkey365
Sharkbot is back in Google Play
Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
Conference Talks – September/October 2022
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Writing FreeBSD Kernel Modules in Rust
NCC Con Europe 2022 – Pwn2Own Austin Presentations
Tool Release – JWT-Reauth
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
Top of the Pops: Three common ransomware entry techniques
NCC Group Research at Black Hat USA 2022 and DEF CON 30
Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)
NIST Selects Post-Quantum Algorithms for Standardization
Climbing Mount Everest: Black-Byte Bytes Back?
Five Essential Machine Learning Security Papers
Whitepaper – Practical Attacks on Machine Learning Systems
Flubot: the evolution of a notorious Android Banking Malware
Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link
Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
Public Report – Threshold ECDSA Cryptography Review
Exception Handling and Data Integrity in Salesforce
Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
Shining the Light on Black Basta
Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program
Conference Talks – June 2022
Hardware Security By Design: ESP32 Guidance
Public Report – Lantern and Replica Security Assessment
NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard
Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection ( CVE-2022-31794 and CVE-2022-31795)
Public Report – go-cose Security Assessment
Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)
Metastealer – filling the Racoon void
earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
Tool Release – Ghostrings
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
Adventures in the land of BumbleBee – a new malicious loader
LAPSUS$: Recent techniques, tactics and procedures
Real World Cryptography Conference 2022
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
Public Report – Google Enterprise API Security Assessment
Conti-nuation: methods and techniques observed in operations post the leaks
Whitepaper – Double Fetch Vulnerabilities in C and C++
Mining data from Cobalt Strike beacons
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
Tool Release – ScoutSuite 5.11.0
Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
Microsoft announces the WMIC command is being retired, Long Live PowerShell
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
BrokenPrint: A Netgear stack overflow
Conference Talks – March 2022
Hardware & Embedded Systems: A little early effort in security can return a huge payoff
Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5 Attacks vs the CIS Microsoft 365 Foundation Benchmark
Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
Detecting Karakurt – an extortion focused threat actor
BAT: a Fast and Small Key Encapsulation Mechanism
A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented
Estimating the Bit Security of Pairing-Friendly Curves
Testing Infrastructure-as-Code Using Dynamic Tooling
Machine Learning for Static Analysis of Malware – Expansion of Research Scope
10 real-world stories of how we’ve compromised CI/CD pipelines
Impersonating Gamers With GPT-2
NCC Group’s 2021 Annual Research Report
Tool Release – insject: A Linux Namespace Injector
Detecting anomalous Vectored Exception Handlers on Windows
On the malicious use of large language models like GPT-3
Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs
Tool Update – ruby-trace: A Low-Level Tracer for Ruby
Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)
Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers
FPGAs: Security Through Obscurity?
Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
Log4Shell: Reconnaissance and post exploitation network detection
Announcing NCC Group’s Cryptopals Guided Tour!
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
Why IoT Security Matters
Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
Tracking a P2P network related to TA505
Conference Talks – December 2021
Public Report – Zendoo Proof Verifier Cryptography Review
An Illustrated Guide to Elliptic Curve Cryptography Validation
Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
“We wait, because we know you.” Inside the ransomware negotiation economics.
Detection Engineering for Kubernetes clusters
Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
Public Report – Zcash NU5 Cryptography Review
The Next C Language Standard (C23)
Conference Talks – November 2021
Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
Cracking RDP NLA Supplied Credentials for Threat Intelligence
Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
NCC Group placed first in global 5G Cyber Security Hack competition
Paradoxical Compression with Verifiable Delay Functions
A Look At Some Real-World Obfuscation Techniques
SnapMC skips ransomware, steals data
The Challenges of Fuzzing 5G Protocols
Reverse engineering and decrypting CyberArk vault credential files
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Assessing the security and privacy of Vaccine Passports
Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)
Conference Talks – October 2021
Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
Detecting and Hunting for the PetitPotam NTLM Relay Attack
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
NSA & CISA Kubernetes Security Guidance – A Critical Review
Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Conference Talks – September 2021
The ABCs of NFC chip security
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
Disabling Office Macros to Reduce Malware Infections
Some Musings on Common (eBPF) Linux Tracing Bugs
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Practical Considerations of Right-to-Repair Legislation
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)
Detecting and Hunting for the Malicious NetFilter Driver
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
NCC Group Research at Black Hat USA 2021 and DEF CON 29
Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
Software-Based Fault Injection Countermeasures (Part 2/3)
An Introduction to Fault Injection (Part 1/3)
Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Tool Release – Reliably-checked String Library Binding
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
Exploit mitigations: keeping up with evolving and complex software/hardware
NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use Against Security Researchers
Handy guide to a new Fivehands ransomware variant
On the Use of Pedersen Commitments for Confidential Payments
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
Testing Two-Factor Authentication
Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
Research Paper – Machine Learning for Static Malware Analysis, with University College London
Conference Talks – June 2021
Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
iOS User Enrollment and Trusted Certificates
Detecting Rclone – An Effective Tool for Exfiltration
Supply Chain Security Begins with Secure Software Development
Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
Public Report – Dell Secured Component Verification
RM3 – Curiosities of the wildest banking malware
Conference Talks – May 2021
A Census of Deployed Pulse Connect Secure (PCS) Versions
NCC Group’s Upcoming Trainings at Black Hat USA 2021
Public Report – VPN by Google One: Technical Security & Privacy Assessment
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Tool Release – Principal Mapper v1.1.0 Update
SAML XML Injection
The Future of C Code Review
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Tool Release – Solitude: A privacy analysis tool
Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
Lending a hand to the community – Covenant v0.7 Updates
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
Cryptopals: Exploiting CBC Padding Oracles
Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
NCC Group’s 2020 Annual Research Report
Conference Talks – February/March 2021
Software Verification and Analysis Using Z3
Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
Real World Cryptography Conference 2021: A Virtual Experience
RIFT: Analysing a Lazarus Shellcode Execution Method
MSSQL Lateral Movement
Public Report – BLST Cryptographic Implementation Review
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
Abusing cloud services to fly under the radar
Building an RDP Credential Catcher for Threat Intelligence
Double-odd Elliptic Curves
Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
Domestic IoT Nightmares: Smart Doorbells
Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
Tool Release – Carnivore: Microsoft External Assessment Tool
Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
Conference Talks – December 2020
TA505: A Brief History Of Their Time
Decrypting OpenSSH sessions for fun and profit
Past, Present and Future of Effective C
Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
Technical Advisory: Command Injection
Conference Talks – November 2020
Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
Tool – Windows Executable Memory Page Delta Reporter
Salesforce Security with Remote Working
Tool Release – ScoutSuite 5.10
Conference Talks – October 2020
Tool Release – ICPin, an integrity-check and anti-debug detection pintool
Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Online Casino Roulette – A guideline for penetration testers and security researchers
Extending a Thinkst Canary to become an interactive honeypot
StreamDivert: Relaying (specific) network connections
Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
Machine learning from idea to reality: a PowerShell case study
Conference Talks – September 2020
Whitepaper – Exploring the Security of KaiOS Mobile Applications
Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
Immortalising 20 Years of Epic Research
Pairing over BLS12-381, Part 3: Pairing!
Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Conference Talks – August 2020
Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
Tool Release: Sinking U-Boots with Depthcharge
Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
Pairing over BLS12-381, Part 2: Curves
Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
An offensive guide to the Authorization Code grant
Technical Advisory – KwikTag Web Admin Authentication Bypass
Pairing over BLS12-381, Part 1: Fields
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
Experiments in Extending Thinkst Canary – Part 1
Tool Release – ScoutSuite 5.9.0
Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
Tool: WStalker – an easy proxy to support Web API assessments
Security Considerations of zk-SNARK Parameter Multi-Party Computation
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Tool Release – Socks Over RDP Now Works With Citrix
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
Cyber Security of New Space Paper
In-depth analysis of the new Team9 malware family
Common Insecure Practices with Configuring and Extending Salesforce
Exploring DeepFake Capabilities & Mitigation Strategies with University College London
Game Security
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
Research Report – Zephyr and MCUboot Security Assessment
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
Using SharePoint as a Phishing Platform
Public Report – Coda Cryptographic Review
Shell Arithmetic Expansion and Evaluation Abuse
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
Tool Release – Socks Over RDP
Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
Practical Machine Learning for Random (Filename) Detection
Curve9767 and Fast Signature Verification
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The Extended AWS Security Ramp-Up Guide
Code Patterns for API Authorization: Designing for Security
Order Details Screens and PII
How cryptography is used to monitor the spread of COVID-19
Rise of the Sensors: Securing LoRaWAN Networks
C Language Standards Update – Zero-size Reallocations are Undefined Behavior
IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
Exploring Verifiable Random Functions in Code
Crave the Data: Statistics from 1,300 Phishing Campaigns
Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
Tool Release – ScoutSuite 5.8.0
Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
LDAPFragger: Bypassing network restrictions using LDAP attributes
Threat Actors: exploiting the pandemic
A Survey of Istio’s Network Security Features
Conference Talks – March 2020
Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
Reviewing Verifiable Random Functions
CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
Improving Software Security through C Language Standards
Whitepaper – A Tour of Curve 25519 in Erlang
Deep Dive into Real-World Kubernetes Threats
Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
Interfaces.d to RCE
Properly Signed Certificates on CPE Devices
Conference Talks – February 2020
Tool Release – Collaborator++
Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
Tool Release – Enumerating Docker Registries with go-pillage-registries
Conference Talks – January 2020
Passive Decryption of Ethereum Peer-to-Peer Traffic
On Linux’s Random Number Generation
Demystifying AWS’ AssumeRole and sts:ExternalId
Welcome to the new NCC Group Global Research blog
Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients
Security impact of IoT on the Enterprise
Secure Device Provisioning Best Practices: Heavy Truck Edition
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service
Padding the struct: How a compiler optimization can disclose stack memory
Embedded Device Security Certifications
An Introduction to Ultrasound Security Research
PhanTap (Phantom Tap): Making networks spookier one packet at a time
An Introduction to Quantum Computing for Security Professionals
Sniffle: A Sniffer for Bluetooth 5
Compromising a Hospital Network for £118 (Plus Postage & Packaging)
Getting Shell with XAMLX Files
Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
Technical Advisory: Unauthenticated SQL Injection in Lansweeper
Jenkins Plugins and Core Technical Summary Advisory
Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
Technical Advisory: Multiple Vulnerabilities in Brother Printers
Technical Advisory: Multiple Vulnerabilities in Xerox Printers
Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
Technical Advisory: Multiple Vulnerabilities in HP Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation
Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability
The Sorry State of Aftermarket Head Unit Security
Cyber Security in UK Agriculture
NCC Group Connected Health Whitepaper July 2019
Story of a Hundred Vulnerable Jenkins Plugins
Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Technical Advisory: Multiple Vulnerabilities in SmarterMail
Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
Chafer backdoor analysis
Finding and Exploiting .NET Remoting over HTTP using Deserialisation
Technical Advisory: Multiple Vulnerabilities in MailEnable
Assessing Unikernel Security
Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Zcash Overwinter Consensus and Sapling Cryptography Review
Xendbg: A Full-Featured Debugger for the Xen Hypervisor
Use of Deserialisation in .NET Framework Methods and Classes
Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
Nine years of bugs at NCC Group
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
Third party assurance
Turla PNG Dropper is back
Public cloud
Android Cloud Backup/Restore
Spectre on a Television
RokRat Analysis
Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
Technical Advisory: Authentication Bypass in libSSH
Securing Google Cloud Platform – Ten best practices
Public Report – Android Cloud Backup/Restore
Much Ado About Hardware Implants
NCC Group’s Exploit Development Capability: Why and What
Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
Improving Your Embedded Linux Security Posture With Yocto
How I did not get a shell
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
Singularity of Origin
Proxy Re-Encryption Protocol: IronCore Public Report
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Celebrating NCC Con Europe 2018
The disadvantages of a blacklist-based approach to input validation
Securing Teradata Database
Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Ethics in Security Testing
Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
Sobelow Update
House
Principal Mapper (pmapper)
Return of the hidden number problem
Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries
CVE-2017-8570 RTF and the Sisfader RAT
Mallory: Transparent TCP and UDP Proxy
Mallory and Me: Setting up a Mobile Mallory Gateway
CyberVillainsCA
DECTbeacon
Fuzzbox
Gizmo
HTTP Profiler
Intent Sniffer
Intent Fuzzer
iSEC Partners Releases SSLyze
Jailbreak
Manifest Explorer
Package Play
ProxMon
pySimReader
SAML Pummel
SecureBigIP
SecureCisco
SecureCookies
SecureIE.ActiveX
WebRATS
AWS Inventory: A tool for mapping AWS resources
Extractor
CMakerer: A small tool to aid CLion’s indexing
Emissary Panda – A potential new malicious tool
SMB hash hijacking & user tracking in MS Outlook
Testing HTTP/2 only web services
Windows IPC Fuzzing Tools
WSBang
WSMap
Nerve
Ragweed
File Fuzzers
Kivlad
Android SSL Bypass
Hiccupy
iOS SSL Killswitch
The SSL Conservatory
TLSPretense — SSL/TLS Client Testing Framework
tcpprox
YoNTMA
Tattler
PeachFarmer
Android-KillPermAndSigChecks
Android-OpenDebug
Android-SSL-TrustKiller
Introspy for Android
RtspFuzzer
SSLyze v0.8
NCLoader
IG Learner Walkthrough
Forensic Fuzzing Tools
Security First Umbrella
Autochrome
WSSiP: A Websocket Manipulation Proxy
AssetHook
Call Map: A Tool for Navigating Call Graphs in Python
Sobelow: Static analysis for the Phoenix Framework
G-Scout
Decoder Improved Burp Suite Plugin
Python Class Informer: an IDAPython plugin for viewing run-time type information (RTTI)
AutoRepeater: Automated HTTP Request Repeating With Burp Suite
TPM Genie
Open Banking: Security considerations & potential risks
scenester
port-scan-automation
Windows DACL Enum Project
umap
Shocker
Zulu
whitebox
vlan-hopping
tybocer
xcavator
WindowsJobLock
Azucar
Readable Thrift
Introducing Azucar
Decoding network data from a Gh0st RAT variant
Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
Discovering Smart Contract Vulnerabilities with GOATCasino
BLEBoy
APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products
Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector
Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin
Spectre and Meltdown: What you Need to Know
The economics of defensive security
HIDDEN COBRA Volgmer: A Technical Analysis
Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?
Kubernetes Security: Consider Your Threat Model
Mobile & web browser credential management: Security implications, attack cases & mitigations
SOC maturity & capability
Automated Reverse Engineering of Relationships Between Data Structures in C++ Binaries
Pointer Sequence Reverser (PSR)
Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
Bypassing Android’s Network Security Configuration
Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
Cisco ASA series part seven: Checkheaps
Adversarial Machine Learning: Approaches & defences
eBook: Breach notification under GDPR – How to communicate a personal data breach
Cisco ASA series part six: Cisco ASA mempools
The Update Framework (TUF) Security Assessment
Cisco ASA series part five: libptmalloc gdb plugin
Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
Decoder Improved Burp Suite plugin release part two
Cisco ASA series part three: Debugging Cisco ASA firmware
Managing PowerShell in a modern corporate environment
Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
Cisco ASA series part one: Intro to the Cisco ASA
EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
Technical Advisory: Authentication rule bypass
Technical Advisory – play-pac4j Authentication rule bypass
Decoder Improved Burp Suite plugin release part one
Technical advisory: Remote shell commands execution in ttyd
Poison Ivy string decryption
Securing the continuous integration process
Signaturing an Authenticode anomaly with Yara
Analysing a recent Poison Ivy sample
Endpoint connectivity
DeLux Edition: Getting root privileges on the eLux Thin Client OS
UK government cyber security guidelines for connected & autonomous vehicles
Smuggling HTA files in Internet Explorer/Edge
Database Security Brief: The Oracle Critical Patch Update for April 2007
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Data-mining with SQL Injection and Inference
The Pharming Guide – Understanding and preventing DNS related attacks by phishers
Weak Randomness Part I – Linear Congruential Random Number Generators
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
Blind Exploitation of Stack Overflow Vulnerabilities
Slotting Security into Corporate Development
Creating Arbitrary Shellcode In Unicode Expanded Strings
Violating Database – Enforced Security Mechanisms
Hacking the Extensible Firmware Interface
Advanced Exploitation of Oracle PL/SQL Flaws
Firmware Rootkits: The Threat to the Enterprise
Database Security: A Christmas Carol
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
Non-flood/non-volumetric Distributed Denial of Service (DDoS)
VoIP Security Methodology and Results
E-mail Spoofing and CDONTS.NEWMAIL
Dangling Cursor Snarfing: A New Class of Attack in Oracle
Database Servers on Windows XP and the unintended consequences of simple file sharing
DNS Pinning and Web Proxies
Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers
Which database is more secure? Oracle vs. Microsoft
Variations in Exploit methods between Linux and Windows
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things
Live Incident Blog: June Global Ransomware Outbreak
Beyond data loss prevention
How to protect yourself & your organisation from phishing attacks
Rise of the machines: Machine Learning & its cyber security applications
Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)
A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
Latest threats to the connected car & intelligent transport ecosystem
Network Attached Security: Attacking a Synology NAS
Accessing Private Fields Outside of Classes in Java
Understanding the insider threat & how to mitigate it
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems
Setting a New Standard for Kubernetes Deployments
Encryption at rest: Not the panacea to data protection
Applying normalised compression distance for architecture classification
Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
Fix Bounty
Unauthenticated XML eXternal Entity (XXE) vulnerability
General Data Protection Regulation: Knowing your data
Technical Advisory: Shell Injection in MacVim mvim URI Handler
Technical Advisory: Shell Injection in SourceTree
SCOMplicated? – Decrypting SCOM “RunAs” credentials
Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance
ISM RAT
Mergers & Acquisitions (M&A) cyber security due diligence
Advisory-CraigSBlackie-CVE-2016-9795
Best practices with BYOD
Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials
Compromising Apache Tomcat via JMX access
Berserko: Kerberos Authentication for Burp Suite
Java RMI Registry.bind() Unvalidated Deserialization
NCC CON Europe 2017
Understanding cyber risk management vs uncertainty with confidence in 2017
iOS MobileSlideShow USB Image Class arbitrary code execution.txt
Denial of Service in Parsing a URL by ierutil.dll
U plug, we play
SSL checklist for pentesters
Dissecting social engineering attacks
External Enumeration and Exploitation of Email and Web Security Solutions
Social Engineering
Phishing Stories
Automating extraction from malware and recent campaign analysis
DDoS Common Approaches and Failings
Absolute Security
How much training should staff have on cyber security?
USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems
Cyber Essentials Scheme
Webinar – PCI Version 3.0: Are you ready?
Webinar: 4 Secrets to a Robust Incident Response Plan
Cloud Security Presentation
Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions
Memory Gap
44Con2013Game
creep-web-app-scanner
ncccodenavi
Pip3line
typofinder
DIBF – Updated
IODIDE
CECSTeR
cisco-SNMP-enumeration
dotnetpaddingoracle
dotnetpefuzzing
easyda
EDIDFuzzer
Fat-Finger
firstexecution
grepify
FrisbeeLite
State-of-the-art email risk
Ransomware: what organisations can do to survive
hostresolver
lapith
metasploitavevasion
Maritime Cyber Security: Threats and Opportunities
IP-reputation-snort-rule-generator
The L4m3ne55 of Passw0rds: Notes from the field
Mature Security Testing Framework
Exporting Non-Exportable RSA Keys
Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
The role of security research in improving cyber security
Self-Driving Cars- The future is now…
They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces
Mobile apps and security by design
The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning
USB Undermining Security Barriers:further adventures with USB
Software Security Austerity Security Debt in Modern Software Development
RSA Conference – Mobile Threat War Room
Finding the weak link in binaries
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms
Harnessing GPUs Building Better Browser Based Botnets
The Browser Hacker’s Handbook
SQL Server Security
The Database Hacker’s Handbook
Social Engineering Penetration Testing
Public Report – Matrix Olm Cryptographic Review
Research Insights Volume 8 – Hardware Design: FPGA Security Risks
Zcash Cryptography and Code Review
Optimum Routers: Researching Managed Routers
Peeling back the layers on defence in depth…knowing your onions
End-of-life pragmatism
iOS Instrumentation Without Jailbreak
The Password is Dead, Long Live the Password!
Microsoft Office Memory Corruption Vulnerability
Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Elephant in the Boardroom Survey 2016
A Peek Behind the Great Firewall of Russia
Avoiding Pitfalls Developing with Electron
Flash local-with-filesystem Bypass in navigateToURL
D-Link routers vulnerable to Remote Code Execution (RCE)
iOS Application Security: The Definitive Guide for Hackers and Developers
The Mobile Application Hacker’s Handbook
Research Insights Volume 9 – Modern Security Vulnerability Discovery
Post-quantum cryptography overview
The CIS Security Standard for Docker available now
An adventure in PoEKmon NeutriGo land
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition
How will GDPR impact your communications?
Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Multiple security vulnerabilities in SAP NetWeaver BSP Logon
The Automotive Threat Modeling Template
My name is Matt – My voice is my password
Ransomware: How vulnerable is your system?
NCC Group WhitepaperUnderstanding and HardeningLinux ContainersJune 29, 2016 – Version 1.1
My Hash is My Passport: Understanding Web and Mobile Authentication
Project Triforce: Run AFL on Everything!
Writing Exploits for Win32 Systems from Scratch
How to Backdoor Diffie-Hellman
Local network compromise despite good patching
Sakula: an adventure in DLL planting
When a Trusted Site in Internet Explorer was Anything But
GSM/GPRS Traffic Interception for Penetration Testing Engagements
An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an Oracle
Creating a Safer OAuth User Experience
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Aurora Response Recommendations
Blind Security Testing – An Evolutionary Approach
Building Security In: Software Penetration Testing
Cleaning Up After Cookies
Command Injection in XML Signatures and Encryption
Common Flaws of Distributed Identity and Authentication Systems
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Developing Secure Mobile Applications for Android
Exposing Vulnerabilities in Media Software
Hunting SQL Injection Bugs
IAX Voice Over-IP Security
ProxMon: Automating Web Application Penetration Testing
iSEC’s Analysis of Microsoft’s SDL and its ROI
Secure Application Development on Facebook
Secure Session Management With Cookies for Web Applications
Security Compliance as an Engineering Discipline
Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
Exploiting Rich Content
HTML5 Security The Modern Web Browser Perspective
An Introduction to Authenticated Encryption
Attacks on SSL
Content Security Policies Best Practices
Windows Phone 7 Application Security Survey
Browser Extension Password Managers
Introducing idb-Simplified Blackbox iOS App Pentesting
Login Service Security
The factoring dead: Preparing for the cryptopocalypse
Auditing Enterprise Class Applications and Secure Containers on Android
Early CCS Attack Analysis
Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver URSA
Perfect Forward Security
Internet of Things Security
Secure Messaging for Normal People
Understanding and Hardening Linux Containers
Adventures in Windows Driver Development: Part 1
Private sector cyber resilience and the role of data diodes
From CSV to CMD to qwerty
General Data Protection Regulation – are you ready?
Business Insights: Cyber Security in the Financial Sector
The Importance of a Cryptographic Review
osquery Application Security Assessment Public Report
Sysinternals SDelete: When Secure Delete Fails
Ricochet Security Assessment Public Report
Breaking into Security Research at NCC Group
Building Systems from Commercial Components
Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices
Secure Coding in C and C++
CERT Oracle Secure Coding Standard for Java
CERT C Secure Coding Standard
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code
Secure Coding in C and C++, 2nd Edition
Building WiMap the Wi-Fi Mapping Drone
The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems
Secure Coding Rules for Java LiveLessons, Part 1
Fuzzing the Easy Way Using Zulu
Hacking Displays Made Interesting
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols
44CON Workshop – How to assess and secure iOS apps
Payment Card Industry Data Security Standard (PCI DSS) A Navigation and Explanation of Changes from v2.0 to v3.0
Mobile World Congress – Mobile Internet of Things
Practical SME security on a shoestring
BlackHat Asia USB Physical Access
How we breach network infrastructures and protect them
Hacking a web application
Batten down the hatches: Cyber threats facing DP operations
Threats and vulnerabilities within the Maritime and shipping sectors
Distributed Ledger (Blockchain) Security and Quantum Computing Implications
Abusing Privileged and Unprivileged Linux Containers
A few notes on usefully exploiting libstagefright on Android 5.x
NCC Con Europe 2016
Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
Exploiting CVE-2014-0282
Car Parking Apps Vulnerable To Hacks
eBook – Do you know how your organisation would react in a real-world attack scenario?
Erlang Security 101
SysAid Helpdesk blind SQL injection
SysAid Helpdesk stored XSS
Virtual Access Monitor Multiple SQL Injection Vulnerabilities
Whatsupgold Premium Directory traversal
Windows remote desktop memory corruptoin leading to RCE on XPSP3
Windows USB RNDIS driver kernel pool overflow
Drones: Detect, Identify, Intercept, and Hijack
Introducing Chuckle and the Importance of SMB Signing
Threat Intelligence: Benefits for the Enterprise
Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle
Secure Device Manufacturing: Supply Chain Security Resilience
eBook – Planning a robust incident response process
HDMI Ethernet Channel
Advanced SQL Injection in SQL Server Applications
USB keyboards by post – use of embedded keystroke injectors to bypass autorun restrictions on modern desktop operating systems
ASP.NET Security and the Importance of KB2698981 in Cloud Environments
Xen HYPERVISOR_xen_version stack memory revelation
Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
SysAid Helpdesk Pro – Blind SQL Injection
Symantec Messaging Gateway SSH with backdoor user account + privilege escalation to root due to very old Kernel
Symantec Messaging Gateway Out of band stored XSS delivered by email
Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for example)
Symantec Messaging Gateway Arbitrary file download is possible with a crafted URL (authenticated)
Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports
Symantec Backup Exec 2012 – OS version and service pack information leak
Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs
Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Squiz CMS File Path Traversal
Solaris 11 USB Hub Class descriptor kernel stack overflow
SmarterMail – Stored XSS in emails
Remote code execution in ImpressPages CMS
OS X 10.6.6 Camera Raw Library Memory Corruption
Oracle Java Installer Adds a System Path Which is Writable by All
Oracle Hyperion 11 Directory Traversal
Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
Nessus Authenticated Scan – Local Privilege Escalation
NCC Group Malware Technical Note
Nagios XI Network Monitor – Stored and Reflective XSS
Multiple Vulnerabilities in MailEnable
Microsoft Internet Explorer CMarkup Use-After-Free
McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators
McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI
iOS 7 arbitrary code execution in kernel mode
Understanding Microsoft Word OLE Exploit Primitives
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817
Vehicle Emissions and Cyber Security
Research Insights Volume 6: Common Issues with Environment Breakouts
Does TypeScript Offer Security Improvements Over JavaScript?
Common Security Issues in Financially-Oriented Web Applications
Research Insights Volume 3 – How are we breaking in: Mobile Security
Build Your Own Wi-Fi Mapping Drone Capability
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
Password and brute-force mitigation policies
Understanding Ransomware: Impact, Evolution and Defensive Strategies
libtalloc: A GDB plugin for analysing the talloc heap
Lumension Device Control (formerly Sanctuary) remote memory corruption
LibAVCodec AMV Out of Array Write
Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass
Flash security restrictions bypass: File upload by URLRequest
Immunity Debugger Buffer Overflow
DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Cups-filters remote code execution
Critical Risk Vulnerability in SAP Message Server (Heap Overflow)
Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)
Cisco VPN Client Privilege Escalation
Cisco IPSec VPN Implementation Group Name Enumeration
Blue Coat BCAAA Remote Code Execution Vulnerability
BlackBerry Link WebDav Server Bound to the BlackBerry VPN Adapter
Bit51 Better Security WP Security Plugin – Unauthenticated Stored XSS to RCE
Back Office Web Administration Authentication Bypass
AtHoc Toolbar
ASE 12.5.1 datatype overflow
Archived Technical Advisories
Apple QuickTime Player m4a Processing Buffer Overflow
Apple OSX/iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow
Apple Mac OS X ImageIO TIFF Integer Overflow
Apple CoreAnimation Heap Overflow
Writing Small Shellcode
Writing Secure ASP Scripts
Windows 2000 Format String Vulnerabilities
The Pentesters Guide to Akamai
Adobe flash sandbox bypass to navigate to local drives
Adobe Flash Player Cross Domain Policy Bypass
Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
Tool Release: Introducing opinel: Scout2’s favorite tool
Broadcasting your attack – DAB security
Modelling Threat Actor Phishing Behaviour
Research Insights Volume 7: Exploitation Advancements
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
The Demise of Signature Based Antivirus
Stopping Automated Attack Tools
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond
Security Best Practice: Host Naming & URL Conventions
Securing PL/SQL Applications with DBMS_ASSERT
Second-Order Code Injection Attacks
Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions 2013
Research Insights Volume 4 – Sector Focus: Maritime Sector
Research Insights Volume 2 – Defensive Trends
Research Insights Volume 1 – Sector Focus: Financial Services
Quantum Cryptography – A Study Into Present Technologies and Future Applications
Protecting stored cardholder data (an unofficial supplement to PCI DSS V3.0)
Preparing for Cyber Battleships – Electronic Chart Display and Information System Security
Passive Information Gathering – The Analysis of Leaked Network Security Information
Oracle Passwords and OraBrute
Oracle Forensics Part 7 Using the Oracle System Change Number in Forensic Investigations
Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin
Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of Auditing
Oracle Forensics Part 4: Live Response
Oracle Forensics Part 3: Isolating Evidence of Attacks Against the Authentication Mechanism
Oracle Forensics Part 2: Locating Dropped Objects
Oracle Forensics Part 1: Dissecting the Redo Logs
Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT 2000 XP
New Attack Vectors and a Vulnerability Dissection of MS03-007
More Advanced SQL Injection
Microsoft’s SQL Server vs. Oracle’s RDBMS
Microsoft SQL Server Passwords
Low Cost Attacks on Smart Cards – The Electromagnetic Side-Channel
Lessons learned from 50 bugs: Common USB driver vulnerabilities
Inter-Protocol Exploitation
Inter-Protocol Communication
Improving your Network and Application Assurance Strategy in an environment of increasing 0day vulnerabilities
Implementing and Detecting a PCI Rootkit
How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit
Hackproofing Oracle Application Server
Hackproofing MySQL
Hackproofing Lotus Domino Web Server
Hacking Appliances: Ironic exploits in security products
Fuzzing USB devices using Frisbee Lite
HDMI – Hacking Displays Made Interesting
Exploiting Security Gateways Via Web Interfaces
Research Insights Volume 5 – Sector Focus: Automotive
The why behind web application penetration test prerequisites
Blackbox iOS App Assessments Using idb
Cyber red-teaming business-critical systems while managing operational risk
Blind Return Oriented Programming
Username enumeration techniques and their value
IAM user management strategy (part 2)
Faux Disk Encryption: Realities of Secure Storage On Mobile Devices
Some Notes About the Xen XSA-122 Bug
USB attacks need physical access right? Not any more…
Image IO Memory Corruption
Threat Profiling Microsoft SQL Server
Thin Clients: Slim Security
Impress Pages CMS Remote Code Execution
The Phishing Guide: Understanding & Preventing Phishing Attacks
Lumension Device Control Remote Memory Corruption
McAfee Email and Web Security Appliance Active session tokens of other users are disclosed within the UI
McAfee Email and Web Security Appliance Any logged-in user can bypass controls to reset passwords of other administrators
Bypassing Oracle DBMS_ASSERT (in certain situations)
McAfee Email and Web Security Appliance Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance Reflective XSS allowing an attacker to gain session tokens
McAfee Email and Web Security Appliance Session hijacking and bypassing client-side session timeouts
Medium Risk Vulnerability in Symantec Enterprise Security Management
Medium Risk Vulnerability in Symantec Network Access Control
Nagios XI Network Monitor Stored and Reflected XSS
NX Server for Linux Arbitrary Files can be read with root privileges
Oracle 11g TNS listener remote Invalid Pointer Read
Oracle 11g TNS listener remote Null Pointer Dereference
Oracle Retail Integration Bus Manager Directory Traversal
Oracle Retail Invoice Manager SQL Injection
OS X Lion USB Hub Class Descriptor Arbitrary Code Execution
PRTG Network Monitor Command injection
Samba Andx Request Remote Code Execution
Enter a search term
Search
Breaking Pedersen Hashes in Practice
A Race to Report a TOCTOU: Analysis of a Bug Collision in Intel SMM
Making New Connections – Leveraging Cisco AnyConnect Client to Drop and Run Payloads
A Primer On Slowable Encoders
Threat Spotlight – Hydra
Rustproofing Linux (Part 4/4 Shared Memory)
Rustproofing Linux (Part 3/4 Integer Overflows)
Security Code Review With ChatGPT
Rustproofing Linux (Part 2/4 Race Conditions)
Readable Thrift
Building WiMap the Wi-Fi Mapping Drone
Fuzzing the Easy Way Using Zulu
Exploiting CVE-2014-0282
Rustproofing Linux (Part 1/4 Leaking Addresses)
Machine Learning 102: Attacking Facial Authentication with Poisoned Data
Threat Modelling Cloud Platform Services by Example: Google Cloud Storage
Using Semgrep with Jupyter Notebook files
Announcing NCC Group’s Cryptopals Guided Tour: Set 2
Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)
Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)
Project Bishop: Clustering Web Pages
Puckungfu: A NETGEAR WAN Command Injection
MeshyJSON: A TP-Link tdpServer JSON Stack Overflow
Machine Learning 101: The Integrity of Image (Mis)Classification?
Replicating CVEs with KLEE
Public Report – VPN by Google One Security Assessment
Public Report – Confidential Space Security Review
Exploring Prompt Injection Attacks
So long and thanks for all the 0day
A jq255 Elliptic Curve Specification, and a Retrospective
Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)
Tool Release – Web3 Decoder Burp Suite Extension
Tales of Windows detection opportunities for an implant framework
Check out our new Microcorruption challenges!
Toner Deaf – Printing your next persistence (Hexacon 2022)
Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes
Public Report – IOV Labs powHSM Security Assessment
Shining New Light on an Old ROM Vulnerability: Secure Boot Bypass via DCD and CSF Tampering on NXP i.MX Devices
A glimpse into the shadowy realm of a Chinese APT: detailed analysis of a ShadowPad intrusion
Detecting Mimikatz with Busylight
Whitepaper – Project Triforce: Run AFL On Everything (2017)
Tool Release – Project Kubescout: Adding Kubernetes Support to Scout Suite
Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)
A Guide to Improving Security Through Infrastructure-as-Code
Tool Release – ScoutSuite 5.12.0
Public Report – Penumbra Labs Decaf377 Implementation and Poseidon Parameter Selection Review
Tool Release – Monkey365
Sharkbot is back in Google Play
Constant-Time Data Processing At a Secret Offset, Privacy and QUIC
There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities
Conference Talks – September/October 2022
SETTLERS OF NETLINK: Exploiting a limited UAF in nf_tables (CVE-2022-32250)
Writing FreeBSD Kernel Modules in Rust
NCC Con Europe 2022 – Pwn2Own Austin Presentations
Tool Release – JWT-Reauth
Back in Black: Unlocking a LockBit 3.0 Ransomware Attack
Wheel of Fortune Outcome Prediction – Taking the Luck out of Gambling
Detecting DNS implants: Old kitten, new tricks – A Saitama Case Study
Implementing the Castryck-Decru SIDH Key Recovery Attack in SageMath
Top of the Pops: Three common ransomware entry techniques
NCC Group Research at Black Hat USA 2022 and DEF CON 30
Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)
NIST Selects Post-Quantum Algorithms for Standardization
Climbing Mount Everest: Black-Byte Bytes Back?
Five Essential Machine Learning Security Papers
Whitepaper – Practical Attacks on Machine Learning Systems
Flubot: the evolution of a notorious Android Banking Malware
Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link
Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
Understanding the Impact of Ransomware on Patient Outcomes – Do We Know Enough?
Public Report – Threshold ECDSA Cryptography Review
Exception Handling and Data Integrity in Salesforce
Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)
Shining the Light on Black Basta
Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)
NCC Group’s Jeremy Boone recognized for Highest Quality and Most Eligible Reports through the Intel Circuit Breaker program
Conference Talks – June 2022
Hardware Security By Design: ESP32 Guidance
Public Report – Lantern and Replica Security Assessment
NCC Group’s Juan Garrido named to Microsoft’s MSRC Office Security Researcher Leaderboard
Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection ( CVE-2022-31794 and CVE-2022-31795)
Public Report – go-cose Security Assessment
Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)
Metastealer – filling the Racoon void
earlyremoval, in the Conservatory, with the Wrench: Exploring Ghidra’s decompiler internals to make automatic P-Code analysis scripts
Tool Release – Ghostrings
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks
Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)
North Korea’s Lazarus: their initial access trade-craft using social media and social engineering
Adventures in the land of BumbleBee – a new malicious loader
LAPSUS$: Recent techniques, tactics and procedures
Real World Cryptography Conference 2022
Mitigating the top 10 security threats to GCP using the CIS Google Cloud Platform Foundation Benchmark
A brief look at Windows telemetry: CIT aka Customer Interaction Tracker
Public Report – Google Enterprise API Security Assessment
Conti-nuation: methods and techniques observed in operations post the leaks
Whitepaper – Double Fetch Vulnerabilities in C and C++
Mining data from Cobalt Strike beacons
Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)
Tool Release – ScoutSuite 5.11.0
Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)
Microsoft announces the WMIC command is being retired, Long Live PowerShell
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store
BrokenPrint: A Netgear stack overflow
Conference Talks – March 2022
Hardware & Embedded Systems: A little early effort in security can return a huge payoff
Public Report – O(1) Labs Mina Client SDK, Signature Library and Base Components Cryptography and Implementation Review
Analyzing a PJL directory traversal vulnerability – exploiting the Lexmark MC3224i printer (part 2)
Shaking The Foundation of An Online Collaboration Tool: Microsoft 365 Top 5 Attacks vs the CIS Microsoft 365 Foundation Benchmark
Bypassing software update package encryption – extracting the Lexmark MC3224i printer firmware (part 1)
Detecting Karakurt – an extortion focused threat actor
BAT: a Fast and Small Key Encapsulation Mechanism
A deeper dive into CVE-2021-39137 – a Golang security bug that Rust would have prevented
Estimating the Bit Security of Pairing-Friendly Curves
Testing Infrastructure-as-Code Using Dynamic Tooling
Machine Learning for Static Analysis of Malware – Expansion of Research Scope
10 real-world stories of how we’ve compromised CI/CD pipelines
Impersonating Gamers With GPT-2
NCC Group’s 2021 Annual Research Report
Tool Release – insject: A Linux Namespace Injector
Detecting anomalous Vectored Exception Handlers on Windows
On the malicious use of large language models like GPT-3
Exploring the Security & Privacy of Canada’s Digital Proof of Vaccination Programs
Tool Update – ruby-trace: A Low-Level Tracer for Ruby
Tool Release – shouganaiyo-loader: A Tool to Force JVM Attaches
Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)
Choosing the Right MCU for Your Embedded Device — Desired Security Features of Microcontrollers
FPGAs: Security Through Obscurity?
Public Report – WhatsApp opaque-ke Cryptographic Implementation Review
log4j-jndi-be-gone: A simple mitigation for CVE-2021-44228
Log4Shell: Reconnaissance and post exploitation network detection
Announcing NCC Group’s Cryptopals Guided Tour!
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS
Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)
Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)
Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)
Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)
Why IoT Security Matters
Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)
Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm
Tracking a P2P network related to TA505
Conference Talks – December 2021
Public Report – Zendoo Proof Verifier Cryptography Review
An Illustrated Guide to Elliptic Curve Cryptography Validation
Exploit the Fuzz – Exploiting Vulnerabilities in 5G Core Networks
POC2021 – Pwning the Windows 10 Kernel with NTFS and WNF Slides
Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)
“We wait, because we know you.” Inside the ransomware negotiation economics.
Detection Engineering for Kubernetes clusters
Vaccine Misinformation Part 1: Misinformation Attacks as a Cyber Kill Chain
Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)
TA505 exploits SolarWinds Serv-U vulnerability (CVE-2021-35211) for initial access
Public Report – Zcash NU5 Cryptography Review
The Next C Language Standard (C23)
Conference Talks – November 2021
Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)
Public Report – WhatsApp End-to-End Encrypted Backups Security Assessment
Cracking RDP NLA Supplied Credentials for Threat Intelligence
Detecting and Protecting when Remote Desktop Protocol (RDP) is open to the Internet
Enterprise-scale seamless onboarding and deployment of Azure Sentinel using Lighthouse for multi-tenant environments
Cracking Random Number Generators using Machine Learning – Part 2: Mersenne Twister
Cracking Random Number Generators using Machine Learning – Part 1: xorshift128
NCC Group placed first in global 5G Cyber Security Hack competition
Paradoxical Compression with Verifiable Delay Functions
A Look At Some Real-World Obfuscation Techniques
SnapMC skips ransomware, steals data
The Challenges of Fuzzing 5G Protocols
Reverse engineering and decrypting CyberArk vault credential files
Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)
Assessing the security and privacy of Vaccine Passports
Technical Advisory – NULL Pointer Derefence in McAfee Drive Encryption (CVE-2021-23893)
Conference Talks – October 2021
Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)
Detecting and Hunting for the PetitPotam NTLM Relay Attack
Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)
Optimizing Pairing-Based Cryptography: Montgomery Multiplication in Assembly
CertPortal: Building Self-Service Secure S/MIME Provisioning Portal
NSA & CISA Kubernetes Security Guidance – A Critical Review
Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery
Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy
Conference Talks – September 2021
The ABCs of NFC chip security
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 2
Disabling Office Macros to Reduce Malware Infections
Some Musings on Common (eBPF) Linux Tracing Bugs
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)
Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)
Practical Considerations of Right-to-Repair Legislation
Technical Advisory – ICTFAX 7-4 – Indirect Object Reference
Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)
Detecting and Hunting for the Malicious NetFilter Driver
CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1
NCC Group Research at Black Hat USA 2021 and DEF CON 29
Alternative Approaches for Fault Injection Countermeasures (Part 3/3)
Software-Based Fault Injection Countermeasures (Part 2/3)
An Introduction to Fault Injection (Part 1/3)
Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)
Exploiting the Sudo Baron Samedit vulnerability (CVE-2021-3156) on VMWare vCenter Server 7.0
Technical Advisory – Shop app sends pasteboard data to Shopify’s servers
Tool Release – Reliably-checked String Library Binding
Are you oversharing (in Salesforce)? Our new tool could sniff it out!
Exploit mitigations: keeping up with evolving and complex software/hardware
NCC Group co-signs the Electronic Frontier Foundation’s Statement on DMCA Use Against Security Researchers
Handy guide to a new Fivehands ransomware variant
On the Use of Pedersen Commitments for Confidential Payments
Incremental Machine Learning by Example: Detecting Suspicious Activity with Zeek Data Streams, River, and JA3 Hashes
Testing Two-Factor Authentication
Optimizing Pairing-Based Cryptography: Montgomery Arithmetic in Rust
Research Paper – Machine Learning for Static Malware Analysis, with University College London
Conference Talks – June 2021
Public Report – Protocol Labs Groth16 Proof Aggregation: Cryptography and Implementation Review
iOS User Enrollment and Trusted Certificates
Detecting Rclone – An Effective Tool for Exfiltration
Supply Chain Security Begins with Secure Software Development
Toxic Tokens: Using UUIDs for Authorization is Dangerous (even if they’re cryptographically random)
Public Report – Dell Secured Component Verification
RM3 – Curiosities of the wildest banking malware
Conference Talks – May 2021
A Census of Deployed Pulse Connect Secure (PCS) Versions
NCC Group’s Upcoming Trainings at Black Hat USA 2021
Public Report – VPN by Google One: Technical Security & Privacy Assessment
Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup
Tool Release – Principal Mapper v1.1.0 Update
SAML XML Injection
The Future of C Code Review
RIFT: Detection capabilities for recent F5 BIG-IP/BIG-IQ iControl REST API vulnerabilities CVE-2021-22986
Tool Release – Solitude: A privacy analysis tool
Deception Engineering: exploring the use of Windows Installer Packages against first stage payloads
Lending a hand to the community – Covenant v0.7 Updates
Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)
Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches
Deception Engineering: exploring the use of Windows Service Canaries against ransomware
Wubes: Leveraging the Windows 10 Sandbox for Arbitrary Processes
Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)
Cryptopals: Exploiting CBC Padding Oracles
Investigating Potential Security Vulnerability Manifestation through Various Analyses & Inferences Regarding Internet RFCs (and how RFC Security might be Improved)
NCC Group’s 2020 Annual Research Report
Conference Talks – February/March 2021
Software Verification and Analysis Using Z3
Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)
Real World Cryptography Conference 2021: A Virtual Experience
RIFT: Analysing a Lazarus Shellcode Execution Method
MSSQL Lateral Movement
Public Report – BLST Cryptographic Implementation Review
Sign over Your Hashes – Stealing NetNTLM Hashes via Outlook Signatures
Abusing cloud services to fly under the radar
Building an RDP Credential Catcher for Threat Intelligence
Double-odd Elliptic Curves
Using AWS and Azure for Cost Effective Log Ingestion with Data Processing Pipelines for SIEMs
Domestic IoT Nightmares: Smart Doorbells
Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)
Helping Engineering Teams Tackle Security Debt in Embedded Systems: U-Boot Configuration Auditing Introduced in Depthcharge v0.2.0
An Adventure in Contingency Debugging: Ruby IO#read/IO#write Considered Harmful
ABSTRACT SHIMMER (CVE-2020-15257): Host Networking is root-Equivalent, Again
Tool Release – HTTPSignatures: A Burp Suite Extension Implementing HTTP Signatures
ICS/OT Security & the evolution of the Purdue Model: Integrating Industrial and Business Networks
Tool Release – Carnivore: Microsoft External Assessment Tool
Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)
Conference Talks – December 2020
TA505: A Brief History Of Their Time
Decrypting OpenSSH sessions for fun and profit
Past, Present and Future of Effective C
Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)
Technical Advisory: Command Injection
Conference Talks – November 2020
Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)
Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)
Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)
Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)
Public Report – Filecoin Bellman and BLS Signatures Cryptographic Review
Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)
There’s A Hole In Your SoC: Glitching The MediaTek BootROM
RIFT: F5 CVE-2020-5902 and Citrix CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 honeypot data release
Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)
Tool – Windows Executable Memory Page Delta Reporter
Salesforce Security with Remote Working
Tool Release – ScoutSuite 5.10
Conference Talks – October 2020
Tool Release – ICPin, an integrity-check and anti-debug detection pintool
Faster Modular Inversion and Legendre Symbol, and an X25519 Speed Record
Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)
Online Casino Roulette – A guideline for penetration testers and security researchers
Extending a Thinkst Canary to become an interactive honeypot
StreamDivert: Relaying (specific) network connections
Public Report – Electric Coin Company NU4 Cryptographic Specification and Implementation Review
Machine learning from idea to reality: a PowerShell case study
Conference Talks – September 2020
Whitepaper – Exploring the Security of KaiOS Mobile Applications
Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)
Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications
Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application
Immortalising 20 Years of Epic Research
Pairing over BLS12-381, Part 3: Pairing!
Public Report – Pixel 4/4XL and Pixel 4a ioXt Audit
NCC Group researchers named amongst MSRC’s Most Valuable Security Researchers in 2020
Lights, Camera, HACKED! An insight into the world of popular IP Cameras
Conference Talks – August 2020
Tool Release – Winstrument: An Instrumentation Framework for Windows Application Assessments
Tool Release: Sinking U-Boots with Depthcharge
Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera
Public Report – Qredo Apache Milagro MPC Cryptographic Assessment
Pairing over BLS12-381, Part 2: Curves
Understanding the root cause of F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902
RIFT: Citrix ADC Vulnerabilities CVE-2020-8193, CVE-2020-8195 and CVE-2020-8196 Intelligence
An offensive guide to the Authorization Code grant
Technical Advisory – KwikTag Web Admin Authentication Bypass
Pairing over BLS12-381, Part 1: Fields
RIFT: F5 Networks K52145254: TMUI RCE vulnerability CVE-2020-5902 Intelligence
Experiments in Extending Thinkst Canary – Part 1
Tool Release – ScoutSuite 5.9.0
Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)
Paper: Thematic for Success in Real-World Offensive Cyber Operations – How to make threat actors work harder and fail more often
How-to: Importing WStalker CSV (and more) into Burp Suite via Import to Sitemap Extension
Tool: WStalker – an easy proxy to support Web API assessments
Security Considerations of zk-SNARK Parameter Multi-Party Computation
WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group
Tool Release – Socks Over RDP Now Works With Citrix
Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability
Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption
Cyber Security of New Space Paper
In-depth analysis of the new Team9 malware family
Common Insecure Practices with Configuring and Extending Salesforce
Exploring DeepFake Capabilities & Mitigation Strategies with University College London
Game Security
Exploring macOS Calendar Alerts: Part 2 – Exfiltrating data (CVE-2020-3882)
Research Report – Zephyr and MCUboot Security Assessment
CVE-2018-8611 Exploiting Windows KTM Part 5/5 – Vulnerability detection and a better read/write primitive
CVE-2018-8611 Exploiting Windows KTM Part 4/5 – From race win to kernel read and write primitive
Using SharePoint as a Phishing Platform
Public Report – Coda Cryptographic Review
Shell Arithmetic Expansion and Evaluation Abuse
CVE-2018-8611 Exploiting Windows KTM Part 3/5 – Triggering the race condition and debugging tricks
Tool Release – Socks Over RDP
Exploring macOS Calendar Alerts: Part 1 – Attempting to execute code
CVE-2018-8611 Exploiting Windows KTM Part 2/5 – Patch analysis and basic triggering
Practical Machine Learning for Random (Filename) Detection
Curve9767 and Fast Signature Verification
CVE-2018-8611 Exploiting Windows KTM Part 1/5 – Introduction
The Extended AWS Security Ramp-Up Guide
Code Patterns for API Authorization: Designing for Security
Order Details Screens and PII
How cryptography is used to monitor the spread of COVID-19
Rise of the Sensors: Securing LoRaWAN Networks
C Language Standards Update – Zero-size Reallocations are Undefined Behavior
IETF Draft: Indicators of Compromise and Their Role in Attack and Defen[c|s]e
Exploring Verifiable Random Functions in Code
Crave the Data: Statistics from 1,300 Phishing Campaigns
Impact of DNS over HTTPS (DoH) on DNS Rebinding Attacks
Tool Release – ScoutSuite 5.8.0
Whitepaper – Coinbugs: Enumerating Common Blockchain Implementation-Level Vulnerabilities
Smart Contracts Inside SGX Enclaves: Common Security Bug Patterns
LDAPFragger: Bypassing network restrictions using LDAP attributes
Threat Actors: exploiting the pandemic
A Survey of Istio’s Network Security Features
Conference Talks – March 2020
Public Report – RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review
Reviewing Verifiable Random Functions
CVE-2018-8611 – Diving into the Windows Kernel Transaction Manager (KTM) for fun and exploitation
Whitepaper – Microcontroller Readback Protection: Bypasses and Defenses
Improving Software Security through C Language Standards
Whitepaper – A Tour of Curve 25519 in Erlang
Deep Dive into Real-World Kubernetes Threats
Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)
Interfaces.d to RCE
Properly Signed Certificates on CPE Devices
Conference Talks – February 2020
Tool Release – Collaborator++
Public Report – Electric Coin Company NU3 Specification and Blossom Implementation Audit
Tool Release – Enumerating Docker Registries with go-pillage-registries
Conference Talks – January 2020
Passive Decryption of Ethereum Peer-to-Peer Traffic
On Linux’s Random Number Generation
Demystifying AWS’ AssumeRole and sts:ExternalId
Welcome to the new NCC Group Global Research blog
Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients
Security impact of IoT on the Enterprise
Secure Device Provisioning Best Practices: Heavy Truck Edition
CVE-2019-1405 and CVE-2019-1322 – Elevation to SYSTEM via the UPnP Device Host Service and the Update Orchestrator Service
Padding the struct: How a compiler optimization can disclose stack memory
Embedded Device Security Certifications
An Introduction to Ultrasound Security Research
PhanTap (Phantom Tap): Making networks spookier one packet at a time
An Introduction to Quantum Computing for Security Professionals
Sniffle: A Sniffer for Bluetooth 5
Compromising a Hospital Network for £118 (Plus Postage & Packaging)
Getting Shell with XAMLX Files
Kerberos Resource-Based Constrained Delegation: When an Image Change Leads to a Privilege Escalation
Technical Advisory: Unauthenticated SQL Injection in Lansweeper
Jenkins Plugins and Core Technical Summary Advisory
Technical Advisory: Multiple Vulnerabilities in Ricoh Printers
Technical Advisory: Multiple Vulnerabilities in Brother Printers
Technical Advisory: Multiple Vulnerabilities in Xerox Printers
Technical Advisory: Multiple Vulnerabilities in Kyocera Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 10: Efficacy Demonstration, Project Conclusion and Next Steps
Technical Advisory: Multiple Vulnerabilities in HP Printers
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 9: Adventures with Expert Systems
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 8: Development of Prototype #4 – Building on Takaesu’s Approach with Focus on XSS
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 7: Development of Prototype #3 – Adventures in Anomaly Detection
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 6: Development of Prototype #2 – Creating a SQLi PoC
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 5: Development of Prototype #1 – Text Processing and Semantic Relationships
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 4: Architecture and Design
Technical Advisory – Authorization Bypass Allows for Pinboard Corruption
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 3: Understanding Existing Approaches and Attempts
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 2: Going off on a Tangent – AI/ML Applications in Social Engineering
Project Ava: On the Matter of Using Machine Learning for Web Application Security Testing – Part 1: Understanding the Basics and What Platforms and Frameworks Are Available
Technical Advisory: Multiple Vulnerabilities in Lexmark Printers
Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation
Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability
The Sorry State of Aftermarket Head Unit Security
Cyber Security in UK Agriculture
NCC Group Connected Health Whitepaper July 2019
Story of a Hundred Vulnerable Jenkins Plugins
Whitepaper – Hardware-Backed Heist: Extracting ECDSA Keys from Qualcomm’s TrustZone
Technical Advisory: Multiple Vulnerabilities in SmarterMail
Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)
eBPF Adventures: Fiddling with the Linux Kernel and Unix Domain Sockets
Chafer backdoor analysis
Finding and Exploiting .NET Remoting over HTTP using Deserialisation
Technical Advisory: Multiple Vulnerabilities in MailEnable
Assessing Unikernel Security
Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability
Zcash Overwinter Consensus and Sapling Cryptography Review
Xendbg: A Full-Featured Debugger for the Xen Hypervisor
Use of Deserialisation in .NET Framework Methods and Classes
Owning the Virgin Media Hub 3.0: The perfect place for a backdoor
Nine years of bugs at NCC Group
The 9 Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS Implementations
Third party assurance
Turla PNG Dropper is back
Public cloud
Android Cloud Backup/Restore
Spectre on a Television
RokRat Analysis
Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook
Technical Advisory: Authentication Bypass in libSSH
Securing Google Cloud Platform – Ten best practices
Public Report – Android Cloud Backup/Restore
Much Ado About Hardware Implants
NCC Group’s Exploit Development Capability: Why and What
Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint
Technical Advisory: Mosquitto Broker DoS through a Memory Leak vulnerability
Improving Your Embedded Linux Security Posture With Yocto
How I did not get a shell
Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw
Singularity of Origin
Proxy Re-Encryption Protocol: IronCore Public Report
Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data
Celebrating NCC Con Europe 2018
The disadvantages of a blacklist-based approach to input validation
Securing Teradata Database
Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0
Ethics in Security Testing
Freddy: An extension for automatically identifying deserialisation issues in Java and .NET applications
Sobelow Update
House
Principal Mapper (pmapper)
Return of the hidden number problem
Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries
CVE-2017-8570 RTF and the Sisfader RAT
Mallory: Transparent TCP and UDP Proxy
Mallory and Me: Setting up a Mobile Mallory Gateway
CyberVillainsCA
DECTbeacon
Fuzzbox
Gizmo
HTTP Profiler
Intent Sniffer
Intent Fuzzer
iSEC Partners Releases SSLyze
Jailbreak
Manifest Explorer
Package Play
ProxMon
pySimReader
SAML Pummel
SecureBigIP
SecureCisco
SecureCookies
SecureIE.ActiveX
WebRATS
AWS Inventory: A tool for mapping AWS resources
Extractor
CMakerer: A small tool to aid CLion’s indexing
Emissary Panda – A potential new malicious tool
SMB hash hijacking & user tracking in MS Outlook
Testing HTTP/2 only web services
Windows IPC Fuzzing Tools
WSBang
WSMap
Nerve
Ragweed
File Fuzzers
Kivlad
Android SSL Bypass
Hiccupy
iOS SSL Killswitch
The SSL Conservatory
TLSPretense — SSL/TLS Client Testing Framework
tcpprox
YoNTMA
Tattler
PeachFarmer
Android-KillPermAndSigChecks
Android-OpenDebug
Android-SSL-TrustKiller
Introspy for Android
RtspFuzzer
SSLyze v0.8
NCLoader
IG Learner Walkthrough
Forensic Fuzzing Tools
Security First Umbrella
Autochrome
WSSiP: A Websocket Manipulation Proxy
AssetHook
Call Map: A Tool for Navigating Call Graphs in Python
Sobelow: Static analysis for the Phoenix Framework
G-Scout
Decoder Improved Burp Suite Plugin
Python Class Informer: an IDAPython plugin for viewing run-time type information (RTTI)
AutoRepeater: Automated HTTP Request Repeating With Burp Suite
TPM Genie
Open Banking: Security considerations & potential risks
scenester
port-scan-automation
Windows DACL Enum Project
umap
Shocker
Zulu
whitebox
vlan-hopping
tybocer
xcavator
WindowsJobLock
Azucar
Readable Thrift
Introducing Azucar
Decoding network data from a Gh0st RAT variant
Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central
Discovering Smart Contract Vulnerabilities with GOATCasino
BLEBoy
APT15 is Alive and Strong: An Analysis of RoyalCli and RoyalDNS
TPM Genie: Interposer Attacks Against the Trusted Platform Module Serial Bus
Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products
Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector
Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin
Spectre and Meltdown: What you Need to Know
The economics of defensive security
HIDDEN COBRA Volgmer: A Technical Analysis
Integrity destroying malicious code for financial or geopolitical gain: A vision of the future?
Kubernetes Security: Consider Your Threat Model
Mobile & web browser credential management: Security implications, attack cases & mitigations
SOC maturity & capability
Automated Reverse Engineering of Relationships Between Data Structures in C++ Binaries
Pointer Sequence Reverser (PSR)
Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1
Bypassing Android’s Network Security Configuration
Technical Advisory – Bomgar Remote Support – Local Privilege Escalation
Cisco ASA series part seven: Checkheaps
Adversarial Machine Learning: Approaches & defences
eBook: Breach notification under GDPR – How to communicate a personal data breach
Cisco ASA series part six: Cisco ASA mempools
The Update Framework (TUF) Security Assessment
Cisco ASA series part five: libptmalloc gdb plugin
Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE
Technical Advisory: Adobe ColdFusion Object Deserialisation RCE
Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA
Decoder Improved Burp Suite plugin release part two
Cisco ASA series part three: Debugging Cisco ASA firmware
Managing PowerShell in a modern corporate environment
Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware
Cisco ASA series part one: Intro to the Cisco ASA
EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
Technical Advisory: Authentication rule bypass
Technical Advisory – play-pac4j Authentication rule bypass
Decoder Improved Burp Suite plugin release part one
Technical advisory: Remote shell commands execution in ttyd
Poison Ivy string decryption
Securing the continuous integration process
Signaturing an Authenticode anomaly with Yara
Analysing a recent Poison Ivy sample
Endpoint connectivity
DeLux Edition: Getting root privileges on the eLux Thin Client OS
UK government cyber security guidelines for connected & autonomous vehicles
Smuggling HTA files in Internet Explorer/Edge
Database Security Brief: The Oracle Critical Patch Update for April 2007
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Data-mining with SQL Injection and Inference
The Pharming Guide – Understanding and preventing DNS related attacks by phishers
Weak Randomness Part I – Linear Congruential Random Number Generators
Exploiting PL/SQL Injection Flaws with only CREATE SESSION Privileges
Blind Exploitation of Stack Overflow Vulnerabilities
Slotting Security into Corporate Development
Creating Arbitrary Shellcode In Unicode Expanded Strings
Violating Database – Enforced Security Mechanisms
Hacking the Extensible Firmware Interface
Advanced Exploitation of Oracle PL/SQL Flaws
Firmware Rootkits: The Threat to the Enterprise
Database Security: A Christmas Carol
Defeating the Stack Based Buffer Overflow Prevention Mechanism of Microsoft Windows 2003 Server
Non-flood/non-volumetric Distributed Denial of Service (DDoS)
VoIP Security Methodology and Results
E-mail Spoofing and CDONTS.NEWMAIL
Dangling Cursor Snarfing: A New Class of Attack in Oracle
Database Servers on Windows XP and the unintended consequences of simple file sharing
DNS Pinning and Web Proxies
Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers
Which database is more secure? Oracle vs. Microsoft
Variations in Exploit methods between Linux and Windows
Using graph databases to assess the security of thingernets based on the thingabilities and thingertivity of things
Live Incident Blog: June Global Ransomware Outbreak
Beyond data loss prevention
How to protect yourself & your organisation from phishing attacks
Rise of the machines: Machine Learning & its cyber security applications
Combating Java Deserialisation Vulnerabilities with Look-Ahead Object Input Streams (LAOIS)
A WarCon 2017 Presentation: Cisco ASA – Exploiting the IKEv1 Heap Overflow – CVE-2016-1287
Latest threats to the connected car & intelligent transport ecosystem
Network Attached Security: Attacking a Synology NAS
Accessing Private Fields Outside of Classes in Java
Understanding the insider threat & how to mitigate it
Matty McMattface: Security implications, mitigations & testing strategies for biometric facial recognition systems
Setting a New Standard for Kubernetes Deployments
Encryption at rest: Not the panacea to data protection
Applying normalised compression distance for architecture classification
Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures
D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow
Fix Bounty
Unauthenticated XML eXternal Entity (XXE) vulnerability
General Data Protection Regulation: Knowing your data
Technical Advisory: Shell Injection in MacVim mvim URI Handler
Technical Advisory: Shell Injection in SourceTree
SCOMplicated? – Decrypting SCOM “RunAs” credentials
Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance
ISM RAT
Mergers & Acquisitions (M&A) cyber security due diligence
Advisory-CraigSBlackie-CVE-2016-9795
Best practices with BYOD
Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials
Compromising Apache Tomcat via JMX access
Berserko: Kerberos Authentication for Burp Suite
Java RMI Registry.bind() Unvalidated Deserialization
NCC CON Europe 2017
Understanding cyber risk management vs uncertainty with confidence in 2017
iOS MobileSlideShow USB Image Class arbitrary code execution.txt
Denial of Service in Parsing a URL by ierutil.dll
U plug, we play
SSL checklist for pentesters
Dissecting social engineering attacks
External Enumeration and Exploitation of Email and Web Security Solutions
Social Engineering
Phishing Stories
Automating extraction from malware and recent campaign analysis
DDoS Common Approaches and Failings
Absolute Security
How much training should staff have on cyber security?
USB under the bonnet: Implications of USB security vulnerabilities in vehicle systems
Cyber Essentials Scheme
Webinar – PCI Version 3.0: Are you ready?
Webinar: 4 Secrets to a Robust Incident Response Plan
Cloud Security Presentation
Webinar: SMACK, SKIP-TLS & FREAK SSL/TLS vulnerabilities
Revealing Embedded Fingerprints: Deriving intelligence from USB stack interactions
Memory Gap
44Con2013Game
creep-web-app-scanner
ncccodenavi
Pip3line
typofinder
DIBF – Updated
IODIDE
CECSTeR
cisco-SNMP-enumeration
dotnetpaddingoracle
dotnetpefuzzing
easyda
EDIDFuzzer
Fat-Finger
firstexecution
grepify
FrisbeeLite
State-of-the-art email risk
Ransomware: what organisations can do to survive
hostresolver
lapith
metasploitavevasion
Maritime Cyber Security: Threats and Opportunities
IP-reputation-snort-rule-generator
The L4m3ne55 of Passw0rds: Notes from the field
Mature Security Testing Framework
Exporting Non-Exportable RSA Keys
Black Hat USA 2015 presentation: Broadcasting your attack-DAB security
The role of security research in improving cyber security
Self-Driving Cars- The future is now…
They Ought to Know Better: Exploiting Security Gateways via their Web Interfaces
Mobile apps and security by design
The Myth of Twelve More Bytes: Security on the Post-Scarcity Internet
When Security Gets in the Way: PenTesting Mobile Apps That Use Certificate Pinning
USB Undermining Security Barriers:further adventures with USB
Software Security Austerity Security Debt in Modern Software Development
RSA Conference – Mobile Threat War Room
Finding the weak link in binaries
To dock or not to dock, that is the question: Using laptop docking stations as hardware-based attack platforms
Harnessing GPUs Building Better Browser Based Botnets
The Browser Hacker’s Handbook
SQL Server Security
The Database Hacker’s Handbook
Social Engineering Penetration Testing
Public Report – Matrix Olm Cryptographic Review
Research Insights Volume 8 – Hardware Design: FPGA Security Risks
Zcash Cryptography and Code Review
Optimum Routers: Researching Managed Routers
Peeling back the layers on defence in depth…knowing your onions
End-of-life pragmatism
iOS Instrumentation Without Jailbreak
The Password is Dead, Long Live the Password!
Microsoft Office Memory Corruption Vulnerability
Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode
Elephant in the Boardroom Survey 2016
A Peek Behind the Great Firewall of Russia
Avoiding Pitfalls Developing with Electron
Flash local-with-filesystem Bypass in navigateToURL
D-Link routers vulnerable to Remote Code Execution (RCE)
iOS Application Security: The Definitive Guide for Hackers and Developers
The Mobile Application Hacker’s Handbook
Research Insights Volume 9 – Modern Security Vulnerability Discovery
Post-quantum cryptography overview
The CIS Security Standard for Docker available now
An adventure in PoEKmon NeutriGo land
The Shellcoder’s Handbook: Discovering and Exploiting Security Holes, 2nd Edition
How will GDPR impact your communications?
Potential false redirection of web site content in Internet in SAP NetWeaver web applications
Multiple security vulnerabilities in SAP NetWeaver BSP Logon
The Automotive Threat Modeling Template
My name is Matt – My voice is my password
Ransomware: How vulnerable is your system?
NCC Group WhitepaperUnderstanding and HardeningLinux ContainersJune 29, 2016 – Version 1.1
My Hash is My Passport: Understanding Web and Mobile Authentication
Project Triforce: Run AFL on Everything!
Writing Exploits for Win32 Systems from Scratch
How to Backdoor Diffie-Hellman
Local network compromise despite good patching
Sakula: an adventure in DLL planting
When a Trusted Site in Internet Explorer was Anything But
GSM/GPRS Traffic Interception for Penetration Testing Engagements
An Adaptive-Ciphertext Attack Against “I ⊕ C” Block Cipher Modes With an Oracle
Creating a Safer OAuth User Experience
Attacking Web Service Security: Message Oriented Madness, XML Worms and Web Service Security Sanity
Aurora Response Recommendations
Blind Security Testing – An Evolutionary Approach
Building Security In: Software Penetration Testing
Cleaning Up After Cookies
Command Injection in XML Signatures and Encryption
Common Flaws of Distributed Identity and Authentication Systems
Cross Site Request Forgery: An Introduction to a Common Web Application Weakness
Developing Secure Mobile Applications for Android
Exposing Vulnerabilities in Media Software
Hunting SQL Injection Bugs
IAX Voice Over-IP Security
ProxMon: Automating Web Application Penetration Testing
iSEC’s Analysis of Microsoft’s SDL and its ROI
Secure Application Development on Facebook
Secure Session Management With Cookies for Web Applications
Security Compliance as an Engineering Discipline
Weaknesses and Best Practices of Public Key Kerberos with Smart Cards
Exploiting Rich Content
HTML5 Security The Modern Web Browser Perspective
An Introduction to Authenticated Encryption
Attacks on SSL
Content Security Policies Best Practices
Windows Phone 7 Application Security Survey
Browser Extension Password Managers
Introducing idb-Simplified Blackbox iOS App Pentesting
Login Service Security
The factoring dead: Preparing for the cryptopocalypse
Auditing Enterprise Class Applications and Secure Containers on Android
Early CCS Attack Analysis
Analysis of Boomerang Differential Trials via a SAT-Based Constraint Solver URSA
Perfect Forward Security
Internet of Things Security
Secure Messaging for Normal People
Understanding and Hardening Linux Containers
Adventures in Windows Driver Development: Part 1
Private sector cyber resilience and the role of data diodes
From CSV to CMD to qwerty
General Data Protection Regulation – are you ready?
Business Insights: Cyber Security in the Financial Sector
The Importance of a Cryptographic Review
osquery Application Security Assessment Public Report
Sysinternals SDelete: When Secure Delete Fails
Ricochet Security Assessment Public Report
Breaking into Security Research at NCC Group
Building Systems from Commercial Components
Modernizing Legacy Systems: Software Technologies, Engineering Processes, and Business Practices
Secure Coding in C and C++
CERT Oracle Secure Coding Standard for Java
CERT C Secure Coding Standard
Java Coding Guidelines: 75 Recommendations for Reliable and Secure Programs
Professional C Programming LiveLessons, (Video Training) Part I: Writing Robust, Secure, Reliable Code
Secure Coding in C and C++, 2nd Edition
Building WiMap the Wi-Fi Mapping Drone
The CERT® C Coding Standard, Second Edition: 98 Rules for Developing Safe, Reliable, and Secure Systems
Secure Coding Rules for Java LiveLessons, Part 1
Fuzzing the Easy Way Using Zulu
Hacking Displays Made Interesting
What the HEC? Security implications of HDMI Ethernet Channel and other related protocols
44CON Workshop – How to assess and secure iOS apps
Payment Card Industry Data Security Standard (PCI DSS) A Navigation and Explanation of Changes from v2.0 to v3.0
Mobile World Congress – Mobile Internet of Things
Practical SME security on a shoestring
BlackHat Asia USB Physical Access
How we breach network infrastructures and protect them
Hacking a web application
Batten down the hatches: Cyber threats facing DP operations
Threats and vulnerabilities within the Maritime and shipping sectors
Distributed Ledger (Blockchain) Security and Quantum Computing Implications
Abusing Privileged and Unprivileged Linux Containers
A few notes on usefully exploiting libstagefright on Android 5.x
NCC Con Europe 2016
Remote Exploitation of Microsoft Office DLL Hijacking (MS15-132) via Browsers
Phishing Mitigations: Configuring Microsoft Exchange to Clearly Identify External Emails
Exploiting CVE-2014-0282
Car Parking Apps Vulnerable To Hacks
eBook – Do you know how your organisation would react in a real-world attack scenario?
Erlang Security 101
SysAid Helpdesk blind SQL injection
SysAid Helpdesk stored XSS
Virtual Access Monitor Multiple SQL Injection Vulnerabilities
Whatsupgold Premium Directory traversal
Windows remote desktop memory corruptoin leading to RCE on XPSP3
Windows USB RNDIS driver kernel pool overflow
Drones: Detect, Identify, Intercept, and Hijack
Introducing Chuckle and the Importance of SMB Signing
Threat Intelligence: Benefits for the Enterprise
Best Practices for the use of Static Code Analysis within a Real-World Secure Development Lifecycle
Secure Device Manufacturing: Supply Chain Security Resilience
eBook – Planning a robust incident response process
HDMI Ethernet Channel
Advanced SQL Injection in SQL Server Applications
USB keyboards by post – use of embedded keystroke injectors to bypass autorun restrictions on modern desktop operating systems
ASP.NET Security and the Importance of KB2698981 in Cloud Environments
Xen HYPERVISOR_xen_version stack memory revelation
Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3
SysAid Helpdesk Pro – Blind SQL Injection
Symantec Messaging Gateway SSH with backdoor user account + privilege escalation to root due to very old Kernel
Symantec Messaging Gateway Out of band stored XSS delivered by email
Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for example)
Symantec Messaging Gateway Arbitrary file download is possible with a crafted URL (authenticated)
Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports
Symantec Backup Exec 2012 – OS version and service pack information leak
Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs
Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Squiz CMS File Path Traversal
Solaris 11 USB Hub Class descriptor kernel stack overflow
SmarterMail – Stored XSS in emails
Remote code execution in ImpressPages CMS
OS X 10.6.6 Camera Raw Library Memory Corruption
Oracle Java Installer Adds a System Path Which is Writable by All
Oracle Hyperion 11 Directory Traversal
Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
Nessus Authenticated Scan – Local Privilege Escalation
NCC Group Malware Technical Note
Nagios XI Network Monitor – Stored and Reflective XSS
Multiple Vulnerabilities in MailEnable
Microsoft Internet Explorer CMarkup Use-After-Free
McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators
McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI
iOS 7 arbitrary code execution in kernel mode
Understanding Microsoft Word OLE Exploit Primitives
Understanding Microsoft Word OLE Exploit Primitives: Exploiting CVE-2015-1642 Microsoft Office CTaskSymbol Use-After-Free Vulnerability
Porting the Misfortune Cookie Exploit: A Look into Router Exploitation Using the TD-8817
Vehicle Emissions and Cyber Security
Research Insights Volume 6: Common Issues with Environment Breakouts
Does TypeScript Offer Security Improvements Over JavaScript?
Common Security Issues in Financially-Oriented Web Applications
Research Insights Volume 3 – How are we breaking in: Mobile Security
Build Your Own Wi-Fi Mapping Drone Capability
Exploiting CVE-2015-2426, and How I Ported it to a Recent Windows 8.1 64-bit
Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
Password and brute-force mitigation policies
Understanding Ransomware: Impact, Evolution and Defensive Strategies
libtalloc: A GDB plugin for analysing the talloc heap
Lumension Device Control (formerly Sanctuary) remote memory corruption
LibAVCodec AMV Out of Array Write
Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass
Flash security restrictions bypass: File upload by URLRequest
Immunity Debugger Buffer Overflow
DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Cups-filters remote code execution
Critical Risk Vulnerability in SAP Message Server (Heap Overflow)
Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)
Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)
Cisco VPN Client Privilege Escalation
Cisco IPSec VPN Implementation Group Name Enumeration
Blue Coat BCAAA Remote Code Execution Vulnerability
BlackBerry Link WebDav Server Bound to the BlackBerry VPN Adapter
Bit51 Better Security WP Security Plugin – Unauthenticated Stored XSS to RCE
Back Office Web Administration Authentication Bypass
AtHoc Toolbar
ASE 12.5.1 datatype overflow
Archived Technical Advisories
Apple QuickTime Player m4a Processing Buffer Overflow
Apple OSX/iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow
Apple Mac OS X ImageIO TIFF Integer Overflow
Apple CoreAnimation Heap Overflow
Writing Small Shellcode
Writing Secure ASP Scripts
Windows 2000 Format String Vulnerabilities
The Pentesters Guide to Akamai
Adobe flash sandbox bypass to navigate to local drives
Adobe Flash Player Cross Domain Policy Bypass
Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
Tool Release: Introducing opinel: Scout2’s favorite tool
Broadcasting your attack – DAB security
Modelling Threat Actor Phishing Behaviour
Research Insights Volume 7: Exploitation Advancements
Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit
The Demise of Signature Based Antivirus
Stopping Automated Attack Tools
Security of Things: An Implementers’ Guide to Cyber-Security for Internet of Things Devices and Beyond
Security Best Practice: Host Naming & URL Conventions
Securing PL/SQL Applications with DBMS_ASSERT
Second-Order Code Injection Attacks
Revealing Embedded Fingerprints: Deriving Intelligence from USB Stack Interactions 2013
Research Insights Volume 4 – Sector Focus: Maritime Sector
Research Insights Volume 2 – Defensive Trends
Research Insights Volume 1 – Sector Focus: Financial Services
Quantum Cryptography – A Study Into Present Technologies and Future Applications
Protecting stored cardholder data (an unofficial supplement to PCI DSS V3.0)
Preparing for Cyber Battleships – Electronic Chart Display and Information System Security
Passive Information Gathering – The Analysis of Leaked Network Security Information
Oracle Passwords and OraBrute
Oracle Forensics Part 7 Using the Oracle System Change Number in Forensic Investigations
Oracle Forensics Part 6: Examining Undo Segments, Flashback and the Oracle Recycle Bin
Oracle Forensics Part 5: Finding Evidence of Data Theft in the Absence of Auditing
Oracle Forensics Part 4: Live Response
Oracle Forensics Part 3: Isolating Evidence of Attacks Against the Authentication Mechanism
Oracle Forensics Part 2: Locating Dropped Objects
Oracle Forensics Part 1: Dissecting the Redo Logs
Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT 2000 XP
New Attack Vectors and a Vulnerability Dissection of MS03-007
More Advanced SQL Injection
Microsoft’s SQL Server vs. Oracle’s RDBMS
Microsoft SQL Server Passwords
Low Cost Attacks on Smart Cards – The Electromagnetic Side-Channel
Lessons learned from 50 bugs: Common USB driver vulnerabilities
Inter-Protocol Exploitation
Inter-Protocol Communication
Improving your Network and Application Assurance Strategy in an environment of increasing 0day vulnerabilities
Implementing and Detecting a PCI Rootkit
How organisations can properly configure SSL services to ensure the integrity and confidentiality of data in transit
Hackproofing Oracle Application Server
Hackproofing MySQL
Hackproofing Lotus Domino Web Server
Hacking Appliances: Ironic exploits in security products
Fuzzing USB devices using Frisbee Lite
HDMI – Hacking Displays Made Interesting
Exploiting Security Gateways Via Web Interfaces
Research Insights Volume 5 – Sector Focus: Automotive
The why behind web application penetration test prerequisites
Blackbox iOS App Assessments Using idb
Cyber red-teaming business-critical systems while managing operational risk
Blind Return Oriented Programming
Username enumeration techniques and their value
IAM user management strategy (part 2)
Faux Disk Encryption: Realities of Secure Storage On Mobile Devices
Some Notes About the Xen XSA-122 Bug
USB attacks need physical access right? Not any more…
Image IO Memory Corruption
Threat Profiling Microsoft SQL Server
Thin Clients: Slim Security
Impress Pages CMS Remote Code Execution
The Phishing Guide: Understanding & Preventing Phishing Attacks
Lumension Device Control Remote Memory Corruption
McAfee Email and Web Security Appliance Active session tokens of other users are disclosed within the UI
McAfee Email and Web Security Appliance Any logged-in user can bypass controls to reset passwords of other administrators
Bypassing Oracle DBMS_ASSERT (in certain situations)
McAfee Email and Web Security Appliance Arbitrary file download is possible with a crafted URL, when logged in as any user
McAfee Email and Web Security Appliance Password hashes can be recovered from a system backup and easily cracked
McAfee Email and Web Security Appliance Reflective XSS allowing an attacker to gain session tokens
McAfee Email and Web Security Appliance Session hijacking and bypassing client-side session timeouts
Medium Risk Vulnerability in Symantec Enterprise Security Management
Medium Risk Vulnerability in Symantec Network Access Control
Nagios XI Network Monitor Stored and Reflected XSS
NX Server for Linux Arbitrary Files can be read with root privileges
Oracle 11g TNS listener remote Invalid Pointer Read
Oracle 11g TNS listener remote Null Pointer Dereference
Oracle Retail Integration Bus Manager Directory Traversal
Oracle Retail Invoice Manager SQL Injection
OS X Lion USB Hub Class Descriptor Arbitrary Code Execution
PRTG Network Monitor Command injection
Samba Andx Request Remote Code Execution
nccgroup.com
Support
2021 Research Report
Contact
CTFs/Microcorruption
Loading Comments...
Write a Comment...
Email (Required)
Name (Required)
Website