Category: Research

An offensive guide to the Authorization Code grant

OAuth is the widely used standard for access delegation, enabling many of the "Sign in with X" buttons and "Connect your Calendar" features of modern Internet software. OAuth 2.0 is the most common and recent version of this specification, which defines four grant types (as well as various extensions), specifically suited for different use cases. … Continue reading An offensive guide to the Authorization Code grant

Security Considerations of zk-SNARK Parameter Multi-Party Computation

The secure generation of parameters for zk-SNARKs is a crucial step in the trustworthiness of the resulting proof system. By highlighting some potential pitfalls and important security considerations of these implementations, NCC Group hopes to provide helpful pointers to all implementers and avoid the introduction of vulnerabilities detrimental to the confidence users have in the different applications of these systems.

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox), Michael Sandee and in close collaboration with NCC’s RIFT. About the Research and Intelligence Fusion Team (RIFT):RIFT leverages our strategic analysis, data science, and threat hunting capabilities to create actionable threat intelligence, ranging from IOCs and detection capabilities to strategic reports on tomorrow's threat landscape. Cyber security is an … Continue reading WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Tool Release – Socks Over RDP Now Works With Citrix

Introduction A month ago, we released a new tool that made it possible to tunnel traffic over an existing Remote Desktop Connection without the need to alter the configuration of the environment. This tool enables penetration testers to conduct their assessments over Windows-based jump boxes. Remote Access technologies are quite diversified, although Remote Desktop Services … Continue reading Tool Release – Socks Over RDP Now Works With Citrix

Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability

This vulnerability applied to a 5 year old end of life version of CobaltStrike and is being published in the spirit of archaeological interest in the vulnerability. tl;dr This blog looks at some of the communication and encryption internals of Cobalt Strike between Beacons and the Team Server in the 3.5 family. We then explore … Continue reading Striking Back at Retired Cobalt Strike: A look at a legacy vulnerability

Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains a three (3) memory safety vulnerabilities, allowing adversaries with … Continue reading Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

In-depth analysis of the new Team9 malware family

Publicly discovered in late April 2020, the Team9 malware family (also known as ‘Bazar’) appears to be a new malware being developed by the group behind Trickbot. Even though the development of the malware appears to be recent, the developers have already developed two components with rich functionality. The purpose of this blog post is to describe the functionality of the two components, the loader and the backdoor.