HIDDEN COBRA Volgmer: A Technical Analysis

In November, US-CERT published two alerts about malicious activity by the North Korean government, referred to as HIDDEN COBRA [1][2]. These alerts addressed the remote administration tool FALLCHILL and a Trojan called Volgmer. We’ll focus on the latter in this blog post. Volgmer is a backdoor Trojan that was designed primarily to give covert access … Continue reading HIDDEN COBRA Volgmer: A Technical Analysis

Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. Exodus Intel released how they exploited [1] CVE-2016-1287 for IKEv2 in February 2016, but there wasn't anything public for IKEv1. This blog post documents … Continue reading Cisco ASA series part eight: Exploiting the CVE-2016-1287 heap overflow over IKEv1

Cisco ASA series part seven: Checkheaps

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. As part of our ongoing series we would like to talk about Cisco's Checkheaps security and stability mechanism. More specifically, we’ll look at how … Continue reading Cisco ASA series part seven: Checkheaps

Cisco ASA series part six: Cisco ASA mempools

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. In part six, we document some of the details around Cisco ASA mempools and how the mempool-related functions wrap more traditional heap functions in … Continue reading Cisco ASA series part six: Cisco ASA mempools

Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. This article is meant to provide a summary of some key functionality for dlmalloc-2.8.x and introduce a debugging plugin called libdlmalloc [1] that is … Continue reading Cisco ASA series part four: dlmalloc-2.8.x, libdlmalloc, & dlmalloc on Cisco ASA

Cisco ASA series part three: Debugging Cisco ASA firmware

This article is part of a series of blog posts. We recommend that you start at the beginning. Alternatively, scroll to the bottom of this article to navigate through the whole series. We have developed a small framework of tools to automate the debugging of most Cisco ASA firmware files using gdb, while supporting both real … Continue reading Cisco ASA series part three: Debugging Cisco ASA firmware

Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware

This article is part of a series of blog posts. If you haven’t already, we recommend that you read the introduction article prior to this one. During our research, we ended up wanting to analyse a large number of Cisco ASA firmware files. Most importantly, we needed to mine exploit targets for both CVE-2016-1287 and CVE-2016-6366 and … Continue reading Cisco ASA series part two: Static analysis & datamining of Cisco ASA firmware

Cisco ASA series part one: Intro to the Cisco ASA

We’ve spent a bunch of time investigating Cisco ASA devices and their firmware while looking into exploiting CVE-2016-1287, CVE-2016-6366, and other bugs. Part of this research has involved data mining numerous Cisco ASA firmware files to generate new exploit targets. We took the time to write some tools to more effectively analyse or debug certain … Continue reading Cisco ASA series part one: Intro to the Cisco ASA

EternalGlue part one: Rebuilding NotPetya to assess real-world resilience

Tl;dr - we were engaged by a client back in June 2017 to rebuild NotPetya from scratch. However, instead of the data destruction payload, they asked for telemetry and safeguards. Why? Because they wanted to measure what the impact of NotPetya would have been. Below, you’ll find part one of the story… When you dodge a … Continue reading EternalGlue part one: Rebuilding NotPetya to assess real-world resilience

Analysing a recent Poison Ivy sample

In a recent blog post, Fortinet discussed a new version of Poison Ivy[1] spreading through malicious PowerPoint files. The PowerPoint file includes a .NET loader in a stream which goes on to load a variant of Poison Ivy. But there is some debate regarding whether this is a pure Poison Ivy variant or a hybrid … Continue reading Analysing a recent Poison Ivy sample