Live Incident Blog: June Global Ransomware Outbreak

On Tuesday 27 June, we saw another outbreak of ransomware. This blog is live and will be updated as we know more. The ransomware is currently being discussed as a variant of Petya, which also modifies the Master Boot Record (MBR), although this ransomware also has traits similar to WannaCry in that it uses Eternal Blue … Continue reading Live Incident Blog: June Global Ransomware Outbreak

Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures

NCC Group is currently aware of a zero-day vulnerability targeting Microsoft Office users which is being exploited in the wild by a number of threat actors including organised criminal gangs. NCC Group has identified various samples exploiting this issue from as far back as 2016. Click here to see NCC Group’s analysis: https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Office%20zero-day%20(April%202017)/2017-04%20Office%20OLE2Link%20zero-day%20v0.4.pdf In the … Continue reading Microsoft Zero-Day Vulnerability – OLE2Link – Threat Intelligence and Signatures

Sysinternals SDelete: When Secure Delete Fails

Introduction Securely erasing media is an important process for any IT department. There are numerous methods of ensuring that sensitive data is removed before items are reissued or disposed. And the removal of such data is also mandated by various standards such as ISO 27001, which states:  A.11.2.7 – “All items of equipment containing storage … Continue reading Sysinternals SDelete: When Secure Delete Fails

Derusbi: A Case Study in Rapid Capability Development

NCC Group’s Cyber Defence Operations team has released a technical note about the Derusbi Server variant, which we encountered on an engagement at the end of last year. The Derusbi Server variant is typically associated with advanced attackers (APT groups) and was the most sophisticated attempt to retain persistence on our client’s network.  Other activity … Continue reading Derusbi: A Case Study in Rapid Capability Development

Samba _netr_ServerPasswordSet Expoitability Analysis

tl;dr This is my analysis of the recent pre-auth Samba remote tracked by CVE-2015-0240[1]. It doesn’t appear to be very exploitable to me, but I’d love to be proven wrong. Note that since the time when I originally did this analysis someone has released their own PoC and analysis [8] showing why they don’t think … Continue reading Samba _netr_ServerPasswordSet Expoitability Analysis

Ghost Vulnerability (CVE-2015-0235)

Executive Summary An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a buffer overflow in the gethostbyname() function, called … Continue reading Ghost Vulnerability (CVE-2015-0235)

Analysis of the Linux backdoor used in freenode IRC network compromise

Background freenode is a large IRC network providing services to Free and Open Source Software communities, and in September the freenode staff team blogged about a potential compromise of an IRC server. NCC Group’s Cyber Defence Operations team provided pro bono digital forensic and reverse engineering services to assist the freenode infrastructure team with their incident … Continue reading Analysis of the Linux backdoor used in freenode IRC network compromise