Current event - 1.1 of post This is a current event and as such the blog post is subject to change over the course of a couple of days as we perform further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.1 - updated to include initial Snort signature … Continue reading Drupal Vulnerability
Category: Threat Intelligence
The facts about BadUSB
Introduction Since the BadUSB talk [1] by Karsten Nohl and Jakob Lell at Black Hat USA in August there has been much discussion about the implications of this class of USB attack. The discussions gained additional momentum when Adam Caudill and Brandon Wilson investigated the attack further and publicly released working code [2] at the …
Shellshock Bash Vulnerability
Current event - 1.2 of post This is a current event and as such the blog post is subject to change over the course of the next few days as we perform further supplementary research and analysis by NCC Group’s Cyber Defence Operations and Security Consulting divisions. v1.2 - Link to NCC Group North America …
A New Flying Kitten?
Introduction In May 2014 FireEye[1] and Crowdstrike[2] produced reports about the activities of “Flying Kitten”, otherwise known as the Ajax Security Team. In July 2014 NCC Group’s Cyber Defence Operations team encountered several executables in our malware zoo that appear to be updated versions of the “Stealer” malware reported by FireEye in their report. We refer …
Apache Struts Vulnerability
Archived current event – v1.2 of post This was a current event and as such this blog post was subject to change as we performed further supplementary research and analysis. 1.2: Updated to include Struts v1. 1.1: Final public release of this blog post. 1.0: Initial version. Background The Struts project released a recent security advisory (April 24th, 2014) …
Heartbleed OpenSSL vulnerability
Previous current event – v1.8 of post This was a current event and as such the blog post was subject to change over the course of a couple of days as we performed further supplementary research and analysis. 1.8: Update to include Bro detection and further analysis. This is likely final public release – private …
How To Spot a Penetration Tester in Your Network (and Catch the Real Bad Guys at the Same Time)
I've been re-reading the Mandiant report on the notorious APT1 group, and it occurred to me that the tools and techniques used by this relatively unsophisticated (but very successful) group are similar to those used by penetration testers. That isn't to say that penetration testers, or pen testers as they are colloquially known, are unsophisticated - the …
ASP.NET Security and the Importance of KB2698981 in Cloud Environments Threat Brief
This threat brief discusses a security issue noted by NCC Group in September 2012 relating to the use of ASP.NET forms authentication in a shared / cloud hosting environment. If virtual hosting is used to make multiple applications on the same IIS server available at different domain names, then a forms authentication cookie issued by …
The death of USB autorun and the rise of the USB keyboard
Back in 2010 Seth Fogie noted that certain car manufacturers were sending out USB devices. These USB devices presented themselves as keyboards in order to inject keystrokes into the computer to which they were attached. Why a keyboard? Well, in order to circumvent security controls designed to stop the automatic execution of anything potentially malicious from untrusted …