A New Flying Kitten?

Introduction: In May 2014 FireEye [1] and CrowdStrike [2] produced reports about the activities of “Flying Kitten”, otherwise known as the Ajax Security Team. In July 2014 NCC Group’s Cyber Defence Operations team encountered several executables in our malware zoo that appear to be updated versions of the “Stealer” malware reported by FireEye in their report. We refer …

Apache Struts Vulnerability

Archived current event (v1.2 of post). This was a current event and as such this blog post was subject to change as we performed further supplementary research and analysis.

1.2: Updated to include Struts v1
1.1: Final public release of this blog post
1.0: Initial version

Background: The Struts project released a security advisory on April 24th, 2014 …

Heartbleed OpenSSL vulnerability

Previous current event (v1.8 of post). This was a current event and as such the blog post was subject to change over the course of a couple of days as we performed further supplementary research and analysis.

1.8: Update to include Bro detection and further analysis. This is likely the final public release – private …

How To Spot a Penetration Tester in Your Network (and Catch the Real Bad Guys at the Same Time)

I've been re-reading the Mandiant report on the notorious APT1 group, and it occurred to me that the tools and techniques used by this relatively unsophisticated (but very successful) group are similar to those used by penetration testers. That isn't to say that penetration testers, or pen testers as they are colloquially known, are unsophisticated - the …

ASP.NET Security and the Importance of KB2698981 in Cloud Environments Threat Brief

This threat brief discusses a security issue noted by NCC Group in September 2012 relating to the use of ASP.NET forms authentication in a shared or cloud hosting environment. If virtual hosting is used to make multiple applications on the same IIS server available at different domain names, then a forms authentication cookie issued by …
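The check a practitioner wants on a shared IIS host follows from the excerpt: a forms authentication ticket is validated with the machineKey, so if every site on the box shares one key, a ticket minted by site A (for example, the attacker's own account on a site they legitimately use) is a valid ticket when presented to site B. The configuration below is an added illustration, not from the original threat brief or from the KB article; the site names are hypothetical and the key values are placeholders of the correct length that you would replace with keys generated per application.

```xml
<!-- web.config for hypothetical site A. Site B on the same server gets its own copy
     with different validationKey/decryptionKey values and a different cookie name. -->
<configuration>
  <system.web>
    <!-- Keys unique to this application. A host-wide machineKey (or an identical
         <machineKey> pasted into every site) is what lets one site's forms ticket
         validate under another. HMACSHA256 wants a 64-byte (128 hex char) validation
         key; AES accepts a 32-byte (64 hex char) decryption key. Placeholders below. -->
    <machineKey
      validationKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
      decryptionKey="0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF"
      validation="HMACSHA256"
      decryption="AES" />
    <authentication mode="Forms">
      <!-- Per-site cookie name instead of the default .ASPXAUTH, sent only over TLS.
           Distinct names keep a browser from offering one site's ticket to another
           site that happens to share a parent domain. -->
      <forms name=".SITEA_AUTH"
             loginUrl="~/Account/Login"
             requireSSL="true"
             slidingExpiration="true"
             timeout="30" />
    </authentication>
  </system.web>
</configuration>
```

To verify isolation after deployment, log in to site A, copy its forms cookie into a request to site B under site B's cookie name, and confirm site B treats the request as anonymous; with per-application keys the MAC check fails and the ticket is discarded. On .NET 4.5 the machineKey element additionally accepts compatibilityMode="Framework45", which moves to the newer crypto pipeline; it does not remove the need for distinct keys per tenant.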

The death of USB autorun and the rise of the USB keyboard

Back in 2010 Seth Fogie noted that certain car manufacturers were sending out USB devices. These USB devices presented themselves as keyboards in order to inject keystrokes into the computer to which they were attached. Why a keyboard? Well, in order to circumvent security controls designed to stop the automatic execution of anything potentially malicious from untrusted …
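Because the "USB stick" in the excerpt works by enumerating as a HID keyboard rather than by autorun, the useful host-side check is on the interface descriptors a new device presents, not on what files it carries. The script below is an added example, not code from the original post or from the vendors it mentions: it parses the property lines udev emits for a device (the ID_USB_INTERFACES value is a colon-separated list of class/subclass/protocol hex triplets, as udev's usb_id builtin formats it) and refuses anything exposing a HID interface unless its vendor/product pair has been cleared, flagging in particular a device that claims both mass storage and HID. The sample property blocks are constructed and the allow-list IDs are illustrative.

```python
"""Flag USB devices that present a keyboard interface, from udev properties.

Added example, not from the original post. The device property text below is
constructed to look like `udevadm info --query=property` output; no real hardware
was sampled.
"""
import re

# USB interface class codes and the HID boot-protocol value for a keyboard.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08
HID_PROTOCOL_KEYBOARD = 0x01  # boot protocol 0x02 is a mouse

# Hypothetical allow-list: vendor:product pairs cleared to expose a keyboard.
ALLOWED_KEYBOARDS = {(0x046D, 0xC31C)}


def parse_udev_env(text):
    """Parse KEY=VALUE lines (udevadm property style) into a dict."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip()
    return env


def parse_interfaces(spec):
    """':030101:080650:' -> [(0x03, 0x01, 0x01), (0x08, 0x06, 0x50)]."""
    out = []
    for triple in spec.split(":"):
        if re.fullmatch(r"[0-9a-fA-F]{6}", triple):
            out.append((int(triple[0:2], 16), int(triple[2:4], 16), int(triple[4:6], 16)))
    return out


def assess_device(env, allowed=ALLOWED_KEYBOARDS):
    """Return a verdict for one device based on its interface descriptors.

    Any HID interface counts, not only boot-protocol keyboards: a HID device with
    subclass 0 / protocol 0 can still declare keyboard usages in its report
    descriptor, so protocol alone is not a safe filter.
    """
    vid = int(env.get("ID_VENDOR_ID", "0"), 16)
    pid = int(env.get("ID_MODEL_ID", "0"), 16)
    ifaces = parse_interfaces(env.get("ID_USB_INTERFACES", ""))
    classes = {cls for cls, _, _ in ifaces}
    has_hid = USB_CLASS_HID in classes
    boot_keyboard = any(cls == USB_CLASS_HID and proto == HID_PROTOCOL_KEYBOARD
                        for cls, _, proto in ifaces)
    reasons = []
    if has_hid and (vid, pid) not in allowed:
        reasons.append("unexpected HID interface" + (" (boot keyboard)" if boot_keyboard else ""))
    if has_hid and USB_CLASS_MASS_STORAGE in classes:
        # A storage device that also types is the gift-stick pattern; flag it even
        # for allow-listed IDs, since IDs are trivially spoofable.
        reasons.append("storage device also exposes HID")
    return {"vid": vid, "pid": pid, "interfaces": ifaces,
            "verdict": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample devices (IDs illustrative, not captured from real hardware).
SAMPLE_DEVICES = {
    "flash_drive": "ID_VENDOR_ID=0781\nID_MODEL_ID=5567\nID_USB_INTERFACES=:080650:\n",
    "desk_keyboard": "ID_VENDOR_ID=046d\nID_MODEL_ID=c31c\nID_USB_INTERFACES=:030101:030102:\n",
    "promo_stick": "ID_VENDOR_ID=1234\nID_MODEL_ID=abcd\nID_USB_INTERFACES=:080650:030101:\n",
}


def assess_all(samples=SAMPLE_DEVICES):
    """Assess every sample device; returns {name: verdict dict}."""
    return {name: assess_device(parse_udev_env(text)) for name, text in samples.items()}


if __name__ == "__main__":
    for name, result in assess_all().items():
        print(f"{name}: {result['verdict']} {result['reasons']}")
```

In practice this logic sits behind a udev rule or a USBGuard policy that decides authorization at enumeration time; the allow-list should be treated as a convenience, since vendor and product IDs are attacker-controlled fields and the only robust control is a default-deny on unexpected HID interfaces.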