Author - Ylabs

PrivEsc on a production-mode POS

Earlier this year, we were involved in the security assessment of a mobile application that included the use and verification of a POS, a Pax D200. An Internet search aimed at identifying any known vulnerabilities about it led us to a post called pax-pwn, written by lsd.cat, in which three CVEs were reported and...

SIRI WI400: XSS on Login Page – CVE-2022-48111

WI400 is software developed by SIRI that acts as a web interface for IBM Power Systems (AS/400). During a penetration test activity, a reflected cross-site scripting (XSS) vulnerability was found on the login page. This allowed an attacker to craft URLs with arbitrary JavaScript code injected that would execute once the link was visited.

Advisory -...

Russian Cyber Underground: Genesis and Anatomy of the Dark Web Forum Infinity

Executive Summary

The Yarix Cyber Threat Intelligence (YCTI) team analysed the genesis and anatomy of a brand-new forum operating in the Russian cyber underground: the Infinity Forum. Infinity is a recently emerged entity founded by KillMillk (former head of the pro-Russia hacktivist group Killnet) and engineered by Russian hacktivists. It has been officially operative since January...

Advanced Phobia

Ransomware Gang Details

Phobos ransomware, first discovered in December 2018, is another notorious cyber threat actor which targets businesses. Phobos is popular among threat actors because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic: the gang’s name was likely inspired by him. Phobos is a...

Phobia

Ransomware Details

Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses. Phobos is popular among threat actors of various technical abilities because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic; hence the name Phobos was likely inspired by him. Phobos...

Analysis of the Russian-Speaking Threat Actor NoName 057(16)

The report analyzes the threat actor NoName057(16). The Yarix Cyber Threat Intelligence (YCTI) team has tracked the activities of this cyber-collective from its creation (early March 2022) until September 2022. From the findings and the evidence collected, NoName057(16) is a Russian-speaking threat actor whose actions are driven by ideological and political motives, namely:...

Plug n Panda – APT Group

The “Plug N Panda” group (a name chosen by Yarix R&D) is a newly observed group characterized by the use of ransomware DLL sideloading (PlugX – Talisman) techniques to cover its tracks after carrying out an attack, and it is believed to originate from China. This APT was first observed in the first months of...

Analysis of a Command Injection in VBScript

In this writeup we present the analysis and exploitation of a VBScript command injection vulnerability we stumbled upon during a penetration test on a .NET web application. What makes this vulnerability stand out is the fact that at first glance it could be mistaken for a common SQL injection. After a few exploitation attempts, we...

OverIT framework XSLT Injection and XXE – CVE-2022-22834 & CVE-2022-22835

During a penetration test activity, two vulnerabilities were discovered in a specific functionality called “Test Trasformazione xsl”, whose purpose is to test the correct operation of the XSLT Java engine. This functionality is part of the set of tools available within the Geocall-Framework and is not active by default.

Advisory - CVE-2022-22834

OverIT projects based on...