The Foreigner – A (not so) quick and dirty drop box for Red Teamers
Some time ago, the Yarix Red Team was engaged on a red team assessment that included an onsite activity to test the physical security posture of the Customer. Although we would have used social engineering tactics to physically enter the Customer property, this would have given us a too short amount of time to stay...
Advanced Phobia
Ransomware Gang Details Phobos ransomware, first discovered in December 2018, is another notorious cyber threat actor which targets businesses. Phobos is popular among threat actors because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic: the gang’s name was likely inspired by him. Phobos is a ransomware...
Phobia
Ransomware Details Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses. Phobos is popular among threat actors of various technical abilities because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic; hence the name Phobos was likely inspired by him. Phobos...
Analysis of the Russian-Speaking Threat Actor NoName 057(16)
The report analyzes the threat actor NoName057(16). Yarix Cyber Threat Intelligence (YCTI) team has tracked the activities of this cyber-collective from its creation (early March 2022) until the month of September 2022. From the findings and the evidence collected, NoName057(16) is a Russian-speaking threat actor, whose actions are driven by ideological and political grounds, namely:...
Plug n Panda – APT Group
“Plug N Panda” group (the name that has been chosen by Yarix R&D) is a newly observed group characterized by the use of Ransomware DLL sideloading (PlugX – Talisman) techniques to cover his tracks after carrying an attack and it is believed to originate from China. This APT was first observed in the first months of...
Analysis of a Command Injection in VBScript
In this writeup we present the analysis and exploitation of a VBScript command injection vulnerability we stumbled upon during a penetration test on a .NET web application. What makes this vulnerability stand out is the fact that at first glance it could be mistaken for a common SQL injection. After a few exploitation attempts, we...
OverIT framework XSLT Injection and XXE – CVE-2022-22834 & CVE-2022-22835
During a penetration test activity, two vulnerabilities were discovered on a specific functionality called “Test Trasformazione xsl” whose purpose is to test the correct operation of the XSLT Java engine. This functionality is part of the set of tools available within the Geocall-Framework and it is not active by default. Advisory - CVE-2022-22834 OverIT projects based on...
Merry Hackmas: multiple vulnerabilities in MSI’s products
This blog post serves as an advisory for a couple MSI’s products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with. All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to: Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a...