Blog

Java – Cracking the Random: CVE-2024-29868

TL;DR

If you employ a Java application with a token-based password recovery mechanism, be sure that said token isn't generated using: RandomStringUtils. Spoiler: You can crack it and predict all past and future tokens generated by the application!

Some Context

During a Penetration Test I was sifting through the internet - as one often does...

Kelvin Security and Spectre, investigating possible relationships

Kelvin Security and Spectre, investigating possible relationships

Introduction

The Yarix Cyber Threat Intelligence Team (YCTI) has conducted an investigation that has discovered a possible relationship between the threat actor Kelvin Security with another threat actor called Spectre. This relations was identified through the discovery and analysis of an indicator found within an Italian governmental leak that was...

BlueDuck: an(other) Infostealer Coveting Digital Marketing Agencies’ Facebook Business Accounts

Introduction

In November 2023, the Yarix Cyber Threat Intelligence team (YCTI) intercepted a set of suspicious phishing emails addressed to digital marketing agencies that were impersonating different famous fashion brands. Through the analysis of these emails, we uncovered the activities of a Vietnamese cybercriminal group distributing a malicious python-based infostealer, tracked as BlueDuck, aimed to...

Citrix ADC – Unexpected Treasure

 TL;DR Setting secure rules for the RelayState parameter is a MUST when configuring Citrix Application Delivery Controller (ADC) and Citrix Gateway as SAML Service Provider, because an attacker can exploit a chain of three low-risk vulnerabilities to compromise victims’ accounts. By luring users to a malicious domain, attackers can steal session cookies and gain unauthorized...

Rhysida – Ransomware Payload Analysis

RANSOMWARE GROUP DETAILS

Ryhsida is a ransomware gang that became famous starting from May 2023 after being correlated to a series of high profile cyber attacks in west Europe, north an south America and Australia. The group seems to be linked with the known Threat Actor “Vice Society”. The team takes his name from a centipede species...

GhostSec, the hacktivist collective targeting ICSs

Introduction

To be able to achieve their objectives, hacktivist groups have been traditionally employing techniques such as distributed denial of services (DDoS), website defacements, and leaks of documents. These operations are usually conducted to advocate for specific social or political causes. Recently, it has been observed that hacktivist groups have shifted towards the targeting of Industrial Control...

GIS3W: Persistent XSS in G3WSuite 3.5 – CVE-2023-29998

GIS3W: Persistent XSS in G3WSuite 3.5 – CVE-2023-29998

Overview

During an engagement on a client's public infrastructure, we detected an exposed installation of G3WSuite. Since we were asked to perform a black box pentest on the G3WSuite installation, we had to find a way to gather as much information about the target as possible. Luckily for us,...

Win$ton: a Russian-Speaking Scam Group Targeting Middle-Eastern Customers

Introduction

As Yarix Cyber Threat Intelligence (YCTI) team, we regularly monitor, track and counter phishing websites that aim to steal user-sensitive data (e.g., login credentials, phone numbers, credit cards). One of the most challenging aspect of proactively countering and tracking phishing campaigns is hunting and analyzing exposed phishing kits. The analysis of these archives enables...