Blog

SIRI WI400: XSS on Login Page – CVE-2022-48111

WI400 is a software developed by SIRI that acts as a web interface for the IBM Power Systems (AS/400). During a penetration test activity, a reflected cross-site scripting (XSS) vulnerability was found on the login page. This allowed to craft URLs with arbitrary JavaScript code injected that would execute once the link was visited. Advisory -...

Russian Cyber Underground: Genesis and Anatomy of the Dark Web Forum Infinity

Executive Summary The Yarix Cyber Threat Intelligence (YCTI) team analysed the genesis and anatomy of a brand-new forum operating in the Russian cyber underground: the Infinity Forum. Infinity is a recently appeared cyber creature founded by KillMillk (former head of the pro-Russia hacktivist group Killnet) and  engineered by Russian hacktivists. It is officially operative since January 2023,...

Advanced Phobia

Ransomware Gang Details Phobos ransomware, first discovered in December 2018, is another notorious cyber threat actor which targets businesses. Phobos is popular among threat actors because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic: the gang’s name was likely inspired by him. Phobos is a ransomware...

Phobia

Ransomware Details Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses. Phobos is popular among threat actors of various technical abilities because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic; hence the name Phobos was likely inspired by him. Phobos...

Analysis of the Russian-Speaking Threat Actor NoName 057(16)

The report analyzes the threat actor NoName057(16). Yarix Cyber Threat Intelligence (YCTI) team has tracked the activities of this cyber-collective from its creation (early March 2022) until the month of September 2022. From the findings and the evidence collected, NoName057(16) is a Russian-speaking threat actor, whose actions are driven by ideological and political grounds, namely:...

Plug n Panda – APT Group

“Plug N Panda” group (the name that has been chosen by Yarix R&D) is a newly observed group characterized by the use of Ransomware DLL sideloading (PlugX – Talisman) techniques to cover his tracks after carrying an attack and it is believed to originate from China. This APT was first observed in the first months of...

Analysis of a Command Injection in VBScript

In this writeup we present the analysis and exploitation of a VBScript command injection vulnerability we stumbled upon during a penetration test on a .NET web application. What makes this vulnerability stand out is the fact that at first glance it could be mistaken for a common SQL injection. After a few exploitation attempts, we...

OverIT framework XSLT Injection and XXE – CVE-2022-22834 & CVE-2022-22835

During a penetration test activity, two vulnerabilities were discovered on a specific functionality called “Test Trasformazione xsl” whose purpose is to test the correct operation of the XSLT Java engine. This functionality is part of the set of tools available within the Geocall-Framework and it is not active by default. Advisory - CVE-2022-22834 OverIT projects based on...

Merry Hackmas: multiple vulnerabilities in MSI’s products

This blog post serves as an advisory for a couple MSI’s products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with. All the vulnerabilities are triggered by sending specific IOCTL requests and will allow to: Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into a...