GhostSec, the hacktivist collective targeting ICSs
Introduction
To be able to achieve their objectives, hacktivist groups have been traditionally employing techniques such as distributed denial of services (DDoS), website defacements, and leaks of documents. These operations are usually conducted to advocate for specific social or political causes. Recently, it has been observed that hacktivist groups have shifted towards the targeting of Industrial Control...
GIS3W: Persistent XSS in G3WSuite 3.5 – CVE-2023-29998
GIS3W: Persistent XSS in G3WSuite 3.5 – CVE-2023-29998
Overview
During an engagement on a client's public infrastructure, we detected an exposed installation of G3WSuite. Since we were asked to perform a black box pentest on the G3WSuite installation, we had to find a way to gather as much information about the target as possible. Luckily for us,...
Win$ton: a Russian-Speaking Scam Group Targeting Middle-Eastern Customers
Introduction
As Yarix Cyber Threat Intelligence (YCTI) team, we regularly monitor, track and counter phishing websites that aim to steal user-sensitive data (e.g., login credentials, phone numbers, credit cards). One of the most challenging aspect of proactively countering and tracking phishing campaigns is hunting and analyzing exposed phishing kits. The analysis of these archives enables...
Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)
Vade Secure Gateway
During a penetration test activity, several reflected cross-site scripting (XSS) vulnerabilities were found on an application developed by the French Company Vade Secure. The vulnerable application is Vade Secure Gateway which is an email box scanning and processing tool for spam removal that can be managed via a web page. Once we identified the...
Analysis of BlackBasta ransomware gang (Part 1)
Executive Summary
The present article provides valuable highlights about BlackBasta ransomware-as-a-service (RaaS), as a result of the analysis conducted by Yarix Cyber Threat Intelligence – YCTI team. BlackBasta emerged in April 2022 and has already compromised over 200 organizations, thus representing one of the most threatening ransomware gangs in the cyber-scene. From April 2022 until March...
PrivEsc on a production-mode POS
Earlier this year, we were involved in the security assessment of a mobile application that included the use and verification of a POS, a Pax D200. An Internet search aimed at identifying any known vulnerabilities about it, led us to this post called pax-pwn and written by lsd.cat where three CVEs were reported and...
SIRI WI400: XSS on Login Page – CVE-2022-48111
WI400 is a software developed by SIRI that acts as a web interface for the IBM Power Systems (AS/400). During a penetration test activity, a reflected cross-site scripting (XSS) vulnerability was found on the login page. This allowed to craft URLs with arbitrary JavaScript code injected that would execute once the link was visited.Advisory -...
Russian Cyber Underground: Genesis and Anatomy of the Dark Web Forum Infinity
Executive Summary
The Yarix Cyber Threat Intelligence (YCTI) team analysed the genesis and anatomy of a brand-new forum operating in the Russian cyber underground: the Infinity Forum. Infinity is a recently appeared cyber creature founded by KillMillk (former head of the pro-Russia hacktivist group Killnet) and engineered by Russian hacktivists. It is officially operative since January...