Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch special interest group Cyberveilig Nederland … Continue reading Sifting through the spines: identifying (potential) Cactus ransomware victims
Author: Fox-SRT
Android Malware Vultur Expands Its Wingspan
Authored by Joshua Kamp Executive summary The authors behind Android banking malware Vultur have been spotted adding new technical features, which allow the malware operator to further remotely interact with the victim's mobile device. Vultur has also started masquerading more of its malicious activity by encrypting its C2 communication, using multiple encrypted payloads that are … Continue reading Android Malware Vultur Expands Its Wingspan
Memory Scanning for the Masses
Authors: Axel Boesenach and Erik Schamper In this blog post we will go into a user-friendly memory scanning Python library that was created out of the necessity of having more control during memory scanning. We will give an overview of how this library works, share the thought process and the why’s. This blog post will … Continue reading Memory Scanning for the Masses
Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
Max Groot & Erik Schamper TL;DR Windows Defender (the antivirus shipped with standard installations of Windows) places malicious files into quarantine upon detection. Reverse engineering mpengine.dll resulted in finding previously undocumented metadata in the Windows Defender quarantine folder that can be used for digital forensics and incident response. Existing scripts that extract quarantined files do … Continue reading Reverse, Reveal, Recover: Windows Defender Quarantine Forensics
The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
Authored by Margit Hazenbroek At Fox-IT (part of NCC Group) identifying servers that host nefarious activities is a critical aspect of our threat intelligence. One approach involves looking for anomalies in responses of HTTP servers. Sometimes cybercriminals that host malicious servers employ tactics that involve mimicking the responses of legitimate software to evade detection. However, … Continue reading The Spelling Police: Searching for Malicious HTTP Servers by Identifying Typos in HTTP Responses
Popping Blisters for research: An overview of past payloads and exploring recent developments
Authored by Mick Koomen Summary Blister is a piece of malware that loads a payload embedded inside it. We provide an overview of payloads dropped by the Blister loader based on 137 unpacked samples from the past one and a half years and take a look at recent activity of Blister. The overview shows that … Continue reading Popping Blisters for research: An overview of past payloads and exploring recent developments
Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
Fox-IT (part of NCC Group) has uncovered a large-scale exploitation campaign of Citrix NetScalers in a joint effort with the Dutch Institute of Vulnerability Disclosure (DIVD). An adversary appears to have exploited CVE-2023-3519 in an automated fashion, placing webshells on vulnerable NetScalers to gain persistent access. The adversary can execute arbitrary commands with this webshell, … Continue reading Approximately 2000 Citrix NetScalers backdoored in mass-exploitation campaign
CVE-2022-27510, CVE-2022-27518 – Measuring Citrix ADC & Gateway version adoption on the Internet
Authored by Yun Zheng Hu Recently, two critical vulnerabilities were reported in Citrix ADC and Citrix Gateway; where one of them was being exploited in the wild by a threat actor. Due to these vulnerabilities being exploitable remotely and given the situation of past Citrix vulnerabilities, RIFT started to research on how to identify the … Continue reading CVE-2022-27510, CVE-2022-27518 – Measuring Citrix ADC & Gateway version adoption on the Internet
One Year Since Log4Shell: Lessons Learned for the next ‘code red’
Authored by Edwin van Vliet and Max Groot One year ago, Fox-IT and NCC Group released their blogpost detailing findings on detecting & responding to exploitation of CVE-2021-44228, better known as ‘Log4Shell’. Log4Shell was a textbook example of a code red scenario: exploitation was trivial, the software was widely used in all sorts of applications … Continue reading One Year Since Log4Shell: Lessons Learned for the next ‘code red’