GoSecure Blog

Are Sextortion Spammers Making Money?

Summary of research that uncovers the sextortion spamming scheme

This week, our cybersecurity researcher presents the results of the Spams meet Cryptocurrencies: Sextortion in the Bitcoin Ecosystem research at the Advances in Financial Technologies (AFT) academic conference in Zürich. This research, also covered by the MIT Technology Review, is extensive: it involves an analysis of over 4 million sextortion spams and their associated payments in the Bitcoin ecosystem, to estimate the lower-bound revenue of this new extortion scheme. The research was completed in collaboration with Matteo Romiti and Bernhard Haslhofer from the Austrian Institute of Technology and Tomáš Charvát from VirusFree. The blog post below is a quick review of the main research findings.

Credit: teguhjatipras & mohamed_hassan from Pixabay


Topics: Email Phishing, bitcoin, sextortion

FindSecBugs officially an OWASP project

Over the years, Find Security Bugs (or FindSecBugs for short) has evolved from a limited static-analysis tool to one with solid coverage of bug patterns. In this post, we present the project's latest milestone, its arrival in the OWASP family, along with some figures and details regarding its new release.


Topics: code review, static analysis, java, owasp

Contribute to Open Source with Hacktoberfest at GoSecure!

GoSecure is encouraging everyone to join Hacktoberfest. GoSecure has multiple projects open to external contributions. For this specific event, we have tagged issues that are accessible to newcomers with the official tag [hacktoberfest].

In addition to the official Hacktoberfest swag, we will send you stickers from the respective projects you have contributed to.


Topics: malboxes, pyrdp, find-sec-bugs, open-source

Butor Portal Arbitrary File Download Vulnerability (CVE-2019-13343)

TLDR: It is frightening; a patch was made available the same day it was disclosed, and everybody should update their servers.

Impact

Butor Portal is affected by a Path Traversal vulnerability leading to pre-authentication arbitrary file downloads. Every file that can be read by the local user running the Butor Portal Web service could be exfiltrated by an anonymous attacker.

With the ability to read most files on a server, an unauthenticated attacker could not only fully compromise the Butor application, but also the underlying infrastructure, such as the database or the LDAP server, using credentials stored in plain text in configuration files.

Exploitation of this vulnerability does not require advanced skill and can be automated.


Topics: appsec, code review, vulnerability

Drugs, Guns, Fake documents, Hitmen... What I expected and much more!

This is the continuation of my first blog post, How I Indexed the Darknet and Pastebin During My First University Internship. The GoSecure Torscraper was developed about 1 year ago. Due to a few issues, the entirety of the project was dockerized to simplify the installation procedure (~4-8 lines instead of 4 pages of documentation) and to automate the whole scraping process. This upgrade makes the tool easier for everyone to use. Once the project was dockerized, I started analyzing the collected data, and it goes without saying that it was the most interesting part of this project.


Topics: Research, darknet, threat-intelligence

Fuzzing Closed Source PDF Viewers

This blog post covers typical problems that arise when fuzzing closed source PDF viewers and possible approaches to these problems. It focuses on both input minimization and non-terminating programs.

The approaches were found and implemented as part of my master's thesis, which I wrote at TU Darmstadt, Germany, in cooperation with Fraunhofer SIT.


Topics: windows, binary analysis, dynamic analysis, fuzzing, pdf

Automating local DTD discovery for XXE exploitation

Last month, we presented an XML External Entities (XXE) exploitation workshop at Hack In Paris (France). It showcased methods to exploit XXE in the presence of numerous obstacles. Today, we present our method to exploit XXEs with a local Document Type Declaration (DTD) file. More specifically, we explain how we built a huge list of reusable DTD files.


Topics: appsec, tool, web, pentest

Java Remote Code Execution Potpourri

Some time ago, we published a blog post about jenkins-fsb, a preconfigured Jenkins instance for efficiently using the Find Security Bugs plug-in. In that blog post, we indicated that multiple vulnerabilities had been found but not disclosed. Well, today we are sharing more details about the process of finding four different kinds of remote code execution in modern Java applications. Remote execution in Java can happen under different circumstances, and the findings presented here are all different from one another. This shows that while some code execution vulnerabilities are easy to detect, some of them require a thorough inspection.


Topics: code review, vulnerability, web, java

ESI Injection Part 2: Abusing specific implementations

Last year, we published a blog post about the injection of ESI tags in pages to fool the web cache proxy, and in August 2018, our colleague Louis Dion-Marcil spoke at Defcon about the discovery of the ESI Injection uncovered by the GoSecure intrusion testing team. For those interested, the presentation has been released on the Defcon YouTube channel. Defcon and Black Hat gave us an opportunity to unveil how ESI implementations can lead to session leakage through the client web browser without any malicious JavaScript. ESI is a specification that defines statements in the form of XML tags that are interpreted by the caching server. Those statements describe the content assembly of web pages by composing various HTML fragments from external resources. An attacker can abuse this mechanism by injecting a malicious tag inside an intercepted web page.


Topics: cybersecurity, security, ESI tags, GoSecure

Abusing Unsafe Defaults in Active Directory Domain Services: A Real-World Case Study

This past July, Kevin Robertson from NetSPI released a blog post entitled, "Beyond LLMNR/NBNS Spoofing – Exploiting Active Directory-Integrated DNS," which introduced a new technique (to us at least) targeting weak default access control in Active Directory Domain Services. At GoSecure, since most of our engagements require some level of Active Directory security assessment, we followed our interest and decided to find a way to reliably exploit it.


Topics: pentest, Active Directory, NTLM
