GoSecure Blog

IDC Technology and Customer Spotlights

A few months ago, the International Data Corporation (IDC) conducted a Technology Spotlight and a Customer Spotlight on our company. The two reports: Advanced Managed Security in a New Era: Simple Steps to Rapid Response Advanced Managed Security and Yellow Pages: Better Security, Great User Experience reaffirm our position as a high-quality provider of managed security services, one that follows a flexible and customer-centric approach. We provide a summary of the two reports below.

Read More

Topics: EDR, MSSP, AAP

Chaos: a Stolen Backdoor Rising Again

This post describes a backdoor that spawns a fully encrypted and integrity checked reverse shell that was found in our SSH honeypot, and that was presented at GoSec 2017 in Montreal. We named the backdoor ‘Chaos’, following the name the attacker gave it on the system. After more research, we found out this backdoor was originally part of the 'sebd' rootkit that was active around 2013.

Read More

Topics: malware, botnet

Our Experience around Fake Follower Factories

Last Saturday, January 27th, the New York Times published a detailed article on the sales of automated likes and follows by an American company called Demuvi. The same day, a New York attorney general announced that he opened an investigation on the company, which sold millions of fake followers on social networks. Some of these fake followers stole real users' data such as pictures and profile descriptions. The news article relates to the research we’ve conducted on the botnet Linux/Moose and the ego market it is thriving in. This blog post contextualizes the New York Times' article with our own experience.

Read More

Topics: botnet, moose, opinion

Why you should consider Kotlin for Burp extension development

This small article is an opinion piece to explain why we find the Kotlin language interesting. Its benefits applied to Burp extension development.

Read More

Topics: burp, development, proxy, java, kotlin, plugin

VMware Horizon (V4H/V4PA) desktop agent privilege escalation vulnerability (CVE-2017-4946)

The story of a privileged handle...

Context

As virtualization technology continues to become the corporate standard, the popularity of Virtual Desktop Infrastructure (VDI) in large enterprises has been increasing. These automated environments can provision desktops and applications from the internal and external network on top of virtualization technology without an IT administrator’s input. There are many components involved in a VDI infrastructure, but one specifically caught our attention on a customer mandate back in September 2017: the Windows "vmwagent.exe".

On this particular mandate, we had to escape the VDI environment with developer access and without local administrative access. The customer had done a great job at image hardening; services, applications and operating systems were well configured and patched, with up-to-date antivirus software, behavior monitoring, and strong passwords. Faced with this situation, we decided to perform a quick look around with the popular Process Explorer from the
Read More

Topics: vulnerability, windows, enterprise, exploitation, pentest, privilege-escalation

Can We Trust Social Media Data? Social Network Manipulation by an IoT Botnet

New results related to our research about Linux/Moose, an IoT botnet that conducts social media fraud (SMF), were published in the scientific journal, Social Media & Society, last week. The article is open-source and available at: http://dl.acm.org/citation.cfm?id=3097301. However, if you don’t want to bother reading it, we have provided below a quick summary of the main findings. In general, the study assesses the market for social media fraud.

Read More

Building a Content Security Policy configuration with CSP Auditor

Content Security Policy - or CSP in short – is the latest milestone in browser XSS attack mitigation. Rather than relying on the browser's anti-XSS filter solely, it is now possible to instruct browsers to apply additional restrictions on external resources like Javascript. This is enforced via the CSP HTTP Headers. The true adoption of this standard will probably not happen before auto-generated and transparent CSP configuration become built-in to web frameworks. At the moment, manual work is still needed in most cases.

Read More

Topics: appsec, auditor, burp

Opinion: Petya, NotPetya and what's wrong with our industry?

In the last few days, we closely followed the malicious software outbreak that took control of about 12,500 devices, mostly in Ukraine and Russia, demanding a $300 ransom from the infected device’s owner. Although this new attack is fascinating, we noticed that the associated stories quickly got out of hand.

Read More

Topics: malware, Ransomware, industry, media, opinion

An Introduction to Application Security

To remain in business, companies rely on perimeter security to protect, among other, their “secret sauce” recipe and the confidential information of their customers. To this end, information security vendors offer different types of defenses. The intent is commendable and the organization then feels confident, warm and cozy behind its firewall. However, there is something fishy. Businesses put up a variety of web applications on the Internet (thus accessible by everyone - including malicious actors) to offer different services. These applications can take many shapes, from transactional Web sites, to mobile applications or Web services. With them, the appropriate security question becomes: beyond securing the infrastructure, how can one defend these applications against hackers? The answer is: the proper design of the application’s source code. There you have it: application security.

Read More

Topics: appsec, process, sdlc, security

Detecting deserialization bugs with DNS exfiltration

At the moment, Java deserialization vulnerabilities are becoming well known by vendors and attackers. Nevertheless, pentesters will still encounter these types of vulnerabilities. The low-hanging fruits can be identified with the current tools. Most of the available tools rely on the command execution API. However, the command from the payload may fail because of Operating System specific conditions. Additionally, the command used might be missing or the arguments it requires may differ due to the version of the command or the flavor installed (ie: GNU netcat vs OpenBSD netcat for example).

Read More

Topics: deserialization, detection, vulnerability, web, weblogic, dns, exploit, java, jboss, jenkins

Subscribe to Email Updates

Recent Posts