
Category: research
How an APT technique turns to be a public Red Team Project
09/07/2023
Introduction DLL Sideloading (T1574.002) stands as a remarkably effective stratagem employed by adversaries to execute their own malicious code, while clandestinely leveraging the implicit trust placed in legitimate applications. This report dissects the multifaceted nuances of DLL Sideloading, delving into its mechanics, the prevalence of victim applications, and its reverberating impact on the cybersecurity landscape. […]
CVE Advisory - Full Disclosure Cisco ISE Multiple Vulnerabilities - RCE with 1-Click
04/24/2023
Introduction Initially three vulnerabilities were discovered, which are described here: Advisory Vulnerabilities CVE-2022-20964 – Command Injection – CWE-78 CVE-2022-20964 - Command Injection - CWE-78 PRODUCT LINE VERSION SCORE IMPACT Cisco Identity Services Engine 2.7 < 3.2 P1 CNA: 6.3NIST: 8.8 High OWASP CATEGORY OWASP CONTROL A03 - Injection WSTG-INPV-12 AFFECTED ENDPOINT - AFFACTED PARAMETER https://ciscoise.server/admin/rs/uiapi/mnt/tcpdump/Starthttps://ciscoise.server/admin/rs/uiapi/mnt/tcpdump/DeleteFile […]
CVE Advisory - Full Disclosure Cisco ISE Broken Access Control
04/13/2023
Introduction Through the internal project called Saguri, we started with the analysis of the Cisco Identity Service Engine - 3.1.0.518-Patch3-22042809, the Cisco ISE is a useful tool in the management of one's own network and not only, it allows the implementation and application in a dynamic and automated way of security and 'management' policies, simplifying […]
Money Ransomware: The Latest Double Extortion Group
04/13/2023
Introduction Ransomware attacks have emerged as a predominant menace in recent years, with the strategies employed by malicious actors constantly evolving. Among the most effective and worrisome tactics is the "double extortion" model, which has rapidly gained popularity as a preferred business model for threat actors. Financially motivated perpetrators particularly favor the double extortion model, […]
CVE Advisory - Full Disclosure Cisco ISE Cross Site Scripting
04/05/2023
Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service Engine (ver. 3.1.0.518-Patch3-22042809).Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access […]
DuckTail: Dissecting a complex infection chain started from social engineering
03/29/2023
Introduction It is concerning to learn about the increasing use of social engineering tactics to exploit users on social media platforms. Cybercriminals commonly disguise malware as games, music, software, and other media content to deceive users into downloading and installing malicious software on their devices. One such sophisticated stealer is DuckTail, which was first identified […]
CVE Advisory - Full Disclosure Cisco ISE Path Traversal
03/28/2023
Introduction In July 2022 the Yoroi advisory team, in the context of its internal project Saguri, started analysing the Cisco Identity Service Engine (ver. 3.1.0.518-Patch3-22042809).Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable precise controls over who can access the network, what they have access […]
CVE Advisory - Partial Disclosure Zumtobel Multiple Vulnerabilities
03/21/2023
Introduction The vulnerability has been found during a security assessment on Netlink CCD Onboard version 3.74 and Firmware version 3.80.The Netlink CCD is an IoT control device with 3 DALI-compliant outputs and one LM-Bus interface for open-loop control of maximum 250 luminaires and motors. It can be operated locally or by using an external litenet […]
Hunting Cyber Evil Ratels: From the targeted attacks to the widespread usage of Brute Ratel
02/15/2023
Introduction Red team operations are fundamental for achieving an adequate cybersecurity maturity level. So, many different C2 commercial frameworks were born to provide help in managing security tests. However, these technologies can be used at the same time even by attackers to make cyber intrusions. One of the most emblematic examples of this phenomenon is […]
CVE Advisory - Partial Disclosure Cisco ISE Multiple Vulnerabilities
11/24/2022
Introduction Initially three vulnerabilities were discovered, which are described here: https://yoroi.company/?s=saguri. Further research prompted the discovery of four other vulnerabilities including a Command Injection, which if exploited allows one to gain root access to the system shell.Cisco ISE is a network management tool which allows definition and implementation of security and management policies, which enable […]
Reconstructing the last activities of Royal Ransomware
11/17/2022
Introduction Royal Ransomware is a new group first spotted on Bleeping Computer last September, where the cybersecurity news site revealed a connection with another malware known as Zeon. At the moment, we don’t have much information about the group and all its actual TTPs, but we know that they use the Double Extortion model to […]
CVE Advisory - Partial Disclosure Cisco ISE Broken Access Control
11/10/2022
Introduction Through the internal project called Saguri, we started with the analysis of the Cisco Identity Service Engine - 3.1.0.518-Patch3-22042809, the Cisco ISE is a useful tool in the management of one's own network and not only, it allows the implementation and application in a dynamic and automated way of security and 'management' policies, simplifying […]