Software Vulnerabilities March 30, 2023

X-Force Prevents Zero Day from Going Anywhere

8 min read - This blog was made possible through contributions from Fred Chidsey and Joseph Lozowski. The 2023 X-Force Threat Intelligence Index shows that vulnerability discovery has rapidly increased year-over-year and according to X-Force’s cumulative vulnerability and exploit database, only 3% of vulnerabilities…

Software Vulnerabilities March 21, 2023

Patch Tuesday -> Exploit Wednesday: Pwning Windows Ancillary Function Driver for WinSock (afd.sys) in 24 Hours

12 min read - ‘Patch Tuesday, Exploit Wednesday’ is an old hacker adage that refers to the weaponization of vulnerabilities the day after monthly security patches become publicly available. As security improves and exploit mitigations become more sophisticated, the amount of research and development…

Endpoint March 20, 2023

When the Absence of Noise Becomes Signal: Defensive Considerations for Lazarus FudModule

7 min read - In February 2023, X-Force posted a blog entitled “Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers” that details the capabilities of a sample attributed to the Lazarus group leveraged to impair visibility of the malware’s operations. This blog will…

Software Vulnerabilities February 21, 2023

Direct Kernel Object Manipulation (DKOM) Attacks on ETW Providers

17 min read - Overview In this post, IBM Security X-Force Red offensive hackers analyze how attackers, with elevated privileges, can use their access to stage Windows Kernel post-exploitation capabilities. Over the last few years, public accounts have increasingly shown that less sophisticated attackers…

Software Vulnerabilities January 20, 2023

Dissecting and Exploiting TCP/IP RCE Vulnerability “EvilESP”

10 min read - September’s Patch Tuesday unveiled a critical remote vulnerability in tcpip.sys, CVE-2022-34718. The advisory from Microsoft reads: “An unauthenticated attacker could send a specially crafted IPv6 packet to a Windows node where IPsec is enabled, which could enable a remote code…

Endpoint July 1, 2021

Hunting for Windows “Features” with Frida: DLL Sideloading

8 min read - Offensive security professionals have been using Frida for analyzing iOS and Android mobile applications. However, there has been minimal usage of Frida for desktop operating systems such as Windows. Frida is described by the author as a “Dynamic instrumentation toolkit…

News April 28, 2021

QBot Malware Spotted Using Windows Defender Antivirus Lure

2 min read - Attackers are using fake Windows Defender Antivirus emails to distribute QBot malware. The QBot Attack Campaign In late August 2020, Bleeping Computer revealed that QBot had begun using a new template in its email attacks. This template also used stolen…

June 1, 2020

Trickbot Replaces ‘Mworm’ Propagation Method With New ‘Nworm’ Module

2 min read - Security researchers discovered that the Trickbot Trojan has replaced its "mworm" propagation method with a new "nworm" module.

June 1, 2020

Weekly Security News Roundup: Average Ransomware Demand Grew 14 Times in One Year

3 min read - Researchers revealed that the average ransomware demand grew 14 times over a one-year period from 2018 to 2019. Read on to learn what else happened last week in security news.

May 12, 2020

Thunderspy Vulnerabilities Put Some Thunderbolt Users at Risk of Data Theft

2 min read - Millions of Windows and Linux-based devices could be hit by what researchers call Thunderspy attacks, where flaws in Thunderport interfaces are exploited in a matter of minutes.