May 3, 2021
Improving the network-based detection of Cobalt Strike C2 servers in the wild while reducing the risk of false positives
Context: Cobalt Strike is a commercial post-exploitation platform for Windows-based environments. The Cobalt Strike beacon (implant) can be delivered to the chosen target in multiple ways, even without exploiting technical vulnerabilities in the target environment (e.g. malicious email attachments). The product's functionality can be extended through plug-ins and over…
Incident Response · 9 min read
Published in The Dark Water Journal · Dec 25, 2019
The Dark Water Journal: Phashionista
The following article presents an independent investigation into the world of online shopping scams built around counterfeit fashion goods. During the last few weeks I tracked three campaigns designed to scam users into making payments for fake (and often bogus) fashion items while revealing sensitive financial and personal information about themselves…
Cybersecurity · 8 min read
Published in The Dark Water Journal · Dec 24, 2019
The Dark Water Journal: American Phisher
The following article presents an independent investigation into three separate phishing campaigns which were active during December 2019. They impacted Bank of America, Chase Bank (JP Morgan Chase) and PayPal. …
Security · 13 min read
Published in The Dark Water Journal · Dec 16, 2019
The Dark Water Journal: Latin Phisher
The following article presents a phishing investigation which uncovered a campaign designed to impersonate Banco Santander Brazil's website and gather personally identifiable information (PII) from Brazilian companies. The threat actor compromised several vulnerable websites around the world and then deployed a phishing tool called "ZUB". At the moment…
Phishing · 3 min read
Published in The Dark Water Journal · Dec 7, 2019
The Dark Water Journal: Fortune Phisher
The following article presents a spam email investigation which uncovered a campaign designed to lure users into risky financial schemes involving cryptocurrency websites. The campaign has been active since at least August 2019 and is still ongoing, with the number of websites and URLs changing from week to week. In this…
Security · 4 min read
Mar 1, 2019
Insecure permissions and multiple vulnerabilities in ChinaMobile PLC wireless routers leave more than 4,300 devices vulnerable to remote attacks
Blank passwords and default factory settings: the ChinaMobile PLC Wireless Router model GPN2.4P21-C-CN running firmware version W2000EN-01 (hardware platform Gpn2.4P21-C_WIFI-V0.05) is shipped and deployed without an administrative password on port 8080, and the web configuration interface is accessible using the following syntax: http://<target ip>:8080. …
Cybersecurity · 2 min read
Mar 1, 2019
Insecure permissions in REHAU Group Unlimited Polymer Solutions' implementation of the Carel pCOWeb configuration tool expose heating and temperature control systems to remote attackers
About Carel pCOWeb: the pCOWeb card is used to interface the pCO Sistema to networks that use HVAC protocols based on the Ethernet physical standard, such as BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated web server, which contains both the HTML pages relating to the specific application and…
Cybersecurity · 3 min read
Feb 28, 2019
Insecure permissions in Glen Dimplex Deutschland GmbH's implementation of the Carel pCOWeb configuration tool expose brine-to-water heat pumps to remote attackers
About Carel pCOWeb: the pCOWeb card is used to interface the pCO Sistema to networks that use HVAC protocols based on the Ethernet physical standard, such as BACnet IP, Modbus TCP/IP and SNMP. The card also features an integrated web server, which contains both the HTML pages relating to the specific application and…
Technology · 3 min read
Feb 3, 2019
Insecure permissions in ILC and AXC controllers leave over 1,200 ICS devices vulnerable to attacks over the internet
About PCWorx and ILC/AXC controllers: PCWorx is a protocol found in several ICS (industrial control systems) components made by Phoenix Contact, which produces a series of inline controllers called ILC. The controllers support various ICS protocols as well as common TCP/IP protocols such as HTTP, FTP, SNTP, SNMP, SMTP, SQL, MySQL, etc. …
Information Security · 4 min read