
Rhysida – Ransomware Payload Analysis

Reading Time: 8 minutes RANSOMWARE GROUP DETAILS Rhysida is a ransomware gang that became famous starting from May 2023, after being correlated to a series of high-profile cyber attacks in western Europe, North and South America and Australia. The group seems to be linked with the known Threat Actor "Vice Society". The team takes its name from a […]

Pizza, Pasta and Red Teaming: insights and ideas for an Italian-style report

Reading Time: 6 minutes Pizza, Pasta and Red Teaming: insights and ideas for an Italian-style report Foreword After more than 2 years from the inauguration of Labs, made with my friend Paolo Stagno aka VoidSec, it was perhaps time for me to write something. But $whoami? Make yourself comfortable and go to the "Author" section at the end […]

GhostSec, the hacktivist collective targeting ICSs

Reading Time: 13 minutes Introduction To achieve their objectives, hacktivist groups have traditionally employed techniques such as distributed denial of service (DDoS), website defacements, and leaks of documents. These operations are usually conducted to advocate for specific social or political causes. Recently, it has been observed that hacktivist groups have shifted towards the targeting of […]

GIS3W: Persistent XSS in G3WSuite 3.5 – CVE-2023-29998

Reading Time: 6 minutes GIS3W: Persistent XSS in G3WSuite 3.5 – CVE-2023-29998 Overview During an engagement on a client’s public infrastructure, we detected an exposed installation of G3WSuite. Since we were asked to perform a black box pentest on the G3WSuite installation, we had to find a way to gather as much information about the target as possible. Luckily […]

Win$ton: a Russian-Speaking Scam Group Targeting Middle-Eastern Customers

Reading Time: 7 minutes Introduction As the Yarix Cyber Threat Intelligence (YCTI) team, we regularly monitor, track and counter phishing websites that aim to steal user-sensitive data (e.g., login credentials, phone numbers, credit cards). One of the most challenging aspects of proactively countering and tracking phishing campaigns is hunting and analyzing exposed phishing kits. The analysis of these archives enables […]

Vade Secure Gateway Multiple XSS (CVE-2023-29712, CVE-2023-29713, CVE-2023-29714)

Reading Time: 4 minutes Vade Secure Gateway During a penetration test activity, several reflected cross-site scripting (XSS) vulnerabilities were found on an application developed by the French Company Vade Secure. The vulnerable application is Vade Secure Gateway which is an email box scanning and processing tool for spam removal that can be managed via a web page. Once we […]

Analysis of BlackBasta ransomware gang (Part 1)

Reading Time: 10 minutes Executive Summary The present article provides valuable highlights about BlackBasta ransomware-as-a-service (RaaS), as a result of the analysis conducted by Yarix Cyber Threat Intelligence – YCTI team. BlackBasta emerged in April 2022 and has already compromised over 200 organizations, thus representing one of the most threatening ransomware gangs in the cyber-scene. From April 2022 until […]

PrivEsc on a production-mode POS

Reading Time: 8 minutes Earlier this year, we were involved in the security assessment of a mobile application that included the use and verification of a POS, a Pax D200. An Internet search aimed at identifying any known vulnerabilities about it led us to a post called pax-pwn, written by lsd.cat, where three CVEs were reported and described […]

SIRI WI400: XSS on Login Page – CVE-2022-48111

Reading Time: 3 minutes WI400 is a software product developed by SIRI that acts as a web interface for IBM Power Systems (AS/400). During a penetration test activity, a reflected cross-site scripting (XSS) vulnerability was found on the login page. This allowed crafting URLs with arbitrary JavaScript code injected that would execute once the link was visited. Advisory […]

Russian Cyber Underground: Genesis and Anatomy of the Dark Web Forum Infinity

Reading Time: 25 minutes Executive Summary The Yarix Cyber Threat Intelligence (YCTI) team analysed the genesis and anatomy of a brand-new forum operating in the Russian cyber underground: the Infinity Forum. Infinity is a recently appeared cyber creature founded by KillMillk (former head of the pro-Russia hacktivist group Killnet) and engineered by Russian hacktivists. It is officially operative since […]

The Foreigner – A (not so) quick and dirty drop box for Red Teamers

Reading Time: 17 minutes Some time ago, the Yarix Red Team was engaged on a red team assessment that included an onsite activity to test the physical security posture of the Customer. Although we could have used social engineering tactics to physically enter the Customer's property, this would have given us too short a time to stay […]

Advanced Phobia

Reading Time: 8 minutes Ransomware Gang Details Phobos ransomware, first discovered in December 2018, is another notorious cyber threat actor which targets businesses. Phobos is popular among threat actors because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic: the gang’s name was likely inspired by him. Phobos […]


Reading Time: 9 minutes Ransomware Details Phobos ransomware, first discovered in December 2018, is another notorious cyber threat that targets businesses. Phobos is popular among threat actors of various technical abilities because of its simple design. In addition, the Greek god Phobos was thought to be the incarnation of fear and panic; hence the name Phobos was likely inspired […]

Analysis of the Russian-Speaking Threat Actor NoName 057(16)

Reading Time: 14 minutes The report analyzes the threat actor NoName057(16). Yarix Cyber Threat Intelligence (YCTI) team has tracked the activities of this cyber-collective from its creation (early March 2022) until the month of September 2022. From the findings and the evidence collected, NoName057(16) is a Russian-speaking threat actor, whose actions are driven by ideological and political grounds, namely: […]

Plug n Panda – APT Group

Reading Time: 7 minutes The "Plug N Panda" group (the name chosen by Yarix R&D) is a newly observed group characterized by the use of ransomware DLL sideloading (PlugX – Talisman) techniques to cover its tracks after carrying out an attack, and it is believed to originate from China. This APT was first observed in the first months […]

Analysis of a Command Injection in VBScript

Reading Time: 7 minutes In this writeup we present the analysis and exploitation of a VBScript command injection vulnerability we stumbled upon during a penetration test on a .NET web application. What makes this vulnerability stand out is the fact that at first glance it could be mistaken for a common SQL injection. After a few exploitation attempts, we […]

Merry Hackmas: multiple vulnerabilities in MSI’s products

Reading Time: 2 minutes This blog post serves as an advisory for a couple of MSI products that are affected by multiple high-severity vulnerabilities in the driver components they are shipped with. All the vulnerabilities are triggered by sending specific IOCTL requests and allow an attacker to: Directly interact with physical memory via the MmMapIoSpace function call, mapping physical memory into […]

Driver Buddy Reloaded

Reading Time: 5 minutes As part of Yarix's continuous security research journey, during this year I've spent a good amount of time reverse-engineering Windows drivers and exploiting kernel-mode related vulnerabilities. In the past there were (as far as I know) at least two good IDA plugins aiding in the reverse engineering process: DriverBuddy by NCC Group, and win_driver_plugin by […]

Crucial’s MOD Utility LPE – CVE-2021-41285

Reading Time: 7 minutes Crucial Ballistix MOD Utility is a software product that can be used to customize and control gaming systems, specifically LED colours and patterns, memory, temperature, and overclocking. During my vulnerability research, I discovered that this software uses a driver, MODAPI.sys, containing multiple vulnerabilities that allow an attacker to achieve local privilege escalation from a low-privileged […]

Homemade Fuzzing Platform Recipe

Reading Time: 5 minutes It's no secret that, since the beginning of the year, I've spent a good amount of time learning how to fuzz different Windows software, triaging crashes, filling out CVE forms, and writing harnesses and custom tools to aid in the process. Today I would like to give a sneak peek into my high-level process of designing a Homemade Fuzzing Platform, […]

Root Cause Analysis of a Printer’s Driver Vulnerability

Reading Time: 8 minutes Last week SentinelOne disclosed a "high severity" flaw in HP, Samsung, and Xerox printer drivers (CVE-2021-3438); the blog post highlighted a vulnerable strncpy operation with a user-controllable size parameter, but it explained neither the reverse engineering nor the exploitation phase of the issue. With this blog post, I would like to analyse the vulnerability […]

Reverse Engineering & Exploiting Dell CVE-2021-21551

Reading Time: 11 minutes At the beginning of the month, SentinelOne disclosed five high-severity vulnerabilities in Dell's firmware update driver. As the described vulnerability appeared not too complicated to exploit, a lot of fellow security researchers started weaponizing it. I was one of the first, if not the first, to tweet about weaponizing it into a _SEP_TOKEN_PRIVILEGES overwrite exploit, and with […]

Chaining Bugs: NVIDIA GeForce Experience (GFE) Command Execution

Reading Time: 5 minutes NVIDIA GeForce Experience (GFE) v.<= 3.21 is affected by an Arbitrary File Write vulnerability in the GameStream/ShadowPlay plugins, where log files are created with NT AUTHORITY\SYSTEM level permissions, which leads to Command Execution and Elevation of Privileges (EoP). NVIDIA Security Bulletin – April 2021 NVIDIA Acknowledgements Page Introduction Some time ago I was looking for […]

Malware Analysis: Ragnarok Ransomware

Reading Time: 11 minutes The analysed sample is a malware employed by the Threat Actor known as Ragnarok. The ransomware is responsible for file encryption and is typically executed, by the actors themselves, on the compromised machines. The name of the analysed executable is xs_high.exe, but others have been found in use by the same ransomware family (such as […]