Cyberespionage

Appin Exposed: Decoding Shadowy Hack-for-Hire Group's Cyberespionage

Unmasking Appin's Cyberespionage: A Definitive Dive into Global Espionage and Evolution in the Hack-for-Hire

20-Nov-2023
4 min read

Related Articles


Ransomware

A new strain of ransomware called MadCat has been linked by security researchers...

A new strain of ransomware, MadCat, has emerged, creating a stir among security researchers and cybercrime enthusiasts alike. Damien Black, a seasoned journalist, unveils the intricate web of deception woven by this group of cybercriminals.

### Deceptive Prelude

On November 23rd, cybersecurity pundit Dominic Alvieri hinted at the debut of MadCat, a ransomware group that purportedly stole passport details. However, a subsequent investigation led by cyber investigator Karol Paciorek revealed a shocking twist: MadCat was not a force to be reckoned with but rather a group of scammers preying on their fellow criminals.

### Unmasking the Culprits

Paciorek, along with his team at CSIRT KNF cybersecurity firm, exposed the perpetrators behind MadCat. The investigation linked the dark web accounts @plessy, @rooted, and @whitevendor to the fraudulent sale of 246,000 screenshotted Polish passport pages and other dubious offers of stolen travel documents. The scammers were cunningly enticing their targets with fake promises.

### Scam Unveiled

The scam, discovered on October 30th, involved @plessy posing as the seller of the entire illegal passport collection for a hefty sum of $3,400. CSIRT's analysis pointed to a potential link between @plessy and @whitevendor, suggesting they might be the same individual. The writing style, thread creation methods, and sales focus on identity documents were key indicators.

### Criminal Fallout

As the web of deception expanded, criminals on platforms like BreachForums started sharing tales of being duped. One user, "onesandzeroes," lamented losing nearly 20 units of Monero (XMR) cryptocurrency, approximately $3,000, to @rooted's false promises of stolen Japanese and Chinese passport details. The CSIRT report further solidified the connection between @rooted and @whitevendor.

### Tracing the Web Presence

Paciorek's investigation unveiled the web address plessy.eu, which was associated with the aliases @plessy, @rooted, and @whitevendor. Surprisingly, when Cybernews attempted to access the site, it redirected to a Telegram channel, @shinyenigma, connected to @plessy. The tangled web extended to a GitHub profile with the same name, which showed signs of dormancy except for a recent update.

### The Ransomware Link

The investigation also connected @plessy to @MadCatR, leading to a discussion channel called @MadCatRansom, with @plessy as the sole user. CSIRT highlighted the possibility of this channel being a hub for the ransomware group. The unfolding narrative pointed towards a group that had set its sights on deception from the beginning.

### Downfall in Sight

Paciorek, commenting on the exposed MadCat group, foresaw a swift downfall akin to RansomedVC, another newcomer in the cybercrime scene. The MadCat ransomware site, linked by Alvieri, was found dead at the time of writing. Whether this was a response to Paciorek's revelations or a mere coincidence remains unclear.

### The Evolution of Deception

The perpetrators, having been unmasked, showed a history of deception that extended beyond their cybercriminal activities. User @WhiteVendor, facing negative feedback, abandoned the account and rebranded as @Plessy, continuing the scam under a new pseudonym. CSIRT's findings irrefutably connected these identities to the MadCat ransomware group.

### Lessons Learned

The MadCat saga serves as a cautionary tale in the cybersecurity realm, emphasizing the need for vigilance, even among criminals. The deceptive tactics employed by these scammers highlight the importance of thorough investigations and collaboration within the cybersecurity community to unveil and neutralize potential threats.

25-Nov-2023
3 min read

APT

Newly discovered HrServ.dll web shell in an APT attack on an Afghan government e...

An undisclosed government entity in Afghanistan fell victim to an advanced persistent threat (APT) attack orchestrated through a previously undocumented web shell named HrServ.dll. This article dissects the technical intricacies of this malicious entity, shedding light on its features, attack chain, and potential threat actor.

### HrServ.dll Web Shell: A Closer Look

Kaspersky's security researcher, Mert Degirmenci, uncovered the HrServ.dll web shell, a dynamic-link library exhibiting sophisticated features, including custom encoding methods for client communication and in-memory execution. Variants of this malware have been traced back to early 2021, indicating a persistent and evolving threat.

### Malicious Tools at Play

The attack chain uses the PAExec remote administration tool as a launchpad for creating a scheduled task disguised as a Microsoft update. This task, named "MicrosoftsUpdate," executes a Windows batch script ("JKNLA.bat"), which in turn starts HrServ.dll as an HTTP server.

### Code Execution and HTTP Requests

The web shell uses GET parameters, notably 'hl', to mimic Google services and blend rogue requests into ordinary network traffic, making malicious and benign events hard to tell apart. Embedded within HTTP requests is a parameter called 'cp', which dictates actions such as spawning threads, creating files, reading files, and accessing Outlook Web App HTML data.

### Critical Parameter: 'cp' in Action

The value of 'cp' in a POST request triggers specific actions. If 'cp' equals "6," code execution is initiated by parsing encoded data, copying it into memory, creating a new thread, and inducing a sleep state. This use of 'cp' adds a layer of complexity to the threat actor's operations.

### Multifunctional Implant for Stealth

The web shell can activate a multifunctional implant in memory designed to erase the forensic trail. This includes deleting the "MicrosoftsUpdate" job, as well as the initial DLL and batch files. The distinct strings in the web shell and memory implant, along with a carefully crafted help message, are among the malware's notable characteristics.

### Attribution Challenges

While the threat actor behind HrServ.dll remains unidentified, linguistic anomalies in the source code suggest a non-native English speaker. The article highlights typos and linguistic patterns, providing insights into the potential motives behind the attack. Notably, the malware's characteristics, although aligning with financially motivated malicious activity, also exhibit similarities with APT behavior.
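The article describes the request shape a defender can look for: a Google-style 'hl' query parameter combined with a 'cp' action parameter, with cp=6 tied to in-memory code execution. The following log-triage script is an added example, not code from the article or from Kaspersky. The combined-log format, the IP addresses and every log line are constructed for illustration, and the severity heuristic is an assumption built from the article's description rather than a vendor signature.

```python
"""
Added example (not from the article or from Kaspersky): triage web-server
access logs for request shapes matching the article's description of
HrServ.dll traffic, i.e. a Google-style 'hl' query parameter combined with
a 'cp' action parameter. Log format, hosts and every line are constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Combined-log-style lines, constructed for this example (not real telemetry).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Nov/2023:10:01:02 +0000] "GET /search?hl=en&q=report HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Nov/2023:10:03:15 +0000] "POST /?hl=en&cp=6 HTTP/1.1" 200 17 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Nov/2023:10:03:40 +0000] "GET /?hl=en&cp=2 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Nov/2023:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query)
    rec["params"] = {k: v[0] for k, v in query.items()}
    return rec


def classify(rec):
    """Return a severity label for a parsed request based on its query parameters.

    Heuristic (an assumption built from the article, not a vendor signature):
    a 'cp' action parameter is suspicious on a server that is not a search
    service, more so when paired with the Google-style 'hl' parameter, and
    cp=6 is the value the article ties to in-memory code execution.
    """
    params = rec["params"]
    if "cp" not in params:
        return "benign"
    if params.get("cp") == "6":
        return "critical"
    if "hl" in params:
        return "suspicious"
    return "low"


def triage(log_text):
    """Parse every line and return (ip, method, target, label) for each non-benign request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label != "benign":
            hits.append((rec["ip"], rec["method"], rec["target"], label))
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

In practice the heuristic belongs in a SIEM rule scoped to hosts that never legitimately serve search-style URLs; on an internal application server, any request carrying a 'cp' parameter is worth a look, and the scheduled task name "MicrosoftsUpdate" from the attack chain is a second, independent pivot on the endpoint side.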

25-Nov-2023
2 min read

Cloud Security

Vulnerability

Dive into the code risks of ownCloud's critical vulnerabilities, exposing admin ...

The open-source file-sharing solution, ownCloud, has sounded the alarm on three critical security vulnerabilities. This [Threatfeed](https://www.secureblink.com/cyber-security-news) dives deep into the intricacies of these flaws, shedding light on potential risks and offering comprehensive solutions.

## Vulnerability 1: Disclosure of Sensitive Credentials in Containerized Deployments

**Risk Assessment**

- Critical
- CVSS v3 Base Score: 10
- CWE ID: CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)

**Description**

The "graphapi" app, dependent on a third-party library, exposes PHP environment details, risking the exposure of critical data, including ownCloud admin passwords and mail server credentials. Even in non-containerized environments, the vulnerability persists, emphasizing the severity.

**Mitigation Steps**

1. Delete the vulnerable file: `owncloud/apps/graphapi/vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php`
2. Disable the 'phpinfo' function in Docker containers.
3. Update exposed secrets: ownCloud admin password, mail server credentials, database credentials, and Object-Store/S3 access keys.

## Vulnerability 2: WebDAV API Authentication Bypass Using Pre-Signed URLs

**Risk Assessment**

- High
- CVSS v3 Base Score: 9.8
- CWE ID: CWE-665 (Improper Initialization)

**Description**

In ownCloud core library versions 10.6.0 to 10.13.0, an authentication bypass flaw allows unauthorized access, modification, or deletion of any file if the victim's username is known and no signing key is configured.

**Mitigation Steps**

1. Deny the use of pre-signed URLs if no signing key is configured for the file owner.

## Vulnerability 3: Subdomain Validation Bypass in OAuth2 App

**Risk Assessment**

- Critical
- CVSS v3 Base Score: 9
- CWE ID: CWE-284 (Improper Access Control)

**Description**

The OAuth2 app is susceptible to subdomain validation bypass, enabling attackers to redirect callbacks to a domain controlled by them.

**Mitigation Steps**

1. Harden the validation code in the OAuth2 app.
2. As a temporary workaround, turn off the "Allow Subdomains" option.

## Implications and Urgency

These security flaws pose severe threats to ownCloud environments, potentially leading to data breaches, stealthy data theft, and phishing attacks. With the constant targeting of file-sharing platforms by ransomware groups, such as CLOP, the urgency to apply the recommended fixes and perform library updates cannot be overstated.

## Contextual Analysis

Understanding the technical intricacies of each vulnerability is crucial for system administrators and cybersecurity professionals. Let's delve into the nuances of each flaw to grasp their impact fully.

### Vulnerability 1: GraphAPI App

Exposing PHP environment details through a third-party library creates a significant risk. The vulnerable file, `GetPhpInfo.php`, opens the door to unauthorized access to critical information. The advice to turn off the 'phpinfo' function in Docker containers is a strategic move to thwart potential exploits. Changing exposed secrets adds an extra layer of security.

### Vulnerability 2: WebDAV API Authentication Bypass

The authentication bypass flaw in the core library is a serious concern. Allowing access without proper authentication can lead to unauthorized data manipulation. Denying pre-signed URLs when no signing key is configured is a straightforward yet effective solution to mitigate this risk.

### Vulnerability 3: OAuth2 App Subdomain Validation Bypass

The OAuth2 app's vulnerability to subdomain validation bypass opens avenues for attackers to redirect callbacks, potentially leading to unauthorized control. Hardening the validation code and, as a temporary measure, turning off the "Allow Subdomains" option are crucial steps to fortify the security of the OAuth2 app.

## Code-Level Insights

For those delving into the codebase, understanding the specific details of these vulnerabilities is paramount. Let's examine illustrative snippets related to each flaw.

### GraphAPI App Vulnerability

```php
// Vulnerable code in graphapi app (illustrative sketch)
include('vendor/microsoft/microsoft-graph/tests/GetPhpInfo.php');
```

The inclusion of `GetPhpInfo.php` exposes sensitive PHP environment details. Deleting this file is a critical step in closing this vulnerability.

### WebDAV API Authentication Bypass

```python
# Vulnerable logic in ownCloud core library (illustrative pseudocode)
if not signing_key_configured:
    allow_pre_signed_urls()
```

The absence of a proper signing key configuration allows the unauthorized use of pre-signed URLs, posing a serious security risk.

### OAuth2 App Subdomain Validation Bypass

```javascript
// Vulnerable logic in oauth2 app (illustrative pseudocode)
if (allow_subdomains_option_enabled) {
  // Bypass subdomain validation
  redirect_to_attacker_controlled_domain();
}
```

The conditional bypass of subdomain validation in the OAuth2 app can be mitigated by hardening the validation code and disabling the "Allow Subdomains" option.

## Urgent Actions for ownCloud Administrators

In light of these vulnerabilities, ownCloud administrators must act promptly to secure their environments. The following actions are imperative:

1. **Apply Recommended Fixes**: Implement the solutions for each vulnerability without delay.
2. **Update Libraries**: Stay vigilant for future core releases that include additional hardenings to mitigate similar vulnerabilities.
3. **Monitor Environment**: Regularly assess the ownCloud environment for any signs of compromise, especially considering the potential stealthy nature of these vulnerabilities.
4. **Educate Users**: Ensure users know the risks and the importance of updating credentials and configurations.
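The mitigations for Vulnerability 2 (deny pre-signed URLs when the owner has no signing key) and Vulnerability 3 (harden subdomain validation of OAuth2 redirect URIs) both come down to a few lines of careful comparison logic. The block below is an added example written for this page; it is not ownCloud's code and does not reproduce its URL or OAuth2 implementation. The user table, the signing keys, the hostnames and the URL layout are all invented for illustration.

```python
"""
Added example, not ownCloud's code: two defensive checks modelled on the
advisory's mitigations. (1) Pre-signed URLs are refused outright when the file
owner has no signing key, and otherwise verified with a constant-time HMAC
comparison plus an expiry. (2) OAuth2 redirect URIs are validated against the
registered URI by exact scheme/host/port/path comparison, with an optional
'allow subdomains' mode that only accepts a true DNS subdomain (dot boundary),
never a lookalike host. All names, keys and URLs below are invented.
"""
import hmac
import hashlib
from urllib.parse import urlsplit, parse_qs, urlencode

# Constructed user table: 'alice' has a signing key configured, 'bob' does not.
SIGNING_KEYS = {"alice": b"alice-secret-key-example", "bob": None}


def sign_url(path, owner, expires, key):
    """HMAC-SHA256 over (path, owner, expires); hex digest."""
    msg = f"{path}|{owner}|{expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def make_presigned_url(path, owner, expires):
    """Issue a pre-signed URL; refuses if the owner has no signing key."""
    key = SIGNING_KEYS.get(owner)
    if not key:
        raise ValueError("owner has no signing key; cannot issue pre-signed URL")
    q = urlencode({"owner": owner, "expires": expires,
                   "signature": sign_url(path, owner, expires, key)})
    return f"https://files.example/{path}?{q}"


def verify_presigned_url(url, now):
    """True only for a valid, unexpired signature made with the owner's key.

    A missing key denies access: this is the advisory's mitigation for
    Vulnerability 2, instead of treating 'no key' as 'skip the check'.
    """
    parts = urlsplit(url)
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    owner = q.get("owner", "")
    key = SIGNING_KEYS.get(owner)
    if not key:
        return False
    try:
        expires = int(q.get("expires", "0"))
    except ValueError:
        return False
    if now > expires:
        return False
    expected = sign_url(parts.path.lstrip("/"), owner, expires, key)
    return hmac.compare_digest(expected, q.get("signature", ""))


def redirect_uri_allowed(registered, candidate, allow_subdomains=False):
    """Validate an OAuth2 redirect_uri against the registered one.

    Scheme must be https and identical; port and path must match exactly;
    host must match exactly, or, in subdomain mode, end with '.' + the
    registered host so that 'evilexample.org' never passes for 'example.org'.
    """
    r, c = urlsplit(registered), urlsplit(candidate)
    if c.scheme != r.scheme or c.scheme != "https":
        return False
    if c.path != r.path or c.port != r.port:
        return False
    r_host = (r.hostname or "").lower()
    c_host = (c.hostname or "").lower()
    if c_host == r_host:
        return True
    return allow_subdomains and c_host.endswith("." + r_host)


if __name__ == "__main__":
    url = make_presigned_url("docs/report.pdf", "alice", expires=2000)
    print(url, verify_presigned_url(url, now=1000))
    reg = "https://app.example.org/cb"
    print(redirect_uri_allowed(reg, "https://dev.app.example.org/cb", allow_subdomains=True))
    print(redirect_uri_allowed(reg, "https://app.example.org.attacker.net/cb", allow_subdomains=True))
```

The two design points worth carrying over to any real implementation: a missing secret must fail closed rather than disable the check, and "subdomain of" must be tested on a label boundary (the leading dot) rather than with a bare suffix or substring match, which is exactly the class of mistake an "Allow Subdomains" option invites.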

25-Nov-2023
4 min read