Upstream
A previously unknown vulnerability, CVE-2021-44228 also dubbed Log4Shell, in Apache’s popular logging library, Log4j, was discovered to have been exploited in the wild for several days prior to the vulnerability being publicly disclosed on 9 December. Affected versions of Log4j include 2.0-beta9 to 2.15.0. The vulnerability, through a simple exploitation, provides an attacker with the …
Continue reading “Defend against Log4Shell exploits (CVE-2021-44228) with ReaQta-Hive”
A recently discovered exploit targeting a vulnerability in Microsoft’s internal browser engine, MSHTML, could become a prolific tool by cyber criminals in both targeted and wide-spread campaigns. CVE-2021-40444, a remote code execution vulnerability within Microsoft’s MSHTML browser engine was disclosed by Microsoft in a 07 September 2021 advisory1 but a malicious document involved in the exploit …
What is PrintNightmare? PrintNightmare (CVE-2021-34527) is a recently discovered vulnerability, affecting the Microsoft Windows Print Spooler Service. It allows threat actors to run arbitrary code on any device with Print Spooler service enabled with SYSTEM level privileges via Remote Code Execution (RCE) after obtaining initial access. The vulnerability allows attackers to load a DLL into …
A hunting query to identify post-exploitation activities Customized Detection Strategy (DeStra) to detect future exploitation attempts On the 11th of March, Microsoft reported an active exploitation campaign of several zero-day vulnerabilities affecting on-premise versions of Microsoft Exchange Servers allegedly from a state-sponsored adversary, HAFNIUM. The attack starts by exploiting vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and …
Continue reading “Detecting HAFNIUM Exchange Exploitation Campaign with ReaQta-Hive”
During an analysis of different remote desktop trojans we came across an interesting attack-chain which leverages an RTF that exploits CVE-2017-8759 to deliver DarkVNC, a malicious version of the well-known VNC, designed to silently remote-control a victim.
Adobe released in April 2015 an update to patch CVE-2015-3043 that was being exploited actively in the wild by (but not only) threat actor APT28 during the operation RussianDoll. The vulnerability was a heap overflow in the FLV audio parsing engine, in particular the culprit was a hardcoded heap buffer length of 0x2000 bytes, the attackers simply had to provide a …
