Qilin? / ClearFake Camapain
Qilin? / ClearFake Campaign Analysis Overview A malicious or compromised site was hosting a ClickFix campaign that initially determines whether to show the payload with the following initial stage...
Qilin? / ClearFake Campaign Analysis Overview A malicious or compromised site was hosting a ClickFix campaign that initially determines whether to show the payload with the following initial stage...
Salesforce/Gainsight Breach IOCs Overview Security teams have identified unauthorized access to Salesforce environments via a compromised Gainsight integration token. The intrusion appears highly ...
Streamlining Cloud Development with LocalStack and Terragrunt The landscape of cloud development is constantly evolving. With a growing emphasis on efficiency, consistency, and cost management we ...
Phreaky We can pull all the IMF files out of the pcap, and we get a bunch of base64 encoded email attachments with passwords. Putting them all in a script to make the zip file and unzip it: # P...
Data Siege The pcap contains a .NET executable that we can decompile in ILSpy. Inside, we see that the traffic is encrypted, and then base64 encoded before being sent out over the network. I wr...
What Happened A user alerted us on July 25, 2023, that they had clicked on a possible phishing link. This link was disguised as an invoice and urged the recipient to make an urgent payment. Attach...
Mutation Lab Checking out the main page of the application, we can initially register and get logged in with any user/password combo Here we see a way to export images and when we hit the exp...
Kryptos Support The first page you are greeted with is an entry page for leaving feedback for the Kryptos Vault and a “backend” button that we can’t click but poking around it leads us to /ad...
Compressor So we are given an endpoint we can netcat into and it presents us with the following: Compressor [*] Directory to work in: QqcbsvCcKGxpk7n6JNvqNxPB19gC5OiB Component List: +=========...
Automation We are given a pcap file that looks like a bunch of windows update traffic. Poking around we see a bunch of weird DNS traffic with a few TXT answers. as well as a url to http://win...