New tools, products, platforms, funding rounds, and company developments in AI security.
Pickle files (Python's serialization format for saving objects) can be backdoored because they execute code through opcodes (instructions that control a virtual machine). Attackers can inject malicious commands into pickle files using tools like fickling, and when someone loads the file, the hidden code runs without interrupting the program's normal function. This is especially dangerous in shared environments like Google Colab, where an infected pickle file could give attackers access to a user's connected Google Drive.
Fix: The source mentions fickling, a tool by Trail of Bits that can both inject code into pickle files and check them for backdoors using two built-in safety features: '--check-safety' (which checks for malicious opcodes) and '--trace' (which shows the various opcodes). The source also recommends: "only ever open pickle files that you created or trust."
Embrace The RedThis post demonstrates how attackers can use eBPF (extended Berkeley Packet Filter, a technology that lets programs run safely inside the Linux kernel) and bpftrace (a tool for tracing system events) to intercept and steal PAM (Pluggable Authentication Modules, the system that handles login authentication) passwords when users log in. The technique works similarly to a backdoor PAM module but uses eBPF instead, highlighting emerging security risks from new kernel-level attack tools.
This post describes a post-exploitation attack where an attacker modifies PAM (Pluggable Authentication Modules, a Unix system for controlling login behavior) to secretly capture user passwords by inserting a malicious script into the authentication pipeline. The attacker creates a bash script that logs usernames, passwords, and IP addresses whenever someone logs in, making it difficult to detect because it operates within legitimate system authentication mechanisms.
This article explains how to customize shell prompts (the command-line interface where users type commands) to automatically display date and time information, which helps security professionals document their activities during red team exercises (simulated attacks to test security). The article provides examples for three common shells: Bash, zsh on macOS, and PowerShell.
On macOS, attackers can extract password hashes from the local directory service (the system that stores account information) using the dscl command tool, even when System Integrity Protection is enabled, then convert these hashes to a format that hashcat (a password-cracking tool) can process to crack the passwords. This technique is particularly dangerous when organizations reuse the same admin password across multiple Mac computers, making lateral movement (spreading access across a network) easier for attackers.
The Flipper Zero is a handheld device that can read and emulate NFC (near-field communication, the wireless tech in credit cards and phones), RFID (radio-frequency identification used in key fobs), infrared signals, and radio frequencies, along with a Bad-USB feature that lets it act as a keyboard to send preprogrammed commands. The author demonstrates that it can easily read credit card numbers from physical cards and Apple Watches, though they note the device is educational and users should understand the risks and legal implications of its capabilities.
This article describes a bash script tool that runs AWS commands across multiple AWS profiles (sets of credentials configured locally) to help security researchers test discovered AWS access keys during penetration testing or bug bounties. The script checks whether each key is valid, identifies what resources it can access, and logs metadata like timestamps and the source IP address for reporting purposes.
This post documents reconnaissance techniques for GitLab (a code hosting platform similar to GitHub) after obtaining a GitLab Token (a credential that grants API access). An attacker with a valid token can enumerate projects, clone source code repositories to search for secrets, extract CI/CD variables (configuration values that often contain passwords or access keys), and discover runner tokens (registration credentials for build automation systems).
Log4Shell is a critical vulnerability in Apache's log4j library (a widely-used Java logging tool) that allows remote code execution (running commands on a system from afar) through its Java Naming and Directory Interface support. The vulnerability is particularly dangerous because log4j is used in many Java applications and is easy to exploit. The source mentions that patches were released to fix the issue, though it also notes that bypasses to those patches were discovered, leading to additional patches.
This is a video resource about how security breaches happen, covering the step-by-step process attackers use to compromise systems. The content is from WUNDERWUZZI and is intended for educational purposes to help people understand attack methods and how to defend against them.
This post explores how BPF (Berkeley Packet Filter, a technology that allows running custom programs inside the Linux kernel) can be used offensively, specifically focusing on the bpf_probe_write_user function (a helper that lets BPF programs modify user-space data during execution). The author documents their process of learning to write advanced BPF programs in C using libbpf to manipulate filenames, hide directories, and simulate ransomware attacks while also considering detection methods.
This post describes how to use bpftrace (a tool for tracing system behavior) with uprobes (hooks into user-space functions) to intercept and read Firefox's encrypted traffic by hooking into the NSS library (Mozilla's Network Security Services, which Firefox uses for encryption). The author discovered that Firefox uses local NSS libraries rather than system-wide encryption libraries, and created a bpftrace script that hooks the PR_Write function to capture and display the data Firefox sends.
Tabnabbing is a web application security vulnerability that attackers can use to perform phishing attacks (tricking users into giving up sensitive information by impersonating legitimate websites). The video explains how tabnabbing works and how to defend against it, and notes that the vulnerability is relatively straightforward to prevent.
This post explores bpfcc-tools, a collection of existing BPF (Berkeley Packet Filter, a technology that runs custom programs inside the Linux kernel) programs used for system performance monitoring and observability. The author explains that BPF tools are becoming increasingly common in production environments because they're useful for analyzing system behavior without requiring custom code.
This post discusses detection strategies for identifying malicious use of BPF (Berkeley Packet Filter, a technology that allows programs to run safely inside the Linux kernel), specifically focusing on bpftrace (a tool for tracing system events using BPF). The author is exploring how attackers might misuse BPF and what defensive approaches Blue Teams (security defenders) could use to catch such misuse.
This post describes how to use bpftrace (a tool for tracing Linux kernel events) to create a backdoor that executes commands when it receives a specific secret message on any port. The author explains how to use enter and exit trace points (hooks into when functions start and finish) to capture data from network reads, then compare that data against a trigger message to run malicious commands.
This post explores how bpftrace, a tool for running BPF programs (eBPF, extended Berkeley Packet Filter, which lets programs monitor and modify system behavior at a low kernel level), could potentially be misused to create backdoors by observing network traffic and triggering malicious actions. The author is studying this offensive technique to better understand security threats and help defenders recognize such attacks.
eBPF (extended Berkeley Packet Filtering, a technology that lets users run small programs inside the Linux kernel without modifying kernel source code) is gaining attention for offensive security uses because it can hook into system calls, manipulate data, and even run on network hardware. The article introduces eBPF's structure (programs, maps, and events) and explains how attackers could potentially exploit its flexibility and power to hook into system functions, modify data, and spawn processes.
Fix: The source explicitly mentions three mitigation strategies: (1) 'Test EDR to catch modifications in PAM configurations (also binary patching or entirely replacing/backdooring existing ones)', (2) 'Review the PAM modules and there configuration in your environments', and (3) 'Do a purple team exercise that focuses on PAM modules and related configuration files'.
Embrace The RedGPT-3 (a large language model that generates realistic human-like text) could be misused by attackers to create convincing phishing attacks (fraudulent messages designed to trick people into revealing sensitive information). The post discusses this threat and mentions that organizations can take countermeasures to protect themselves, though specific details are not provided in the excerpt.
Fix: Patches were released to address the vulnerability. The source notes that when bypasses to initial patches were discovered, additional patches were subsequently released.
Embrace The RedAdversaries can hide a smaller image within a larger one so that it becomes visible when a computer resizes the image using insecure interpolation (a method of calculating pixel values between known points). The video demonstrates this attack technique and explains how to prevent it from happening.
Fix: The source mentions that mitigation is discussed in the video but does not explicitly state the mitigation steps in the text provided. N/A -- no specific mitigation described in source.
Embrace The Red