White Papers

Analyzing “Ragnar Locker” ransomware that threatens a company by its name

In November 2020, news of a cyber-attack on CAPCOM spread widely, primarily in foreign media. According to the news, the attack involved ransomware called Ragnar Locker. After the incident, the Ragnar Locker attack group actually released a criminal statement on November 9, 2020. Based on the publicly available data, we investigated and found a suspected sample on VirusTotal. This article describes the results of our analysis of that sample.

Click to Download

Understanding internal structure of the SNAKE(EKANS) ransomware

News spread around the world that Honda suffered a cyber attack in June 2020. In this article we analyze a sample of the SNAKE ransomware that was uploaded to VirusTotal and share the information we found through our analysis.

Click to Download

SMTP Injection via recipient email addresses

SMTP Injection is an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server for spamming purposes.

This paper describes a newly discovered attack technique that uses crafted recipient email addresses, explains its mechanism, and gives examples of vulnerabilities in email libraries for Java, Ruby, PHP and other platforms. Other attack techniques and countermeasures are also discussed.

Click to Download

A few RPO exploitation techniques

RPO (Relative Path Overwrite) is an elaborate attack technique publicized by Gareth Heyes in 2014. The attack uses a crafted URL (typically one carrying PATH_INFO) to force the target Web page to load itself as a stylesheet, when the page contains both relative stylesheet references and attacker-controllable content.

This paper describes: path manipulation techniques specific to certain client / server environments, a technique to forcefully enable IE's CSS expression using CV, the possibility of attacks on non-stylesheet relative URLs, a related vulnerability discovered in the CakePHP framework, and countermeasures.

Click to Download

Identifier based XSSI attacks

Cross Site Script Inclusion (XSSI) has been known among Web security researchers for years: JavaScript files, JSONP and, in certain old browsers, JSON data are subject to this type of information theft attack. Some browser vulnerabilities that allowed attackers to gain information via JavaScript error messages have been discovered and fixed in the past.

This paper describes new attack techniques and browser vulnerabilities that allow attackers to steal simple text strings such as CSV data and, under certain circumstances, more complex data.

Click to Download

Attacking Android browsers via intent scheme URLs

Most major browsers for Android support intent scheme URLs. In general, intent scheme URLs bring security risk because they give malicious Web pages a chance to conduct intent-based attacks against installed apps. Browsers therefore take measures to reduce the risk, but these measures are not necessarily enough.

This paper explains what an intent scheme URL is, presents three examples of Android browser vulnerabilities related to intent scheme URLs (including cookie file theft and universal XSS), and describes the countermeasure.

Click to Download

FilterExpression Injection attacks against ASP.NET applications

FilterExpression is a SQL-like filter language built into the ASP.NET framework. As with SQL, injection attacks are possible if an application uses FilterExpression improperly, which can result in data leakage under certain conditions. This paper presents “FilterExpression Injection,” its mechanism, impact, detection method and countermeasure.

Click to Download