Analyzing “Ragnar Locker” ransomware that threatens a company by its name
In November 2020, news of a cyber-attack on CAPCOM spread widely, primarily in foreign media. According to the news, the cyber-attack involved ransomware called Ragnar Locker. After the incident, the Ragnar Locker attack group released a statement on November 9, 2020. Based on the publicly available data, we investigated and found a suspected sample on VirusTotal. This article describes the results of our analysis of that sample.
Understanding the internal structure of the SNAKE (EKANS) ransomware
News has spread around the world that Honda suffered a cyber attack in June 2020. In this article, we analyze a sample of the SNAKE ransomware that was uploaded to VirusTotal and share the information we found through our analysis.
SMTP Injection via recipient email addresses
SMTP Injection is an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server for spamming purposes.
This paper describes a newly discovered attack technique utilizing crafted recipient email addresses, the attack mechanism and explains some vulnerability examples in email libraries on Java, Ruby, PHP and other platforms. Other attack techniques and countermeasures are also discussed.
A few RPO exploitation techniques
RPO (Relative Path Overwrite) is an elaborate attack technique publicized by Gareth Heyes in 2014. This attack utilizes a crafted URL (typically with a PATH_INFO) to force the target Web page to load itself as a stylesheet when the page contains both relative stylesheet references and attacker-controllable content.
This paper describes: path manipulation techniques specific to some client / server environments, a technique to forcefully enable IE's CSS expression using CV, attack possibility on non-stylesheet relative URLs, a related vulnerability discovered in CakePHP framework, and countermeasures.
Identifier based XSSI attacks
For years, Web security researchers have known that JavaScript files, JSONP and, in certain old browsers, JSON data are subject to Cross Site Script Inclusion (XSSI), a type of information theft attack. Some browser vulnerabilities that allowed attackers to gain information via JavaScript error messages have been discovered and fixed in the past.
This paper describes new attack techniques and browser vulnerabilities that allow attackers to steal simple text strings such as CSV, and more complex data under certain circumstances.
Attacking Android browsers via intent scheme URLs
Most major browsers for Android support intent scheme URLs. In general, intent scheme URLs bring security risk, as they give malicious Web pages a chance to conduct intent-based attacks against installed apps. Browsers therefore take measures to reduce the risk, but these measures are not necessarily sufficient.
This paper explains what an intent scheme URL is and presents three examples of Android browser vulnerabilities related to intent scheme URLs (including cookie file theft and universal XSS), together with the countermeasures.
FilterExpression Injection attacks against ASP.NET applications
FilterExpression is a SQL-like filter language built into the ASP.NET framework. As with SQL, injection attacks are possible if an application uses FilterExpression in an improper manner, which can result in data leakage under certain situations. This paper presents the “FilterExpression Injection,” its mechanism, impact, detection method and countermeasure.