Discover and read the best of Twitter Threads about #Exploit

Most recents (14)

Some more information on the #Nginx #0day by @_Blue_hornet as shared via DM and published here with permission: Image
Update on the #Nginx 1.18 #0day:
Around 20 minutes ago @_Blue_hornet started a Github Repo arround the exploit:
github.com/AgainstTheWest…

Some more hints on the Exploit:
- Related to #Spring4Shell
- Created by #BrazenEagle
- Related to ldap-auth demon used together with #Nginx Image
Read 10 tweets
Lessons from Inverse Finance's hack.

@InverseFinance was hacked for $15 Million, which should not make anyone in #DeFi happy.

Here's a thread 🧵reflecting on what we (and others) can do to avoid going through the same.

More info at:
rekt.news/inverse-financ…

Starts here👇
2/10

In short, the #exploit employed a vulnerability whereby the market price for a collateral token ( $INV) was manipulated to be higher than it should.

Why higher?🧐

So that the attacker could take out a collateralized loan for more than they should have.
3/10

By withdrawing more assets than they should have been able to, the exploiter has an open window to repeatedly follow this process, profiting at each round.

The hacker achieved this by manipulating a TWAP feed, an oracle source flagged as problematic multiple times. Image
Read 10 tweets
THIS is not an #exploit !
The whole AirDrop Thing and Website is not required. I will explain what happened here, bare with me.
(Thread)
First of all, he trusted the Phone to the computer and vice versa.
Now, just to make that clear: To "establish trust", the device needs to be unlocked (and eventually you need to re-enter your code!).
"Trust" has a wide implication in the iOS/Apple World. It means, the trusted Computer can do Backups, Reset the Phone, Install Apps, monitor Log-Files - everything you can do in iTunes/Finder/iMazing. Which is a lot.
Read 11 tweets
And in this single statement 👇 @MattHancock demonstrates not only his profound ignorance, but his underlying thinking - that information about you is a #TradableAsset.

Who "owns" the fact of your relationship with your sister? You? Her? Or your date of birth? Your current age?
Let's not even get started on things like #genomic data (i.e. data derived from your #DNA) which says things not only about you, but your relatives. Who "owns" that?

The reason the #powerful want people to think they "own" their #PersonalData - rather than it being protected...
...by a strong, well-enforced #rights framework - is that they can #force or #fool you into surrendering it, so the data you give them becomes THEIR "#property" to #exploit.

If '#DataIsTheNewOil', as they want you to believe, then what does that make YOU?
Read 4 tweets
#Sidewinder #APT

It seems that #Indian APTs have been raging war on #Pakistan with the same payloads over and over again. Meanwhile, Pakistani #Government and #Military is either helpless or over occupied. Following is another new sample that goes ages back.
A variant of this sample has attributed to #Sidewinder #APT by Govt. of Pak. The #malware is deployed using the shared image in a #phishing email using a similar methodology to that of Image
DOCX MD5: 2a6249bc69463921ada1e960e3eea589 Mech 8 ZIRC0N-TSIRK0N.doc
#Exploit: hashcheck[.]xyz/PY8997/yrql/plqs
RTF MD5: 7c11d5125c3fb167cca82ff8b539e3c7 plqs
#C2: sportfunk[.]xyz/topaz/foti
CVE-2017-11882 Image
Read 12 tweets
1/ So nun werde ich hier noch mal zum angekündigten, Zusammenhang Zwischen der Webseite ⛔️linke-blockt ⛔️und der #Doxing Szene geben, dies wird ein langer #Thread
Wie kommen #Hacker an #Daten ? #Doxing

man lockt Sie auf eine Webseite #OSINT #WhiteHat

sueddeutsche.de/digital/datenk…
2/ Man landet auf einer sog. #LandingPage
, diese ist schnell geladen und hat nur 10 html Zeilen und ca. 10 #Javascripte ,
Diese #Sripte tun Ihre Arbeit, und der Anwender wird abgekloppft, #knocking ,
zu diesem Zeitpunkt kennt der Server schon einiges #dnssniff #ipgeoilog #CSS #Ports ! und #JavaSkripte#Twitter  #Java#Remote #Get der #Knocking ...Dies #CSS wird im Hintergru...
3/ Da jeder #Hacker faul ist lässt er natürlich andere seine Arbeit machen #Browser , #CPU, #framework #Cookie #Cloudserver #Datenbank wo die Ergebnisse des #Doxing dann in Millisekunden je nach verfügbarer Internetleitung gespeichert werden ohne das der #User was merkt ! #SSS #CSS #Framework Freeware au...#Favicon vektor angiff ? @h...#SSS Server Side Scripting ...#Browsererweiterung mit #ph...
Read 6 tweets
(1/3)🚨Deepening CVE-2019-2215 #exploit used by #APT36🚨

c37d7cc1ef250ef62240211fae775f964c2ac1c09c58594730425aec0fda04d8

Set #SELinux to Permissive, give root shell for arbitrary code exec due to a use-after-free vuln.

Sample is c/o @ShadowChasing1

ImageImage
(2/3) Abused in other malicious apps like:

0294f46d0e8cb5377f97b49ea3593c25

e7e96236fb596828afd968d124b4308f

66bb354965c1c4214bf39b4ea11e1d6e

96cfa2cb99f7c6ebe1cb0333f2e47645

26b7096a6db9f4fae31722f455c03ee0

5f563a38e3b98a7bc6c65555d0ad5cfd
(3/3) Fully inspired to the PoC published by #projectzero years ago...

👇👇👇

https[://bugs.chromium.org/p/project-zero/issues/attachmentText?aid=414885
Read 3 tweets
THAT was not easy. But we did it. #ios14 #exploit #zeroday
Keeping up to date... Image
Here we go again, this time - 14.0 release Image
Read 3 tweets
Kommentar zum Artikel:
Bei unseren Kunden wurden alle #Netscaler unmittelbar nach bekanntwerden des Workaround angepasst.
Nach genauerer Analyse mussten wir aber feststellen, dass "alle" Netscaler bereits #kompromitiert sind. 1/x

#Citrix #Shitrix #fail

security-insider.de/shitrix-gefaeh…
Da auf den Systemen durch die #Exploit's offensichtlich unter anderem auch #Cronjob's eingerichtet wurden, welche irgendwann in Zukunft beliebigen Code von russischen Servern nachladen...jeder Anwender absolut sicherstellen, dass sein System nicht bereits #kompromitiert wurde.
Der angekündigte #Hotfix, wird die bereits entstandenen Probleme sicher nicht lösen. Aus unserer Sicht hilft ausschließlich eine komplette #Neuinstallation der #Komponenten, verbunden mit einem unmittelbaren unmittelbares umsetzen des #Workaround bevor das System online geht.
Read 11 tweets
Stoked to share these free resources to expand your #infosec and technical skill set.

Each is a career path in its own right, the rabbit hole goes down as far as you follow.

Check these out and make 2020 count! 🎊

#30DaysOfThreads #BlackTechTwitter
#latinxintech
Begin your road into #pentesting with this staple book and free VM to practice hacking into 💻

Metasploit The Penetration Testers Guide : archive.org/details/Metasp… via @internetarchive

offensive-security.com/metasploit-unl…
A requirement for all in #dfir is being able to read and understand network traffic. It’s how our systems communicate!

Practical packet analysis: using Wireshark to solve real-world network problems : Sanders, Chris

archive.org/details/Practi…
Read 9 tweets
Vamos a usar este tweet para publicar #Dorks de todo tipo, empecemos con este:

inurl:wp-config.php intext:DB_PASSWORD -stackoverflow -wpbeginner -foro -forum -topic -blog -about -docs -articles

#CyberSecurity #dork #BugBounty
intext:"pass" ! "usuario" | "user" | "contraseña" filetype:sql -github
Este es muy bueno, nos permite hacer uploads, ha sido probado con imágenes .jpeg

intitle:"FCKeditor - Uploaders Tests"
Read 63 tweets
Helps you to find Jira Servers that may vulnerable to Template injection vulnerability [CVE-2019-11581].

Shodan:"/secure/ContactAdministrators!default.jspa"
ZoomEye:title:"System Dashboard"

#jira #vulnerability #shodan #infosec #bugbounty #exploit #exploitation #osint ImageImageImage
Google:inurl:/secure/ContactAdministrators!default.jspa inurl:helpdesk intext:"Request Details" -intext:"Your Jira administrator has not yet configured this contact form"
Google:intext:"Atlassian Jira Management Software (v8.0.2" inurl:/secure/ContactAdministrators!default.jspa -intext:"Your Jira administrator has not yet configured this contact form"
Read 3 tweets
#OSHO #hypnosis

The #unconscious #mind is nine times bigger than the #conscious; it has tremendous treasures, all the memories of your past.

Below the unconscious, there is the collective unconscious. One can descend into the collective unconscious also with somebody’s help.
The master of Mystery School will take you slowly towards the unconscious and the collective #unconscious.

In your collective unconscious, you have memories of your #PastLives as animals, as birds.
Below the collective unconscious is the #cosmic #unconscious.

Slowly, slowly one can go deeper and deeper, and the cosmic unconscious has #memories of your being trees, rosebushes, stones.
Read 13 tweets
Speaker: Pst. Joel Awogu
Topic: Making Positive Impact
Hebrew 11:32-34

As a Christian your impact is different From that of an ordinary man.
In you dwells the ability to make tremendous impact on the earth (Gen 12:13-22 ) Your impact can have an heavenly dimension as well as earthly dimension.

Don't strive alone or settle to make impact in one dimension.
You need to understand that you are the salt of the earth (Math 5:13-16)

When you don't manifest your saltiness men will trample over you, your potential notwithstanding, you will be of no influence or impact. You need to enforce your saltiness.
Read 15 tweets

Related hashtags

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!