İbrahim BALOĞLU - Siber Güvenlik Paylaşımları


This group was created to share content in the field of cyber security.

CVE-2026-4747 * Claude Wrote a Full FreeBSD Remote Kernel RCE with Root Shell * exploit.py

#exploit #AppSec 1⃣ CVE-2026-4946: NSA Ghidra Auto-Analysis Annotation Command Execution // A novel and highly effective attack against reverse engineers and malware analysts. By embedding malicious annotation payloads into distributed binaries, an attacker can reliably achieve code execution on the systems of analysts who inspect those binaries in Ghidra 2⃣ CVE-2025-14325: SpiderMonkey Type Confusion in Baseline JIT Inline Cache // A type confusion in SpiderMonkey's JIT inline cache that enables arbitrary memory access and RCE through heap leaks and memory overlapping exploits during property operations

#Kernel_Security Linux File System Basics Part 1 // Overview and CVE-2022-0185 / CVE-2023-5345 Part 2 // Isolation, Permission Model and CVE-2023-0386

#Malware_analysis 1⃣  EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons https://www.esentire.com/blog/etherrat-sys-info-module-c2-on-ethereum-etherhiding-target-selection-cdn-like-beacons 2⃣ Compromised telnyx on PyPI: WAV Steganography and Credential Theft https://safedep.io/malicious-telnyx-pypi-compromise 3⃣ Illuminating VoidLink: Technical analysis of the VoidLink rootkit framework https://www.elastic.co/de/security-labs/illuminating-voidlink

#cryptography #WLAN_Security "Provable Security and Privacy Analysis of WPA3’s SAE and SAE-PK Protocols", 2026. // The first provable security and privacy analysis of SAE and SAE-PK. We identify an attack that prevents SAE from fulfilling its intended authentication guarantees

#Analytics #Threat_Research An analytical review of the main cybersecurity events for the week (Mar.21-28, 2026) 1⃣  Telegram 0-click RCE // CVSS: 9.8 2⃣ litellm PyPI package (v1.82.7 + v1.82.8) compromised // full timeline and status 3⃣  Claude security configurations // Enhanced security configurations for Claude on macOS 4⃣  Business TikTok accounts targeted with AITM phishing kits 5⃣  Exploiting AQL Injection Vulnerabilities in ArangoDB // This post serves as a comprehensive reference for pentesters seeking detailed insight into AQL injections and how they can be exploited 6⃣  Infiniti Stealer // New macOS infostealer using ClickFix and Python/Nuitka 7⃣  Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack // On Mar. 19, 2026, threat actors injected credential-stealing malware into Aqua Security’s Trivy scanner and related GitHub Actions 8⃣  strongSwan CVE-2026-25075: Integer Underflow in VPN Authentication // Critical integer underflow vulnerability in strongSwan 4.5.0-6.0.4 allows attackers to cause DoS via malformed EAP-TTLS messages ]-> P.S. The past week has demonstrated that attackers' focus has finally shifted to developer tools (AI libraries, CI/CD) ... ]-> Analytical review (Mar.14-21, 2026)

#tools #Hardware_Security Disabling Security Features in a Locked BIOS https://www.mdsec.co.uk/2026/03/disabling-security-features-in-a-locked-bios ]-> Manually tampering with UEFI settings ]-> DMAReaper - Disable Kernel DMA Protection on Win11 via pre-boot DMA attack // This post explores how modifying a Dell UEFI firmware image at the flash level can fundamentally undermine platform security without leaving visible traces in the firmware interface.

#Malware_analysis 1⃣ When Bills Come with Surprise: Donut of Python and Rat https://labs.itresit.es/2026/03/25/when-bills-come-with-surprise-donut-of-python-and-rat // This analysis breaks down a highly evasive, multi-stage malware infection chain to bypass traditional file-based detection and operate almost entirely within memory 2⃣ Trivy Compromised: Everything You Need to Know about the Latest Supply Chain Attack https://www.wiz.io/blog/trivy-compromised-teampcp-supply-chain-attack // On Mar.19, 2026, threat actors injected credential-stealing malware into Aqua Security’s Trivy scanner and related GitHub Actions 3⃣ How Cloudflare Services are Abused for Credential Theft and Malware Distribution https://securityboulevard.com/2026/03/the-unintentional-enabler-how-cloudflare-services-are-abused-for-credential-theft-and-malware-distribution // Threat actors continue exploiting Cloudflare’s services for credential phishing and malware distribution and evading email-based security controls like Secure Email Gateways

#Whitepaper #Offensive_security "Leveraging Generative AI for Password Cracking Efficiency Under Resource Constraints", Jan. 2026. // The purpose of this research is to investigate whether GenAI can alleviate the hardware and financial burdens of password cracking/recovery while maintaining or even improving cracking success rates...

#tools #exploit #Offensive_security 1⃣ Fritter - tool that generates unique, evasive, position-independent shellcode for in-memory execution, building on Donut's framework with dynamic memory management and randomized components for enhanced stealth 2⃣ KslDump exploits a Microsoft-signed Defender driver vulnerability via IOCTL 0x222044, enabling unrestricted kernel and physical memory access, bypassing security protections, through registry manipulation and local privileges 3⃣ RegPwn - privilege escalation exploit affecting Windows 10, 11, and Server editions (CVE-2026-24291) // Disclaimer

#tools #Offensive_security #Red_Team_Tactics 1⃣ VMkatz - Extract Windows credentials directly from VM memory snapshots and virtual disks 2⃣ KaplaStrike - module overloading, NtContinue entry transfer, call stack spoofing, sleep masking, and static signature removal 3⃣ StealthyWMIExec - a stealthier approach to WMI-based command execution using Impacket without touching the disk 4⃣ Kerlab - a Rust implementation of Kerberos for Fun and Detection 5⃣ Ghost in the PPL - LSASS Memory Dump

#Analytics #Threat_Research An analytical review of the main cybersecurity events for the week (Mar.7-14, 2026) 1⃣ YARA-X 1.14.0 Release // A rewrite of YARA in Rust 2⃣ RCE in Nextcloud Flow via vulnerable Windmill version // CVE-2026-29059 3⃣ Analyzing "Zombie Zip" Files (CVE-2026-0866) // The trick is to change the compression method to STORED while the content is still DEFLATED: a flag in the ZIP file header states the content is not compressed, while in reality, the content is compressed 4⃣ How "Strengthening Crypto" Broke Authentication: FreshRSS and bcrypt's 72-Byte Limit // An authentication bypass in FreshRSS, a self-hosted RSS aggregator. It is a good example of how over-engineering can hurt the security of an application 5⃣ OpenAI Codex Security AI agent // Available in research preview format 6⃣ On the Effectiveness of Mutational Grammar Fuzzing // More coverage does not mean more bugs. Mutational grammar fuzzing tends to produce samples that are very similar 7⃣ AEGIS v.0.9.1 // EDR for AI Agents ]-> Analytical review (Feb.28-Mar.7, 2026)
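
The "Zombie Zip" trick from item 3 above, shown end to end as an added example (this is not code from the post or from the CVE write-up). It builds a constructed archive whose header method field is patched from DEFLATED (8) to STORED (0) while the payload bytes stay deflated, then scans the local file headers for three independent tells that a STORED entry is really compressed: the compressed and uncompressed sizes differ, the raw bytes do not match the declared CRC-32, and inflating them as raw DEFLATE yields data that does match it. File names and payload are made up for the demonstration.

```python
"""Added example: detect "Zombie Zip" entries, where the ZIP header says
STORED (method 0) but the entry data is really a raw DEFLATE stream.
Not part of the original post; file names and payload are constructed."""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
METHOD_STORED = 0
FLAG_DATA_DESCRIPTOR = 0x0008


def build_zombie_zip(name: str, payload: bytes) -> bytes:
    """Write a normal deflated archive, then flip the compression-method field
    to STORED in both the local file header (offset 8) and the central
    directory entry (offset 10) without touching the deflated payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    struct.pack_into("<H", data, data.find(LOCAL_SIG) + 8, METHOD_STORED)
    struct.pack_into("<H", data, data.find(CENTRAL_SIG) + 10, METHOD_STORED)
    return bytes(data)


def build_plain_zip(name: str, payload: bytes, method=zipfile.ZIP_STORED) -> bytes:
    """Honest archive for comparison (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=method) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def zombie_signals(raw: bytes, crc: int, csize: int, usize: int) -> list:
    """Indicators that an entry declared STORED is really compressed."""
    signals = []
    if csize != usize:
        signals.append("size_mismatch")        # STORED requires equal sizes
    if zlib.crc32(raw) != crc:
        signals.append("raw_crc_mismatch")     # stored bytes should match the CRC
        d = zlib.decompressobj(-zlib.MAX_WBITS)  # raw DEFLATE, no zlib header
        try:
            inflated = d.decompress(raw) + d.flush()
        except zlib.error:
            return signals
        if d.eof and zlib.crc32(inflated) == crc:
            signals.append("inflates_to_declared_crc")
    return signals


def scan_for_zombie_entries(archive: bytes) -> list:
    """Walk local file headers directly (zipfile trusts the method field) and
    report STORED entries whose payload behaves like DEFLATE data."""
    findings, pos = [], 0
    while (pos := archive.find(LOCAL_SIG, pos)) >= 0:
        flags, method = struct.unpack_from("<HH", archive, pos + 6)
        crc, csize, usize, nlen, xlen = struct.unpack_from("<IIIHH", archive, pos + 14)
        name = archive[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        start = pos + 30 + nlen + xlen
        if flags & FLAG_DATA_DESCRIPTOR and csize == 0:
            break  # sizes live in a trailing data descriptor; this simple walker stops here
        raw = archive[start:start + csize]
        if method == METHOD_STORED:
            signals = zombie_signals(raw, crc, csize, usize)
            if signals:
                findings.append({"name": name, "csize": csize, "usize": usize, "signals": signals})
        pos = start + csize
    return findings


if __name__ == "__main__":
    sample = b"MZ" + b"\x00" * 30 + b"payload the scanner must see\n" * 20  # constructed
    print(scan_for_zombie_entries(build_zombie_zip("invoice.exe", sample)))
    print(scan_for_zombie_entries(build_plain_zip("invoice.exe", sample)))
```

The size check alone is enough to flag a naive zombie entry, but the CRC round-trip is the one worth keeping in a scanner: an attacker who also forges the size fields still has to leave a CRC that some extractor will accept, and that CRC gives away which interpretation of the bytes was intended.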

#Malware_analysis 1⃣ The ExifTool vulnerability: how an image can infect macOS systems https://www.kaspersky.com/blog/exiftool-macos-picture-vulnerability-mitigation-cve-2026-3102/55362 2⃣ 5 Malicious Rust Crates Posed as Time Utilities to Exfiltrate .env Files https://socket.dev/blog/5-malicious-rust-crates-posed-as-time-utilities-to-exfiltrate-env-files 3⃣ New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering https://www.bluevoyant.com/blog/new-a0backdoor-linked-to-teams-impersonation-and-quick-assist-social-engineering 4⃣ Uncovering a phishing campaign abusing MS Device Code Authentication and Cloudflare Worker Pages, with detection hunts for Entra and MS365 https://newtonpaul.com/blog/device-code-phishing-campaign 5⃣ BeatBanker: A dual‑mode Android Trojan https://securelist.com/beatbanker-miner-and-banker/119121

#Offensive_security A Deep Dive into the GetProcessHandleFromHwnd API https://projectzero.google/2026/02/gphfh-deep-dive.html // From Windows XP to Windows 11 24H2. See also: ]-> PPLwindow PPL Bypass via GetProcessHandleFromHwnd

#Research #Blue_Team_Techniques "CAM-LDS: Cyber Attack Manifestations for Automatic Interpretation of System Logs and Security Alerts", Mar. 2026. ]-> system log data set ]-> network packet captures ]-> attack automation scripts ]-> artifacts to reproduce // Public labeled log data sets of attack traces and artifacts, analysis and categorization of cyber attack manifestations, LLM-based interpretation of system logs and security alerts

#Analytics #Threat_Research "The 2026 VulnCheck Exploit Intelligence Report". // The data in this report shows that barely one percent of vulnerabilities disclosed in 2025 were ever exploited, but those that were moved faster, hit harder, and increasingly did so before defenders even had a chance to react. The findings that follow show how adversaries actually operated in 2025, how quickly exploitation occurred, and where defenders lost time

WatchDogKiller Weaponizing the WatchDog Anti-Malware Driver Vulnerability. * PoC

#exploit 1⃣ Total Recall - Retracing Your Steps Back to NT AUTHORITY\SYSTEM https://www.mdsec.co.uk/2026/02/total-recall-retracing-your-steps-back-to-nt-authoritysystem // Researchers uncovered a Windows 11 privilege escalation flaw exploiting WNF state names and scheduled tasks to achieve SYSTEM-level code execution (CVE-2026-20941) 2⃣ Bypassing Apache FOP PostScript Escaping to reach Ghostscript https://offsec.almond.consulting/bypassing-apache-fop-escaping-to-reach-ghostscript.html // Vulnerability in Apache FOP's PostScript generation allows crafted input to execute arbitrary code and escape the sandbox via PostScript injection 3⃣ Cred Relay Issue #2 https://www.credrelay.com/p/cred-relay-issue-2 // Privilege escalation in ASUS PTP driver due to insecure device creation lacking SDDL security descriptors

#Malware_analysis 1⃣ Zerobot Malware https://www.akamai.com/blog/security-research/2026/feb/zerobot-malware-targets-n8n-automation-platform // Exploitation of command injection vulnerabilities CVE-2025-7544, CVE-2025-68613 against Tenda AC1206 routers and the n8n automation platform 2⃣ Archive.org Stego Delivers Remcos and AsyncRAT https://www.derp.ca/research/archive-org-stego-campaign // The operator hides .NET injector DLLs inside 4K wallpaper JPEGs using steganography 3⃣ Hydra and Saiga malware https://www.vmray.com/hydra-saiga-covert-espionage-and-infiltration-of-critical-utilities/ 4⃣ Inside a fake Google security check that becomes a browser RAT https://www.malwarebytes.com/blog/privacy/2026/02/inside-a-fake-google-security-check-that-becomes-a-browser-rat 5⃣ Moonrise RAT https://evalian.co.uk/inside-a-new-malware-trojan-moonrise // examines the malware’s WebSocket C&C architecture, JSON-based tasking model, and surveillance capabilities to understand its operational risk