🐛 COMMON VULNERABILITIES AND EXPOSURES (8)
27 Jun | Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part ② | In part 1 of this blogpost series, we proved our initial theory that the patch for CVE-2025-33073 was insufficient, by disclosing a trivial NTLM reflection vulnerability leading to LPE. In this second part, we turn to Kerberos and explain how we achieved a full-blown RCE primitiv… | SYNACKTIV.COM
27 Jun | Bypassing Windows authentication reflection mitigations for SYSTEM shells - Part 1 | A year ago, authentication reflection vulnerabilities resurfaced as a powerful attack vector through the discovery of CVE-2025-33073 by several security researchers, including us. This logical vulnerability allowed taking over almost any Windows machine without any user interacti… | SYNACKTIV.COM
27 Jun | Paint it blue: Attacking the bluetooth stack | Bluetooth has always been an attractive target to attackers since it is present almost everywhere (TV, automotive charger, connected fridge, etc.). This is especially true on mobile devices, as it runs as a privileged process with potential access to microphone, address book, e… | SYNACKTIV.COM
27 Jun | Sniffing Authentication References on macOS | CVE-2017-7170 was a local priv-esc vulnerability that affected OSX/macOS for over a decade! Here (for the first time!), we dive into the technical details of finding the bug, the core flaw, and exploitation. | OBJECTIVE-SEE.ORG
27 Jun | Rootpipe Reborn (Part II) | @CodeColorist continues writing about bugs, such as CVE-2019-8521 and CVE-2019-8565, that provide a mechanism to elevate privileges to root on macOS. | OBJECTIVE-SEE.ORG
27 Jun | From the Top to the Bottom; Tracking down CVE-2017-7149 | High Sierra suffered from a nasty bug (CVE-2017-7149) that afforded local attackers access to the contents of encrypted APFS volumes. | OBJECTIVE-SEE.ORG
27 Jun | CVE-2015-3673: Goodbye Rootpipe...(for now?) | Details on bypassing Apple's original rootpipe patch. | OBJECTIVE-SEE.ORG
27 Jun | DirtyClone: Fourth Linux Kernel Flaw in Six Weeks Escalates to Root | DirtyClone: a Linux kernel privilege escalation that silently rewrites executables in memory, leaving no disk trace. Patch now. JFrog Security Research published a working exploit walkthrough on June 25 for CVE-2026-43503 (CVSS score of 8.8), a Linux kernel privilege escalation t… | SECURITYAFFAIRS.COM
⚠️ VULNERABILITY DISCLOSURE (31)
27 Jun | Why Car Dealerships Are Prime Cyber Targets: Fraud, Resilience, and Security Leadership with Jennifer Hutton | Cybersecurity Today would like to thank Material Security for their support of this podcast. On Cybersecurity Today on the Weekend, the host speaks with Jennifer Hutton, a cybersecurity leader in the car dealership sector, about how she entered cybersecurity through increasing cyb… | CYBERSECURITYTODAY.LIBSYN.COM
27 Jun | [KEV] Klue supply-chain attack impacts cybersecurity firms. | Tata Electronics and Bajaj Auto continue recovery from cyberattacks. CISA warns of actively exploited PTC and Cisco vulnerabilities. | THECYBERWIRE.COM
27 Jun | Surviving the surge of new Linux LPE: Defense in Depth not dead | Thanks to AI-assisted vulnerability research and kernel patch diffing that breaks "responsible disclosure" embargoes, it's quite the overwhelming time for defenders. There's been a weekly reveal of new Linux critical vulnerabilities, with full exploit scripts made public days befo… | SYNACKTIV.COM
27 Jun | Exploiting the Tesla Wall Connector from its charge port connector - Part 2: bypassing the anti-downgrade | In a previous article, we presented an attack against the Tesla Wall Connector Gen 3 used during Pwn2Own Automotive 2025. The exploit chain relied on a simple fact: there was no anti-downgrade mechanism. Once we could speak UDS over the charging cable, we could just write an old,… | SYNACKTIV.COM
27 Jun | Make it Blink: Over-the-Air Exploitation of the Philips Hue Bridge | The year-end edition of Pwn2Own took place in Cork, Ireland. For the first time, this event featured smart home devices, including the Amazon Smart Plug, Home Assistant Green, and the Philips Hue Bridge. The attack scenario defined by the ZDI involved an adversary with access to … | SYNACKTIV.COM
27 Jun | Exploring cross-domain & cross-forest RBCD | The Resource-based Constrained Delegation (RBCD) attack is well known to pentesters and attackers: by editing the msDS-AllowedToActOnBehalfOfOtherIdentity attribute of a machine account, an attacker can impersonate users on said machine. Even though this attack mechanism has be… | SYNACKTIV.COM
27 Jun | mitmproxy for fun and profit: Interception and Analysis of Application Traffic | A solid understanding of the protocols used by applications is a necessary prerequisite when assessing application security. In recent projects, we have had to intercept various types of network traffic across different platforms, including Linux, Android, and iOS. The purpose of… | SYNACKTIV.COM
27 Jun | Beyond ACLs: Mapping Windows Privilege Escalation Paths with BloodHound | Windows privileges are special rights that grant processes the ability to perform sensitive operations. Some privileges allow bypassing standard Access Control List (ACL) checks, which can lead to significant security implications. While privileges like SeDebugPrivilege, SeImpers… | SYNACKTIV.COM
27 Jun | On the clock: Escaping VMware Workstation at Pwn2Own Berlin 2025 | At Pwn2Own Berlin 2025, we exploited VMware Workstation by abusing a Heap-Overflow in its PVSCSI controller implementation. The vulnerable allocation landed in the LFH allocator of Windows 11, whose exploit mitigations posed a major challenge. We overcame this through a complex i… | SYNACKTIV.COM
27 Jun | Livewire: remote command execution through unmarshaling | Livewire revolutionizes Laravel development by enabling real-time, interactive web interfaces using only PHP and Blade, removing the need for heavy JavaScript frameworks. Its innovative hydration system seamlessly instantiates and restores component states, supporting complex data … | SYNACKTIV.COM
27 Jun | Exploiting Anno 1404 | Anno 1404 is a strategy game developed by Related Designs and published by Ubisoft. It is a real-time strategy game that focuses on city management and construction. The Anno 1404: Venice expansion, released in 2010, includes an online and local area network multiplayer mode. Dur… | SYNACKTIV.COM
27 Jun | 2025 Winter Challenge: Quinindrome | A few months have passed and the first snowflakes have fallen since the end of the Synacktiv Summer Challenge. This event was a success, with one of the participants even finding a zero-day vulnerability while working on his solution! Although it hasn't been made public yet, it w… | SYNACKTIV.COM
27 Jun | Breaking the BeeStation: Inside Our Pwn2Own 2025 Exploit Journey | This article documents our successful exploitation at Pwn2Own Ireland 2025 against the BeeStation Plus. We walk through the full vulnerability research process, including attack surface enumeration, code auditing, exploit development, and ultimately obtaining a root shell on the … | SYNACKTIV.COM
27 Jun | Site Unseen: Enumerating and Attacking Active Directory Sites | Active Directory Sites are a feature for optimizing network performance and bandwidth usage in internal AD environments. They are commonly implemented by large, geographically dispersed organizations spanning across multiple countries or continents. Sites did not receive mu… | SYNACKTIV.COM
27 Jun | appledb_rs, a research support tool for Apple platforms | Over the years, research on Apple platforms has become significantly more complex, largely due to the numerous countermeasures deployed by the Cupertino company. To address this challenge during our missions on these platforms, we developed appledb_rs: an open-source tool (https:… | SYNACKTIV.COM
27 Jun | The 'S' in Zoom, Stands for Security | Today we uncover two (local) security flaws in Zoom's latest macOS client. First, a privilege escalation vulnerability, and second, a method to surreptitiously access a user's webcam and microphone (via Zoom). | OBJECTIVE-SEE.ORG
27 Jun | [0day] Abusing XLM Macros in SYLK Files | A 0day logic flaw in Microsoft Excel leads to 'remote' code execution on macOS, via malicious macros. | OBJECTIVE-SEE.ORG
27 Jun | Burned by Fire(fox) (Part III) | Recently, an attacker targeted (Mac) users via a Firefox 0day. In this third post, we analyze a second backdoor used in the attack, detailing its persistence and capabilities, and ultimately identify it as a new variant of the cross-platform Mokes malware! | OBJECTIVE-SEE.ORG
27 Jun | Burned by Fire(fox) (Part II) | Recently, an attacker targeted (Mac) users via a Firefox 0day. In this second post, we fully reverse OSX.NetWire.A, revealing (for the first time!) its inner workings and complex capabilities. | OBJECTIVE-SEE.ORG
27 Jun | Burned by Fire(fox) (Part I) | Recently, an attacker targeted (Mac) users via a Firefox 0day. In this first post, we triage and identify the malware (OSX.NetWire.A) utilized in this attack, identifying its methods of persistence, and more! | OBJECTIVE-SEE.ORG
27 Jun | [0day] Mojave's Sandbox is Leaky | The macOS sandbox seeks to prevent malicious applications from surreptitiously spying on unsuspecting users. Turns out, it's trivial to sidestep some of these protections, resulting in significant privacy implications! | OBJECTIVE-SEE.ORG
27 Jun | Remote Mac Exploitation Via Custom URL Schemes | The WINDSHIFT APT group is successfully infecting Macs with a novel infection mechanism. By abusing custom URL scheme handlers and minimal user interaction, Macs can be remotely compromised! | OBJECTIVE-SEE.ORG
27 Jun | [0day] Synthetic Reality | If you can programmatically generate synthetic mouse clicks, you can break macOS! Approving kernel extensions, dismissing privacy alerts, and much more... | OBJECTIVE-SEE.ORG
27 Jun | Escaping the Microsoft Office Sandbox | Imagine you've gained remote code execution on a Mac via a malicious Word document. Turns out, you're still stuck in a sandbox. However, via a faulty regex, you can escape and persist! | OBJECTIVE-SEE.ORG
27 Jun | [0day] Bypassing SIP via Sandboxing | In this guest blog post @CodeColorist writes about a neat macOS vulnerability. Ironically, by abusing security mechanisms such as sandboxing, macOS can be coerced to load an untrusted library into a SIP-entitled process! | OBJECTIVE-SEE.ORG
27 Jun | An Unpatched Kernel Bug | On my flight to ShmooCon, I managed to panic my fully-patched MacBook. Here we analyze the kernel panic report, finding that Apple's AMDRadeonX4150 kext is responsible for the crash. | OBJECTIVE-SEE.ORG
27 Jun | Two Bugs, One Func(), part three | Analyzing code within the macOS kernel audit subsystem uncovered an exploitable heap overflow. | OBJECTIVE-SEE.ORG
27 Jun | New Attack, Old Tricks | A Word document targets Mac users with malicious macros and an open-source payload. | OBJECTIVE-SEE.ORG
27 Jun | [0day] Bypassing Apple's System Integrity Protection | Read how an attacker can bypass Apple's SIP, via the local OS upgrade process. | OBJECTIVE-SEE.ORG
27 Jun | Phoenix: RootPipe lives! ...even on OS X 10.10.3 | Exploiting RootPipe on OS X 10.10.3. | OBJECTIVE-SEE.ORG
27 Jun | NAIC suspends investment risk designations after cyber attack | The National Association of Insurance Commissioners (NAIC) is the U.S. standard-setting and regulatory support organization. It is governed by the chief insurance regulators from the 50 states, the District of Columbia, and five U.S. territories. The organization serves the publi… | DATABREACHES.NET
📢 SECURITY ADVISORIES (5)
27 Jun | FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys | The FBI and CISA have updated their March warning about Russian intelligence phishing Signal accounts, and the operators have added a step: they now coax targets into handing over their Signal Backup Recovery Key. Hand it over once, and the attacker can restore the acco… | THEHACKERNEWS.COM
27 Jun | AWS Forensics: What you need to know | Nowadays, it is rare to find a company whose IT system does not rely, at least in part, on cloud technologies. These solutions offer numerous benefits, particularly in terms of the rapid deployment of services and infrastructure. However, those technologies require specific skill… | SYNACKTIV.COM
27 Jun | ActivID administrator account takeover: the story behind HID-PSA-2025-002 | In September 2025, we were asked by one of our clients to focus on a specific product: ActivID Appliance by HID. According to the vendor, this product is used worldwide to secure access to critical infrastructure and data. It supports a wide range of authentication methods includ… | SYNACKTIV.COM
27 Jun | What Counts as a Crypto Security? | The SEC has introduced a five-part framework to clarify when a crypto asset should be treated as a security. Under the guidance, assets such as Bitcoin, Ethereum, meme coins, and utility tokens are generally not classified as securities, while stablecoins fall under separate legi… | YOUTUBE.COM
27 Jun | New FBI Alert: Russian Intelligence Uses Signal Recovery Keys to Access Messages | FBI warns Russian spies now target Signal Backup Recovery Keys, enabling access to message history and long-term account takeover. The FBI and CISA updated their March 2026 warning about Russian intelligence phishing campaigns, and the new advisory adds a detail that wasn't… | SECURITYAFFAIRS.COM
🔥 INCIDENT REPORTING (7)
27 Jun | Kubernetes forensics 1/3: what the container? | In 2025, Synacktiv CSIRT observed a significant rise in attacks and compromises targeting Kubernetes environments. The consensus is that these attacks are bound to keep expanding as much as the technology itself. To better understand how a Kubernetes cluster works and how to inve… | SYNACKTIV.COM
27 Jun | OSX/MacRansom; analyzing the latest ransomware to target Macs | Looks like somebody on the 'dark web' is offering 'Ransomware as a Service'...that's designed to infect Macs! | OBJECTIVE-SEE.ORG
27 Jun | HandBrake Hacked! OSX/Proton (re)Appears | The website of a popular application was hacked, and the application trojaned with a new variant of OSX/Proton. | OBJECTIVE-SEE.ORG
27 Jun | Towards Generic Ransomware Detection | By monitoring file I/O events and detecting the rapid creation of encrypted files by untrusted processes, can ransomware be generically detected? | OBJECTIVE-SEE.ORG
27 Jun | Third-Party Breaches Teach Education Sector a Costly Lesson in Vendor Risk | Rising threats from third-party actors are forcing institutions to play defense to protect student data from ransomware and other attacks. | DARKREADING.COM
27 Jun | Hospitality Sector Hit by Phishing Campaign Using Fake Guest Complaint Emails | Microsoft warns of a phishing campaign targeting the hospitality sector with fake guest emails that install TonRAT using resilient persistence. Microsoft Threat Intelligence published a detailed analysis of an ongoing hacking campaign against hospitality organizations that has be… | SECURITYAFFAIRS.COM
27 Jun | Ukraine Says Russian Intelligence Used Fake Support Texts to Steal Messaging Credentials | The Security Service of Ukraine (SSU) said it, together with the U.S. Federal Bureau of Investigation (FBI), uncovered a long-running campaign orchestrated by Russian intelligence services to break into the messaging accounts of government officials, military personnel, politicia… | THEHACKERNEWS.COM
🕵️ THREAT INTELLIGENCE (8)
27 Jun | The Dacls RAT ...now on macOS! | A sophisticated Lazarus Group implant has arrived on macOS. In this post, we deconstruct the Mac variant, OSX.Dacls, detailing its install logic, persistence, and capabilities. | OBJECTIVE-SEE.ORG
27 Jun | Weaponizing a Lazarus Group Implant | The Lazarus group's latest implant/loader supports in-memory loading of 2nd-stage payloads. In this post we describe exactly how to repurpose this 1st-stage loader to execute *our* custom 'fileless' payloads! | OBJECTIVE-SEE.ORG
27 Jun | Lazarus Group Goes 'Fileless' | The rather infamous APT group, "Lazarus", continues to evolve their macOS capabilities. Today, we tear apart their latest 1st-stage implant that supports remote download & in-memory execution of secondary payloads! | OBJECTIVE-SEE.ORG
27 Jun | Pass the AppleJeus | A new macOS backdoor written by the infamous Lazarus APT group needs analyzing. Here, we examine its infection vector, method of persistence, capabilities, and more! | OBJECTIVE-SEE.ORG
27 Jun | Middle East Cyber-Espionage (part two) | The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let's (continue to) analyze their 1st-stage macOS implant: OSX.WindTail! | OBJECTIVE-SEE.ORG
27 Jun | Middle East Cyber-Espionage | The APT group WindShift has been targeting Middle Eastern governments with Mac implants. Let's analyze their 1st-stage macOS implant: OSX.WindTail! | OBJECTIVE-SEE.ORG
27 Jun | Who Moved My Pixels?! | In this guest blog post my friend Mikhail Sosonkin reverses Apple's screencapture utility, discusses Mac malware that captures desktop images, and suggests methods for screen-capture detection! | OBJECTIVE-SEE.ORG
27 Jun | Chinese Framework Powers 200,000 Scam Sites | Threat actors are selling investment scam templates created using the legitimate DCloud Uni-App toolkit. | SECURITYWEEK.COM
🌐 CYBER THREAT LANDSCAPE (18)
27 Jun | More bark than byte. | This week we are joined by Daniel Schwalbe, Chief Information Security Officer & Head of Investigations at DomainTools, discussing their work on "ZionSiphon OT Malware First Attempts? Psyops? Both?" Researchers at DomainTools take a closer look at ZionSiphon, a purported oper… | THECYBERWIRE.COM
27 Jun | Security News This Week: LastPass Users Had Their Data Stolen—Again | Plus: Former national security advisor John Bolton pleads guilty in classified-materials case, Microsoft helps take down major infostealer infrastructure, and more. | WIRED.COM
27 Jun | Say hi to Pike! | In this article we will introduce Pike, an experimental LLM agent that generates and analyzes Linux program execution traces. We will show that with its simple architecture paired with a good LLM, Pike can quickly help debug a crash, identify malware, or give valuable high level … | SYNACKTIV.COM
27 Jun | Creating a "Two-Face" Rust binary on Linux | In this article we will describe a technique to easily create a "Two-Face" Rust binary on Linux: an executable file that runs a harmless program most of the time, but will run a different, hidden code if deployed on a specific target host. This approach, which allows binding a bi… | SYNACKTIV.COM
27 Jun | Quantum readiness: Hybridizing key exchanges | Following our previous article on signatures hybridization, this article covers the basics of hybridizing your key exchanges to ensure maximal security of your data. | SYNACKTIV.COM
27 Jun | LinkPro: eBPF rootkit analysis | During a digital investigation related to the compromise of an AWS-hosted infrastructure, a stealthy backdoor targeting GNU/Linux systems was discovered. This backdoor features functionalities relying on the installation of two eBPF modules, on the one hand to conceal itself, and… | SYNACKTIV.COM
27 Jun | LLM Poisoning [1/3] - Reading the Transformer's Thoughts | Your local LLM can hack you. This three-part series reveals how tiny weight edits can implant stealthy backdoors that stay dormant in everyday use, then fire on specific inputs, turning a "safe" offline model into an attacker. This article shows how transformers encode concepts … | SYNACKTIV.COM
27 Jun | The Mac Malware of 2019 | Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more! | OBJECTIVE-SEE.ORG
27 Jun | The Mac Malware of 2018 | Our annual report on all the Mac malware of the year - including samples for download, infection vectors, persistence mechanisms, payloads and more! | OBJECTIVE-SEE.ORG
27 Jun | OSX.Dummy | A new Mac malware targets the cryptocurrency community. In this post, we dive into the malware and illustrate how Objective-See's tools can generically thwart this new threat at every step of the way. | OBJECTIVE-SEE.ORG
27 Jun | Tearing Apart the Undetected (OSX)Coldroot RAT | I uncovered a new cross-platform backdoor that provides remote attackers persistent access to infected systems. | OBJECTIVE-SEE.ORG
27 Jun | Ay MaMi - Analyzing a New macOS DNS Hijacker | OSX/MaMi (the first Mac malware of 2018) hijacks infected users' DNS settings and installs a malicious certificate into the System keychain, in order to give remote attackers 'access' to all network traffic. | OBJECTIVE-SEE.ORG
27 Jun | Mac Malware of 2017 | Let's look at all the Mac malware from 2017, for each discussing their infection vector, persistence mechanism, features & goals. | OBJECTIVE-SEE.ORG
27 Jun | OSX/Proton.B; a brief analysis, 6 miles up | Analysis of OSX/Proton.B reveals some interesting tricks plus a command file that can be decrypted to reveal the malware's capabilities. | OBJECTIVE-SEE.ORG
27 Jun | Mac Malware of 2016 | Let's analyse the malware that appeared in 2016, discussing the infection vector, persistence mechanism, features, and disinfection for each. | OBJECTIVE-SEE.ORG
27 Jun | HackingTeam Reborn; A Brief Analysis of the RCS Implant Installer | HackingTeam using native OS X crypto to protect malware - neat! New blog w/ sample + decryptions/dumpings/detections. | OBJECTIVE-SEE.ORG
27 Jun | More on, "Adware for OS X Distributes Trojans" | A deeper dive into 'MacInstaller' and the adware it installs. | OBJECTIVE-SEE.ORG
27 Jun | Clean GitHub repo tricks AI coding agents into running malware | An agentic coding tool tasked with cloning and setting up a seemingly benign GitHub repository could execute a malicious payload that remains invisible to security scanners, AI agents, and human reviewers. [...] | BLEEPINGCOMPUTER.COM
📡 INFOSEC NEWS (49)
27 Jun | Hooking Windows Named Pipes | During security assessments, we often see desktop applications composed of several processes. Some of them run as SYSTEM, and others run in the user session context, meaning they are unprivileged. These processes need to communicate in some way, and often use Windows Named Pipes … | SYNACKTIV.COM
27 Jun | Deep-dive into the deployment of an on-premise low-privileged LLM server | In 1826, children fantasized about riding horses in the Wild West. In 1926, it was outrunning the law as a moonshiner. In 2026, managing distributed inference servers without leaking all the company data is surely a universal dream among the new generation. This article rewinds our jou… | SYNACKTIV.COM
27 Jun | 2025 winter challenge writeup | Creating quines is a game that has always fascinated computer scientists. The journal Software: Practice and Experience dedicated an article to the subject in 1972, well before Intel released its first 32-bit x86 processor (1985). Even today, many enthusiasts continue to explore t… | SYNACKTIV.COM
27 Jun | Wireless-(in)Fidelity: Pentesting Wi-Fi in 2025 | Despite the advancements that have been made in Wi-Fi security with the arrival of WPA3, some misconfigurations and legacy protocols still remain. In this blogpost, we share insights into Wi-Fi related findings encountered during penetration testing engagements. We will present c… | SYNACKTIV.COM
27 Jun | What could go wrong when MySQL strict SQL mode is off? | This article shows some examples of attacks that can abuse MySQL behavior when the strict SQL mode is disabled, especially when string characters are invalid in the current encoding. This happens when the encoding of the application (e.g. UTF-8) is wider than that of the database… | SYNACKTIV.COM
27 Jun | Quantum readiness: Hybridizing signatures | In light of new legal requirements being enacted in many countries for software providers to adopt hybrid post-quantum cryptography, Synacktiv has initiated research into these novel cryptographic algorithms. After having studied what makes post-quantum cryptography "post-quantum… | SYNACKTIV.COM
27 Jun | Mass Surveillance, is an (un)Complicated Business | A massively popular iOS application turns out to be a government spy tool! Here, we analyze the app; decrypting its binary and studying its network traffic. | OBJECTIVE-SEE.ORG
27 Jun | Writing a File Monitor with Apple's Endpoint Security Framework | Learn how to leverage Apple's new Endpoint Security Framework to create a comprehensive (user-mode) File Monitor for macOS 10.15! | OBJECTIVE-SEE.ORG
27 Jun | Writing a Process Monitor with Apple's Endpoint Security Framework | Learn how to leverage Apple's new Endpoint Security Framework to create a comprehensive (user-mode) Process Monitor for macOS 10.15! | OBJECTIVE-SEE.ORG
27 Jun | Getting Root with Benign AppStore Apps | In this guest blog post, "Objective by the Sea" speaker Csaba Fitzl writes about an interesting way to get root via apps from the official Mac App Store! | OBJECTIVE-SEE.ORG
27 Jun | "Objective by the Sea" v2.0 | After the success of #OBTS v1.0, we decided to go international and plan #OBTS v2.0 in Europe! In this blog post, we re-live the highlights (from Monaco!) of "Objective by the Sea" v2.0. | OBJECTIVE-SEE.ORG
27 Jun | Rootpipe Reborn (Part I) | In part one of a guest blog post, @CodeColorist writes about several neat macOS vulnerabilities. | OBJECTIVE-SEE.ORG
27 Jun | Mac Adware, à la Python | Let's tear apart a persistent piece of adware, decompiling, decoding, and decompressing its code to uncover its methods and capabilities. | OBJECTIVE-SEE.ORG
27 Jun | Death by vmmap | A core Mojave utility is rather disastrously broken, causing a full-system lockup. Let's find out why! | OBJECTIVE-SEE.ORG
27 Jun | Word to Your Mac | A malicious Word document targeting macOS users was recently uncovered. Let's extract the embedded macros, decode an embedded downloader, and retrieve the 2nd-stage payload! | OBJECTIVE-SEE.ORG
27 Jun | A Deceitful 'Doctor' in the Mac App Store | A massively popular app from the official Mac App Store surreptitiously steals your browsing history! By fully reversing the application, we can fully expose its functionality and rather shady capabilities. | OBJECTIVE-SEE.ORG
27 Jun | A Remote iOS Bug | Apple wrote code to appease the Chinese government ...it was buggy. In certain configurations, iOS devices were vulnerable to an "emoji-related" flaw that could be triggered remotely! | OBJECTIVE-SEE.ORG
27 Jun | Block Blocking Login Items | Apple recently updated the way login items are stored by the OS. In this post, we'll illustrate how to parse the (new) login item files to detect persistence. | OBJECTIVE-SEE.ORG
27 Jun | Cache Me Outside | Are full paths and preview thumbnails for files, even on encrypted containers and removable USB devices, really persistently stored? ...yes :( Apple's 'QuickLook' cache is to blame. | OBJECTIVE-SEE.ORG
27 Jun | Breaking macOS Mojave (Beta) | In macOS Mojave, apps have to obtain user permission before using the Mac camera & microphone. We'll illustrate how this is trivial to bypass (at least in the current beta). | OBJECTIVE-SEE.ORG
27 Jun | When Disappearing Messages Don't Disappear | Did you know that on macOS, notifications are stored in an unencrypted database? Which means that even 'disappearing' messages from apps such as Signal may not really disappear. Yikes! | OBJECTIVE-SEE.ORG
27 Jun | An Insecurity in Apple's Security Framework? | Turns out that writing security tools is a great way to inadvertently uncover bugs in macOS. How about a crash in Apple's 'Security' framework ... that can't be good!? | OBJECTIVE-SEE.ORG
27 Jun | A Surreptitious Cryptocurrency Miner in the Mac App Store? | Turns out the innocuously named "Calendar 2" app, found on the official Mac App Store, was surreptitiously turning Macs into cryptocurrency miners! | OBJECTIVE-SEE.ORG
27 Jun | Analyzing OSX/CreativeUpdater | Recently, the popular MacUpdate website was subverted to distribute a new macOS cryptominer; OSX/CreativeUpdater. | OBJECTIVE-SEE.ORG
27 Jun | Analyzing CrossRAT | The EFF/Lookout discovered a cross-platform implant, named CrossRat, with ties to nation-state operators. Here, we tear it apart; analyzing its persistence mechanisms, features, and network communications. | OBJECTIVE-SEE.ORG
27 Jun | All Your Docs Are Belong To Us | Here, we reverse, then 'extend' a popular macOS anti-virus engine. With the creation of a new anti-virus signature, classified documents will be automatically detected! | OBJECTIVE-SEE.ORG
27 Jun | Why _blank_ Gets You Root | Yet another massive security flaw affects the latest version of macOS (High Sierra), allowing anybody to log into the root account with a blank password, or a password of their choosing! | OBJECTIVE-SEE.ORG
27 Jun | High Sierra's 'Secure Kernel Extension Loading' is Broken | A new 'security' feature in macOS 10.13 is trivial to bypass. | OBJECTIVE-SEE.ORG
27 Jun | WTF is Mughthesec!? poking on a piece of undetected adware | Some undetected adware named "Mughthesec" is infecting Macs...let's check it out! | OBJECTIVE-SEE.ORG
27 Jun | Two Bugs, One Func(), part two | Apple's 'fix' for a macOS kernel panic fixes nothing and, worse, introduces a new bug. | OBJECTIVE-SEE.ORG
27 Jun | Two Bugs, One Func(), part one | The macOS kernel had an (intentional?) off-by-one bug that could trigger a kernel panic. | OBJECTIVE-SEE.ORG
27 Jun | Happy Birthday to Objective-See | Today is our 2nd birthday! Let's look at our past, present, and future. | OBJECTIVE-SEE.ORG
27 Jun | From Italy With Love? | Reverse-engineering a 'Russian' implant reveals HackingTeam's code!? | OBJECTIVE-SEE.ORG
27 Jun | 'Untranslocating' an App | Apple's App Translocation broke several of my tools, but we can locally undo it to restore broken functionality! | OBJECTIVE-SEE.ORG
27 Jun | Forget the NSA, it's Shazam that's always listening! | Does Shazam's Mac App keep recording even when you turn the app off? ...yes :/ | OBJECTIVE-SEE.ORG
27 Jun | Click File, App Opens | The 'Mac File Opener' adware is fairly normal, except for how it persists via registered document handlers. | OBJECTIVE-SEE.ORG
27 Jun | Persisting via a Finder Sync | Learn how a Finder Sync can 'extend' Finder.app and how this could be abused for persistence. | OBJECTIVE-SEE.ORG
27 Jun | Are you from the Mac App Store? | How to verify that an application came from the official Mac App Store, via receipt validation. | OBJECTIVE-SEE.ORG
27 Jun | Analysis of an Intrusive Cross-Platform Adware; OSX/Pirrit | In Objective-See's first guest blog post, Amit Serper presents his detailed analysis of OSX/Pirrit. | OBJECTIVE-SEE.ORG
27 Jun | Analyzing the Anti-Analysis Logic of an Adware Installer | Dissecting string obfuscations, junk code insertions, and anti-debugging logic of InstallCore. | OBJECTIVE-SEE.ORG
27 Jun | [KEV] Monitoring Process Creation via the Kernel (Part III) | Getting process creation notifications from kernel-mode to user-mode, via the undocumented kev_msg_post function. | OBJECTIVE-SEE.ORG
27 Jun | Monitoring Process Creation via the Kernel (Part II) | Process monitoring via the KAuth Subsystem (and some limitations). | OBJECTIVE-SEE.ORG
27 Jun | Monitoring Process Creation via the Kernel (Part I) | Why BlockBlock needs a kext (hint: process monitoring), and how the kext was created. | OBJECTIVE-SEE.ORG
27 Jun | Kernel Debugging a Virtualized OS X El Capitan Image | How to remotely kernel-debug an OS X 10.11 VM. | OBJECTIVE-SEE.ORG
27 Jun | Reversing to Engineer: Learning to 'Secure' XPC from a Patch | How reversing Apple's 'RootPipe' patch provided the means to secure TaskExplorer's XPC service. | OBJECTIVE-SEE.ORG
27 Jun | Building HackingTeam's OS X Implant For Fun & Profit | How to build HackingTeam's OS X implant in Xcode. | OBJECTIVE-SEE.ORG
27 Jun | Dylib Hijack Scanner Released | Announcing the release of DHS; a tool to help detect (dylib) hijackers. | OBJECTIVE-SEE.ORG
27 Jun | OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards | OpenAI on Friday released three versions of GPT-5.6, called Sol, Terra, and Luna, as a limited preview to a small number of companies as part of an ongoing engagement with the U.S. government. While Sol is the latest flagship model and the most powerful, Terra strikes a balance b… | THEHACKERNEWS.COM