Labs Archive

MuddyWater APT's updated toolkit: an evolution of PowGoop malware, abuse of tunneling tools, and targeting of Exchange servers. MuddyWater's activities are attributed to the Iranian Ministry of Intelligence by U.S. Cyber Command.

Security Research

CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers

Max Van Amerongen / January 11, 2022

SentinelLabs has discovered a high severity flaw in NetUSB which could be remotely exploited to execute code in the kernel.

Security & Intelligence

A Threat Hunter’s Guide to the Mac’s Most Prevalent Adware Infections 2022

Phil Stokes / January 4, 2022

Mac adware is hidden, persistent, and evasive, fingerprinting devices and delivering custom payloads. Learn how to hunt it on macOS.

Crimeware

New Rook Ransomware Feeds Off the Code of Babuk

Jim Walter / December 23, 2021

Scavenging code leaked from Babuk, Rook's first victim was a bank and the theft of 1123 GB of data. Learn more about this new ransomware operator.

Security Research

USB Over Ethernet | Multiple Vulnerabilities in AWS and Other Major Cloud Services

Kasif Dekel / December 7, 2021

25 CVEs and counting: SentinelLabs' latest research reveals millions of cloud users are exposed to privilege escalations from bugs in shared driver software.

Security Research

GSOh No! Hunting for Vulnerabilities in VirtualBox Network Offloads

Max Van Amerongen / November 23, 2021

Inspired by Pwn2Own, SentinelLabs' researcher Max Van Amerongen discovered three CVEs, including two privilege escalations, in VirtualBox. Read more here.

Security Research

Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma

Phil Stokes / November 15, 2021

SentinelLabs reveals further IoCs, behavior and analysis around suspected APT attack targeting macOS users and Hong Kong pro-democracy activists.

Security Research

CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution

Max Van Amerongen / November 4, 2021

SentinelLabs has discovered a heap overflow vulnerability in the TIPC module of the Linux Kernel, which can allow attackers to compromise an entire system.

Crimeware

Spook Ransomware | Prometheus Derivative Names Those That Pay, Shames Those That Don’t

Jim Walter / October 28, 2021

New ransomware operator publishes victim details even if they pay. Our technical analysis shows how Spook is connected to other well-known malware families.

BlackCat Ransomware | Highly-Configurable, Rust-Driven RaaS On The Prowl For Victims

Wading Through Muddy Waters | Recent Activity of an Iranian State-Sponsored Threat Actor

CVE-2021-45608 | NetUSB RCE Flaw in Millions of End User Routers

A Threat Hunter’s Guide to the Mac’s Most Prevalent Adware Infections 2022

New Rook Ransomware Feeds Off the Code of Babuk

GSOh No! Hunting for Vulnerabilities in VirtualBox Network Offloads

Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma

CVE-2021-43267: Remote Linux Kernel Heap Overflow | TIPC Module Allows Arbitrary Code Execution

Spook Ransomware | Prometheus Derivative Names Those That Pay, Shames Those That Don’t