Publications

Forensic analysis of bitwarden self-hosted server

14/10/2024 Bitwarden is a popular password managing software. Being open-source, it offers self-hosting capabilities with ease of use in a controlled office or home environment. Attackers might prioritize targeting this application given the secrets it usually stores. In this article, we will deep dive into the internals of Bitwarden, how it stores encrypted data, and what information is available to whomever controls the server.

Quantum readiness: Lattice-based PQC

11/10/2024 This is the third article in the "Quantum readiness" series. This article aims at giving a rough introduction to lattices in the context of cryptography. It follows the first article, "Quantum readiness: Introduction to Modern Cryptography", and the second article, "Quantum readiness: Hash-based signatures". Knowledge of the concepts introduced in those articles such as indistinguishability games and hash functions, as well as standard knowledge of linear algebra, is strongly recommended. If you are unfamiliar with linear algebra, ...

Fuzzing confused dependencies with Depfuzzer

25/09/2024 In the landscape of software development, leveraging open-source libraries and packages through registries like NPM, PyPI, Go modules, and Crates for Rust has become standard practice. This approach facilitates the rapid integration of diverse functionalities into applications, driving both innovation and efficiency across the development community. While the benefits of using these resources are clear, the management of external dependencies introduces a set of considerations regarding security and maintainability. Inspired by Alex ...

Defend against vampires with 10 gbps network encryption

13/09/2024 Discover how attackers can sniff your data on network cables and how you can defend against it, by encrypting on-the-fly all your ethernet traffic with very good performance. Keywords : wireguard, vxlan, tapping, fiber optics, lan2lan, macsec

Diving into ADB protocol internals (1/2)

12/09/2024 For those having experience working on Android devices, you may already be familiar with a useful tool called adb. This tool is invaluable for debugging, offering a unified way to execute shell commands, transfer files, install APKs, and much more. In this first blogpost, we will explore its underlying protocol between client and server and introduce a Rust crate called adb_client implementing it.

Using Veeam metadata for efficient extraction of Backup artefacts (2/3)

30/08/2024 In a previous blogpost, we explored Veeam Backup & Replication's "backup chain metadata" files and how to parse them in a comprehensive Velociraptor artifact. In this article, we complement our findings with metadata embedded directly in VBR's Storage files. Then, we create a Velociraptor pipeline to remotely access relevant forensic artefacts in backed up data. This aims to enable DFIR analysts to extend the time horizon in their investigations using Veeam backups and Velociraptor, while minimizing network bandwidth usage and extensi...

Quantum readiness: Hash-based signatures

26/08/2024 Building robust digital signature algorithms is one of the main challenges in post-quantum cryptography, as classical signatures such as ECDSA and RSA are broken by quantum computers. Thankfully, in the past decades, the academic field has come up with multiple quantum-resistant algorithms which are now being standardized and implemented in modern software. This article highlights XMSS and SPHINCS+, two digital signature algorithms which rely on the well-known robustness of hash functions against quantum computers. However, each one c...

LAPSUS$ is dead, long live HexaLocker?

18/08/2024 The LAPSUS$ threat group has been known since 2021 for spear phishing, data theft, and extortion against large companies (e.g., Microsoft, Nvidia, Uber). Although evidence of destruction methods was reported, there was no known use of ransomware. In June 2024, LAPSUS$ announced its closure. However, two months later, a new ransomware called HexaLocker was advertised on Telegram channels. Its "only real" admin and probable developer is ZZART3XX, one of the LAPSUS$ administrators. This article will dissect the HexaLocker ransomware samp...

SCCMSecrets.py: exploiting SCCM policies distribution for credentials harvesting, initial access and lateral movement

14/08/2024 SCCM policies are a prime target for attackers in Active Directory environments as they may expose – intentionally or otherwise – sensitive technical information such as account credentials. Said credentials could be retrieved by authenticated attackers impersonating a registered device, or in some cases from an unauthenticated position by exploiting misconfigurations on policies distribution. SCCMSecrets.py is a python utility that builds upon existing SCCM research. It goes beyond NAA credentials extraction, and aims to provide...

GitHub Actions exploitation: Dependabot

06/08/2024 Following our GitHub action exploitation series, we found a new GitHub action exploitation technique leveraging the Dependabot GitHub app to compromise some repositories, leading to arbitrary code push. In this article we will explain how we discovered it and illustrate with 2 real world examples which are the Spring-security and trpc projects.