
Checkout our previous posts on “PowerShell Security”
More latest Titles on PowerShell…
InfoSec books | InfoSec tools | InfoSec services
Jan 17 2023
Jan 02 2023
Aug 17 2021
An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. Experts pointed out that the flaw could be chained with an authentication bypass flaw that could allow an attacker
The vulnerability impacts Fortinet FortiWeb versions 6.3.11 and earlier, an authenticated attacker could exploit the issue to take complete control of servers running vulnerable versions of the FortiWeb WAF.
An authenticated attacker could execute arbitrary commands as the root user on the underlying system via the SAML server configuration page. Experts pointed out that the flaw could be chained with an authentication bypass flaw (i.e. CVE-2020-29015) to allow an unauthenticated attacker to trigger the vulnerability.
The vulnerability was reported by the researcher William Vu from Rapid7.
āAn attacker, who is first authenticated to the management interface of the FortiWeb device, can smuggle commands using backticks in the āNameā field of the SAML Server configuration page. These commands are then executed as the root user of the underlying operating system.ā reads theĀ postĀ published by Rapid7.Ā āAn attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges.Ā ā
The flaw could allow an attacker to deploy a persistent shell, install crypto mining software, or other malware families. If the management interface is exposed to the internet, an attacker could trigger the issue to reach into the affected network beyond the DMZ. Rapid7 researchers discovered less than three hundred devices exposing their management interfaces online. Letās remind that management interfaces for devices like FortiWeb should not be exposed online!
May 14 2021
MagecartĀ hackers are distributing malicious PHP web shells hidden in website favicon to inject JavaScript e-skimmers into online stores and steal payment information.
Researchers from Malwarebytes observed threat actors, likely Magecart Group 12, using this technique in attacks aimed at online stores running on Magento 1 websites.
TheĀ web shellsĀ employed in the attacks are tracked as Smilodon orĀ Megalodon, they dynamically load JavaScript skimming code via server-side requests into online stores. This technique allows bypassing most client-side security tools.
āWhile performing a crawl of Magento 1 websites, we detected a new piece of malware disguised as a favicon. The file named Magento.png attempts to pass itself as āimage/pngā but does not have the proper PNG format for a valid image file.ā reads theĀ analysisĀ published by Malwarebytes.
Feb 12 2021
Jul 05 2019
PowerShell is a valuable tool for automating Windows administration tasks, including laborious security chores
Source: 10 essential PowerShell security scripts for Windows administrators
Defending Against PowerShell Attacks