Episode #2022-04

Posted on Feb 23, 2022

github qbot safari uxss websockets zero-trust

Github presented how they built static analysis at scale. ¹

Safari has a universal XSS that allows attacker to gain unauthorized camera access. ²

DFIR-report presented a detail analysis about QBot. ³

Maya Kaczorowski talked about the practical challenge of BeyondCorp. ⁴

Germano Gabbianelli discussed the attacks on WebSockets and how Server-Sent Events can be used as an alternative. ⁵

Footnotes

1. Static Analysis at GitHub | February 2022 | Communications of the ACM (cacm.acm.org)

2. Webcam Hacking (again) - Safari UXSS | Ryan Pickren (www.ryanpickren.com)

See also:

NVD - CVE-2021-30861 (nvd.nist.gov)

NVD - CVE-2021-30975 (nvd.nist.gov)

3. Qbot Likes to Move It, Move It (thedfirreport.com)

See also:

A closer look at Qakbot’s latest building blocks (and how to knock them down) - Microsoft Security Blog (www.microsoft.com)

Qbot - 2021 Threat Detection Report - Red Canary (redcanary.com)

Automated Malware Analysis Report for doc-220808714.xls - Generated by Joe Sandbox (www.joesandbox.com)

4. BeyondCorp is dead, long live BeyondCorp (mayakaczorowski.com)

See also:

M-22-09 Federal Zero Trust Strategy (www.whitehouse.gov)

BastionZero Blog | I read the federal government’s Zero-Trust Memo so you don’t have to (www.bastionzero.com)

BeyondCorp: A New Approach to Enterprise Security – Google Research (research.google)

BeyondCorp Zero Trust Enterprise Security | Google Cloud (cloud.google.com)

BeyondCorp 6: Building a Healthy Fleet – Google Research (research.google)

5. Server-Sent Events: the alternative to WebSockets you should be using - germano.dev (germano.dev)

See also:

Using SSE Instead Of WebSockets For Unidirectional Data Flow Over HTTP/2 — Smashing Magazine (www.smashingmagazine.com)

How HTML5 Web Sockets Interact With Proxy Servers (www.infoq.com)

Cross-Site WebSocket Hijacking (CSWSH) (christian-schneider.net)