Weekly in Security 202306

2023-02-06 to 2023-02-13


Introduction

Weekly in Security is a summary of the cybersecurity news from the past week. This post covers 2023-02-06 to 2023-02-13.

Vulnerabilities

CVE-2023-25136 - OpenSSH

A double-free vulnerability in OpenSSH (CVE-2023-25136) was introduced in July 2022 and reported in January 2023. The JFrog Security Research team published a detailed analysis of the vulnerability. The Qualys Threat Research Unit created a demonstration of the vulnerability, with the technical details published on seclists. While a double free in OpenSSH version 9.1 may raise concerns, it is essential to note that exploiting this issue is no simple task.

Interesting Reads

Dota 2 with V8 from 2018

Avast discovered that the massively popular Dota 2 video game was using a V8 JavaScript engine from 2018. During their research they also discovered malicious content, all by a single author, exploiting CVE-2021-38003 in V8. They first found a test file that contained many debug statements and was presumably used to develop a working exploit. The blog article contains a detailed summary.

Phishing revisited in 2023

Phishing is still alive and kicking.

This blog post by SSE provides insight into the techniques and procedures used for phishing in 2023.

VSCode as C2 framework

Visual Studio Code provides a Remote Development feature. PfiatDe tested it and verified that it can serve as a working and stealthy C2 channel.

Neo4jection

Little Bobby Tables has grown up, and now he’s playing with graphs. The article provides an overview of the different attacks observed on graph databases.

Insights into Phishing as a Service

A security researcher at CyberArk received an SMS phishing (smishing) message. As expected, the researcher started to track down the origin of the attack. Thanks to an insecure server configuration, he was able to get into the Telegram channels used by the phishing campaign. The whole story is described here.

Data Encrypted for Impact

Picus published an article some time ago with a summary overview of T1486 (Data Encrypted for Impact).

cURL audit results

The OpenSSF engaged Trail of Bits to review the security of cURL. The audit report and the threat model have already been published. The blog article briefly describes the process of fuzzing cURL's argv handling.

Stealthy C2 via Failed Request Event Buffering (FREB)

Symantec published an article on the Frebniis malware. The new technique involves injecting malicious code into the memory of a DLL (iisfreb.dll) belonging to an IIS feature used to troubleshoot and analyze failed web page requests. The injected Frebniis code parses all received HTTP POST requests for /logon.aspx or /default.aspx that carry a parameter password set to ‘7ux4398!’. If the password matches, Frebniis decrypts and executes a section of the injected code, a .NET executable containing the main backdoor functionality. No executables are saved to disk in this process, which keeps the backdoor completely stealthy.
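Because the trigger lives in the POST body rather than in anything IIS writes to its W3C logs, detection has to run on a capture source that records request bodies (a reverse proxy, WAF or packet capture in front of IIS). The following Python is an added example, not code from the Symantec article; it parses constructed raw HTTP requests and flags those matching the path and password trigger described above.

```python
"""Flag HTTP requests matching the Frebniis trigger (path + password).

Assumes a capture source that records POST bodies; the sample requests
below are constructed for this example and the password is the value
reported by Symantec.
"""
from urllib.parse import urlsplit, parse_qs

TRIGGER_PATHS = {"/logon.aspx", "/default.aspx"}
TRIGGER_PASSWORD = "7ux4398!"


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, lower-cased path and params."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query)
    params.update(parse_qs(body))  # form-encoded body (assumption for this example)
    return {"method": method, "path": parts.path.lower(), "params": params}


def is_frebniis_trigger(raw: str) -> bool:
    """True when the request is a POST to a trigger path with the trigger password."""
    req = parse_request(raw)
    if req["method"] != "POST" or req["path"] not in TRIGGER_PATHS:
        return False
    return TRIGGER_PASSWORD in req["params"].get("password", [])


def scan(requests: list[str]) -> list[int]:
    """Return the indices of requests that match the trigger."""
    return [i for i, r in enumerate(requests) if is_frebniis_trigger(r)]


# Constructed sample traffic: a benign login, a trigger hit, and a wrong path.
SAMPLE_REQUESTS = [
    "POST /logon.aspx HTTP/1.1\r\nHost: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "user=alice&password=hunter2",
    "POST /Default.aspx HTTP/1.1\r\nHost: www.example.test\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "password=7ux4398%21",
    "POST /admin.aspx HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
    "password=7ux4398%21",
]

if __name__ == "__main__":
    print("suspicious request indices:", scan(SAMPLE_REQUESTS))  # [1]
```

This is an indicator-specific check: a variant that changes the path or password would not match, so pair it with monitoring for unexpected code in the iisfreb.dll module.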

Inadmissible evidence

AI-generated images have come a long way with the recent hype. However, the models still seem to have problems generating human hands, see 1, 2. Turning this problem around, could wearing a fake finger like FINGERring make regular footage look like AI-generated footage?

Tools

PyRDP

PyRDP is an RDP monster-in-the-middle (MITM) tool and library for Python, with the ability to watch connections live or after the fact.

Spoofy

Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.

The tool was created by Matt Keeley of Bishop Fox and featured in their blog and webcast.

Ghostwriter

Ghostwriter is the SpecterOps project management and reporting engine.