Guardicore Labs

Guardicore Labs is a global research team, consisting of hackers, cybersecurity researchers and industry experts. We publish our cyber security research and provide analysis, insights and response methodologies to the latest cyber threats as well as lead and participate in academic research. We are also the core maintainers of the Infection Monkey, a popular open-source network resiliency test tool.

Highlights of BlueHat Israel 2019

BlueHat Israel covered many interesting talks, covering supply chain attacks, processor flaws and many more.

Labs

A vulnerability in Debian’s apt allows for easy lateral movement in data centers

by Daniel Goldberg

0 Comments

January 23, 2019

Guardicore Labs explains the recent vulnerability in the apt package management tool that allows attackers to exploit software installation process to attack Linux servers.

Labs

Bread and butter attacks

by Ofri Ziv

1 Comment

November 29, 2018

Guardicore Labs has uncovered an SSH brute force attack that has stayed under the radar for years. The attack deploys a RAT with DDoS capabilities and a cryptocurrency miner. In this post, we describe the attack, payload and different preventive steps.

Labs

What's New in Infection Monkey Release 1.6

by Ravit Greitser

0 Comments

November 21, 2018

We are proud to announce the release of a new version of the Infection Monkey, GuardiCore’s open-source Breach and Attack Simulation (BAS) tool. Release 1.6 introduces several new features and a few bug fixes.

TEST YOUR NETWORK WITH OUR OPEN SOURCE ATTACK SIMULATION TOOL

Assess the resiliency of your network to post-breach attacks and lateral movement

LEARN MORE

SSH A New Vulnerability Allows Authentication Bypass

Labs

With libSSH, Authentication is Optional

by Daniel Goldberg

1 Comment

October 18, 2018

A critical vulnerability (CVE-2018-10933) was disclosed in libSSH, a library implementing the SSH2 protocol for clients and servers. The vulnerability allows an attacker to completely bypass the authentication step and connect to the server without providing any credentials, the worst possible flaw for a library implementing SSH.

Labs

Operation Prowli: Monetizing 40,000 Victim Machines

by Ofri Ziv

3 Comments

June 6, 2018

Guardicore Labs has uncovered a previously unknown operation named Prowli, focused on cryptocurrency mining and traffic hijacking. This operation showcases how attackers abuses insecure websites and their visitors by redirecting them to malicious domains.

Labs

Azure passwords are still at risk; Infection Monkey can help

by Ravit Greitser

0 Comments

April 4, 2018

As this security flaw still exists and puts Azure environments at risk, we believe it’s important to continuously verify whether your environment is vulnerable. To do that we integrated Azure password harvesting capabilities into the Infection Monkey.

Labs

Recovering Plaintext Passwords from Azure Virtual Machines like It’s the 1990s

by Ofri Ziv

3 Comments

March 19, 2018

While researching the Azure Guest Agent, we’ve uncovered several security issues which have all been reported to Microsoft. This post will focus on a security design flaw in the VM Access plugin that may enable a cross platform attack impacting every machine type provided by Azure.

Labs

The Next Gen Infection Monkey is Here

by Ravit Greitser

4 Comments

March 13, 2018

We are pleased to announce a new version of our Infection Monkey open source attack simulation tool with several significant enhancements. We first introduced the Infection Monkey in 2016 and have continuously developed and supported it. Part of what we did came from feedback we received from our community so thanks everyone for contributing!

Labs

Something is brewing: A CPU bug risks virtual memory segmentation

by Ofri Ziv

0 Comments

January 3, 2018

At any given moment, attack and defense are in a cat and mouse game where each side gains a momentary advantage. What we’ve recently seen over the past few months is a situation where defense is playing catch-up with what appears to be a serious hardware bug.

Labs

Beware the Hex-Men

by Daniel Goldberg

6 Comments

December 19, 2017

In the last few months GuardiCore Labs has been investigating multiple attack campaigns conducted by an established Chinese crime group that operates worldwide. The campaigns are launched from a large coordinated infrastructure and are mostly targeting servers running database services. By now we were able to identify three attack variants - Hex, Hanako and Taylor - targeting different SQL Servers, each with its own goals, scale and target services. This report covers the attackers’ infrastructure, attack variants and how the victims are used for both profit and further propagation.

Labs

Highlights from Black Hat & DEFCON

by Daniel Goldberg

0 Comments

August 2, 2017

I spent the last week at the “Hacker Summer Camp” of Black Hat and DEFCON. Besides meeting people and enjoying the dual craziness of the DEFCON crowd and the Black Hat business hall, we also gave a well received lecture - Escalating Insider Threats using VMWare’s API. Ofri Ziv, Head of GuardiCore labs, presented a backdoor we discovered in VMware’s remote administration API, enabling vSphere users to quickly and easily take over guest machines without providing guest credentials

Labs

Escalating Insider Threats Using VMware's API

by Ofri Ziv

2 Comments

July 27, 2017

VMware vSphere is the most widely used virtualization platform for on-premises data centers. Similarly to other virtualization platforms, it basically relies on host servers running guest machines. These hosts and guest machines can be managed using administration interfaces such as vSphere API and VIX API. The GuardiCore Labs team has discovered a vulnerability in the vSphere infrastructure that can be exploited using VMware’s Virtual Infrastructure eXtension (VIX) API. This vulnerability allows an attacker to remotely execute code on guest machines, bypassing the need for guest authentication.

Labs

SambaCry, the Seven Year Old Samba Vulnerability, is the Next Big Threat (for now)

by Ravit Greitser

4 Comments

May 25, 2017

The Samba team released a patch on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well. This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file which will run with Samba permissions.

Labs

The Bondnet Army: Questions & Answers

by Daniel Goldberg

1 Comment

May 11, 2017

Last week we announced the discovery of Bondnet, a new botnet that was uncovered by GuardiCore Labs. The originator of Bondnet had installed a cryptocurrency miner and backdoor in thousands of servers of varying power and conscripted them into a botnet - a group of computing devices that can be centrally controlled for malicious purposes.

Labs

The Bondnet Army

by Daniel Goldberg

11 Comments

May 4, 2017

GuardiCore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes such as mounting DDoS attacks as shown by the Mirai Botnet. Among the botnet’s victims are high profile global companies, universities, city councils and other public institutions.

Labs

0.2 BTC Strikes Back, Now Attacking MySQL Databases

by Ofri Ziv

3 Comments

February 24, 2017

Last week we first tweeted that the GuardiCore Global Sensor Network (GGSN) has detected a wide ransomware attack targeting MySQL databases. The attacks look like an evolution of the MongoDB ransomware attacks first reported earlier this year by Victor Gevers. In this post we will describe in detail the attack flow and provide some recommendations on how to protect your databases from similar attacks along with attack IoCs.

Labs

The Oracle of Delphi Will Steal Your Credentials

by Daniel Goldberg

1 Comment

October 3, 2016

It was one of those warm summer nights, no clouds, just a bright full moon lighting the way. Someone had unknowingly stumbled upon our honeypot, completely unaware of the fact that her every move was recorded and fully analyzed. Thanks to our deception technology, we could easily reroute the attacker, making her believe she reached her real target.

Labs

Infection Monkey Is on the Loose!

by Daniel Goldberg

1 Comment

July 27, 2016

Today we are releasing the Infection Monkey, our inhouse tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Infection Monkey is a new open source security testing tool that we’ve developed at GuardiCore to test the resiliency of modern data centers to attack. Being good sports, we are sharing it with the security community. Just pick a random machine, release the Infection Monkey and see where it ends up. Use our Monkey to test whether your security systems can detect, stop and contain real threats. The monkey is benign and does not pose any risk to your network.

Labs

The PhotoMiner Campaign

by Daniel Goldberg

2 Comments

June 14, 2016

Over the past few months, we've been following a new type of worm we named PhotoMiner. PhotoMiner features a unique infection mechanism, reaching endpoints by infecting websites hosted on FTP servers while making money by mining Monero. The choice of a lesser known currency with a good exchange rate allows the attackers to rapidly gain money while the sophisticated use of safeguards makes it resilient to most disruption attempts, potentially leaving victims infected for years.