Guardicore Labs

Guardicore Labs is a global research team of hackers, cybersecurity researchers and industry experts. We publish our cybersecurity research and provide analysis, insights and response methodologies for the latest cyber threats, and we lead and participate in academic research. We are also the core maintainers of the Infection Monkey, a popular open-source network resiliency test tool.

Highlights from Black Hat & DEFCON

I spent the last week at the “Hacker Summer Camp” of Black Hat and DEFCON. Besides meeting people and enjoying the dual craziness of the DEFCON crowd and the Black Hat business hall, we also gave a well-received lecture – Escalating Insider Threats Using VMware’s API. Ofri Ziv, Head of Guardicore Labs, presented a backdoor we discovered in VMware’s remote administration API, enabling vSphere users to quickly and easily take over guest machines without providing guest credentials.

Escalating Insider Threats Using VMware’s API

VMware vSphere is the most widely used virtualization platform for on-premises data centers. Like other virtualization platforms, it relies on host servers running guest machines. These hosts and guest machines can be managed through administration interfaces such as the vSphere API and the VIX API. The Guardicore Labs team has discovered a vulnerability in the vSphere infrastructure that can be exploited through VMware’s Virtual Infrastructure eXtension (VIX) API. This vulnerability allows an attacker to remotely execute code on guest machines, bypassing the need for guest authentication.

SambaCry, the Seven Year Old Samba Vulnerability, is the Next Big Threat (for now)

The Samba team released a patch on May 24 for a critical remote code execution vulnerability in Samba, the most popular file sharing service for all Linux systems. Samba is commonly included as a basic system service on other Unix-based operating systems as well.
This vulnerability, indexed CVE-2017-7494, enables a malicious attacker with valid write access to a file share to upload and execute an arbitrary binary file, which will run with Samba’s permissions.

The Bondnet Army: Questions & Answers

Last week we announced the discovery of Bondnet, a new botnet that was uncovered by Guardicore Labs. The originator of Bondnet had installed a cryptocurrency miner and backdoor in thousands of servers of varying power and conscripted them into a botnet – a group of computing devices that can be centrally controlled for malicious purposes.

The Bondnet Army

Guardicore Labs has recently picked up Bondnet, a botnet of thousands of compromised servers of varying power. Managed and controlled remotely, the Bondnet is currently used to mine different cryptocurrencies and is ready to be weaponized immediately for other purposes, such as mounting DDoS attacks as the Mirai botnet demonstrated. Among the botnet’s victims are high-profile global companies, universities, city councils and other public institutions.

0.2 BTC Strikes Back, Now Attacking MySQL Databases

Last week we first tweeted that the Guardicore Global Sensor Network (GGSN) had detected a widespread ransomware attack targeting MySQL databases. The attacks look like an evolution of the MongoDB ransomware attacks first reported earlier this year by Victor Gevers. In this post we describe the attack flow in detail, provide recommendations on how to protect your databases from similar attacks, and list the attack IoCs.
