Yorick Koster

@yorickkoster

Offensive security research & tools

Netherlands
Joined June 2013

Tweets


  1. Retweeted

    Microsoft will no longer require users to enter a password to access their accounts. Instead, they'll have to use an app, a verification code or facial recognition. Check it out ⬇️

  2. Retweeted
    Sep 15

    Android banking trojan src and builder panel leak is a fact, we are already seeing an increase in new samples.

  3. Retweeted
    Sep 15

    The Community Kit has been growing and now has 60+ projects. The research behind these projects is fantastic. Thanks to everyone who has shared their work. Consider following me and for updates.

  4. Retweeted
    Sep 13

    As mentioned, the use of a .JS: (and other) URI can result in pretty trivial code execution of a local script: IE seems to prompt before using URIs. However, Word using the ITW exploit works fine. Perhaps this is why it's so complicated?

  5. Retweeted
    Sep 13

    As we promised on Friday, here is an update to our blog on , describing all the new features implemented, like 2FA grabber and automated session stealer.

  6. Retweeted
    Sep 10

    After testing another CVE-2021-40444 sample that works with html+cab payload on a remote web server, I can now confirm that "mhtml:" and "x-usc:" are not needed in the remote OLE URL for the exploit to work. But the double URL http:...!http:... seems required.

  7. Retweeted
    Sep 10

    CVE-2021-40444 PoCs are being shared on private forums. We will now share the PoC we received. However, additions have been made to what we are releasing. It contains 3 HTML script variants. https://vx-underground[.]org/tmp/CVE-2021-40444.rar

  8. Retweeted
    Sep 8

    Not sure if Microsoft fixed this (my VM is unpatched). But it works in explorer preview mode via RTF:

  9. Retweeted
    Sep 10
  10. Retweeted

    Several banking, wallets, and shopping apps are the target of a newly discovered trojan that could enable attackers to siphon sensitive data from infected devices, including credentials and open the door for on-device fraud.

  11. Retweeted
    Sep 10

    The new campaign comes with new features: - 2FA stealer - Country checks to defend CIS devices - Telegram API support to receive information - Emulator checks - Manufacturer specific modules - App download support Stay tuned, we will update our blog to tell you more!

  12. Retweeted
    Sep 10

    A new banking trojan S.O.V.A with great ambitions discovered: cookie stealing becoming a new trend. Check out our new blog :

  13. Retweeted
    Sep 10

    () 4.9 is out with new overlay targets for Android banking apps in USA 🇺🇸, UK 🇬🇧, Ireland 🇮🇪 + Crypto wallets!

  14. Retweeted
    Sep 9

    Bad news about CVE-2021-40444 detection: after some tests, I can confirm that the remote object URL can be a simple URL, no need for mhtml, x-usc or even the double URL. So no way to detect CVE-2021-40444 just by looking at the URL, you need to get the remote object to find out.

  15. Retweeted
    Sep 9
  16. Retweeted
    Sep 8

    Early August our MTI team discovered a new Android banking trojan with fowl intentions: cookie stealer, DDOS, Ransomware, overlays, keylogger, VNC, stay tuned for our new blog!

    C2 advertised panel SOVA TA
  17. Retweeted
    Sep 7

    Things discovered: 1) If you plug in enough USB VID/PID pairs, eventually you'll end up with a Windows system that no longer boots and is not repairable. 2) If you're patient/masochistic enough to single step the area around a sweet spot, you can pinpoint VID:0x0711 PID:0x5824

  18. Retweeted
    Sep 6

    A new era has arrived!

  19. Retweeted
    Sep 6

    With a majority stake of in we can make our customers more resilient through knowledge sharing and a strong service portfolio. Watch the video:

  20. Retweeted
    Sep 6

    We are proud to announce a strategic partnership with . From now on we will work together to offer our customers a safe digital environment on all fronts. Read more here: release

