nurettin 5 days ago

What did you see specifically? And on what OS?

41throw-it 4 days ago

Hi -- throwaway

I have seen this happen as well. A memory corruption vulnerability in popular software allows unprivileged shellcode to reach out and drop a rootkit, which loads a RAT as a kernel module. The attacker has control. Several big problems.

Cobalt Strike beacons are blocked. Instead, pierce NAT with STUN to an attacker proxy. Use socket-activated VNC/RDP/X.

Why not just steal the sessions and local data? Remote services log access (IP, time, location), which is easily correlated, and forensics would lead back. Local data is encrypted at rest; hands on keyboard are needed anyway since recon is incomplete. Are they planning to scan memory for ssh key unlocks or intercept the ssh -sk key? This is big, noisy and takes developer time. If you log in to an email, this leaves forensics and is a CFAA violation while risking FAANG security. The attacker needs to shoulder surf.

Most hacks install crypto mining or steal a password. Maybe it is ransom. How do you get a 2FA code if you want access to sensitive information? How do you steal hardware keys? You can backdoor the browser (MitB), but it gets updated away and you lose access. Backdoor anything and you lose access or get discovered.

This is not an advanced attack, but it is a targeted attack. People are saying the X server never gets hacked, but computers get hacked. With X11 the chain is Exploit -> Game over. With Wayland you need to go farther.

anthk 4 days ago

All of NIXen.

~/.profile

~/.env

~/.xprofile

Exploiting TMPDIR, /tmp race conditions, ~/.mailcap and mutt (I used that to get access to 'premium' binaries under restricted accounts).

If you have Emacs you can do tons of stuff from a single account.

And so on.
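The post above lists the per-user startup files (~/.profile, ~/.env, ~/.xprofile) that run code in the session on login; the defender's concern is whether anyone other than the account owner can write them, or whether they have been swapped for a symlink. The following audit script is an added example and is not code from the thread; it assumes a POSIX sh with `find`, `id` and `readlink`, and the list of file names checked is my own choice, not something the post specifies.

```shell
#!/bin/sh
# Added example: audit a user's shell/X startup files for the weaknesses the
# thread describes. A startup file that another account can write to, that is
# owned by someone else, or that has been replaced by a symlink lets code run in
# the user's session at next login. (File list is an assumption, not from the post.)

STARTUP_FILES='.profile .env .xprofile .bashrc .bash_profile .xsession .xinitrc .mailcap'

# check_file PATH
# Prints one verdict line and returns 0 if the file is absent or safe, 1 if risky.
check_file() {
    f=$1
    me=$(id -un)

    # A missing file is not a finding (nothing to hijack yet).
    if [ ! -e "$f" ] && [ ! -L "$f" ]; then
        echo "absent  $f"
        return 0
    fi

    # find without -H/-L inspects the link itself, so -type l catches a
    # startup file that now points somewhere else.
    if [ -n "$(find "$f" -prune -type l)" ]; then
        echo "RISK    $f is a symlink -> $(readlink "$f")"
        return 1
    fi

    status=0
    if [ -n "$(find "$f" -prune ! -user "$me")" ]; then
        echo "RISK    $f is not owned by $me"
        status=1
    fi
    # -perm -g+w / -perm -o+w: group- or world-writable bit set.
    if [ -n "$(find "$f" -prune \( -perm -g+w -o -perm -o+w \))" ]; then
        echo "RISK    $f is group- or world-writable"
        status=1
    fi

    [ "$status" -eq 0 ] && echo "ok      $f"
    return "$status"
}

# audit_home [DIR]
# Checks every name in STARTUP_FILES under DIR (default $HOME); returns 1 if any is risky.
audit_home() {
    home=${1:-$HOME}
    rc=0
    for name in $STARTUP_FILES; do
        check_file "$home/$name" || rc=1
    done
    return "$rc"
}

# Set AUDIT_RUN=1 to audit the current account when the script is executed directly.
case "${AUDIT_RUN:-}" in
    1) audit_home "${1:-$HOME}" ;;
esac
```

The ownership and write-bit tests are done with `find -prune` rather than `stat` so the script runs unchanged on GNU and BSD userlands; the script only reports, so it can be run from a login hook or a periodic job and its non-zero exit status fed to whatever alerting is already in place.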

nurettin 4 days ago

Not sure what mutt has to do with X. Maybe you replied to the wrong thread.

41throw-it 4 days ago

~/.xprofile

I agree in a small way with what you say, but if you can write .xprofile you can, with no work, escalate from the X socket.

kragen 5 days ago

Can't give details.