Ori David

@oridavid123

Followers
385
Following
1K
Media
13
Statuses
115

Security researcher @Akamai

Joined November 2012
@oridavid123
Ori David
2 years
Today I had the pleasure of presenting my research at #BHEU, and I am now very excited to share it with the rest of the world. TL;DR: unauthenticated attackers can spoof sensitive DNS records by abusing Microsoft DHCP. @akamai_research 1/7
@akamai_research
Akamai Security Intelligence Group
2 years
Turns out, sometimes it isn't DNS. It's DHCP 👀. See @oridavid123's research on how DHCP can be used to spoof DNS records, potentially leading to Active Directory compromise. Worst part? No credentials needed, just network access. Full write-up:
7
11
40
@oridavid123
Ori David
2 days
RT @akamai_research: This is a wild one 🏜️. The Coyote malware is now abusing UI Automation (UIA), marking the first known case of UIA ab….
0
7
0
@oridavid123
Ori David
27 days
11/ For more technical details on this CVE and additional VPN post-exploitation techniques, check out my Black Hat talk and blog post:
0
0
0
@oridavid123
Ori David
27 days
10/ I reported this issue to Fortinet last year, but they did not consider it a vulnerability and currently have no plans to address it. So what can you do?
- Assume your VPN may eventually be breached.
- Act accordingly by not storing *any* valuable credentials on it.
1
0
0
@oridavid123
Ori David
27 days
9/ This is likely part of what CISA is seeing in the wild: credential theft from compromised Fortinet gear, followed by lateral movement (likely into AD). This exact behavior was detailed by Mandiant in a report covering Ivanti VPN exploitation:
cloud.google.com
We have conducted multiple incident response engagements across a range of industry verticals and geographic regions.
1
0
0
@oridavid123
Ori David
27 days
8/ So even after the "fix", if an attacker compromises your Fortinet appliance, they can always:
✅ Disable the custom key.
✅ Dump the config.
✅ Decrypt all stored secrets.
✅ Move laterally to additional services.
1
0
0
@oridavid123
Ori David
27 days
7/ While this protects exported config files, there’s still a big flaw: if an attacker gains access to the device, they can disable the custom key setting. This *reverts everything back to using the hardcoded key*. And it doesn't require knowledge of the custom key.
1
0
0
@oridavid123
Ori David
27 days
6/ Now, Fortinet did try to fix this. They added an option to use a custom encryption key instead of the default one. Sounds good, right? Well, not really.
1
0
0
@oridavid123
Ori David
27 days
5/ In both cases, the attacker can decrypt the secrets and pivot to whatever services are stored in the config:
➡️ Active Directory
➡️ Cloud services
➡️ Kubernetes clusters
…and more. (A list of supported Fortinet integrations below.)
1
0
0
@oridavid123
Ori David
27 days
4/ Scenario 2:
🖥️ The attacker compromises the Fortinet device itself (via stolen credentials or an exploit) and extracts the config.
1
0
0
@oridavid123
Ori David
27 days
3/ The original vulnerability could be exploited in two scenarios.
Scenario 1:
📁 An attacker finds an exported config file left exposed somewhere (e.g. old backups, shared folders, etc.).
1
0
0
@oridavid123
Ori David
27 days
2/ The CVE TL;DR: Fortinet encrypts stored secrets (such as local users, AD users used for LDAP integration, etc.) in exported config files using a *hardcoded* encryption key, and a weak one at that. The real problem? The CVE was never properly fixed.
1
0
0
@oridavid123
Ori David
27 days
1/ 🚨 CISA just added CVE-2019-6693 to their Known Exploited Vulnerabilities (KEV) catalog. This is a serious flaw in Fortinet appliances *which was never fully fixed*. A quick breakdown 🧵
1
0
3
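The thread above (tweets 1/ to 10/) describes two exposure paths for an exported Fortinet config: the file itself leaks, or the appliance is compromised and the custom key is simply switched off. The script below is an added example, not part of the thread and not Fortinet's code: it inventories the encrypted secrets in a FortiOS-style config text so you can see which integrations (AD/LDAP bind accounts, local admins, IPsec PSKs) would be exposed in each scenario, which is the first step toward the advice in 10/ of not leaving valuable credentials on the device. It assumes the usual FortiOS layout (`config <path>` / `edit "<name>"` / `set <key> ENC <blob>` / `next` / `end`) and that the custom key is signalled by `set private-data-encryption enable` under `config system global`; both the layout and the setting name are assumptions here, as is the section-to-service mapping, and the sample config is constructed. Nothing is decrypted.

```python
"""Inventory ENC secrets in a FortiOS-style config export (added example)."""
import re
from dataclasses import dataclass


@dataclass
class Secret:
    section: str  # e.g. "user ldap"
    entry: str    # e.g. "corp-ldap"
    key: str      # e.g. "password"
    blob: str     # ciphertext as it appears in the file (left encrypted)


# Constructed sample export, illustrative only; layout is an assumption.
SAMPLE_CONFIG = """\
config system global
    set hostname "fw-edge-01"
    set private-data-encryption enable
end
config user ldap
    edit "corp-ldap"
        set server "10.0.0.5"
        set username "CN=svc-ldap,OU=Service,DC=corp,DC=local"
        set password ENC AbCdEf0123456789==
    next
end
config user local
    edit "admin2"
        set passwd ENC Zz99YyXx==
    next
end
config vpn ipsec phase1-interface
    edit "to-azure"
        set psksecret ENC Qq11Ww22==
    next
end
"""

SECTION_RE = re.compile(r'^\s*config\s+(.+?)\s*$')
EDIT_RE = re.compile(r'^\s*edit\s+"?([^"]*)"?\s*$')
ENC_RE = re.compile(r'^\s*set\s+(\S+)\s+ENC\s+(\S+)\s*$')
PDE_RE = re.compile(r'^\s*set\s+private-data-encryption\s+(enable|disable)\s*$')

# Assumed mapping from config section prefix to what the secret unlocks.
PIVOT_HINTS = {
    "user ldap": "Active Directory / LDAP bind account",
    "user radius": "RADIUS shared secret",
    "user local": "local appliance login",
    "vpn ipsec": "IPsec pre-shared key (remote peer)",
}


def parse_secrets(text):
    """Walk the config and return (list_of_Secret, custom_key_enabled)."""
    secrets, stack, entry, pde = [], [], None, False
    for line in text.splitlines():
        stripped = line.strip()
        if (m := SECTION_RE.match(line)):
            stack.append(m.group(1))
            continue
        if (m := EDIT_RE.match(line)):
            entry = m.group(1)
            continue
        if stripped == "next":
            entry = None
            continue
        if stripped == "end":
            if stack:
                stack.pop()
            continue
        if (m := PDE_RE.match(line)) and stack and stack[-1] == "system global":
            pde = m.group(1) == "enable"
            continue
        if (m := ENC_RE.match(line)):
            secrets.append(Secret(stack[-1] if stack else "", entry or "",
                                  m.group(1), m.group(2)))
    return secrets, pde


def exposure_report(secrets):
    """Group secrets by the service they would let an attacker pivot to."""
    report = {}
    for s in secrets:
        hint = next((v for k, v in PIVOT_HINTS.items()
                     if s.section.startswith(k)), "unclassified")
        report.setdefault(hint, []).append(f"{s.entry}.{s.key}")
    return report


def assess(text):
    """Summarise what the two scenarios from the thread would expose."""
    secrets, pde = parse_secrets(text)
    return {
        "secret_count": len(secrets),
        "custom_key_enabled": pde,
        # Custom key helps only if the *file* leaks (scenario 1); an attacker
        # on the device (scenario 2) can disable it and use the hardcoded key.
        "protected_if_file_leaks": pde,
        "protected_if_device_compromised": False,
        "exposure": exposure_report(secrets),
    }


if __name__ == "__main__":
    for k, v in assess(SAMPLE_CONFIG).items():
        print(f"{k}: {v}")
```

Run it against a real export (`execute backup config` output or a saved backup) by reading the file into `assess()`; every entry in `exposure` is a credential to rotate if the file was ever left on a share, and, per tweet 8/, a credential to treat as already lost if the appliance itself was compromised regardless of the custom-key setting.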
@oridavid123
Ori David
30 days
RT @akamai_research: If you can't beat them, ban them 😏. Malicious cryptominers can be tough to dismantle, but we found a way. 👀 By explo….
0
7
0
@oridavid123
Ori David
1 month
RT @OutflankNL: Here's our new blog on hiding your implant in VTL1, where even an EDR's kernel sensor can't see it 🧑‍🦯. Post includes full….
outflank.nl
Dig into secure enclave internals and learn about practical techniques used to exploit a read-write primitive in a vulnerable enclave DLL.
0
82
0
@oridavid123
Ori David
2 months
RT @YuG0rd: Many missed this on #BadSuccessor: it’s also a credential dumper. I wrote a simple PowerShell script that uses Rubeus to dump….
0
148
0
@oridavid123
Ori David
2 months
RT @YuG0rd: @aniqfakhrul You can actually target krbtgt and get its keys, no need for DCSync.
0
1
0
@oridavid123
Ori David
2 months
RT @0xTriboulet: Microsoft, and other software vendors, have demonstrated time and again that security will always come second. I agree tha….
0
6
0
@oridavid123
Ori David
2 months
RT @YuG0rd: We've heard feedback suggesting we should have waited to release details about BadSuccessor until Microsoft issued a patch. We….
0
13
0
@oridavid123
Ori David
2 months
RT @akamai_research: Today we unveil BadSuccessor - a new no-fix Active Directory privilege escalation technique. We will explore the rece….
0
179
0
@oridavid123
Ori David
2 months
Amazing research by Yuval! A privilege escalation technique in Active Directory that allows weak users to compromise ANY user in the domain. Microsoft considers this issue to be a moderate severity vulnerability, and doesn't currently plan to fix it. We'll let you be the judge 🤷‍♂️
@YuG0rd
Yuval Gordon
2 months
🚀 We just released my research on BadSuccessor, a new unpatched Active Directory privilege escalation vulnerability. It allows compromising any user in AD, it works with the default config, and Microsoft currently won't fix it 🤷‍♂️. Read here:
0
2
7