Research

Ax’s research centers around digital technology, networking, and cybersecurity.

Malware discovery and/or analysis:

1. Python cryptomining malware on PyPI registry aka “Warehouse”
2. Fake “Browserify” component with Linux, macOS zero-detection ELF malware
3. Malicious dependency confusion copycats exfiltrating /etc/shadow and .bash_history targeting Amazon, Lyft, Zillow, Slack, etc.
4. Discovered/analyzed “an0n-chat-lib“, “discord-fix”, “sonatype” typosquatting malware from CursedGrabber malware authors
5. Malicious RubyGems “ruby-bitcoin” and “pretty_color” laced with cryptocurrency (Bitcoin, Monero, ETH) stealing malware
6. njRAT/Bladabindi Windows malware discovery/analysis on npm registry in “jdb.js” and “db-json.js” packages.
7. CursedGrabber Windows malware analysis (“xpc.js”) with Sonatype Security Research team
8. “discord.dll“, “discord.app”, “ac-addon”, “wsbd.js” malware discovery and analysis
9. “twilio-npm” brandjacking malware
10. “electorn“, “loadyaml” typosquatting malware analysis
11. “fallguys” malware technical analysis

Vulnerability deep-dive analysis and blogging

1. GitHub-hosted malware calculates Cobalt Strike payload from an Imgur picture
2. Bouncy Castle authentication bypass due to incorrect password hash matching algorithm
3. NodeJS module downloaded 7M times lets hackers inject code
4. Linux malware authors use Ezuri Golang crypter for zero detection
5. PoC exploits for Apache Flink Path Traversal vulnerabilities
6. Why streaming a video could freeze Microsoft IIS servers?
   .
   .
7. Many many many more on BleepingComputer and Security Report.

Reported CVEs and Vulnerabilities:

NOTE: This may not be an exhaustive list because of “good faith” responsible disclosure agreements and ongoing vulnerability research pending disclosure.

• 2021: EXCLUSIVE: Indian Govt sites leaking thousands of COVID-19 test results online
• HM Government of Gibraltar SQL Injection and Authentication Bypass
• Hacker Noon Stored XSS via SVGs
• CVE-2018-10990:  Insufficient Session Expiration in Arris Touchstone Gateway Devices

• CVE-2018-10989: Cleartext Transmission of Sensitive Information in Arris Touchstone Gateway Devices
• Georgia Tech’s Backdoor
• StartupTree: Open Redirects
• P.F. Chang’s: Member Information Leak (RT’d by Brian Krebs and computer security experts)
• Buca di Beppo: XSS
• PlanetFitness: Premium Access Bypass
• Ellucian Software (pending disclosure)

Published Papers and miscellaneous works:

• • Analyzing 150+ Million Network Flows in Real-Time with nProbe and Elastic Sketch
  • A Non-Oppressive, Community-Driven Electronic Identification Platform (Fall 2013 – Present)
    • Implementation (Proof of Concept): https://electronicid.org/

• • Park, J.R, Sharma, A, El Mimouni, H. (2016). Developing an Automatic Metadata Harvesting and Generation System for a Continuing Education Repository: A Pilot Study. Juried poster at iConference 2016 in Philadelphia, March 20, 2016.
    • Implementation: http://metadatace.cci.drexel.edu/omeka/
    • PDF (Research Paper): metadata_paper.pdf

• • From Computational Thinking to Computational Making: a Demo (Co-author)- Best Companion Paper, Ubicomp 2015
  • Contribution/Discussion: “Does Technology Have a Race?” http://houdaelmimouni.com/publications/hankerson_alt.chi_2016.pdf

• • Patent: Method for Establishing Unique Online User Identification System with Facial Recognition, USPTO 61/616605 (Pending), 2011-12
  • Patent: System and Method for Authenticating Paper Documents over a network, UKIPO GB1215191.6, 2012