HackDig : Dig high-quality web security articles

Encryption Does Not Equal Invisibility – Detecting Anomalous TLS Certificates with the Half-Space-Trees Algorithm

Author: Margit Hazenbroek tl;dr An approach to detecting suspicious TLS certificates using an incremental anomaly detection model is discussed. The model uses the Half-Space-Trees algorithm and gives our security operations center (SOC) teams the opportunity to detect suspicious behavior in real time, even when network traffic is encrypted.
Publish At:2021-12-07 12:47 | Read:3202 | Comments:0 | Tags:Blog Uncategorized
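As an added illustration of the approach the teaser describes (this is not the Fox-IT/NCC Group model or its code), the block below is a small streaming Half-Space-Trees scorer in Python. It keeps the ingredients that matter for real-time detection on encrypted traffic: each tree makes random half-space splits over a fixed working range, a reference window (r) is used for scoring while a latest window (l) is filled, and scoring never needs the decrypted payload, only certificate metadata. Everything else is an assumption: the feature names and scales, the constructed "normal" certificate stream, the ten-year outlier, and the simplification that a point is scored by the reference mass of its leaf only (the paper also stops early at a size limit).

```python
"""Streaming Half-Space-Trees style anomaly scoring over TLS certificate features.

Added illustration, not the model from the Fox-IT/NCC Group post. Feature names,
scales and the sample stream are assumptions; scoring uses leaf reference mass
only and omits the paper's size-limit early stop.
"""
import random

FEATURES = ("validity_days", "san_count", "subject_len")
# Hypothetical scales chosen so that ordinary certificates land in [0, 1].
SCALE = {"validity_days": 400.0, "san_count": 10.0, "subject_len": 100.0}


def normalise(cert):
    """Map a dict of raw certificate features to a normalised vector."""
    return [cert[f] / SCALE[f] for f in FEATURES]


class _Node:
    __slots__ = ("dim", "split", "left", "right", "r", "l")

    def __init__(self):
        self.dim = self.split = self.left = self.right = None
        self.r = 0  # mass seen in the reference window (used for scoring)
        self.l = 0  # mass seen in the latest window (being accumulated)


def _build(rng, mins, maxs, depth):
    """Recursively split a random dimension at the midpoint of its range."""
    node = _Node()
    if depth == 0:
        return node
    d = rng.randrange(len(mins))
    node.dim, node.split = d, (mins[d] + maxs[d]) / 2.0
    lo_max, hi_min = list(maxs), list(mins)
    lo_max[d] = hi_min[d] = node.split
    node.left = _build(rng, mins, lo_max, depth - 1)
    node.right = _build(rng, hi_min, maxs, depth - 1)
    return node


def _path(root, x):
    """Yield the nodes visited by x from the root down to its leaf."""
    node = root
    while node.dim is not None:
        yield node
        node = node.left if x[node.dim] < node.split else node.right
    yield node


def _roll(node):
    """End of window: the latest mass becomes the reference mass."""
    if node is None:
        return
    node.r, node.l = node.l, 0
    _roll(node.left)
    _roll(node.right)


class HalfSpaceTrees:
    def __init__(self, n_dims, n_trees=25, depth=8, window=100, seed=1):
        rng = random.Random(seed)
        self.window, self.seen, self.trees = window, 0, []
        for _ in range(n_trees):
            # Working range per dimension as in HS-Trees: pick s in [0, 1] and
            # extend 2*max(s, 1-s) to each side, so it always covers [0, 1].
            mins, maxs = [], []
            for _ in range(n_dims):
                s = rng.random()
                w = 2.0 * max(s, 1.0 - s)
                mins.append(s - w)
                maxs.append(s + w)
            self.trees.append(_build(rng, mins, maxs, depth))

    def learn_one(self, x):
        """Count x along its path in every tree; roll windows every `window` items."""
        for root in self.trees:
            for node in _path(root, x):
                node.l += 1
        self.seen += 1
        if self.seen % self.window == 0:
            for root in self.trees:
                _roll(root)

    def score_one(self, x):
        """Fraction of reference-window mass in x's leaves, averaged over trees.
        Low values mean x fell where little recent traffic did: anomalous."""
        mass = sum(list(_path(root, x))[-1].r for root in self.trees)
        return mass / (len(self.trees) * self.window)


def demo():
    """Train on a constructed stream of ordinary certificates, then score one
    typical certificate and one constructed outlier (lower score = stranger)."""
    rng = random.Random(7)
    model = HalfSpaceTrees(n_dims=len(FEATURES))
    normal = [{"validity_days": rng.randint(300, 400),
               "san_count": rng.randint(1, 5),
               "subject_len": rng.randint(20, 80)} for _ in range(200)]
    for cert in normal:
        model.learn_one(normalise(cert))
    odd = {"validity_days": 3650, "san_count": 50, "subject_len": 400}
    return model.score_one(normalise(normal[-1])), model.score_one(normalise(odd))


if __name__ == "__main__":
    usual, strange = demo()
    print(f"typical certificate mass fraction: {usual:.3f}")
    print(f"ten-year outlier mass fraction:    {strange:.3f}")
```

The outlier lands far outside the working range in every dimension, so after a few splits no window mass is left in its leaf and its score drops to zero, while a certificate from the recent window keeps a positive score; in a SOC pipeline the threshold between the two is what you tune against your own traffic.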

SnapMC skips ransomware, steals data

Over the past few months NCC Group has observed an increasing number of data breach extortion cases, where the attacker steals data and threatens to publish said data online if the victim decides not to pay. Given the current threat landscape, most notable is the absence of ransomware or any technical attempt at disrupting the victim’s operations. Within
Publish At:2021-10-11 18:08 | Read:1872 | Comments:0 | Tags:Blog Threat Intelligence extortion hacking mc.exe minio snap

Chrome casts away the padlock—is it good riddance or farewell?

It’s been an interesting journey for security messaging where browsers are concerned. Back in the day, many of the websites you’d visit on a daily basis weren’t secure. By secure, I mean that they didn’t use HTTPS. There was no padlock, which meant that the traffic between you and the website wasn’t encrypted, and so it was vulnerable to being sn
Publish At:2021-08-04 10:57 | Read:2314 | Comments:0 | Tags:Privacy blog blogspot browser chrome encrypted Google http H

Abusing cloud services to fly under the radar

tl;dr NCC Group and Fox-IT have been tracking a threat group with a wide set of interests, from intellectual property (IP) of victims in the semiconductor industry through to passenger data from the airline industry. In their intrusions they regularly abuse cloud services from Google and Microsoft to achieve their goals. NCC Group and Fox-IT observe
Publish At:2021-01-12 12:08 | Read:2375 | Comments:0 | Tags:Blog Cobalt Strike Threat Intelligence Cloud

StreamDivert: Relaying (specific) network connections

Author: Jelle Vergeer The first part of this blog will be the story of how this tool found its way into existence, the problems we faced and the thought process followed. The second part will be a more technical deep dive into the tool itself, how to use it, and how it works. Storytime About 1½ years ago I did an awesome Red Team-like project.
Publish At:2020-09-10 15:25 | Read:2488 | Comments:0 | Tags:audits Blog pentest Uncategorized

New Deepfakes using GAN stirs up questions about digital fakery

Subversive deepfake campaigns that enter the party unannounced, do their thing, then slink off into the night without anybody noticing are where it’s at. Easily debunked clips of Donald Trump yelling THE NUKES ARE UP or something similarly ludicrous are not a major concern. We’ve already dug into why that’s the case. What we’ve also explored are the peopl
Publish At:2020-07-23 11:20 | Read:2849 | Comments:0 | Tags:Social engineering AI article blog deepfake deepfakes deepfa

Website misconfigurations and other errors to avoid

Website owners, listen up: There are lots of things you shouldn’t do with your site, and many more you should avoid with the domains you’re responsible for. Insider malice, bad luck, and the stars aligning in impossible ways can all give your online portfolio a bad hair day. However, if you want to tempt fate, you can bring on the mayhem with website misconf
Publish At:2020-07-15 11:33 | Read:2338 | Comments:0 | Tags:How-tos bank banking blog CMS dns hijack redirect website

WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group

Authors: Nikolaos Pantazopoulos, Stefano Antenucci (@Antelox) and Michael Sandee 1. Introduction WastedLocker is a new ransomware locker we’ve detected being used since May 2020. We believe it has been in development for a number of months prior to this and was started in conjunction with a number of other changes we have seen originate from the
Publish At:2020-06-23 09:25 | Read:2995 | Comments:0 | Tags:Blog Cobalt Strike Threat Intelligence evilcorp ransomware w

LDAPFragger: Command and Control over LDAP attributes

Introduction A while back, during a penetration test of an internal network, we encountered physically segmented networks. These networks contained workstations joined to the same Active Directory domain; however, only one network segment could connect to the internet. To control workstations in both segments remotely with Cobalt Strike, we built a tool
Publish At:2020-03-19 06:53 | Read:3270 | Comments:0 | Tags:audits Blog Cobalt Strike pentest Uncategorized

Phishing – Ask and ye shall receive

During penetration tests, our primary goal is to identify the different paths that can be used to reach the goal(s) agreed upon with our customers. This often succeeds due to insufficient hardening, lack of awareness or poor password hygiene. Sometimes we do get access to a resource, but do not have access to the username or password of the user that
Publish At:2019-09-19 23:30 | Read:3427 | Comments:0 | Tags:audits Blog pentest Uncategorized

Your trust, our signature

Written and researched by Mark Bregman and Rindert Kramer Sending signed phishing emails Every organisation, whatever its size, will encounter phishing emails sooner or later. While the number of phishing attacks is increasing every day, the way in which phishing is used within a cyber-attack has not changed: an attacker comes up with a scenario which looks
Publish At:2019-09-19 23:30 | Read:3753 | Comments:0 | Tags:audits Blog pentest Uncategorized email hacking phishing

Getting in the Zone: dumping Active Directory DNS using adidnsdump

Zone transfers are a classical way of performing reconnaissance in networks (or even from the internet). They require an insecurely configured DNS server that allows anonymous users to transfer all records and gather information about hosts in the network. What not many people know, however, is that if Active Directory integrated DNS is used, any user can query
Publish At:2019-09-19 23:30 | Read:3610 | Comments:0 | Tags:Blog
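An added example, not adidnsdump's own code, of the two pieces behind the technique the teaser names: the LDAP search that an ordinary authenticated domain account can issue for the dnsNode objects of a zone, and the decoding of the binary dnsRecord attribute those objects carry. The search base assumes the zone sits in the DomainDnsZones partition (the default); the record layout follows the MS-DNSP DNS_RPC_RECORD structure (DataLength, Type, Version, Rank, Flags, Serial, a big-endian TtlSeconds, Reserved, TimeStamp, then type-specific data). The blobs are constructed inline for the demo, not captured from a real domain, and no LDAP connection is made here.

```python
"""Decode Active Directory-integrated DNS records read over LDAP.

Added example, not adidnsdump's code. Search base assumes the DomainDnsZones
partition; record layout follows MS-DNSP DNS_RPC_RECORD. Sample blobs are
constructed below, not captured from a domain.
"""
import struct
from ipaddress import IPv4Address, IPv6Address

HEADER = struct.Struct("<HHBBHL")   # DataLength, Type, Version, Rank, Flags, Serial
TTL = struct.Struct(">L")           # TtlSeconds is stored big-endian
TAIL = struct.Struct("<LL")         # Reserved, TimeStamp (0 for static records)
HEADER_LEN = HEADER.size + TTL.size + TAIL.size  # 24 bytes

TYPE_A, TYPE_NS, TYPE_CNAME, TYPE_AAAA = 1, 2, 5, 28


def zone_search(domain_dn, zone):
    """Search base, filter and attributes for every dnsNode in one zone.
    Any authenticated user can read these objects; only the LDAP bind is needed."""
    base = f"DC={zone},CN=MicrosoftDNS,DC=DomainDnsZones,{domain_dn}"
    return base, "(objectClass=dnsNode)", ["name", "dnsRecord", "dNSTombstoned"]


def _count_name(data):
    """Decode DNS_COUNT_NAME: total length, label count, length-prefixed labels."""
    labels = data[1]
    pos, parts = 2, []
    for _ in range(labels):
        n = data[pos]
        parts.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(parts)


def parse_dns_record(blob):
    """Turn one dnsRecord value into a dict; raise on truncated input."""
    if len(blob) < HEADER_LEN:
        raise ValueError("dnsRecord shorter than its 24-byte header")
    data_len, rtype, version, rank, flags, serial = HEADER.unpack_from(blob, 0)
    (ttl,) = TTL.unpack_from(blob, HEADER.size)
    reserved, timestamp = TAIL.unpack_from(blob, HEADER.size + TTL.size)
    data = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord truncated: DataLength exceeds blob")
    rec = {"type": rtype, "ttl": ttl, "serial": serial, "rank": rank,
           "static": timestamp == 0}
    if rtype == TYPE_A:
        rec["value"] = str(IPv4Address(data))
    elif rtype == TYPE_AAAA:
        rec["value"] = str(IPv6Address(data))
    elif rtype in (TYPE_NS, TYPE_CNAME):
        rec["value"] = _count_name(data)
    else:
        rec["value"] = data.hex()   # other types: leave raw for the reader
    return rec


def build_record(rtype, data, ttl=600, serial=1, timestamp=0, rank=0xF0):
    """Assemble a dnsRecord blob; used here only to construct sample input."""
    return (HEADER.pack(len(data), rtype, 5, rank, 0, serial)
            + TTL.pack(ttl) + TAIL.pack(0, timestamp) + data)


# Constructed sample: what three dnsNode objects of a zone might carry.
SAMPLE_RECORDS = {
    "dc01": build_record(TYPE_A, IPv4Address("10.0.0.5").packed),
    "@": build_record(TYPE_NS, b"\x14\x03\x04dc01\x07contoso\x05local\x00"),
    "www": build_record(TYPE_AAAA, IPv6Address("fd00::10").packed, timestamp=3680000),
}


def dump(records):
    """Decode a mapping of dnsNode name -> dnsRecord blob into readable rows."""
    rows = []
    for name, blob in records.items():
        rec = parse_dns_record(blob)
        rows.append((name, rec["type"], rec["value"], rec["ttl"], rec["static"]))
    return rows


if __name__ == "__main__":
    base, flt, attrs = zone_search("DC=contoso,DC=local", "contoso.local")
    print(f"ldapsearch base: {base}  filter: {flt}  attrs: {','.join(attrs)}")
    for name, rtype, value, ttl, static in dump(SAMPLE_RECORDS):
        print(f"{name:8} type={rtype:<3} ttl={ttl:<6} static={static} {value}")
```

In practice the search is sent with whatever LDAP client you already use for the domain (adidnsdump wraps this for you); the point the teaser makes is that no zone-transfer misconfiguration is required, because the records are ordinary directory objects readable by authenticated users. The `static` flag comes from the zero timestamp that static entries carry, which is a useful hint when separating hand-configured infrastructure from dynamically registered workstations.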

Export corrupts Windows Event Log files

Exported .evtx files may contain corrupted data – Check interpretation of forensic tools. Author: Jeffrey Wassenaar Introduction As forensic investigators, we truly love log files. During the investigation of a system with a Microsoft Windows operating system, Windows Event Log files (.evtx) can be very useful. System events (such as logons) are logged
Publish At:2019-09-19 23:30 | Read:3520 | Comments:0 | Tags:Blog

Syncing yourself to Global Administrator in Azure Active Directory

This blog describes a vulnerability discovered by Fox-IT last year in Azure AD Connect, which would allow anyone with account creation privileges in the on-premises Active Directory to modify the password of any cloud-only account in Azure AD. Because of the way accounts are commonly configured, this could often enable an attacker to take over the h
Publish At:2019-09-19 23:30 | Read:3734 | Comments:0 | Tags:Blog pentest

Using Anomaly Detection to find malicious domains

Applying unsupervised machine learning to find ‘randomly generated’ domains. Authors: Ruud van Luijk and Anne Postma At Fox-IT we perform a variety of research and investigation projects to detect malicious activity to improve the service of our Security Operations Center. One of these areas is applying data science techniques to real world data in real worl
Publish At:2019-09-19 23:30 | Read:3203 | Comments:0 | Tags:Blog
