New research from Google Threat Intelligence Group (GTIG) details how PRC-nexus 🇨🇳 APT41 is leveraging innovative tactics, including the use of Google Calendar for command and control (C2). In late October 2024, we discovered APT41 exploiting a government website to deliver a novel malware family, TOUGHPROGRESS. TOUGHPROGRESS utilizes Google Calendar to exfiltrate data and receive commands, an evolution in APT41's misuse of cloud services to blend in with legitimate traffic. The malware uses several obfuscation techniques, including memory-only payloads and intricate control flow obfuscation. GTIG has taken action to disrupt this campaign by terminating attacker-controlled infrastructure, updating Safe Browsing, and providing detection signatures. Our report also discusses APT41's broader use of free web hosting tools for malware distribution. Full report available here: https://lnkd.in/gPv7bPQj
Ethical Hacking Techniques
Explore top LinkedIn content from expert professionals.
-
#ASD and international partners have released an advisory on the tradecraft of a #PRC-backed threat actor named #APT40, and it's well worth a read, whether you are in Government or the private sector. APT40 is code for a group backed by the PRC's Ministry of State Security (#MSS). The MSS is engaged in intelligence gathering and foreign interference activities, including cyber warfare. APT40, based in Haikou, Hainan Province, has been targeting Government and private sector entities around the world since 2017. Their objectives appear to be maintaining persistence in order to exfiltrate data.

How does APT40 go about their activities?
🔴 Exploit small office / home office (SOHO) routers as proxies to hide their origins among normal traffic
🔴 Target vulnerable systems on the edge of networks, such as MS Exchange, Atlassian Confluence, and Log4j (commonly found in Java applications)
🔴 Deploy web shells - uploaded code snippets that allow commands to be executed on the remote host, e.g. a malicious .aspx file dropped in a public directory on an OWA server
🔴 Conduct internal recon to enumerate victim hosts and accounts
🔴 Move laterally, stealing credentials, then exfiltrate data via existing Command and Control (C2) channels

None of the TTPs described in the report are "top shelf" exploitation. This is clever use of well-known exploits against well-known vulnerabilities. Why expose clever TTPs if you don't need to?

The advisory contains a few indicators, detection rules, and recommended mitigations. Here is a summary of mitigations:
🔵 Look for process executions in unusual directories or world-writable locations, e.g. why is there a process running from C:\Windows\Temp? (Allow listing would probably prevent this.)
🔵 Implement logging in a centralized location with a suitable retention period
🔵 Patch! The common factor in the listed vulnerabilities (CVE-2021-44228, CVE-2021-31207, CVE-2021-26084, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) is that they were all discovered (and presumably patched) in 2021!
🔵 Segment your network - impose costs by forcing the adversary to conduct recon and lateral movement on hard mode. Use jump servers to access sensitive hosts such as auth.
🔵 Other strategies covered in the Essential 8, e.g. MFA, restricting admin privs and office macros

I for one am glad to see a return to Mandiant-style "APT" codenames rather than the new-fangled monikers like "Electric Tempest". But I would like to see structured threat intelligence released with these reports, e.g. STIX JSON format, and hopefully someday soon, structured hunting and response playbooks in CACAO JSON! But I will have more to say about CACAO another day...
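One way to act on the first mitigation above (process executions from unusual or world-writable locations, plus the web-shell pattern of an IIS worker spawning a shell), as an added example that is not part of the post or the ASD advisory: a Python hunt over constructed, Sysmon-style process-creation records. The directory list, the allow-list entry and the sample events are assumptions chosen to illustrate the check.

```python
import re
from pathlib import PureWindowsPath

# Directories a standard user can write to; an executable living here is
# suspicious unless an allow list says otherwise (locations are assumptions).
WORLD_WRITABLE = (r"C:\Windows\Temp", r"C:\Windows\Tasks",
                  r"C:\Users\Public", r"C:\ProgramData")
# Per-user profile paths such as C:\Users\<name>\AppData\Local\Temp
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# Images you have vetted (constructed placeholder entry, lower-cased)
ALLOWED_IMAGES = {r"c:\programdata\vendoragent\agent.exe"}


def is_user_writable(image: str) -> bool:
    """True if the executable lives in a directory non-admins can write to."""
    norm = str(PureWindowsPath(image))
    if any(norm.lower().startswith(d.lower() + "\\") for d in WORLD_WRITABLE):
        return True
    return bool(USER_WRITABLE_RE.match(norm))


def flag_process_events(events):
    """Return (record_id, image, reason) for each suspicious process creation."""
    hits = []
    for ev in events:
        image = ev["Image"]
        if image.lower() in ALLOWED_IMAGES:
            continue
        if is_user_writable(image):
            hits.append((ev["RecordId"], image, "image in user-writable directory"))
        elif ev.get("ParentImage", "").lower().endswith("\\w3wp.exe"):
            # An IIS worker spawning a shell is how a web shell dropped on an
            # OWA/Exchange server typically shows up in process telemetry.
            hits.append((ev["RecordId"], image, "spawned by IIS worker process"))
    return hits


# Constructed sample events in the shape of Sysmon Event ID 1 fields.
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"RecordId": 2, "Image": r"C:\Windows\Temp\update.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 3, "Image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"RecordId": 4, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe"},
    {"RecordId": 5, "Image": r"C:\ProgramData\VendorAgent\agent.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

if __name__ == "__main__":
    for rec, image, why in flag_process_events(SAMPLE_EVENTS):
        print(f"record {rec}: {image} ({why})")
```

Records 2, 3 and 4 are flagged; record 5 is skipped only because it is on the allow list, which is the point of allow listing in the post.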
-
🚨 Bybit Hack Update

The TRM Labs team, along with our partners across the ecosystem, continues to follow the stolen funds from North Korea's $1.5 billion hack of Bybit. As of February 26, we’ve tracked over $400 million in stolen funds being laundered across multiple blockchains. As you can see from our investigator's graph on screen, the attackers are hopping through wallets, swapping tokens, and using decentralized exchanges and cross-chain bridges in an attempt to obfuscate their activities.

While the North Korean hackers experimented with different assets early on, nearly all of the stolen ETH is now being converted into Bitcoin. Some funds briefly moved through Binance Smart Chain and Solana, but right now, most of that Bitcoin is just sitting there, barely moved.

So, what’s next? Traditionally, we'd expect North Korea to funnel the stolen funds into a mixer. But no mixer can reasonably obscure the volumes associated with this hack, especially given the speed at which the funds are moving now. Instead, we could be seeing an intensified version of North Korea’s "flood the zone" tactic, overwhelming compliance teams, blockchain analysts, and law enforcement agencies with rapid, high-frequency transactions across multiple platforms, thereby complicating tracking efforts.

But a critical countermeasure is Bybit’s innovative bounty program that will pay out 10% on any frozen transaction. That means we’re likely to see a surge of both amateur and professional blockchain investigators joining the hunt, which will put even more pressure on the attackers. The next few weeks will be pivotal in determining whether investigators can stay ahead of the attackers or if the launderers can successfully cash out.

Read more here: https://lnkd.in/g4VfcsBE
-
Penetration Testing Tip of the Week!

Don't use alert boxes to prove your Cross-Site Scripting vulnerability finding. You are a manual, experienced tester - prove your value and justify the finding!

Continuing on my theme of distinguishing your manual testing effort from automated tools, use that effort to provide value where a tool can't, such as demonstrating unique exploits for common vulnerabilities, like Cross-Site Scripting (XSS). Use some scripting knowledge and combine the XSS vulnerability with a CSRF to:
🔸 Change the user's password to a known value
🔸 Add a new user to the application
🔸 Do *anything* that requires admin rights

Alternatively, set up a remote server (Burp's Collaborator is a great tool for this) and exfiltrate:
🔸 Session cookies
🔸 User lists
🔸 User profiles
🔸 Passwords (if available)
🔸 Internal data

Be responsible, of course - don't exfiltrate more data than you need and don't steal actual production data, if you don't have to. But, don't just pop an alert box and assume that your client will take the finding seriously.

#security #cybersecurity #penetrationtesting #pentesting #reporting #providevalue
-
Pentest Exercises #2 - Finding XSS with Recon

Ways to identify XSS?
- Automating your scans is very useful, finding entry points, endpoints and other information to get a range of possibilities and chances of getting an XSS.
- However, always carry out a manual analysis, identify all inputs and request methods.
- Analyze how the server behaves with different types of requests.
- If you encounter an HTML injection, you may have a better chance of encountering an XSS.
- Look for any type of input pattern, whether via GET or POST method, dynamic and static forms and their input fields, as well as hidden fields that can only be disabled in the front-end of the application.
- Check the headers, especially the Referer, Cookie and User-Agent.
- Don't settle for a simple text alert, try to get at least a session cookie or extract the JWT stored in localStorage.
- Look for insecure methods like innerHTML, eval and data inserted directly into JavaScript.
- Analyze security filters and test bypass methods (that's for another post).
- See if there is data persisted while manipulating the page.
- And never stop browsing the site, don't just depend on the results of automated tools, as I've already found XSS in parameters that the tools don't return. A payload inserted directly into the URL can end up generating surprises.

Shall we see some tool examples?

Use the GoSpider tool to perform crawling and obtain URLs, endpoints and paths that help identify possible XSS: https://lnkd.in/d3Cb_J7w

The Katana tool is also useful for crawling the application so you can carry out XSS attacks: https://lnkd.in/dnvq7ECZ

Another way is to use XSS Hunters, mainly for Blind XSS that require payloads that deviate from traditional alerts, for example: https://xsshunter.com/#/

Using the KXSS tool to validate input fields, especially in reflected XSS, to try injections:
echo "https://lnkd.in/d_9YED9z" | kxss
echo https://lnkd.in/dFjMZ2uC | waybackurls | kxss

The airixss tool is an interesting option for you to use during a recon, it helps you identify reflected points of attacks: https://lnkd.in/dPTvyqKU
cat targets | airixss -payload '"><svg onload=confirm(1)>'

One way to do it automated is using the XssorRecon tool, this is the free version, there is a paid version which is really cool: https://lnkd.in/dNQvHZCK

XSStrike is a Cross Site Scripting detection suite equipped with four hand-written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler: https://lnkd.in/dJkuhQ4X

These are the tips and tools. Do you have any more?

Image by Kali Linux Tutorials
Other PenTest Exercises: https://lnkd.in/dwgB3RMM
#pentest #redteam #xss #webpentest
-
The digital battlefield is now the frontline for kinetic conflict. As geopolitical tensions escalate in the Middle East, our latest Palo Alto Networks Unit 42 Threat Brief highlights a significant surge in Iranian state-aligned cyber activity that every global leader should have on their radar. Cyber operations are Iran’s primary asymmetric weapon.

Based on our latest intelligence, here are the three most critical takeaways for your defense and operational resilience strategy:
1️⃣ Weaponized Identity is the Primary Entry Point: Iranian actors continue to move away from complex malware and toward logging in. By using social engineering and exploiting federated identity systems, they are bypassing traditional perimeters to move laterally across your network undetected.
2️⃣ Retaliatory Wipers: We are seeing a shift from stealthy espionage to aggressive, disruptive tactics. This includes the use of wiper malware designed to permanently destroy data and paralyze critical infrastructure, often masquerading as hacktivist activity to provide plausible deniability.
3️⃣ AI-Accelerated Reconnaissance: Threat actors are now using Generative AI to map regional infrastructure and identify vulnerabilities in minutes, not days. This compressed attack lifecycle means your detection and response must now operate at machine speed.

To outpace these threats, leadership must prioritize three proactive shifts:
1️⃣ Move to Phishing-Resistant MFA: Standard MFA is no longer enough to stop sophisticated identity-based attacks. Prioritize hardware-based authenticators for high-value roles to neutralize the log-in threat.
2️⃣ Implement Just-in-Time Admin Rights: Eliminate standing administrative privileges. By moving to a model where access is granted only when needed and for a limited time, you drastically reduce the blast radius of a compromised account.
3️⃣ Automate External Patching: With AI-accelerated recon, the window to exploit a new vulnerability has shrunk to hours. Organizations must mandate automated patching for all internet-facing assets to close the gap before the adversary can find it.

At Palo Alto Networks, we are committed to protecting our clients worldwide by turning this intelligence into action. Link to the full Unit 42 analysis in comments below.
-
Immutable Malware: Blockchain-Based Attacks Introduce a New Cybersecurity Paradigm

A new form of malware is redefining cyber threats by leveraging blockchain technology to create attacks that are nearly impossible to eliminate. This evolution signals a shift from traditional malware toward persistent, decentralized threat architectures.

The attack begins deceptively, often through fake job offers targeting developers, where victims are encouraged to run seemingly harmless code. Once executed, the code initiates a complex attack chain that interacts with multiple blockchain networks, including TRON, Aptos, and Binance Smart Chain. Instead of hosting malicious payloads on centralized servers, the malware uses blockchain transactions as a permanent, publicly accessible storage layer, embedding instructions and pointers that guide the attack. Because blockchain data cannot be easily altered or removed, the malicious infrastructure becomes effectively permanent.

This design introduces a significant challenge for cybersecurity defense. Traditional mitigation strategies rely on identifying and shutting down command-and-control servers, but in this case, the infrastructure is decentralized and immutable. Early reports indicate that hundreds of thousands of credentials across numerous organizations may already be compromised, with experts warning that the scale and persistence of this campaign could rival or exceed past global cyberattacks.

This development matters because it represents a fundamental shift in how cyber threats are constructed and sustained. By exploiting the permanence and resilience of blockchain systems, attackers are creating a new class of malware that is resistant to conventional countermeasures. For organizations, this underscores the urgent need to rethink security architectures, emphasizing prevention, behavioral detection, and zero-trust principles in a landscape where threats can no longer be easily dismantled once deployed.

I share daily insights with tens of thousands of followers across defense, tech, and policy. If this topic resonates, I invite you to connect and continue the conversation. Keith King https://lnkd.in/gHPvUttw
-
Transparent Tribe’s New RAT Campaign: A Renewed Cyber-Espionage Threat to India

India’s cyber front is under constant pressure: silent, persistent, and continuously evolving. The latest reminder comes from a renewed cyber espionage campaign linked to Transparent Tribe (APT36), a well-known threat actor with a long history of targeting Indian interests. According to CYFIRMA, the campaign targets Indian government bodies, academic institutions, and strategic organisations, underscoring ongoing, long-term intelligence gathering efforts against the country.

What Makes This Campaign Dangerous?
This operation is not noisy ransomware or defacement; it’s covert cyber espionage. The attack chain begins with phishing emails carrying ZIP attachments. Inside these archives are malicious Windows shortcut (LNK) files, cleverly disguised as PDF documents. Once a victim opens the file:
- A Remote Access Trojan (RAT) is deployed silently in the background
- A decoy PDF is displayed to reduce suspicion
- The attacker gains persistent access to the system
This combination of social engineering and stealthy execution allows the malware to remain undetected for extended periods.

Adaptive Malware Built for Persistence
One of the most concerning aspects of this campaign is the malware’s adaptive behavior. Researchers observed that the RAT dynamically adjusts its persistence mechanisms based on the antivirus or endpoint protection installed on the victim’s machine. Once fully deployed, the payload allows attackers to:
- Steal sensitive data
- Control and manipulate files
- Capture screenshots
- Monitor clipboard activity
- Execute commands remotely
These capabilities make it a powerful surveillance tool rather than a short-term attack.

A Familiar Pattern, A Long-Term Strategy
Active since at least 2013, Transparent Tribe has steadily evolved its tools and techniques. Previous campaigns have used malware such as CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT, each improving stealth and control. CYFIRMA warns that the group remains strategically driven, focused on long-term intelligence collection rather than short-term disruption.

Parallel Threat Activity: Patchwork (Maha Grass)
Security researchers have also flagged related activity by Patchwork, another advanced threat group targeting defence and strategic sectors. This group has been linked to new spyware frameworks that rely on:
- Advanced obfuscation
- Long-term persistence
- Low-visibility execution
Together, these campaigns highlight a broader and ongoing threat to India’s strategic digital ecosystem.

Why This Matters for India?
These attacks highlight a critical reality: modern cyber warfare is rarely loud. It is quiet, long-term surveillance aimed at stealing intelligence, research, and strategic insights. Awareness is the first step. Preparedness is the next.
-
THREAT CAMPAIGN: APT43 USING DROPBOX FOR PAYLOAD DISTRIBUTION AND DATA EXFILTRATION

ℹ️ Researchers published a multi-stage cyber operation campaign dubbed DEEP#DRIVE that was attributed to APT43 (aka Kimsuky, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima) against South Korean businesses, government entities, and cryptocurrency users.

ℹ️ KEY FEATURES:

📍 ATTACK VECTOR
■ The attack initiates with tailored phishing lures written in Korean, disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files.
■ These lures were presented in trusted file formats (.hwp, .xlsx, .pptx) and distributed via Dropbox links to blend into normal user behavior.
■ A .lnk file masquerading as a document (e.g., 종신안내장V02_곽성환D[.]pdf[.]pdf) was used to execute malicious scripts.

📍 PAYLOAD DELIVERY AND EXECUTION
■ PowerShell scripts were critical in delivering payloads, performing reconnaissance, and executing next-stage malware.
■ The script (temp[.]ps1) downloaded, modified, and decompressed a Gzip-compressed .NET assembly (system_drive[.]dat), which was loaded directly into memory to invoke the Main method for payload execution.
■ The campaign relied heavily on Dropbox for payload distribution and data exfiltration.

📍 PERSISTENCE AND STEALTH
■ Persistence was achieved by creating a scheduled task named ChromeUpdateTaskMachine, ensuring periodic execution of malicious scripts.
■ Code obfuscation techniques were employed to evade detection, including meaningless variable names, irrelevant assignments, and string concatenation.

📍 RECONNAISSANCE AND DATA EXFILTRATION
■ Reconnaissance scripts like system_first[.]ps1 were used to gather detailed system information, including IP addresses, OS details, antivirus products, and running processes. The collected data was exfiltrated to Dropbox.

📍 C2 INFRASTRUCTURE AND ATTRIBUTION
■ Dropbox served as the C2 platform for hosting payloads and exfiltrating data.
■ The rapid takedown of critical Dropbox links suggests the infrastructure was either short-lived or actively monitored.
■ The TTPs used in this campaign closely align with those historically used by APT43.

Report: https://lnkd.in/dj8YCWiY

#threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
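A hunt for the persistence trait described above (a lookalike scheduled task that runs a PowerShell script from a user-writable path), as an added example that is not part of the post or the DEEP#DRIVE report: it scores task definitions exported in the Task Scheduler XML schema. The task names, paths and regexes are constructed assumptions; the real schema namespace is used so the parser works on `schtasks /query /xml` output.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by exported Task Scheduler definitions
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
USER_WRITABLE_RE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\|\\Temp\\|\\ProgramData\\|\\Users\\Public\\", re.I)
# Fragments that fetch, decode or stage a next-stage payload (assumed list)
DOWNLOAD_RE = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|dropbox\.com|"
    r"-EncodedCommand|\biex\b|FromBase64String", re.I)
HIDDEN_RE = re.compile(r"-(w|windowstyle)\s+hidden|-nop\b|-noprofile", re.I)


def score_task(xml_text: str):
    """Return (task_uri, score, reasons) for one exported task definition."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    reasons = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        line = f"{cmd} {args}"
        if re.search(r"powershell|pwsh", cmd, re.I):
            reasons.append("action runs PowerShell")
        if USER_WRITABLE_RE.search(line):
            reasons.append("references a user-writable path")
        if DOWNLOAD_RE.search(line):
            reasons.append("contains download/decode logic")
        if HIDDEN_RE.search(args):
            reasons.append("hidden or no-profile PowerShell flags")
    return uri, len(reasons), reasons


def task_xml(uri: str, command: str, arguments: str) -> str:
    """Build a minimal task definition in the Task Scheduler XML schema."""
    return (f'<Task version="1.2" xmlns="{NS["t"]}">'
            f"<RegistrationInfo><URI>{uri}</URI></RegistrationInfo>"
            f"<Actions><Exec><Command>{command}</Command>"
            f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>")


# Constructed samples: a lookalike "updater" task and a benign built-in one.
SAMPLE_TASKS = [
    task_xml(r"\ChromeUpdateTaskMachine", "powershell.exe",
             r"-nop -w hidden -File C:\Users\alice\AppData\Local\Temp\temp.ps1"),
    task_xml(r"\Microsoft\Windows\Defrag\ScheduledDefrag",
             r"%windir%\system32\defrag.exe", "-c -h -o -$"),
]


def hunt(tasks):
    """Tasks with at least two suspicious traits, highest score first."""
    scored = [score_task(t) for t in tasks]
    return sorted((s for s in scored if s[1] >= 2), key=lambda s: -s[1])
```

Feed it the XML of every task on a host and review anything `hunt` returns; the name alone is not the signal, the action is.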
-
Do you want to be a great pentester? If you find a cross-site scripting vulnerability, but you are limited in the number of characters you can fit in the parameter field, check to see if parameter pollution is possible. This is a big one for older ASP applications.

For example, using a parameter like firstname, the standard URL is:
https://<domain>/?firstname=tim

Try:
https://<domain>/?firstname=tim&firstname=tim

If the application responds with a value of <tim,tim>, the application is vulnerable to parameter pollution. To weaponize this for XSS, and to get around the character limitations, do:
https://<domain>/?firstname=tim<!--&firstname=-->tim

You’ll notice the server will respond with <timtim>, removing the original comma between the two tim values. There usually isn’t a limitation on how many times you can do this, which means you can have as many characters as needed to execute your payload.
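The server-side behaviour the post relies on, and the check that closes it, as an added example that is not part of the post: `asp_style_values` mimics the comma-joining of repeated names described above, `vulnerable_length_check` shows why a per-value length limit does not bound the merged value, and `strict_values` is a hardened accessor that rejects duplicate names. The 10-character limit and the sample query strings are constructed assumptions.

```python
from urllib.parse import parse_qsl

MAX_VALUE_LEN = 10  # assumed per-parameter limit of the kind the post describes


def asp_style_values(query: str) -> dict:
    """Join repeated names with ',' the way classic ASP's Request.QueryString does."""
    joined = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        joined[name] = f"{joined[name]},{value}" if name in joined else value
    return joined


def duplicate_params(query: str) -> list:
    """Names appearing more than once, in first-seen order: the pollution signal."""
    counts, dupes = {}, []
    for name, _ in parse_qsl(query, keep_blank_values=True):
        counts[name] = counts.get(name, 0) + 1
        if counts[name] == 2:
            dupes.append(name)
    return dupes


def vulnerable_length_check(query: str) -> bool:
    """Checks each raw fragment against the limit before the values are merged,
    so three 10-character fragments pass while the joined value is 32 long."""
    return all(len(v) <= MAX_VALUE_LEN
               for _, v in parse_qsl(query, keep_blank_values=True))


def strict_values(query: str) -> dict:
    """Hardened accessor: refuse duplicates, then bound the value actually used."""
    dupes = duplicate_params(query)
    if dupes:
        raise ValueError(f"duplicate query parameters: {', '.join(dupes)}")
    values = dict(parse_qsl(query, keep_blank_values=True))
    too_long = [k for k, v in values.items() if len(v) > MAX_VALUE_LEN]
    if too_long:
        raise ValueError(f"value too long for: {', '.join(too_long)}")
    return values


def is_rejected(query: str) -> bool:
    """True if the hardened accessor refuses the query."""
    try:
        strict_values(query)
        return False
    except ValueError:
        return True
```

Logging `duplicate_params` on every request also gives you a cheap detection for pollution attempts, whatever the framework's merge behaviour.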