shakedown.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A community for live music fans with roots in the jam scene. Shakedown Social is run by a team of volunteers (led by @clifff and @sethadam1) and funded by donations.

#redteam


New Open-Source Tool Spotlight 🚨🚨🚨

Sqlmap is an open-source tool for automating SQL injection detection and exploitation. It supports multiple databases like MySQL, PostgreSQL, Oracle, and more. Widely used for penetration testing, it includes features like database dumping, password cracking, and file system access.

Remember: powerful tools require responsible use. #CyberSecurity #PenTesting

🔗 Project link on #GitHub 👉 github.com/sqlmapproject/sqlmap

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

✨
🔐 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

New Open-Source Tool Spotlight 🚨🚨🚨

Mimikatz is a well-known open-source tool for extracting credentials from Windows systems. It can retrieve plaintext passwords, hash credentials, and even Kerberos tickets from memory. Used by both researchers and attackers, it highlights the importance of secure credential management in Active Directory environments. #CyberSecurity #WindowsSecurity

🔗 Project link on #GitHub 👉 github.com/gentilkiwi/mimikatz


Last week, I finally finished my writeup of a vulnerability based on a misuse of #Cryptography that we found a while back in a penetration test. It's my favorite vulnerability so far, as it relies on abusing basic properties of unauthenticated encryption and shows, in a real-world scenario, how such seemingly theoretical issues can compromise an entire system. In the end, it's a teachable moment about both cryptography and secure software architecture.

I had the draft lying around for more than a year, but reading the articles by @soatok finally reminded me that I should really wrap this up and post it. So, here it is: blog.maass.xyz/encryption-isnt

How does a single nation take on some of the largest crypto networks in the world? 🤔💻

According to blockchain tracking firms and cybersecurity researchers, North Korea is linked to one of the most significant crypto hacks of recent times. The attack, believed to involve sophisticated tactics, siphoned off millions in digital assets. This isn’t the country's first foray into crypto theft; North Korean hacking groups, most notably Lazarus Group, have been implicated in multiple similar exploits.

Blockchain activity linked to the breach reveals well-coordinated operations leveraging vulnerabilities in decentralized finance (DeFi) protocols and cryptocurrency exchanges. These groups often use techniques like phishing, social engineering, or exploiting weak smart contract security to gain access to funds. Once stolen, the assets are laundered through complex methods such as chain-hopping — moving funds across multiple blockchains — or using mixer services to obscure transaction history.

The United Nations has long accused North Korea of using stolen cryptocurrency to fund its missile programs, bypassing global sanctions. With estimates suggesting billions have been lost to these operations over the years, this latest hack adds to a growing pattern that highlights weaknesses in crypto security.

For crypto users and developers, this serves as another wake-up call about the critical need for robust security measures, especially as attackers continue to evolve their methods.


How can a seemingly simple API flaw lead to arbitrary code execution or even a DDoS attack? 🛠️🌐

Meta's Llama framework recently faced a significant vulnerability, tracked as CVE-2024-50050. This flaw, with a CVSS score of 6.3 (and rated more critically by others at 9.3), exposed its Python-based inference server to remote code execution (RCE). The issue stemmed from unsafe deserialization practices using Python’s `pickle` module within the Llama Stack component, which handles API interfaces for AI development. When combined with exposed ZeroMQ sockets over a network, attackers could send maliciously crafted objects to gain control of the host machine.

To address this, Meta shifted from the risky `pickle` format to the safer JSON serialization in version 0.0.41, released on October 10, 2024. This problem highlights the dangers of using insecure serialization formats, especially when handling untrusted data in AI frameworks.

Interestingly, this isn't an isolated case. In August 2024, a similar deserialization vulnerability was found in TensorFlow’s Keras framework, resulting from the misuse of Python's `marshal` module. Beyond RCE risks, vulnerabilities extend to other AI applications too. For instance, OpenAI recently patched a ChatGPT crawler flaw that allowed attackers to initiate amplified DDoS attacks through unchecked HTTP POST parameters.

These exposures emphasize an evolving trend—LLMs and their supporting tools are often misused, whether due to coding oversights or deliberate abuse. Researchers also warn about the potential misuse of LLMs in cyberattack lifecycles, from payload delivery to command-and-control functionalities. Moreover, methods like ShadowGenes emerged to identify model genealogy, providing insights into AI’s architecture while raising concerns about reverse engineering risks.

The increasing integration of AI in various domains demands heightened vigilance on security measures, particularly in areas like data handling, serialization, and model genealogy tracking. Each vulnerability reveals how even minor issues can cascade into larger consequences if left unchecked.

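The unsafe-deserialization pattern behind CVE-2024-50050 and the JSON switch that replaced it, as an added, constructed Python example (not Llama Stack's or Meta's code): the socket transport is left out, the handler names and request schema are assumptions, and a restricted unpickler is shown as a second hardening option beside the JSON fix the post describes.

```python
"""Constructed illustration of the CVE-2024-50050 pattern (not Llama Stack code):
a hypothetical inference server turns request bytes from a socket into an
object, first via pickle, then via two defensive alternatives."""
import io
import json
import pickle

# --- Before: the unpickler reconstructs whatever the sender encoded ----------
def handle_message_unsafe(raw: bytes):
    # pickle.loads() resolves any global reference in the stream and can be
    # steered into calling it, so untrusted bytes here mean code execution.
    return pickle.loads(raw)

# --- Hardening option 1: keep pickle but refuse every global reference -------
class NoGlobalsUnpickler(pickle.Unpickler):
    """Allows only primitives and containers; any class/function lookup fails."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")

def handle_message_restricted(raw: bytes):
    return NoGlobalsUnpickler(io.BytesIO(raw)).load()

# --- Hardening option 2 (the switch the post describes): JSON plus a schema --
ALLOWED_FIELDS = {"request_id": str, "prompt": str, "max_tokens": int}  # assumed

def handle_message_json(raw: bytes) -> dict:
    msg = json.loads(raw.decode("utf-8"))  # yields data only, never objects
    if not isinstance(msg, dict) or set(msg) != set(ALLOWED_FIELDS):
        raise ValueError("unexpected message shape")
    for key, typ in ALLOWED_FIELDS.items():
        # bool is a subclass of int, so reject it explicitly for int fields
        if not isinstance(msg[key], typ) or (typ is int and isinstance(msg[key], bool)):
            raise ValueError(f"bad type for field {key!r}")
    return msg

def classify(raw: bytes, handler) -> str:
    """Run one handler over one message and report the outcome as text."""
    try:
        result = handler(raw)
    except (pickle.UnpicklingError, ValueError, EOFError) as exc:
        return f"rejected: {type(exc).__name__}"
    return f"accepted: {type(result).__name__}"

# Constructed sample messages. GLOBAL_REF_PICKLE only *references* a global
# (the harmless builtin `len`): enough to show that the plain unpickler resolves
# globals while the restricted one refuses before resolution.
BENIGN_PICKLE = pickle.dumps({"prompt": "hello", "max_tokens": 8})
GLOBAL_REF_PICKLE = pickle.dumps(len)
GOOD_JSON = json.dumps({"request_id": "r-1", "prompt": "hello", "max_tokens": 8}).encode()
BAD_JSON = json.dumps({"request_id": "r-1", "prompt": "hello", "max_tokens": 8, "x": 1}).encode()

if __name__ == "__main__":
    for hname, handler in [("unsafe", handle_message_unsafe),
                           ("restricted", handle_message_restricted), ("json", handle_message_json)]:
        for mname, raw in [("benign pickle", BENIGN_PICKLE), ("global-ref pickle", GLOBAL_REF_PICKLE),
                           ("good json", GOOD_JSON), ("bad json", BAD_JSON)]:
            print(f"{hname:10} {mname:18} {classify(raw, handler)}")
```

The restricted unpickler still parses attacker-controlled bytes, so the JSON path with an explicit schema is the option to prefer for anything reachable over a network.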


Good article mentioned in previous piece by Andrew O'Hehir (executive editor of Salon) describing the Musk-Bannon dispute in the US & possible implications in elections around the world. Here, Slavoj Žižek (Global Eminent Scholar at Kyung Hee University) takes that thinking further. It is "revolutionary" (he is Marxist) but describes the growing oligarchy and dilemma for ordinary citizens:

We are all "...serfs in a neo-feudal private corporate space."
english.hani.co.kr/arti/englis
#RedTeam #elections

Hankyoreh · [Column] Musk against Bannon: Welcome to the world of ‘produsers’

It is possible to get lost in — and overwhelmed by — the awfulness that has been just Week One of the 2nd Trump administration. It's also possible to hope too much that such awfulness backfires and results in a return to "normalcy" (whatever that is) and/or progressive liberal values. But "... the analytical task here is to tread carefully between the twin temptations of unwarranted optimism and hopeless cynicism..."

Good analysis —
salon.com/2025/01/25/elons-glo
#RedTeam #musk #bannon #elections

Salon.com · Elon's global takeover: Can one billionaire dismantle democracy? We'll find out

Done, but... just out of curiosity.

Should pentesters clean up after themselves?

Like, delete all accounts (they may have created) or remove e-mail forwarders from printers and other systems?

Please retoot to reach more people.

How do you stop a malware strain used for over a decade to steal sensitive information? 🖥️🛠️

The FBI, working with global partners and cybersecurity experts, has successfully removed PlugX malware from 4,258 computers across U.S. networks. PlugX, linked to a China-backed threat group called Mustang Panda (also known as Twill Typhoon), has been active since 2014 and primarily targets governments, shipping firms, and dissident groups in the U.S., Europe, and Asia.

During the operation, French law enforcement and cybersecurity firm Sekoia.io played a significant role. By gaining access to a command-and-control (C2) server used by the attackers, they were able to issue commands that instructed the malware to delete itself. The FBI tested these commands to ensure they wouldn’t disrupt normal computing and then executed their removal process under nine court warrants issued between August 2024 and January 2025.

PlugX is particularly dangerous due to its worm-like capabilities, which can spread infections via USB drives. It allows attackers to steal sensitive data and maintain persistence on infected systems by leveraging registry keys and hidden directories. The self-delete functionality of PlugX was exploited in this operation to systematically remove its traces from victim computers. This process deleted files, stopped running processes, and cleared directories created by the malware.

Victim notifications are ongoing, with the FBI coordinating efforts with ISPs to contact affected entities. This international collaboration highlights the growing ability of global law enforcement to dismantle large-scale cyber threats, even those sponsored by state actors.


Can a simple double-click jeopardize your online security? 🖱️💻

Security researchers have uncovered a new vulnerability class called "DoubleClickjacking," which takes traditional clickjacking tactics a step further. Unlike the usual single-click manipulation, this technique exploits the timing between two clicks to compromise accounts and sensitive data. It bypasses established protections like X-Frame-Options headers and SameSite cookie policies—tools many websites rely on for security.

Here’s how it works: An attacker sets up a deceptive website that prompts users to double-click on an element, such as a CAPTCHA-like dialog box. During this sequence, the attacker uses JavaScript to redirect the second click to malicious actions, like approving unauthorized access to sensitive resources (e.g., OAuth applications). Meanwhile, the attacker-controlled tab closes, leaving no trace of the underlying exploit.

Why is this so effective? Most existing web defenses are designed to guard against forced single clicks but don’t account for subtleties in double-click behavior. This makes DoubleClickjacking a sophisticated way to bypass frameworks like Content Security Policy (CSP) and common browser-level safeguards.

To mitigate such risks, experts suggest implementing client-side restrictions, like disabling critical buttons unless users interact with specific gestures or keys—solutions already adopted by companies like Dropbox. However, long-term fixes may require browser vendors to introduce new standards, analogous to X-Frame-Options, tailored to handle double-click vulnerabilities.

This development follows another similar attack from the same researcher, Paulos Yibelo, who had demonstrated "gesture-jacking" last year. That variant exploited key presses or mouse gestures to achieve unwanted actions on sites like Coinbase and Yahoo! Through such techniques, attackers manipulate user trust and interaction patterns in increasingly creative ways.

The bottom line? As threat actors refine these tricks, both users and developers must stay alert to evolving attack vectors.


How does a stolen API key open the door to a major cybersecurity breach? 🤔🔑

The U.S. Treasury Department has revealed it suffered a significant cybersecurity breach, tracing the root cause back to a stolen API key belonging to its third-party software service provider, BeyondTrust. This breach, attributed to suspected Chinese state-sponsored attackers, exposed certain unclassified documents and allowed unauthorized remote access to departmental computers.

The incident began on December 8, 2024, when BeyondTrust informed the Treasury that threat actors had obtained an API key used to secure their cloud-based service. This service facilitated remote technical support for Treasury Departmental Offices (DO) end users. With the compromised key, attackers bypassed security measures to access Treasury user workstations and internal files.

BeyondTrust disclosed that these attackers exploited the API key to reset application passwords within their Remote Support system. Although BeyondTrust revoked the key, suspended impacted instances, and offered alternatives, the damage underscores how vulnerabilities in third-party systems can ripple into government networks. The company is still investigating how the key was originally obtained.

Additionally, BeyondTrust identified two related vulnerabilities, one classified as critical with a CVSS score of 9.8 (CVE-2024-12356). CISA has listed this flaw in its Known Exploited Vulnerabilities catalog due to ongoing exploitation in the wild.

While the Treasury confirmed the BeyondTrust service has been taken offline and there’s no evidence of ongoing access, this breach highlights the risks posed by supply-chain attacks, particularly when they involve privileged access tools. It also serves as a reminder of the importance of rigorous third-party vendor assessments and proactive vulnerability management strategies.


How secure are your browser extensions? 🛡️🖥️

A recent attack campaign has compromised at least 16 Chrome browser extensions, potentially exposing over 600,000 users to credential theft and data breaches. The attack exploited the extensive permissions granted to these extensions, demonstrating how they can be a weak link in web security systems.

The breach was initiated through a phishing scheme targeting extension publishers on the Chrome Web Store. Once attackers gained access, they implanted malicious code into legitimate extensions, enabling them to steal cookies, user access tokens, and other sensitive data. This malicious code communicated with an external Command and Control (C&C) server, allowing hackers to download additional configurations and exfiltrate stolen data.

Cybersecurity firm Cyberhaven was one of the first known victims. Its browser extension was compromised, and its malicious version remained active for about 24 hours before being removed. However, security experts warn that removing the extension from the Chrome Web Store doesn't entirely resolve the threat. If the compromised extension remains installed on user devices, it could still exfiltrate data.

The attack was not isolated to Cyberhaven. Security researchers identified several other compromised extensions during their investigation, including popular tools like AI Assistant - ChatGPT and Gemini for Chrome, Bard AI Chat Extension, Search Copilot AI Assistant, and multiple VPN-related extensions. These extensions were found communicating with the same C&C server involved in the Cyberhaven breach, signaling a broad, targeted campaign.

Researchers have discovered that the malicious code in Cyberhaven's extension targeted identity data and access tokens associated with Facebook accounts, specifically Facebook business accounts. This highlights the potential risk these attacks pose to both individual users and organizations relying on such accounts for operations.

Security experts criticize the widespread complacency around browser extension security. Most organizations lack visibility into the extensions installed across their devices, leaving them vulnerable. Since browser extensions often require broad permissions, such as access to cookies or identity information, they represent an overlooked but significant source of risk.

While some extensions have been updated or removed, this incident underscores broader challenges in managing browser extension security. Organizations and users alike must closely monitor installed extensions, limit unnecessary permissions, and remain vigilant against similar threats. The scope and sophistication of this campaign raise serious concerns about the future integrity of browser-based tools.


How does a fake job interview lead to a global cybersecurity threat? 🕵️‍♂️💻

North Korean hackers are intensifying efforts to exploit unsuspecting job seekers through the "Contagious Interview" campaign, which has recently introduced a new malware named OtterCookie. This operation involves posing as recruiters to lure individuals into downloading malicious software under the guise of a job interview process.

One key method is distributing malware-laden videoconferencing apps or npm packages hosted on platforms like GitHub or official registries. These tools pave the way for deploying other malware like BeaverTail and InvisibleFerret. Notably, BeaverTail now uses Python scripts, collectively referred to as CivetQ, to enhance its modular approach for stealing sensitive information.

OtterCookie, first detected in September 2024, is a JavaScript-based malware that communicates with command-and-control (C2) servers using the Socket.IO library. Once activated, it can execute shell commands to steal files, clipboard content, and, more critically, cryptocurrency wallet keys. A newer version, spotted just last month, builds upon its predecessor by tweaking how it steals crypto wallet keys—integrating this directly into its code rather than relying on remote commands.

The attackers' persistence in updating their tools while keeping their infection strategy intact underscores the effectiveness of their operations. These activities share similarities with other North Korean campaigns but stand distinct from larger efforts like "Operation Dream Job."

Beyond malware advancements, this campaign ties into broader illicit schemes. Recent sanctions by South Korea’s Ministry of Foreign Affairs highlight how North Korea sends IT workers abroad to secure funds for its nuclear and missile programs. Sanctioned entities like the 313th General Bureau exemplify how these cyber operations stretch globally, undermining international security by funneling stolen resources into military projects.
