New research from Google Threat Intelligence Group (GTIG) details how PRC-nexus 🇨🇳 APT41 is leveraging innovative tactics, including the use of Google Calendar for command and control (C2). In late October 2024, we discovered APT41 exploiting a government website to deliver a novel malware family TOUGHPROGRESS. TOUGHPROGRESS utilizes Google Calendar to exfiltrate data and receive commands, an evolution in APT41's misuse of cloud services to blend in with legitimate traffic. The malware uses several obfuscation techniques, including memory-only payloads and intricate control flow obfuscation. GTIG has taken action to disrupt this campaign by terminating attacker-controlled infrastructure, updating Safe Browsing, and providing detection signatures. Our report also discusses APT41's broader use of free web hosting tools for malware distribution. Full report available here: https://lnkd.in/gPv7bPQj
Ethical Hacking Techniques
-
#ASD and international partners have released an advisory on the tradecraft of a #PRC-backed threat actor named #APT40, and it's well worth a read, whether you are in Government or the private sector. APT40 is code for a group backed by the PRC's Ministry of State Security (#MSS). The MSS is engaged in intelligence gathering and foreign interference activities, including cyber warfare. APT40, based in Haikou, Hainan Province, has been targeting Government and private sector entities around the world since 2017. Their objectives appear to be maintaining persistence in order to exfiltrate data.

How does APT40 go about their activities?
🔴 Exploit small office / home office (SOHO) routers as proxies to hide their origins among normal traffic
🔴 Target vulnerable systems on the edge of networks, such as MS Exchange, Atlassian Confluence, and Log4j (commonly found in Java applications)
🔴 Deploy web shells - uploaded code snippets that allow commands to be executed on the remote host, e.g. a malicious .aspx file dropped in a public directory on an OWA server
🔴 Conduct internal recon to enumerate victim hosts and accounts
🔴 Move laterally, stealing credentials, then exfiltrating data via existing Command and Control (C2) channels

None of the TTPs described in the report are "top shelf" exploitation. This is clever use of well-known exploits against well-known vulnerabilities. Why expose clever TTPs if you don't need to?

The advisory contains a few indicators, detection rules, and recommended mitigations. Here is a summary of mitigations:
🔵 Look for process executions in unusual directories or world-writable locations, e.g. why is there a process running from C:\Windows\Temp? (Allow listing would probably prevent this.)
🔵 Implement logging in a centralized location with a suitable retention period
🔵 Patch! The common factor in the listed vulnerabilities (CVE-2021-44228, CVE-2021-31207, CVE-2021-26084, CVE-2021-31207, CVE-2021-34523, CVE-2021-34473) is that they were all discovered (and presumably patched) in 2021!
🔵 Segment your network - impose costs by forcing the adversary to conduct recon and lateral movement on hard mode. Use jump servers to access sensitive hosts such as auth.
🔵 Other strategies covered in the Essential 8, e.g. MFA, restricting admin privs and office macros

I for one am glad to see a return to Mandiant-style "APT" codenames rather than the new-fangled monikers like "Electric Tempest". But I would like to see structured threat intelligence released with these reports, e.g. STIX JSON format, and hopefully someday soon, structured hunting and response playbooks in CACAO JSON! But I will have more to say about CACAO another day...
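The first mitigation above (process executions from unusual or world-writable directories) written out as hunting logic, as an added example that is not part of the post or the ASD advisory. It runs over constructed Sysmon-style process-creation events; the directory list and the extra "w3wp.exe spawns a shell" rule (the web shell signal from the OWA example above) are assumptions to tune for your own estate.

```python
import json
from pathlib import PureWindowsPath

# World-writable or otherwise unusual locations for a process image. This list is
# constructed for the example from the mitigations above; extend it for your estate.
WRITABLE_DIRS = (
    r"C:\Windows\Temp",
    r"C:\Users\Public",
    r"C:\ProgramData",
    r"C:\inetpub\wwwroot",
)
# An IIS/OWA worker process spawning a shell is the classic web shell signal (assumed rule).
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe", "wscript.exe"}


def under_dir(path, base):
    """True if path is base or lies below it (PureWindowsPath compares case-insensitively)."""
    p, b = PureWindowsPath(path), PureWindowsPath(base)
    return p == b or b in p.parents

def classify(event):
    """Return the reasons one Sysmon-style process-creation event looks suspicious ([] if none)."""
    image = event.get("Image", "")
    name = PureWindowsPath(image).name.lower()
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    reasons = []
    if any(under_dir(image, d) for d in WRITABLE_DIRS):
        reasons.append("image in writable/unusual directory")
    # Per-user temp folders have a variable prefix, so match the tail of the path instead.
    if "\\appdata\\local\\temp\\" in image.lower():
        reasons.append("image in user temp directory")
    if parent in WEB_WORKERS and name in SHELLS:
        reasons.append(f"{name} spawned by web worker {parent}")
    return reasons

def hunt(log_lines):
    """Parse JSON-lines process-creation events; return [(event, reasons)] for every hit."""
    hits = []
    for line in log_lines:
        if line.strip():
            event = json.loads(line)
            reasons = classify(event)
            if reasons:
                hits.append((event, reasons))
    return hits


# Constructed sample events using Sysmon Event ID 1 field names; not real telemetry.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "User": "NT AUTHORITY\\SYSTEM"}
{"Image": "C:\\Windows\\Temp\\update.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jsmith"}
{"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "User": "IIS APPPOOL\\DefaultAppPool"}
{"Image": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\7z.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jsmith"}
""".splitlines()

if __name__ == "__main__":
    for event, reasons in hunt(SAMPLE_LOG):
        print(event["Image"], "->", "; ".join(reasons))
```

The third sample line is the one allow listing would not stop on its own: cmd.exe lives in System32, so only the parent relationship gives it away.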
-
Pentest Exercises #2 - Finding XSS with Recon

Ways to identify XSS?
- Automating your scans is very useful, finding entry points, endpoints and other information to get a range of possibilities and chances of getting an XSS.
- However, always carry out a manual analysis, identify all inputs and request methods.
- Analyze how the server behaves with different types of requests.
- If you encounter an HTML injection, you may have a better chance of encountering an XSS.
- Look for any type of input pattern, whether via GET or POST method, dynamic and static forms and their input fields, as well as Hidden fields that can only be disabled in the front-end of the application.
- Check the Headers, especially the referer, cookie and user-agent
- Don't settle for a simple text alert, try to get at least a session cookie or extract the JWT stored in localstorage
- Look for insecure methods like innerHTML, eval and data inserted directly into javascript
- Analyze security filters and test bypass methods (that's for another post)
- See if there is data persisted while manipulating the page
- And never stop browsing the site, don't just depend on the results of automated tools, as I've already found XSS in parameters that the tools don't return. A payload inserted directly into the URL can end up generating surprises.

Shall we see some tools examples?

Use the GoSpider tool to perform crawling and obtain urls, endpoints and paths that help identify possible xss
https://lnkd.in/d3Cb_J7w

The Katana tool is also useful for crawling the application so you can carry out XSS attacks
https://lnkd.in/dnvq7ECZ

Another way is to use XSS Hunters, mainly for XSS Blind that require Payloads that deviate from traditional alerts, for example.
https://xsshunter.com/#/

Using the KXSS tool to validate input fields, especially in reflected XSS to try injections
echo "https://lnkd.in/d_9YED9z" | kxss
echo https://lnkd.in/dFjMZ2uC | waybackurls | kxss

The airixss tool is an interesting option for you to use during a recon, it helps you identify reflected points of attacks
https://lnkd.in/dPTvyqKU
cat targets | airixss -payload '"><svg onload=confirm(1)>'

One way to do it automated is using the XssorRecon tool, this is the free version, there is a paid version which is really cool
https://lnkd.in/dNQvHZCK

XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.
https://lnkd.in/dJkuhQ4X

These are the tips and tools. Do you have any more?
Image by Kali Linux Tutorials
Other PenTest Exercises: https://lnkd.in/dwgB3RMM
#pentest #redteam #xss #webpentest
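What the kxss step above actually checks, as an added example (not code from the post or from the kxss project): one probe per special character, then a test for whether the marker plus that character came back literally. The three server functions are constructed stand-ins for real endpoints, and the same check is what an output-encoding unit test in your own application should assert on.

```python
import html

# Characters whose raw reflection shows the HTML, attribute or JS context can be broken out of.
PROBE_CHARS = '"\'<>'
MARKER = "zq7reflect"  # unique token so we find our own reflection, not unrelated page text


def probe_values(chars=PROBE_CHARS):
    """kxss-style probes: one value per character, each sent in its own request."""
    return {c: MARKER + c for c in chars}


def unencoded_reflections(responses):
    """responses maps probe character -> body returned for that probe.
    Returns the characters that came back literally, i.e. without output encoding."""
    return [c for c, body in responses.items() if MARKER + c in body]


# Three constructed server behaviours standing in for real endpoints (not captured traffic).
def reflect_raw(value):
    """Vulnerable: the value is written straight into an attribute."""
    return f'<input name="q" value="{value}">'


def reflect_attr_only(value):
    """Partially fixed: only the double quote is encoded, so ' < > still land raw."""
    return f'<input name="q" value="{value.replace(chr(34), "&quot;")}">'


def reflect_escaped(value):
    """Fixed: full HTML entity encoding of every reflected character."""
    return f'<input name="q" value="{html.escape(value)}">'


def assess(server):
    """Send every probe to a server function and return the characters reflected unencoded."""
    return unencoded_reflections({c: server(v) for c, v in probe_values().items()})


if __name__ == "__main__":
    for srv in (reflect_raw, reflect_attr_only, reflect_escaped):
        print(f"{srv.__name__:18s} reflected unencoded: {assess(srv)}")
```

The partial case is the instructive one: escaping only the quote protects that attribute, but the same value echoed into a text node or a script block elsewhere on the page is still breakable.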
-
Transparent Tribe’s New RAT Campaign: A Renewed Cyber-Espionage Threat to India

India’s cyber front is under constant pressure: silent, persistent, and continuously evolving. The latest reminder comes from a renewed cyber espionage campaign linked to Transparent Tribe (APT36), a well-known threat actor with a long history of targeting Indian interests. According to CYFIRMA, the campaign targets Indian government bodies, academic institutions, and strategic organisations, underscoring ongoing, long-term intelligence gathering efforts against the country.

What Makes This Campaign Dangerous?
This operation is not noisy ransomware or defacement; it’s covert cyber espionage. The attack chain begins with phishing emails carrying ZIP attachments. Inside these archives are malicious Windows shortcut (LNK) files, cleverly disguised as PDF documents. Once a victim opens the file:
- A Remote Access Trojan (RAT) is deployed silently in the background
- A decoy PDF is displayed to reduce suspicion
- The attacker gains persistent access to the system
This combination of social engineering and stealthy execution allows the malware to remain undetected for extended periods.

Adaptive Malware Built for Persistence
One of the most concerning aspects of this campaign is the malware’s adaptive behavior. Researchers observed that the RAT dynamically adjusts its persistence mechanisms based on the antivirus or endpoint protection installed on the victim’s machine. Once fully deployed, the payload allows attackers to:
- Steal sensitive data
- Control and manipulate files
- Capture screenshots
- Monitor clipboard activity
- Execute commands remotely
These capabilities make it a powerful surveillance tool rather than a short-term attack.

A Familiar Pattern, A Long-Term Strategy
Active since at least 2013, Transparent Tribe has steadily evolved its tools and techniques. Previous campaigns have used malware such as CapraRAT, Crimson RAT, ElizaRAT, and DeskRAT, each improving stealth and control. CYFIRMA warns that the group remains strategically driven, focused on long-term intelligence collection rather than short-term disruption.

Parallel Threat Activity: Patchwork (Maha Grass)
Security researchers have also flagged related activity by Patchwork, another advanced threat group targeting defence and strategic sectors. This group has been linked to new spyware frameworks that rely on:
- Advanced obfuscation
- Long-term persistence
- Low-visibility execution
Together, these campaigns highlight a broader and ongoing threat to India’s strategic digital ecosystem.

Why This Matters for India?
These attacks highlight a critical reality: modern cyber warfare is rarely loud. It is quiet, long-term surveillance aimed at stealing intelligence, research, and strategic insights. Awareness is the first step. Preparedness is the next.
-
THREAT CAMPAIGN: APT43 USING DROPBOX FOR PAYLOAD DISTRIBUTION AND DATA EXFILTRATION

ℹ️ Researchers published a multi-stage cyber operation campaign dubbed DEEP#DRIVE that was attributed to APT43 (aka Kimsuky, Black Banshee, Emerald Sleet, Sparkling Pisces, Springtail, TA427, and Velvet Chollima) against South Korean businesses, government entities, and cryptocurrency users.

ℹ️ KEY FEATURES:

📍 ATTACK VECTOR
■ The attack initiates with tailored phishing lures written in Korean, disguised as legitimate documents, such as work logs, insurance documents, and crypto-related files.
■ These lures were presented in trusted file formats (.hwp, .xlsx, .pptx) and distributed via Dropbox links to blend into normal user behavior.
■ A .lnk file masquerading as a document (e.g., 종신안내장V02_곽성환D[.]pdf[.]pdf) was used to execute malicious scripts.

📍 PAYLOAD DELIVERY AND EXECUTION
■ PowerShell scripts were critical in delivering payloads, performing reconnaissance, and executing next-stage malware.
■ The script (temp[.]ps1) downloaded, modified, and decompressed a Gzip-compressed .NET assembly (system_drive[.]dat), which was loaded directly into memory to invoke the Main method for payload execution.
■ The campaign relied heavily on Dropbox for payload distribution and data exfiltration.

📍 PERSISTENCE AND STEALTH
■ Persistence was achieved by creating a scheduled task named ChromeUpdateTaskMachine, ensuring periodic execution of malicious scripts.
■ Code obfuscation techniques were employed to evade detection, including meaningless variable names, irrelevant assignments, and string concatenation.

📍 RECONNAISSANCE AND DATA EXFILTRATION
■ Reconnaissance scripts like system_first[.]ps1 were used to gather detailed system information, including IP addresses, OS details, antivirus products, and running processes. The collected data was exfiltrated to Dropbox.

📍 C2 INFRASTRUCTURE AND ATTRIBUTION
■ Dropbox served as the C2 platform for hosting payloads and exfiltrating data.
■ The rapid takedown of critical Dropbox links suggests the infrastructure was either short-lived or actively monitored.
■ The TTPs used in this campaign closely align with those historically used by APT43.

Report: https://lnkd.in/dj8YCWiY
#threathunting #threatdetection #threatanalysis #threatintelligence #cyberthreatintelligence #cyberintelligence #cybersecurity #cyberprotection #cyberdefense
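A hunt for the persistence described above (a scheduled task named to look like a vendor updater, such as ChromeUpdateTaskMachine, whose action is really a PowerShell script), as an added example that is not part of the post or the cited report. It reads a constructed schtasks-style CSV export; the interpreter list, trusted roots and the updater-like name pattern are assumptions to adjust for your environment.

```python
import csv
import io
import re
from pathlib import PureWindowsPath

# Script hosts a genuine vendor updater task has no reason to launch directly.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Roots where installed software normally lives; updater actions elsewhere deserve a look.
TRUSTED_ROOTS = (r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows")
UPDATER_LIKE = re.compile(r"update", re.IGNORECASE)
WRITABLE_PATH = re.compile(r"\\(Users\\Public|ProgramData|Temp)\\", re.IGNORECASE)

def executable_of(action):
    """First token of a task action, honouring a quoted path that contains spaces."""
    action = action.strip()
    if action.startswith('"'):
        return action[1:action.index('"', 1)]
    return action.split(" ", 1)[0]

def under_trusted_root(path):
    p = PureWindowsPath(path)  # comparisons are case-insensitive for Windows paths
    return any(PureWindowsPath(root) in p.parents for root in TRUSTED_ROOTS)

def classify_task(task):
    """Reasons a task row looks like masquerading persistence ([] if it looks normal)."""
    name, action = task["TaskName"], task["Task To Run"]
    exe = executable_of(action)
    exe_name = PureWindowsPath(exe).name.lower()
    reasons = []
    if UPDATER_LIKE.search(name):
        if exe_name in INTERPRETERS:
            reasons.append(f"updater-like task runs {exe_name}")
        elif not under_trusted_root(exe):
            reasons.append("updater-like task runs binary outside trusted roots")
    if WRITABLE_PATH.search(action):
        reasons.append("action references a user-writable path")
    return reasons

def hunt_tasks(csv_text):
    """Return [(TaskName, reasons)] for every flagged row of a schtasks-style CSV export."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        reasons = classify_task(row)
        if reasons:
            hits.append((row["TaskName"], reasons))
    return hits

# Constructed export with three schtasks /query /fo csv /v columns; not from a real host.
SAMPLE_CSV = r'''
TaskName,Author,Task To Run
\GoogleUpdateTaskMachineCore,CORP\admin,"""C:\Program Files (x86)\Google\Update\GoogleUpdate.exe"" /c"
\ChromeUpdateTaskMachine,CORP\jsmith,powershell.exe -NoProfile -File C:\Users\Public\temp.ps1
\Microsoft\Windows\Defrag\ScheduledDefrag,Microsoft Corporation,C:\Windows\system32\defrag.exe -c -h
\OneDrive Standalone Update Task-S-1-5-21-1111,CORP\jsmith,C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
'''
```

The OneDrive row is a deliberate triage case: per-user updaters legitimately run from AppData, so that rule produces leads to review, while an updater-named task launching powershell.exe against a script in C:\Users\Public is the pattern to escalate.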
-
The Pyramid of Cybersecurity Posture Management to defend against bad threat actors and APTs.
🔹 Vulnerability Scanning: Conduct quarterly scans to identify and document security weaknesses.
🔹 Patching and Updates: Implement a robust patch management strategy, addressing critical vulnerabilities within 48 hours and others within 7-30 days based on severity.
🔹 Vulnerability Assessments: Generate detailed reports to analyze risks and prioritize security measures.
🔹 Penetration Testing: Simulate real-world attacks to identify critical vulnerabilities, performing tests once or twice a year.
🔹 Red Team Engagement: Conduct realistic assessments of security capabilities, with Purple Team collaboration for real-time defense training.
🔹 Vulnerability Remediation: Systematically eliminate identified weaknesses post-assessment and testing, with ongoing monitoring.
🔹 Blue Team Training / Incident Response Training: Provide continuous training on best practices and response strategies to enhance security team readiness.
🔹 Overall Strategy: Implement these activities to strengthen security posture against evolving cyber threats.
Disclaimer: The provided article is intended for educational and knowledge-sharing purposes related to cybersecurity.
#ciso #cybersecurity
-
Do you want to be a great pentester? If you find a cross-site scripting vulnerability, but you are limited to the number of characters you can fit in the parameter field, check to see if parameter pollution is possible. This is a big one for older ASP applications.

For example, using a parameter like firstname, the standard URL is:
https://<domain>/?firstname=tim

Try:
https://<domain>/?firstname=tim&firstname=tim

If the application responds with a value of <tim,tim> the application is vulnerable to parameter pollution. To weaponize this for XSS, and to get around the character limitations, do:
https://<domain>/?firstname=tim<!--&firstname=-->tim

You’ll notice the server will respond with <timtim>, removing the original comma between the two tim values. There usually isn’t a limitation on how many times you can do this, which means you can have as many characters as needed to execute your payload.
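The behaviour described above beside its fix, as an added example that is not from the post: a handler that mimics the classic ASP comma-join of repeated parameters and enforces its length limit per value, and a hardened handler that rejects repeated parameters, limits the single value and encodes output. The MAX_LEN value and the handlers are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs

MAX_LEN = 12  # per-field length limit the application enforces (constructed value)


def legacy_handler(query):
    """Vulnerable: mimics classic ASP Request.QueryString, which joins repeated keys with ','.
    The length check runs per value, and the joined result is written raw into the page."""
    values = parse_qs(query, keep_blank_values=True).get("firstname", [""])
    if any(len(v) > MAX_LEN for v in values):
        return 400, "value too long"
    name = ",".join(values)  # firstname=tim&firstname=tim -> 'tim,tim'
    return 200, f"<p>Hello, {name}</p>"


def hardened_handler(query):
    """Fixed: refuse repeated parameters, apply the limit to the one value, encode output."""
    values = parse_qs(query, keep_blank_values=True).get("firstname", [])
    if len(values) != 1:
        return 400, "firstname must appear exactly once"
    name = values[0]
    if len(name) > MAX_LEN:
        return 400, "value too long"
    return 200, f"<p>Hello, {html.escape(name)}</p>"


def visible_text(body):
    """What the browser shows: HTML comments, and the comma hidden inside one, disappear."""
    return re.sub(r"<!--.*?-->", "", body, flags=re.DOTALL)


if __name__ == "__main__":
    polluted = "firstname=tim<!--&firstname=-->tim"
    status, body = legacy_handler(polluted)
    print(status, body, "-> rendered:", visible_text(body))
    # Splitting one long value across repeated fields slips past the per-value limit.
    chunked = "&".join(f"firstname={'a' * MAX_LEN}" for _ in range(5))
    print("legacy:", legacy_handler(chunked)[0], "hardened:", hardened_handler(chunked)[0])
```

Rejecting duplicates outright is the key control: taking "the first" or "the last" value silently differs between frameworks and proxies, which is exactly the ambiguity parameter pollution exploits.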
-
🚨 Claude is no longer just “chat with AI.” With the right skills, it can become an OSINT operator.

I came across Claude-OSINT, an open-source GitHub project that packages offensive reconnaissance methodology into Claude Skills.
🔗 GitHub Repo: https://lnkd.in/g-CTBvyT

And the idea is powerful: Instead of prompting Claude from scratch every time… you give it structured tradecraft.

What makes this interesting? The project includes:
✅ 2 paired Claude Skills
✅ 90+ recon modules
✅ 48 secret-regex patterns
✅ 80+ dorks
✅ 9 read-only credential validators
✅ 27 attack-path templates
✅ 5,500+ lines of structured OSINT methodology

The two-skill model is smart:
🔹 osint-methodology: How to think. Asset graphs, severity logic, time budgeting, scope discipline, reporting templates.
🔹 offensive-osint: What to reach for. Dorks, regexes, probe paths, validators, tool references, reconnaissance workflows.

💡 My biggest takeaway: The future of AI in security is not just better models. It is better operational context. A generic AI assistant gives generic answers. But an AI assistant with structured skills, scoped methodology, and clear constraints becomes much more useful for real security work.

🚨 Important point: This type of workflow should only be used for assets you own or have written authorization to assess. AI does not remove responsibility. It increases the need for scope, logging, and discipline.

Claude + OSINT skills can help with:
• external attack surface mapping
• subdomain discovery
• identity and SSO mapping
• cloud exposure checks
• secret pattern review
• breach intelligence
• reporting and prioritization

The real shift is simple:
❌ Prompting from memory
✅ Operating from methodology
That’s where AI becomes useful for security teams.

💬 Would you trust an AI-assisted OSINT workflow in your recon process?
#OSINT #ClaudeAI #AISecurity #CyberSecurity #RedTeam #BugBounty #ThreatIntelligence #Reconnaissance #InfoSec #AgenticAI
-
FBI Cyber Division and our partners, including Japan NISC, are warning multinational corporations to review all subsidiary connections, verify access, and consider implementing Zero Trust models to limit the extent of a potential PRC-linked BlackTech compromise.

BlackTech actors’ TTPs include developing customized malware and tailored persistence mechanisms for compromising routers. These TTPs allow the actors to disable logging and abuse trusted domain relationships to pivot between international subsidiaries and domestic headquarters’ networks. Custom BlackTech malware families include BendyBear, Bifrose, BTSDoor, FakeDead (a.k.a. TSCookie), FlagPro, FrontShell (FakeDead’s downloader module), IconDown, PLEAD, SpiderPig, SpiderSpring, SpiderStack, and WaterBear. BlackTech actors continuously update these tools to evade detection by security software. The actors also use stolen code-signing certificates to sign the malicious payloads, which makes them appear legitimate and therefore more difficult for security software to detect.

BlackTech actors use living off the land TTPs to blend in with normal operating system and network activities, allowing them to evade detection by EDR products. Common methods of persistence on a host include NetCat shells and modifying the victim registry to enable RDP and SSH. The actors have also used SNScan for enumeration and a local file transfer protocol (FTP) server to move data through the victim network.

After gaining access to international subsidiaries’ internal networks, BlackTech actors are able to pivot from the trusted internal routers to other subsidiaries of the companies and the headquarters’ networks. Specifically, upon gaining an initial foothold into a target network and gaining administrator access to network edge devices, BlackTech cyber actors often modify the firmware to hide their activity across the edge devices to further maintain persistence in the network.

To extend their foothold across an organization, BlackTech actors target branch routers—typically smaller appliances used at remote branch offices to connect to a corporate headquarters—and then abuse the trusted relationship of the branch routers within the corporate network being targeted. BlackTech actors then use the compromised public-facing branch routers as part of their infrastructure for proxying traffic, blending in with corporate network traffic, and pivoting to other victims on the same corporate network. BlackTech has targeted and exploited various brands and versions of router devices, including Cisco. TTPs against routers enable the actors to conceal configuration changes, hide commands, and disable logging while BlackTech actors conduct operations.

For additional TTPs, IOCs, and detailed detection and mitigation measures, see the attached CSA.
#cyberintelligence #cyberthreatintelligence #cyberthreatintel #CybersecurityAdvisory #FBI
-
If you’re studying Political Science and not exploring OSINT, you might be missing out on the fastest-growing career path in risk & security. Here’s why 👇

Most PolSci students get trained to read theories, debates, and history. But OSINT (Open-Source Intelligence) teaches you how to apply that knowledge to the real world.

Think about it:
🔎 Instead of just studying “conflict theory,” you’re live-tracking how protests, coups, or cyberattacks unfold.
🗺️ Instead of writing about borders, you’re mapping satellite images or shipping routes.
📡 Instead of abstract debates, you’re decoding signals from Telegram, TikTok, or local news wires.

💡 Why this matters: Companies, NGOs, and governments all rely on OSINT analysts to anticipate disruptions, from supply chain risks to political instability. And PolSci students are naturally good at it because you already know how to connect dots across politics, society, and security.

✨ Want to start? Try these free resources:
- OSINTCurious — beginner-friendly blogs & streams.
- Trace Labs OSINT Discord — hands-on practice.
- Bellingcat’s Guides — practical tutorials.

PolSci isn’t just about books & exams anymore. It’s about being the person who can say: “I saw this coming.”

✨ Over the years, so many Humanities, Political Science & IR grads have reached out to me — usually feeling lost about what comes after the degree.
💡 Each time, I’ve shared a few resources that gave them clarity and helped them take real steps forward. And almost every single person comes back saying: “I wish I had this earlier.”
👉 If you’re figuring out your own path and don’t want to waste months in trial-and-error, just DM me or drop your email — I’ll share them with you too.