Hey everyone, does this sound familiar? You install a Python package and suddenly feel like you've been robbed blind?

Right now, there's a nasty campaign going on targeting PyPI, and it's misusing "time" utilities to swipe cloud credentials. Get this – it's already had over 14,000 downloads! The malware hides in packages that are *supposed* to just check the time. But instead, they're snatching cloud keys (AWS, Azure, the works) and sending them straight to the bad guys.

Honestly, it reminds me of a pentest we did where we *almost* missed a similar camouflage trick. Seriously creepy! So, heads up: Double-check your dependencies, run those scans, review your cloud configurations, and above all, be suspicious! And hey, just a friendly reminder: automated scans are no substitute for a manual pentest!

Have you run into anything similar? What tools are you using to beef up your security? Let's chat about it!

Hey #redteam and #pentest ers, what security controlsnon endpoints and servers make your life miserable on an engagement?

App allow listing?
DEP?
Powershell execution policies?
Hostbased firewall?

Chrome Extensions: Masters of Disguise at Work!

Heads up, folks! There's a seriously nasty new wave of attacks going around: fake Chrome extensions are out there, and they're stealing your data! These things are so good at mimicking the icons and pop-ups of your favorite add-ons, you might not even realize what's happening. And it affects Chrome, Edge, basically everything!

Here's the really sneaky part: the extension doesn't *immediately* do anything bad. Instead, it quietly figures out which add-ons you're using. Then, BAM! It transforms itself, temporarily disabling the real extension. Next thing you know – login credentials stolen, account gone!

Speaking as a pentester, I've gotta say, this is some impressive social engineering. Automated scans won't catch this stuff because, hey, the extension appears to be "working" just fine. So, a bit of human intelligence and healthy skepticism are absolutely essential here.

My advice? Always take a *very* close look at new extensions before you install them. Double-check the permissions they're asking for! Does it *really* need access to *everything*? And remember, regular pentests are worth their weight in gold.

So, have you had any experiences with these fake extensions? How do *you* protect yourself? What tools do you use to spot suspicious Chrome extensions? Let's share some tips in the comments!
#infosec #pentest #chrome

Whoa, check this out! A million devices infected via malvertising! Seriously scary stuff. You know, those illegal streaming sites? Total playground for cybercriminals.

Malvertising is a real nasty piece of work, isn't it? They sneak malware in through ads. Gotta remember: even "free" stuff comes with a cost, right?

This Lumma Stealer thing grabs your passwords, and these RATs (Remote Access Trojans) let them control your system remotely. And get this – they're abusing GitHub to host the malware. Ugh.

It actually reminds me of a pentest we did where we almost missed an attack chain just like this. You really gotta stay vigilant!

So, what does it mean for you? Well, a firewall's great, but it's not a magic bullet. Double-check your downloads, and be super skeptical of any links.

Microsoft's calling these guys "Storm-0408." Apparently, they're using PowerShell, messing with Defender, and even faking AI chatbot sites! Sneaky!

Bottom line: steer clear of those shady streaming sites. Be wary of links! Keep your antivirus updated. Keep an eye on PowerShell. And most importantly: run regular pentests!

Ever had a run-in with malvertising? How do *you* stay safe? Share your tips!

Wow, Black Basta and CACTUS using the *same* backconnect module? Smells like a collaboration, or maybe affiliates jumping ship!

BackConnect is a real pain – it's a super persistent backdoor. Once they're in, getting rid of it is tough. So, just a reminder: penetration tests need more than just automated scans. Manual analysis? Absolutely crucial.

Seriously folks, patch your systems! And employee training? It's not rocket science! Just get it done!

Hey, is there an easy way to spot BackConnect traffic on a network? I'd love to hear your thoughts!

Looking for a good Canadian pen tester for a web application. Specifically one who bills in CAD.

Any recommendations?

Så er der opdateret lidt på materialet til på mandag, Workshop hos PROSA.

DDoS simulering hvor vi samles om noget netværksudstyr og lærer at sende netværkspakker, MANGE MANGE netværkspakker

https://github.com/kramse/security-courses/tree/master/presentations/pentest/simulated-ddos-workshop

Materialet må som altid deles og kopieres, og samme workshop plejer jeg at holde på BornHack, så måske skal du skrive det i kalenderen

psexecsvc - a python implementation of PSExec's native service implementation

https://github.com/sensepost/susinternals

Done, but... just out of curiosity.

Should Pentester cleanup after themself?

Like, delete all Accounts (they may have created) or remove E-Mail Forwarders from Printers and other Systems?

Please retoot to reach more people.

Them: Why are we doing a pentest on the airgapped network?

Me: Because the reality is that the airgapped network is a lie.

Do you need a good laugh? Check out my hilarious new music video, PenTest (no, no, no), a fun spin on a Amy Winehouse's 'Rehab'! Tell me if you get the inside jokes!

https://www.youtube.com/watch?v=NmZcL8CBHeA

Do you need a good laugh? Check out my hilarious new music video, PenTest (no, no, no), a fun spin on a Amy Winehouse's 'Rehab'! Tell me if you get the inside jokes!

https://www.youtube.com/watch?v=NmZcL8CBHeA

Hey everyone! Need a good laugh? Check out my hilarious new music video, PenTest (no, no, no), a fun spin on a Amy Winehouse's 'Rehab'! Tell me if you get the inside jokes!
#WatchNow #PleaseShare #PenTest

https://www.youtube.com/watch?v=NmZcL8CBHeA

I think I'll be messing around with TryHackMe's Advent of Cyber 2024, starting on 1 December. There is no option to participate as a team but if you also plan on hitting their Grinch-themed event, add me on THM: https://tryhackme.com/r/p/tac0shell.

Advent of Cyber 2024 event page:
https://tryhackme.com/r/room/adventofcyber2024

#hacking
#ctf
#pentest
#tryhackme
#christmas

Is there an equivalent of a #pentest for spam and online abuse? Thinking of a Nheko bug report I saw recently about messages from blocked accounts not disappearing. There are harassers who will send triggering images to their victims and someone who is familiar with harassment campaigns would likely have noticed this gap.
Is there even a name for this kind of test? I guess a #phishing attack is the closest corporate equivalent.
cc: #moderation

If anyone is interested in getting down with Hack the Box's Halloween CTF, "Hack the Boo," this week and you haven't already signed up, go create an account and request to join the team, "ACAB-All Churros Are Beautiful," then DM me.

https://ctf.hackthebox.com/team/overview/200979

The warm-up has been Monday, Tuesday, and today and the competition begins tomorrow and goes until Friday. No pressure to actually perform. I haven't gotten much time in myself because of responsibilities but the 3 questions I've been able to burn energy on have been fun. I don't get to reverse engineer much and it's always a fun challenge, even in failure.

https://ctf.hackthebox.com/

#hacking
#pentest
#ctf
#hackthebox

Really excited to be presenting Faction at @phreaknic 25! If you're tired of writing
#pentest
reports and wish to collaborate more with your fellow
#pentesters
then check out my talk 5:00pm - 5:30pm on Friday Nov. 8

#appsec
#redteam
#cybersecurity
#hacking

I published my WriteUp of Analysis box from @hackthebox_eu

https://v0lk3n.github.io/writeup/HackTheBox/Box/Analysis/HTB-Analysis_WriteUp

I hope that you will like it :)