veganism.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Veganism Social is a welcoming space on the internet for vegans to connect and engage with the broader decentralized social media community.


#pentest

7 posts, 4 participants

Heads-up from CERT-UA: they're flagging Excel phishing campaigns targeting Ukraine right now. Honestly, it's a pretty classic tactic we've seen before, right?

Still, reverse shells and data theft are absolutely no joke. This whole situation really takes me back to my pentesting days – it always hammers home that user awareness is crucial. More often than not, those sneaky macros are the exact gateway attackers use to get in.

So, how are you all keeping your users safe on your end? Are you leaning more on specific tools, or is it all about the training? Curious to hear your strategies!
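
On the "tools" side of that question, here is a gateway-style triage check added as an example (it is not part of the post above and not the poster's code): it inspects an Excel attachment for a VBA project and for a container/extension mismatch, using magic bytes rather than the file name. The .xlsm and .xls inputs are constructed stand-ins (an OOXML-style ZIP and a bare OLE header), not real workbooks; a legacy .xls would still need a proper OLE/XLM parser on top of this.

```python
"""Triage an Excel attachment for macro content at the mail gateway.

Added example, not from the original post. The .xlsm and .xls inputs below
are constructed stand-ins (an OOXML-style ZIP and a bare OLE header), not real
workbooks; legacy .xls files would still need a proper OLE/XLM parser.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound file
ZIP_MAGIC = b"PK\x03\x04"                        # OOXML (.xlsx/.xlsm) container


def container_type(data: bytes) -> str:
    """Classify by magic bytes, never by file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def ooxml_has_vba(data: bytes) -> bool:
    """OOXML workbooks store VBA in xl/vbaProject.bin; its presence means macros."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def triage(filename: str, data: bytes) -> list:
    """Return findings for one attachment; an empty list means nothing to flag."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = container_type(data)
    findings = []
    if kind == "ooxml":
        try:
            has_vba = ooxml_has_vba(data)
        except zipfile.BadZipFile:
            return ["malformed-zip-container"]
        if has_vba:
            findings.append("vba-project-present")
            if ext == "xlsx":                    # macro-free extension carrying VBA
                findings.append("macro-in-xlsx-extension")
    elif kind == "ole":
        findings.append("legacy-ole-container")  # may hold VBA or XLM 4.0 macro sheets
        if ext in ("xlsx", "xlsm"):
            findings.append("extension-container-mismatch")
    else:
        findings.append("not-an-office-container")
    return findings


def build_ooxml(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like ZIP for the demo (not a real workbook)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("invoice.xlsm", build_ooxml(True)),
               ("report.xlsx", build_ooxml(False)),
               ("legacy.xlsx", OLE_MAGIC + b"\x00" * 8)]
    for name, blob in samples:
        print(name, triage(name, blob) or "clean")
```

The point of checking magic bytes first is that an attacker controls the file name; a `.xlsx` that is really an OLE compound file, or an OOXML container that carries `vbaProject.bin` under a macro-free extension, is worth quarantining before any user gets to click "Enable Content".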

Fast Flux, huh? Think of it as the cybercrime world's ultimate game of hide-and-seek.

Basically, it's all about constantly swapping IP addresses. Why? To make tracking down those nasty malware servers incredibly tough. You see, threat actors like Gamaredon absolutely rely on this technique – it's perfect for cloaking their C2 infrastructure or hosting those sneaky phishing pages that pop up and disappear.

Trying to catch it with automated scans alone? Good luck. They're often pretty much useless against this kind of dynamic setup. What you really need is roll-up-your-sleeves manual analysis to figure out what's *actually* going on.

So, how do you fight back effectively? Well, just blocking IPs as they appear is like trying to fight a wildfire with a water pistol – you're always playing catch-up. Of course, strategies like sinkholing, smart traffic filtering, and continuous monitoring are crucial pieces of the puzzle.

But here's the real kicker, the absolute cornerstone? Training your users! Let's be honest, at the end of the day, someone still has to click that malicious link for the attack to succeed. User education is paramount.

What's your experience been tackling Fast Flux? Got any go-to tools or clever techniques you find particularly useful? Let's talk! 👇
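
For the "manual analysis" the post calls for, the features an analyst actually looks at can be computed from passive-DNS data. The script below is an added example, not the poster's code: it groups resolution records per domain and flags a name whose answers churn across many addresses in several networks with short TTLs. The records are constructed (documentation IP ranges, `.example` names), the `/16` bucket is a stand-in for an ASN lookup, and the thresholds are illustrative assumptions rather than a published standard.

```python
"""Score passive-DNS observations for fast-flux behaviour.

Added example, not from the original post. The records below are constructed
(domains under .example/.example.org, documentation IP ranges) and the
thresholds are illustrative assumptions, not a published standard.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Illustrative thresholds: many distinct IPs, spread over several networks,
# advertised with short TTLs so the client keeps re-resolving.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_PREFIXES = 3
MAX_TTL_SECONDS = 300

# Constructed observations: (domain, epoch seconds, resolved IP, TTL).
OBSERVATIONS = [
    ("update-portal.example", 1700000000, "198.51.100.7", 60),
    ("update-portal.example", 1700000060, "203.0.113.44", 60),
    ("update-portal.example", 1700000120, "192.0.2.19", 30),
    ("update-portal.example", 1700000180, "198.51.100.201", 60),
    ("update-portal.example", 1700000240, "203.0.113.9", 30),
    ("update-portal.example", 1700000300, "192.0.2.250", 60),
    ("www.example.org", 1700000000, "192.0.2.80", 86400),
    ("www.example.org", 1700003600, "192.0.2.80", 86400),
]


def routing_prefix(ip: str) -> str:
    """Coarse network bucket: /16 for IPv4, /32 for IPv6 (a stand-in for ASN lookup)."""
    bits = 16 if ip_address(ip).version == 4 else 32
    return str(ip_network(f"{ip}/{bits}", strict=False))


def summarise(observations) -> dict:
    """Group observations per domain and collect the features used for scoring."""
    per_domain = defaultdict(lambda: {"ips": set(), "prefixes": set(), "ttls": [], "times": []})
    for domain, ts, ip, ttl in observations:
        feats = per_domain[domain]
        feats["ips"].add(ip)
        feats["prefixes"].add(routing_prefix(ip))
        feats["ttls"].append(ttl)
        feats["times"].append(ts)
    return per_domain


def verdict(feats: dict) -> dict:
    """Apply the thresholds to one domain's features."""
    distinct_ips = len(feats["ips"])
    distinct_prefixes = len(feats["prefixes"])
    min_ttl = min(feats["ttls"])
    window_s = max(feats["times"]) - min(feats["times"])
    flagged = (distinct_ips >= MIN_DISTINCT_IPS
               and distinct_prefixes >= MIN_DISTINCT_PREFIXES
               and min_ttl <= MAX_TTL_SECONDS)
    return {"distinct_ips": distinct_ips, "distinct_prefixes": distinct_prefixes,
            "min_ttl": min_ttl, "window_seconds": window_s, "fast_flux": flagged}


def classify(observations) -> dict:
    """Map each domain to its verdict."""
    return {domain: verdict(feats) for domain, feats in summarise(observations).items()}


if __name__ == "__main__":
    for domain, result in classify(OBSERVATIONS).items():
        print(domain, result)
```

A CDN or a large anycast service will also show many addresses, which is why the network spread and the TTL are checked together rather than the IP count alone, and why the result should be read as a lead for the analyst, not as a block decision.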

Yikes, SSL misconfigurations... talk about rolling out the welcome mat for attackers! 😈 Saw this with a client just the other day – literally half their subdomains were stuck using outdated protocols. Wild! 🤯

Seriously, folks, you've gotta check your certs! But don't stop there. We're talking cipher suites, TLS versions, HSTS... the whole nine yards needs to be spot-on. If it's not, you're basically leaving a gaping hole in your security setup. 🕳️

Sure, EASM tools can be invaluable for helping you keep tabs on everything. *However*, at the end of the day, you still need a human to actually look at the findings and *understand* what's really going on. Automation's great, but it's definitely no substitute for real expertise. 😉

So, what are your biggest SSL pain points? Let me know below! 🤔
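
To make "cipher suites, TLS versions, HSTS" concrete, here is an added example (not the poster's code) that covers the three checks in one script: a pinned-version handshake that reports whether a server still accepts TLS 1.0 or 1.1, a cipher-name classifier that flags broken primitives and suites without forward secrecy, and an HSTS header evaluator. The handshake probe needs network access and takes a host you supply; the other two functions run offline on the constructed header and cipher names shown. The one-year HSTS minimum is a common baseline used here as an assumption.

```python
"""Probe a TLS endpoint for legacy protocols and weak HSTS/cipher settings.

Added example, not from the original post. probe_legacy_protocols() opens
real connections (host names are placeholders you supply); is_weak_cipher()
and check_hsts() run offline on the constructed inputs below.
"""
import socket
import ssl

LEGACY_VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1}
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXPORT", "MD5", "ANON")
HSTS_MIN_AGE = 31536000  # one year, a common baseline; treated here as the bar


def is_weak_cipher(name: str) -> bool:
    """Flag broken primitives and suites without forward secrecy.

    Handles both OpenSSL names (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_RSA_WITH_AES_128_CBC_SHA); TLS 1.3 suites are always ephemeral.
    """
    upper = name.upper()
    if any(marker in upper for marker in WEAK_MARKERS):
        return True
    if "_WITH_" in upper:                      # IANA form: key exchange is the prefix
        return "DHE" not in upper              # ECDHE or DHE -> forward secrecy
    if upper.startswith("TLS_"):               # TLS 1.3 form: TLS_AES_256_GCM_SHA384
        return False
    return not upper.startswith(("ECDHE-", "DHE-"))   # OpenSSL form


def check_hsts(header):
    """Evaluate a Strict-Transport-Security value; returns (ok, reasons)."""
    if header is None:
        return False, ["header missing"]
    directives = {}
    for part in header.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return False, ["max-age missing or not an integer"]
    reasons = []
    if max_age < HSTS_MIN_AGE:
        reasons.append(f"max-age {max_age} below {HSTS_MIN_AGE}")
    if "includesubdomains" not in directives:
        reasons.append("includeSubDomains not set")
    return not reasons, reasons


def probe_legacy_protocols(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Try a handshake pinned to each legacy version; 'ACCEPTED' is a finding."""
    results = {}
    for label, version in LEGACY_VERSIONS.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # protocol support is what we test, not trust
        try:
            ctx.minimum_version = version
            ctx.maximum_version = version
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let the client offer legacy suites
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[label] = f"ACCEPTED ({tls.version()})"
        except ssl.SSLError:
            results[label] = "rejected"
        except (OSError, ValueError) as exc:     # unreachable host or build without that version
            results[label] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Constructed header values and cipher names; no network needed for these.
    print(check_hsts("max-age=300"))
    print([c for c in ("ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "ECDHE-RSA-RC4-SHA")
           if is_weak_cipher(c)])
    # probe_legacy_protocols("www.example.com")  # placeholder host; uncomment to run
```

Run the probe against every host name the EASM inventory turns up, not just the apex: the subdomains the post mentions are exactly the ones nobody looks at, and a "rejected" on both legacy versions is the result you want to see.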

AI Security & Compliance - whew, that's a tough one, right? 🤯

No doubt, AI can seriously level up security efforts. But then there's that whole GRC (Governance, Risk, Compliance) headache... Sound familiar?

Picture this: Your client's hyped about deploying a new AI-powered firewall, but then Legal and Data Protection slam on the brakes. Classic scenario! It really is a tricky balancing act.

Honestly, AI isn't just an 'install and forget' kind of deal. You've *gotta* stay proactive and really bake security in right from the beginning – thinking 'security by design' is crucial. Otherwise, you get stuck in that frustrating loop: no budget means skimping on security, but weak security makes getting that budget approved way harder... 🤦

So, let's talk real challenges. What are *your* biggest pain points when dealing with AI security? Spill the beans below! 👇

Seriously, the Outlaw botnet? Still pulling off SSH brute-force attacks in 2024?! Wild how that's *still* getting results. It really just hammers home the point: the fundamentals are absolutely crucial!

You've gotta have solid password habits locked down. Things like key authentication, maybe changing the default SSH port, setting up Fail2ban... c'mon, it isn't exactly brain surgery, right?

But yeah, setting it up takes a bit of effort, doesn't it? And we all know time equals money...

Working as a pentester, I see it way too often – companies cutting corners precisely on these foundational steps. They'd rather splash out on flashy AI security tools, yet leave the digital front door practically wide open. Then, inevitably, everyone acts shocked when things go sideways.

So, I gotta ask: What "basic" security measures do you see getting consistently overlooked where you work? 🤔
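
Two of the basics in that post, Fail2ban-style banning and key-only authentication, fit in one short script, added here as an example rather than the poster's own code. The first function applies a sliding window to `sshd` "Failed password" lines and bans a source on the failure that reaches the retry limit, also recording which usernames it tried (one target versus a spray); the second reads `sshd_config` the way `sshd` does (first occurrence of a keyword wins) and reports the settings that miss a key-only baseline. The log lines and the config text are constructed; `maxretry=5` within `findtime=600` mirrors a common Fail2ban-style default and is an assumption, as is the expected-settings table.

```python
"""Spot SSH brute-force sources in auth.log and audit sshd_config basics.

Added example, not from the original post. The log lines and the config
text are constructed; maxretry/findtime mirror common Fail2ban-style
defaults (5 failures in 10 minutes) and are assumptions, not a standard.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed auth.log excerpt: one noisy source, one occasional typo, one key login.
AUTH_LOG = """\
Mar 14 02:11:05 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51422 ssh2
Mar 14 02:11:06 bastion sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 51430 ssh2
Mar 14 02:11:07 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 51436 ssh2
Mar 14 02:11:09 bastion sshd[2216]: Accepted publickey for deploy from 198.51.100.20 port 40010 ssh2: ED25519 SHA256:c0nstructedF1ngerprint
Mar 14 02:11:10 bastion sshd[2218]: Failed password for invalid user oracle from 203.0.113.5 port 51442 ssh2
Mar 14 02:11:12 bastion sshd[2220]: Failed password for root from 203.0.113.5 port 51450 ssh2
Mar 14 02:11:15 bastion sshd[2222]: Failed password for invalid user test from 203.0.113.5 port 51458 ssh2
Mar 14 02:30:00 bastion sshd[2301]: Failed password for alice from 198.51.100.77 port 50001 ssh2
Mar 14 02:55:00 bastion sshd[2350]: Failed password for alice from 198.51.100.77 port 50002 ssh2
""".splitlines()

# Constructed sshd_config; the first two settings are the weak ones being audited.
SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed)
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
MaxAuthTries 6
"""

# Assumed baseline for a key-only host; MaxAuthTries is an upper bound.
EXPECTED = {"passwordauthentication": "no", "permitrootlogin": "no",
            "pubkeyauthentication": "yes", "maxauthtries": "3"}


def detect_bruteforce(lines, maxretry=5, findtime=600) -> dict:
    """Ban an IP on the failure that makes maxretry failures within findtime seconds."""
    recent = defaultdict(deque)      # ip -> timestamps of failures inside the window
    users = defaultdict(set)         # ip -> usernames tried (spraying vs. single target)
    banned = {}
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ip, ts = m["ip"], datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        users[ip].add(m["user"])
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = {"at": ts.strftime("%b %d %H:%M:%S"),
                          "failures": len(window), "usernames": sorted(users[ip])}
    return banned


def audit_sshd_config(text: str) -> dict:
    """Return {keyword: (found, expected)} for settings that miss the baseline.

    sshd honours the first occurrence of a keyword, so the first value wins here too.
    """
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip())
    findings = {}
    for key, want in EXPECTED.items():
        got = seen.get(key, "<unset>")
        if key == "maxauthtries":
            ok = got.isdigit() and int(got) <= int(want)
        else:
            ok = got.lower() == want
        if not ok:
            findings[key] = (got, want)
    return findings


if __name__ == "__main__":
    print(detect_bruteforce(AUTH_LOG))
    print(audit_sshd_config(SSHD_CONFIG))
```

Note what the log excerpt shows: the `Accepted publickey` line for `deploy` is untouched by the brute force, which is the whole argument for key-only authentication. Moving the port off 22 thins the noise but does not change the outcome of either function.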

Alright, let's get real about NIST. Yeah, it's important, no question. **But** banking solely on a certificate? That's definitely not the silver bullet for security!

Seriously, I've seen cloud environments myself that ticked all the NIST compliance boxes on paper, yet they were still wide open with security holes. 🙈 It happens!

So, what's the takeaway? You absolutely can't just blindly trust that "compliant" status. This is exactly why making regular pentests a standard part of your routine isn't just nice-to-have, it's essential. You've gotta actively look for those weaknesses.

What about you? What's your experience been with NIST frameworks and actually keeping cloud setups secure? I'm curious to hear your stories!

Heard about WordPress "mu-plugins" being used as a sneaky entry point? Yikes! 😬

Think of 'mu-plugins' – those 'must-use plugins' WordPress *always* loads automatically. Super handy, right? Well, for attackers they are, because let's be real, who actually checks those regularly? 🙈

What's wild is that some malicious scripts hidden there even check if they're being scanned by a bot, just to stay under the radar. Talk about sneaky! It almost feels like a professional job... kinda reminds me of when we're pentesting for clients and trying to slip past their defenses. 😎

Usually, the culprits behind these breaches are the usual suspects: outdated plugins or themes, weak or stolen passwords, or maybe server misconfigurations. Seriously people, keeping everything updated is crucial! ☝️

Look, automated scans have their place, they're a decent first step. But honestly? A thorough pentest is often what *really* digs up these hidden nasties. So, spill the beans: Anyone else bumped into attacks leveraging mu-plugins or something similar? What tools are your go-to for sniffing them out? Let me know below! 👇
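
As a starting point for "sniffing them out", here is an added example, not the poster's code: a scanner that walks `wp-content/mu-plugins` and reports files matching a handful of indicator patterns, including the user-agent check the post describes (code that returns early when the visitor looks like a crawler or scanner), dynamic `eval`, decoding helpers, shell execution and user creation. It also notes files nested in subdirectories, since WordPress only auto-loads top-level `.php` files there and anything deeper needs a loader. The two sample plugins are constructed for the demo (the encoded payload decodes to the string `hello`), and the patterns are illustrative, not a complete signature set.

```python
"""Scan a WordPress mu-plugins directory for code that looks like a backdoor.

Added example, not from the original post. It builds a constructed
wp-content/mu-plugins tree in a temporary directory (one benign file, one
malicious file) and applies illustrative indicator patterns; they are not a
complete signature set and will need tuning on a real site.
"""
import re
import tempfile
from pathlib import Path

# Illustrative indicators: dynamic evaluation, obfuscation helpers, a user-agent
# check that bails out for crawlers/scanners, and shell or user creation calls.
INDICATORS = {
    "dynamic-eval": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    "obfuscation": re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "bot-evasion": re.compile(r"HTTP_USER_AGENT.*?\b(googlebot|bingbot|wp_http|curl|python)\b", re.I | re.S),
    "command-exec": re.compile(r"\b(system|shell_exec|passthru|proc_open|popen)\s*\(", re.I),
    "hidden-admin": re.compile(r"\bwp_(create|insert)_user\s*\(", re.I),
    "remote-fetch": re.compile(r"\b(curl_exec|file_get_contents)\s*\(\s*['\"]https?://", re.I),
}

# Constructed samples. The decoded payload is just the string "hello".
BENIGN_PLUGIN = """<?php
/* Plugin Name: Site Tweaks */
add_filter('wp_headers', function ($h) { $h['X-Frame-Options'] = 'SAMEORIGIN'; return $h; });
"""
MALICIOUS_PLUGIN = """<?php
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
if (strpos($ua, 'googlebot') !== false || strpos($ua, 'wp_http') !== false) { return; }
@eval(base64_decode('aGVsbG8='));
"""


def scan_source(text: str) -> list:
    """Return the indicator names that match the PHP source, in table order."""
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_mu_plugins(root: Path) -> dict:
    """Walk mu-plugins; keys are paths relative to root, values are findings."""
    report = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        findings = []
        if path.suffix.lower() == ".php":
            findings += scan_source(path.read_text(errors="replace"))
        else:
            findings.append("non-php-file")      # data or images do not belong here
        if path.parent != root:
            findings.append("nested-file")       # WordPress only auto-loads top-level .php
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


def build_demo_tree(root: Path) -> Path:
    """Write the constructed samples under root/wp-content/mu-plugins."""
    mu = root / "wp-content" / "mu-plugins"
    mu.mkdir(parents=True)
    (mu / "site-tweaks.php").write_text(BENIGN_PLUGIN)
    (mu / "wp-cache-helper.php").write_text(MALICIOUS_PLUGIN)
    return mu


def demo_report() -> dict:
    """Build the demo tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_mu_plugins(build_demo_tree(Path(tmp)))


if __name__ == "__main__":
    for rel, hits in demo_report().items():
        print(rel, hits)
```

Point it at the real directory with `scan_mu_plugins(Path("/var/www/html/wp-content/mu-plugins"))` and treat every hit as something to read by hand; the bot-evasion pattern in particular is the tell the post mentions, because a legitimate must-use plugin has no reason to behave differently for Googlebot.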

Alright, security pros! 🤓 Just stumbled upon another article about pentesting, and it really hit home. 💯 You know how clients sometimes assume that just having security certificates and a firewall means they're totally secure?

Well, let's be real, that's often far from the truth. 🤷‍♂️

Here's the deal: Real penetration testing is *way* more than just running an automated scan. It actually demands brainpower, a dose of creativity, and the knack for thinking way outside the box. 🧠 You've gotta get creative!

And yeah, proper security isn't free. But isn't it way better to invest upfront than deal with a potentially massive (and costly) mess later on? 🩸 Makes sense, right?

So, what have you seen out there? What are the so-called "quick fixes" in security that drive you absolutely nuts? Let me know below! 👇

Whoa, things are really popping off! 🤯 Raspberry Robin's at it again. They've found 200 *new* C2 domains? It's like battling a hydra – chop off one head, and boom, two more appear. 🐍

These Initial Access Brokers (IABs) are seriously nasty. They're basically opening the floodgates for other malware. And get this, USB drives are the gateway? Seriously, who still falls for that? But, I guess sometimes the old-school methods are, unfortunately, effective. 🤦‍♂️

It makes you wonder: how many companies *actually* have a clue what's happening on their network? For real, would they even notice this kind of threat spreading? 🤔

Here's my take: keep a close eye on network traffic. Plus, it's time to rethink that USB policy, and be extra careful with Discord downloads. And, for crying out loud, stop plugging in every random USB drive you find! ☝️

So, what wild IAB stories have *you* encountered? Let's hear 'em!

Wow, VanHelsing RaaS is here! 🙄 It really looks like RaaS is becoming the norm... $5k starting capital? That's insane. The competition is keeping everyone on their toes, huh?

Double Extortion, Dark Mode in the panel, RMM tools in the crosshairs... Sounds like the usual, but let's not overlook the fundamentals! First things first: make sure you're checking your backups. You need to be patching those systems. And, of course, raise awareness. Plus, remember folks, automated scans are *not* the same as a pentest! ☝️

We've gotta shift our focus. It's not about "selling a product," it's about "helping customers." Security by Design should be the default, not some optional extra. Let's also give Open Source more of a boost!

So, how are *you* protecting against RaaS? What strategies are you turning to these days? 🤔