Product Release: Selective Sync + Account Recovery
The post Product Release: Selective Sync + Account Recovery appeared first on PreVeil.
The post Product Release: Selective Sync + Account Recovery appeared first on Security Boulevard.
Mythic 3.3 was released in a Beta six weeks ago, and since then there has been a bunch of feedback, not just about new Mythic 3.3 features but about the framework overall. Now that Mythic is exiting Beta and going to a full release, I wanted to take a moment and highlight some of these newer features that aren’t in the original announcement post for Mythic 3.3.
File Rendering
When downloading files in Mythic 3.2, Mythic offered a series of buttons you could click to try to render the downloaded file in your browser or to preview the first 512KB of the file as strings or hex. Now, in Mythic 3.3, this view is updated to condense all that functionality into one solution. This also provides some contextual metadata about the file at the top. If the file is text, then Mythic will automatically try to determine the file syntax based on the file extension and automatically select the right syntax highlighter. The following screenshot shows the download of a Golang file with the new in-line media renderer:
Screenshot: File Media Renderer
This functionality is available for browser scripts with the media field as well as in the file search page and file browser.
File Browser
During assessments, operators might spend a large amount of time in Mythic’s file browser triaging multiple hosts and file shares to find that one special file that gives them the keys to the kingdom. Because of this, it’s important to have a workflow that minimizes operator friction. The new file browser in Mythic 3.3 has a lot of improvements to help with this:
Screenshot: Mythic 3.3 File Browser Helpful Hints
The new file browser has a few more buttons in the top navigation pane to help movement feel more natural. There are forward and backward icons to go through your traversal history as well as an up icon to go up a folder. If you get file browser data for a folder, Mythic will automatically infer that the parent folders must exist on the system, even though you haven’t explicitly listed them. To make this scenario clearer, Mythic now displays a message indicating that you don’t have data for this path explicitly and gives a helpful button to task an agent to list it.
On the right-hand side there’s a new button next to the file upload cloud. This is disabled by default, but when enabled, if you browse to a folder that has not yet been listed (such as in the screenshot above), then Mythic will automatically issue the list tasking for you. This allows you to quickly click through folders and have tasks kick off to fetch data without you explicitly clicking “list” each time.
If you try to list out the contents of a folder and get denied, Mythic will show a red exclamation point, but in Mythic 3.2 you wouldn’t get any additional context from the file browser itself. In Mythic 3.3, the file browser will change to show you the exact task that failed so you can see why (such as the access denied in the following screenshot):
Screenshot: Access Denied in File Browser
Situational Tracking
As you’re operating and you get many callbacks from your targets, it can be difficult to correlate which tab you’re interacting with and which callback that corresponds to. Similarly, when you’re browsing in the file browser, it can be easy to lose track of where you are in the tree view if you’re clicking through folders on the table view. To help with this, both the file browser and active callbacks table will auto scroll and highlight what you’re interacting with.
This means as you click between your active tabs, the corresponding callback is highlighted and scrolled into view if needed. In the screenshot below we have a file browser tab for callback 1757 selected and we can see the corresponding callback also highlighted at the top.
Screenshot: Active Callback Highlighting
Interactive Task Searching
One of the newer features of Mythic 3.2 is the ability to perform “interactive” actions through your normal async communications channels. This can manifest in a variety of different ways in agents, but a common implementation is to allow an operator to drop into a pseudo terminal on the target and run commands. When doing this through Poseidon's pty command, you drop into your specified terminal and get a full logon session, complete with the user’s environment, *rc files, and history. This also means you can save environment variables and even run sudo normally (including providing a password).
While this is extremely helpful, it breaks one of Mythic’s normal flows — task and output tracking. You’re issuing new tasks to your agent (which are tracked), but all of the output is smashed together through the interactive tasking command. While you’re interacting with the task, this isn’t a huge issue, but when it comes time to search, there’s no more correlation. In Mythic 3.2, this meant you’d have to specifically search for the overarching interactive task and just browse through all the output to find what you’re looking for. In Mythic 3.3 though, we can approximate the responses from around the time that the task was issued and guess what the output might be. In the screenshot below we can see that we issued whoami to a pty task. We fetch the first five results from the agent after that task was issued and return that to the user with an indication of which pty task this belonged to.
Screenshot: Interactive Tasking Search Results
There’s still plenty of room for improvement in this area, but this gets closer to bringing this sort of tasking inline with the normal Mythic tasking flows.
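The correlation heuristic described above (attribute to each command typed into a pty session the first few output chunks the agent returned after it was issued) is simple enough to model directly. The following is an added example, not Mythic’s own code; the record fields (task_id, issued_at, seq, received_at) are assumptions rather than Mythic’s database schema, and the timeline is constructed. It also exercises the weak spot the post acknowledges: two commands issued back to back get overlapping output, and an operator searching that output should be told the attribution is a guess.

```python
"""Approximate attribution of agent output to interactive (pty) sub-tasks.

Added example; this is not Mythic's code and the record fields are assumed,
not Mythic's database schema. It implements the heuristic the post describes:
for a command typed into a pty session, take the first N output chunks the
agent returned after that command was issued. The timeline below is constructed
and also shows the known weak spot of the heuristic: two commands issued in
quick succession are attributed overlapping output.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SubTask:
    task_id: int        # assumed field name
    issued_at: float    # seconds since session start; constructed
    command: str


@dataclass(frozen=True)
class OutputChunk:
    seq: int            # monotonically increasing per pty session
    received_at: float
    text: str


def correlate(subtasks: List[SubTask], chunks: List[OutputChunk],
              first_n: int = 5) -> Dict[int, List[OutputChunk]]:
    """Map each sub-task id to the first `first_n` chunks received at or after
    it was issued. Chunks are not consumed, so a later sub-task may be handed
    the same lines; that is the approximation, not a bug in the bookkeeping."""
    ordered = sorted(chunks, key=lambda c: (c.received_at, c.seq))
    attributed: Dict[int, List[OutputChunk]] = {}
    for st in sorted(subtasks, key=lambda s: s.issued_at):
        after = [c for c in ordered if c.received_at >= st.issued_at]
        attributed[st.task_id] = after[:first_n]
    return attributed


def overlapping_pairs(attributed: Dict[int, List[OutputChunk]]) -> List[Tuple[int, int]]:
    """Sub-task pairs whose attributed output shares at least one chunk; a
    non-empty result tells the operator the split view is only a guess there."""
    ids = sorted(attributed)
    pairs = []
    for i, a in enumerate(ids):
        seqs_a = {c.seq for c in attributed[a]}
        for b in ids[i + 1:]:
            if seqs_a & {c.seq for c in attributed[b]}:
                pairs.append((a, b))
    return pairs


def search_output(attributed: Dict[int, List[OutputChunk]], needle: str) -> List[int]:
    """The search use case from the post: which sub-task(s) does a fragment of
    output belong to?"""
    return sorted(tid for tid, cs in attributed.items()
                  if any(needle in c.text for c in cs))


# Constructed pty timeline: "whoami" and "id" typed back to back, "pwd" later.
SUBTASKS = [
    SubTask(1, 100.0, "whoami"),
    SubTask(2, 100.5, "id"),
    SubTask(3, 130.0, "pwd"),
]
CHUNKS = [
    OutputChunk(1, 100.2, "operator\n"),
    OutputChunk(2, 100.8, "uid=1000(operator) gid=1000(operator)\n"),
    OutputChunk(3, 101.0, "$ "),
    OutputChunk(4, 130.3, "/home/operator\n"),
    OutputChunk(5, 130.4, "$ "),
]

if __name__ == "__main__":
    by_task = correlate(SUBTASKS, CHUNKS, first_n=2)
    for tid, cs in by_task.items():
        print(tid, [c.text.strip() for c in cs])
    print("ambiguous pairs:", overlapping_pairs(by_task))
    print("'/home' found in sub-task(s):", search_output(by_task, "/home"))
```

With first_n=2 the "whoami" and "id" sub-tasks both claim chunk 2, which overlapping_pairs reports as (1, 2); "pwd", issued thirty seconds later, is attributed cleanly. Raising first_n to the post’s default of five widens the window and increases that overlap, which is the trade-off behind the "approximate" wording.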
Preferred Tasking Views
Since Mythic tracks tasks and their output, there are many ways we can display this data. The normal view is an accordion style where you expand the task to see the output, but can collapse it away to see more tasks at once. This can result in double scroll bars as you scroll through tasks and through large task output. To help with this, there’s also a “split tasking” view where all the tasks are on one side and all of the output is on another. You can only see one task’s output at a time, but at least there are no double scroll bars. The last view that’s currently in Mythic is an attempt at somewhere between the previous two — it’s a “console”-like view where there are accordions, but they’re all expanded by default and don’t collapse.
Naturally, everybody has their own preference as to the view they prefer, so Mythic 3.3 is allowing you to set that preference. The screenshot below shows a snippet of a user’s settings page where you can choose your preferred default.
Screenshot: User Tasking View Preferences
To make this preference even easier for users, you can double click any callback row and open a tab based on your interactive preferences (or you can click the icon next to your callback number in the table):
Screenshot: Context Menus on Callbacks
You can also now right-click anywhere in the active callbacks table and get a handy dropdown menu to interact with the callback (instead of having to click the small dropdown arrow). As you can see in the above screenshot, all of the tasking views are always available to choose from, but your preferred default will also change the icons next to the callback identifiers.
Host Networking
Mythic uses Docker and Docker Compose to organize the various main Mythic services as well as any third-party service you install (agents, C2 profiles, etc.). Because of this, the main Mythic binary runs within a Docker container with certain ports exposed for various things like SOCKS. This is of course a configurable field in Mythic/.env with the MYTHIC_SERVER_DYNAMIC_PORTS variable and the defaults set to ports 7000–7010.
However, when it comes to things like reverse port forwards, I’ve noticed this starts to cause an issue for people. A common scenario is to do a local port forward from the Mythic server to an operator’s attacker workstation, and then a reverse port forward from the target computer to that specified port on the Mythic server. Many people want to access this “local” port via 127.0.0.1 or localhost, but since the connection initiates from within a Docker container, those resolve to within the Docker container, not the host. This means people have to reference that “local” port on the Mythic server via the server’s IP address, but that can cause issues because additional firewall rules might come into play since you’re not accessing it via the loopback.
To combat all of this, there’s now an option in Mythic 3.3 in Mythic/.env for MYTHIC_DOCKER_NETWORKING. This is set to bridge by default and everything works as normal. If you set this to host and restart Mythic, then all of the Mythic services (mythic, jupyter, postgres, rabbitmq, nginx, react, graphql, etc) will change to host networking. The mythic-cli is smart enough to detect this change and adjust everything in the docker-compose properly to reflect this, as well as updating configs for the various services so that they are still bound to 127.0.0.1 by default (instead of 0.0.0.0). In our previous scenario though, it means that Mythic will be able to connect to that “local” port via the loopback interface properly.
Everything is still using Docker and Docker Compose, but the ability to switch to host networking provides a greater level of flexibility. There is a caveat though — Docker Desktop does not support host networking. So, if you’re just using Docker on a Linux computer, you’re fine, or if you’re using something like OrbStack on a macOS computer, you’re fine. If you’re using Docker Desktop on macOS or Windows though, then it’ll appear as though this feature will work, but none of your ports will actually be exposed to your host system. This is just due to how Docker Desktop works under the hood. Mythic uses host networking already for all installed third-party services (agents, C2 profiles, etc.), so those won’t work with Docker Desktop anyway.
Acknowledgements
I wanted to give a special shoutout to Lee Chagolla-Christensen. Lee provides a lot of valuable feedback and was the guiding force behind all of these awesome quality of life updates for operators.
Feedback
If you have any feedback, feature requests, bug reports, or just general comments about Mythic, any of its agents, or any of its C2 Profiles, please feel free to reach out on Twitter or in the BloodHound Slack!
Mythic 3.3 — Out of Beta was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Mythic 3.3 — Out of Beta appeared first on Security Boulevard.
There’s a well known mental model that lays out the premise that “the map is not the territory.” It’s a...
The post Choosing the Right DSPM Vendor: The Map is Not the Territory appeared first on Symmetry Systems.
The post Choosing the Right DSPM Vendor: The Map is Not the Territory appeared first on Security Boulevard.
As a database administrator, you don’t just maintain systems—you protect your organization’s most sensitive data. With the rise of AI, big data, and ever-tightening regulations, the challenge isn’t just in securing data; it’s in making sure that data remains accessible and usable. As data spreads across multiple formats and systems, data masking has become increasingly […]
The post Data Masking Challenges in Complex Data Environments and How to Tackle them first appeared on Accutive Security.
The post Data Masking Challenges in Complex Data Environments and How to Tackle them appeared first on Security Boulevard.
Our new Fastly Compute server-side integration is the latest in a range of 50+ integrations that ensure DataDome stops bad bots & fraud on any infrastructure.
The post DataDome Releases Fastly Compute Server-Side Integration appeared first on Security Boulevard.
Threat Intelligence Report
Date: August 28, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
As the US election approaches, the surge in political activity and heightened public interest make it an attractive target for cybercriminals. In each election cycle, billions of dollars are donated to support various candidates and political causes. For example, the 2020 US election saw an unprecedented amount of over $14 billion in donations, surpassing any previous election in US history. This enormous influx of funds creates opportunities for threat actors to exploit vulnerable donors and organizations.
One such tactic, which has been observed in the past and appears to be resurfacing, involves the creation of fake domains that closely mimic legitimate donation websites. In 2016, following the Democratic National Convention (DNC) hacks, Buzzfeed News reported that cybercriminals had set up fake domains to impersonate legitimate political websites, aiming to trick users into donating to fraudulent causes.
ActsBlue Phishing Site
Now, this tactic seems to be active again. The domain actsblue[.]com has been identified as a phishing site designed to look identical to actblue.com, the official platform for Democratic Party donations. Unlike the legitimate site actblue.com, which is registered with Amazon AWS, actsblue[.]com is registered with Namecheap, a registrar known for providing anonymity through redacted WHOIS data and accepting bitcoin payments. This anonymity makes it challenging to trace the domain back to the original threat actors, making it difficult to attribute it to the same group responsible for similar attacks in the past.
Look for Unlikely Account Names
One suspicious element of the phishing page is the large variety of payment options, some with unlikely account names:
Zelle Payment: diazjohana394@gmail[.]com
Cash App Payment: $MollyManisay
Venmo Payment: $JJWDiaz
Bitcoin Payment: bc1q856ynd25sf43suwcy4shlszdkkxk42ahlpe6ec
Ethereum Payment: 0xC8623b18327957751A2ffbEEdAd002319A52D367
USDT Ethereum (ERC20) Payment: 0xC8623b18327957751A2ffbEEdAd002319A52D367
For USDT Tron (TRC20) Payment: TGfoTqZLc3SNYkataG8pBf1vTvDf3Z62QK
A domain like this could be combined with phone calls, text messages, or emails to direct potential donors to the malicious site. This case underscores the importance of vigilance among donors and political organizations as the election draws near. Cybercriminals are likely to continue exploiting the chaotic and high-stakes environment to siphon funds and sow confusion.
Suspicious Domains Identified
In our investigation, we have identified a series of suspicious domains, all registered through domain.com and using the same nameservers: ns1.dotster.com and ns2.dotster.com. These domains include:
nationalcommittee[.]democrat
nationalcommittee[.]republican
republicanpac[.]net
democraticnationalcommittee[.]co
democratnationalcommittee[.]org
republicannationalcommittee[.]org
While some of these sites appear to accept donations, it is unclear where the funds are actually directed. The consistent configuration across these domains suggests they may have been registered by the same actor. We strongly advise against making donations through these sites until more information is available.
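The two signals the report leans on, a registrable label one edit away from a legitimate donation site (actsblue[.]com beside actblue.com) and a set of domains sharing one registrar and nameserver pair, can be checked mechanically over a domain list. The following is an added example, not part of the HYAS report and not HYAS tooling: it scores each candidate against a short allow-list of the two legitimate sites the report names, and clusters candidates by nameserver set. The domain names are the report’s (kept defanged); the nameserver data attached to each record is constructed for the example and only mirrors what the report states, and the nameservers given for actsblue[.]com and actblue.com are placeholders, not observed values.

```python
"""Triage of suspected donation-site lookalike domains.

Added example, not part of the HYAS report and not HYAS tooling. It applies two
checks the report's analysis rests on: (1) edit distance between a candidate's
registrable label and a short allow-list of legitimate donation sites, which
catches actsblue[.]com next to actblue.com, and (2) clustering candidates that
share a nameserver pair, which groups the six domain.com-registered sites.
Domain names come from the report (kept defanged); the nameserver data attached
to each record is CONSTRUCTED for this example, mirroring only what the report
states, and the placeholder nameservers for actsblue[.]com are invented.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LEGIT_DONATION_SITES = {"actblue.com", "winred.com"}  # named in the report


@dataclass(frozen=True)
class DomainRecord:
    domain: str                   # defanged, as published: "actsblue[.]com"
    nameservers: Tuple[str, ...]  # constructed for this example


def refang(domain: str) -> str:
    """Turn the report's defanged notation back into a normal hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'actsblue' for actsblue[.]com.

    Deliberately naive (no public-suffix list); adequate for the TLDs in the
    report (.com, .org, .net, .co, .democrat, .republican)."""
    parts = refang(domain).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def lookalike_of(candidate: str, max_distance: int = 2) -> Optional[Tuple[str, int, str]]:
    """Return (legit_domain, distance, reason) if the candidate resembles an
    allow-listed site, else None. Exact matches are never flagged."""
    if refang(candidate) in LEGIT_DONATION_SITES:
        return None
    label = registrable_label(candidate)
    best = None
    for legit in sorted(LEGIT_DONATION_SITES):
        legit_label = registrable_label(legit)
        distance = levenshtein(label, legit_label)
        if distance <= max_distance:
            reason = "edit-distance"
        elif legit_label in label:          # e.g. a "brand-donate" style label
            reason = "brand-substring"
        else:
            continue
        if best is None or distance < best[1]:
            best = (legit, distance, reason)
    return best


def nameserver_clusters(records: List[DomainRecord]) -> Dict[Tuple[str, ...], List[str]]:
    """Group domains by their (normalised) nameserver set; keep groups of 2+."""
    groups: Dict[Tuple[str, ...], List[str]] = {}
    for rec in records:
        key = tuple(sorted(ns.lower() for ns in rec.nameservers))
        groups.setdefault(key, []).append(refang(rec.domain))
    return {k: v for k, v in groups.items() if len(v) > 1}


def triage(records: List[DomainRecord]) -> Dict[str, List[str]]:
    """Per-domain list of findings; domains with no finding are omitted."""
    findings: Dict[str, List[str]] = {}
    for rec in records:
        hit = lookalike_of(rec.domain)
        if hit:
            findings.setdefault(refang(rec.domain), []).append(
                f"lookalike of {hit[0]} ({hit[2]}, distance {hit[1]})")
    for key, members in nameserver_clusters(records).items():
        for d in members:
            findings.setdefault(d, []).append(
                f"shares nameservers {','.join(key)} with {len(members) - 1} other domains")
    return findings


# Constructed sample input: the report's domains plus example nameserver data.
DOTSTER_NS = ("ns1.dotster.com", "ns2.dotster.com")   # stated in the report
SAMPLE_RECORDS = [
    DomainRecord("actsblue[.]com", ("ns1.placeholder.invalid", "ns2.placeholder.invalid")),
    DomainRecord("nationalcommittee[.]democrat", DOTSTER_NS),
    DomainRecord("nationalcommittee[.]republican", DOTSTER_NS),
    DomainRecord("republicanpac[.]net", DOTSTER_NS),
    DomainRecord("democraticnationalcommittee[.]co", DOTSTER_NS),
    DomainRecord("democratnationalcommittee[.]org", DOTSTER_NS),
    DomainRecord("republicannationalcommittee[.]org", DOTSTER_NS),
    DomainRecord("actblue.com", ("ns-placeholder-a.invalid", "ns-placeholder-b.invalid")),
]

if __name__ == "__main__":
    for domain, reasons in triage(SAMPLE_RECORDS).items():
        print(domain, "->", "; ".join(reasons))
```

Note that the six committee-style domains are not close to either legitimate label and pass the edit-distance check; only the shared-nameserver clustering surfaces them, which matches the report’s reasoning that their consistent configuration, rather than their names, ties them together. The allow-list is deliberately tiny; in practice it would hold every brand the organisation cares about, and a public-suffix list would replace the naive label extraction.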
Warning: Be Cautious When Making Donations
As the election season heats up, it’s crucial to be vigilant about where you send your donations. Cybercriminals often take advantage of the heightened emotions and urgency surrounding elections to deceive well-meaning donors. If you receive a request for a donation via phone call, email, or text message, always verify the legitimacy of the source before proceeding. Do not click on links or provide payment information unless you are certain that the request is genuine.
For those wishing to support political campaigns, the official websites for donations are:
Republican Party: winred.com
Democratic Party: actblue.com
Donating through these sites ensures that your contributions are directed to the intended recipients.
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
The post Special Bulletin: US Election Phishing Alert appeared first on Security Boulevard.
Xi whiz: Versa Networks criticized for swerving the blame.
The post China Cyberwar Coming? Versa’s Vice: Volt Typhoon’s Target appeared first on Security Boulevard.
The CISO Global Pen Testing Team Earlier this month, a group of our intrepid pen testers from our Readiness & Resilience team at CISO Global ventured into the heart of the hacking world at DEFCON 32 in Las Vegas. This annual pilgrimage to the mecca of cybersecurity (and more importantly, hacking) is more than just […]
The post Badge Life: The CISO Team Takes on DEF CON appeared first on CISO Global.
The post Badge Life: The CISO Team Takes on DEF CON appeared first on Security Boulevard.
As we continue our Summer School blog series, let's focus on a vital aspect of modern application security: the relationship between API posture governance, API security, and the constantly changing regulatory compliance landscape.
In today's interconnected world, where APIs are crucial for digital interactions, organizations are challenged with securing their APIs while complying with complex regulations designed to protect sensitive data and critical infrastructure.
The Rise of API-Centric Regulations
Industries in healthcare, finance, retail, and manufacturing are experiencing a significant increase in regulations that directly affect the management and security of APIs. Non-compliance with these regulations can result in severe penalties, highlighting the importance of implementing strong API governance and security measures:
API posture governance enables organizations to set and uphold consistent security policies throughout their entire API ecosystem. This proactive approach guarantees that APIs comply with regulatory mandates, industry best practices, and internal security standards. Key benefits of API posture governance include:
Robust API security is essential for safeguarding sensitive data and mitigating the risk of unauthorized access, data leaks, and cyberattacks. Critical components of API security include:
In today's highly regulated digital environment, it's crucial for organizations to prioritize robust API governance and security. These practices are essential for safeguarding sensitive data, maintaining customer trust, and ensuring overall business resilience. At Salt Security, as a leading API security provider, we offer a comprehensive AI-infused platform that addresses API governance and security requirements. With advanced features such as panoramic discovery, full lifecycle governance, and AI-powered threat defense, Salt equips organizations to confidently navigate regulatory requirements and strengthen their defenses against evolving threats.
If you want to learn more about Salt and how we can help you on your API Security journey through discovery, posture management, and run-time threat protection, please contact us, schedule a demo, or check out our website.
The post Mastering API Compliance in a Regulated World appeared first on Security Boulevard.
Reading Time: 4 min Discover how automation has revolutionized email security. Learn about the benefits of AI, threat intelligence, and tools like PowerDMARC in safeguarding your inbox from phishing, spam, and malware.
The post The Role of Automation in Protecting Email Systems appeared first on Security Boulevard.
Discover the key differences between SOC 2 and SAS 70, and learn why SOC 2 is the modern standard for ensuring data security and compliance.
The post SOC 2 vs. SAS 70: A Comprehensive Comparison appeared first on Scytale.
The post SOC 2 vs. SAS 70: A Comprehensive Comparison appeared first on Security Boulevard.
Welcome to our deep dive into the world of Kubernetes, where we share some of the top lessons our site reliability engineers (SREs) have learned from years of managing this complex yet essential cloud-native technology. During a recent Kubernetes Clinic webinar, SRE Brian Bensky joined me, and we talked through our extensive experience managing K8s for clients, helping clients go beyond just running clusters to using Kubernetes as a platform that enables you to run applications successfully. Let’s walk through these lessons learned to help anyone navigating Kubernetes.
The post Top 10 Lessons Learned from Managing Kubernetes from the Trenches appeared first on Security Boulevard.
The recent standardization of first three post-quantum cryptography (PQC) encryption and digital signature algorithms by the U.S. National Institute of Standards and Technology (NIST) has officially kicked off the race to PQC readiness. In its PQC press release, NIST cites predictions that within the next decade, a cryptographically-relevant quantum computer (CRQC) capable of running Shor’s […]
The post Quantum Computing and the Risk to Classical Cryptography appeared first on Security Boulevard.
Azul announced Java Hero Awards for 17 organizations and individuals who have achieved innovative world-class results with Java.
The post We Celebrate Our Customers’ Successes with Java appeared first on Azul | Better Java Performance, Superior Java Support.
The post We Celebrate Our Customers’ Successes with Java appeared first on Security Boulevard.
The Oregon Zoo's recent data breach serves as a stark reminder of the urgent need for robust cybersecurity measures in today's digital landscape. With over 117,000 payment card details potentially compromised, this incident underscores the vulnerabilities that organizations face when it comes to eSkimming (client-side) attacks and PCI DSS compliance.
The post Oregon Zoo Data Breach Exposes Payment Card Information appeared first on Source Defense.
The post Oregon Zoo Data Breach Exposes Payment Card Information appeared first on Security Boulevard.
Broadcom today at the VMware Explore 2024 conference extended its VMware vDefend portfolio to include generative artificial intelligence (AI) capabilities in addition to extending its software-defined edge computing portfolio to provide deeper integrations with networking and security platforms that its VMware business unit provides.
The post Broadcom Extends VMware Cybersecurity Portfolio appeared first on Security Boulevard.
Applications are typically tested and guaranteed to function on specific Linux distributions, but may work on others as well. Kernel versions, libraries, and system calls are key factors affecting binary compatibility between distributions. Differences in the operating system’s ABI (Application Binary Interface) are also a frequent source of compatibility problems. Binary compatibility is an […]
The post What is binary compatibility, and what does it mean for Linux distributions? appeared first on TuxCare.
The post What is binary compatibility, and what does it mean for Linux distributions? appeared first on Security Boulevard.
As a part of the Microsoft security update, the tech giant had released several fixes to address 90 critical security flaws. Reports claim that 10 of them have zero day vulnerabilities and 6 out of these 10 have fallen prey to threat actor attempts for exploitation. In this article, we’ll cover these fixes and the […]
The post Microsoft Security Update: 90 Critical Vulnerabilities Fixed appeared first on TuxCare.
The post Microsoft Security Update: 90 Critical Vulnerabilities Fixed appeared first on Security Boulevard.
Choosing the correct cybersecurity service provider is critical for any business in today’s digital world. Rather than selecting a vendor, due diligence is required to secure your data, systems, and networks. To help you make your choice, here are the top 7 questions to ask cybersecurity service providers: 1. What is your experience in handling […]
The post Top 7 Questions to Ask Cybersecurity Service Providers first appeared on StrongBox IT.
The post Top 7 Questions to Ask Cybersecurity Service Providers appeared first on Security Boulevard.
In a recent conversation with Evan Kirstel on the What’s Up with Tech? podcast, Axio CEO Scott Kannry discussed the intersection of cybersecurity and risk management, highlighting the unique approach
The post Scott Kannry on the What’s Up with Tech? Podcast appeared first on Axio.
The post Scott Kannry on the What’s Up with Tech? Podcast appeared first on Security Boulevard.