Why DLP System Without Behavioral Analytics Is Blind to Slices
DLP sees the content and the transmission channel. It works when a document stamped "confidential" goes to personal mail or is copied to a USB stick. But an insider who has worked at the company for three years knows which files are marked with...
On February 13, 2026, CISA gave organizations three days to remediate CVE-2026-1731, a pre-authentication RCE in BeyondTrust Remote Support with CVSS 9.9. Three days. The vulnerability was already being used in active ransomware campaigns before most teams had managed to download the patch, let alone test it...
During the pre-engagement phase of a pentest of an industrial company, I fed the root domain into cl.sh and got back 47 subdomains. The IT department knew about 28 of them. Among the remaining 19: the staging environment of the corporate ERP, a Jenkins instance without authentication, and three dev environments with expired...
When we analysed a similar case from the defender's side for a media organization, the picture was painfully familiar: the corporate SIEM did not see mobile traffic, MDM checked only the OS version, and the journalist used a work iPhone without Lockdown Mode. Three anomalous DNS...
CI/CD-pipeline as an attack surface
CI/CD (Continuous Integration / Continuous Delivery) is a pipeline that automatically builds, tests and delivers code from the repository to production. For a developer, it means faster releases. For a pentester, it is a chain of servers, tokens and...
Why CVSS is not enough to prioritize patches by risk
CVSS has long been the only language in which vulnerability management talks to business and IT. A vulnerability with CVSS 9.8 is critical: patch immediately. CVSS 4.0 can wait. In practice, this logic is falling apart.
CVSS evaluates the technical...
Five entries in the CISA KEV catalog in three years: that is how many times Ivanti EPMM has demanded emergency patching as an actively exploited product. Four of the five CVEs have an EPSS score above 0.8, and CVE-2023-35078 holds the absolute maximum of the scale, 1.0. According to Unit 42 (Palo Alto Networks)...
Wednesday, 14:20, the third day of an internal pentest at a fintech company. Through Responder and NTLM relay I get a foothold on an accountant's workstation, a standard combination for initial access on the internal network. By 15:00, a full dump of the Bitwarden vault: 340 records, including...
Business logic of fraud: what is behind an anomalous transaction
The scale is concrete. According to the AFP Payments Fraud and Control Survey, fraud affects about 80% of organizations each year. According to Juniper Research estimates, total losses from online payment fraud...
CI/CD pipeline as an attack surface: why a pentester needs to know it
Before building scanners, it is worth looking at the pipeline through the attacker's eyes. CI/CD is a full-fledged attack surface with its own TTPs in MITRE ATT&CK. More details in our detailed analysis...
Introduction
In general, I do not write write-ups for tasks that already have one on the platform. However, after solving it, I decided to read that write-up and did not like it much: there is no information on why a newcomer might hit a dead end, so here I will describe in great detail, step by...
At the API of a cryptocurrency fintech service, I found TLS 1.0 with RC4 on three internal endpoints used for inter-service communication, not updated since 2018 because "it does not face the outside". A month and a half after the fix, the threat intelligence team recorded on the network equipment the...
On the last internal pentest at a fintech company, 14 of the 18 workstations were running macOS Sequoia on M3 chips. Cobalt Strike beacon, SharpHound, Rubeus: the whole familiar arsenal was useless for the first two days. It simply would not start. The entire kill chain had to be rebuilt for a platform that...
Over the past two years, I have dealt with more than fifty incidents where initial access began with a single login/password pair from a stealer log. In seven out of ten cases, less than 48 hours passed from the first login with the stolen credentials to domain admin. The record in the public domain is...
On a telecom operator pentest last year, I spent two days on the perimeter: WAF, minimal surface, the standard story. The entry point turned up where nobody expected it: Jira Service Management exposed to contractors. Self-registration on the Service Desk, an account in three minutes, then SSRF via batch...
The attacker substituted someone else's identifier in the request, and the server returned the data. No exploit, no WAF bypass, just GET /api/orders/1254 with someone else's ID. According to Snyk, this is a classic Broken Object Level Authorization scenario, number one in the OWASP API...
The business logic of the attack: why RMM is the perfect engine of scale
An MSP by definition has privileged access to the infrastructure of dozens, sometimes hundreds, of customers. The RMM agent, whether Kaseya VSA, ConnectWise Automate or Datto RMM, runs with SYSTEM rights and is able...
DownUnderCTF 2023 served more than 2000 teams on 68 challenges, withstood a peak of 32 100 requests per second and cost $876 AUD over two weeks on Google Cloud, including a full test environment. During the competition, 4579 isolated challenge instances were created (data from public...
Morning. Grafana shows 340 Gbps of inbound UDP traffic on the border routers of a fintech company where layered protection was tuned six months ago. The normal baseline is 12 Gbps. The on-duty SOC analyst classifies it as NTP reflection/amplification from four ASNs and within a couple of minutes switches traffic to a...
On one IR case at a fintech company, we took a RAM dump via WinPmem: a RAT on a developer's workstation was found on Thursday morning, and the full memory image was started four hours after the response began. Bitwarden was locked automatically: the user had last used the vault two hours before we arrived...