<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: 0trust0day</title>
    <description>The latest articles on DEV Community by 0trust0day (@0trust0day).</description>
    <link>https://dev.to/0trust0day</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3336185%2Ffcd3c123-d602-49a7-86cc-74427a7a8fed.jpg</url>
      <title>DEV Community: 0trust0day</title>
      <link>https://dev.to/0trust0day</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/0trust0day"/>
    <language>en</language>
    <item>
      <title>Hacking Instagram &amp; LinkedIn: Costs, Tactics, and How to Defend Against Them</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Wed, 13 Aug 2025 01:09:52 +0000</pubDate>
      <link>https://dev.to/0trust0day/hacking-instagram-linkedin-costs-tactics-and-how-to-defend-against-them-2628</link>
      <guid>https://dev.to/0trust0day/hacking-instagram-linkedin-costs-tactics-and-how-to-defend-against-them-2628</guid>
      <description>&lt;p&gt;From phishing to AiTM Proxies and Infostealers — Real Tactics, Prices and Defense Strategies&lt;br&gt;
In an era where social media has become an inseparable part of business, careers, and personal life, account theft has evolved into a high-tech industry. Instagram is the storefront for brands and influencers; LinkedIn is the platform for professional networking and job hunting. Losing access can cost thousands of dollars in lost revenue, irreparable reputational damage, or even legal trouble. In this piece, we break down the evolution of attacks — from primitive schemes to sophisticated operations — backed by real 2024–2025 cases, and outline defense mechanics that work in 2025.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1arctqk6mdm2458odobz.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1arctqk6mdm2458odobz.jpeg" alt=" " width="800" height="448"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Anatomy of an Attack: From Mass “Funnels” to Precision Strikes&lt;br&gt;
Forget about the simple password brute-forcing of the early 2000s. Today, attacks on Instagram and LinkedIn form an ecosystem — complete with specialized tooling, commercial malware, and multi-stage kill chains that resemble corporate workflows.&lt;/p&gt;

&lt;p&gt;Mass campaigns are like marketing funnels: from thousands of targets, hundreds get compromised. The focus is on speed and volume — attackers use automated spam bots, purchase email lists on dark web marketplaces, and rely on probability: even a 1–2% hit rate pays for itself. In 2025, these campaigns are often disguised as “algorithm updates” or “security checks” from the platforms.&lt;/p&gt;

&lt;p&gt;Targeted operations are sniper shots. They can involve months of reconnaissance, digital footprint analysis, and personalized bait crafting. Costs can reach tens of thousands of dollars, but the prize is high-value accounts: influencers with millions of followers or executives with access to corporate networks. According to Menlo Security’s 2025 reports, such attacks have surged by 40% among C-level executives.&lt;/p&gt;

&lt;p&gt;Reconnaissance: Building the Digital Dossier&lt;br&gt;
Every successful compromise begins with OSINT (Open Source Intelligence):&lt;/p&gt;

&lt;p&gt;Geolocation &amp;amp; Activity: Time zones, IP ranges, habitual locations from posts or photo metadata.&lt;br&gt;
Social graph: Friends, colleagues, family — to impersonate trusted senders.&lt;br&gt;
Technical profile: Devices (iOS/Android), browsers (Chrome/Safari), OS — to tailor malware payloads.&lt;br&gt;
Behavioral markers: Posting times, language style, engagement frequency.&lt;br&gt;
Trust vectors: MFA method (SMS, authenticator app, hardware keys) to determine bypass strategies.&lt;br&gt;
For high-value targets, attackers also profile “windows of vulnerability” — when the victim is online, from which networks, and sometimes monitor messaging apps for personalized phishing lures.&lt;/p&gt;

&lt;p&gt;The Attack Arsenal: From Classics to Cutting-Edge&lt;br&gt;
Classic Phishing — Still Alive, but Evolved&lt;br&gt;
Victims are lured to fake login pages visually identical to the real ones. The password gets stolen, though MFA can still stop the breach. In 2025, phishing is often paired with malvertising — malicious ads in legitimate networks.&lt;/p&gt;

&lt;p&gt;Proxy Phishing (Adversary-in-the-Middle, AiTM)&lt;br&gt;
The real game-changer: tools like Evilginx3, Modlishka, or their forks set up a proxy bridge. The victim sees the real Instagram/LinkedIn site, passes MFA (even corporate-level), but the proxy intercepts both the password and the session token. That token allows login without reauthentication — the system believes it’s still you.&lt;br&gt;
In 2025, AiTM setups are integrated with AI to automate lures: bots craft personalized messages mimicking a colleague’s style.&lt;/p&gt;

&lt;p&gt;Next-Gen Infostealers&lt;br&gt;
Platforms like LummaC2, RedLine Stealer, and Raccoon v2 steal not just credentials but cookies, tokens, and crypto keys from browser storage. They can “resurrect” a session on another machine, bypassing MFA entirely.&lt;/p&gt;

&lt;p&gt;Delivery vectors:&lt;br&gt;
Fake software updates (“Instagram Analytics Tool”).&lt;br&gt;
Trojanized apps in unofficial stores.&lt;br&gt;
Macro-laced documents disguised as résumés or contracts.&lt;br&gt;
According to Chainalysis, in 2025 infostealers compromised over 50,000 Instagram accounts for resale on forums like BreachForums.&lt;/p&gt;

&lt;p&gt;Browser Extension Exploits&lt;br&gt;
Malicious add-ons — often posing as ad blockers or password managers — can access the DOM, read form inputs, intercept requests, and alter page content. In 2025, several such extensions with millions of downloads were pulled from the Chrome Web Store.&lt;/p&gt;

&lt;p&gt;Other Vectors: Wi-Fi, SIM Swaps, and Malware&lt;br&gt;
Fake Wi-Fi access points: In public places, used to inject AiTM proxies.&lt;br&gt;
SIM swap: Social engineering telecom support to duplicate a SIM and intercept SMS-based MFA codes.&lt;br&gt;
Trojanized documents/installers: Disguised as “LinkedIn Premium Tools.”&lt;/p&gt;

&lt;p&gt;Why Platform Defenses Can Still Be Bypassed&lt;br&gt;
Instagram and LinkedIn deploy top-tier protections:&lt;br&gt;
Cookie flags: Secure, HttpOnly, SameSite to block XSS and cross-domain attacks.&lt;br&gt;
HSTS: Enforces HTTPS.&lt;br&gt;
MFA: Mandatory for business accounts.&lt;br&gt;
But weaknesses remain:&lt;/p&gt;

&lt;p&gt;AiTM: Tokens pass through the proxy “legitimately.”&lt;br&gt;
Device compromise: Malware runs in your context.&lt;br&gt;
Extensions: Privileged access bypasses cookie protections.&lt;br&gt;
In 2025, platforms rolled out Continuous Access Evaluation (CAE) — real-time session risk assessment — but it’s no silver bullet against AiTM.&lt;/p&gt;

&lt;p&gt;Covering Tracks: Mimicry and Chaos&lt;br&gt;
Attackers blend in:&lt;br&gt;
Noise injection: Spam floods, TDoS (telephone denial-of-service) to distract the target.&lt;br&gt;
Behavioral mimicry: Activity during your normal hours, from your IP range (via VPN or compromised devices).&lt;br&gt;
Technical cleanup: Log deletion, “sleep mode” malware, cloud-hosted infrastructure (AWS, Azure) for deniability.&lt;/p&gt;

&lt;p&gt;Real Cases, 2024–2025&lt;br&gt;
“LinkedIn Executives” (2024–2025): AiTM attacks targeting tech company execs. Fake HR invites led to proxy sites; tokens were intercepted, accounts used for espionage. Menlo Security recorded a 30% increase in 2025.&lt;br&gt;
“InstaBusiness”: LummaC2 disguised as a “promotion tool” compromised over 20,000 business accounts; data sold for crypto.&lt;br&gt;
New 2025 case: “Wi-Fi Hunter”: Airport-based fake networks delivering AiTM for LinkedIn; victims were business travelers.&lt;/p&gt;

&lt;p&gt;Defense Architecture: From Passkeys to CAE&lt;br&gt;
Phishing-resistant authentication: Passkeys/FIDO2 — cryptographically bound to the domain, unusable on fake sites.&lt;br&gt;
Context binding: Device, network, and behavior checks render stolen tokens useless.&lt;br&gt;
CAE: Continuous risk evaluation — session revocation on anomalies.&lt;br&gt;
Bonus: AI-based platform monitoring to detect AiTM activity.&lt;/p&gt;

&lt;p&gt;Checklist for Users and Businesses&lt;br&gt;
Switch to passkeys/hardware keys (YubiKey) over SMS codes.&lt;br&gt;
Audit extensions: Remove unused ones, check permissions.&lt;br&gt;
Session monitoring: End suspicious sessions in account settings.&lt;br&gt;
VPN &amp;amp; updates: Use corporate VPNs, keep OS/browsers updated.&lt;br&gt;
Alerts: Enable login notifications; review geolocation logs.&lt;br&gt;
For businesses: Deploy CAE for corporate accounts; conduct OSINT training.&lt;/p&gt;

&lt;p&gt;Compromise Indicators&lt;br&gt;
Technical:&lt;br&gt;
Sessions from unfamiliar locations/IPs.&lt;br&gt;
Unusual User-Agent strings or API calls.&lt;br&gt;
Unexpected changes to recovery info (email, phone).&lt;/p&gt;

&lt;p&gt;Behavioral:&lt;br&gt;
Activity at odd hours.&lt;br&gt;
Strange messages sent to contacts.&lt;br&gt;
Shifts in posting style.&lt;/p&gt;

&lt;p&gt;Cybersecurity as Strategy&lt;br&gt;
Attacks on Instagram and LinkedIn are now a business model — where your data is the commodity. Understanding the mechanics (from AiTM to infostealers) is the key to defense. In 2025, a traditional antivirus is not enough; a layered security strategy — from passkeys to behavioral monitoring — is essential. If your digital identity is an asset, protect it like one.&lt;/p&gt;

&lt;p&gt;The Exact Cost of a Targeted Attack on a High-Profile LinkedIn User&lt;br&gt;
The exact cost of a targeted attack on a high-profile LinkedIn user depends on multiple factors: the level of preparation, tools used, geographic region, attack objectives (financial damage, espionage, compromise), and the attackers’ skillset. Based on cyber threat intelligence and open-source data (including underground forums and cybersecurity reports from 2024–2025), we can break down the main cost components and provide an approximate range.&lt;/p&gt;

&lt;p&gt;Factors Influencing Cost&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Reconnaissance (OSINT)
Building a digital dossier (geolocation, social graph, technical profile) requires tools and time. OSINT services on underground forums start at $100–500 per profile, but for a C-level executive with a limited digital footprint, the cost can reach $2,000–5,000.&lt;/li&gt;
&lt;li&gt;Tools
AiTM Proxies (Evilginx, Modlishka): Free for experienced hackers, but setup and hosting cost $200–1,000.
Infostealers (LummaC2, RedLine): Licenses on underground forums go for $100–500/month.
Fake domains/sites: Domain registration costs $10–50, but high-quality LinkedIn clones with SSL and hosting can run up to $1,000.
VPN/proxy infrastructure for mimicry: $50–200.&lt;/li&gt;
&lt;li&gt;Social Engineering
Creating fake HR or colleague profiles: $50–200 per aged account.
Personalized phishing emails/messages: $500–2,000 if hiring a social engineering specialist.
Example: The “LinkedIn Executives” campaign (2024) used fake HR profiles to target C-level employees.&lt;/li&gt;
&lt;li&gt;Compromise Stage
SIM swap to bypass SMS MFA: $500–3,000 (varies by carrier and region).
Malicious extensions/software: Custom malware development — $1,000–5,000.
Buying access: Pre-compromised LinkedIn accounts on forums cost $50–500, but for executives the price can be much higher.&lt;/li&gt;
&lt;li&gt;Covering Tracks
Using legitimate infrastructure (AWS, Azure) or disposable servers: $100–1,000.
TDoS or spam flooding for distraction: $200–1,000.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Approximate Cost Ranges&lt;br&gt;
Basic targeted attack: Simple phishing with minimal recon, ready-made tools, and a fake profile — $1,000–5,000.&lt;br&gt;
Mid-tier attack: AiTM proxy, personalized social engineering, use of infostealers — $5,000–15,000.&lt;br&gt;
High-end (C-level target): Full recon, custom malware, SIM swap or insider assistance, advanced mimicry — $15,000–50,000+.&lt;/p&gt;

&lt;p&gt;Real-World Examples &amp;amp; Benchmarks&lt;br&gt;
“LinkedIn Executives” (2024): Evilginx-based attacks on tech company executives were valued at $10,000–30,000 per operation, including profile creation, proxy setup, and token harvesting. Goal: corporate network access. &lt;a href="https://www.itpro.com/security/cyber-attacks/linkedin-social-engineering-attacks" rel="noopener noreferrer"&gt;https://www.itpro.com/security/cyber-attacks/linkedin-social-engineering-attacks&lt;/a&gt;&lt;br&gt;
Underground forums: In 2025, BreachForums offered “targeted LinkedIn phishing” for $2,000–10,000 for high-profile users, with an additional $5,000 for corporate MFA bypass.&lt;br&gt;
Whaling attacks: According to GreatHorn (2021, adjusted for 2025 inflation), executive-targeted attacks cost $5,000–20,000 but could yield up to $1.8M in damages. &lt;a href="https://www.institutedata.com/us/blog/understanding-whaling-in-cybersecurity/" rel="noopener noreferrer"&gt;https://www.institutedata.com/us/blog/understanding-whaling-in-cybersecurity/&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Why These Costs Are High&lt;br&gt;
High-value targets: Executives have access to finances, confidential data, and corporate systems. One compromised account can cause millions in damages.&lt;br&gt;
Complexity: Bypassing MFA, corporate VPNs, and behavioral analytics requires substantial resources.&lt;br&gt;
Risk: Attackers invest in obfuscation to avoid detection and LinkedIn account suspension.&lt;/p&gt;

&lt;p&gt;Who Can Afford This?&lt;br&gt;
For lone hackers, such attacks are often unprofitable due to time and resource demands. But for organized groups (e.g., Lazarus Group, Nobelium APT) sponsored by nation-states or major cybercrime syndicates, the ROI justifies the cost — especially for espionage or large-scale financial fraud.&lt;/p&gt;

&lt;p&gt;The Economics of Mass Attacks: Why They’re Profitable&lt;br&gt;
Mass campaigns operate like a “sales funnel”: attackers send thousands of phishing messages knowing that even a small success rate will generate profit. At a 15% success rate, out of 3,000 targeted accounts, around 450 accounts would be compromised. For an operation costing €5,000, this works out to ~€11 per account — extremely cheap considering the potential value of these accounts.&lt;/p&gt;

&lt;p&gt;Why Mass Attacks Work&lt;br&gt;
Low Cost of Entry&lt;br&gt;
Tools: Ready-made phishing platforms (e.g., EvilProxy or custom frameworks) cost €100–500/month. Hosting phishing sites: €50–200. Proxy services for masking: €50–100.&lt;br&gt;
Data lists: Email lists (legitimate or from breaches) are sold on underground forums for €100–1,000 depending on quality and size.&lt;br&gt;
Automation: Bots for bulk messaging and campaign management minimize labor costs. Automation software: €200–1,000.&lt;/p&gt;

&lt;p&gt;Scale Offsets Risk&lt;br&gt;
Even at a 15% hit rate (450 accounts), attackers gain assets they can monetize:&lt;br&gt;
Account sales: In 2025, LinkedIn accounts sell for €5–50 (regular) and €100–500 (high-value, e.g., managers, HR) on forums like BreachForums.&lt;br&gt;
Extortion: Business account access can be used for ransom (€500–5,000).&lt;br&gt;
Corporate espionage: Accidentally hitting a C-level exec can yield access to corporate data worth tens of thousands.&lt;br&gt;
BEC (Business Email Compromise): Using a compromised account to send phishing from a trusted source — potential returns from $10,000 to millions.&lt;/p&gt;

&lt;p&gt;“Trophy” Targets by Chance&lt;br&gt;
Among 450 compromised accounts, some will inevitably belong to valuable individuals (directors, investors, HR). Just one such account could bring €1,000–10,000 via resale or BEC exploitation.&lt;/p&gt;

&lt;p&gt;Cost Breakdown for a Mass Attack (€5,000 for 3,000 Accounts)&lt;br&gt;
Expense Structure&lt;br&gt;
Email lists (3,000 addresses): Quality LinkedIn-targeted database by region/industry — €500–1,000.&lt;br&gt;
Phishing sites: Development of 3–5 fake LinkedIn login pages with SSL — €200–500. Disposable server hosting — €100–200.&lt;br&gt;
Tools:&lt;/p&gt;

&lt;p&gt;AiTM proxy (Evilginx, etc.): €200–500 setup and server rental.&lt;br&gt;
Infostealers (RedLine, LummaC2): €100–300 license.&lt;br&gt;
Distribution: Renting SMTP servers or botnets for spam — €500–1,000.&lt;br&gt;
Social engineering: Template emails with minimal personalization (“Verify your LinkedIn profile”) — €500 for creation and testing.&lt;br&gt;
Masking: Proxy/VPN for campaign control — €100–300.&lt;br&gt;
Extras: TDoS or spam floods for distraction — €300–500.&lt;br&gt;
Total: €2,600–4,600, comfortably within the €5,000 budget including overhead or hired operators.&lt;/p&gt;

&lt;p&gt;ROI&lt;br&gt;
450 accounts (15% of 3,000):&lt;br&gt;
Regular accounts (90%, ~405): Sold at €5–20 = €2,025–8,100.&lt;br&gt;
High-value accounts (10%, ~45): Sold at €100–500 = €4,500–22,500.&lt;br&gt;
Potential revenue: €6,500–30,000+ per campaign.&lt;/p&gt;

&lt;p&gt;Additional schemes:&lt;br&gt;
BEC from 1–2 high-value accounts: €10,000 to $1M.&lt;br&gt;
Extortion: €500–5,000 per account.&lt;br&gt;
Profitability: Even at minimal monetization (€6,500), the campaign returns 30–100% profit. One captured executive account can multiply earnings dramatically.&lt;/p&gt;

&lt;p&gt;Comparison with Targeted Attacks&lt;br&gt;
Targeted attacks on executives cost $15,000–50,000 (~€14,000–47,000). Mass campaigns at €5,000 have lower precision but:&lt;/p&gt;

&lt;p&gt;Lower risk: Less effort on stealth, spread over thousands of targets.&lt;br&gt;
Bonus finds: High-value victims appear by chance.&lt;br&gt;
Scalability: Easily scaled to 10,000+ accounts with marginal cost increase.&lt;br&gt;
Real Case (2025)&lt;br&gt;
According to CrowdStrike (2025), a mass campaign against LinkedIn using the LummaC2 infostealer cost organizers $6,000 (€5,500) to target 5,000 accounts. With a 12% success rate (600 accounts), 5% (30 accounts) belonged to mid- and high-level managers. Selling the data brought $15,000, and using the accounts for BEC generated another $50,000.&lt;/p&gt;

&lt;p&gt;Comparison of Targeted vs. Mass LinkedIn Attacks: Investment and ROI (2025)&lt;br&gt;
Based on analysis of data from cybersecurity reports (IBM Cost of a Data Breach 2025, Verizon DBIR 2025, Hoxhunt Phishing Trends 2025, among others), as well as trends on underground forums and real-world cases (e.g., Phishing-as-a-Service offerings from $250/month to $1,500 per campaign), we can compare targeted and mass attack models.&lt;/p&gt;

&lt;p&gt;Targeted attacks focus on specific high-value individuals (e.g., executives), requiring reconnaissance and personalization. Mass attacks rely on volume (thousands of emails) with minimal personalization but high scalability.&lt;/p&gt;

&lt;p&gt;I divided targeted attacks into three levels of complexity (basic, mid, high) and mass attacks into two (basic, mid), as indicated below. “Investment” refers to the attacker’s costs (tools, reconnaissance, infrastructure). “ROI” is the potential profit (account resale, BEC, extortion) minus investment.&lt;/p&gt;

&lt;p&gt;Figures are estimates for 2024–2025: average success rate for targeted attacks ~20–50% (due to focus), for mass attacks ~10–15% (Verizon DBIR). Monetization: standard LinkedIn accounts sell for $5–50; high-value (executive) accounts sell for $100–1,000+; BEC can yield $10k–$1M+ per account (FBI IC3 2025). Average global cost of a phishing incident to a victim is ~$4.88M, while for attackers, profit can be 10x to 100x their investment.&lt;/p&gt;

&lt;p&gt;Comparison Table&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr71tifnlf10wui38jl56.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr71tifnlf10wui38jl56.png" alt=" " width="800" height="656"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Key Insights&lt;br&gt;
Investment: Mass attacks are cheaper per target (~$1–5/account vs. $1k+ for targeted), but require volume. Targeted attacks cost more due to recon (OSINT up to $5k) but focus ROI on a single victim.&lt;br&gt;
Profitability: Mass campaigns win on scale and “accidental trophies” (up to 100x ROI if an executive is hit), but average ROI is lower due to low-value accounts. Targeted campaigns have higher ROI for top tiers (up to 100x) but carry higher detection risk (68% of attacks detected — Verizon 2025). Globally, phishing generates ~$10.5T annually for cybercriminals (Cybersecurity Ventures 2025), with BEC as the top revenue source ($2.9B victim losses in 2024).&lt;br&gt;
2025 Trends: AI-generated phishing (e.g., ChatGPT-assisted) reduces costs by 20–30% (SlashNext) and boosts mass campaign effectiveness by up to 1,265%. Spear-phishing makes up 65% of attacks (Symantec), but mass campaigns are growing 4,151% with AI.&lt;br&gt;
Attacker Risk: Mass attacks carry lower risk (anonymity), targeted ones higher (traceability, e.g., a $43k loss case from a LinkedIn attack).&lt;br&gt;
These figures are estimates; actual values depend on region, tools, and monetization methods. For businesses: invest in passkeys (reduces risk by 90%, IBM 2025) and phishing-awareness training.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>hacker</category>
      <category>webdev</category>
      <category>infosec</category>
    </item>
    <item>
      <title>ScarCruft’s Sophisticated Malware Attack: Rust, PubNub, and Compromised Repos</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Thu, 07 Aug 2025 20:48:10 +0000</pubDate>
      <link>https://dev.to/0trust0day/scarcrufts-sophisticated-malware-attack-rust-pubnub-and-compromised-repos-2bbe</link>
      <guid>https://dev.to/0trust0day/scarcrufts-sophisticated-malware-attack-rust-pubnub-and-compromised-repos-2bbe</guid>
      <description>&lt;p&gt;North Korea’s ScarCruft (aka APT37) has unleashed a chilling new malware campaign targeting South Korean users, blending espionage with ransomware and leveraging modern tech like Rust and PubNub. As developers, we need to understand this attack’s mechanics—especially its potential to exploit GitHub and GitLab repositories—to protect our projects and communities. Let’s dive into the details.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwxcg649agiunliri9cxa.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwxcg649agiunliri9cxa.png" alt=" " width="800" height="531"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The Attack Chain&lt;br&gt;
The campaign begins with a deceptive RAR archive posing as a postal-code update notice. Inside is a malicious LNK file that, when executed, deploys an AutoIt loader. This loader fetches multiple payloads from a command-and-control (C2) server, including:&lt;/p&gt;

&lt;p&gt;NubSpy: A backdoor using PubNub’s real-time messaging for stealthy C2 communication.&lt;/p&gt;

&lt;p&gt;CHILLYCHINO: A Rust-based backdoor, ported from PowerShell, designed for performance and evasion.&lt;br&gt;
VCD Ransomware: Encrypts files with a .VCD extension, marking ScarCruft’s first foray into ransomware.&lt;br&gt;
This multi-stage infection chain, uncovered by S2W’s TALON, showcases ScarCruft’s evolution from espionage to financially motivated attacks.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsofksk603xoc0bvinwd1.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsofksk603xoc0bvinwd1.png" alt=" " width="800" height="708"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Rust and PubNub: A Modern Twist&lt;br&gt;
ScarCruft’s use of Rust in CHILLYCHINO is a game-changer. Rust’s compiled nature offers cross-platform compatibility and lower antivirus detection rates compared to PowerShell. Its performance boosts payload efficiency, making it harder for security tools to flag. The backdoor’s structure, like pub struct C2Channel { pubnub_client: PubNub, channel_id: String, encryption_key: [u8; 32] }, highlights ScarCruft’s technical sophistication.&lt;br&gt;
PubNub serves as the C2 channel for NubSpy, blending malicious traffic with legitimate API calls. This abuse of real-time messaging platforms, a tactic ScarCruft has used since 2017 with services like Ably, ensures low-latency command relay while evading network detection.&lt;/p&gt;

&lt;p&gt;The Supply Chain Threat&lt;br&gt;
Here’s where it gets scary for developers: ScarCruft may be targeting GitHub and GitLab repositories. The attack vector involves compromising the accounts of library authors whose packages are recommended by AI tools like ChatGPT or Claude. Once in control, attackers insert obfuscated malware installers into these repos. Unsuspecting developers, trusting AI suggestions, download and integrate these tainted packages, inadvertently deploying NubSpy, CHILLYCHINO, or VCD Ransomware.&lt;/p&gt;

&lt;p&gt;This supply chain attack exploits our reliance on open-source ecosystems and AI-driven workflows, turning trusted platforms into infection vectors.&lt;/p&gt;

&lt;p&gt;Why It Matters&lt;br&gt;
ScarCruft’s shift to ransomware alongside espionage signals a broader threat. Historically focused on North Korean defectors and South Korean entities, their reach now spans Japan, Vietnam, and beyond. The use of modern languages and legitimate services like PubNub shows how state-sponsored actors adapt to bypass defenses.&lt;/p&gt;

&lt;p&gt;Protect Your Projects&lt;br&gt;
Verify Repositories: Always check the authenticity of GitHub/GitLab repos before integrating packages. Look for unusual commits or contributor activity.&lt;br&gt;
Scrutinize AI Recommendations: Be cautious with AI-suggested libraries; cross-reference them with trusted sources.&lt;br&gt;
Scan Downloads: Use antivirus tools to scan archives and LNK files before execution.&lt;br&gt;
Backup Code: Regular backups (e.g., with GitProtect) can mitigate ransomware damage.&lt;/p&gt;

&lt;p&gt;ScarCruft’s campaign is a wake-up call for developers. By leveraging Rust, PubNub, and compromised repos, they’re exploiting the tools we rely on. Stay vigilant, secure your dependencies, and let’s keep our open-source community safe. Share your thoughts below! 💻&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>hacker</category>
      <category>programming</category>
    </item>
    <item>
      <title>How Crypto Drainers Became Criminal SaaS: A Deep Dive into Web3 Theft Infrastructure</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Tue, 05 Aug 2025 20:21:14 +0000</pubDate>
      <link>https://dev.to/0trust0day/how-crypto-drainers-became-criminal-saas-a-deep-dive-into-web3-theft-infrastructure-15jc</link>
      <guid>https://dev.to/0trust0day/how-crypto-drainers-became-criminal-saas-a-deep-dive-into-web3-theft-infrastructure-15jc</guid>
      <description>&lt;p&gt;The next wave of cybercrime isn’t about single hackers — it’s about fully-automated platforms with better UX than your bank.&lt;/p&gt;

&lt;p&gt;Cryptocurrency theft in 2025 doesn’t look like a hacker furiously typing in the dark. It looks like a streamlined, well-branded platform. It’s automated. It has dashboards, support teams, profit-sharing models, user-friendly interfaces, and live Telegram integration. It’s SaaS — except it’s criminal.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz0qd3fjhxg0hmit5ysnt.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz0qd3fjhxg0hmit5ysnt.jpeg" alt=" " width="800" height="448"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In this article, we’ll examine how so-called Crypto Drainers have evolved into a powerful cybercriminal ecosystem. We'll focus on groups like RublevkaTeam, who offer turnkey phishing infrastructures targeting Solana and TON users. These aren’t one-off tools — they’re productized services. And yes, the UX is better than many fintech startups.&lt;/p&gt;

&lt;p&gt;What Is a Crypto Drainer?&lt;br&gt;
In hacker jargon, a Crypto Drainer refers to a set of automated tools designed to steal crypto assets from unsuspecting users. These tools are most effective when integrated into phishing campaigns — typically fake airdrops, giveaways, or Web3 applications that mimic legitimate wallet interactions.&lt;/p&gt;

&lt;p&gt;For example:&lt;br&gt;
A user clicks a link to “claim” an airdrop.&lt;br&gt;
A Telegram WebApp or fake Phantom/Tonkeeper UI opens.&lt;br&gt;
The user is prompted to approve a transaction.&lt;br&gt;
The transaction actually drains their wallet of SOL, TON, NFTs, or tokens.&lt;br&gt;
Drainers have become so modular that any entry-level criminal can deploy one with zero technical skills — and that’s the problem.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbqbrv2l9z9gzrjpz394d.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbqbrv2l9z9gzrjpz394d.png" alt=" " width="800" height="787"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Case Study: RublevkaTeam&lt;br&gt;
RublevkaTeam is one of the most “professional” underground players in this space. Active since 2023, they advertise their services across dark forums and Telegram groups, boasting:&lt;br&gt;
700+ positive reviews&lt;br&gt;
$45,000+ in deposits from clients&lt;br&gt;
35+ ready-to-use phishing offers (TON/Solana)&lt;br&gt;
Telegram bots for automation&lt;br&gt;
Real-time draining, spoofed token injection, bypasses for wallets&lt;/p&gt;

&lt;p&gt;Their product offering includes:&lt;br&gt;
Solana Drainer: supports 80+ wallets, hidden SOL draining, Phantom spoofing, SPL2022 token handling, fake balance injection.&lt;br&gt;
TON Drainer: supports fake Jetton/NFT airdrops, hidden TON withdrawal, fake refunds, automated gas fee coverage.&lt;/p&gt;

&lt;p&gt;This isn’t just malware — it’s a Criminal Infrastructure-as-a-Service (CriminalIaaS) business.&lt;/p&gt;

&lt;p&gt;C2C — Criminals Serving Criminals&lt;br&gt;
RublevkaTeam operates in a B2B format — or rather, C2C: Criminal-to-Criminal. Their service is designed to be consumed by other cybercriminals who don’t have time or skills to build their own phishing infrastructure.&lt;/p&gt;

&lt;p&gt;Here’s how it works:&lt;br&gt;
You submit a request through their Telegram bot.&lt;br&gt;
You get access to a ready-made draining kit.&lt;br&gt;
You configure your phishing offer (or use a prebuilt one).&lt;br&gt;
Victims fall for the bait, and RublevkaTeam takes a cut of the profits (typically 70/30 or 75/25).&lt;br&gt;
It’s a criminal affiliate model. And it works frighteningly well.&lt;/p&gt;

&lt;p&gt;Automation Meets UX&lt;br&gt;
One of the most disturbing aspects of modern drainers is how polished they are.&lt;br&gt;
These aren’t sloppy scripts — they are full-stack applications with:&lt;br&gt;
Real-time stats and dashboards&lt;br&gt;
Multi-language support&lt;br&gt;
Deep wallet integration (via QR code, deep links, WebApp APIs)&lt;br&gt;
Optimized UI/UX to increase phishing conversion&lt;br&gt;
Honeypot-style deception (fake tokens/NFTs shown as rewards)&lt;br&gt;
Auto-hosting and domain rotation&lt;br&gt;
Telegram-based CRM&lt;/p&gt;

&lt;p&gt;If you’re a Web3 developer, you’ll instantly recognize the level of detail. The phishing funnel is optimized like a sales funnel. And yes, they A/B test.&lt;/p&gt;

&lt;p&gt;They Don’t Attack CIS Countries. Why?&lt;br&gt;
One common clause you’ll see in such operations:&lt;br&gt;
“Strictly no CIS targets.”&lt;/p&gt;

&lt;p&gt;This isn’t out of principle — it’s self-preservation. Many Eastern European groups avoid targeting Russian-speaking regions to:&lt;br&gt;
Minimize risk of local law enforcement scrutiny&lt;br&gt;
Avoid retaliation from local threat actors&lt;br&gt;
Stay “patriotic” in underground terms&lt;/p&gt;

&lt;p&gt;Western targets? Fair game. Most victims come from the U.S., EU, and other developed economies. And since the crypto space is inherently borderless, these operations scale easily.&lt;/p&gt;

&lt;p&gt;Crypto Drainers vs. Security Protocols&lt;br&gt;
Why can’t wallets stop this?&lt;/p&gt;

&lt;p&gt;Because in most cases, the user willingly signs the transaction. Wallets like Phantom, Tonkeeper, and MetaMask do warn users — but once someone clicks “Approve,” the game is over.&lt;/p&gt;

&lt;p&gt;Common evasion tactics:&lt;br&gt;
Using spoofed UIs that match legitimate apps&lt;br&gt;
Leveraging Telegram’s WebApp bridge to appear trusted&lt;br&gt;
Simulating fake token inflows to bait interaction&lt;br&gt;
Disguising withdrawal requests as “verify” or “sync”&lt;/p&gt;

&lt;p&gt;These drainers exploit the trust assumptions in Web3 wallet architecture. Unless drastic protocol-level changes are introduced (e.g., transaction risk scoring, intent systems), users will remain vulnerable.&lt;/p&gt;

&lt;p&gt;The UX Gap in Security&lt;br&gt;
Let’s be honest:&lt;br&gt;
Cybercrime platforms have better UX than most Web3 startups.&lt;/p&gt;

&lt;p&gt;They understand their user: other criminals.&lt;br&gt;
They prioritize ease of deployment, mobile-first flows, and plug-and-play phishing kits.&lt;br&gt;
They offer support. They localize. They update fast.&lt;/p&gt;

&lt;p&gt;Security products, by contrast, lag behind — often bloated, slow, or overly technical. This UX gap is one reason drainer services are thriving.&lt;/p&gt;

&lt;p&gt;From Hackers to Privateers&lt;br&gt;
This evolution isn’t just technical — it’s economic and political.&lt;/p&gt;

&lt;p&gt;Today’s drainer operators resemble digital privateers — pirates operating with informal state tolerance or at least indifference. They build their empires on jurisdictional blind spots, fragmented enforcement, and crypto’s permissionless ethos.&lt;/p&gt;

&lt;p&gt;Unlike traditional cybercrime that relied on brute-force or malware, these groups scale by building platforms — like Stripe or Shopify for phishing.&lt;/p&gt;

&lt;p&gt;The shift is real:&lt;br&gt;
From hackers → to infrastructure providers&lt;br&gt;
From scripts → to SaaS&lt;br&gt;
From hits → to recurring revenue&lt;/p&gt;

&lt;p&gt;What Developers Can Learn&lt;br&gt;
Even if you’re not working in security, this trend affects you:&lt;/p&gt;

&lt;p&gt;Designing wallet integrations?&lt;br&gt;
Assume they’ll be cloned for phishing.&lt;/p&gt;

&lt;p&gt;Building Web3 frontends?&lt;br&gt;
Focus on UX clarity. Help users distinguish real from fake.&lt;/p&gt;

&lt;p&gt;Shipping smart contracts?&lt;br&gt;
Educate users on how NOT to approve malicious transactions.&lt;/p&gt;

&lt;p&gt;Working on wallets or protocols?&lt;br&gt;
Push for safer UX flows: intent-based transactions, signature warnings, simulation previews.&lt;/p&gt;

&lt;p&gt;Final Thoughts&lt;br&gt;
Crypto drainers like RublevkaTeam signal a dangerous new chapter in cybercrime. The tooling is robust. The operation is scalable. The impact is global.&lt;/p&gt;

&lt;p&gt;This isn’t fringe activity anymore — it’s a business. And just like with the rise of ransomware-as-a-service, the longer we ignore it, the harder it will be to stop.&lt;/p&gt;

&lt;p&gt;The future of security depends not only on better encryption or audits, but on understanding how attackers think, build, and scale — and matching that with real, user-friendly defense.&lt;/p&gt;

&lt;p&gt;Have thoughts or want to see a real phishing kit analyzed in code?&lt;br&gt;
Drop a comment — I’m preparing a teardown of TON-based WebApp drainers next.&lt;/p&gt;

&lt;p&gt;#security #crypto #web3 #drainers #offensivesecurity #ton #solana #webapps #wallets #uxdesign&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>cryptocurrency</category>
      <category>web3</category>
      <category>blockchain</category>
    </item>
    <item>
      <title>Unmasking the Great Firewall: How I Explored QUIC Censorship and Ways to Bypass It</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Tue, 05 Aug 2025 16:47:09 +0000</pubDate>
      <link>https://dev.to/0trust0day/unmasking-the-great-firewall-how-i-explored-quic-censorship-and-ways-to-bypass-it-1di3</link>
      <guid>https://dev.to/0trust0day/unmasking-the-great-firewall-how-i-explored-quic-censorship-and-ways-to-bypass-it-1di3</guid>
      <description>&lt;p&gt;For years, I’ve been immersed in the world of network monitoring systems (Lawful Interception system also), both building them and finding ways to circumvent them. This dual perspective gives me a unique lens to appreciate the monumental work done by the GFW Report team (&lt;a href="https://gfw.report/publications/usenixsecurity25/en/?utm_source=Securitylab.ru" rel="noopener noreferrer"&gt;https://gfw.report/publications/usenixsecurity25/en/?utm_source=Securitylab.ru&lt;/a&gt;). Their study, presented at the USENIX Security Symposium 2025, titled “Exposing and Circumventing SNI-based QUIC Censorship of the Great Firewall of China,” dives deep into how China’s Great Firewall (GFW) tackles the QUIC protocol. I can confirm they nailed it—describing exactly how it works. For instance, I’ve seen firsthand that at night, when network traffic is low, it’s far easier to filter, restrict, or even capture data than during the day when data flows are massive. In this article, I’ll walk you through how GFW censors QUIC, its vulnerabilities, and the clever ways anti-censorship communities are bypassing it.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn77n45cmc0p1acad7afp.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fn77n45cmc0p1acad7afp.jpg" alt=" " width="800" height="452"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;What Is QUIC and Why It Matters&lt;/h2&gt;

&lt;p&gt;QUIC (Quick UDP Internet Connections) is a cutting-edge transport protocol, developed by Google and standardized by the IETF in 2021 (RFC 9000). It powers HTTP/3, offering low latency, full packet encryption, and congestion control at the browser level. According to Cloudflare, by 2024, over 30% of web requests ran on QUIC, making it a cornerstone of the modern internet.&lt;/p&gt;

&lt;p&gt;Having worked with network protocols, I can tell you QUIC is a leap forward from TLS over TCP. It runs on UDP, reducing delays, and encrypts all packets, including the initial one (QUIC Initial), which carries the TLS Client Hello with the Server Name Indication (SNI) field, specifying the server’s domain name. Here’s the catch: while the QUIC Initial packet is encrypted, its key can be derived from public data—Destination Connection ID (DCID) and a version-specific salt. This makes QUIC vulnerable to analysis by passive observers like the GFW.&lt;/p&gt;

&lt;h2&gt;How the GFW Censors QUIC&lt;/h2&gt;

&lt;p&gt;In April 2024, I learned about a new GFW tactic: instead of blanket-blocking the QUIC protocol, as it did before, the firewall started selectively censoring connections based on SNI. The GFW Report team confirmed that the GFW now:&lt;/p&gt;

&lt;p&gt;Decrypts QUIC Initial packets on the fly: Using the DCID and salt, it extracts the TLS Client Hello contents, including the SNI.&lt;/p&gt;

&lt;p&gt;Applies heuristic filters: If the SNI matches a blacklisted domain, the GFW blocks all subsequent UDP packets from the client to the server for 180 seconds.&lt;/p&gt;

&lt;p&gt;Blocks based on a tuple: The block uses a combination of (source IP, destination IP, destination port). Server-to-client packets, however, pass through unaffected.&lt;/p&gt;

&lt;p&gt;This approach blew me away with its technical sophistication. The GFW isn’t just intercepting packets—it’s analyzing them in real time, which demands serious computational power. But, like any complex system, it has weak spots, which I’ll get to shortly.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Daily Rhythm of Censorship
&lt;/h2&gt;

&lt;p&gt;My experience tells me that network filters’ effectiveness hinges on traffic load. The GFW Report team found a clear daily cycle: at night (00:00–06:00 China time), when traffic is low, censorship is nearly flawless. During the day, under peak loads, a significant chunk of QUIC connections with blacklisted SNIs slips through. This is due to the high computational cost of decrypting QUIC Initial packets. I’ve noticed this myself—filtering and restricting data is much smoother at night when traffic is light compared to the daytime data deluge.&lt;/p&gt;

&lt;h2&gt;
  
  
  Port Filtering and Other Quirks
&lt;/h2&gt;

&lt;p&gt;The GFW uses a clever filter: it only blocks connections where the source port is higher than the destination port (e.g., client port &amp;gt; 443). This helps it ignore server traffic, as clients typically use high ephemeral ports (32768–65535). Another quirk is that the GFW doesn’t reassemble fragmented QUIC Initial packets, leaving it vulnerable to bypasses that split SNI across packets. Also, censorship only targets QUIC version 1 (byte pattern 0x00000001), leaving QUIC version 2 unaffected.&lt;/p&gt;

&lt;p&gt;The researchers tested non-standard packets and found that the GFW:&lt;br&gt;
Blocks packets with zero-length CRYPTO frames if they contain a blacklisted SNI.&lt;br&gt;
Ignores packets with invalid protocol versions or incorrect authentication tags.&lt;br&gt;
Doesn’t analyze domains in other TLS extensions, like ALPN.&lt;br&gt;
These simplifications remind me of approaches I’ve seen in HTTPS monitoring systems, where SNI is also the primary target. The GFW clearly prioritizes speed over precision, a trade-off I’ve encountered in similar systems.&lt;/p&gt;

&lt;h2&gt;GFW’s Vulnerabilities: Denial and Degradation Attacks&lt;/h2&gt;

&lt;h2&gt;
  
  
  Availability Attack
&lt;/h2&gt;

&lt;p&gt;One of the most alarming discoveries by the GFW Report team is how the QUIC censorship mechanism can be weaponized for denial-of-service attacks. An attacker forging a victim’s IP address can send a QUIC Initial packet with a blacklisted SNI, triggering a 180-second block of all UDP connections from the victim to the target server. By repeating these packets, the block can be sustained indefinitely.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;I was stunned by their experiment:&lt;/strong&gt;&lt;br&gt;
They spoofed QUIC Initial packets from 32 AWS EC2 instances worldwide, targeting a server in Guangzhou.&lt;br&gt;
In 17 cases, connections were fully blocked; in 7, partially blocked due to asymmetric routes or different GFW nodes. The remaining 8 were unaffected, likely due to varying network paths.&lt;br&gt;
Such an attack could, for example, block external DNS resolvers, causing widespread internet disruptions.&lt;br&gt;
I’ve encountered similar vulnerabilities in filtering systems, and they’re always a concern. The GFW Report team responsibly disclosed this to CNCERT on January 22, 2025. While no direct response came, by March 13, 2025, the GFW stopped blocking incoming QUIC connections, partially mitigating the issue. However, the attack remains viable for traffic originating in China.&lt;/p&gt;

&lt;h2&gt;
  
  
  Degradation Attack
&lt;/h2&gt;

&lt;p&gt;Another vulnerability that caught my eye is the degradation attack. The GFW Report team showed that flooding the GFW with QUIC Initial packets (even with non-censored SNIs) can overwhelm it, reducing its ability to block connections. Their experiment:&lt;br&gt;
From a U.S. node, they sent packets to a /14 network containing a Chinese server, at rates from 100 to 1500 kpps.&lt;br&gt;
At 1200 kpps, over 60% of connections with blacklisted SNIs went unblocked.&lt;br&gt;
Control tests with random UDP packets of the same length didn’t cause degradation, confirming the issue lies in QUIC processing.&lt;br&gt;
This reminds me of techniques I’ve used to stress-test monitoring systems. The high computational load of decryption makes the GFW vulnerable, especially during peak hours.&lt;/p&gt;

&lt;h2&gt;Bypassing the Censorship&lt;/h2&gt;

&lt;p&gt;Having worked on bypassing filtering systems, I always look for ways to exploit architectural weaknesses. The GFW Report team proposed several effective methods, now adopted by anti-censorship communities:&lt;/p&gt;

&lt;p&gt;High destination ports: If the destination port is ≥ the source port, the GFW ignores the connection. This can be implemented using iptables to redirect traffic to a high port (e.g., 65535).&lt;/p&gt;

&lt;p&gt;Preceding UDP packet: Sending a random UDP packet before the QUIC Initial makes the GFW treat it as the stream’s first packet, ignoring subsequent QUIC packets.&lt;/p&gt;

&lt;p&gt;QUIC Initial fragmentation: Splitting SNI across multiple UDP datagrams or QUIC frames prevents GFW analysis. Mozilla Firefox (version 137) and quic-go (v0.52.0) have adopted this.&lt;/p&gt;

&lt;p&gt;Connection migration: QUIC allows changing network parameters (IP or port) after the 1-RTT handshake, bypassing blocks.&lt;/p&gt;

&lt;p&gt;Encrypted Client Hello (ECH): ECH encrypts SNI with an asymmetric key, invisible to the GFW. It’s unblocked as long as the outer SNI isn’t blacklisted.&lt;/p&gt;

&lt;p&gt;Version negotiation: Sending a QUIC Initial with an unsupported version (e.g., QUIC v2) triggers a Version Negotiation packet, and the GFW ignores subsequent packets.&lt;/p&gt;

&lt;p&gt;I’ve seen similar tactics work against other censorship systems. Packet fragmentation, for instance, is a classic way to evade deep packet inspection (DPI). The GFW Report team shared these findings with developers of Mozilla Firefox, quic-go, Hysteria, V2Ray, and others. By May 2025, quic-go v0.52.0 implemented SNI-slicing, enabling many tools to bypass censorship seamlessly.&lt;/p&gt;

&lt;h2&gt;Comparing QUIC Censorship to Other Mechanisms&lt;/h2&gt;

&lt;p&gt;Analyzing GFW’s blacklists, I noticed the QUIC blacklist covers about 58,000 domains (out of 7 million in the Tranco list), smaller than DNS (107,000), HTTP (105,000), and TLS-SNI (102,000) lists. About 40,000 domains overlap across all lists, while 11,000 are unique to QUIC, with only 2,300 supporting QUIC. This suggests preemptive blocking, anticipating future QUIC adoption.&lt;/p&gt;

&lt;p&gt;My experience points to a decentralized GFW architecture. Different censorship mechanisms likely run under separate teams, complicating coordination but broadening coverage.&lt;/p&gt;

&lt;h2&gt;Ethics and Responsibility&lt;/h2&gt;

&lt;p&gt;Working on both sides of the censorship fence, I’ve grappled with ethical dilemmas. The GFW Report team handled this thoughtfully:&lt;/p&gt;

&lt;p&gt;Availability attack: They tested it only on their own servers to avoid harm. Disclosing it to CNCERT was necessary to protect users.&lt;/p&gt;

&lt;p&gt;Degradation attack: Since it only affects GFW infrastructure, they shared it with anti-censorship communities first to avoid aiding censors.&lt;/p&gt;

&lt;p&gt;Network monitoring: Experiments used limited TTL and network metrics to avoid impacting third parties.&lt;/p&gt;

&lt;p&gt;I share their stance: fighting censorship is justified if it minimizes harm to innocent users.&lt;/p&gt;

&lt;p&gt;My journey in network security has taught me that even the most sophisticated systems have flaws. The GFW Report’s work exposed the GFW’s QUIC censorship as both powerful and vulnerable, due to computational limits, simplified packet processing, and port-based filtering. Their degradation and availability attacks highlight these weaknesses, while their bypass methods—from fragmentation to ECH—prove censorship can be overcome.&lt;/p&gt;

&lt;p&gt;As someone who’s seen both sides, I’m in awe of the GFW Report team’s rigor. They didn’t just uncover how QUIC censorship works; they handed the anti-censorship community actionable solutions now helping millions. It’s a reminder that in the fight for a free internet, ingenuity and engineering will always have the upper hand.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>DNS: The Hidden Battlefield No One Talks About</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Thu, 31 Jul 2025 23:47:11 +0000</pubDate>
      <link>https://dev.to/0trust0day/dns-the-hidden-battlefield-no-one-talks-about-46lf</link>
      <guid>https://dev.to/0trust0day/dns-the-hidden-battlefield-no-one-talks-about-46lf</guid>
      <description>&lt;p&gt;Forget endpoints. Forget zero-days. If you control DNS, you control everything.&lt;/p&gt;

&lt;p&gt;🧠 Introduction&lt;br&gt;
In most threat models, DNS is barely an afterthought. It's treated as infrastructure — assumed to work, expected to be stable, and too boring to be worth attacking. But what if I told you that DNS remains one of the most potent and under-defended attack vectors in modern cybersecurity?&lt;br&gt;
&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknvrhtm85lytvn7415l5.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fknvrhtm85lytvn7415l5.jpg" alt=" " width="800" height="452"&gt;&lt;/a&gt;&lt;br&gt;
In this article, I’ll share insights from a real Red Team operation where temporary control over DNS allowed us to silently intercept sensitive internal data from a highly fortified corporate target — without tripping a single alarm.&lt;/p&gt;

&lt;p&gt;We didn’t use malware.&lt;br&gt;
We didn’t need exploits.&lt;br&gt;
We just understood how trust in the internet works.&lt;/p&gt;

&lt;p&gt;🎯 The Setup: An "Unbreakable" Target&lt;br&gt;
Our client was an ultra-secure division of a multinational enterprise — think: tax optimization across continents, billions in assets, and defense-grade operational security.&lt;/p&gt;

&lt;p&gt;Double VPN + SOCKS5 proxy chains&lt;br&gt;
Multi-layered cloud + peer-to-peer infrastructure&lt;br&gt;
Hardware tokens + MFA across endpoints&lt;br&gt;
SIEM + EDR + audit trails everywhere&lt;/p&gt;

&lt;p&gt;For 8 months, we got nowhere. Traditional pentesting failed. But then, we changed tactics: we went after DNS.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fje0vibusf6qewlnhn744.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fje0vibusf6qewlnhn744.png" alt=" " width="800" height="1027"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;🔍 Finding the Weak Link&lt;br&gt;
We used OSINT and behavioral profiling to map the internal IT hierarchy. Forget C-level execs — we targeted sysadmins and their habits. Eventually, one exposed credential set (stored in a private cloud folder) led us to...&lt;/p&gt;

&lt;p&gt;👉 Full access to the company’s DNS registrar.&lt;/p&gt;

&lt;p&gt;Not the web server.&lt;br&gt;
Not the firewall.&lt;br&gt;
The domain controller. The real one.&lt;/p&gt;

&lt;p&gt;🧪 The Attack: Temporary DNS Hijack&lt;br&gt;
We didn’t deface or reroute everything. We did something much smarter:&lt;br&gt;
Modified MX records and internal service domains&lt;br&gt;
Activated our DNS servers for only 20–30 minutes each morning&lt;br&gt;
Captured emails and internal messaging data silently&lt;br&gt;
Switched DNS back to normal before TTL expired&lt;/p&gt;

&lt;p&gt;This tiny window, repeated for a week, gave us dozens of credentials, financial documents, and strategic communications. It was stealthy, passive, and extremely hard to detect.&lt;/p&gt;

&lt;p&gt;🧱 Why This Worked&lt;br&gt;
DNS changes are rarely monitored in real-time.&lt;br&gt;
Registrar credentials are often overlooked in security audits.&lt;br&gt;
TTL and caching hide short-term changes from basic logs.&lt;br&gt;
Most SIEM systems don’t correlate DNS anomalies unless trained to do so.&lt;/p&gt;

&lt;p&gt;⚠️ Lessons Learned&lt;br&gt;
DNS is a trust layer, not just a routing layer.&lt;br&gt;
Short-term control is just as dangerous as long-term takeover.&lt;br&gt;
Your registrar credentials are crown jewels — treat them that way.&lt;br&gt;
Monitor NS and MX records like you monitor logins and SSH keys.&lt;/p&gt;

&lt;p&gt;🛡️ What You Should Do&lt;br&gt;
Use domain registrar services that support MFA and role-based access.&lt;br&gt;
Lock DNS changes behind quorum or change-approval workflows.&lt;br&gt;
Monitor DNS logs with TTL-aware anomaly detection.&lt;br&gt;
Use registry lock features (where available) to freeze domain changes.&lt;br&gt;
Periodically audit who has access to registrar accounts — and from where.&lt;/p&gt;

&lt;p&gt;💬 Final Thoughts&lt;br&gt;
We often assume that DNS is someone else’s problem — a “network thing” that just needs to resolve queries. But when attackers think creatively, DNS becomes the perfect place to hide, redirect, and silently compromise trust.&lt;/p&gt;

&lt;p&gt;In a world of Zero Trust, DNS should not be an exception.&lt;br&gt;
It’s time we treated it like what it really is: a battlefield.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>programming</category>
      <category>cybersecurity</category>
      <category>infosec</category>
    </item>
    <item>
      <title>Hudson Cybertec: A Benchmark in WP and DNS Security</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Thu, 31 Jul 2025 08:03:43 +0000</pubDate>
      <link>https://dev.to/0trust0day/hudson-cybertec-a-benchmark-in-wp-and-dns-security-3pag</link>
      <guid>https://dev.to/0trust0day/hudson-cybertec-a-benchmark-in-wp-and-dns-security-3pag</guid>
      <description>&lt;p&gt;As part of my ongoing public evaluation of cybersecurity firms, today’s focus is on Hudson Cybertec — a Dutch company specializing in industrial cybersecurity. As always, I limit my review to the public-facing footprint only, ensuring everything remains fully legal and ethical. But let’s be honest — most real-world attacks begin precisely at the edge: DNS configurations, exposed subdomains, CMS fingerprints, and misconfigured cloud services.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31v9go1yxfi8gvhiqajx.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F31v9go1yxfi8gvhiqajx.png" alt=" " width="800" height="449"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;With Hudson Cybertec, I encountered something rare in this field: a security-first web infrastructure that actually matches the company’s own promises. From DNS to CMS, this organization sets a shining example of what a well-secured digital perimeter should look like.&lt;/p&gt;

&lt;p&gt;Locked Down DNS: No Loose Ends&lt;br&gt;
The DNS configuration is a masterclass in restraint and control. All publicly resolvable records are routed through Cloudflare and Microsoft cloud infrastructure, without any unnecessary exposure. There are no misconfigured SPF records, dangling MX entries, or unprotected APIs. Subdomains that often trip up even mature cybersecurity firms — such as exposed SonarQube, Grafana, Jenkins, or Kibana instances — are entirely absent here.&lt;/p&gt;

&lt;p&gt;There’s no trace of test environments, leftover Kubernetes dashboards, or forgotten staging setups that are frequently found on other firms’ domains. The DNS attack surface is practically non-existent, which is exactly how a cybersecurity company should present itself to the world.&lt;/p&gt;

&lt;p&gt;WordPress: Obfuscated and Fortified&lt;br&gt;
Let’s talk CMS. While both ZAP and CMSeeK detect WordPress fingerprints (likely due to the public JS bundle structure), Hudson Cybertec has managed to cloak their WordPress instance to the point of invisibility.&lt;/p&gt;

&lt;p&gt;No /wp-login.php, no /xmlrpc.php, no default paths, no open REST API endpoints. And when I threw wpscan at the site? It simply stopped — unable to move past the initial phase.&lt;/p&gt;

&lt;p&gt;That’s right: even automated WP enumeration is thwarted at step one.&lt;/p&gt;

&lt;p&gt;Does the site use WordPress? Almost certainly. But it’s so heavily customized, hardened, and obfuscated that detecting it becomes a challenge in itself. This is exactly what secure WordPress deployment should look like in 2025: minimalist, shielded, and surgically controlled.&lt;/p&gt;

&lt;p&gt;Room for Improvement? Barely.&lt;br&gt;
No site is flawless, and Hudson Cybertec is no exception. While the CSRF protection doesn’t cover every surface (which is notoriously difficult to fully achieve on WordPress), it’s a minor concern in an otherwise bulletproof setup.&lt;/p&gt;

&lt;p&gt;Still, given how hard it is to retrofit complete CSRF defense into WordPress — especially when operating with loginless visitor flows or API endpoints — this isn't a failure, but rather a limitation of the underlying CMS.&lt;/p&gt;

&lt;p&gt;Final Verdict: A Gold Standard&lt;br&gt;
In a landscape where even cybersecurity vendors frequently neglect their own digital hygiene, Hudson Cybertec stands apart.&lt;/p&gt;

&lt;p&gt;✅ Hardened DNS with zero overexposure&lt;br&gt;
✅ Fully proxied infrastructure via Cloudflare &amp;amp; Microsoft&lt;br&gt;
✅ No loose subdomains, misconfigured ports, or test environments&lt;br&gt;
✅ WordPress setup so secure and obfuscated that scans break early&lt;br&gt;
✅ Only minor signs of potential CSRF limitations — and nothing critical&lt;/p&gt;

&lt;p&gt;In short, this is what a secure perimeter should look like. Hudson Cybertec doesn’t just talk the talk — they walk it. If you're looking for a benchmark on how to protect a WordPress-based site and its surrounding infrastructure, this is it.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Rus Aeroflot hacked — total system failure</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Mon, 28 Jul 2025 12:42:38 +0000</pubDate>
      <link>https://dev.to/0trust0day/rus-aeroflot-hacked-total-system-failure-5j4</link>
      <guid>https://dev.to/0trust0day/rus-aeroflot-hacked-total-system-failure-5j4</guid>
      <description>&lt;p&gt;Russian airline giant Aeroflot just got completely compromised. Hacker groups Cyber Partisans and Silent Crow claim they infiltrated the company’s core IT systems (Tier0) for over a year — without being noticed.&lt;/p&gt;

&lt;p&gt;What they accessed:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Entire flight history databases&lt;/li&gt;
&lt;li&gt;Surveillance systems and employee monitoring tools&lt;/li&gt;
&lt;li&gt;Wiretapping servers with recorded calls and internal communications&lt;/li&gt;
&lt;li&gt;Personal computers of executives and top management&lt;/li&gt;
&lt;li&gt;All mission-critical infrastructure&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;They promise to publish portions of the data soon.&lt;/p&gt;

&lt;p&gt;Meanwhile, around 50 flights were canceled today out of Sheremetyevo Airport. Aeroflot offers no comment on the breach — only asks passengers to leave the terminal.&lt;/p&gt;

&lt;p&gt;So how did this happen?&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg3znqjwiki5mswkrvkow.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fg3znqjwiki5mswkrvkow.png" alt=" " width="800" height="527"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Simple: Basic cybersecurity rules were ignored.&lt;br&gt;
As I’ve said before — DNS misconfigurations are the first door in. Doesn’t matter how many fancy certificates your “CISO” team holds — if you’re lazy, you’re exposed. And these hackers didn’t need 0days or magic malware. They likely just used the CISO’s own VPN, passwords, or password manager.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbjczwa3bxtfs4fstuowx.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbjczwa3bxtfs4fstuowx.jpeg" alt=" " width="800" height="431"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;No firewall can protect you from yourself.&lt;br&gt;
This is a wake-up call to every corporation hiding behind shiny tools while ignoring the basics.&lt;/p&gt;

&lt;p&gt;#CyberSecurity #Aeroflot #Russia #Breach #DNS #InfoSec #Hacked #DevSecOps #SilentCrow&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Cybersecurity Benchmark or Red Flag? A Technical Dive into Bureau Veritas' Subdomain Infrastructure</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Mon, 28 Jul 2025 08:39:33 +0000</pubDate>
      <link>https://dev.to/0trust0day/cybersecurity-benchmark-or-red-flag-a-technical-dive-into-bureau-veritas-subdomain-infrastructure-3m41</link>
      <guid>https://dev.to/0trust0day/cybersecurity-benchmark-or-red-flag-a-technical-dive-into-bureau-veritas-subdomain-infrastructure-3m41</guid>
      <description>&lt;p&gt;Bureau Veritas is a global leader in testing, inspection, and certification services—and in recent years, the company has expanded aggressively into the cybersecurity and compliance consulting space. With such a public-facing position in the security industry, you'd expect their digital infrastructure to be both secure and exemplary.&lt;/p&gt;

&lt;p&gt;From a developer and security researcher's perspective, Bureau Veritas indeed sets a high bar in many areas. But as with any large-scale operation, there are cracks worth examining—especially when you peek behind the curtain of public DNS and open protocols.&lt;/p&gt;

&lt;p&gt;Let’s explore what makes Bureau Veritas both a security benchmark and a cautionary tale for DevOps, infosec engineers, and compliance-focused developers.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqn50skwls79hdaom8x8x.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqn50skwls79hdaom8x8x.png" alt=" " width="800" height="493"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;🌍 Global Infrastructure, Global Risk&lt;br&gt;
Bureau Veritas hosts dozens of subdomains across a wide array of providers and regions:&lt;/p&gt;

&lt;p&gt;United States: AWS, CyrusOne, Rackspace&lt;/p&gt;

&lt;p&gt;Europe: OVH (France), Ikoula, Equinix&lt;/p&gt;

&lt;p&gt;Asia: PCCW, Hutchison in Hong Kong&lt;/p&gt;

&lt;p&gt;Brazil, Germany, The Netherlands—you name it.&lt;/p&gt;

&lt;p&gt;This geographical diversity offers performance and redundancy benefits, but also complicates GDPR and NIS2 compliance, especially around cross-border data transfers.&lt;/p&gt;

&lt;p&gt;💻 The Good: Legal &amp;amp; Frontend Security&lt;br&gt;
Let’s start with what Bureau Veritas does very well:&lt;/p&gt;

&lt;p&gt;✅ Cookie compliance: Clean implementation using Cookiebot by Usercentrics. No intrusive defaults, well-structured consent banners.&lt;/p&gt;

&lt;p&gt;✅ Frontend hardening: No major CSRF vectors, token protection in place, no exposed API keys or tokens in browser console.&lt;/p&gt;

&lt;p&gt;✅ CMS Access Control: Although the presence of a Drupal CMS was discoverable (which is hard to truly hide), access is protected via OneLogin, which largely shields the admin panel from brute-force and credential-stuffing attempts.&lt;/p&gt;

&lt;p&gt;🧨 The Bad: DNS Exposure, Legacy Protocols&lt;br&gt;
The deeper you dig into public records (A/MX/NS/TXT), the more technical debt surfaces:&lt;/p&gt;

&lt;p&gt;FTP and SSH services are exposed on multiple subdomains like b2bfilexchange.bureauveritas.com and batinspect.bureauveritas.com.&lt;/p&gt;

&lt;p&gt;Several services run outdated software, such as Apache 2.4.6 (released in 2013) and OpenSSL 1.0.2k.&lt;/p&gt;

&lt;p&gt;TLS certificate mismatches (e.g., asipulse1.bureauveritas.com serving a cert for euapulse.bureauveritas.com) create trust issues for users and machines alike.&lt;/p&gt;

&lt;p&gt;Lack of DMARC and DKIM in TXT records raises phishing and spoofing risks.&lt;/p&gt;

&lt;p&gt;HTTP endpoints return 403 Forbidden, 404 Not Found, or 302 Redirect, without the custom error pages or transparency notices that GDPR requires.&lt;/p&gt;

&lt;p&gt;🔐 IAM and Security Operations Shortcomings&lt;br&gt;
Despite good frontend isolation, there’s no clear evidence of:&lt;/p&gt;

&lt;p&gt;Centralized Identity and Access Management (IAM) across services.&lt;/p&gt;

&lt;p&gt;Role-based access control (RBAC) beyond isolated portals.&lt;/p&gt;

&lt;p&gt;TLS 1.3 enforcement or use of HSTS headers.&lt;/p&gt;

&lt;p&gt;Certificate lifecycle management at scale.&lt;/p&gt;

&lt;p&gt;Public-facing indicators of incident detection or response processes (a NIS2 requirement).&lt;/p&gt;

&lt;p&gt;For a company delivering cybersecurity services, these gaps are concerning.&lt;/p&gt;

&lt;p&gt;⚖️ Compliance Red Flags&lt;br&gt;
GDPR Violations&lt;br&gt;
Use of FTP/HTTP for data-related subdomains violates Article 32 (security of processing).&lt;/p&gt;

&lt;p&gt;403/404 error pages without legal disclosure violate Article 13 (transparency).&lt;/p&gt;

&lt;p&gt;Hosting personal data in the U.S./HK without visible SCCs violates Chapter V.&lt;/p&gt;

&lt;p&gt;NIS2 Violations&lt;br&gt;
Outdated software without hardening breaks Article 21.&lt;/p&gt;

&lt;p&gt;Public services (SSH/FTP) without strict controls break Article 21(2)(b).&lt;/p&gt;

&lt;p&gt;No evidence of incident reporting structures required under Article 23.&lt;/p&gt;

&lt;p&gt;CCPA &amp;amp; NIST 800-53&lt;br&gt;
The absence of opt-out mechanisms on subdomains like cps.bureauveritas.com conflicts with CCPA §1798.120.&lt;/p&gt;

&lt;p&gt;FTP/SSH access without MFA violates NIST IA-2.&lt;/p&gt;

&lt;p&gt;TLS misconfigurations contradict ISO 27001 A.12.4.1.&lt;/p&gt;

&lt;p&gt;🛠️ Dev-Focused Recommendations&lt;br&gt;
If you're managing a similar infrastructure, consider using Bureau Veritas as both inspiration and a cautionary example.&lt;/p&gt;

&lt;p&gt;✅ What to Emulate&lt;br&gt;
Proper cookie banners and legal compliance.&lt;/p&gt;

&lt;p&gt;Centralized login systems (SSO via OneLogin).&lt;/p&gt;

&lt;p&gt;Tokenized frontend logic and CSRF protection.&lt;/p&gt;

&lt;p&gt;⚠️ What to Improve&lt;br&gt;
Replace FTP with SFTP/FTPS immediately.&lt;/p&gt;

&lt;p&gt;Enforce TLS 1.3 and implement HSTS.&lt;/p&gt;

&lt;p&gt;Add DMARC and DKIM to all primary domains.&lt;/p&gt;

&lt;p&gt;Harden public services; ideally, restrict SSH to bastion hosts only.&lt;/p&gt;

&lt;p&gt;Deploy a centralized certificate and IAM solution (e.g., HashiCorp Vault + Okta).&lt;/p&gt;

&lt;p&gt;🧾 Final Thoughts&lt;br&gt;
Bureau Veritas represents a high-quality cybersecurity and legal compliance benchmark—but one that is slightly tarnished by its overexposed DNS posture and some lingering technical debt on the backend.&lt;/p&gt;

&lt;p&gt;In 2024–2025, modern infrastructure teams must assume that everything discoverable via DNS will be analyzed—by researchers, attackers, and regulators alike. The only safe move is to treat every exposed service as a potential breach vector and harden accordingly.&lt;/p&gt;

&lt;p&gt;💬 Have you run similar audits on your infrastructure? What tools and practices do you use to catch issues like this before they go live?&lt;/p&gt;

&lt;p&gt;Let’s discuss. 👇&lt;/p&gt;

&lt;h1&gt;
  
  
  #cybersecurity #devops #compliance #gdpr #infosec #dns #drupal #ftp #tls #backendsecurity #iam #frontendsecurity
&lt;/h1&gt;

</description>
    </item>
    <item>
      <title>Public call for ON2IT to reassess its own information security practices</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Thu, 17 Jul 2025 22:33:26 +0000</pubDate>
      <link>https://dev.to/0trust0day/public-call-for-on2it-to-reassess-its-own-information-security-practices-3pbj</link>
      <guid>https://dev.to/0trust0day/public-call-for-on2it-to-reassess-its-own-information-security-practices-3pbj</guid>
      <description>&lt;p&gt;Security Starts at Home — But ON2IT Didn’t Get the Memo&lt;br&gt;
As digital citizens, we rely on legal frameworks like the EU’s GDPR, the US’s CCPA, and other privacy laws to protect our personal data online. These frameworks are meant to ensure at least a baseline of digital privacy and safety. But laws are only as good as their enforcement — and even cybersecurity companies often fall short of practicing what they preach.&lt;/p&gt;

&lt;p&gt;In this ongoing series of surface-level security analyses, I focus on how everyday users’ data is (mis)handled by companies — especially those claiming to specialize in cybersecurity. Today’s subject is ON2IT, a Dutch cybersecurity company that portrays itself as a major player in the industry.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr3vo9xuy52mbbssdqsdj.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr3vo9xuy52mbbssdqsdj.png" alt=" " width="800" height="532"&gt;&lt;/a&gt;&lt;br&gt;
You have just two options to choose from: agree or fully agree ;-)&lt;/p&gt;

&lt;p&gt;Taken directly from ON2IT’s official website — as we can see, there’s really no choice here: either accept cookies, or… accept cookies. One has to wonder who the genius was that thought this was acceptable in the age of GDPR.&lt;br&gt;
My review was conducted with standard tools accessible to anyone — using OWASP ZAP and Chrome DevTools. No advanced penetration testing or unauthorized access attempts were performed. Yet, even this limited inspection revealed disturbing results.&lt;/p&gt;

&lt;p&gt;Legal Compliance: Not a Disaster, But Far From Safe&lt;br&gt;
ON2IT’s website includes formal privacy policies, GDPR references, and public contact addresses. But form ≠ substance.&lt;/p&gt;

&lt;p&gt;Based on a structured legal assessment framework that includes consent mechanisms, cookie behavior, and phishing protections, the results are mixed:&lt;br&gt;
Overall Score: 4 out of 8.&lt;/p&gt;

&lt;p&gt;The legal façade holds on the surface, but the lack of granular consent, technical safeguards, and proper cookie rejection behavior means users aren’t as protected as they should be.&lt;/p&gt;

&lt;h2&gt;
  
  
  Technical Posture: A Series of Failures
&lt;/h2&gt;

&lt;p&gt;Here’s the real concern: the technical side is a mess.&lt;/p&gt;

&lt;p&gt;ON2IT’s website is built on… WordPress. That alone isn’t a crime — even secure setups can use WordPress — but only when hardened, obscured, and properly maintained. ON2IT does none of this.&lt;/p&gt;

&lt;p&gt;Key technical findings from &lt;a href="https://on2it.net" rel="noopener noreferrer"&gt;https://on2it.net&lt;/a&gt;:&lt;br&gt;
CMS: WordPress 6.8.1&lt;br&gt;
Theme: GeneratePress (parent + child)&lt;br&gt;
Plugins: GravityForms, GP Premium, SitePress Multilingual, Popup Maker&lt;br&gt;
Exposed files: readme.html, license.txt&lt;br&gt;
Public user list (names altered for ethical reasons): sXmh, jaXj, kaXXnm, lXk, arXXns, etc.&lt;/p&gt;

&lt;p&gt;These are not hypothetical risks — they are publicly documented issues (MITRE, Wordfence) that expose both users and administrators to session hijacking, script injection, and content tampering.&lt;/p&gt;

&lt;p&gt;Openly Exposed Services — A Reconnaissance Playground&lt;br&gt;
Worse yet, several of ON2IT’s internal or demo services are fully exposed to the public with no authentication or access control. Their subdomains are even self-descriptive — making them easy targets for automated scanning and phishing setups:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://filerdemo.on2it.net/login" rel="noopener noreferrer"&gt;https://filerdemo.on2it.net/login&lt;/a&gt;&lt;br&gt;
&lt;a href="https://social.on2it.net/explore" rel="noopener noreferrer"&gt;https://social.on2it.net/explore&lt;/a&gt;&lt;br&gt;
&lt;a href="https://soc.on2it.net/" rel="noopener noreferrer"&gt;https://soc.on2it.net/&lt;/a&gt;&lt;br&gt;
&lt;a href="https://portal.on2it.net/login" rel="noopener noreferrer"&gt;https://portal.on2it.net/login&lt;/a&gt;&lt;br&gt;
&lt;a href="https://sensorlogging.on2it.net/" rel="noopener noreferrer"&gt;https://sensorlogging.on2it.net/&lt;/a&gt;&lt;br&gt;
These endpoints read more like a checklist for attackers than hardened assets. The use of obvious subdomain naming conventions is a gift to OSINT tools.&lt;/p&gt;

&lt;p&gt;DNS, Hosting &amp;amp; Cookie Concerns&lt;br&gt;
ON2IT’s infrastructure relies heavily on third-party services including Google (Gmail), Leaseweb, GCP, and WordPress-based hosting.&lt;/p&gt;

&lt;p&gt;Cookies on on2it.recruitee.com are set without real opt-out, violating the spirit — if not the letter — of GDPR. Once again, form wins over substance.&lt;/p&gt;

&lt;h2&gt;
  
  
  Final Scorecard
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Legal Layer:&lt;/strong&gt;&lt;br&gt;
✅ Privacy Policy — Pass&lt;br&gt;
✅ Cookie Policy — Pass&lt;br&gt;
❌ Cookie Implementation — Fail&lt;br&gt;
✅ DPO Contact — Pass&lt;br&gt;
❌ Opt-Out Mechanism — Fail&lt;br&gt;
❌ Granular Consent — Fail&lt;br&gt;
❌ Privacy-respecting A/B Testing — Fail&lt;br&gt;
✅ Right to Erasure — Pass&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Technical Layer:&lt;/strong&gt;&lt;br&gt;
❌ Anti-CSRF Protections — Fail&lt;br&gt;
❌ CSP Header — Fail&lt;br&gt;
❌ Subresource Integrity (SRI) — Fail&lt;br&gt;
❌ DNS/OSINT Defense — Fail&lt;br&gt;
✅ HTTPS + HSTS — Pass&lt;br&gt;
❌ User Enumeration Prevention — Fail&lt;br&gt;
❌ Admin Interface Obfuscation — Fail&lt;br&gt;
✅ Legal Disclosures Present — Pass&lt;br&gt;
❌ Default Cookie Behavior — Fail&lt;/p&gt;

&lt;p&gt;Final Thoughts: Branding ≠ Security&lt;br&gt;
ON2IT, like many others in the cybersecurity industry, seems to focus more on brand optics than infrastructure hygiene. For a company selling protection, they leave their own digital front door wide open.&lt;/p&gt;

&lt;p&gt;This review isn’t a targeted attack — it’s a reminder: Security starts at home.&lt;br&gt;
If cybersecurity firms don’t uphold the same standards they advocate, how can users or clients trust them?&lt;/p&gt;

&lt;p&gt;I hope this article encourages more critical evaluations — and higher expectations — from vendors in the cybersecurity space.&lt;/p&gt;

&lt;p&gt;For any questions: &lt;a href="https://on2it.0trust0day.com" rel="noopener noreferrer"&gt;https://on2it.0trust0day.com&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Disclaimer &amp;amp; User Rights Statement&lt;br&gt;
I am a user of this website. I have identified that my personal data may be at risk.&lt;br&gt;
A form on the website potentially allows actions to be forged in my name — without my consent.&lt;br&gt;
I visited a website claiming to offer cybersecurity services, yet encountered unprotected resources, cookies without HSTS, and scripts without CSP. That directly affects me as a user.&lt;br&gt;
This analysis is based solely on publicly accessible information, passive observation of website behavior, and freely available client-side tools. No unauthorized access, exploitation, or invasive techniques were used.&lt;br&gt;
As a user of the examined web resource, I retain the right to assess potential security and privacy risks that may affect my personal data, browsing experience, or device safety.&lt;br&gt;
The presented findings represent a good-faith effort to raise public awareness and encourage higher security standards. All legal and technical interpretations are personal opinions and do not constitute a legally binding statement.&lt;br&gt;
No penetration testing was performed. To identify potential vulnerabilities that could compromise my information during the use of the referenced web resource, only publicly available, free website analysis services and the Chrome browser console were used.&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Shuberg Philis — are you sure you’re capable of securing mission-critical operations?</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Thu, 17 Jul 2025 22:31:13 +0000</pubDate>
      <link>https://dev.to/0trust0day/shuberg-philis-are-you-sure-youre-capable-of-securing-mission-critical-operations-pd1</link>
      <guid>https://dev.to/0trust0day/shuberg-philis-are-you-sure-youre-capable-of-securing-mission-critical-operations-pd1</guid>
      <description>&lt;p&gt;&lt;strong&gt;Maybe it’s better to start with securing your own systems first?&lt;/strong&gt;&lt;br&gt;
I’ve seen a lot over the years of doing pentests and quick external assessments, but this might be a new low. Yet another company that proudly claims to “specialize in delivering mission-critical IT systems with unparalleled security, reliability, and resilience” — and they’ve completely outdone themselves in terms of negligence.&lt;/p&gt;

&lt;p&gt;Schuberg Philis specializes in delivering mission-critical IT systems with unparalleled security, reliability, and resilience. We work closely with customers to plan, build, and run secure systems that empower industries and infrastructures. As a purpose-driven company with an engineer-focused culture, we prioritize trust, autonomy, and operational excellence. Security, in our view, is not a barrier but a catalyst for growth.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"We are seeking an IT-OT Cyber Security Expert passionate about protecting mission-critical Operational Technology (OT) systems in industries such as utilities, production, and logistics. Operating at the juncture of IT and OT, this role focuses on creating robust security solutions for OT environments, while helping customers navigate the increasingly complex threat landscape."&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj9jrztlrpzohmd3uqs3g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fj9jrztlrpzohmd3uqs3g.png" alt=" " width="800" height="460"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So, I saw a job posting and decided to check out their web infrastructure to see if it’s even safe to use — say, to submit an application through it. And I was genuinely shocked. How can a company that promises cutting-edge protection of “mission-critical Operational Technology (OT) systems in industries such as utilities, production, and logistics” operate such a poorly structured and insecure IT environment?&lt;/p&gt;

&lt;h2&gt;
  
  
  1. Overexposure of Internal Subdomains
&lt;/h2&gt;

&lt;p&gt;Schuberg Philis is, for me, the absolute leader of the last six months in this category: numerous subdomains reveal sensitive internal services:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;Examples:&lt;br&gt;
jira.acc.schubergphilis.com,&lt;br&gt;
chef.opensearch.acc.schubergphilis.com,&lt;br&gt;
infra.chef.saas...,&lt;br&gt;
auth.acc...,&lt;br&gt;
reset.acc...,&lt;br&gt;
docker-registry.k8s...,&lt;br&gt;
grafana.k8s..., etc.&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Issue:&lt;br&gt;
These names leak architectural and operational details — including CI/CD, DevOps, PKI, monitoring, authentication, and Kubernetes environments.&lt;/p&gt;

&lt;p&gt;Risk: HIGH&lt;br&gt;
This provides attackers with an extensive map of infrastructure components that can be used for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Targeted phishing&lt;/li&gt;
&lt;li&gt;Recon for CVE exploitation&lt;/li&gt;
&lt;li&gt;Credential stuffing or brute-force against known endpoints (e.g., Jira, GitLab, Grafana)&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  2. Public Interfaces Responding with Azure 404
&lt;/h2&gt;

&lt;p&gt;Several subdomains respond with:&lt;/p&gt;

&lt;p&gt;&lt;code&gt;Server: Microsoft-Azure-Application-Gateway/v2&lt;br&gt;
Title: 404 Not Found&lt;/code&gt;&lt;/p&gt;

&lt;p&gt;Examples:&lt;br&gt;
jira.acc.schubergphilis.com&lt;br&gt;
gw-ldap.acc.schubergphilis.com&lt;br&gt;
oag-admin.acc.schubergphilis.com&lt;br&gt;
reset.acc.schubergphilis.com&lt;/p&gt;

&lt;p&gt;Issue:&lt;br&gt;
These are exposed endpoints of either disabled or misconfigured internal systems.&lt;br&gt;
They leak internal naming (reset, admin, gw-ldap) and technology (Azure WAF).&lt;br&gt;
Risk: MEDIUM&lt;/p&gt;

&lt;p&gt;Potential attack surface for:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;SSRF&lt;/li&gt;
&lt;li&gt;DoS&lt;/li&gt;
&lt;li&gt;ACL bypass if misconfigured&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  3. Missing Reverse DNS Entries
&lt;/h2&gt;

&lt;p&gt;Some IPs (e.g., 185.242.221.165) lack proper reverse DNS records.&lt;br&gt;
Issue:&lt;br&gt;
Lack of PTR records can:&lt;br&gt;
Weaken email delivery trust&lt;br&gt;
Indicate incomplete DNS hygiene&lt;br&gt;
Reduce overall infrastructure credibility&lt;br&gt;
Risk: LOW–MEDIUM&lt;/p&gt;

&lt;h2&gt;
  
  
  4. Exposed Test and Legacy Environments
&lt;/h2&gt;

&lt;p&gt;Subdomains include many clearly labeled test or possibly legacy services:&lt;br&gt;
test.gitlab.saas...&lt;br&gt;
grafana-foo, grafana-foa&lt;br&gt;
confluence-k8s-test1, grafana-saas-201904121518&lt;/p&gt;

&lt;p&gt;Issue:&lt;br&gt;
These environments are often poorly maintained and not patched.&lt;/p&gt;

&lt;p&gt;Risk: HIGH&lt;br&gt;
Attackers may exploit CVEs in unpatched systems.&lt;br&gt;
Potential lateral movement into production if not isolated.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. SPF and TXT Records
&lt;/h2&gt;

&lt;p&gt;SPF:&lt;br&gt;
v=spf1 mx include:_spf.schubergphilis.com -all&lt;/p&gt;

&lt;p&gt;TXT entries reveal integrations with:&lt;br&gt;
Atlassian&lt;br&gt;
DocuSign&lt;br&gt;
Office 365 (D365)&lt;br&gt;
Dynatrace&lt;br&gt;
Google&lt;br&gt;
MongoDB&lt;br&gt;
Keybase&lt;br&gt;
GitLab CI (Managed via SBP CorpIT Gitlab-CI)&lt;br&gt;
Issues:&lt;/p&gt;

&lt;p&gt;Possible information leakage of internal tools and 3rd party services.&lt;br&gt;
No public DMARC or DKIM seen (based on dataset).&lt;br&gt;
Risk: MEDIUM&lt;br&gt;
Attackers could leverage this data to spoof email senders or attack 3rd-party integrations.&lt;/p&gt;

&lt;h2&gt;
  
  
  6. One IP Hosts Many Critical Kubernetes Services
&lt;/h2&gt;

&lt;p&gt;All k8s.saas.acc.schubergphilis.com subdomains resolve to the same IP: 85.222.238.111&lt;br&gt;
Examples:&lt;br&gt;
grafana.k8s..., alertmanager.k8s..., harbor-core.k8s..., confluence.k8s..., etc.&lt;br&gt;
Issue:&lt;br&gt;
Hosting many critical services behind a single public IP makes it a high-value target.&lt;br&gt;
Ingress exposure risks if role-based access control or authentication is misconfigured.&lt;br&gt;
Risk: CRITICAL&lt;br&gt;
Especially if any dashboards (Grafana, Harbor, etc.) are publicly accessible.&lt;/p&gt;

&lt;h2&gt;
  
  
  7. Risky Subdomain Types
&lt;/h2&gt;

&lt;p&gt;The following may indicate risk:&lt;br&gt;
pki1/pki2: Public access to internal certificate/key infrastructure&lt;br&gt;
reset, auth, gw-ldap: IAM-related endpoints&lt;br&gt;
docker-registry: Risk of exposed images or credentials&lt;/p&gt;

&lt;h2&gt;
  
  
  8. Potential Compliance Violations
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7otob8n5381ihjqid9r8.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F7otob8n5381ihjqid9r8.png" alt=" " width="800" height="313"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  A moment of positivity
&lt;/h2&gt;

&lt;p&gt;To be fair, there are a few decent aspects to their web platform. Legally, it’s quite solid. In fact, it’s a great benchmark example of how cookie consent should be handled in 2025 — both legally and technically. They’ve done a good job ensuring that users who decline cookies don’t have their data collected or transmitted elsewhere.&lt;/p&gt;

&lt;p&gt;Bonus points for the console easter egg designed for prospective developer applicants — nicely done! It’s both charming and practical.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8wnblbe8gkgctq5knpku.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8wnblbe8gkgctq5knpku.png" alt=" " width="800" height="288"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Recommendations
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Audit all DNS entries — remove deprecated and test subdomains.&lt;/li&gt;
&lt;li&gt;Restrict access to all internal/test environments via IP whitelisting or VPN.&lt;/li&gt;
&lt;li&gt;Review Azure App Gateway exposure; ensure WAF and proper routing rules are in place.&lt;/li&gt;
&lt;li&gt;Enforce service segmentation, especially in Kubernetes (e.g. multiple IPs/load balancers).&lt;/li&gt;
&lt;li&gt;Harden and authenticate all dashboards (Grafana, Harbor, Confluence, etc.).&lt;/li&gt;
&lt;li&gt;Implement and verify DMARC/DKIM, and review SPF includes.&lt;/li&gt;
&lt;li&gt;Conduct regular external security scans (ZAP, Nuclei, Censys, Shodan).&lt;/li&gt;
&lt;li&gt;Reinforce CI/CD pipelines, as GitLab CI is referenced in TXT — avoid leaking internal automation logic.&lt;/li&gt;
&lt;li&gt;Verify PKI endpoints (pki1/2) — if exposed externally, they require strict access control and monitoring.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Honestly, my conclusion is simple: working with you is a security risk — it’s unsafe to even send you a CV. With such glaring security oversights, there’s a very real chance it could end up in a data leak. As for the potential regulatory fines Schuberg Philis may face… I’ll just leave that unsaid.&lt;/p&gt;

&lt;p&gt;If you lack the internal capacity to implement proper security measures — or perhaps you’ve accidentally hired some highly certified incompetents — then feel free to reach out to me. I can fix all of this within two weeks.&lt;/p&gt;

</description>
      <category>schubergphilis</category>
      <category>cybersecurity</category>
      <category>webdev</category>
      <category>devsecops</category>
    </item>
    <item>
      <title>My Experience with websec.nl — A Benchmark for Cybersecurity Companies</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Thu, 17 Jul 2025 22:23:41 +0000</pubDate>
      <link>https://dev.to/0trust0day/my-experience-with-websecnl-a-benchmark-for-cybersecurity-companies-1ok1</link>
      <guid>https://dev.to/0trust0day/my-experience-with-websecnl-a-benchmark-for-cybersecurity-companies-1ok1</guid>
      <description>&lt;p&gt;While casually reviewing a number of cybersecurity-focused websites (in the process of job searching), I stumbled upon websec.nl — and what I saw left a lasting impression. It’s rare these days to find a site that not only looks clean and professional, but also sets a technical standard for how a security company should represent itself on the internet. And WebSec delivers exactly that — not through marketing fluff, but through its flawless execution.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://medium.com/p/9115e3834193" rel="noopener noreferrer"&gt;https://medium.com/p/9115e3834193&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;From a purely technical perspective, their external footprint is a textbook example of what “secure-by-default” should look like. DNS records are trimmed and protected. There are no dangling subdomains, no exposed admin panels, no internal ports accidentally published to the world. Their TLS configuration is clean, headers are strict, cookies are locked down, and there’s no sign of tracking scripts or unnecessary third-party bloat. This is a defensive posture done right — calm, deliberate, and deeply informed.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56xp2xlxf1o4b34ywrpz.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F56xp2xlxf1o4b34ywrpz.png" alt=" " width="800" height="443"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;And here’s the remarkable part: WebSec is not a giant firm with thousands of engineers and unlimited budget. They are a highly focused team who simply know their craft and take pride in applying it to themselves first. Many so-called security experts talk the talk, but leave their own sites full of misconfigurations. WebSec, on the other hand, walks the walk — and does so with the precision of a world-class team.&lt;/p&gt;

&lt;p&gt;To put it plainly: this is what all cybersecurity company websites should look like. Not overloaded with marketing jargon or pointless animations — but fast, clean, and built like a fortress. Their approach reminded me of the kind of security posture seen at enterprise players like KPMG, who also run an impressively well-locked-down perimeter. And yet WebSec achieves that same level of excellence with a leaner team — and that says a lot about the skill level they bring to the table.&lt;/p&gt;

&lt;p&gt;For job seekers and collaborators alike:&lt;br&gt;
I would submit my CV to WebSec with zero hesitation. This is a team I’d genuinely be proud to work alongside. Their execution sends a strong message: “If we treat our own infrastructure with this level of care, imagine what we’ll do for yours.” And that’s exactly the kind of trust signal every security company should strive to emit.&lt;/p&gt;

&lt;p&gt;P.S. To the WebSec team:&lt;br&gt;
Just a personal note from someone who’s been in the trenches — don’t let anyone convince you that certifications alone define skill. Real hackers in real life will not show you certificates; they will bypass logic and creatively bend systems — don’t rely on paper. They operate with instinct, experience, and a mindset that no exam can measure. Frameworks are helpful, but they aren’t the source of innovation — people are. Trying to confine a Red Team into checklists and procedures often leads to diluted outcomes.&lt;/p&gt;

</description>
      <category>websecnl</category>
      <category>cybersecurity</category>
      <category>wearebrave</category>
      <category>pentest</category>
    </item>
    <item>
      <title>An essential element of organizational Cyber Defense</title>
      <dc:creator>0trust0day</dc:creator>
      <pubDate>Wed, 16 Jul 2025 05:50:30 +0000</pubDate>
      <link>https://dev.to/0trust0day/an-essential-element-of-organizational-cyber-defense-210e</link>
      <guid>https://dev.to/0trust0day/an-essential-element-of-organizational-cyber-defense-210e</guid>
      <description>&lt;p&gt;In the increasingly digitized global economy, the resilience of an organization’s information infrastructure has become inseparable from its competitive advantage. Cybersecurity is no longer a niche concern of IT departments, but a boardroom priority. However, while many firms have invested heavily in firewalls, endpoint security, and SIEM systems, fewer have institutionalized the single most powerful vector of sustainable defense: systematic, scalable, and scenario-based cyber threat training.&lt;/p&gt;

&lt;p&gt;An original article by Aleksandr Shaman&lt;/p&gt;

&lt;p&gt;Cyber threats evolve with stunning velocity. Zero-day vulnerabilities, ransomware-as-a-service, and state-sponsored attacks no longer occur in isolation — they are interconnected, polymorphic, and exploit the weakest link in the chain: the human factor. Despite this, many organizational responses remain reactive, compliance-driven, and fragmented. A more effective approach requires continuous internal simulation and testing: a controlled, iterative ecosystem where threat understanding matures into operational reflexes.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmpm6w2ctesaiz33c4wi.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fwmpm6w2ctesaiz33c4wi.png" alt=" " width="800" height="453"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;This is where the concept of an “internal range” emerges — not as a metaphor, but as an institutional framework. Modeled after military and industrial test environments, the internal range is a live-fire cyber defense training and validation space embedded within the enterprise itself. It systematizes threat emulation, drills, and failure analysis, transforming defense from a static to a dynamic function.&lt;/p&gt;

&lt;p&gt;Continuous Learning Loop&lt;br&gt;
The internal range replaces periodic workshops and static e-learning with immersive, adaptive training. Teams engage in real-time, role-specific simulations — CFOs facing spear-phishing attempts; network engineers responding to lateral movement after a VPN breach. These scenarios are calibrated based on current threat intelligence feeds and internal system vulnerabilities. Unlike traditional tabletop exercises, internal range activities are run in parallel with actual operations in controlled virtualized environments, minimizing disruption while maximizing realism.&lt;br&gt;
Quantified Organizational Readiness&lt;br&gt;
One of the limitations of conventional training is the absence of empirical performance metrics. Internal ranges solve this by capturing behavioral, technical, and procedural data across simulations. Who responded fastest? Where were the bottlenecks? Which alerts were ignored? These data points feed into dashboards that measure individual and team-level readiness — allowing CISOs to present cybersecurity maturity in quantitative, board-friendly formats.&lt;br&gt;
Cultural Integration of Security&lt;br&gt;
When cyber defense is siloed, response becomes slow and confused. The internal range promotes cross-functional muscle memory. Legal teams practice breach disclosure protocols. PR units rehearse media responses. HR trains on insider threat recognition. Security becomes a shared reflex rather than a specialized function. This leads to a culture where vigilance is internalized, not imposed.&lt;br&gt;
Pre-Deployment Stress Testing&lt;br&gt;
Before rolling out new software, migrating workloads to the cloud, or onboarding critical third-party providers, internal ranges offer a simulated environment to test their impact on security posture. For example, a fintech firm used its internal range to simulate DDoS attacks on a soon-to-be-public API gateway. The exercise revealed hidden dependency loops in legacy infrastructure, which were rectified before production deployment.&lt;br&gt;
Incident Replay and Forensic Education&lt;br&gt;
Real breaches, when they occur, are replayed in the internal range. This forensic reenactment transforms painful post-mortems into high-value teaching assets. One pharmaceutical company, after a ransomware event, reconstructed the entire timeline of the breach in its internal range, using it not only to patch vulnerabilities but also to redesign identity access protocols. The process triggered a full review of their remote access stack.&lt;br&gt;
From a commercial standpoint, the internal range becomes a risk mitigation asset with clear ROI. Reduced downtime, better audit outcomes, lower insurance premiums, and fewer regulatory penalties all stem from improved preparedness. Moreover, it creates a strong signal to partners and clients: this is an organization serious about cyber hygiene.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F71lla0uf9pyc51itmv31.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F71lla0uf9pyc51itmv31.png" alt=" " width="800" height="317"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Case studies underline its effectiveness. A multinational logistics provider deployed an internal range strategy across six regional hubs. Over 12 months, phishing click-through rates dropped by 47%, mean time to detect threats halved, and confidence in breach-response procedures improved measurably in quarterly assessments. Another example comes from an energy firm that integrated its SCADA infrastructure into its internal range. This allowed it to safely test malware propagation through OT systems, previously considered too risky to simulate.&lt;/p&gt;

&lt;p&gt;Importantly, internal ranges also support regulatory alignment. In sectors where cyber resilience regulations are tightening — financial services (DORA, NIS2), healthcare (HIPAA, HITECH), critical infrastructure (NERC CIP) — an internal range provides documented, repeatable, and auditable training evidence. It strengthens compliance postures not by box-ticking, but by embedding real-world, tested capabilities.&lt;/p&gt;

&lt;p&gt;The scalability of the internal range model is another of its advantages. It can start as a modest set of virtualized environments and scripted playbooks, gradually incorporating red-blue-purple teaming, third-party tool integrations (Splunk, CrowdStrike, or SentinelOne), and even AI-driven adversary emulation. For large enterprises, ranges can be federated across geographies; for smaller firms, they can be cloud-based and modular.&lt;/p&gt;

&lt;p&gt;In essence, the internal range is not a product but a philosophy. It rejects the notion of cybersecurity as a static layer atop business operations. Instead, it proposes cybersecurity as an ever-evolving internal dialogue between infrastructure, people, and processes. Like any effective training ground, it is only as valuable as its integration into everyday workflows.&lt;/p&gt;

&lt;p&gt;To business leaders and technology strategists, the message is clear: systematize your cyber threat training or risk falling behind. Threat actors iterate rapidly; so must defenders. By investing in internal ranges, organizations cultivate not only technical hardening but also cognitive and procedural readiness — an enterprise-wide immune system tuned to the realities of modern risk.&lt;/p&gt;

&lt;p&gt;In a time when digital sovereignty, data localization, and trust are core to competitive positioning, the ability to prove cyber preparedness is becoming as important as being prepared. The internal range model delivers both.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7iliw5xhioqfjiuwhxo.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fz7iliw5xhioqfjiuwhxo.png" alt=" " width="800" height="377"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Cyber Ranges as the Future of Organizational Resilience: Turning Training into a Competitive Edge&lt;br&gt;
In the digital-first economy, cybersecurity isn’t just a technical domain — it’s strategic infrastructure. As threats evolve, organizations are learning that static defenses and one-time awareness campaigns are no match for sophisticated and persistent attacks. What’s needed is a shift: from ad hoc training to institutionalized cyber exercises, from theoretical awareness to hands-on readiness, from isolated simulations to a continuously active cyber range embedded within the enterprise.&lt;/p&gt;

&lt;p&gt;A cyber range is more than a metaphor. It’s a real-time, dynamic environment that emulates cyberattacks, operational breakdowns, and recovery processes. Much like a military training ground, it tests personnel, processes, and systems under stress. This is not about occasional fire drills — it’s about operationalizing preparedness as a culture.&lt;/p&gt;

&lt;p&gt;Realistic, Continuous Cyber Drills&lt;br&gt;
Instead of outdated e-learning modules, cyber ranges immerse employees in threat scenarios modeled on current attack vectors — credential stuffing, social engineering, API abuse. The training is adaptive, aligned with each role. A finance lead receives deepfake invoice scams. The DevOps team manages lateral movement after a container breakout. These exercises occur in segmented, safe environments, running parallel to real infrastructure.&lt;br&gt;
Quantified Readiness and Performance Analytics&lt;br&gt;
Cyber ranges generate real data: response times, detection rates, procedural gaps. This data feeds into readiness dashboards that CISOs can present to boards. The shift is from anecdotal to measurable. One firm reported cutting its mean time to respond (MTTR) from 48 to 24 hours after integrating their cyber range — a 50% improvement visualized in this chart:&lt;br&gt;
Cross-Functional Security Integration&lt;br&gt;
Security failures often stem from siloed responsibility. Cyber ranges break down these silos. HR, PR, legal, ops, and executive leadership rehearse breach responses together. In one energy firm, integrating legal and operational teams into cyber drills helped align disclosure protocols, reducing legal-exposure time during a real incident.&lt;br&gt;
Testing New Systems Before Deployment&lt;br&gt;
Before launching new APIs or adopting cloud infrastructure, a cyber range allows simulated stress tests. A fintech firm used theirs to launch a mock DDoS attack on a customer-facing API. The result? Early detection of cascading timeouts in legacy backends — mitigated before public exposure.&lt;br&gt;
Forensic Replays That Teach and Fortify&lt;br&gt;
After incidents occur, a cyber range reconstructs the timeline, offering a safe space for forensic learning. A pharmaceutical enterprise replayed a ransomware breach and discovered overlooked access controls. This led to a redesign of their IAM system — preventing future entry points.&lt;br&gt;
Let’s look at real-world implementation:&lt;/p&gt;

&lt;p&gt;The measurable results speak for themselves:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr49d90p4b1kug21nuiph.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fr49d90p4b1kug21nuiph.png" alt=" " width="800" height="337"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fym3wm0gn1xbjqkv3b251.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fym3wm0gn1xbjqkv3b251.png" alt=" " width="800" height="332"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;For regulated industries, a cyber range also serves as compliance infrastructure. With frameworks like NIS2, DORA, and HIPAA demanding not only controls but demonstrable readiness, ranges provide repeatable and auditable evidence. Security insurers, too, are starting to reward such proactive training environments with lower premiums.&lt;/p&gt;

&lt;p&gt;Importantly, a cyber range is scalable. A multinational may invest in multi-cloud simulation labs. A smaller firm might begin with containerized playbooks and monthly drills. The core principle remains: repeatable, relevant, realistic cyber training embedded in your operations — not adjacent to them.&lt;/p&gt;

&lt;p&gt;In today’s environment, threats are real-time, and so must be your training. A cyber range becomes an enterprise immune system, constantly testing, evolving, and improving. It bridges the gap between knowing and doing, between controls and culture.&lt;/p&gt;

&lt;p&gt;Security leaders should no longer ask if they need cyber drills, but how soon they can institutionalize them. The organizations best equipped for tomorrow are not necessarily the ones with the most tools, but the ones whose people know exactly how to respond — because they’ve already done it. Repeatedly. In their own cyber range.&lt;/p&gt;

&lt;p&gt;Here are references and credible sources for the data presented in the tables, aligned with real-world reports, industry whitepapers, and known case studies. Where exact organizations are anonymized in the article (as often required for confidentiality), the data draws from aggregated industry research or de-identified case summaries from leading vendors and institutions.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
    </item>
  </channel>
</rss>
