<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Mark0</title>
    <description>The latest articles on DEV Community by Mark0 (@mark0_617b45cda9782a).</description>
    <link>https://dev.to/mark0_617b45cda9782a</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3702447%2F0301e2c9-634f-4567-8171-fd5d9da0b3aa.jpg</url>
      <title>DEV Community: Mark0</title>
      <link>https://dev.to/mark0_617b45cda9782a</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/mark0_617b45cda9782a"/>
    <language>en</language>
    <item>
      <title>How to Identify and Exploit New Vulnerabilities</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:14:20 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/how-to-identify-and-exploit-new-vulnerabilities-f4c</link>
      <guid>https://dev.to/mark0_617b45cda9782a/how-to-identify-and-exploit-new-vulnerabilities-f4c</guid>
      <description>&lt;p&gt;In the rapidly changing landscape of cybersecurity, red teams must prioritize the identification of new vulnerabilities to maintain an operational edge and bypass updated defenses. The article emphasizes that discovering exploits is not an unattainable 'dark art' but rather a discipline grounded in patience, curiosity, and experimentation. By researching existing advisories and community blog posts, security professionals can find the necessary starting points for their own deep-dive investigations.&lt;/p&gt;

&lt;p&gt;Technically, the process involves leveraging both reverse engineering suites like Ghidra and IDA Pro and system monitoring tools such as Process Monitor and System Informer. The author illustrates this by sharing how methodical observation of registry queries led to the discovery of deficiencies and the subsequent development of FaceDancer, a tool for DLL hijacking. This systematic approach—defining a need, researching, reverse engineering, and testing—is essential for hardening organizational defenses against modern threats.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.blackhillsinfosec.com/how-to-identify-and-exploit-new-vulnerabilities/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>redteaming</category>
      <category>reverseengineering</category>
    </item>
    <item>
      <title>Slamming the Door on Quick Assist Tech Support Scams and Abuse</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:13:19 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/slamming-the-door-on-quick-assist-tech-support-scams-and-abuse-2e86</link>
      <guid>https://dev.to/mark0_617b45cda9782a/slamming-the-door-on-quick-assist-tech-support-scams-and-abuse-2e86</guid>
      <description>&lt;p&gt;This article examines the rise of social engineering attacks exploiting Windows Quick Assist, a built-in remote management tool. Attackers typically initiate these scams via phishing emails followed by unsolicited Microsoft Teams calls, posing as IT support to gain remote access to victim systems. By leveraging the trust associated with native Microsoft tools, threat actors can bypass traditional security awareness hurdles and establish a foothold within the environment.&lt;/p&gt;

&lt;p&gt;To defend against these threats, organizations should implement both procedural and technical controls. Key recommendations include disabling Quick Assist if not required, migrating to more secure alternatives like Microsoft Intune Remote Help, and monitoring network egress for specific Microsoft support URLs. Additionally, educating users on legitimate IT support protocols and conducting regular social engineering simulations are vital for early detection and mitigation.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://trustedsec.com/blog/slamming-the-door-on-quick-assist-tech-support-scams-and-abuse" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>socialengineering</category>
      <category>quickassist</category>
    </item>
    <item>
      <title>Elastic Security MCP App: Interactive security operations inside your AI Tools</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:12:15 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/elastic-security-mcp-app-interactive-security-operations-inside-your-ai-tools-5hm7</link>
      <guid>https://dev.to/mark0_617b45cda9782a/elastic-security-mcp-app-interactive-security-operations-inside-your-ai-tools-5hm7</guid>
      <description>&lt;p&gt;Elastic has introduced the Security MCP (Model Context Protocol) App, designed to bridge the gap between AI-driven analysis and the traditional SOC workflow. Instead of analysts switching between triage dashboards, threat hunting tools, and case management files, this extension allows interactive UIs to be rendered directly within environments like Claude Desktop, VS Code, and Cursor. By bringing Kibana-like capabilities into the AI conversation, analysts can perform high-level security operations without losing the context of their investigation.&lt;/p&gt;

&lt;p&gt;The app features six specialized interactive dashboards: Alert Triage, Attack Discovery, Case Management, Detection Rules, Threat Hunt, and Sample Data generation. These tools return both a compact text summary for the LLM to reason over and a React-based interface for the analyst to act upon. Built on the open MCP standard, the tool connects directly to the user's Elasticsearch cluster, ensuring that all findings, cases, and queries are preserved within the existing security infrastructure while maintaining strict role-based access controls.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.elastic.co/security-labs/elastic-security-mcp-app" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>elasticsearch</category>
      <category>mcp</category>
    </item>
    <item>
      <title>The Convergence of Cloud Secrets &amp; AI Risk</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:11:09 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/the-convergence-of-cloud-secrets-ai-risk-4fg0</link>
      <guid>https://dev.to/mark0_617b45cda9782a/the-convergence-of-cloud-secrets-ai-risk-4fg0</guid>
      <description>&lt;p&gt;The 2025-2026 SentinelOne AI and Cloud Verified Exploit Paths report identifies the adoption of AI and Large Language Models (LLMs) as the primary driver of modern cloud risk. With an observed 140% increase in AI-specific secrets, organizations are facing a rise in "shadow AI"—the unsanctioned use of unmanaged API keys. This sprawl enables unique attack vectors, including prompt injection, data poisoning, and unauthorized access to sensitive datasets processed by AI models.&lt;/p&gt;

&lt;p&gt;Traditional security challenges also persist, with attackers frequently leveraging legacy vulnerabilities and misconfigured external services as initial entry points. The report emphasizes that high-privilege cloud provider keys and CI/CD tokens remain critical targets, potentially leading to large-scale data exfiltration and supply chain compromises. To counter these threats, security leaders are advised to implement continuous surface monitoring, automate DevSecOps workflows, and establish centralized governance for all AI-related credentials.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.sentinelone.com/blog/the-convergence-of-cloud-secrets-and-ai-risk/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>cloud</category>
      <category>ai</category>
    </item>
    <item>
      <title>Breaking things to keep them safe with Philippe Laulheret</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:10:04 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/breaking-things-to-keep-them-safe-with-philippe-laulheret-3l</link>
      <guid>https://dev.to/mark0_617b45cda9782a/breaking-things-to-keep-them-safe-with-philippe-laulheret-3l</guid>
      <description>&lt;p&gt;Philippe Laulheret, a Senior Vulnerability Researcher at Cisco Talos, discusses the intricacies of ethical hacking and vulnerability research. He explains his role in proactively identifying security flaws in software and hardware, emphasizing how his work allows security teams to create detection rules that protect customers before vulnerabilities are exploited by malicious actors.&lt;/p&gt;

&lt;p&gt;The interview highlights Philippe's non-traditional career path, moving from engineering studies in France to interactive design and eventually returning to his passion for security. He stresses the value of Capture The Flag (CTF) competitions and reverse engineering as foundational skills that helped him transition from software development to a specialized research role.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://blog.talosintelligence.com/breaking-things-to-keep-them-safe-with-philippe-laulheret/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>security</category>
      <category>career</category>
    </item>
    <item>
      <title>Eyes wide open: How to mitigate the security and privacy risks of smart glasses</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:09:01 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/eyes-wide-open-how-to-mitigate-the-security-and-privacy-risks-of-smart-glasses-1ea5</link>
      <guid>https://dev.to/mark0_617b45cda9782a/eyes-wide-open-how-to-mitigate-the-security-and-privacy-risks-of-smart-glasses-1ea5</guid>
      <description>&lt;p&gt;The resurgence of smart glasses, led by companies like Meta and Google, brings significant privacy and security concerns beyond simple surveillance. Unlike previous iterations, modern smart glasses are integrated with powerful AI capable of real-time facial recognition and surreptitious data collection, which can empower stalkers and fraudsters through the extraction of personal information from the internet.&lt;/p&gt;

&lt;p&gt;Beyond privacy, these devices pose technical security risks including firmware exploitation, shoulder surfing for PINs, and the potential for sensitive data to be ingested into AI training models. Mitigation requires a combination of strict software hygiene for wearers—such as using MFA and disabling AI data reviews—and increased awareness from bystanders to prevent unauthorized recording and data theft.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.welivesecurity.com/en/privacy/eyes-wide-open-mitigate-security-privacy-risks-smart-glasses/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>privacy</category>
      <category>ai</category>
    </item>
    <item>
      <title>May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:07:58 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/may-2026-patch-tuesday-30-critical-vulnerabilities-among-130-cves-467f</link>
      <guid>https://dev.to/mark0_617b45cda9782a/may-2026-patch-tuesday-30-critical-vulnerabilities-among-130-cves-467f</guid>
      <description>

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2026/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>Falcon AIDR Detects Threats at the Prompt Layer in Kubernetes AI Applications</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:07:16 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/falcon-aidr-detects-threats-at-the-prompt-layer-in-kubernetes-ai-applications-4cj8</link>
      <guid>https://dev.to/mark0_617b45cda9782a/falcon-aidr-detects-threats-at-the-prompt-layer-in-kubernetes-ai-applications-4cj8</guid>
      <description>

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.crowdstrike.com/en-us/blog/falcon-aidr-detects-threats-at-prompt-layer-in-kubernetes-ai-apps/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>[webapps] glances 4.5.2 - command injection</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:06:40 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/webapps-glances-452-command-injection-51da</link>
      <guid>https://dev.to/mark0_617b45cda9782a/webapps-glances-452-command-injection-51da</guid>
      <description>

&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.exploit-db.com/exploits/52559" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
    </item>
    <item>
      <title>State of ransomware in 2026</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:06:00 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/state-of-ransomware-in-2026-2711</link>
      <guid>https://dev.to/mark0_617b45cda9782a/state-of-ransomware-in-2026-2711</guid>
      <description>&lt;p&gt;The 2026 ransomware landscape highlights a significant evolution in cyberthreat tactics, characterized by the emergence of post-quantum cryptography and encryptionless extortion. Groups like PE32 are now utilizing the Kyber1024 algorithm to secure data against future quantum decryption, while others prioritize the theft and public exposure of sensitive information over traditional file encryption. This shift reflects an adaptation to declining ransom payments and improved victim backup practices, transforming ransomware from a business continuity issue into a broader data security challenge.&lt;/p&gt;

&lt;p&gt;Technical trends include the widespread use of "EDR killers" and Bring Your Own Vulnerable Driver (BYOVD) techniques to disable security monitoring. The "Access-as-a-Service" model remains dominant, with initial access brokers increasingly targeting RDWeb portals and RDP/VPN credentials. To combat these threats, organizations must adopt proactive measures such as zero trust architectures, automated patch management for vulnerable drivers, and the maintenance of immutable, air-gapped backups.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://securelist.com/state-of-ransomware-in-2026/119761/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>ransomware</category>
      <category>cryptography</category>
    </item>
    <item>
      <title>2026-05-11: Google ad for Claude leads to macOS malware infection</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:04:42 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/2026-05-11-google-ad-for-claude-leads-to-macos-malware-infection-2fcg</link>
      <guid>https://dev.to/mark0_617b45cda9782a/2026-05-11-google-ad-for-claude-leads-to-macos-malware-infection-2fcg</guid>
      <description>&lt;p&gt;This report details a malicious Google ad campaign targeting macOS users. Attackers utilized search terms like "Homebrew" to display fraudulent advertisements leading to a page impersonating the download site for Claude AI. The campaign employs a "ClickFix" social engineering technique, where victims are instructed to copy and paste a malicious command directly into their terminal to resolve a fake installation error.&lt;/p&gt;

&lt;p&gt;Once executed, the malware attempts to gain elevated privileges by prompting the user for their system password and requesting broad access to the Finder and various user folders. The report provides comprehensive technical evidence, including network traffic captures (PCAPs), Indicators of Compromise (IOCs), and sample files for security researchers to analyze the infection chain and behavior.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://www.malware-traffic-analysis.net/2026/05/11/index.html" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>macos</category>
      <category>malware</category>
    </item>
    <item>
      <title>Investigating server compromises with cgroups: A Linux DFIR primer</title>
      <dc:creator>Mark0</dc:creator>
      <pubDate>Thu, 14 May 2026 05:03:15 +0000</pubDate>
      <link>https://dev.to/mark0_617b45cda9782a/investigating-server-compromises-with-cgroups-a-linux-dfir-primer-1a71</link>
      <guid>https://dev.to/mark0_617b45cda9782a/investigating-server-compromises-with-cgroups-a-linux-dfir-primer-1a71</guid>
      <description>&lt;p&gt;Repurposing Linux kernel features like control groups (cgroups) offers a powerful new stream of telemetry for cloud security and forensic investigations. While traditionally used for resource management, cgroups encode critical context regarding process lineage, user sessions, and container identities directly within the kernel's hierarchy. This metadata allows analysts to group related processes and identify suspicious behavior across host systems and containerized environments even when traditional telemetry is obfuscated.&lt;/p&gt;

&lt;p&gt;This technical deep dive examines how systemd, Docker, and Kubernetes utilize cgroups to structure workloads. By leveraging tools such as CNCF Falco or custom eBPF scripts, defenders can surface hidden relationships between processes and detect persistence mechanisms or container escapes. The article provides actionable advice for integrating cgroup data into detection engineering workflows to improve the fidelity of security alerts and accelerate incident response.&lt;/p&gt;




&lt;p&gt;&lt;strong&gt;&lt;a href="https://redcanary.com/blog/threat-detection/linux-cgroups/" rel="noopener noreferrer"&gt;Read Full Article&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>infosec</category>
      <category>linux</category>
      <category>cgroup</category>
    </item>
  </channel>
</rss>
