As the Akira ransomware group continues to evolve its operations, Talos has the latest research on the group's attack chain, targeted verticals, and potential future TTPs.

Akira ransomware continues to evolve

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale,…

A hacker known as “TAINTU” is advertising a “Top Secret U.S. Space Force Military Technology Archive” for sale, allegedly containing classified data on advanced space-based defence systems and AI-driven weapons.

A hacker using the alias “TAINTU” is offering what they claim to be 1.45 TB of “top secret USSF military technology archives” for sale, priced at $15,000 in Bitcoin (BTC) or Monero (XMR) cryptocurrency.

The acronym USSF stands for the United States Space Force, the space operations branch of the U.S. Armed Forces. The USSF is responsible for organizing, training, and equipping military personnel for space-related operations.

The ad, viewed by _**Hackread.com**_, was initially posted on the data breach and cybercrime platform Breach Forums on Saturday, October 19, 2024. However, it was removed by the hacker on the same day. When _**Hackread.com**_ inquired about the removal, the hacker explained that the data remains available for sale through underground channels, citing the lack of “seriousness” from users on Breach Forums.

Partial screenshot from the now deleted post (Screenshot: Hackread.com)

**What’s in the Archive?**

The hacker’s use of the term “archive” implies a comprehensive collection of information rather than just a single piece of file/data. The sample data published by the hacker appears to be contains classified leaks from the United States Space Force (USSF), detailing advanced military technologies, space-based weapon systems, future developments, and simulated battle scenarios.

The trove of data also allegedly also includes in-depth technical analyses, project files, and system diagrams from ongoing USSF development programs, with a focus on next-generation orbital defence.

This collection, described as “dozens of files,” holds critical military data, technical diagrams, and performance simulations. It reportedly provides unprecedented insight into next-generation weaponry and space-based defence systems, including the following:

**Directed Energy Weapons (DEW):** Advanced systems optimized for targeting satellites and enemy space infrastructure using high-energy lasers. 

**Quantum Cyber Warfare:** Cutting-edge encryption-breaking technology for intercepting and neutralizing enemy satellite communications. 

**Electromagnetic Pulse (EMP) Systems:** Area-wide electronic grid disruptors, capable of disabling enemy communication, radar, and missile systems over a vast range. 

**AI-Controlled Weapons:** Autonomous targeting systems using advanced machine learning algorithms for real-time satellite interception and space warfare scenarios. 

The archive allegedly contains leaked content such as project files with technical breakdowns and financial allocations for the development of Directed Energy Weapons (DEW), AI-based orbital weapons, and quantum cybersecurity systems. It also includes research on future technologies like antimatter energy and quantum teleportation, schematics and diagrams outline high-orbit defence systems and missile interception strategies, while CSV data files provide comprehensive simulation data on energy consumption and AI response times.

In addition, the files appears to be contain over 20 technical PDF reports covering satellite communication encryption, EMP defence, and AI targeting systems, as well as classified intelligence on adversarial capabilities from nations like China and Russia, and countermeasures for hypersonic missile threats.

The sample files published by the hacker are claimed to be "technical samples extracted directly from the archive." These include PDF files detailing “Phase 3 testing of the Helios *** laser platform,” CSV files containing detailed test results related to high-tech weapons or defence systems—apparently involving directed energy weapons (DEWs) or similar technologies—and a project file snippet outlining the budget and technical progress report for the DEW-\*\*\*1.

The data also includes several diagrams, including one titled “Orbital Defense and Interception Scenarios,” which details a “beam divergence analysis for orbital defence” among other related information. However, due to security concerns and the potential implications of this being a national security breach for the United States, **_Hackread.com_** is refraining from publishing any images or details that could compromise the security of the institution.

**“Exclusive Access and Direct Breach”**

When asked whether the alleged data breach involving a third-party contractor, as seen in the April 2024 case of US defence contractor Acuity Inc., where an Intel Broker hacker leaked ICE and USCIS data, the hacker claimed it was a “direct data breach,” with no third-party firm involved.

“This archive offers exclusive access to classified military technologies currently in development by the USSF. The data covers cutting-edge research, including highly advanced AI-controlled defence systems and quantum-based communication, which are reshaping the future of warfare,” the hacker told _**Hackread.com**_.

“These documents are invaluable to anyone interested in military technology or defence strategies, providing insights into the most advanced space-based weapon systems on the planet.”

The authenticity of the breach has yet to be confirmed. _**Hackread.com**_ has reached out to the Cybersecurity and Infrastructure Security Agency (CISA) for comment. However, the hacker remains confident in the legitimacy of the archive.

1.  **Crimson Palace: Chinese Hackers Stole Military Secrets**
2.  **Military Satellite Access Sold on Russian Forum for $15,000**
3.  **Intel Broker Claims Cisco Breach, Selling Data from Major Firms**
4.  **Russian National Jailed for Smuggling US Military Tech to Russia**
5.  **S3 Buckets Exposed US Military’s Social Media Spying Campaign**

1.  \* indicates redacted information ↩︎

Hacker Advertises “Top Secret US Space Force (USSF) Military Technology Archive”

The emergence of novel anti-detection kits for sale on the Dark Web limit the effectiveness of a Chrome browser feature that warns users that they have reached a phishing page.

Source: Rawpixel via Shutterstock

Cybercriminals have found a new way to get around what has been an effective deterrent to phishing attacks, with novel anti-bot services sold on the Dark Web that allow them to bypass the protective "Red Page" warning in Google Chrome that alerts users to potential fraud.

The anti-bot services aim to prevent security crawlers from identifying phishing pages and blocklisting them by filtering out cybersecurity bots and disguising phishing pages from Google scanners, according to new research published today by SlashNext.

They do this by rendering ineffective the Red Page, a feature of Google Safe Browsing — which itself is a feature of Chromium-based browsers and other Google services — that aims to protect users from harmful websites by warning them of potential dangers, such as phishing attempts. The page is so-named because it is displayed in red and provides a warning that a site to which someone is navigating may be deceptive, advising them to avoid it.

In doing so, the warning can "severely" limit "the potential success of phishing attacks," according to the post, providing "a massive hurdle" to threat campaigns. That's because these campaigns rely on high click-through rates, which is significantly lowered when Google's detection flags a phishing page and adds it to a blocklist.

Now various anti-bot services found on the Dark Web, such as Otus Anti-Bot, Remove Red, and Limitless Anti-Bot, "threaten to undermine this line of defense, potentially exposing more users to sophisticated phishing attempts," according to the post.

**How Anti-Bot Services Work**

Though each service has its own unique features, they are all based on a combination of several techniques that allow malicious content to bypass Google's Red Page feature. Most rely on bot detection mechanisms that analyze user-agent strings and IP addresses to filter known security bot traffic that would otherwise be blocked, according to SlashNext.

"Public lists of cybersecurity crawlers are widely available (for example, Shodan), making it easy to filter known security bot traffic," according to the post. "Once an IP address or user-agent is flagged as a security crawler, it is blocked, ensuring the page remains accessible to real users but hidden from cybersecurity entities."

The services also use cloaking techniques such as context-switching or JavaScript obfuscation to serve different content based on the visitor’s profile. These techniques effectively redirect security crawlers to benign content while directing a user to a phishing page.

Another common feature of the anti-bot services is to introduce CAPTCHA or challenge pages to filter out automated scanners that typically would analyze a webpage for malicious content. "Since most bots cannot solve CAPTCHAs, this technique effectively blocks them while allowing real users through," according to the post.

Some anti-bot services might even introduce a time delay, which further confuses security bots by making them "time out" before they can scan the page and thus warn users of a potential security threat.

They also can bypass the Google Red Page by delivering region-specific content and blocking foreign traffic, according to SlashNext. For example, if a phishing campaign is targeting a Korean bank, the service might allow only Korean traffic to visit the site while blocking foreign IP addresses, the researchers noted. Moreover, these methods can get extremely specific in terms of geography, even narrowing campaigns down to the city level, which would prevent international cybersecurity services from detecting the page entirely, according to the post.

**Not Completely Foolproof**

While these anti-bot services can significantly reduce the scope of Google Red Page, they do have their limitations, the researchers noted. The malicious services work best in less sophisticated phishing campaigns because they can identify and block known crawlers in the user-agent string — where many security vendors declare their bots and crawlers, the researchers noted.

"This allows cybercriminals to filter out bot traffic, prolonging the lifespan of phishing campaigns," according to the post. However, in more sophisticated phishing operations, manual analysis by analysts will eventually detect the page, leading to its inclusion on blocklists.

Still, anything that can limit the detection of phishing by end users is a threat to the overall security, not just of individuals but also enterprises. That's because despite being one of the oldest forms of cybercrime, phishing is still one of the primary ways attackers gain initial entry onto corporate networks to perform other types of malicious activities, such as ransomware attacks.

Moreover, the rise in the availability of phishing kits that make it easy for attackers to create campaigns, the growing sophistication of phishing tactics and now the emergence of anti-bot services make detection by individuals and defenders more complex.

The best defense against the use of anti-bot services to bypass Google Red Page is to use security platforms that can detect threats in real-time across email, mobile, and messaging apps with as much accuracy as possible, according to SlashNext. Aforementioned manual analysis of phishing pages and the subsequent addition of malicious sites to blocklists also can prevent these services from being effective.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Anti-Bot Services Help Cybercrooks Bypass Google 'Red Page'

The future of application security is no longer about reacting to the inevitable — it's about anticipating and preventing attacks before they can cause damage.

Source: Panther Media GmbH via Alamy Stock Photo

COMMENTARY

In my years managing security in complex environments, I've seen how threats and defenses evolve, but application security has proven a very tough nut to crack. What excites me today is the significant progress we're making in closing long-standing gaps in AppSec, and I would argue that application detection and response (ADR) is leading the charge. 

**A Fresh Take on an old Problem**

Historically, application security has been reactive. Tools like firewalls, endpoint protection, and network monitoring have been crucial, but they've often missed the critical component of the application layer itself. As our applications have transformed into interconnected ecosystems, it's become clear that traditional security measures aren't measuring up. 

The paradigm shift of ADR, which hinges on transforming AppSec from reactive to proactive security, is finally moving the needle. Instead of just detecting threats, new ADR solutions are providing deep insights into application behavior in real-time, allowing us to get ahead of potential issues. It offers unprecedented visibility and response capabilities across distributed architectures, enabling continuous monitoring of runtime behaviors, anomaly detection, and rapid incident response. This shift not only enhances our ability to identify and address threats promptly but also significantly reduces incident response times. 

**Real-Time Visibility Is a Game Changer**

One of the most frustrating aspects of securing modern applications has always been the lack of real-time visibility. Traditional tools offer only a snapshot of an application's security at a specific moment, leaving us blind to what's happening during runtime. ADR integrations are changing this dynamic by utilizing data that's already being collected and turning it into actionable insights. 

It is now possible to continuously map out applications as they evolve, monitoring data flows, API interactions, and third-party integrations. This offers new capabilities to identify potential vulnerabilities and misconfigurations in real-time as applications scale or change in production environments. For instance, the discovery of the ALBeast vulnerability, a critical weakness in AWS's Application Load Balancers (ALBs), was made possible by real-time configuration analysis. This is yet another critical issue that would have otherwise gone unnoticed without ADR tools.

**Proactive, Not Reactive**

Previously, security often meant reacting to issues after they occurred. ADR allows us to get ahead of threats, providing security teams with context about how applications behave and where weaknesses may lie. It doesn't just stop at identifying anomalies, it helps us understand why those anomalies matter and how to address them effectively. 

What excites me most about this is how today's ADR pioneers are complementing existing security measures, like Web application firewalls (WAFs) or authentication controls. These tools often generate large volumes of alerts, many of which turn out to be false positives. With ADR tech, we can cut through that noise, prioritizing threats based on application-specific context and focusing on what really matters. The pragmatist in me is also thrilled to see how ADR enhances the effectiveness of these tools, ensuring that every part of a security stack operates at its full potential. 

**Securing Distributed, Cloud-Native Applications**

As we build more distributed and cloud-native applications, the complexity of these systems will continue to grow. These architectures provide incredible flexibility and scalability, but every integration also opens new attack surfaces. ADR is a field built for this environment, by capitalizing on the wealth of insights provided by runtime behavior across microservices, APIs, and third-party integrations. Application performance and identifying misconfigurations or vulnerable code paths can now be found within a moment. 

**Why Now?**

The timing for the budding ADR market couldn't be better. As the threat landscape continues to evolve, adversaries are getting more sophisticated, targeting weaknesses at the application layer that traditional tools can't catch. We're seeing new types of attacks that exploit the growing complexity of our applications, and ADR allows us to address these threats head-on. By integrating ADR tools and principles into our strategies, we not only respond more quickly, we also enhance overall security across the industry. 

I would also be remiss to downplay another key role of ADR — facilitating better collaboration between development and security teams. With real-time visibility into both the development and runtime phases, security doesn't have to feel like a roadblock anymore. Instead, it's becoming a continuous process that extends throughout the application life cycle. 

**Looking Forward**

While no solution is a silver bullet, ADR represents a significant step forward. By offering a clear window into how applications behave at every stage, we can finally move away from reactive, best-effort security to data-driven, proactive protection. 

For those of us responsible for securing today's complex environments, ADR signifies a much-needed evolution. The future of application security is no longer about reacting to the inevitable; it's about anticipating and preventing attacks before they can cause damage. 

As a chief information security officer, that's a future I'm genuinely excited about. 

**About the Author**

Vice President & CISO, Paychex

Bradley Schaufenbuel is the vice president and chief information security officer at Paychex, a recognized leader in the payroll, human resource, and benefits outsourcing industry.  

With more than 20 years of industry experience, Bradley is a recognized security professional with significant expertise in information security management, IT compliance, fraud examination, IT audit, computer forensics, ethical hacking, business continuity planning, project management, cloud security, and process improvement.  

Prior to Paychex, Bradley served as vice president and chief information security officer at Paylocity. Previously, he served as Director of Information Security at Midland States Bank, senior vice president and chief information security and privacy officer at Midwest Bank, senior manager of IT risk and security at Zurich Financial Services, and held senior security positions at Experian and Arthur Andersen. He is licensed to practice law in Illinois and is a member of the United States Supreme Court Bar.

Why I'm Excited About the Future of Application Security

Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting...

Those who hacked the Internet Archive haven’t gone away. Users of the Internet Archive who have submitted helpdesk tickets are reporting replies to the tickets from the hackers themselves.

Internet Archive, most known for its Wayback Machine, is a digital library that allows users to look at website snapshots from the past. It is often used for academic research and data analysis. Earlier in October, the Internet Archive suffered from a data breach and DDoS attack.

During that breach the attackers were able to steal a user authentication database containing 31 million records.

While the Wayback Machine is almost fully functional again, in a recent turn of events the attackers have started replying to those users that have opened a support ticket with the Internet Archive.

This is one of the replies a user reported:

> “It’s dispiriting to see that even after being made aware of the breach 2 weeks ago, IA has still not done the due diligence of rotating many of the API keys that were exposed in their gitlab secrets.
> 
> As demonstrated by this message, this includes a Zendesk token with perms to access 800K+ support tickets sent to info@archive.org since 2018.
> 
> Whether you were trying to ask a general question, or requesting the removal of your site from the Wayback Machine—your data is now in the hands of some random guy. If not me, it’d be someone else.
> 
> Here’s hoping that they’ll get their shit together now.”

An Application Programming Interface (API) token is like a special pass that allows a computer program or app to access and use services provided by another program or website. It is used as proof that the user or app has permission to access the service.

It appears as if the Internet Archive uses Zendesk to manage its support tickets. Having the Internet Archive’s Zendesk token would certainly explain why the hackers can reply to customer tickets.

Changing a Zendesk API token is not very hard, but it can have unexpected consequences, so it may require some advance planning to minimize potential disruptions. This could be why the Internet Archive may not have gotten round to it yet. But not changing API keys that would grant the attackers access to the organization’s important infrastructure like Zendesk would be a serious omission.

On October 18, 2024, Internet Archive founder Brewster Kahle, posted an update stating the stored data of the Internet Archive is safe and work on resuming services safely is in progress.

> “We’re taking a cautious, deliberate approach to rebuild and strengthen our defenses. Our priority is ensuring the Internet Archive comes online stronger and more secure.”

So far, the Internet Archive has not responded to the new developments, and the motivation for the attacks on the Internet Archive remain unclear. We’ll keep you posted.

 Internet Archive attackers email support users: &#8220;Your data is now in the hands of some random guy&#8221; 

Paxton Net2 versions prior to 6.07.14023.5015 (SR4) suffers from a bypass vulnerability that allows for unauthorized enabling of the API.

CloudAware Security Advisory

CVE-2024-48939: Unauthorized enabling of API in Paxton Net2 software

========================================================================  
Summary  
========================================================================  
Bypass of Paxton Net2 API license. Possible leaking of PII and access to   
admin functionality.  
No physical access to computer running Paxton Net2 is required.

========================================================================  
Product  
========================================================================  
* Paxton Net2  (version < 6.07.14023.5015 (SR4))

========================================================================  
Detailed description  
========================================================================  
Paxton Net2 software offers an API. This API offers the user access to   
sensitive data such as access logs and other  
user data.[2]  
In order to enable the API a license file is needed. The license file is   
trivial to generate as demonstrated in POC in ref [1].  
This is possible while the signature checks in the Net2 software were   
not functional for the license file.  
Additionally to the license file user credentials are needed to   
authenticate against the API.  
The vendor has fixed this in version 6.07.14023.5015 (SR4) of the Net2   
software.

========================================================================  
Solution  
========================================================================  
Upgrade Paxton Net2 to version 6.07.14023.5015 (SR4)

========================================================================  
Mitigation  
========================================================================  
1) If an upgrade is not an option - as `anyone' can create valid license   
files; ensure that the filesystem of  
computers running Paxton Net2 are not reachable by unauthorised entities.  
2) Evaluate the impact of the disclosure of any configurations rolled   
out prior to these mitigation steps

========================================================================  
Weblinks  
========================================================================  
[1] https://github.com/gitaware/poc_exploit_paxton_license  
[2]   
https://www.paxton-access.com/integrating-with-paxton/how-to-integrate-with-net2/integration-capability-matrix/

========================================================================  
History  
========================================================================  
Feb 26, 2024: Paxton informed about working POC  
Feb 29, 2024: Paxton confirms working POC  
<Sept 2024: Paxton releases software update to fix issue  
Oct 10, 2024: CVE-2024-48939 issued

Paxton Net2 API License Bypass

Helper is an enumerator written in PHP that helps identify directories on webservers that could be targets for things like cross site scripting, local file inclusion, remote shell upload, and remote SQL injection vulnerabilities.

Helper 0.1

Funadmin 5.0.2 is vulnerable to SQL Injection via the selectFields parameter in the index method of \app\backend\controller\auth\Auth.php.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-7pp4-388x-2xqj: SQL injection in funadmin

Pentest Checklists Are More Important Than Ever
Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization’s attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically

Penetration Testing / API Security

****Pentest Checklists Are More Important Than Ever****

Given the expanding attack surface coupled with the increasing sophistication of attacker tactics and techniques, penetration testing checklists have become essential for ensuring thorough assessments across an organization's attack surface, both internal and external. By providing a structured approach, these checklists help testers systematically uncover vulnerabilities in various assets like networks, applications, APIs, and systems. They ensure no critical area is overlooked and guide the testing process, making it more efficient and effective at identifying security weaknesses that could be exploited by attackers. A pentest checklist essentially leaves no stone unturned and is a detailed and comprehensive list of every type of vulnerability in which to simulate an attack against.

Each asset being tested, however, requires a different pentest checklist tailored to its specific characteristics and risks. For example, a checklist for pentesting web applications – which remains one of the top targets by malicious actors - will be quite lengthy but encompasses vulnerabilities that are unique to external-facing apps. These specialized checklists are a litmus test to ensure that security measures are evaluated, assesses for effectiveness, depending on the asset, and make overall testing more targeted and relevant to each environment.

BreachLock recently introduced a comprehensive guide that includes detailed pentest checklists of the primary stages involved in pentesting using various frameworks such as OWASP Top 10 and OWAS ASVS across every asset and all respective associated vulnerabilities for the following:

*   **Network –** A pentest checklist for a Black Box external network testing including information gather, vulnerability scanning and enumeration, generic security findings, and service-based testing.
*   **Web Applications**. A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **APIs –** A pentest checklist for Gray Box testing including user authentication, authorization testing, input testing, file-based attacks, error handling, business logic testing, and discovery and recon.
*   **Mobile -** A pentest checklist for Gray Box testing including static analysis, dynamic analysis, and network analysis.
*   **Wireless** – An abbreviated pentest checklist including identification of wireless network (SSID), unauthorized access to wireless networks, access security controls, and rogue access point detection
*   **Social Engineering**\- Aa abbreviated pentest checklist including phishing attacks, pretexting and impersonation, USB drops, and physical penetration.

This is a summary of why pentest checklists are important including an overview of a general pentest checklist. A complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets, can be accessed here.

****Overview of Pentesting Delivery Models****

Penetration testing has become one of the most effective offensive security measures to identify and assess vulnerabilities across both internal and external attack surfaces. Traditional pentesting methods have certainly evolved and penetration testing services are now widely used to help fortify an organization's security posture.

Pentesting is carried out by certified security experts who simulate real-world attacks to identify vulnerabilities for assessment and mitigation within a specific scope. These tests are based on detailed pentest checklists that are tailored by asset (e.g., web applications, network, APIs, etc.) and act as a guide for the pentest checklist process, ensuring standardized frameworks are used and testing adheres to applicable compliance requirements.

To better understanding pentesting, below are the varied methods used for penetration testing that lie in the delivery model, scalability, and frequency of testing, followed by pentest checklists by asset type.

****Delivery Models****

1.  **Traditional Penetration Testing:** Typically performed manually by a team of certified pentesting experts over a fixed period (often a few days or weeks). The engagement is project-based with a final report delivered upon completion of testing.
    *   **Frequency:** Usually performed on a periodic basis, such as annually or semi-annually, as part of compliance requirements or security audits.
    *   **Scalability:** Limited in scalability due to the manual effort required by human testers and the one-off nature of the engagement.
    *   **Advantage:** Deep analysis, thorough testing tailored to specific security requirements, and direct engagement with pentest experts.
    *   **Challenges:** Fixed time frame and limited scope of assessment, which can leave gaps between tests.
2.  **Penetration Testing as a Service (PTaaS):** PTaaS is a cloud-based model that offers ongoing penetration testing services, often integrated with platforms that provide real-time reporting and collaboration. It combines automated tools with human-led expertise.
    *   **Frequency:** A more proactive approach that allows for continuous or more frequent approach to detecting and updating vulnerabilities as they emerge, .
    *   **Scalability:** Highly scalable, as it leverages automation, cloud infrastructure, and hybrid models (automated testing with human validation), enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Scalable, on-demand accessibility, hybrid efficiency, convenience, provides real-time insights, and allows for ongoing security testing.
3.  **Automated or Continuous Penetration Testing:** Uses automation to continuously monitor and test systems for vulnerabilities and is often integrated with tools that run periodic scans.
    *   **Frequency:** Provides ongoing or continuous assessments rather than periodic tests. Can be used for ongoing pentesting to validate security measure and/or to uncover new vulnerabilities as they emerge.
    *   **Scalability:** Highly scalable, as it leverages automation enabling rapid testing of multiple assets across different environments.
    *   **Advantage:** Efficient for frequent testing of repetitive tasks or enterprises in high computing environments, cost-effective, and ideal for covering large attack surfaces and complex IT infrastructures.
    *   **Challenges:** Limited in identifying complex vulnerabilities and unique attack paths that require human intuition.
4.  **Human-led Penetration Testing:** A manual and well-scoped process where certified pentest experts simulate realistic attack scenarios and TTPs, focusing on complex vulnerabilities that automated tools may miss.
    *   **Frequency:** Relies on a human-driven approach whereby certified pentest experts explore potential attack vectors. Frequency is usually project-led and periodic.
    *   **Scalability:** Highly customized to the enterprise's unique environment and assets. However, limited scalability due to the manual effort required by human testers
    *   **Advantage:** In-depth analysis, greater flexibility, and a high success rate in discovering sophisticated vulnerabilities.
    *   **Challenges:** Can be more time-consuming and costly than automated methods.

****Pentest Checklists Across Your Attack Surfaces********High-Level Pentest Checklist****

Creating a detailed pentest checklist is essential for performing thorough and effective security assessments. This first checklist is a general but expanded checklist that offers a structure approach to ensure both enterprises and CREST-certified pentest experts cover all critical areas in evaluating cybersecurity defenses.

1.  **Set Clear Objectives and Define Scope**
    *   **Clarify Goals:** Set concise objectives of the pentest engagement, such as identifying weaknesses for specific assets, compliance or security audit, or post-incident reconnaissance.
    *   **Define Scope:** Specify the systems, networks, and applications that will be tested, including the type of testing (e.g., black box, white box, gray box) for each asset.
    *   **Establish Boundaries:** Set parameters to avoid disrupting operations, such as not testing certain assets or limiting tests to outside business hours.
2.  **Assemble Penetration Testing Team**
    *   **Build a Skilled Team:** Include certified professionals with diverse expertise, such as network, application security, or social engineering specialists.
    *   **Check Credentials:** Ensure pentest experts have relevant certifications like CREST, OSCP, OSWE, CEH, or CISSP, along with hands-on experience.
3.  **Obtain Necessary Approvals**
    *   **Get Formal Authorization:** Secure written consent from stakeholders detailing and agreeing upon scope, objectives, and limitations of the test to ensure legal compliance.
    *   **Document Process:** Record all stages of the approval process, including discussions and any agreed-upon conditions. If using a third-party pentesting provider, the scope and process should be documented and signed off on.
4.  **Information Gathering**
    *   **Analyze Targets:** Gather comprehensive information about the infrastructure, including hardware, software, network design, and configurations.
    *   **Use OSINT:** Apply open-source intelligence techniques to gather additional insights into the enterprise's online presence and potential weak points.
5.  **Generating a Pentest Roadmap**
    *   **Attack Surface Management:** Run automated scans using tools such as Nessus or OpenVAS to identify vulnerabilities, focusing on identifying issues without manual input to create a preliminary roadmap for penetration testing.
    *   **Validate Findings:** Results from these scans can be validated to rule out false positives, understand the real context and impact of each potential vulnerability, and categorize by severity to provide a clear roadmap for penetration testing.
6.  **Create a Threat Model**
    *   **Identify Potential Threats:** Review recent attacks and TTPs, consider likely attackers - from random hackers to more targeted - likely attack paths, sophisticated entities, and their motivations.
    *   **Map Attack Vectors:** Prioritize the possible ways an attacker could breach an enterprise based on its environment and the current threat landscape.
7.  **Simulate Attacks**
    *   **Follow a Structure Approach:** Conduct attacks systematically, attempting to exploit weaknesses, bypass controls, and gain higher privileges where possible.
    *   **Adhere to Ethical Standards:** Ensure testing is conducted by certified experts, following standardized frameworks and compliance standards, to minimize risks to systems and data.
8.  **Gather Data and Analyze Results**
    *   **Capture Evidence:** Collect thorough evidence for each attack, such as proof of concepts (POCs) via screenshots, potential attack paths for each domain and associated subdomains and IPs.
    *   **Assess Impact:** Evaluate the consequences or impact of each vulnerability, including potential data breaches, system compromise, and operational disruption and prioritize findings by risk severity and potential impact.
9.  **Prepare and Deliver Reports**
    *   **Document Findings:** Provide a detailed report on each vulnerability and technical descriptions, POCs, risk severity, potential impact, and remediation recommendations.
    *   **Prioritization:** Penetration testing or PTaaS providers will work with enterprises to rank vulnerabilities based on risk and develop a plan for remediation in line with available resources.
10.  **Support Remediation Efforts**
    *   **Actionable Mitigation:** Present clear recommendations on how to mitigate each issue based on severity and impact.
    *   **Retesting:** Verify effectiveness of remediation by conducting follow-up pentest to ensure issues have been resolved.
11.  **Communicate with Stakeholders**
    *   **Present Results:** Share findings by providing story of impact if no action is taken. This is a much more effective strategy then providing a laundry list of vulnerabilities. Summarize key risks and actions for non-technical stakeholders.
    *   **Foster Dialogue:** Engage in discussions to address any concerns or questions about reporting and remediation efforts.

****Conclusion****

Pentest checklists serve pentest experts and their organizations by ensuring a consistent, comprehensive, and systematic approach to identifying security vulnerabilities. A pentest checklist leaves no stone unturned and facilitates better communication between pentesters and stakeholders. They provide a clear outline of what will be tested, evaluated, and how the findings will be assessed. This transparency helps enterprises understand their security posture and to make more informed decisions about improvements.

Pentest checklists are not only effective in identifying vulnerabilities but ensure a systematic approach, using the best practices, tools, and frameworks, for penetration testing. They benefit pentesters by providing assurances to their organization and stakeholders that they are taking meaningful steps to protect their assets. Pentest checklists are a security blanket for any organization conducting penetration testing as a Service.

For more detailed pentest checklists, click here for the complete guide for full-stack security, including BreachLock's compendium of comprehensive pentest checklists across all assets.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Guide:  The Ultimate Pentest Checklist for Full-Stack Security

Hi there! Here’s your quick update on the latest in cybersecurity.
Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.
Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle.

Cybersecurity / Weekly Recap

Hi there! Here's your quick update on the latest in cybersecurity.

Hackers are using new tricks to break into systems we thought were secure—like finding hidden doors in locked houses. But the good news? Security experts are fighting back with smarter tools to keep data safe.

Some big companies were hit with attacks, while others fixed their vulnerabilities just in time. It's a constant battle. For you, staying protected means keeping your devices and apps up to date.

In this newsletter, we'll break down the top stories. Whether you're protecting personal data or managing security for a business, we've got tips to help you stay safe.

Let's get started!

****⚡ Threat of the Week****

**China Calls Volt Typhoon an Invention of the U.S.:** China's National Computer Virus Emergency Response Center (CVERC) has claimed that the threat actor tracked Volt Typhoon is an invention of U.S. intelligence agencies and their allies. It also accused the U.S. of carrying out false flag operations in an attempt to conceal its own malicious cyber attacks and that it has established a "large-scale global internet surveillance network."

****‎️‍Trending CVEs****

CVE-2024-38178, CVE-2024-9486, CVE-2024-44133, CVE-2024-9487, CVE-2024-28987, CVE-2024-8963, CVE-2024-40711, CVE-2024-30088, CVE-2024-9164

****🔔 Top News****

*   **Apple macOS Flaw Bypasses Privacy Controls in Safari Browser:** Microsoft has disclosed details about a now-patched security flaw in Apple's Transparency, Consent, and Control (TCC) framework in macOS that could be abused to get around a user's privacy preferences and access data. There is some evidence that the vulnerability, tracked as CVE-2024-44133, may have been exploited by AdLoad adware campaigns. The issue has been addressed in macOS Sequoia 15 released last month.
*   **Legitimate Red Team Tool Abuse in Real-World Attacks:** Threat actors are attempting to weaponize the open-source EDRSilencer tool as part of efforts to interfere with endpoint detection and response (EDR) solutions and hide malicious activity. In doing so, the aim is to render EDR software ineffective and make it a lot more challenging to identify and remove malware.
*   **TrickMo Can Now Steal Android PINs:** Researchers have spotted new variants of the TrickMo Android banking trojan that incorporate features to steal a device's unlock pattern or PIN by presenting to victims' a bogus web page that mimics the device's actual unlock screen.
*   **FIDO Alliance Debuts New Specs for Passkey Transfer:** One of the major design limitations with passkeys, the new passwordless sign-in method becoming increasingly common, is that it's impossible to transfer them between platforms such as Android and iOS (or vice versa). The FIDO Alliance has now announced that it aims to make passkeys more interoperable through new draft protocols such as the Credential Exchange Protocol (CXP) and Credential Exchange Format (CXF) that allow for secure credential exchange.
*   **Hijack Loader Uses Legitimate Code-Signing Certificates:** Malware campaigns are now leveraging a loader family called Hijack Loader that's signed legitimate code-signing certificates in a bid to evade detection. These attacks typically involve tricking users into downloading a booby-trapped binary under the guise of pirated software or movies.

****📰 Around the Cyber World****

*   **Apple Releases Draft Ballot to Shorten Certificate Lifespan to 45 Days:** Apple has published a draft ballot that proposes to incrementally phase the lifespan of public SSL/TLS certificates from 398 days to 45 days between now and 2027. Google previously announced a similar roadmap of its intention to reduce the maximum validity for public SSL/TLS certificates from 398 days to 90 days.
*   **87,000+ Internet-Facing Fortinet Devices Vulnerable to CVE-2024-23113:** About 87,390 Fortinet IP addresses are still likely susceptible to a critical code execution flaw (CVE-2024-23113, CVSS score: 9.8), which was recently added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog. watchTowr Labs researcher Aliz Hammond described it as a "super complex vulnerability" that could result in remote code execution. The development comes as Google revealed that of the 138 exploited security vulnerabilities that were disclosed in 2023, 97 of them (70%) were first weaponized as zero-days. The time-to-exploit (TTE) has dropped from an average of 63 days in 2018-19 to just five days in 2023.
*   **Researchers Outline Early Cascade Injection:** Researchers have disclosed a novel-yet-stealthy process injection technique called Early Cascade Injection that makes it possible to evade detection by endpoint security software. "This new Early Cascade Injection technique targets the user-mode part of process creation and combines elements of the well-known Early Bird APC Injection technique with the recently published EDR-Preloading technique," Outflank researcher Guido Miggelenbrink said. "Unlike Early Bird APC Injection, this new technique avoids queuing cross-process Asynchronous Procedure Calls (APCs), while having minimal remote process interaction."
*   **ESET Israeli Partner Breached to Deliver Wiper Malware:** In a new campaign, threat actors infiltrated cybersecurity company ESET's partner in Israel, ComSecure, to send phishing emails that propagated wipers to Israeli companies disguised as antivirus software. "Based on our initial investigation, a limited malicious email campaign was blocked within ten minutes," the company said in a post on X, adding it was not compromised as a result of the incident.
*   **Google Outlines Two-Pronged Approach to Tackle Memory Safety Challenges:** Google said it's migrating to memory-safe languages such as Rust, Kotlin, Go, as well as exploring interoperability with C++ through Carbon, to ensure a seamless transition. In tandem, the tech giant emphasized it's focusing on risk reduction and containment of memory-unsafe code using techniques like C++ hardening, expanding security boundaries like sandboxing and privilege reduction, and leveraging AI-assisted methods like Naptime to uncover security flaws. As recently disclosed, the number of memory safety vulnerabilities reported in Android has dropped significantly from more than 220 in 2019 to a projected 36 by the end of this year. The tech giant has also detailed the ways it's using Chrome's accessibility APIs to find security bugs. "We're now 'fuzzing' that accessibility tree – that is, interacting with the different UI controls semi-randomly to see if we can make things crash," Chrome's Adrian Taylor said.

**Cybersecurity Resources & Insights****LIVE Webinars**

**1.** **DSPM Decoded: Learn How Global-e Transformed Their Data Defense**: Are your data defenses crumbling? Discover how Data Security Posture Management (DSPM) became Global-e's secret weapon. In this can't-miss webinar, Global-e's CISO breaks down:

*   The exact steps that transformed their data security overnight
*   Insider tricks to implement DSPM with minimal disruption
*   The roadmap that slashed security incidents by 70%

**2.** **Identity Theft 2.0: Defending Against LUCR-3's Advanced Attacks**: LUCR-3 is picking locks to your digital kingdom. Is your crown jewel data already in their crosshairs?

Join Ian Ahl, Mandiant's former threat-hunting mastermind, as he:

*   Decrypts LUCR-3's shadowy tactics that breach 9 out of 10 targets
*   Unveils the Achilles' heel in your cloud defenses you never knew existed
*   Arms you with the counterpunch that leaves LUCR-3 reeling

This isn't a webinar. It's your war room strategy session against the internet's most elusive threat. Seats are filling fast – enlist now or risk becoming LUCR-3's next trophy.

**Cybersecurity Tools**

*   **Vulnhuntr****: AI-Powered Open-Source Bug Hunting Tool —** What if AI could find vulnerabilities BEFORE hackers? Vulnhuntr uses advanced AI models to find complex security flaws in Python code. In just hours, it uncovered multiple 0-day vulnerabilities in major open-source projects.

**Tip of the Week**

**Secure Your Accounts with Hardware Security Key:** For advanced protection, hardware security keys like YubiKey are a game-changer. But here's how to take it up a notch: pair two keys—one for daily use and a backup stored securely offline. This ensures you're never locked out, even if one key is lost. Also, enable "FIDO2/WebAuthn" protocols when setting up your keys—these prevent phishing by ensuring your key only works with legitimate websites. For businesses, hardware keys can streamline security with centralized management, letting you assign, track, and revoke access across your team in real-time. It's security that's physical, smart, and almost foolproof.

****Conclusion****

That's the roundup for this week's cybersecurity news. Before you log off, take a minute to review your security practices—small steps can make a huge difference. And don't forget, cybersecurity isn't just for the IT team; it's everyone's responsibility. We'll be back next week with more insights and tips to help you stay ahead of the curve.

Stay vigilant, and we'll see you next Monday!

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#auth