Education

All your DNSSEC base are belong to us

DNSSEC (Domain Name System Security Extensions) has been around since the mid-2000s and technically works well: it cryptographically signs DNS records so resolvers can verify that the answer they got really came from the authoritative server and wasn’t tampered with. Despite that, adoption and real-world deployment remain surprisingly low outside a few countries (notably .se, .nl, .cz and some others). Here’s why it never took off broadly, and why the rise of DNS over HTTPS (DoH) has made many people conclude that pushing DNSSEC further isn’t worth the effort anymore.

Read more “All your DNSSEC base are belong to us”
Threat Intel

Fortiweb – CVE-2025-58034

‘CVE-2025-58034 is an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb, allowing an authenticated attacker to execute unauthorized code on the system through crafted HTTP requests or CLI commands. It affects versions including FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, and 7.0.0-7.0.11. The vulnerability has a CVSSv3 score of 6.7 (medium severity) and has been observed exploited in the wild, prompting its addition to CISA’s Known Exploited Vulnerabilities catalog.’

Read more “Fortiweb – CVE-2025-58034”
Threat Intel

Analysing 1 Million Honeypot events with Defused Cyber Deception

A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.

Read more “Analysing 1 Million Honeypot events with Defused Cyber Deception”
Education

Detecting ‘Dark Tunnels’ with Microsoft Defender using KQL

Detecting ‘Dark Tunnels’ is an important element to corporate security, much like detecting unauthorised RMM usage. But what is a dark tunnel?

according to GROK:

A dark tunnel (sometimes called a “dark pool tunnel” or simply a secure reverse tunnel in networking contexts) refers to a type of secure, outbound-only tunneling technology that allows private access to internal services, devices, or networks without exposing them to the public internet. The “dark” aspect emphasizes that the tunnel is hidden or invisible from external scanners—there’s no inbound port forwarding, firewall holes, or public IP exposure required. Instead, it relies on encrypted outbound connections from the internal resource to a cloud-based relay or peer-to-peer mesh, enabling zero-trust access (e.g., via authentication tokens or keys).
This approach is popular in DevOps, IoT, remote work, and cybersecurity for bridging on-premises or edge devices to the cloud securely, often bypassing NAT traversal issues or legacy VPN complexities.

Read more “Detecting ‘Dark Tunnels’ with Microsoft Defender using KQL”
Education

Windows Defender at my tunnel

I was doing some testing with Cloudflare tunnels this weekend and I woke up this morning to see if funny honeypot messages I had, I quickly checked if the site was online and found a cloudflare error message. This is a just an IIS instance running on a windows 11 PC (with no WIFI or Bluetooth) plugged into a test network (so if it gets pwn3d, it’s not going to impact anything important).

Read more “Windows Defender at my tunnel”
Education

Kerberoasting History

Kerberoasting, a technique for offline cracking of Kerberos service account passwords in Active Directory environments, was publicly introduced and detailed by Tim Medin in his research paper and Black Hat USA 2014 presentation titled “Attacking Microsoft Kerberos: Kicking the Guard Dog of Hades.”

Read more “Kerberoasting History”
Breach

Ransomware kill chains are boring.. will we ever learn?

Are we stuck in a cyber world that never learns? are we doomed to suffer the same fate over and over again? Well, not if you take action, you can totally prevent events like this!

This is a fast post using an LLM to analyse the Capita redacted ICO report. Hopefully it will help people think about things and take the lessons and apply them in their own organisations.

Read more “Ransomware kill chains are boring.. will we ever learn?”
Education

A threat to sanity – Cyber Myth: Juice Jacking

“Juice jacking” has become a modern cybersecurity myth — a catchy scare story built on a long-patched Android debugging issue and fueled by viral fear rather than facts. Despite years of warnings, there are no confirmed cases of real-world juice jacking attacks; the cost, effort, and low reward make it an impractical method for criminals. Yet the myth persists because it’s vivid, simple, and scary — everything our brains latch onto. The real danger is not the USB port at the airport, but the distraction such myths create. When people focus on imaginary threats, they waste precious attention that should go toward genuine risks like weak passwords, missing MFA, unpatched systems, and poor backups. So let’s take a bit of a deeper dive into this subject, because by it’s important to understand what to, and what not to focus on in my experience!

Read more “A threat to sanity – Cyber Myth: Juice Jacking”
Copyright (c) Xservus Limited