Social Engineering - Security Boulevard
https://securityboulevard.com/category/blogs/social-engineering/
The Home of the Security Bloggers Network
Wed, 28 Aug 2024 08:40:29 +0000

WebAssembly: The Fly on the Wall Delivering Malware Past Secure Web Gateways
https://securityboulevard.com/2024/08/webassembly-the-fly-on-the-wall-delivering-malware-past-secure-web-gateways/
Wed, 28 Aug 2024 08:40:29 +0000

‘Last Mile Reassembly Attacks’ evade every Secure Web Gateway in the market and deliver known malware to the endpoint

At DEF CON 32, SquareX presented groundbreaking research cataloguing vulnerabilities in Secure Web Gateways (SWGs) that leave organizations exposed to threats these tools fail to detect. These traditional defenses, once considered the gold standard for enterprise security, can now be easily bypassed through client-side web attacks that they simply cannot protect against. Collectively, these attacks are called ‘Last Mile Reassembly Attacks’.

WebAssembly, a boon and a bane

Among the most concerning of these threats is the use of WebAssembly (WASM), a powerful web technology that can deliver malware directly to a user’s browser, evading SWG detection entirely. This binary instruction format allows high-performance execution of code in web browsers, enabling complex applications to run with near-native speed. However, its power and flexibility also make it an attractive vector for cyberattacks, particularly in environments where Secure Web Gateways (SWGs) are the primary line of defense.

WebAssembly is designed to work alongside JavaScript, allowing developers to execute code with higher efficiency and performance. It’s widely adopted by organizations to enhance web applications. SWGs, which are traditionally focused on inspecting network traffic at the layer of HTML, CSS, and JavaScript, are often blind to the intricacies of WebAssembly modules.

The problem lies in the fact that SWGs, operating at the network layer, do not perform the necessary dynamic analysis on WebAssembly code. This lack of visibility means that malicious actors can embed malware within WASM modules, which can then be extracted directly on the browser, bypassing the SWG’s detection mechanisms entirely.

For instance, an attacker could conceal malicious payloads within a WebAssembly module and distribute it through a compromised or even a legitimate website. Since SWGs lack the capability to analyze WebAssembly files, the malicious content slips through the network defenses undetected. The malware is assembled on the client-side and downloaded to the victim’s endpoint.

This threat is exacerbated by the fact that there is currently a lack of industry-standard security frameworks specifically designed to analyze and protect against malicious WebAssembly code. As a result, many enterprises remain vulnerable to this method of attack, relying on outdated SWGs that were never designed to handle such complex threats.

The need for a browser-native security approach

The implications of this vulnerability are clear: enterprises can no longer depend solely on network-layer defenses like SWGs to protect against the full spectrum of modern web threats. A more effective approach involves adopting browser-native security solutions, which operate directly within the browser and can analyze WebAssembly modules in real-time. These solutions provide the necessary visibility and control to detect and neutralize threats before they can cause damage.

As WebAssembly continues to gain traction in the development of web applications, enterprises must recognize the limitations of Secure Web Gateways and take proactive steps to protect their environments with solutions designed to handle the complexities of today’s web technologies.

Assess your Secure Web Gateway

Similar to smuggling malware through WebAssembly modules, there are more than 30 attacks that bypass all Secure Web Gateways. Check if your enterprise is vulnerable to them at https://browser.security/


WebAssembly: The Fly on the Wall Delivering Malware Past Secure Web Gateways was originally published in SquareX Labs on Medium.

The post WebAssembly: The Fly on the Wall Delivering Malware Past Secure Web Gateways appeared first on Security Boulevard.

‘Terrorgram’ Telegram Terrorists Trash Transformers — Grid in Peril
https://securityboulevard.com/2024/08/telegram-terrorgram-grid-richixbw/
Tue, 27 Aug 2024 17:19:11 +0000

[Image: Sign reads, “Danger: High Voltage!”]

Should’ve listened to Edison: After the arrest of Pavel Durov—the Telegram CEO—comes news of domestic extremists using the chat app to organize.

DTEX i³ Threat Advisory Reveals Growing Risk of Credential Abuse by Outside Adversaries
https://securityboulevard.com/2024/08/dtex-i%c2%b3-threat-advisory-reveals-growing-risk-of-credential-abuse-by-outside-adversaries/
Tue, 27 Aug 2024 13:00:53 +0000

In today’s digital age, where the line between personal and professional life is increasingly blurred, the storage of corporate credentials on personal accounts has emerged as an attractive vector for outside adversaries. DTEX i3 has released a new Insider Threat Advisory highlighting the growing risk of credential bleed between corporate and personal endpoints, and the … Continued

The post DTEX i³ Threat Advisory Reveals Growing Risk of Credential Abuse by Outside Adversaries appeared first on DTEX Systems Inc.

Pig Butchering at Heart of Bank Failure — CEO Gets 24 Years in Jail
https://securityboulevard.com/2024/08/shan-hanes-htsb-ceo-pig-butchering-richixbw/
Fri, 23 Aug 2024 16:54:40 +0000

[Image: A pig in a muddy farm field]

Oink, oink, FAIL—you’re in jail: Kansas bank chief exec Shan Hanes stole money from investors, a church and others to buy cryptocurrency to feed a scam.

Safe Practices for Online Shopping: Guarding Against Bad Actors
https://securityboulevard.com/2024/08/safe-practices-for-online-shopping-guarding-against-bad-actors/
Thu, 22 Aug 2024 13:11:35 +0000

Online shopping has revolutionized the way we purchase goods, offering convenience and accessibility like never before. However, with these benefits […]

The Golden Age of Impersonation: The Dual Role of AI in Cyber Attacks & Cyber Defense
https://securityboulevard.com/2024/08/the-golden-age-of-impersonation-the-dual-role-of-ai-in-cyber-attacks-cyber-defense/
Thu, 22 Aug 2024 06:17:06 +0000

Attacks today can be executed through a myriad of communication channels, including emails, social media and mobile applications.

Life at SpecterOps: The Red Team Dream
https://securityboulevard.com/2024/08/life-at-specterops-the-red-team-dream/
Wed, 21 Aug 2024 16:26:44 +0000

TL;DR

We are hiring consultants at various levels. The job posting can be found under the Consultant opening here: https://specterops.io/careers/#careers

Introduction

Hey there! I’m Duane Michael, a Managing Consultant and red teamer at SpecterOps. Over the past four years, I’ve had a front-row seat to the company’s incredible journey. In that time, we’ve grown by almost 100 employees, built a product, created new teams and capabilities, trained thousands of students, and performed countless unique and challenging penetration tests and red team exercises.

I’m always chatting with applicants, friends, and fellow security geeks about SpecterOps and the unique blend of challenges and opportunities we offer. There’s a certain SpecterOps “sparkle” that’s hard to define but easy to recognize — a passion for pushing the boundaries of security, a collaborative spirit, and a commitment to growth. I find myself wishing I could bottle this essence and share it with a wider audience, hoping to attract more individuals who can contribute to and benefit from this special culture. This blog aims to illuminate some facets of the SpecterOps sparkle that red teamers will find particularly appealing.

The list is not comprehensive and there are many additional benefits and perks to working here that I won’t cover in this blog.

Focus on Personal Sustainability

Burnout is real in this industry. Most of our leadership, all the way to the top, including our CEO and COO, are former operators and understand the importance of sustainability. We know how easy it is to get sucked down the rabbit hole researching the latest technique or Windows bug (feature). We have a flexible time off policy and we will strongly encourage you to take at least four weeks off during the year.

We also recognize that “utilization” is not the consultant’s responsibility; it’s a function of the sales pipeline and scheduling. While we track time to ensure projects are scoped and effectively resourced, you won’t be stressed about meeting arbitrary utilization targets. Your job is to do your best work.

Consultancies are known for their high travel cadence. That was certainly true before 2020, but on-site assessment requirements have significantly decreased post-COVID. An unfortunate side effect of reduced client travel is reduced face-to-face interactions and collaboration. Do you like to travel occasionally to meet up with your team? We offer a “discretionary travel” benefit, where you can optionally fly out to one of our offices for one week per quarter to collaborate with your project team face-to-face. We also coordinate larger department events, where we run hackathons and play mini-golf. Regardless of your travel appetite, we have something for everyone.

Pro-tip: Instructing our training courses is a great way to travel, especially internationally. I’ve had the privilege to take four trips to Europe in two years to teach Adversary Tactics: Red Team Operations.

Professional Development

Our people are what makes us unique, so we invest in you! The most obvious way we invest in our people is through monetary budget benefits, such as our $5000/year professional development (PD) budget and our $5250/year higher education budget. Still, there’s so much more. Money is only half of the equation. PD requires time and a lot of it. We provide all Specters three weeks of PD time to spend in flexible ways, including (but not limited to) training courses, research, tool development, and blog or conference talk creation.

Most recently, I used some of my PD time to develop the Misconfiguration Manager project, blog, and SO-CON and Troopers conference talks. Other Specters commonly use this time for training or progress toward their professional goals.

Details

In addition to personal PD time, we offer various opportunities for consultants to get hands-on experience for one to six months in other areas of the company outside of consulting. We refer to these temporary assignments as “details.” Some teams you may be assigned or request a detail on include:

Internal and Community Products (ICP): The development team responsible for many of the open-source projects SpecterOps is known for, such as Mythic and Ghostwriter. A detail to this team entails development on one of the projects and serves as a great way to flex and build your development muscles.

Earlier this year, Jonathan Owens, one of our Consultants, spent two months detailed to the ICP team to work on the C# Mythic agent, Apollo.

Research and Development (R&D): Our R&D team focuses on large-scale, open-ended research problems and they’re always looking for more. If you have a research idea, you can submit a proposal and you may earn a detail to the team to research and flesh out your idea!

In 2023, Evan McBroom spent three months with the R&D team to research Windows authentication packages and develop the LSA Whisperer tool. Max Harley also spent three months with the R&D team to help build Nemesis.

Internal Product Discovery: Think R&D but specifically working on creating and proving new attack paths in BloodHound!

Our offensive Principal Consultant, Hope Walker, is working with the Product Discovery team to build additional Azure attack paths into BloodHound.

While not officially a “detail,” we also have ample opportunity to make short-form improvements for Consulting Services, which we call “service improvement.” These assignments may include updates to tradecraft, improvements to our offensive CI/CD pipeline, or new tool features.

Lastly, we offer an awesome program called “ICP Sponsorship” where you can submit a project, tool, or idea for sponsorship under the ICP department. This is official backing of your project by SpecterOps and warrants four weeks of development time and a budget for marketing material or development costs. You retain all intellectual property (see below).

Some recent highlights of our ICP Sponsorship program are Nemesis, HardHatC2, SCCMHunter, Maestro, Misconfiguration Manager, and SharpSCCM.

Operations

At SpecterOps, we like challenges and every assessment is different. Our clients are extremely mature and you may find yourself attacking or evading new technology that you’ve never encountered before. That’s OK because we don’t hire for specific skill sets; we hire for aptitude, ability to adapt, and passionate curiosity. We welcome and encourage failure, as that helps us grow. We require humility in the form of requesting help when you need it. We have a culture of supporting one another where everyone is a resource to everyone else. This approach puts the collective knowledge of SpecterOps behind every operation.

Our project managers handle much of the administrative heavy lifting so you can focus on the technical work. Our projects typically span two weeks or more, giving you time to dive deep. And when it’s time to document your findings, we’ll give you an entire week dedicated solely to reporting. Our awesome Technical Editor will ensure your report has that “SpecterOps Sparkle” so you’re not bogged down by style guide rules.

Our infrastructure deployment automation and offensive CI/CD pipeline streamline operations so you can focus on operating, not setup and deployment. Our Technical Services team serves as our “special operations,” providing support on engagements when you get stuck or need advice. You’ll always have a teammate to collaborate with, as we have a two-person integrity requirement for all operations.

Career Progression

At SpecterOps, your technical skills should continue to grow, regardless of your role. Unlike traditional paths that often lead consultants away from hands-on work, we foster a culture where technical expertise is valued at every level. Whether you’re drawn to management, consulting, tool development, or deep technical specialization, your passion for hacking will always have a home here. Our Managers have experience operating in the trenches and understand the importance of career progression. They serve as advocates for Consultants, attempting to align the individual with the projects or focus areas they’re interested in.

Our Associate Consultant position is focused on learning and growth. The manager’s responsibility is to help you develop and evolve into a Consultant and Senior Consultant.

Our Consultant position focuses on being a strong individual contributor. A Consultant can be assigned to any project while developing into a project lead for some service lines.

The Senior Consultant position is meant to be terminal, meaning you don’t have to progress beyond that level if you don’t want to while still earning annual merit salary increases. However, if you do want to progress beyond Senior Consultant, we have three paths available: Principal Consultant, Service Architect, and Managing Consultant.

  • Principal Consultants continue consulting while managing client partnerships and performing scoping. They are the people we rely on to solve nebulous consulting-related problems.
  • Service Architects are the special operators I mentioned above. In addition to providing technical support on operations, they architect new services and improve existing ones.
  • Managing Consultants are the first level of leadership. They manage other consultants of all levels while still performing operations and client projects.

Build Your Brand

Ok, you’re sold, but let me drive the point home…

Remember how I said we invest in you? Much of our marketing material and value comes from our open-source tools, blog posts, research, etc., but we want you to build your own personal brand. SpecterOps will pay the travel costs associated with conference presentations. Want to submit to a CFP in Switzerland? We got you.

We want our Specters to do these things, but we want them to remain yours. SpecterOps has a highly unique open intellectual property (IP) policy. If you perform research or develop an open-source tool, it remains yours. You will publish tools on your personal code repository and blogs on your personal blog of choice.

Take the Next Step

In closing, SpecterOps truly takes a unique approach to employee growth and development. We focus on balance, support, and interesting work.

We are hiring consultants at various levels and would love to hear from you. The job posting (including salary bands) can be found under the Consultant openings here: https://specterops.io/careers/#careers

As a follow-up to this blog, I will publish another short blog about our interview process, what we look for, and the keys to success!

Please feel free to reach out to me on X or LinkedIn if you have any questions about SpecterOps or the role, or directly to careers@specterops.io.


Life at SpecterOps: The Red Team Dream was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Teach a Man to Phish
https://securityboulevard.com/2024/08/teach-a-man-to-phish/
Wed, 21 Aug 2024 14:52:03 +0000

PHISHING SCHOOL

A Decade of Distilled Phishing Wisdom

I decided to give away all of my phishing secrets for free. I realized at some point that I have been giving away phishing secrets for years, but only to select individuals, and only one at a time. That method of knowledge dissemination is terribly inefficient! So here it is, I’ve written it down for you instead.

Key Takeaways

If I could teach you only three things about phishing:

  1. Phishing can be an absolute thrill: The effort is worth the payoff!
  2. Canned templates won’t get you far: Just a little creativity goes a long way
  3. Whatever controls you are up against, there is probably a bypass (or multiple): Play around with multiple techniques and document what works for your team

Distilled Wisdom

This whole series was designed to break down phishing into its individual challenges, and provide advice for each. Here’s the list of lessons learned from each post:

Phish Sticks; Hate the Smell, Love the Taste: I’ll Make You Great at Phishing, Or Your Money Back

  1. Don’t quit before you start! You secretly love phishing (trust me)
  2. To be successful, we must recognize and address each control that will try to stop us
  3. Logging is your friend and will guide you if you pay attention

Plenty of Phish in the Sea: How to Find the Right Phishing Targets

  1. Cast a wide net. Get all the contacts you can; then pare down the list
  2. Use industry specific sources when you can
  3. Focus on small groups so we can be targeted with our pretexts

One Phish Two Phish, Red Teams Spew Phish: How to Give your Phishing Domains a Reputation Boost

  1. SPF is not a silver bullet. We can take advantage of misconfigurations
  2. When you buy domains for phishing, set up your own mail security records
  3. There are many options to get our domains categorized. Make sure to use at least one

Fly Phishing: How to Bypass Spam Filters

  1. “Click” is a very dirty word. Don’t use foul language like that in your emails
  2. There are many tricks we can use to disguise our message. Experiment with many
  3. AI is not a silver bullet against phishing messages
  4. Test, Measure, Repeat!

Feeding the Phishes: Bypass Phishing Link Filters

  1. Most link filters use simple string matching. There are several tricks to bypass them
  2. Sometimes it’s more useful to put your link inside an attachment

I Will Make you Phishers of Men: Convincing Targets to Click Your Links

  1. Phishing is a game of odds. If we understand the math, we can boost our success
  2. Targeted campaigns are always better than generic emails
  3. We can appeal to a variety of emotions and motivations to drive click rates
  4. People love furry animals

Like Shooting Phish in a Barrel: How to Bypass Link Crawlers

  1. Link crawlers are pretty basic bots. Classic bot protections like CAPTCHAs work fine
  2. Fingerprinting using JavaScript can be even more effective

Drink Like a Phish: How to Make Your Phishing Sites Blend In

  1. Expect your phishing sites to be crawled, and prepare for it
  2. Don’t just directly clone sites
  3. Don’t serve phishing site contents to just anyone
  4. Browser-in-the-Middle can be extremely effective

Phish Out of Water: Bypass Web Proxies so Your Phish Don’t Suffocate

  1. Most attempts to block malicious file types only look for one of three indicators: Extension, MIME, or Magic number. We can control all three.
  2. There are tons of malicious file types we can use for initial access. It’s unlikely that every one will be blocked
  3. When in doubt, just ask the phishing target to circumvent controls for you

Deep Sea Phishing Pt. 1: How to Bypass EDR With Custom Payloads

  1. We need our payloads to stay off the “known bad” list
  2. Writing your own payloads is one of the best ways to achieve “unknown bad” status
  3. Make your code modular, and keep it as simple as possible
  4. You don’t always need a super feature rich implant to be successful

Deep Sea Phishing Pt. 2: Making Your Malware Look Legit So It Bypasses EDR

  1. EDR evasion is all about looking like legitimate software
  2. There are many ways we can trick trusted, signed binaries into doing our bidding
  3. Help desk software can be a bombshell when used with social engineering

Sleeping With the Phishes: Hide C2 With Stealthy Callback Channels

  1. HTTP(S) and DNS are not the only C2 channels out there
  2. SMTP is a hidden gem of a C2 channel
  3. Have you heard of STUN and TURN? They are protocols that traverse firewalls by design, and your target network probably allows them
  4. Data in and data out don’t have to take the same path

Bon Voyage

That’s 42 practical phishing lessons, and only just my top picks. There are many more nuggets of wisdom throughout the series, but I understand if you don’t have time to basically read a whole book about phishing. Feel free to skip around and reference as needed.

“The sea, once it casts its spell, holds one in its net of wonder forever” — Jacques Yves Cousteau

Hope you’ve had fun learning at my school of phish. Tight lines my friends!


Teach a Man to Phish was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

Unmasking the Sophisticated: How AI-Powered Defenses Thwart Advanced Phishing Attacks
https://securityboulevard.com/2024/08/unmasking-the-sophisticated-how-ai-powered-defenses-thwart-advanced-phishing-attacks/
Mon, 19 Aug 2024 23:30:18 +0000

Attackers are constantly refining their techniques for advanced phishing attacks to exploit the trust inherent in our digital systems. A recent incident we’ve captured highlights the alarming sophistication of modern phishing attempts, demonstrating how cybercriminals leverage trusted enterprise solutions to deceive even the most vigilant users. Let’s break down this attack and explain how our […]

The post Unmasking the Sophisticated: How AI-Powered Defenses Thwart Advanced Phishing Attacks first appeared on SlashNext.

The Essential Guide to Evaluating Competitive Identity Verification Solutions
https://securityboulevard.com/2024/08/the-essential-guide-to-evaluating-competitive-identity-verification-solutions/
Mon, 19 Aug 2024 10:40:13 +0000

Amid customer and regulatory pressure and intensifying cyberattacks, organizations must ensure their identity verification strategies match up against AI-powered fraud techniques.
