Martin Ortner

My team colleague, Florian Scheiber, investigated the compromise of a server that had exposed the Remote Desktop Services (RDS) to the Internet. The attackers were able to brute-force an administrator account and subsequently stole data from the server before encrypting it.  Perimeter security - as already mentioned several times - is an indispensable part of a security dispositive. On the one hand, external port scans could show open ports; on the other hand, as in the screenshot, automated scripts can be used to show open ports in an Azure tenant:  https://lnkd.in/eXczB6bG  The resulting visibility allows us to set up appropriate protective measures, multi-factor, strong passwords, targeted monitoring, or not expose the server or the ports to the Internet at all if it is a misconfiguration.

144

5 Kommentare

Quantum Computers Capable of Breaking Cryptography in 10 years? The Federal Office for Information Security (BSI) in Germany has released an updated study on the development of quantum computing technologies and their impact on cybersecurity. 💡 Key takeaways: 🔑 A cryptographically relevant quantum computer could become a reality within 16 years - 4 years earlier than previously estimated. Advanced developments in error correction and hardware even suggest this timeline might shrink to as little as 10 years, though further verification is needed. Quantum computers hold immense potential as a key technology of the future. However, they also pose a significant threat to cybersecurity. Here's why: Our current digital infrastructure relies heavily on public-key cryptography, which, for now, is secure with classical hardware. But once universal quantum computers with sufficient capabilities emerge, this security paradigm shifts. Data encrypted today but not "quantum-safe" can be intercepted now and decrypted later when such quantum systems are available - what we call "store now, decrypt later." This not only compromises confidentiality but also endangers other critical objectives like authenticity. 🔒 The BSI urges organizations to start transitioning to quantum-safe cryptography now to mitigate these risks and safeguard our future digital infrastructure.

67

Zero-Day Alert: Google Releases Chrome Patch for Exploit Used in Russian Espionage Attacks Google has released out-of-band fixes to address a high-severity security flaw in its Chrome browser for Windows that has been exploited in the wild as part of attacks targeting organizations in Russia. The vulnerability, tracked as CVE-2025-2783, has been described as a case of "incorrect handle provided in unspecified circumstances in Mojo on Windows." Mojo refers to a collection of runtime libraries that provide a platform-agnostic mechanism for inter-process communication (IPC). As is customary, Google did not reveal additional technical specifics about the nature of the attacks, the identity of the threat actors behind them, and who may have been targeted. The vulnerability has been plugged in Chrome version 134.0.6998.177/.178 for Windows. "Google is aware of reports that an exploit for CVE-2025-2783 exists in the wild," the tech giant acknowledged in a terse advisory. It's worth noting that CVE-2025-2783 is the first actively exploited Chrome zero-day since the start of the year. Kaspersky researchers Boris Larin and Igor Kuznetsov have been credited with discovering and reporting the shortcoming on March 20, 2025. The Russian cybersecurity vendor, in its own bulletin, characterized the zero-day exploitation of CVE-2025-2783 as a technically sophisticated targeted attack, indicative of an advanced persistent threat (APT). It's tracking the activity under the name Operation ForumTroll. "In all cases, infection occurred immediately after the victim clicked on a link in a phishing email, and the attackers' website was opened using the Google Chrome web browser," the researchers said. "No further action was required to become infected." "The essence of the vulnerability comes down to an error in logic at the intersection of Chrome and the Windows operating system that allows bypassing the browser's sandbox protection." #cybersecurity #Google #chrome #browser #updatenow

84

20 Kommentare

Isn't encryption at-rest enough? I'm often asked: "why go to all the trouble of encrypting individual values in a database?". Firstly, we've spent 5 years of R&D to make it no trouble it all…but I digress! Encryption at rest and in transit protect against some threats (like stolen disks or intercepted network traffic), but they don’t help once the data is inside the database and accessible to anyone with a query. That’s often where real breaches happen (through compromised credentials, insider abuse, or overly broad access). Remember, that even if you lock your database down tight, chances are your application still has full access and a vulnerability there can lead to DB access for an attacker. Encrypting data in use so even when it sits in Postgres and is being queried, it’s still protected. The database never sees the raw values. Decryption doesn't take place in the database but further up the stack: the application layer or even in the browser. Decryption can also only take place if the user provides an identity assertion so in effect you get a powerful policy system based on encryption that works all the way up the stack. Encryption at rest is a great starting point but it isn't nearly enough to protect against modern threats.

97

23 Kommentare

Uncovered a High vulnerability related to fee collection in Uniswap V4 swaps. For a specific swap scenario (buying BUX with a specified ETH input), the hook is double-charging users! The fee is correctly taken in the _beforeSwap hook, but then erroneously extracted again in _afterSwap for the same transaction. This directly leads to users paying twice the intended fee. Here's the problematic section in _afterSwap where the fee is taken for the second time. This critical flaw impacts fairness and highlights the intricate nature of Uniswap V4 hook development. Always double-check those callback interactions! Full details and recommendations will be in the comprehensive audit report. #Solidity #SmartContract #Audit #DeFi #UniswapV4 #BlockchainSecurity #Vulnerability

34

2 Kommentare

🔐 If user consent can’t be objectively proven, can parties really trust the wallet? Last week I explored ‘PIN-data leakage’ vulnerabilities in two HSM-based EUDI wallet designs: Cleverbase (*) and the recent German proposal (**). In these designs, wallet keys are not managed on the user’s device but in a central HSM managed by the wallet provider. Authentication towards the wallet provider relies on two digital signatures: one from the device (‘possession’) and one from a PIN (‘knowledge’). These are verified in the Wallet Secure Cryptographic Application (WSCA) of the wallet provider, which then performs key operations in the HSM. The issue: in both designs the PIN-signature leaks data allowing strong adversaries (e.g. nation states) obtaining the PIN by brute-force. To mitigate this, I argued last week the WSCA in these designs must run inside the HSM as firmware and PIN-signatures must be end-to-end encrypted for the WSCA. However, such protection has a negative side-effect: it prevents logging the PIN-signature in the Transaction Log required by Article 9 of CIR 2024/2979. Without it, the wallet can't fully mitigate the repudiation risk (Risk 11 in CIR 2024/2981): “a situation where a stakeholder can deny performing an action or being involved in a transaction, and other stakeholders do not have proper evidence to contradict them.” For instance, a relying party, e.g. a bank, claims a user has consented to a transaction which the user did not do, or vice versa. To settle such disputes satisfactorily for all parties, strong objective evidence on user consent is required settling whether the user consented to the transaction or not by entering the PIN, i.e. the PIN-signature in the designs discussed. This tension between security and auditability is also seen in online banking, but privacy constraints in wallets make it harder. In my HSM-based wallet paper (https://lnkd.in/esrs_GFp) repudiation risk mitigation has led to the formulation of security objective G (Transaction Transparency): “The wallet provider records publicly verifiable transcripts in the wallet irrefutably proving that the wallet provider correctly and unambiguously followed instructions consented by the user.” In this paper I also demonstrate how this objective can be achieved using standard (PKCS#11) HSMs only, i.e. not requiring bespoke HSM-firmware. (*) https://lnkd.in/evqQidRG (**) https://lnkd.in/e44YMmA8 

32

3 Kommentare

🥊 The Google Red Team vs. Google’s defense teams The Google Red Team is a team of hackers that simulates real cyberattacks against Google’s networks, systems, and devices. The best red teams are creative sparring partners for defenders, probing for weaknesses. Stefan Friedli, one of Google's staff security engineers and a global lead for the Red Team, dives into the critical role the Google Red Team plays in helping to defend Google, and shares some insights into what makes our approach unique → https://goo.gle/41KYZAL

291

15 Kommentare

Most companies invest heavily in employee phishing training. Yet phishing still drives most breaches. Recent research from ETH Zurich shows “embedded” phishing training reduced click rates by only 2% over eight months. The small drop came from short-term reminders, not real learning. Even worse, 75% of employees spent less than one minute reviewing post-click materials, and many closed them immediately. Some even finished training more confident but not more capable, a false sense of security that increases risk. Awareness training is not a viable defense. Human error is steady and predictable. Real protection comes from speed, automation, and visibility.

37

5 Kommentare

Today I read Dirk-jan’s write-up on CVE-2025-55241: “One Token to rule them all - obtaining Global Admin in every Entra ID tenant via Actor tokens”.  Here’s what makes it insane: 🔍 What was the vulnerability • Microsoft uses Actor tokens for S2S communication like Exchange and SharePoint. These tokens bypass key security controls like conditional access and audit trails. • A flaw in Azure AD Graph API allowed cross-tenant access, letting attackers use an Actor token from a lab tenant to impersonate users, including Global Admins, in other tenants with full control. • Due to weak signing and validation, actions by impersonated Global Admins appeared legitimate, with little to no logging or telemetry in victim tenants. ⚠️ Why it’s a massive problem • No tenant could ��opt out” via conditional access or tighten settings to stop this - because the tokens bypass those protections.  • An attacker doesn’t need to break in; they just need to know two things: the ID of the target tenant (public) + a “netId” of a user in that tenant (which can often be found or bruteforced) to execute.  • The scale: this isn’t an isolated risk. It could affect every Entra ID tenant (except maybe national-cloud ones) globally. One exploit, total takeover.  ✅ What Microsoft did & what everybody should do • MSRC got the report the same day. Fixes and mitigations were rolled out within days.  • They blocked apps from requesting these Actor tokens via Azure AD Graph with SP credentials, and restricted privileged operations.  • But: legacy APIs (Azure AD Graph) are still problematic. They lack sufficient logging and telemetry. Many tenants may never have had visibility into these threats.  💡 My take / what to check TODAY 1. Confirm whether your tenant still allows Azure AD Graph usage in risky ways. If you’ve got SPs (Service Principals) that can request Actor tokens, they should be reviewed. 2. Audit logging & telemetry: make sure you have visibility across your Entra / Azure AD environments. If some operations aren’t logged (or only partially), that’s a gap. 3. Incident response readiness: think “worst-token abuse” scenario. What would compromise look like? What logs would show up? How can you detect something going wrong even if an attacker is impersonating a Global Admin? This vulnerability highlights a critical point: unsecured internal elements (legacy APIs, implicit trust, internal tokens) can lead to major security failures. Organizations considering themselves "secure enough" should assess not just user actions but also potential leaks or bypasses from internal tokens and legacy API paths.

45

Cool new tool by Scarther: OSINT Dorking Tool The tool automates 600+ templates for automating Dorking Searches. The file is HTML and is meant to run in your browser. The file generates the URL and opens a new tab when clicked. The file also has multiple different types of searches to focus investigation time. Catch all resources: https://lnkd.in/g_qvhFyr Dork Tool: https://lnkd.in/gAcP6wmz In the dork tool, the Virus Total hash is attached for verification and vetting. Please reach on GitHub for problem reports.

89