Cybersecurity on {IT}

Solving the Openfire Lab Blue team challenge

Sun, 24 Aug 2025 11:34:34 +0000

Today we’re reviewing a vulnerability in Openfire. It is a self-hosted alternative to Slack/Teams: you run it on your own infrastructure, control the data, and extend it with plugins.

As a cybersecurity analyst, you are tasked with investigating a data breach targeting your organization’s Openfire messaging server.

Attackers have exploited a vulnerability in the server, compromising sensitive communications and potentially exposing critical data.

Your task is to analyze the provided network capture files using Wireshark. Identify evidence of the exploitation, trace the attacker’s actions, and uncover indicators of compromise.

Solving the ShadowCitadel Lab Blue team challenge 🫆

Sun, 10 Aug 2025 19:33:14 +0000

Today, we dive into a host-based forensics investigation − a curious case of a breach inside the enterprise environment of a company called TechSynergy:

A leading tech firm, TechSynergy, has detected an anomaly after an employee engaged with an unexpected email attachment. This triggered a series of covert operations within the network, including unusual account activity and system alterations.

Security alerts indicate potential access to sensitive infrastructure, with suspicious outbound traffic raising red flags. The incident response team fears a sophisticated attack may be underway, threatening critical data.

How to prevent token misuse in LLM integrations

Tue, 22 Jul 2025 19:46:56 +0000

LLMs are powerful. And expensive. Every token counts, and if you’re building something that uses an LLM API (Claude, OpenAI, Gemini or PaLM, Mistral, etc.), malicious users can abuse it to burn through your credits. This is especially true for apps that take user input and feed it to the model.

The trick is that an attacker doesn’t have to hack your servers. Not even SQL-inject it. They just have to convince the LLM to do something it shouldn’t by crafting a proper prompt. So, actually, it does look a bit like an SQL injection, but for AI prompts.

Solving the XLMRat Blue team challenge

Sat, 28 Jun 2025 13:46:59 +0000

Today we’re looking at the XLMRat malware. It is a remote access trojan (hence the RAT part) built to be small, sneaky, and stupidly persistent. It typically rides in via phishing or social engineering, often disguised as something mundane, like a JPG or TXT file. It targets Windows systems and speaks fluent PowerShell.

It’s popular among low-effort attackers looking for ready-made tools that still pack a punch. Especially in campaigns targeting individuals or small orgs where endpoint hygiene is weak. There’s a block with more information at the end of this post ⬇️

Solving the BlueSky Ransomware Blue team challenge

Sun, 18 May 2025 16:35:26 +0000

Today we’re looking at the BlueSky ransomware, a strain of malicious software that encrypts files on a victim’s system, rendering them inaccessible until a ransom is paid. First detected in June 2022, it shares similarities with other notorious ransomware families like Conti and Babuk.

BlueSky spreads through methods such as phishing emails, malicious links, and network protocols like SMB (port 445 TCP). Once inside a system, it uses advanced evasion techniques, such as hiding threads from debuggers, to avoid detection. It targets both files and processes, encrypting files with RSA encryption and adding the .bluesky extension to them while maintaining operational stability by avoiding critical system processes.

Solving the DanaBot Blue team challenge

Sun, 04 May 2025 19:54:58 +0000

In this blog post, we’ll walk through a Blue Team lab challenge hosted by CyberDefenders, specifically investigating a breach scenario involving DanaBot malware.

The SOC team has detected suspicious activity in the network traffic, revealing that a machine has been compromised. Sensitive company information has been stolen. Your task is to use Network Capture (PCAP) files and Threat Intelligence to investigate the incident and determine how the breach occurred.

The challenge is presented by CyberDefenders (https://cyberdefenders.org) and can be found here: https://cyberdefenders.org/blueteam-ctf-challenges/danabot.

The unboring NIST SP 800-190

Tue, 18 Mar 2025 05:14:00 +0000

When most of us hear “NIST guidelines”, our first reaction might be “another boring PDF I’ll never open again”.

My first encounter with NIST Special Publication 800-190 happened when I was studying for the GIAC GCSA exam, which is focused on DevSecOps and container security. The SP 800-190 is refreshingly different. It isn’t just another checkbox compliance document – it genuinely provides practical, actionable steps to enhance container security posture.

Passkeys – the future of secure authentication

Mon, 02 Dec 2024 13:44:25 +0000

As a long-term fan of Yubikeys, I quickly got curious about this relatively new concept called “passkeys”. Big companies like Apple, Amazon, and Mastercard are nudging their users to adopt passkeys and use them instead of passwords. The “instead of passwords” part really got me curious!

Since forever, passwords have been a part of our online lives for as long as we can remember. But let’s be honest: most of us have a love-hate relationship with them. They’re either too easy to guess or so complex that we forget them entirely. Yes, even if it’s just one master password to a password vault like Bitwarden or LastPass.

Say “yes” to SBOMs!

Fri, 22 Nov 2024 14:11:03 +0000

Picture this: your software application is running smoothly in production, serving thousands of users. Then, you hear about a new critical vulnerability affecting open-source libraries, and panic sets in. Is your application exposed? If so, which part is at risk? Without a clear map of your software’s components, answering these questions can feel like searching for a needle in a haystack.

This is where a Software bill of materials, or SBOM, becomes invaluable. An SBOM is like a recipe list for your software, cataloging every ingredient − libraries, dependencies, and components making up your application. Just as food labels provide transparency (‑ish) about what you’re consuming, an SBOM ensures full visibility into what’s inside your apps.

Is my business secure? First look at the SAMM framework

Tue, 09 Apr 2024 04:15:00 +0000

Security is becoming more important for businesses operating in an increasingly complex landscape of cyber threats and data breaches. Small businesses often don’t have the advanced security measures and resources that larger enterprises possess, making them particularly vulnerable targets for cyberattacks.

A breach can result in significant financial losses, reputational damage, and legal liabilities, which can be catastrophic for small businesses. Therefore, investing in adequate security measures is essential, and in this post, we will look at the SAMM framework that allows us to take control of the situation.

Solving the WebStrike Blue Team Challenge

Sun, 17 Dec 2023 21:12:03 +0000

The challenge

In the intricate world of cybersecurity, every attack leaves behind digital footprints waiting to be deciphered. In this post, we embark on a brief journey to unravel a cyber threat, dissecting each element that reveals an attacker’s origin, tactics, and motives. Let’s dive in.

The challenge is presented by CyberDefenders (https://cyberdefenders.org) and can be found here: https://cyberdefenders.org/blueteam-ctf-challenges/webstrike/.

Note: This post is not sponsored by or affiliated with CyberDefenders.

Crimediggers: solving the cyber challenge

Sun, 16 Apr 2023 15:37:09 +0000

Crimediggers is a promotional escape game brought out by the Dutch police. It’s a very high-quality, realistic challenge and generally aimed at recruiting digital specialists for the police’s cybercrime teams. Completing Crimediggers requires previous knowledge in the computer security domain.

In this post, I share my path of progressing through the challenges. Solutions to the individual objectives will not be included, where possible, to avoid taking the fun away from other participants. DM me if you need help with any of these, and I’ll be happy to assist. Let’s get started!