Device Code Phishing

In February of this year (2025), Microsoft discovered cyberattacks being launched by a group they call Storm-2372, which is suspected to be associated with Russian interests. The attacks have been ongoing since August 2024 and have targeted governments, NGOs, and a wide range of industries across multiple regions. These attacks use a phishing technique called “device code phishing,” in which the user is brought to a legitimate Microsoft website to log in—but their access and refresh tokens are still harvested. ...

2025-06-15 · 2 min · Jared Head

The JSFireTruck Situation

Background

Recently, cybersecurity researchers discovered a large-scale campaign compromising legitimate websites via JavaScript injection — over 269,000 in just the last month. These malicious injections are obfuscated using a humorously named service called JSFuck, which has since been renamed “JSFireTruck” by security researchers to avoid profanity. The service uses just six characters: [] () ! + to write and execute JavaScript code. This is made possible through JavaScript’s loose type coercion rules and strange expression evaluation. Surprisingly, it’s just normal JavaScript — no special library required — and it can even run on Node.js. ...

2025-06-14 · 2 min · Jared Head

TCP and UDP: The Internet's Backbone

As we know, the internet is like a giant web that connects different machines to one another. These are mainly computers, servers, or other devices with internet access. But the question is: how exactly does information get from one computer to another? And more importantly, how can we trust that its transit is secure and won’t be interrupted? Some information needs to be absolutely secure, while other information just needs to be broadcast — it’s not necessary that it reaches a specific person. For example, take email. Email must be secure because it’s used for things like court evidence, proprietary business documents, and other sensitive communication. ...

2025-05-24 · 4 min · Jared Head

Aho-Corasick Algorithm ⭐

When building my project Process Sentinel, I came across what I thought was an opportunity for optimization. The problem was essentially that I have a list of chains which represent process parent-child relationships. I would compare these chains against a set of suspicious chains, which would then report back whether a process chain was suspicious and the severity of it. Initially, I took a sort of naive approach:

    // containsExactPattern reports whether pattern occurs as a contiguous
    // sub-sequence of chain (a process parent-child chain).
    func containsExactPattern(chain []string, pattern []string) bool {
        if len(chain) < len(pattern) {
            return false
        }
        // Slide a window the size of the pattern over the chain.
        for i := 0; i <= len(chain)-len(pattern); i++ {
            match := true
            for j := 0; j < len(pattern); j++ {
                if chain[i+j] != pattern[j] {
                    match = false
                    break
                }
            }
            if match {
                return true
            }
        }
        return false
    }

Here I am just doing a simple sliding window that compares a pattern—a given suspicious chain—against each process in a chain. While this absolutely works for this project and any optimization would absolutely be over-engineering, I was curious if there was a better way to do this if I had a very large amount of patterns to check against a given chain. ...

2025-05-12 · 5 min · Jared Head

Initial Access: Spearphishing Example

In the MITRE ATT&CK Framework, which classifies and creates chains of events for certain kinds of hacker behavior, Initial Access is one of the first tactics used in an attack. It’s sort of self-explanatory—it describes how the attacker first got into a system. I’m just learning about these concepts, so I wanted to start from the beginning. I’m interested in a few techniques, and I’ll go over them in my next few posts. ...

2025-05-04 · 3 min · Jared Head

The Hack of the Decade: SolarWinds

On March 26, 2020, a hacker group identified by Microsoft as Nobelium launched what is widely considered the biggest supply chain hack of the 21st century. Known as the SolarWinds Hack, this event wasn’t significant because it affected a single company—it was significant because it compromised software used by thousands of organizations, including 6 U.S. federal agencies. The attackers accessed sensitive internal communications, email systems, and identity systems, potentially for months without detection. ...

2025-05-04 · 3 min · Jared Head

Lateral Movement

Once a hacker has gained access to a system through their path of choice, the next usual step is to try and gain access to other—usually more high-profile—machines on the network. This process is known as lateral movement, and it can be done in a variety of ways. To be more specific about why hackers do this, let’s talk about the advantages of gaining access to other machines. Why?

- Gain access to more privileged accounts
- Reach valuable data (like on a file server)
- Spread persistence across the network (creating re-entry points or backdoors)

Having skill in lateral movement is arguably one of the most important things for a hacker. It’s their ability to move through the environment once they get in, and it must be done with precision and stealth. It’s also where many attackers get caught, since they can leave plenty of breadcrumbs along the way. ...

2025-05-02 · 3 min · Jared Head

Living off the Land Attacks

A Brief History

As cyber defenses evolved beyond file-based malware, hackers and red teamers had to develop new strategies for maintaining unauthorized access to systems. While they still needed some kind of initial foothold—through things like phishing links, stolen remote desktop credentials, or other methods—once inside, maintaining access became a challenge. Antivirus software was getting stronger, and simply dropping suspicious binaries was no longer effective. To adapt, some hackers in the 2010s developed what is now known as a Living off the Land (LotL) attack. This type of attack uses already trusted system tools like PowerShell, WMI, or certutil to run malicious commands, download payloads, or exfiltrate data—often without writing anything to disk. It’s hard to detect because the behavior doesn’t originate from some unknown file or process like traditional malware—it comes from legitimate processes that the system is likely already using, allowing it to blend into the background. ...

2025-05-02 · 2 min · Jared Head

The State of ML in Cybersecurity

Crowdstrike Article

While AI is on the rise and seems to be unstoppable, its applications to threat detection—specifically in cybersecurity—have yet to show great promise. Traditional approaches to applying machine learning to threat detection overlook some important factors. The first is the sheer amount of data required to train a reliable detection model. While there is no shortage of data in areas like memory usage, CPU usage, file changes, and other system activity, the data for successfully flagging actual malicious behavior—especially malware executions—is sparse. ...

2025-05-01 · 2 min · Jared Head