Ransomware Scum — Out For Blood: NYBCe is Latest Victim
Bloody hell: New York Blood Center Enterprises crippled by ransomware scrotes unknown.
The post Ransomware Scum — Out For Blood: NYBCe is Latest Victim appeared first on Security Boulevard.
As part of our ongoing mission to identify emerging threats to mobile security, our zLabs team shares how we can help protect you against Tria Stealer.
The post Zimperium’s Protection Against Tria Stealer’s SMS Data Theft appeared first on Zimperium.
The post Zimperium’s Protection Against Tria Stealer’s SMS Data Theft appeared first on Security Boulevard.
Authors/Presenters: Elonka Dunin, Klaus Schmeh
Our sincere appreciation to DEF CON, and the Authors/Presenters for publishing their erudite DEF CON 32 content. Originating from the conference’s events located at the Las Vegas Convention Center, and via the organization’s YouTube channel.
The post DEF CON 32 – Famous and Not So Famous Unsolved Codes appeared first on Security Boulevard.
TLDR: SlackPirate has been defunct for a few years due to a breaking change in how the Slack client interacts with the Slack API. It has a new PR by yours truly to let you loot Slack again out of the box, and a BOF exists to get you all the credential material you need to do it. I recommend you let Nemesis do the heavy lifting of finding interesting data in what you pull back.
The BOF
This all started because I noticed that my brilliant colleague Matt Creel had added a new BOF to TrustedSec’s CS-Remote-OPs-BOF collection that pulled Slack cookies from the memory of either a browser or Slack client process. This would allow an operator to then utilize the stolen cookies to proxy browser traffic through a compromised machine and access the target organization’s Slack instance. He released a great blog about it if you want to learn more.
Slack is awesome, and full of valuable data about an organization. There’s the obvious stuff like people being lax and pasting credentials, but don’t forget that it is also a comprehensive directory of who works there, and probably more valuable than their internal documentation (when was the last time you actually searched Confluence? Exactly.)
I was stoked to start using Matt’s BOF, since there hasn’t been an assessment where I got access to Slack where it didn’t prove useful. That said, something was nagging at me… This is the age of Nemesis! We don’t need to read anymore, reading is for squares! We have computers to do that for us while we watch short-form videos of animals with funny things on their heads (see below). Reading Slack was no exception.
So I set out to find a good Slack looter. I quickly stumbled upon SlackPirate, created by Mikail Tunç, which seemed to be the de facto choice. And for good reason! It is simple, fairly comprehensive, and also quite modular; you can change what is being searched for with relative ease. By default though it does a lot, such as:
Great! I plugged in my cookie and… no dice. I was unable to authenticate to any of the API endpoints I should be able to. I knew the Slack cookie I had was valid, so it was time to investigate.
Troubleshooting
Figuring out what was the matter was pretty breezy! Slack is an Electron app, so you can still access the Chrome dev tools. Slack used to allow this by exporting a particular environment variable:
SET SLACK_DEVELOPER_MENU=TRUE && start C:\Users\<USER>\AppData\Local\slack\slack.exe
You could then access the developer tools by pressing ctrl + alt + i. This no longer works for me, so I instead opted to use Chrome remote debugging, which was successful.
(NOTE: If you’re reading this blog, there’s a good chance your security team will have an alert in place for Chrome remote debugging to prevent cookie crimes. You may want to check with them before doing this on a work computer.)
C:\Users\<USER>\AppData\Local\slack\slack.exe --args --remote-debugging-port=9222
Then when you browse to chrome://inspect/ you will be able to see Slack with an option to inspect:
Chrome remote debugging
By pressing “inspect” you get your dev tools, plus a neat window of the Electron app you are debugging! I have never tried to use this to screen-peek on an Electron app over a proxy, but wouldn’t that be neat.
Inspecting Slack network traffic
My strategy at this point was to record network traffic while performing actions that seemed like they would have to be hitting a defined API endpoint from the client, and then to see what the network traffic looked like. For example, going to the “users” page and finding what endpoint got hit to retrieve them. That’s what I am doing in the screenshot above for the BloodHoundGang Slack (which you should join if you haven’t).
This allowed me to compare the requests with what was being performed in SlackPirate and determine what had changed to break it.
Turns out, not much! The APIs ended up being the same as before; the only piece that was missing was that requests are now made with a token included in the request payload itself, in addition to the cookie in the headers we already knew about.
An API request for user data containing an API token
As you can see, this token is also in a nice searchable format, starting with “xoxc”, so the same technique used by Matt’s BOF to pull the cookie from memory can be used for the token. Now the BOF pulls both, and can be used not only to get the credential material needed to browse a target organization’s Slack via a proxy, but also to interact with it programmatically.
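From the defender’s side, the two signals this post surfaces are an Electron client launched with a remote-debugging flag (the alert the note above says your security team probably has) and xoxc-style tokens turning up pasted in chat or logs. The following is an added example, not part of the original post or SlackPirate, that writes both as simple detections over constructed sample telemetry; the token pattern is generalized to the other xox*- prefixes as well.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation telemetry (not from the original post),
# one record per line: host|user|image|command_line.
PROCESS_EVENTS = """\
ws01|alice|C:\\Users\\alice\\AppData\\Local\\slack\\slack.exe|slack.exe --args --remote-debugging-port=9222
ws01|alice|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --profile-directory=Default
ws02|bob|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe|chrome.exe --remote-debugging-port=9223 --headless
ws03|carol|C:\\Users\\carol\\AppData\\Local\\slack\\slack.exe|slack.exe
"""

# Constructed chat excerpt to scan for pasted Slack credentials (sample data).
CHAT_EXPORT = """\
alice: deploy finished, see #ops
bob: my client token is xoxc-1234567890123-1234567890123-1234567890123-abcdef0123456789abcdef0123456789abcdef01
carol: reminder: the bot uses xoxb-123456789012-1234567890123-AbCdEfGhIjKlMnOpQrStUvWx
dave: nothing to see here, xox is not a token
"""

# Slack API tokens share the "xox?-" prefix; the letter after "xox" gives the
# type (c = client/session token as seen in the post, b = bot, p = user, ...).
SLACK_TOKEN_RE = re.compile(r"\bxox[a-z]-[A-Za-z0-9-]{20,}")
# Chromium/Electron flag that exposes the DevTools protocol over TCP, the
# mechanism the post used to watch Slack's API traffic.
REMOTE_DEBUG_RE = re.compile(r"--remote-debugging-(?:port|pipe)\b")

@dataclass
class Finding:
    kind: str
    where: str
    detail: str

def detect_remote_debugging(events: str) -> list[Finding]:
    """Flag processes launched with Chromium remote debugging enabled."""
    findings = []
    for line in events.splitlines():
        host, user, _image, cmdline = line.split("|", 3)
        if REMOTE_DEBUG_RE.search(cmdline):
            findings.append(Finding("remote_debugging", f"{host}/{user}", cmdline))
    return findings

def detect_slack_tokens(text: str) -> list[Finding]:
    """Find Slack-format tokens pasted into text; report them redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SLACK_TOKEN_RE.finditer(line):
            tok = m.group(0)  # keep the prefix (token type) and tail for triage
            findings.append(Finding("slack_token", f"line {lineno}", tok[:5] + "..." + tok[-4:]))
    return findings
```

Against the sample data this reports the two remote-debugging launches and the two pasted tokens, with the token bodies redacted so the finding itself does not re-leak them.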
With these two pieces of information, you can hit the Slack API just as if you were the client when a user clicks around and types. You can even make your own janky Slack bots that post out of your account… which of course I did. But you already knew that from the title. So here are screenshots of my fellow Specters suffering while I posted the entire Bee Movie into our group chat, each line as its own message. We all know it’s what you’re here for.
🐝 The aftermath
Quick aside — you may be thinking: Why go through all the trouble of doing this with the Electron client? Why not just open Slack in a web browser and inspect that traffic?
Anecdotally, I see people using the client way more often, so I wanted to make sure whatever I looked at would be representative of that. Also developers seem to trust dedicated clients more, so the tokens and cookies you snoop from them last much longer. For instance my buddy Jesko got tired of having to reauth to Slack, so he snagged a token from his phone’s client that never expires. My janky Slack bots haven’t had to reauth yet either.
SlackPirate Updates
So with our new programmatic access, it is time to loot! For the most part all of my changes to SlackPirate were updating the script to utilize the new token in addition to a cookie. There are a few other changes I threw in though that you may want to be aware of:
And there you have it. With these new updates, you are ready to get back to a nice easy life of not reading and letting Nemesis read your target’s whole Slack for you. So kick back and let your reading comprehension regress to a third-grade level with another classic animal-with-thing-on-head video from the cellar. It is a fine vintage.
SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post SlackPirate Set Sails Again! Or: How to Send the Entire “Bee Movie” Script to Your Friends in Slack appeared first on Security Boulevard.
DeepSeek, a disruptive new AI model from China, has shaken the market, sparking both excitement and controversy. While it has gained attention for its capabilities, it also raises pressing security concerns. Allegations have surfaced about its training data, with claims that it may have leveraged models like OpenAI’s to cut development costs. Amid these discussions, [...]
The post Analyzing DeepSeek’s System Prompt: Jailbreaking Generative AI appeared first on Wallarm.
The post Analyzing DeepSeek’s System Prompt: Jailbreaking Generative AI appeared first on Security Boulevard.
Fenix24 this week acquired vArmour to add an ability to detect the relationship between software, as part of an effort to extend the services it provides to enable organizations to recover faster from a cyberattack.
The post Fenix24 Acquires vArmour to Boost Cyber Resiliency Services appeared first on Security Boulevard.
The food delivery industry has a fraud problem. With slim profit margins already under pressure, bad actors are exploiting vulnerabilities on both the consumer and courier sides of delivery platforms.
The post How Fraud is Eating Away at Food Delivery Profits appeared first on Security Boulevard.
Searchlight Cyber this week revealed it has acquired Assetnote as part of an effort to unify attack surface management with its platform for detecting stolen data that has been published on the Dark Web.
The post Searchlight Cyber Acquires Assetnote to Accelerate Remediation appeared first on Security Boulevard.
JumpCloud this week revealed it has acquired Stack Identity to fuel an effort to add identity security and access visibility capabilities to its directory.
The post JumpCloud Acquires Stack Identity to Extend Access Management Reach appeared first on Security Boulevard.
By 2028, SSL/TLS certificate lifecycles may be cut down to just 47 days - a dramatic shift from the current 398-day maximum. Apple’s recent ballot submission to the CA/Browser Forum proposes this change, and it’s gaining traction among industry leaders, including Sectigo. While some enterprises may see this as an operational burden, the reality is clear: shorter certificate lifespans are a necessary and positive step for digital security and trust.
The post The push for 47-day certificates: a win for digital security and trust appeared first on Security Boulevard.
Hubelia, a Canada-based MSP, automated DMARC, SPF & DKIM with PowerDMARC, improving security, compliance, and deliverability.
The post MSP Case Study: Hubelia Simplified Client Domain Security Management with PowerDMARC appeared first on Security Boulevard.
Exploring how AI can help service providers and cloud builders keep their networks secure and why “feeding your AI dragons” with relevant, high-quality data is essential for implementing AI for DDoS security.
The post How to Train AI Dragons to Solve Network Security Problems appeared first on Security Boulevard.
A secure access service edge (SASE) solution offers the promise of a unified and cost-effective approach to modern networking: Enhancing security, performance and scalability to meet dynamic business needs.
The post 5 Steps to a Secure and Streamlined SASE Rollout appeared first on Security Boulevard.
Background The rise of DeepSeek is undoubtedly a milestone in the development of AI technology in China. As a representative AI enterprise, DeepSeek has not only made breakthrough progress in technological innovation and commercial application, but also demonstrated the outstanding strength and great potential of Chinese technology enterprises in the global AI competition. However, as […]
The post The Undercurrent Behind the Rise of DeepSeek: DDoS Attacks in the Global AI Technology Game appeared first on NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks.
The post The Undercurrent Behind the Rise of DeepSeek: DDoS Attacks in the Global AI Technology Game appeared first on Security Boulevard.
For over a decade, we warned the healthcare industry this was coming. They ignored us. Their sole focus was HIPAA compliance — checking regulatory boxes rather than securing critical systems. We told them that system and service availability attacks were coming too. They didn’t care — until they were hit, and hospitals could no longer process new patients or handle billing.
The gravest threats are attacks on critical medical devices and the infrastructures that support patient care. That moment has arrived. We now stand on that precipice. Will the healthcare industry finally take appropriate action, or will their silence be deafening?
In this particular case, on January 30, 2025, the FDA confirmed what we feared: attackers can remotely control specific patient monitors and cause them to work in unintended ways. A backdoor exists, providing attackers a direct entry point into hospital networks that could bypass primary network defenses. Additionally, these devices are gathering sensitive patient data and exfiltrating it outside the network into the hands of unauthorized and potentially malicious actors.
These capabilities align perfectly with malicious attackers’ goals — disrupting operations, infiltrating networks, and stealing sensitive data. And this is just the beginning. Expect more vulnerabilities in medical devices, including those that have direct impacts on patient health and safety.
Cybersecurity is more important than ever in the healthcare sector — it will become a matter of life and death!
Read the FDA alert: https://www.fda.gov/medical-devices/safety-communications/cybersecurity-vulnerabilities-certain-patient-monitors-contec-and-epsimed-fda-safety-communication
The post Healthcare Crisis Emerges: Cybersecurity Vulnerabilities in Patient Monitors Confirmed by FDA appeared first on Security Boulevard.
The pace of change in the technology industry has never been faster, and 2025 will be no exception. As businesses adapt to new threats, regulatory pressures, and AI-driven innovations, security and software development teams will need to rethink their strategies to stay ahead.
The post 2025 predictions: Security industry appeared first on Security Boulevard.
Payment Card Industry Data Security Standard (PCI DSS) was developed to strengthen payment account data security and standardize globally the necessary security controls. The transition from PCI DSS 3.2.1 and earlier versions to v4.0 involves significant changes aimed at enhancing payment security, providing flexibility in implementation, and addressing emerging threats.
The post Preparing for PCI DSS 4.0: How Sonatype SBOM Manager can streamline and accelerate your transition appeared first on Security Boulevard.
How Critical is Secrets Rotation in Building Trust in Cloud Security? Are you aware that proper management of Non-Human Identities (NHIs) and Secrets is a cornerstone of robust cloud security? Indeed, incorporating effective secrets rotation in your cybersecurity strategy leads to far-reaching control, considerably reducing the risk of security breaches and data leaks. But, how […]
The post Trust in Cloud Security with Effective Secrets Rotation appeared first on Entro.
The post Trust in Cloud Security with Effective Secrets Rotation appeared first on Security Boulevard.
How Essential are Innovative PAM Strategies for Modern Enterprises? Where technology advances at an unprecedented rate, a question emerges for modern businesses: How pivotal are innovative Privileged Access Management (PAM) strategies for your enterprise’s security? With the rise of cloud-based technologies and automated systems, the anatomy of cyber threats is also evolving. The introduction of […]
The post Innovative PAM Strategies for Modern Enterprises appeared first on Entro.
The post Innovative PAM Strategies for Modern Enterprises appeared first on Security Boulevard.
How Can Proactive Measures Enhance Cloud Compliance? Advancements in digital security manifest as a double-edged sword. While they provide efficient tools to safeguard sensitive data, they concurrently create complex cybersecurity challenges. This conundrum brings us to an important question: How can proactive measures enhance cloud compliance? In simpler terms, can an organization not merely react […]
The post Advancing Cloud Compliance with Proactive Measures appeared first on Entro.
The post Advancing Cloud Compliance with Proactive Measures appeared first on Security Boulevard.