Security Boulevard

In total, including third-party CVEs, in this Patch Tuesday edition, Microsoft published 134 CVEs, including 9 republished CVEs. Overall, Microsoft announced one Zero-Day, 11 Critical, and 113 Important vulnerabilities. From an Impact perspective, Escalation of Privilege (EoP) vulnerabilities accounted for 39%, followed by Remote Code Execution (RCE) at 28% and Information Disclosure (ID) at 13%. …

Read More

The post Patch Tuesday Update – April 2025 appeared first on Security Boulevard.

Author/Presenter: Nick Frost

Our sincere appreciation to BSidesLV, and the Presenters/Authors for publishing their erudite Security BSidesLV24 content. Originating from the conference’s events located at the Tuscany Suites & Casino; and via the organizations YouTube channel.

Permalink

The post BSidesLV24 – Breaking Ground – Chrome Cookie Theft On macOS, And How To Prevent It appeared first on Security Boulevard.

Senator Ron Wyden (D-OR) is demanding CISA release a three-year-old report critical of telecoms' security in the wake of the expansive Salt Typhoon hacks before he lifts a hold on President Trump's nomination of Sean Plankey as head of the agency.

The post Wyden to Hold Up Trump CISA Nominee Over Telecom ‘Cover Up’: Report appeared first on Security Boulevard.

Bots are often used to conduct attacks at scale. They can be used to automatically test stolen credit cards, steal user accounts (account takeover), and create thousands of fake accounts.

Detecting bot activity has traditionally relied on techniques like Web Application Firewalls (WAFs), CAPTCHAs, and static fingerprinting. However, with the

The post Why traditional bot detection techniques are not enough, and what you can do about it appeared first on Security Boulevard.

Google is rolling out end-to-end encrypted (E2EE) email for Gmail enterprise users using Client-Side Encryption (CSE).

The post Gmail End-to-End Email Encryption Explained: A Guide for Enterprise Users appeared first on Security Boulevard.

NIST, which for more than a year has been struggling to address a backlog of CVEs in its database following budget cuts, is now putting pre-2018 vulnerabilities on the back burner to give itself more time to address the rapidly growing number of new software security flaws.

The post NIST Deprioritizes Pre-2018 CVEs as Backlog Struggles Continue appeared first on Security Boulevard.

Okta is stepping forward with its boldest platform evolution yet, aiming to unify identity across human and machine actors, and extend zero-trust all the way from cloud to on-premises.

The post Solving the Identity Crisis: Okta Redefines Security in a Machine-Led World  appeared first on Security Boulevard.

As quantum computing continues to evolve, the security of our digital infrastructure is under increasing scrutiny. While quantum computers promise groundbreaking advancements, they also pose a significant threat to the cryptographic algorithms that protect sensitive information across the internet. Enter Post-Quantum Cryptography (PQC) which is our path to quantum safe security. In this blog, we’ll […]

The post Post-Quantum Cryptography: Preparing for a Quantum Future appeared first on Security Boulevard.

Luxembourg, Luxembourg, 9th April 2025, CyberNewsWire

The post Gcore Super Transit Brings Advanced DDoS Protection and Acceleration for Superior Enterprise Security and Speed appeared first on Security Boulevard.

By taking simple steps like choosing a cost-effective backup storage strategy and minimizing recovery infrastructure costs, you can protect your business without bloating your budget. 

The post Four Tips for Optimizing Data Backup and Recovery Costs appeared first on Security Boulevard.

It comes as no surprise that as the incidence of cybercrime increases, cybersec teams are becoming faster at detecting threats. 

The post The Invisible Data Battle: How AI Became a Cybersec Professional’s Biggest Friend and Foe appeared first on Security Boulevard.

PCI DSS 4.0 compliance raises the regulatory bar with stricter authentication, continuous monitoring and tighter third-party oversight.

The post PCI DSS 4.0: Time to Pay Up, Securely  appeared first on Security Boulevard.

Cyber defense is no longer about hard perimeters or checklists. It’s about adaptability, intelligence, and integration. ICS offers that path forward. It’s time to move beyond SecOps and DevSecOps—the future of cybersecurity is Intelligent Continuous Security.

The post Why Intelligent Continuous Security is the Future of Cyber Defense appeared first on Security Boulevard.

As digital identities become the new perimeter, IDaaS is no longer a “nice-to-have” but a mission-critical service for any modern website or online business. It centralizes identity operations, supports rapid scaling, and helps organizations stay secure and compliant.

The post Identity as a Service (IDaaS): The Future of Scalable, Secure Identity in the AI Era appeared first on Security Boulevard.

Twenty-one countries signed onto the Pall Mall Process, an effort a year in the making that was created to develop a framework nations could adopt to address the proliferation and malicious use of spyware by governments that want it to track human rights workers, activists, journalists, and other such targets.

The post 21 Countries Sign Onto Voluntary Pact to Stem the Proliferation of Spyware appeared first on Security Boulevard.

In the ever-evolving world of cybersecurity, certain tools and techniques possess a fascinating duality. They're designed to protect our digital lives, yet they can also be wielded by malicious actors to carry out cyberattacks. These are known as "dual-use" techniques and understanding them is crucial for anyone involved in cybersecurity.

What Exactly Are Dual-Use Techniques?

Simply put, dual use in cybersecurity refers to tools and methodologies that have legitimate security purposes but can also be used for malicious activities. Think of it as a double-edged sword: in the right hands, it defends; in the wrong hands, it attacks.

This duality arises from the inherent versatility of many cybersecurity tools. Network scanning tools, for example, are essential for security professionals to assess vulnerabilities. However, attackers can use the same tools to map out a target's network and identify weaknesses to exploit.

Top Dual-Use Techniques in Cybersecurity

Let's delve into some of the key dual-use techniques highlighted in our analysis:

• Network Scanning Tools: Tools like Nmap are vital for both offensive and defensive purposes. Attackers use them for reconnaissance, identifying open ports, operating systems, and vulnerabilities. Defenders use them for vulnerability assessment, network auditing, and maintaining an accurate inventory of digital assets.
• Penetration Testing Frameworks:
  Frameworks like Metasploit simulate real-world attacks to identify security weaknesses. Attackers use them to automate exploits and payloads, while defenders use them to validate their security controls and incident response procedures.
• Encryption Technologies: Encryption protects data confidentiality and integrity, but attackers also use it to conceal malware, establish encrypted communication channels, and secure stolen data.
• Social Engineering Tactics: These tactics exploit human psychology to manipulate individuals. Attackers use phishing, pretexting, and baiting to gain access or information. Defenders use this knowledge to create security awareness training programs and conduct phishing simulations.
• Automation and Scripting: Automation enhances efficiency for both sides. Attackers use scripts to scale attacks, while defenders use them for log analysis, vulnerability scanning, and incident response.
• Artificial Intelligence (AI) and Machine Learning (ML): AI/ML can enhance attack sophistication and scale, but they also improve threat detection and response. AI-driven systems can identify anomalies and automate incident response.
• Cloud Computing Infrastructure: Cloud platforms offer resources for malicious activities, like hosting command and control infrastructure and launching DDoS attacks. However, defenders use the cloud to implement security measures, such as IAM controls and encryption.
• Vulnerability Databases:  Databases like  CVE and  NVD help attackers identify exploitable weaknesses. Defenders use them for proactive patching and mitigation.
• Digital Forensics and Anti-Forensics: Digital forensics investigates cyber incidents. Attackers use anti-forensic techniques to evade detection and hinder investigations.
• Reverse Engineering: This technique analyzes software to understand its design and functionality. Attackers use it to discover vulnerabilities, while defenders use it for malware analysis and software security.
• DNS Tampering, Trusted IP misuse and Redirection: Redirection and tampering of DNS: DNS and trusted host or IP tampering and redirection can be used to redirect users to malicious websites or to disrupt network traffic. Conversely, these techniques can also be used defensively to mitigate attacks and ensure network integrity.

The Importance of Recognizing Dual-Use

Understanding the dual-use nature of these techniques is essential for cybersecurity professionals. By recognizing how attackers might leverage these tools, defenders can better anticipate threats and implement more effective security measures. Conversely, understanding the defensive uses can inform offensive security testing and help identify potential weaknesses.

In our exclusive white paper, we delve deep into how AI is reshaping cybercrime, the methods attackers use, and actionable strategies to keep your organization protected. Download How Cybercriminals Are Using AI: Exploring the New Threat Landscape White Paper.

Staying Ahead of the Curve

The cybersecurity landscape is constantly evolving and so are dual-use tools and techniques. Continuous learning and adaptation are crucial for staying ahead of emerging threats. Defenders must proactively leverage these tools for enhanced security, using penetration testing frameworks, AI for advanced threat detection, and reverse engineering for malware analysis.

Conclusion

The strategic significance of recognizing dual-use capabilities in cybersecurity cannot be overstated. It requires a nuanced understanding of both offensive and defensive perspectives to effectively protect digital assets and mitigate the risks posed by increasingly sophisticated cyber threats.

By staying informed and adaptable, we can navigate the complex world of cybersecurity and turn the double-edged sword into a powerful tool for defense. To effectively navigate the complexities of cybersecurity and the dual-use nature of many technologies, organizations should consider implementing solutions like Dispersive Stealth Networking. Understanding both the potential benefits and risks associated with these tools is crucial for maintaining a strong security posture.

Dispersive's unique architecture and capabilities offer significant value in mitigating risks associated with dual-use technologies, particularly in scenarios involving sensitive data and critical infrastructure. For instance, Dispersive can be leveraged to:

• Securely manage and control access to sensitive data: By creating isolated and encrypted network segments, Dispersive helps prevent unauthorized access and exfiltration of sensitive information, even if a device or user is compromised.
• Protect critical infrastructure from cyberattacks: Dispersive's ability to segment and isolate critical systems helps limit the impact of a cyberattack, preventing lateral movement and minimizing damage.
• Enable secure collaboration and data sharing: Dispersive allows organizations to securely share data and collaborate with external partners without compromising security or control.
• Enhance regulatory compliance: By providing strong multi-factor user access controls and detailed authorization of access, Dispersive helps organizations meet regulatory requirements and demonstrate compliance with authentication and authorization needs.

By incorporating Dispersive into their cybersecurity strategy, organizations can proactively address the challenges posed by dual-use technologies and enhance their overall security posture.

Cover image courtesy of Placidplace from Pixabay.

The post When Good Tools Go Bad: Dual-Use in Cybersecurity appeared first on Security Boulevard.

In a bold move that’s shaking up the cybersecurity industry, Google announced its intent to acquire cloud security unicorn Wiz for $32 billion—one of the largest cybersecurity acquisitions in history. The deal has drawn widespread attention not just for its size, but for what it signals about the future of cloud security, competition in the

The post Google’s $32 Billion Wiz Acquisition: What It Means for Cloud Security — and What It Doesn’t appeared first on Seceon Inc.

The post Google’s $32 Billion Wiz Acquisition: What It Means for Cloud Security — and What It Doesn’t appeared first on Security Boulevard.

As part of my role as Service Architect here at SpecterOps, one of the things I’m tasked with is exploring all kinds of technologies to help those on assessments with advancing their engagement.

Not long after starting this new role, I was approached with an interesting problem. A SQL Server database backup for a ManageEngine’s ADSelfService Plus product had been recovered and, while the team had walked through the database recovery, SQL Server database encryption was in use. With a ticking clock, the request was clear… can we do anything to recover sensitive information from the database with only a .bak file available?

One of the things that I love about this job is getting to dig into various technologies and seeing the resulting research being used in real-time. After some research, we had decryption keys, a method of decrypting sensitive data, and DA credentials extracted and ready to go!

This post will explore how this was done, look at how SQL Server encryption works, introduce some new methods of brute-forcing database encryption keys, and show a mistake in ManageEngine’s ADSelfService product which allows compromised database backups to reveal privileged credentials.

Manage Engine Protected Data

Let’s start with Manage Engine’s ADSelfService product. Documentation shows that Domain Admin credentials are likely present:

If we setup this tool in a lab environment, we find encrypted fields such as the below USER_NAME column:

Further, if we review the configuration of the database, we see that this is SQL Server’s builtin encryption functionality that is being used to protect these fields. So the mission is clear: we need to understand SQL Server Encryption before we can hope to retrieve this data in cleartext.

SQL Server Encryption Overview

The root of the cryptography chain in SQL Server is the Service Master Key (SMK). This key is associated and stored in the master database for the server.

At a database layer, the Database Master Key (DMK) is the start of the encryption chain for each database. This diagram from Microsoft gives a brilliant visualisation of this in action:

https://learn.microsoft.com/en-us/sql/relational-databases/security/encryption/encryption-hierarchy?view=sql-server-ver16

For us to explore this encryption functionality, let’s run a few TSQL commands on a lab instance of SQL Server 2019.

First up, we create a new database and master key:

USE CryptoDB;
CREATE MASTER KEY ENCRYPTION BY PASSWORD='Password123'

We can then view our created master key with:

SELECT * FROM sys.symmetric_keys

Now this doesn’t show the actual content of the master key. Instead, to see this, we can use the query to list encryption keys in a database:

SELECT * FROM sys.key_encryptions

The crypt_property field shows our newly created master key in some form. We can also see that the crypt_type and crypt_type_description fields give a good indication as to each key’s type.

After searching Microsoft’s documentation for how these keys are actually stored, or ways that we can extract them, I found a few snippets of information:

Unfortunately none of this is useful for our purpose, so into the disassembler and debugger I needed to go.

Strap In Peeps.. We’re Going Low Level!

For this exercise, it usually makes sense to try and find a good lead as to the APIs that Microsoft SQL Server may use to handle encryption/decryption. My lab ran SQL Server 2017 on Microsoft Windows Server 2019 and installing WinDBG Preview was too much of a pain without access to the Windows Store, so I spun up API Monitor and hooked the Crypto APIs to see if anything indicated their use during cryptographic operations on SQL Server. We execute the TSQL to open the master key and:

As far as indicators go, this was a good one. We see that BCryptHashData was used along with a password provided during the opening of the database master key.

The important part for us is the call stack, which showed sqllang.dll and sqlmin.dll were prime candidates for reversing:

Symbols were available for both of these dynamic-link libraries (DLLs) are grabbed using symchk.exe:

Service Master Key Encryption

Let’s look at how the Service Master Key is generated and stored on SQL Server. This is the root of the encryption chain as shown in Microsoft’s diagram, so if we can find a vulnerability here, or some method of cracking this key, everything else will fall!

We know that a Database Master Key is encrypted using the Service Master Key. We also know from Microsoft’s documentation that this is likely protected using the data protection APIs (DPAPIs), which means that if we add a breakpoint on CryptUnprotectData / CryptProtectData and create a new DMK, we are in with a shot of seeing where in SQL Server is responsible for using the SMK.

To create the new key we use:

CREATE MASTER KEY ENCRYPTION BY PASSWORD='Password123'

And we hit a breakpoint with a valuable stack trace:

Here we see two method calls which tell us a story:

CSECDBMasterKey::Decrypt

CSECServiceMasterKey::Initialize

This makes sense, because we know that the SMK is used to decrypt the DMK and the DPAPI should protect the SMK.

We can pull out the arguments to CryptoUnprotectData and find the following value being decrypted:

And if we use the following TSQL query:

SELECT * FROM master.sys.key_encryptions

We find that the encrypted SMK matches the encrypted key stored in the master database:

Another caveat is a value passed to CryptUnprotectData as the optional entropy value. After a bit of digging, we find that this value is taken from the registry key:

HKLM\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL14.MSSQLSERVER\Security

So what does this mean? Well, if you have execution rights on a machine running SQL Server, we can use the following C# to recover the SMK:

using System;
using System.Security.Cryptography;
using Microsoft.Win32;

namespace ConsoleApp1
{
internal class Program
{
static void Main(string[] args)
{
// Read registry key
var rk = Registry.LocalMachine.OpenSubKey(@"SOFTWARE\\Microsoft\\Microsoft SQL Server\\MSSQL14.MSSQLSERVER\\Security");
byte[] entropy = (byte[])rk.GetValue("Entropy", new byte[] { 0x41 });
// SQL Encrypted SMK (minus the first 8 bytes)
byte[] encryptedData = new byte[]
{
0x01, 0x00, 0x00, 0x00, 0xD0, 0x8C, 0x9D, 0xDF, 0x01, 0x15, 0xD1, 0x11, 0x8C, 0x7A, 0x00, 0xC0, 0x4F, 0xC2, 0x97, 0xEB, 0x01, 0x00, 0x00, 0x00, 0xAC, 0x5E, 0xB2, 0x87, 0xF5, ... 0x8E, 0x50, 0x44, 0xFA, 0xDC, 0xBE, 0x47, 0x88, 0x16, 0x57, 0xBF, 0xCB, 0xB3, 0x56, 0x7B, 0x43, 0x86, 0x68, 0x31, 0x7E, 0x30, 0xE3, 0xE4, 0x3A, 0x14, 0xB4
};
try
{
// Decrypt key
byte[] data = ProtectedData.Unprotect(encryptedData, (byte[])entropy, DataProtectionScope.LocalMachine);
Console.WriteLine("Key Recovered");
} catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
}
}
}

Unfortunately with only the database backup that we hold for ADSelfService, this isn’t an option, so we move onto the next crypto layer, the Database Master Key.

Database Master Key Encryption

With DPAPI being used to protect the SMK, next up we tackle the DMK to see what we can unearth here.

We know from our TSQL that when we initialized the DMK, we used a password:

CREATE MASTER KEY ENCRYPTION BY PASSWORD='Password123'

This password is surely a weak link in the chain, but there are a few questions that come up:

1. How is this password stored in the database?
2. Is all of the keying material for this password stored in a database backup?
3. Can we bruteforce this key?

First up, we need to understand how this key is actually stored in the database. We attach a debugger to SQLServr.exeand use a password to attempt to open the DMK:

OPEN MASTER KEY DECRYPTION BY PASSWORD='ABCDE'

We add breakpoints to the previously observed BCrypt suite of APIs and we find that, after being executed, we land on a method called BCryptHashData:

The call stack shows where this is invoked:

What’s interesting is the use of the word Obfus in the method CMEDProxyObfusKey::SearchEncryptionByUserData . Obfuscation usually means something fishy is going on, so we dig into this method a bit more and we find reference to a key thumbprint:

Add a breakpoint to ComparePartialThumbPrint and attempt to open the master key again with an invalid password using:

OPEN MASTER KEY DECRYPTION BY PASSWORD='password123'

This time we find that our password is passed to this method as an argument, along with the unicode byte length:

But what is this being compared to? Dumping the third argument to this method call shows the following memory content:

This is not something that we’ve seen so far, but a bit of digging in SQL reveals the following table (requires DAC / diagnostic connection on a live database):

SELECT * FROM sys.sysobjkeycrypts

This looks similar to the previous sys.key_encryptions table; however, the thumbprint value is populated this time. What is going on here?

At this point, we know that the thumbprint is being used alongside our plaintext password. Let’s look in ComparePartialThumbPrint to see what the comparison is doing.

First the provided password is hashed:

Then the hash is salted:

And then the result is compared to the thumbprint:

If this is the case, this gives us a brilliant opportunity to create a brute-force method for our target database. After all:

1. All of the keying material is stored in the database (and therefore the database backup)
2. Nothing relates to the SMK and, therefore, DPAPI

But what are the algorithms used to hash the password? Well, in the type field of sys.key_encryptions we have a number of values:

• ESKP - Observed in databases starting at SQL Server 2008
• ESP2 - Observed in databases starting at SQL Server 2012

Starting with ESP2, if we add a breakpoint to BCryptHashData, we find that this is SHA-512 salted with 8 bytes. The resulting hash is then truncated to 24 bytes and then compared to the thumbprint.

Unfortunately for us, there is an additional step that SQL Server takes when storing the SHA-512 hash of the DMK: the hash truncates to 24 bytes.

This step alone appears to put it out of the reach of stock Hashcat rules; however, if we turn to John The Ripper, we have the option of Dynamic Rules.

A warning in advance: this is going to be slow, but we can add the following dynamic rule which will crack ESP2 keys:

[List.Generic:dynamic_2020]
Expression=sha512(utf16le($p).$s) (hash truncated to length 24)
Flag=MGF_SALTED
Flag=MGF_FLAT_BUFFERS
Flag=MGF_INPUT_24_BYTE
SaltLen=8
Func=DynamicFunc__clean_input_kwik
Func=DynamicFunc__setmode_unicode
Func=DynamicFunc__append_keys
Func=DynamicFunc__setmode_normal
Func=DynamicFunc__append_salt
Func=DynamicFunc__SHA512_crypt_input1_to_output1_FINAL
Test=$dynamic_2020$E45AF6FA6601E13A8F2B620FF8A859AE4B459B848D06F5C7$HEX$28E3C09896ED6177:Wibble123

This dynamic format can then be used with:

./run/john --format=dynamic_2020 /tmp/hashes --wordlist=/tmp/wordlist --encoding=raw

A quick demo to show how this works:

https://medium.com/media/4496dfd9e4e1bb1e5da3e85901d48ac1/href

The second type is ESKP, which is using MD5 salted with four bytes. The result is then compared to the thumbprint.

Looking at Hashcat, we find a format which suits our cracking format:

md5(utf16le($pass).$salt)

This means we can crack using:

hashcat -m 30 --hex-salt /tmp/hashes /tmp/uberwordlist.txt

A quick demo to show how this works:

https://medium.com/media/5f286afa8078622cd8482f3b129c1535/href

Brute-Forcing the ManageEngine Hashed Database Master Key

So now we have a technique to hopefully recover database encryption keys. We cross our fingers and look in our target database backup and we find ESKP. This means that we have a DMK protected using MD5 and, thankfully, a GPU cracking rig just waiting for us to feed it hashes!

Adding our hash to a file, we fire up our cracking job and…nothing.

The key hasn’t been rotated in a long time. Experience tells us that something is wrong here, so I did what I should have done in the first place. I spun up a local instance of ManageEngine to take a look at what was happening.

After reviewing, I found a file named product-config.xml, which looks like this:

The masterkey.password property has a value of 23987hxJ#KL95234nl0zBe, and if we throw this into our new method of cracking database encryption keys, we find that it cracks.

More concerningly, I then try this against the provided .bak file from the client environment and it cracks!

So what is this key: just a hardcoded value? A quick throw of this password into Google and…

The key is the example key used in Microsoft’s documentation for setting up a DMK!

TADA, dopamine hit! Using the database backup, we can now unseal the certificate and symmetric keys ManageEngine uses for decryption and pull out those sensitive credentials:

use DATABASE_NAME_HERE -- Update to contain the restored database name
OPEN MASTER KEY DECRYPTION BY PASSWORD = '23987hxJ#KL95234nl0zBe'
OPEN SYMMETRIC KEY ZOHO_SYMM_KEY DECRYPTION BY CERTIFICATE ZOHO_CERT;

And we can use this to decrypt any sensitive data contained within:

SELECT CONVERT(NVARCHAR(MAX), DecryptByKey((SELECT [Password] FROM ADSMDomainConfiguration))) as Password, CONVERT(NVARCHAR(MAX), DecryptByKey((SELECT [USER_NAME] FROM ADSMDomainConfiguration))) as UserName

Here’s what we’ve learned during this exercise:

1. ManageEngine ADSelfService backups created use an example key Microsoft provides
2. If you find a database backup that uses a DMK with the ESKP type, you can brute-force the decryption password with the speed of MD5
3. Always lab your target product before spending so much time in a disassembler

This blog post was presented at SOCON 2025. Stay tuned for the video!

The SQL Server Crypto Detour was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post The SQL Server Crypto Detour appeared first on Security Boulevard.

Traditional security fails with AI systems. Discover Microsoft's RAI Maturity Model and practical steps to advance from Level 1 to Level 5 in AI security governance.

The post What Microsoft Knows About AI Security That Most CISOs Don’t? appeared first on Security Boulevard.

Credential leaks are fueling cyberattacks. Learn how credential stuffing works—and how to stop account takeovers before they start.

The post How Credential Leaks Fuel Cyberattacks appeared first on Security Boulevard.