If you’ve been around the governance, risk and compliance (GRC) space for a while, you likely remember the days when GRC workflows involved manually collecting screenshots from several systems, filling out control statuses in spreadsheets and hoping you’re ready for your next audit(s). Those days are gone — or at least, should have, by now...
The post Feel the FOMO: Unlocking the Future of GRC Automation appeared first on Security Boulevard.
While the cloud is generally more secure than on-premise deployments, it is not immune to vulnerabilities.
The post Navigating Data Security Challenges in Cloud Computing for Universities appeared first on Security Boulevard.
The identity industry faces its biggest shift yet: machines now outnumber humans 90:1 in digital systems. From AI-powered authentication to passwordless futures, discover the $61.74B transformation reshaping how we think about digital trust and security.
The post Identity’s New Frontier: AI, Machines, and the Future of Digital Trust appeared first on Security Boulevard.
Tel Aviv, Israel, June 9, 2025, CyberNewswire — Seraphic Security, a leader in enterprise browser security, today announced the launch of BrowserTotal, a unique and proprietary public service enabling enterprises to assess their browser security posture in … (more…)
The post News alert: Seraphic launches BrowserTotal™ — a free AI-powered tool to stress test browser security first appeared on The Last Watchdog.
The post News alert: Seraphic launches BrowserTotal™ — a free AI-powered tool to stress test browser security appeared first on Security Boulevard.
We are entering the age of agentic AI — systems that don’t just assist but act. These agents can make decisions, carry out tasks, and adapt to changing contexts — autonomously. But with autonomy comes accountability. And the question becomes: who is acting? To answer that, we need a new identity model built not for...
The post Why agentic identities matter and what you need to know appeared first on Strata.io.
The post Why agentic identities matter and what you need to know appeared first on Security Boulevard.
With the rise of AI across every industry, the buzzwords are flying fast—AI infrastructure, infrastructure for AI workloads, autonomous infrastructure, and more. The problem? These terms are often used interchangeably, and it’s easy to get lost in the noise.
The post 9 AI Infrastructure Terms: Must-Know Definitions appeared first on Security Boulevard.
BADBOX 2.0, which emerged two years after the initial iteration launched and a year after it was disrupted by vendors, has infected more than one million IoT consumer devices, prompting a warning to such systems from the FBI.
The post BADBOX 2.0 Botnet Infects Million-Plus Devices, FBI Says appeared first on Security Boulevard.
Unauthorized account sharing is a pervasive threat to digital platforms. This widespread issue—often perceived as harmless by consumers—is eating into your revenue, skewing your user metrics, and diminishing the experience for your legitimate customers. The cost is staggering, especially in the streaming industry. The habit of sharing online passwords to streaming and other subscription video-on-demand […]
The post Device ID: Your Secret Weapon Against Unauthorized Account Sharing appeared first on Security Boulevard.
Stay updated on the latest in application security with the OWASP Top 10 vulnerabilities.
The post What is AI Red Teaming? appeared first on Security Boulevard.
Author/Presenter: Joernchen
Our sincere appreciation to OffensiveCon by Binary Gecko, and the Presenters/Authors for publishing their outstanding OffensiveCon 2025 video content. Originating from the conference’s events located at the Hilton Berlin; and via the organizations YouTube channel.
Thanks and a Tip O' The Hat to Verification Labs :: Penetration Testing Specialists :: Trey Blalock GCTI, GWAPT, GCFA, GPEN, GPCS, GCPN, CRISC, CISA, CISM, CISSP, SSCP, CDPSE for recommending the OffensiveCon 25 conference.
The post OffensiveCon25 – Parser Differentials: When Interpretation Becomes a Vulnerability appeared first on Security Boulevard.
Recently, Microsoft changed the way the Entra Connect Connect Sync agent authenticates to Entra ID. These changes affect attacker tradecraft, as we can no longer export the sync account credentials; however, attackers can still take advantage of an Entra Connect sync account compromise and gain new opportunities that arise from the changes.
How It Used To WorkPrior to the change, an “AAD Connector” account would be created upon Entra Connect sync install. Upon creation, a randomized password would be generated and set for the connector account. The AAD Connector account was a user principal that would be assigned a special sync role, and it would authenticate just like any old user. You may have seen these before; they look like this:
In this instance, ENTRACONNECT is the hostname on which the agent is running. There are a wide variety of attack paths that can stem from compromising this account, so it is a very advantageous target for attackers.
Old Attacker TradecraftThanks to AADInternals, it was simple to obtain the sync password of the AAD Connector Account used to import and export data from Entra ID. Some decryption steps are documented here, but that mostly focuses on the on-premises accounts. If you are an AADInternals user, you would need to impersonate the context of the Entra Connect sync account and run the command:
Get-AADIntSyncCredentials
And that’s it! You could use your creds to do all sorts of sync mischief. Under the hood, the ADSync service account would connect to a SQL database where it would obtain a key to decrypt an “AAD configuration” blob. The plaintext password of the AAD Connector Account (Connects to Entra ID) would be in that blob. If an attacker got privileged access to a host running Entra Connect Sync, they could obtain this plaintext password and authenticate off-host, conditional access policies (CAPs) permitting. The theft of such a credential would have a huge impact on any organization, so I presume that Microsoft moved over to an application registration to reduce such a risk.
The Client Credentials FlowIf you are new to Entra ID, you can read how the Client Credentials flow works here. In a nutshell, an application registration can authenticate as itself utilizing the app roles assigned to it. To authenticate and obtain access tokens, it needs credentials provisioned to it. These credential types aren’t exclusive, and an application can have multiple. They can be in the form of:
If the application uses a certificate, it will sign an attestation when authenticating to obtain an access token. Here is an example:
POST /{tenant}/oauth2/v2.0/token HTTP/1.1 // Line breaks for clarityThe new Entra Connect Sync agent moved from a “user” centric authentication mechanism to an app registration, which uses the client credentials flow. Since app registrations support certificate authentication, a self-signed certificate is generated on install and saved in the NGC Crypto Provider store. The installer will use the login information you provided (which must be a Global Administrator or Hybrid Identity Administrator) to create a new application registration with the self-signed certificate as an authentication certificate. Once Entra Connect sync completes installation, an application will exist in Entra ID that looks like this:
And the configured app roles:
New TradecraftIn a perfect world, an attacker could no longer dump plaintext credentials (because there are none) and the private key that corresponds to the certificate is sitting on a TPM. It would appear that any AD Connector account abuses must be performed on-host from here on out, forcing an attacker to persist on a Tier Zero asset. If there is no TPM support, we may be able to export the certificate private key, but I don’t want to rely on that. To the red teamer, it may seem all is lost–but fret not; there is still hope.
After examining the .NET assemblies provided in the new release, it appeared that a graph token of a Global Administrator or Hybrid Identity Administrator was not required to add a new key to the application registration.
This came off as strange because the application was not provisioned with either Application.ReadWrite.All or Application.ReadWrite.OwnedBy. Let’s take a look at the decompiled code in Microsoft.Azure.ActiveDirectory.AdsyncManagement.Server:
if (!string.IsNullOrEmpty(graphToken))That whole else block is handling the case for when a graph token (presumably that of a Global Administrator or Hybrid Identity Administrator) is not provided. How interesting!
The aadCredential username and password is a bit misleading, as it’s actually holding the UUID of the application registration and the sha256 hash of the existing certificate, as this function call shows:
public void UpdateADSyncApplicationKey(string graphToken, string azureInstanceName, string newCertificateSHA256Hash, AADConnectorCredential currentCredential)So what we need is the cert hash of the existing certificate credential and the ability to load it into our AzureAuthenticationProviderFactory. Once we do, we can use that certificate to do two things:
Further down in the function, the following code executes if no graph token is provided:
string proof = azureAuthenticationProvider.GenerateProofOfPossessionToken(applicationByAppId.id);The graphApplication already has an HTTPClient with a Bearer token set:
private static Guid AddApplicationKey(GraphApplication graphApplication, Guid applicationId, string proof, X509Certificate2 cert)We now know what is needed to add a new key. As an attacker, we can generate a new private key, build a certificate, obtain a POP token, and register it with the application registration. This provides us persistent, off-host, access to the application registration. To do this, we can build out a .NET assembly that performs the necessary steps in the context of the ADSync account.
Proof of ConceptOur goal is to prove that we can still persist our access to a compromised AAD connector account, even if a TPM protects the private key. We can accomplish this by generating our own certificate and adding it to the service principal.
First, we need to obtain an access token and a signed POP assertion. We can do this with the certificate that is installed on the host and can be performed by running this program here:
Our graph token looks like this:
And the POP assertion looks like this:
According to the documentation here, this should be enough to add credentials to our application registration, given that we have at least Application.ReadWrite.OwnedBy.
However, our application does not have any required app roles!
How can this be? Well, if you are an astute reader, or simply have an attention span past the first paragraph of Graph documentation, you’ll see this banger on the addKeys page:
As it turns out, if you have access to an existing key, you can just add your own with no permissions needed!
How have I missed this?!
Mystery solved, and our path is clear for how we can persist our access to the AAD connector account off-host.
If we run our AddKey binary (posted here) with just our access token and POP assertion, you can see that we successfully added our key.
And the updated key is reflected here:
Red team crisis averted; we can keep our sync tradecraft, albeit a bit more “detectable”. Also, as a general takeaway, the ability to sign POP assertions equals the ability for any application to add new certificates to itself, which is pretty cool.
New OpportunitiesHere is a list of users who could compromise the sync account previously:
Previously, a privileged auth administrator or higher could change the password of the Sync account; however, since the sync agent would no longer successfully authenticate, it would break the functionality of the sync agent. This left only Global Administrator and Hybrid Identity Administrator as viable attack paths for a red teamer. Let’s look at the new pseudo-graph:
This update presents an attacker with the opportunity to add credentials without interrupting the normal day-to-day flow of the sync agent. In addition, it is far more common to have principals assigned the Application/Cloud Application administrator, making the attack surface larger for sync attacks. While tradecraft may have shifted for on-premises attackers, the Entra ID attack surface has expanded. In addition, Conditional Access typically doesn’t affect service principals, so the likelihood of being able to use these credentials off-target is significantly higher. Ultimately, this is a cleaner yet more abuse-prone implementation.
DetectionsHere is the good news. Detecting a new credential on an Application Registration is easy and a dead giveaway that something interesting is happening. Since the normal flow of UpdateADSyncApplicationKey removes the old key, the existence of more than one certificate on the Entra Connect application registration is a good indication that something is amiss. Should an attacker choose to be stealthy and actually replace the certificate that the Entra Connect Sync agent uses, then there are still detections for credential manipulation on an application registration. Here is a KQL query that surfaced all of my key additions:
AuditLogsThis is a brand-new update for Entra Connect Sync, so I don’t expect to see it in the wild for some time. I’m not quite sure I’m sold on the ability for an application to “roll its own keys”, as the documentation states. If access to a key is equivalent to the ability to produce more keys, then what’s the point of an expiration date?
Update: Dumping Entra Connect Sync Credentials was originally published in Posts By SpecterOps Team Members on Medium, where people are continuing the conversation by highlighting and responding to this story.
The post Update: Dumping Entra Connect Sync Credentials appeared first on Security Boulevard.
via the comic artistry and dry wit of Randall Munroe, creator of XKCD
The post Randall Munroe’s XKCD ‘Bridge Types’ appeared first on Security Boulevard.
At this year’s RSAC Conference, one theme loomed large: AI isn’t just a tool anymore—it’s a battleground. Industry veteran Anand Oswal discussed how AI is reshaping both sides of the cybersecurity equation: It’s amplifying the speed and scale of attacks while simultaneously offering new ways to fight back. The complexity of securing AI applications is..
The post Security in the Age of AI with Anand Oswal appeared first on Security Boulevard.
Authors/Presenters: Matteo Rizzo, Kristoffer `spq` Janke, Eduardo Vela Nava and Josh Eads
Our sincere appreciation to OffensiveCon by Binary Gecko, and the Presenters/Authors for publishing their outstanding OffensiveCon 2025 video content. Originating from the conference’s events located at the Hilton Berlin; and via the organizations YouTube channel.
Thanks and a Tip O' The Hat to Verification Labs :: Penetration Testing Specialists :: Trey Blalock GCTI, GWAPT, GCFA, GPEN, GPCS, GCPN, CRISC, CISA, CISM, CISSP, SSCP, CDPSE for recommending the OffensiveCon 25 conference.
The post OffensiveCon25 – Entrysign: Create Your Own x86 Microcode for Fun and Profit appeared first on Security Boulevard.
Cisco IOS XE Flaw: The security experts are all in agreement that organizations should rush to fix the vulnerability.
The post No Lollygagging: Cisco IOS XE Flaw With 10.0 Rating Should be Patched Now appeared first on Security Boulevard.
Tel Aviv, Israel, 9th June 2025, CyberNewsWire
The post Seraphic Security Unveils BrowserTotal™ – Free AI-Powered Browser Security Assessment for Enterprises appeared first on Security Boulevard.
RSA has updated its passwordless identity management platform to add support for desktops that are connected to the Microsoft Entra ID directory service.
The post RSA Extends Reach of Passwordless Management Platform appeared first on Security Boulevard.
Contrast Security today made available an update to its application detection and response platform that leverages graph and artificial intelligence (AI) technologies to provide security operations teams with a digital twin of the applications and associated application programming interfaces (APIs) that need to be secured.
The post Contrast Security Combines Graph and AI Technologies to Secure Applications appeared first on Security Boulevard.
Explore the latest features and enhancements in CodeSentry 7.2! CodeSentry 7.2 SaaS introduces AI Component Detection, which highlights the use of Artificial Intelligence (AI) or Machine Learning (ML) software packages in the Software Bill Of Materials using component tags. This includes the most popular open source tools such as TensorFlow and SciKit among many others. …
The post What’s New in CodeSentry 7.2 appeared first on CodeSecure.
The post What’s New in CodeSentry 7.2 appeared first on Security Boulevard.
New Zealand mandates DMARC enforcement under its new Secure Government Email framework. Learn what this means and how agencies can ensure compliance.
The post New Zealand Government Mandates DMARC Under New Secure Email Framework appeared first on Security Boulevard.
