All posts by Julle

Web3 Authentication

June 18, 2025 Julle

🔐 Web3 Authentication: How Secure Is It, Really?

Web3 authentication, often dubbed “sign-in with wallet”, is being praised as the future of online identity. Instead of logging in with a password or even a federated login like Google or Facebook, Web3 Auth leverages blockchain wallets like MetaMask, Phantom, or WalletConnect-enabled apps to authenticate users.

But is it truly more secure? Or just a shiny new attack surface in disguise?

Let’s dig deep.

What Is Web3 Authentication?

At its core, Web3 Auth uses cryptographic signatures from a blockchain wallet to verify your identity. When a dApp (decentralized application) wants to log you in, it sends a challenge (usually a random string or nonce). You then sign this with your private key, proving that you own the wallet without revealing your key.

No passwords. No centralized databases.

It’s decentralized identity in action.

How It Works — Step-by-Step

You visit a dApp and click “Connect Wallet”.
The dApp asks your wallet to sign a message (a nonce).
Your wallet signs it using your private key.
The dApp verifies the signature using your public address.
If the signature checks out, you’re authenticated.

No registration required. Your wallet = identity.

🔒 Security Advantages

. No Passwords to Steal

There are no passwords stored anywhere. This kills off the risk of:

Phishing for passwords
Credential stuffing attacks
Database leaks

2. Ownership-based Access

Only the wallet owner can sign the challenge, so access is tied to private key control. It’s like using a digital signature on steroids.

3. Decentralized Authentication

There’s no central server holding user data. No OAuth tokens to intercept. No “Login with Facebook” server to go down.

. Anonymous or Pseudonymous Login

You can use a wallet with no personal info attached. This is a win for privacy-focused users.

⚠️ But Wait — There Are Risks

While Web3 Auth solves some old problems, it introduces new ones.

1. If You Lose Your Wallet, You’re Locked Out

There’s no “forgot password” link. If your seed phrase is gone, so is your identity — unless you’ve set up a recovery system (which most users haven’t).

2. Wallets Aren’t Immune to Phishing

Malicious Apps can trick users into signing dangerous messages:

Fake login messages
Transactions disguised as sign-in challenges
Permissions to drain funds

Signatures are powerful — and dangerous in the wrong hands.

. Lack of Granular Permissions

Most Web3 apps don’t yet support scopes or roles. It’s either full access or nothing. Compare that to OAuth scopes where you can allow read-only access, for example.

4. Poor UX for Non-Crypto Users

MetaMask pop-ups. Confusing messages. Long wallet addresses. For the average user, Web3 Auth can feel clunky and intimidating.

5. No Native Multi-Factor Authentication (MFA)

Unlike Web2 systems, where MFA is common, Web3 often relies on a single key pair — unless the user manually sets up a multisig wallet or smart contract-based auth.

Security Best Practices

If you’re building or using Web3 Auth, keep these in mind:

Use SIWE (Sign-In With Ethereum) or equivalent standards like CAIP-122 for Solana.
Validate the challenge properly. Make sure it’s a fresh nonce, and it expires quickly.
Don’t ask users to sign raw transactions unless necessary.
Add optional 2FA via email, hardware keys, or biometric plugins.
Integrate with DID (Decentralized Identity) frameworks for better interoperability and user control.

🌐 Real-World Use Cases

Use Case	Web3 Auth Role
NFT Marketplaces	Sign in with wallet to list or buy items
DAOs	Voting and identity tied to wallet
DeFi platforms	Authenticate before trading or staking
Gaming	Connect wallet for in-game assets
Token-Gated Content	Prove ownership to gain access

⚖️ Pros and Cons Summary

Pros	Cons
No passwords needed	Loss of wallet = loss of access
Decentralized, censorship-resistant auth	Still vulnerable to phishing
Better privacy and pseudonymity	No standard MFA or recovery for most users
Immutable identity tied to wallet	Risky for newcomers or non-technical users

Final Thoughts

Web3 authentication is a game-changer, especially for crypto-native platforms, but it’s not a silver bullet. Its strength lies in decentralization and cryptographic identity, but its weakness lies in usability, phishing risks, and lack of fallback mechanisms.

If you’re a user: treat wallet logins like root access — and sign carefully.

If you’re a developer: never skip nonce validation and educate your users.

Web3 Auth is powerful — but like all tools, it’s only as safe as the hands it’s in.

Article, Knowledge, News, Uncategorized

Another European Region Ditches Microsoft: Linux Adoption Accelerates

June 18, 2025 Julle

🇩🇪 Another European Region Ditches Microsoft: Linux Adoption Accelerates

Following Denmark’s recent move to transition its digital infrastructure to Linux and LibreOffice, a German federal state has now announced a similar plan — dropping Microsoft Windows and Office in favor of open-source alternatives. The shift is gaining momentum, and it’s starting to look like a growing European movement.

But what does this trend mean for the future of government IT, digital sovereignty, and cybersecurity?

A Growing Pattern Across Europe

First Denmark, now a German state — and this might just be the beginning. In the article published by PC för Alla, the German state has declared its intention to gradually move public institutions away from Microsoft products. The reasons are similar across the board:

Reducing dependence on foreign tech giants
Saving public money
Gaining control over software ecosystems
Ensuring long-term access and compatibility through open standards

Europe has long been debating digital sovereignty, especially as tensions rise globally over data protection and geopolitical control of tech infrastructure. Open-source software offers an escape from this vendor lock-in.

The Positive Outcomes

Economic Savings: No more massive license renewals for operating systems and productivity suites.
Customizability: Open-source allows tailoring to local needs — something large commercial vendors rarely provide.
Transparency: Anyone can audit the code, which is especially important for public institutions handling sensitive data.
Standardization Across Borders: If multiple EU countries use similar open-source stacks, it could lead to better interoperability and shared resources.

But Not Without Risk

Despite its advantages, the shift comes with challenges:

Learning Curve: Staff accustomed to Windows and Microsoft Office will need training and time to adapt.
Compatibility: Not all workflows or legacy systems migrate smoothly — especially in bureaucracy-heavy sectors.
Support Infrastructure: While Microsoft offers commercial support, governments must now rely on internal expertise or third-party support companies.
Security Target Shift: As mentioned in our earlier coverage of Denmark’s move — the more popular Linux becomes, the more attractive it becomes to attackers.

“Security through obscurity” is no longer an option. If Linux-based systems become the new standard in public administration, they must be secured with the same (or higher) rigor traditionally applied to Windows-based environments.

What the Future Might Hold

If this trend continues, we could see:

A cascade effect, with other regions and countries following suit
The development of new government-funded open-source distributions or tools
A more resilient, independent European digital landscape
But also, a potential rise in Linux-targeted malware, phishing campaigns, and zero-day exploits

Governments must prepare for both the benefits and the responsibilities that come with running an open-source infrastructure.

Final Thoughts

This isn’t just about software — it’s about sovereignty, transparency, and the future of public digital services. If properly managed, the move to Linux can empower governments and protect citizen data. But poor implementation or lack of preparation could lead to service disruptions, user frustration, and even new cyberattack vectors.

Europe is changing. The question is: will the rest of the world follow?

Article, Knowledge, News, Uncategorized

Anubis Ransomware

June 17, 2025 Julle

What is Anubis Ransomware?

Discovered in mid-2025, Anubis is a ransomware variant that takes its name from the Egyptian god of the dead—and for good reason. Instead of merely holding files hostage, it executes them. After encrypting a victim’s files, the malware demands a ransom (usually in cryptocurrency), promising a decryption key upon payment. However, analysis has revealed that the malware has no functional decryption routine—once the files are encrypted, they are irreversibly overwritten or deleted.

Security researchers believe this behavior is intentional, likely designed to cause maximum disruption and psychological damage rather than financial gain.

Who Are the Targets?

Anubis doesn’t discriminate by industry, but critical infrastructure and healthcare institutions appear to be prime targets. Several reported attacks have involved:

Hospitals and clinics, resulting in data loss and halted medical operations.
Municipal networks, affecting emergency response and civic services.
Educational institutions, erasing research and administrative records.
SMBs (small and medium-sized businesses) lacking proper backups.

The choice of targets seems tactical—disrupting organizations where downtime equals danger.

Technical Behavior

While the full technical breakdown is still ongoing, researchers have observed the following behavior:

Payload Delivery: Via phishing emails, malicious attachments, or vulnerable exposed services (e.g. RDP, VPN).
Encryption: Files are encrypted with strong algorithms, but without saving decryption metadata.
Destruction: Files are deleted or corrupted even if ransom is paid.
Anti-Recovery: It wipes shadow copies, disables backups, and often attempts to overwrite files with garbage data before deletion.

Anubis also prevents boot in some cases, corrupting system partitions or disabling key services to paralyze the system further.

How to Protect Yourself

Given Anubis’ non-negotiable nature, prevention is the only real defense. Here are critical steps to minimize your risk:

1. Backups Are King

Maintain regular, offline, and offsite backups.
Test recovery procedures monthly.
Avoid mapping backup storage directly to production systems.

2. Patch and Harden

Keep systems, especially public-facing services, fully patched.
Disable unnecessary ports (like RDP) and use firewalls or VPNs to restrict remote access.
Harden configurations using CIS Benchmarks or similar guidelines.

3. Educate Your Team

Conduct regular phishing training.
Simulate attacks to build awareness.

4. Use EDR and Network Monitoring

Employ Endpoint Detection and Response (EDR) tools with behavioral detection.
Monitor traffic for unusual activity (e.g., outbound traffic spikes, command & control connections).

5. Zero Trust Principles

Limit permissions.
Segment networks.
Authenticate everything—especially internal access.

Should You Ever Pay?

No. Not with Anubis. This is not a ransomware that unlocks your files post-payment—it destroys them. Paying only funds further destruction and emboldens attackers.

Instead, report the attack to national cybersecurity authorities (like CERT-SE in Sweden or CISA in the U.S.), preserve any evidence, and isolate infected systems immediately.

Final Thoughts

Anubis is not just another ransomware strain—it represents a shift in cybercriminal mindset from extortion to pure sabotage. It also underlines the critical importance of preparedness over reaction.

“Hope is not a strategy. Backups, segmentation, and proactive defense are.”

Organizations—especially those in healthcare and critical infrastructure—must now treat ransomware not just as a financial threat, but as a destructive force. With no key, no mercy, and no trust, Anubis lives up to its mythological namesake—ushering victims straight to the digital underwo

Article, News

Hijacked Discord Invites

June 17, 2025 Julle

Hijacked Discord Invites: The New Lure in Phishing Campaigns

Introduction

In a concerning development for the security of social platforms and their users, attackers are now exploiting Discord invite links as a novel vector for phishing and malware distribution. This tactic represents a dangerous blend of social engineering and technical exploitation that can deceive even experienced users. The attack surfaced in a report by The Hacker News on June 17, 2025, highlighting how these malicious campaigns hijack trust by misusing Discord’s legitimate infrastructure.

How the Attack Works

At the core of this campaign is Discord’s invite system. Normally, these links (discord.gg/xyz) are generated by server admins to onboard new users. However, attackers have discovered a method to hijack these links, pointing them to fake landing pages that mimic legitimate Discord content but are instead controlled by the attacker.

1. Spoofed Landing Pages

The fake invite links redirect victims to phishing sites that visually replicate Discord’s invite screen. Users are prompted to “Join Server,” but in reality, these sites serve malware-laced payloads or harvest credentials.

2. SEO Poisoning

To increase visibility and trust, attackers use SEO techniques to make these hijacked links appear in Google Search results for specific Discord communities or NFT/gaming groups. This ensures organic reach, drawing in users who are actively searching for the real servers.

3. Redirection to Malware

Upon clicking the spoofed invite, users are often redirected to:

.exe downloads posing as Discord installers
Fake giveaways or NFT drops
Credential harvesting forms asking for Discord login or email credentials

Real-World Example

The article highlights a particular case where users searching for a popular gaming Discord server landed on a hijacked link. Instead of joining the server, they were redirected to a page that prompted them to download a malicious file disguised as a “Discord verification” tool. The file deployed information-stealing malware on execution, targeting browser cookies, Discord tokens, and saved passwords.

Technical Breakdown

Domain Spoofing: Attackers registered domains resembling legitimate Discord or community URLs (e.g., discords-giveaway.com, discord.gg.login-secure.com).
Link Cloaking: Shortened URLs (e.g., bit.ly, tinyurl) hide the true destination.
Payload Delivery: Malware such as RedLine Stealer, RATs, and browser hijackers were commonly delivered.
Token Grabbers: JavaScript was used in some cases to harvest Discord tokens directly from localStorage or the leveldb directory.

Why It Works

This method is particularly effective because:

Users trust the Discord brand
Invite links look legitimate
No immediate signs of compromise appear
Users are often distracted by the lure (NFT drop, giveaway, invite-only access)

Mitigation & Protection

For Users:

Double-check links: Always verify the full URL before clicking. Look out for extra domains or misspellings.
Avoid third-party sites: Only join Discord servers via official websites or known communities.
Use browser isolation or sandboxes when interacting with unknown links.
Enable 2FA on Discord to protect your account even if credentials are stolen.

For Server Admins:

Monitor for clones: Search for lookalike domains mimicking your community.
Report phishing sites: Use services like Google Safe Browsing or Discord’s abuse portal.
Educate your users: Share awareness guides on your server.

For Security Teams:

Add Discord invite domains to watchlists
Use DNS filtering and threat intel tools to detect malicious redirects
Monitor employee devices for suspicious Discord token activity

Implications for the Future

This campaign is a wake-up call for platform security. It shows how trust can be weaponized through very subtle infrastructure manipulation. Discord, known for its developer-friendly APIs and widespread use among gamers and professionals alike, is now part of a broader attack surface. If attackers can continue to abuse invite-based ecosystems, other platforms like Slack, Telegram, and Microsoft Teams may also see similar exploitation.

Final Thoughts

As phishing tactics evolve, attackers are moving beyond fake login pages and into ecosystem manipulation. The hijacking of Discord invites marks a shift in adversarial strategy—where the infrastructure of trust becomes the attack vector itself. Users, communities, and security teams must respond by raising awareness, monitoring DNS and SEO vectors, and enforcing zero-trust link policies.

Source: https://thehackernews.com/2025/06/discord-invite-link-hijacking-delivers.html

Article, Knowledge, Tips

Privilege Escalation

June 16, 2025 Julle

Deep Dive: How it works and how to stop it

Privilege escalation (often shortened to priv-esc) is one of the most critical steps in an attack chain. It allows an attacker to gain higher privileges after compromising a low-level account — ultimately leading to root or SYSTEM access. In this article, we’ll explore how it works, real-world examples, and how to protect your systems.

Types of Privilege Escalation

Vertical: Gaining higher-level privileges (e.g., from user to root).
Horizontal: Gaining access to another user’s data or processes at the same privilege level.

Common Linux Techniques

Sudo misconfigurations: E.g., sudo vim → :!bash for root shell.
SUID binaries: Exploiting binaries like /usr/bin/python with setuid bit.
Kernel exploits: DirtyCow (CVE-2016-5195), OverlayFS, etc.
Writable /etc/passwd: Injecting a fake root user.

Common Windows Techniques

Unquoted service paths: Abuse poor service path handling.
AlwaysInstallElevated: MSI abuse to gain SYSTEM access.
Token impersonation: Tools like Juicy Potato or PrintSpoofer.

Tools for Enumeration

Linux: LinPEAS, LES.sh, pspy, GTFOBins
Windows: WinPEAS, Seatbelt, PowerUp.ps1

Defense Strategies

Enforce the Principle of Least Privilege (PoLP).
Audit sudoers and SUID binaries regularly.
Monitor for suspicious cron jobs and startup tasks.
Apply patches early to reduce kernel and service exploits.
Use Sysmon, auditd, and log management for detection.

Final Thoughts

Privilege escalation is powerful — and dangerous. Whether you’re a penetration tester or a system administrator, understanding both attack and defense is critical for keeping systems secure. Always think like an attacker… before they do.

News

Danish Government Shifts to Linux

June 15, 2025 Julle

🇩🇰 Danish Government Shifts to Linux – A Smart Move with Hidden Risks?

In a bold and future-oriented decision, Denmark’s Agency for Digital Government has announced a plan to transition from Microsoft Windows and Office to Linux and LibreOffice. The shift is part of a larger effort to reduce dependency on proprietary software and embrace open standards and open-source alternatives.

But while this is a progressive and cost-effective step, it also comes with both challenges and unforeseen cybersecurity implications.

The Benefits of Going Open Source

There are many advantages to this decision:

Cost Efficiency: Eliminating costly Microsoft licenses can save millions of Danish kroner over time.
Sovereignty and Control: By using open-source software, the government avoids vendor lock-in and gains greater control over its digital infrastructure.
Transparency and Security: Open-source code can be audited by anyone, potentially increasing trust and reducing hidden backdoors or telemetry.
Flexibility: Linux systems are highly customizable and often more efficient on older hardware.

This move mirrors similar actions taken by other governments and institutions over the years — like Munich’s initial Linux migration or France’s adoption of open-source in the military sector.

The Migration Challenge

However, the human aspect of this change shouldn’t be underestimated. Many public employees are deeply familiar with Windows and Microsoft Office. Transitioning to Linux desktops and tools like LibreOffice will require:

Training programs
Documentation and support
Patience during the adaptation period

This learning curve could lead to temporary productivity loss — a factor that must be managed carefully through strong onboarding strategies.

🛡️ Linux as a New Target?

A crucial and often overlooked consequence of such transitions is the shifting threat landscape.

“If more governments and major institutions adopt Linux, attackers will follow.”

Historically, Linux desktops have enjoyed a degree of “security through obscurity” — not because they are invulnerable, but because attackers focused primarily on Windows, which dominates the desktop market.

However, this shift means:

More Linux systems in high-value environments (like government agencies)
Increased attacker interest in Linux vulnerabilities, malware, and privilege escalation techniques
More Linux-targeted phishing campaigns and social engineering

🔐 The Security Paradox

Linux is often seen as more secure by design. Features like strict user privilege models, package repositories with signature verification, and SELinux/AppArmor profiles can offer enhanced protection. But more usage equals more risk:

Unpatched third-party software becomes a bigger problem
Threat actors may begin crafting more Linux-specific rootkits and ransomware
Public institutions may lack deep Linux security expertise at scale

A Shift Worth Watching

Denmark’s move may signal the beginning of a larger trend. If successful, other EU countries and institutions may follow suit, especially in the context of digital sovereignty and tightening IT budgets.

But with great power comes great responsibility. As Linux gains adoption, defenders must be proactive in adapting their cybersecurity strategies to cover this new threat surface.

What do you think? Will Linux dominate the public sector in the next decade, or will it remain a niche choice? And are we prepared for the security consequences of such a shift?

Article, Knowledge, Thoughts, Tips

Pentest / Hacking OS – not just Kali…

June 13, 2025 Julle

Exploring the Best Operating Systems for Pentesting & Security: Beyond Kali and Parrot

By Jull3Haxor | jull3.net

When it comes to penetration testing, red teaming, and security research, your choice of operating system is more than just personal preference—it shapes your daily workflow, the tools you have on hand, and even your security posture. While everyone knows about Kali Linux and Parrot OS, the landscape is much broader and more nuanced. In this article, I’ll break down popular, niche, and advanced options—plus share why I personally choose Arch with BlackArch tools for ultimate flexibility.

1. Kali Linux

What it is: The gold standard for many pentesters, Kali is based on Debian and comes preloaded with hundreds of security tools.
Pros:
- Massive toolset out of the box—almost everything you need is preinstalled.
- Huge community, lots of documentation and tutorials.
- Available for ARM, Docker, VM, WSL, and even Android (Nethunter).
- Frequent updates, maintained by Offensive Security.
Cons:
- Can feel bloated if you only use a handful of tools.
- Not ideal for daily-driver use (security first, convenience second).
- Everyone uses it—malware often targets default Kali environments.
Best for: Fast deployment, learning, CTFs, labs, when you want “everything” ready.

2. Parrot Security OS

What it is: Debian-based, privacy-focused alternative to Kali, with additional features for forensics and anonymity.
Pros:
- Lightweight compared to Kali; more privacy tools (Tor, Anonsurf, etc.).
- Offers “Home” edition for regular use and “Security” edition for pentesting.
- Sandbox support, secure browser options.
- Active community and attractive UI (MATE by default).
Cons:
- Slightly smaller tool selection than Kali, but most popular tools included.
- Can be buggy after big updates.
Best for: Those who value anonymity, privacy, and want a lighter pentesting distro.

3. BlackArch

What it is: An Arch Linux-based penetration testing distribution/repo with 2,800+ tools.
Pros:
- Ultra-flexible—use as a full distro or just add BlackArch repo to your existing Arch setup.
- Rolling release model—always up-to-date.
- Install only what you need (not a “kitchen sink” like Kali).
- Hardcore minimalist design for those who like to customize.
Cons:
- Steeper learning curve (it’s Arch!).
- Fewer “hand-holding” scripts; expect to configure things yourself.
- Not ideal for total beginners.
Best for: Advanced users who want granular control and minimal bloat.

4. Arch Linux (with BlackArch or custom tools)

What it is: Vanilla Arch Linux with just the tools you want (e.g., via BlackArch repo or manual install).
Pros:
- Absolute minimalism—install only what you’ll actually use.
- Extreme customization, ultra-modern package management (Pacman).
- Rolling release: bleeding-edge kernel, drivers, and software.
- Faster and lighter than most “out-of-the-box” pentesting distros.
Cons:
- Requires time and willingness to maintain and troubleshoot.
- Initial setup can be intimidating.
Best for: Power users, people who want their OS “their way,” and want to avoid bloat.

5. BackBox Linux

What it is: Ubuntu-based distro tailored for security assessment, penetration tests, and analysis.
Pros:
- Lighter than Kali or Parrot.
- XFCE desktop—fast and resource-efficient.
- Good set of preinstalled tools.
- Familiar Ubuntu ecosystem—great for those coming from Ubuntu.
Cons:
- Smaller community.
- Fewer updates/tools than Kali/Parrot/BlackArch.
Best for: Users who want a familiar, lightweight, and stable pentesting environment.

6. Pentoo

What it is: A Gentoo-based live CD for pentesting and security assessment.
Pros:
- All the power of Gentoo (highly customizable, optimized).
- Hardened kernel, advanced kernel features for pentesting.
- Perfect for “live” operations and advanced hardware configs.
Cons:
- Gentoo learning curve—steep!
- Fewer tools than Kali/Parrot unless you build them.
Best for: Advanced users, those who want Gentoo’s flexibility and optimization.

7. CAINE (Computer Aided INvestigative Environment)

What it is: Ubuntu-based, focused on digital forensics.
Pros:
- Tailored for evidence collection, chain-of-custody, disk analysis.
- Useful forensic tools out of the box (Autopsy, The Sleuth Kit, etc.).
Cons:
- Not a general-purpose pentesting distro.
- Limited pentesting tools.
Best for: Incident response, forensics, digital investigations.

8. Fedora Security Spin

What it is: Fedora-based live distro with a security toolset.
Pros:
- Updated, secure Fedora base.
- Gnome environment; familiar for Fedora users.
- Good mix of tools for network analysis, forensics, web app testing.
Cons:
- Not as tool-rich as Kali/BlackArch.
- Smaller security community.
Best for: Fedora fans, Red Hat ecosystem users.

9. REMnux

What it is: Ubuntu-based distro for reverse engineering and malware analysis.
Pros:
- Specialized tools for analyzing malware, binaries, memory dumps, network traffic.
- Well-documented and actively maintained.
Cons:
- Not a general pentesting OS; focused on malware/reverse engineering.
Best for: Blue team, malware analysts, researchers.

10. Tails / Whonix

What it is: Security-focused live OS with strong anonymity features.
Pros:
- Leaves no trace on host hardware.
- Designed for privacy, with Tor routing, strong anti-forensics.
Cons:
- Not built for pentesting per se—lacks pentesting tools out of the box.
Best for: Private browsing, whistleblowing, research, safe anonymous comms.

11. Qubes OS

What it is: Security-focused desktop OS that compartmentalizes applications into isolated VMs (qubes).
Pros:
- Top-tier isolation: each VM runs its own instance for apps/tasks/networks.
- Supports disposable VMs for risky operations.
- Backed by serious security research and trusted by pros.
Cons:
- Hardware compatibility can be tricky.
- Steeper learning curve, resource-intensive.
Best for: Advanced security researchers, those needing strict compartmentalization.

12. Windows + WSL (Windows Subsystem for Linux)

What it is: Windows environment with Linux integration via WSL/WSL2.
Pros:
- Great for mixed environments (use Linux tools natively on Windows).
- Supports most pentesting tools (with some limitations).
Cons:
- Not as “stealthy” or flexible as pure Linux.
- Some hardware/networking limitations.
Best for: Professionals who need both Windows and Linux tools simultaneously.

13. Other Notables

Alpine Linux: Ultra-light, good for custom builds, Docker pentest containers.
Buscador: OSINT investigation distro (OSINT tools preinstalled).
Kali Nethunter: Android-based, mobile pentesting.
Samurai Web Testing Framework: Web app pentest distro.
Cyborg Hawk, Dracos Linux, Network Security Toolkit, RedHawk, Matriux: Specialized/experimental, often for CTFs, learning or specific domains.

Rolling vs. Fixed Releases

Rolling (Arch, BlackArch, Parrot, etc.): Always up-to-date, but potentially less stable. Great for latest tools and kernel features.
Fixed (Kali, Ubuntu-based, Fedora Security): More predictable, tested environments. Good for enterprise or when stability is critical.

Personal Workflow: Arch + BlackArch Tools + Proxmox

Personally, I run Arch Linux as my daily driver and pull in only the tools I actually use (from the BlackArch repo or the AUR). This gives me a lean, blazing-fast system—no bloat, just exactly what I need. If I ever require the “full Kali/Parrot experience” (for example, when tackling a CTF box or running a full red team engagement), I simply SSH into my Proxmox server and spin up a dedicated VM with Kali or Parrot. This setup lets me sandbox my activities, test exploits safely, and avoid polluting my main environment with tools or configs I rarely touch.

Why this workflow rocks:

Ultimate flexibility: My host system stays clean, minimal, and stable.
On-demand power: I get access to the full toolset when needed—without having to dual boot or clutter my laptop.
Safe testing: Anything risky stays isolated on its own VM, snapshot-ready.
Resource efficiency: My main system isn’t running hundreds of pentest tools I’ll never use.

Choosing the Right Distro: What Matters Most

Experience level: New to pentesting? Kali or Parrot gets you started quick. Power user? Build your own from Arch or Gentoo.
Preferred tools and workflow: Do you want everything out-of-the-box, or do you prefer building your own toolkit?
Stability vs. bleeding edge: Need latest exploits or rock-solid reliability?
Hardware support: Some distros (Qubes, Pentoo) are pickier about hardware.
Anonymity/forensics needs: Some are better for red teaming, others for forensics, blue teaming, or OSINT.

Summary Table

Distro	Base	Use Case	Pros	Cons
Kali Linux	Debian	Pentest, CTF	Huge toolset, docs	Bloated, targeted, not daily
Parrot Security	Debian	Privacy, Pentest	Lighter, privacy tools	Fewer tools, bugs
BlackArch	Arch	Custom, Power user	Modular, latest tools	Arch learning curve
Arch + BlackArch	Arch	Custom daily driver	Minimal, blazing fast	Setup/time investment
BackBox	Ubuntu	Lightweight pentest	XFCE, familiar, stable	Smaller, less active
Pentoo	Gentoo	Advanced, live use	Hardened, optimized	Gentoo curve, fewer tools
Fedora Sec Spin	Fedora	RedHat ecosystem	Secure, modern	Fewer tools, small community
CAINE, REMnux, etc.	Varies	Forensics/Malware	Specialized	Niche only
Qubes OS	Fedora	Isolation, research	Compartmentalization	Resource heavy, tricky HW
Windows + WSL	Windows	Hybrid workflow	Win+Linux together	Not pure, limited tools

Final Thoughts

There’s no “one size fits all” in the world of pentesting OSes. Kali is not the only way—and for many, it’s not even the best. Try a few, experiment with minimalism, and don’t be afraid to build a workflow that fits your needs, not the marketing hype.

What’s your favorite setup? Want to know more about BlackArch, Proxmox labs, or building your own security toolkit? Drop a comment or connect at jull3.net or Facebook!

Stay safe—and hack the planet!

Uncategorized

Common ports

June 13, 2025 Julle

The Most Common Network Port Attacks – And How to Defend Against Them

When it comes to cybersecurity, attackers rarely go in blind. They systematically scan for open ports—the digital doors and windows into your network. Some ports are more popular targets than others, simply because of the critical services running behind them. In this article, we break down the typical attacks seen on the most common ports and provide actionable defense strategies to help keep your systems secure.

1. FTP (Port 21) – File Transfer Protocol

Attacks:

Brute-force & Anonymous Login: Attackers attempt to guess passwords or exploit misconfigurations allowing “anonymous” access, gaining entry without credentials.
Directory Traversal: Malicious actors manipulate file paths to access directories and files outside the permitted scope, sometimes leading to full system compromise.

Defense:

Disable anonymous access unless absolutely necessary.
Enforce strong, unique passwords and limit failed login attempts.
Restrict FTP access to trusted IP addresses or internal networks.
Replace plain FTP with SFTP or FTPS for encrypted transfers.
Keep your FTP server updated with the latest security patches.

2. SSH (Port 22) – Secure Shell

Attacks:

Brute-force & Credential Stuffing: Attackers use automated tools to try common passwords or leaked credentials.
Exploiting Old Vulnerabilities: Outdated SSH software may have known exploits (e.g., CVEs).

Defense:

Disable password authentication; use SSH keys instead.
Change the default SSH port to a non-standard number (security through obscurity).
Use fail2ban or similar tools to block repeated failed login attempts.
Regularly patch your SSH server.
Allow SSH access only from trusted networks or via VPN.

3. Telnet (Port 23) – Unencrypted Remote Login

Attacks:

Brute-force: Attackers try various credential combinations.
Man-in-the-Middle (MitM): Data sent in plaintext can be intercepted.
Sniffing: Passwords and commands are easily captured on the network.

Defense:

Avoid Telnet. Use SSH instead.
If you must use Telnet, restrict access to local networks and use strong, unique passwords.
Monitor network traffic for unexpected Telnet activity.

4. SMTP (Port 25) – Simple Mail Transfer Protocol

Attacks:

Spamming & Open Relay Abuse: Misconfigured servers relay spam.
Phishing: Attackers send malicious emails that appear legitimate.

Defense:

Disable open relay functionality.
Implement SPF, DKIM, and DMARC to prevent email spoofing.
Use email filtering and anti-spam solutions.
Educate users about phishing risks.

5. DNS (Port 53) – Domain Name System

Attacks:

DNS Amplification: Attackers exploit open resolvers for DDoS attacks.
Cache Poisoning: Malicious responses trick DNS servers into saving false records.
Tunneling: DNS is abused as a covert channel to exfiltrate data.

Defense:

Disable recursion for external clients.
Use DNSSEC to protect against spoofing and cache poisoning.
Monitor DNS traffic for anomalies.
Harden your DNS server with regular updates.

6. HTTP (Port 80) – Web Traffic (Unencrypted)

Attacks:

Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages.
SQL Injection: Malicious input alters database queries.
Directory Traversal: Exploiting poor input validation to access sensitive files.

Defense:

Validate and sanitize all user input.
Implement Content Security Policy (CSP) for web applications.
Use Web Application Firewalls (WAFs).
Keep your web server and frameworks updated.
Migrate to HTTPS to prevent eThe Most Common Network Port Attacks – And How to Defend Against Them
By Jull3Haxor
When it comes to cybersecurity, attackers rarely go in blind. They systematically scan for open ports—the digital doors and windows into your network. Some ports are more popular targets than others, simply because of the critical services running behind them. In this article, we break down the typical attacks seen on the most common ports and provide actionable defense strategies to help keep your systems secure.
FTP (Port 21) – File Transfer Protocol
Attacks:
Brute-force & Anonymous Login: Attackers attempt to guess passwords or exploit misconfigurations allowing “anonymous” access, gaining entry without credentials.
Directory Traversal: Malicious actors manipulate file paths to access directories and files outside the permitted scope, sometimes leading to full system compromise.
Defense:
Disable anonymous access unless absolutely necessary.
Enforce strong, unique passwords and limit failed login attempts.
Restrict FTP access to trusted IP addresses or internal networks.
Replace plain FTP with SFTP or FTPS for encrypted transfers.
Keep your FTP server updated with the latest security patches.
SSH (Port 22) – Secure Shell
Attacks:
Brute-force & Credential Stuffing: Attackers use automated tools to try common passwords or leaked credentials.
Exploiting Old Vulnerabilities: Outdated SSH software may have known exploits (e.g., CVEs).
Defense:
Disable password authentication; use SSH keys instead.
Change the default SSH port to a non-standard number (security through obscurity).
Use fail2ban or similar tools to block repeated failed login attempts.
Regularly patch your SSH server.
Allow SSH access only from trusted networks or via VPN.
Telnet (Port 23) – Unencrypted Remote Login
Attacks:
Brute-force: Attackers try various credential combinations.
Man-in-the-Middle (MitM): Data sent in plaintext can be intercepted.
Sniffing: Passwords and commands are easily captured on the network.
Defense:
Avoid Telnet. Use SSH instead.
If you must use Telnet, restrict access to local networks and use strong, unique passwords.
Monitor network traffic for unexpected Telnet activity.
SMTP (Port 25) – Simple Mail Transfer Protocol
Attacks:
Spamming & Open Relay Abuse: Misconfigured servers relay spam.
Phishing: Attackers send malicious emails that appear legitimate.
Defense:
Disable open relay functionality.
Implement SPF, DKIM, and DMARC to prevent email spoofing.
Use email filtering and anti-spam solutions.
Educate users about phishing risks.
DNS (Port 53) – Domain Name System
Attacks:
DNS Amplification: Attackers exploit open resolvers for DDoS attacks.
Cache Poisoning: Malicious responses trick DNS servers into saving false records.
Tunneling: DNS is abused as a covert channel to exfiltrate data.
Defense:
Disable recursion for external clients.
Use DNSSEC to protect against spoofing and cache poisoning.
Monitor DNS traffic for anomalies.
Harden your DNS server with regular updates.
HTTP (Port 80) – Web Traffic (Unencrypted)
Attacks:
Cross-Site Scripting (XSS): Attackers inject malicious scripts into web pages.
SQL Injection: Malicious input alters database queries.
Directory Traversal: Exploiting poor input validation to access sensitive files.
Defense:
Validate and sanitize all user input.
Implement Content Security Policy (CSP) for web applications.
Use Web Application Firewalls (WAFs).
Keep your web server and frameworks updated.
Migrate to HTTPS to prevent eavesdropping.
HTTPS (Port 443) – Web Traffic (Encrypted)
Attacks:
SSL/TLS Attacks: Outdated or misconfigured protocols can be exploited (e.g., Heartbleed).
Phishing & Credential Harvesting: Malicious websites using HTTPS trick users into entering sensitive data.
Defense:
Disable insecure SSL/TLS versions (use TLS 1.2+).
Use strong certificates from a trusted CA.
Enable HSTS (HTTP Strict Transport Security).
Monitor for phishing sites mimicking your domain.
SMB (Port 445) – Server Message Block (File Sharing, Windows)
Attacks:
EternalBlue: A famous exploit used in ransomware attacks like WannaCry.
Ransomware Spreading: Malware moves laterally through open SMB shares.
Pass-the-Hash: Attackers reuse stolen password hashes to gain access.
Defense:
Disable SMBv1; use SMBv2/v3.
Patch systems regularly (especially Windows).
Restrict SMB access to local networks.
Segment your network and monitor lateral movement.
Use strong passwords and enable account lockout policies.
RDP (Port 3389) – Remote Desktop Protocol
Attacks:
Brute-force: Attackers try to guess RDP credentials.
BlueKeep: A critical RDP vulnerability allowing remote code execution.
Defense:
Limit RDP exposure to the internet—use VPN for remote access.
Implement Network Level Authentication (NLA).
Use account lockout and two-factor authentication.
Patch Windows regularly.
Monitor RDP logs for suspicious activity.
Final Tips for Network Defense
Close all unnecessary ports.
Use a layered defense (firewalls, IDS/IPS, endpoint protection).
Conduct regular vulnerability scans and penetration tests.
Keep software and operating systems up to date.
Train users on cybersecurity best practices.
By understanding these common port-based attacks and applying strong, multi-layered defenses, you significantly reduce your risk of compromise—no matter the size of your network.
Stay secure. Patch often. Hack the hackers!
Did you enjoy this article? For more tips and deep dives, check out jull3.netavesdropping.

7. HTTPS (Port 443) – Web Traffic (Encrypted)

Attacks:

SSL/TLS Attacks: Outdated or misconfigured protocols can be exploited (e.g., Heartbleed).
Phishing & Credential Harvesting: Malicious websites using HTTPS trick users into entering sensitive data.

Defense:

Disable insecure SSL/TLS versions (use TLS 1.2+).
Use strong certificates from a trusted CA.
Enable HSTS (HTTP Strict Transport Security).
Monitor for phishing sites mimicking your domain.

8. SMB (Port 445) – Server Message Block (File Sharing, Windows)

Attacks:

EternalBlue: A famous exploit used in ransomware attacks like WannaCry.
Ransomware Spreading: Malware moves laterally through open SMB shares.
Pass-the-Hash: Attackers reuse stolen password hashes to gain access.

Defense:

Disable SMBv1; use SMBv2/v3.
Patch systems regularly (especially Windows).
Restrict SMB access to local networks.
Segment your network and monitor lateral movement.
Use strong passwords and enable account lockout policies.

9. RDP (Port 3389) – Remote Desktop Protocol

Attacks:

Brute-force: Attackers try to guess RDP credentials.
BlueKeep: A critical RDP vulnerability allowing remote code execution.

Defense:

Limit RDP exposure to the internet—use VPN for remote access.
Implement Network Level Authentication (NLA).
Use account lockout and two-factor authentication.
Patch Windows regularly.
Monitor RDP logs for suspicious activity.

Final Tips for Network Defense

Close all unnecessary ports.
Use a layered defense (firewalls, IDS/IPS, endpoint protection).
Conduct regular vulnerability scans and penetration tests.
Keep software and operating systems up to date.
Train users on cybersecurity best practices.

By understanding these common port-based attacks and applying strong, multi-layered defenses, you significantly reduce your risk of compromise—no matter the size of your network.

Stay secure. Patch often. Hack the hackers!

News

Cyberattacks against Sweden: What’s happening – and how can we ALL prepare?

June 12, 2025 Julle

Cyberattacks against Sweden: What is happening – and how can we ALL prepare?
Published: June 12, 2025

In recent weeks, cyberattacks against Sweden’s critical societal functions have completely exploded. Public services, authorities and banks have all been hit by various types of attacks – from overload attacks to targeted intrusions. Most of the evidence points to a foreign power – probably Russia – being behind it. But why is this happening right now, and what does it mean for you and me? Can we do something, or are we just spectators while the great powers fight?

Why is this happening right now?

The attacks do not come out of nowhere. Here are some explanations:

NATO and geopolitics
Sweden’s rapprochement with NATO and our changed security policy have provoked Russia. Historically, they respond with hybrid attacks: cyberattacks, influence operations and disinformation.
Election year and societal impact
Ahead of the 2026 election, attackers want to sow division, create unrest and test how robust our digital society really is.
Vulnerabilities in the systems
Many systems are vulnerable and not sufficiently protected. This applies to both authorities, companies and private individuals.

Is this the beginning of something bigger?

It is very possible. Overload attacks, intrusion attempts and influence against the media are classic steps in major campaigns – especially from state actors. The next step could very well be:

Destructive attacks on infrastructure (electricity, water, communication)

Targeted extortion attempts against companies or authorities

Massive disinformation spread on social media and via news sites

What can YOU do as a private individual?

It can feel overwhelming when the “cyber war of the great powers” seems to be beyond your control. But the fact is that the digital resilience of private individuals plays a major role – not just for yourself but for the entire society. Here are some simple but powerful tips:

Review your passwords
Use unique, strong passwords for each service.

Enable two-factor authentication (2FA) where possible – especially on email, social media and important apps.

Use a password manager (e.g. Bitwarden, 1Password, KeePassXC).

Update your devices and applications
Make sure your phone, computer and tablet have the latest updates.

Also update your apps and browsers regularly.

Be vigilant about scams and disinformation
Don’t click on links in strange emails or SMS – even if they appear to come from “your bank” or “the Swedish Tax Agency”.

Don’t blindly trust sensational news on social media. Always check the sender and source.

If you get “urgent” messages (“you need to log in NOW or your account will be closed”) – take a deep breath and check first.

Back up what’s important
Save important files and photos both in the cloud and on an external hard drive.

If something happens (e.g. ransomware), you can restore without paying a ransom.

Talk about digital risks with family and friends
Help those who are less digitally savvy – especially older relatives – to set up 2FA, choose good passwords and recognize scams.
Have a plan B in case of major disruptions
Think about what you will do if the internet or banking services are down for a few days. Have some cash at home, and think about how you will contact loved ones without the internet.

Community defense starts at home
Swedish cyber defense is stronger than it was just a few years ago – but every individual is also part of the defense. If we all raise our digital threshold, we make society less vulnerable, both to state actors and cybercriminals.

Conclusion
Sweden is currently under attack – and it is no coincidence. Geopolitics is shaking, and cybersecurity is the new front line. But we are not powerless: if companies, governments and individuals do their part, we will be much stronger when the next big wave comes.

Be critical, be prepared – and stay informed!

CVE, News

CVE-2025-33053 & Stealth Falcon’s Espionage Campaign: Everything You Need to Know

June 12, 2025 Julle

CVE-2025-33053 & Stealth Falcon’s Espionage Campaign: Everything You Need to Know

A critical zero-day vulnerability, CVE-2025-33053, has recently been exploited in the wild by the APT group known as Stealth Falcon (also identified as “FruityArmor”). This attack targets a flaw in Windows’ WebDAV implementation and employs sophisticated payloads—including a custom implant dubbed Horus Agent. Here’s a full breakdown and advice on how to safeguard your systems.

🕵️ Who is Stealth Falcon?
Stealth Falcon is an Advanced Persistent Threat (APT) group active since at least 2012, known for targeting government and defense organizations—primarily in the Middle East and Africa

Also referred to as “FruityArmor,” the group is believed to have backing ties to the UAE

Vulnerability Overview: CVE-2025-33053
Type: Remote Code Execution (RCE) in Windows’ WebDAV via manipulation of the working-directory during execution

CVSS Score: 8.8 (High severity)

Attack Vector: A phishing-based .url shortcut triggers a legitimate Windows tool (e.g., iediagcmd.exe) to run malicious executables hosted on attacker-controlled WebDAV servers

Microsoft released a patch for this flaw on June 10, 2025, even extending updates to legacy systems like Windows 8 and Server 2012

Attack Kill Chain
Phishing delivery: A .url file disguised as a PDF (e.g., TLM.005_…pdf.url) tricks recipients into clicking a malicious link

Remote executable hijack: Using Windows’ working-directory resolution, iediagcmd.exe launches a malicious route.exe hosted on WebDAV

Loader deployment: route.exe, the Horus Loader, uses code virtualization to evade detection, displays decoy docs, and drops the payload

Implant installation: The final payload, Horus Agent, a custom C++ implant built on the Mythic C2 framework, enables system fingerprinting, shellcode injection, backdoor communication, keylogging, and credential theft

Who’s at Risk?
High-value targets: Defense and government entities in the Middle East (e.g., Turkey, Qatar, Egypt, Yemen)

Broader threat: Now that the patch is public, cybercriminals may begin exploiting the vulnerability more widely—including ransomware actors

🛡️ How to Protect Yourself
1. Patch Immediately
Apply Microsoft’s June 10, 2025 update for CVE‑2025‑33053—available even for legacy Windows versions
darkreading.com

2. Limit .url/.lnk Exposure
Block execution of .url, .lnk, .cpl files from email/download folders using Group Policy, AppLocker, or WDAC
ampcuscyber.com
.

Train users to recognize suspicious shortcuts disguised as attachments.

3. Restrict WebDAV Access
Monitor or block connections to unknown WebDAV servers on port 443.

Detect when trusted Windows tools spawn from non-standard working directories
kaspersky.com

4. Deploy Defense-in-Depth
Use threat emulation, intrusion prevention systems, and endpoint protection (e.g., Check Point Harmony, PTR IPS)
research.checkpoint.com

Monitor logs for unusual service installations (Event ID 7045), creation of PDF or VHD files, or .url files launching legitimate processes – indicators include filenames like TLM.005_*.pdf, %TEMP%\…vhdx, ds_notifier, etc.

5. Incident Response & Visibility
Watch for new executables named route.exe, unusual file drops, or anomalous behavior from Edge/IE diagnostic tools.

Keep threat intelligence feeds up-to-date with IOCs like URL hashes provided by Check Point.

Summary
CVE-2025-33053, exploited by Stealth Falcon, is a potent zero-day involving deceptive shortcut files and a sophisticated implant deployment pipeline culminating in the stealthy Horus Agent. If you haven’t already, patch now, enforce strict execution controls, and monitor your network for signs of exploitation.

Need help with implementation or want a deeper technical breakdown? Just reach out or leave a comment!

How it works: