Beware the WiFi Mule: A New APT Tactic

Although the term WiFi Mule is not (yet) part of the NIST glossary, it is a technique that security teams should be aware of. During a cyber incursion, Incident Response teams follow a standard set of playbooks: wipe compromised systems, disable accounts and reset passwords, block malicious IPs and close firewall holes, to name a few. These steps are meant to lock the adversary out and close the digital backdoors. But what if the backdoor is sitting in an unassuming car in the parking lot?

What is a WiFi Mule?

A WiFi Mule is a person or device used by a foreign Advanced Persistent Threat actor to maintain persistence through a “physical bridge” into a compromised network. While the primary attacker may be thousands of miles away, the Mule acts as a local wireless proxy, usually a cellular-enabled laptop that sits within range of the target's WiFi network.

How the Tactic Works

After the initial compromise, the APT uses stolen WiFi network credentials, or may even add a hidden or spoofed SSID to the target's wireless infrastructure. The hired Mule is then instructed to sit at a specific location at a specific time. Companies normally shut down external network access during remediation, but they forget to perform physical sweeps and, in many cases, leave local WiFi enabled. The APT uses the Mule's cellular connection to tunnel back into the network, bypassing the newly hardened perimeter firewalls entirely, to silently watch and relaunch another attack when the time is right.

Why it’s so effective

There are several reasons why this technique is effective. First, the unwitting Mule provides plausible deniability; they may believe they are only doing a WiFi survey. Second, there are no geo-blocking alerts: the attacker's traffic enters the network from the WiFi segment itself, and the tunnel's outbound leg uses a local cellular IP that blends in with ordinary traffic. Lastly, most organizations are focused on the cloud and neither disable local WiFi nor rotate WPA2/WPA3 pre-shared keys after an incident, which leaves a window open for the Mule.

Closing the Physical Loop

If a company is compromised by a sophisticated actor, IR playbooks must include physical site surveys that go beyond the walls of the building. These sweeps should look for rogue access points, for the corporate SSID being broadcast by hardware the company does not own, and for unauthorized RF signals in general. Password and key rotation and zero-trust controls for any WiFi network must be part of corporate cybersecurity policy, and this threat, along with other physical variations of it, should be exercised in routine tabletop exercises (TTX).
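The sweep described above can be partly automated from a laptop with a wireless card. The following is an added example, not code from the original post: it parses the text output of `iw dev wlan0 scan` (a constructed sample with hypothetical BSSIDs is embedded so it runs offline), compares every access point seen against an assumed inventory of authorized BSSIDs, and flags the cases a Mule hunt cares about: the corporate SSID served from a BSSID the company does not own, an inventory mismatch, a hidden SSID, or a strong unknown network that must be inside the building.

```python
import re
import subprocess
from dataclasses import dataclass

# Authorized access-point inventory (constructed for this example): BSSID -> SSID.
# In practice this is exported from the wireless controller.
AUTHORIZED_APS = {
    "aa:bb:cc:00:00:01": "CorpNet",
    "aa:bb:cc:00:00:02": "CorpNet",
    "aa:bb:cc:00:00:03": "CorpGuest",
}

# Constructed sample in the shape of `iw dev wlan0 scan` output (hypothetical addresses).
SAMPLE_SCAN = "\n".join([
    "BSS aa:bb:cc:00:00:01(on wlan0)",
    "\tfreq: 5180",
    "\tsignal: -52.00 dBm",
    "\tSSID: CorpNet",
    "BSS aa:bb:cc:00:00:03(on wlan0)",
    "\tfreq: 2437",
    "\tsignal: -60.00 dBm",
    "\tSSID: CorpGuest",
    "BSS de:ad:be:ef:00:01(on wlan0)",   # corporate SSID from a BSSID we do not own
    "\tfreq: 2412",
    "\tsignal: -41.00 dBm",
    "\tSSID: CorpNet",
    "BSS 02:11:22:33:44:55(on wlan0)",   # hidden SSID, very close by
    "\tfreq: 2462",
    "\tsignal: -38.00 dBm",
    "\tSSID: ",
    "BSS 66:77:88:99:aa:bb(on wlan0)",   # distant neighbour, not interesting
    "\tfreq: 5240",
    "\tsignal: -85.00 dBm",
    "\tSSID: CoffeeShop",
])

@dataclass
class Bss:
    bssid: str
    ssid: str = ""
    signal_dbm: float = 0.0
    freq_mhz: int = 0

BSS_LINE = re.compile(r"^BSS ([0-9a-f:]{17})", re.IGNORECASE)

def parse_iw_scan(text):
    """Parse `iw dev <iface> scan` text into Bss records (only the fields we need)."""
    found, cur = [], None
    for line in text.splitlines():
        m = BSS_LINE.match(line)
        if m:
            cur = Bss(m.group(1).lower())
            found.append(cur)
            continue
        if cur is None:
            continue
        field = line.strip()
        if field.startswith("SSID:"):
            cur.ssid = field[len("SSID:"):].strip()
        elif field.startswith("signal:"):
            cur.signal_dbm = float(field.split()[1])
        elif field.startswith("freq:"):
            cur.freq_mhz = int(field.split()[1])
    return found

def find_rogues(bss_list, authorized, strong_dbm=-65.0):
    """Return (bssid, kind, detail) for every AP that should not be on the air."""
    corp_ssids = set(authorized.values())
    findings = []
    for b in bss_list:
        if b.bssid in authorized:
            if authorized[b.bssid] != b.ssid:   # our hardware, wrong SSID
                findings.append((b.bssid, "INVENTORY_MISMATCH",
                                 f"expected {authorized[b.bssid]!r}, saw {b.ssid!r}"))
            continue
        if b.ssid in corp_ssids:                 # evil twin / spoofed corporate SSID
            findings.append((b.bssid, "SPOOFED_SSID", f"{b.ssid!r} at {b.signal_dbm} dBm"))
        elif b.ssid == "":                       # hidden network nearby
            findings.append((b.bssid, "HIDDEN_SSID", f"{b.signal_dbm} dBm on {b.freq_mhz} MHz"))
        elif b.signal_dbm >= strong_dbm:         # strong enough to be inside the building
            findings.append((b.bssid, "STRONG_UNKNOWN", f"{b.ssid!r} at {b.signal_dbm} dBm"))
    return findings

def live_scan(iface="wlan0"):
    """Run a real scan (needs root or CAP_NET_ADMIN); not used by the offline demo."""
    return subprocess.run(["iw", "dev", iface, "scan"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for bssid, kind, detail in find_rogues(parse_iw_scan(SAMPLE_SCAN), AUTHORIZED_APS):
        print(f"{kind:18} {bssid}  {detail}")
```

Replace `SAMPLE_SCAN` with `live_scan()` to walk the parking lot with it; a spoofed corporate SSID at a strong signal from a BSSID that is not in the inventory is exactly the Mule's laptop or the rogue AP it planted. The signal threshold is an assumption and needs tuning for the building.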

In the age of global APTs, the Mule sitting just outside the front door should not be forgotten.  

Nirig99: North Korea’s IoT & OT Hackers

A new North Korean APT, Nirig99, has been turning industrial and IoT networks into its playground. From smart payment devices to factory controllers, the group exploits poorly secured systems for both financial gain and espionage. The threat actor takes its name from the mythological creature Girin, spelled backwards as Nirig. The team is suspected to consist of 99 members.

Nirig99's attacks are stealthy, using custom malware and supply chain tricks to move undetected across networks that rarely get proper security monitoring. The goal: steal money, harvest industrial intelligence and stay under the radar. Recently, they were seen exploiting CVE-2025-29824, a vulnerability in the Windows Common Log File System (CLFS) driver, for local privilege escalation. They have also been known to work directly with disgruntled insiders, who gladly help them gain a foothold in exchange for payment.

As IoT and OT devices become more interconnected, Nirig99 shows that nation-state hackers are not just targeting computers; they are targeting the machines that run our world. Their persistent techniques continue to cause problems for security teams, even those who thought they were safe within a Tabletop Exercise.

Firepower Access Control Policy not blocking VPN connections

So, you have discovered in your authentication logs that an IP range that is explicitly blocked, denied by default, or even geo-blocked is somehow still attempting to gain VPN access? Since VPN traffic is going to the FTD and not through the FTD, it is handled by the control plane rather than the data plane, and the Access Control Policy only evaluates through-traffic. Fortunately, a solution is available, although an imperfect one, through the use of FlexConfig.

Continue reading Firepower Access Control Policy not blocking VPN connections

Understanding Right-to-Left Override Attack

Among the many techniques employed by hackers to lure users into opening a malicious file, the “Right-to-Left Override” or RLO attack is an interesting form of obfuscation. It embeds the Unicode RLO control character (U+202E) in a filename so that everything after it is displayed reversed, masquerading the real file extension in order to trick unsuspecting users. If you couple this with changing the file icon of an executable or .bat file to, say, a PDF icon, it adds to the illusion of authenticity.
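To make the trick concrete, here is an added example (not code from the original post) that builds an RLO filename the way an attacker would, shows how a naive renderer displays it, and then does what a mail gateway or endpoint check should do: report any Unicode format or bidi control character in the name together with the extension the OS will actually use. The filenames are constructed for the demonstration.

```python
import unicodedata

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE

def build_rlo_name(prefix, fake_ext, real_ext):
    """Construct the attacker's filename. Everything after the RLO character is drawn
    right-to-left, so the on-disk tail 'fdp.exe' is displayed as 'exe.pdf'."""
    return f"{prefix}{RLO}{fake_ext[::-1]}.{real_ext}"

def displayed_name(name):
    """Approximate what a bidi-aware file manager shows: the run after RLO is reversed.
    (Simplified: the full Unicode bidi algorithm behaves this way for plain ASCII tails.)"""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]

def inspect_filename(name):
    """Detector: list every Unicode format character (general category Cf, which covers
    the bidi overrides/embeddings/isolates and zero-width characters) and report the real
    extension. Any hit on an attachment name is worth quarantining."""
    controls = [
        (i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
        for i, c in enumerate(name)
        if unicodedata.category(c) == "Cf"
    ]
    real_ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return {
        "suspicious": bool(controls),
        "controls": controls,
        "real_extension": real_ext,
        "displayed_as": displayed_name(name),
    }

if __name__ == "__main__":
    for n in (build_rlo_name("Invoice_", "pdf", "exe"), "Invoice.pdf"):
        r = inspect_filename(n)
        print(f"{r['displayed_as']!r:22} real ext={r['real_extension']!r} "
              f"suspicious={r['suspicious']} {r['controls']}")
```

The user sees `Invoice_exe.pdf`; Windows sees a name ending in `.exe` and runs it. Checking for category `Cf` rather than only U+202E also catches the isolate and embedding variants (U+2066 to U+2069, U+202A to U+202D) that achieve the same visual result.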

Continue reading Understanding Right-to-Left Override Attack

Configuring a Chrooted SFTP Directory

At some point you may find yourself in a situation where you need to grant SFTP access to a user, but it must be configured so that they cannot browse the system's entire directory structure. This is where the chroot functionality built into sshd comes in handy. It lets you restrict and isolate the user to a specific directory and easily prevent unauthorized access. In this example, we will cover the configuration steps to set up access for a user named Rafael in the accounting department.

1. Create the User

As the root user, create the account and password for Rafael. We will specify the home directory as /var/contabilidad. This will be the chroot directory we are going to configure. The shell must be /bin/false to prevent interactive logins.

Continue reading Configuración de un Directorio SFTP en Chroot

Setting Up a Chrooted SFTP Directory

At some point you might find yourself in a situation where you need to grant SFTP access to a user, but it should be configured to prevent them from traversing the entire directory structure of the system. This is where the built-in chroot functionality within sshd comes in handy. It will enable you to restrict and isolate the user to a specific directory and easily prevent unauthorized access. In this example, we will cover the configuration steps for setting up access for one user named jsmith within the Accounting department.

1. Create the User

As the root user, create the account and password for jsmith. We will specify the home directory as /var/accounting. This will be the chrooted directory we are going to set up. The shell should be /bin/false to prevent any interactive shell logins.
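Both the English and Spanish versions of this post start from the same step, and the part that usually goes wrong comes next: sshd refuses to chroot (the log says “bad ownership or modes for chroot directory”) unless the chroot directory and every parent directory are owned by root and are not group- or world-writable, which also means the user cannot write into the chroot root itself and needs a subdirectory they own. The following is an added example, not code from the original post: a small pre-flight script that renders the sshd_config Match block for the user (jsmith and /var/accounting are the post's names; the hardening directives in the block are an assumption) and audits the directory chain against that rule before you restart sshd. The `demo_bad_chroot` helper just builds a deliberately wrong directory so the check can be seen failing offline.

```python
import os
import pathlib
import stat
import tempfile

def sshd_match_block(user, chroot_dir):
    """Render the sshd_config Match block that confines `user` to `chroot_dir`.
    internal-sftp runs inside sshd, so no binaries (or a real shell) are needed
    inside the chroot; that is why /bin/false as the login shell still works."""
    return "\n".join([
        f"Match User {user}",
        f"    ChrootDirectory {chroot_dir}",
        "    ForceCommand internal-sftp",
        "    AllowTcpForwarding no",
        "    X11Forwarding no",
        "    PermitTunnel no",
        "",
    ])

def chroot_path_problems(chroot_dir):
    """sshd's rule: the ChrootDirectory and every parent must be owned by root and
    must not be group- or world-writable. Returns a list of violations (empty = OK)."""
    problems = []
    path = pathlib.Path(chroot_dir).resolve()
    for component in (path, *path.parents):
        try:
            st = component.stat()
        except FileNotFoundError:
            problems.append(f"{component}: does not exist")
            continue
        if st.st_uid != 0:
            problems.append(f"{component}: owned by uid {st.st_uid}, must be root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{component}: mode {stat.filemode(st.st_mode)} is group/world writable")
    return problems

def upload_dir_ok(chroot_dir, subdir, uid):
    """Because the chroot root stays root-owned, uploads go to a subdirectory
    (e.g. /var/accounting/upload) owned by the user and not world-writable."""
    st = (pathlib.Path(chroot_dir) / subdir).stat()
    return st.st_uid == uid and not (st.st_mode & stat.S_IWOTH)

def demo_bad_chroot():
    """Offline demonstration: a fresh, world-writable temp directory (under a world-
    writable /tmp) violates the rule, so the audit must report at least one problem."""
    d = tempfile.mkdtemp(prefix="chroot-demo-")
    os.chmod(d, 0o777)
    return chroot_path_problems(d)

if __name__ == "__main__":
    print(sshd_match_block("jsmith", "/var/accounting"))
    for p in chroot_path_problems("/var/accounting"):
        print("FIX:", p)
    print("demo of a bad directory:", demo_bad_chroot())
```

Typical order on the box: `useradd -d /var/accounting -s /bin/false jsmith`, `passwd jsmith`, `chown root:root /var/accounting && chmod 755 /var/accounting`, create `/var/accounting/upload` owned by jsmith, append the Match block to /etc/ssh/sshd_config, then `sshd -t` and restart sshd. Run the audit before the restart; it is far quicker than reading the auth log after the first failed login.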

Continue reading Setting Up a Chrooted SFTP Directory

Certificate Transparency Logs

Due to the ever-increasing list of network compromises, securing our online presence has become more crucial than ever. One building block is the SSL/TLS certificate, which binds a public key to a domain name so that clients can authenticate the server before the encrypted session is established. However, the certificate authorities that issue these certificates can be compromised and tricked into issuing fraudulent certificates for domains they do not own, causing severe security breaches. This was seen back in 2011 with the certificate authorities Comodo and DigiNotar. There have been around 10 CA compromises in the last 3 to 4 years: still a rare issue, but one that needs consideration. That is where Certificate Transparency comes in, an open framework of public, append-only logs for monitoring SSL/TLS certificate issuance.
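Monitoring means checking what the logs say was issued for your domain against what you know you requested. The following is an added example, not code from the original post: it reviews a set of certificate records in the shape crt.sh returns for a `%.example.com` query (a constructed sample is embedded so it runs offline; the issuer and hostname policy is also an assumption) and raises an alert for any certificate from a CA you do not buy from or for a hostname you never issued, which is how a DigiNotar-style mis-issuance shows up before it is used against you.

```python
import json
import urllib.request
from urllib.parse import quote

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json); entries and issuers are hypothetical.
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com", "name_value": "example.com\nwww.example.com",
     "not_before": "2025-03-01T00:00:00", "not_after": "2025-05-30T00:00:00"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "mail.example.com", "name_value": "mail.example.com",
     "not_before": "2025-01-10T00:00:00", "not_after": "2026-01-10T00:00:00"},
    {"id": 3, "issuer_name": "C=XX, O=Unknown CA Ltd, CN=Unknown CA G1",
     "common_name": "vpn.example.com", "name_value": "vpn.example.com\nexample.com",
     "not_before": "2025-04-02T00:00:00", "not_after": "2026-04-02T00:00:00"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "backup-dev.example.com", "name_value": "backup-dev.example.com",
     "not_before": "2025-04-05T00:00:00", "not_after": "2025-07-04T00:00:00"},
])

# Monitoring policy (constructed): the CAs we actually use and the hostnames we issued.
EXPECTED_ISSUERS = {"Let's Encrypt", "DigiCert Inc"}
KNOWN_HOSTS = {"example.com", "www.example.com", "mail.example.com"}

def issuer_org(issuer_name):
    """Pull the O= attribute out of crt.sh's issuer distinguished-name string."""
    for part in issuer_name.split(", "):
        if part.startswith("O="):
            return part[2:]
    return issuer_name

def review_ct_entries(entries, expected_issuers, known_hosts):
    """Alert on any logged certificate from a CA we do not use, or covering a hostname
    we never requested. Either is the signature of mis-issuance or an attacker-obtained
    certificate (a trusted CA issuing for a host you did not ask for is still an alert)."""
    alerts = []
    for e in entries:
        issuer = issuer_org(e["issuer_name"])
        names = set(e["name_value"].split("\n"))   # crt.sh joins SANs with newlines
        reasons = []
        if issuer not in expected_issuers:
            reasons.append(f"unexpected issuer {issuer!r}")
        unknown = sorted(names - known_hosts)
        if unknown:
            reasons.append(f"unknown hostnames {unknown}")
        if reasons:
            alerts.append({"id": e["id"], "issuer": issuer,
                           "names": sorted(names), "reasons": reasons})
    return alerts

def load_sample():
    return json.loads(SAMPLE_CRTSH_JSON)

def fetch_crtsh(domain):
    """Live query of crt.sh (network access required; not used by the offline demo)."""
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    for a in review_ct_entries(load_sample(), EXPECTED_ISSUERS, KNOWN_HOSTS):
        print(f"crt.sh id {a['id']}: {a['issuer']} for {a['names']} -> {'; '.join(a['reasons'])}")
```

Swap `load_sample()` for `fetch_crtsh("example.com")` to run it for real, ideally on a schedule with the last-seen id stored so only new log entries are reviewed. Entry 3 is the CA-compromise case; entry 4 is the quieter one, where a CA you trust issued for a host you never set up, which usually means someone else controls DNS or a validation path for your domain.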

Continue reading Certificate Transparency Logs

Top 10 Indicators of Corporate Fraud

It is well understood that corporate fraud can have devastating consequences for an organization and that detecting and preventing fraud is essential for safeguarding the interests of owners, investors, employees, and customers. It is therefore important to be aware of the leading indicators of potential corporate fraud so that companies can take proactive steps to mitigate the risk of fraudulent activity. This post explores 10 leading indicators of potential fraud that should be taken seriously. It should be noted that the presence of these flags is no guarantee of fraud; they could simply point to poor management practices or errors in accounting procedures. However, it is essential that thorough, routine investigation and analysis be conducted to determine whether actual fraudulent activity is taking place.

Continue reading Top 10 Indicators of Corporate Fraud