All posts by nlogician

Beware the WiFi Mule: A New APT Tactic

Although the term WiFi Mule is currently not part of the NIST glossary of terms, it is a technique that security teams should be aware of. During a cyber incursion, Incident Response teams will follow a standard set of playbooks: wipe computer systems, disable accounts & reset passwords, block malicious IPs and close firewall holes just to name a few. These steps are done to make sure the adversary is locked out and digital backdoors are closed. But what if the backdoor is sitting in an unsuspecting car in the parking lot?

What is a WiFi Mule?

A WiFi Mule can be either a human or a device used by a foreign Advanced Persistent Threat actor to help maintain persistence through a “physical bridge” into a compromised network. While the primary attacker may be thousands of miles away, the Mule acts as a local wireless proxy, usually a cellular-enabled laptop that sits within range of the target’s WiFi network.

How the Tactic Works

After the compromise, the APT will use the stolen WiFi network credentials, or may even add a hidden or spoofed SSID. The hired Mule is then instructed to sit at a specific location at a specific time. Companies normally shut down external network access during their remediation process, but they often forget to perform physical sweeps and, in many cases, leave local WiFi enabled. The APT uses the Mule’s cellular connection to tunnel back into the network, bypassing the newly hardened firewalls, to silently watch and relaunch another attack when the time is right.

Why it’s so effective

There are several reasons why this technique is effective. First, the unwitting Mule who facilitates the attack has plausible deniability; they may think they are only doing a WiFi survey. Second, there are no geoblocking alerts, since the cellular IP is local and blends in with the WiFi network. Lastly, most organizations are focused on the cloud and don’t disable local WiFi or rotate WPA3 keys, which leaves a window open for the Mule.

Closing the Physical Loop

If a company is compromised by a sophisticated actor, IR playbooks must include physical site surveys that go beyond the walls of the building. These scans should look for rogue access points as well as unauthorized RF signals. Password/key rotation and zero trust for every WiFi network also need to be written into corporate cybersecurity policies, and this type of threat, along with other physical variations of it, should be included in routine tabletop exercises (TTX).
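As an added example (not part of the original post), the following Python script shows one way a physical site survey can be turned into a repeatable rogue-AP check: a scan listing of observed access points is compared against an inventory of authorized BSSIDs, and anything that advertises the corporate SSID from an unknown radio, hides its SSID, or is an unknown AP with a strong (likely on-premises) signal is reported. The inventory, SSID names, BSSIDs, scan lines and the -50 dBm “on premises” threshold are all constructed assumptions for illustration, not values from the post.

```python
"""Rogue / spoofed access point check against an authorized AP inventory.

Illustrative example added to the post; the inventory, SSIDs, BSSIDs and
scan lines below are constructed. The scan format is a simplified
"bssid,ssid,channel,signal_dbm" line per observed AP (an empty SSID means
the AP is not broadcasting its name).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str          # "" when the SSID is hidden
    channel: int
    signal_dbm: int


# Constructed inventory (assumption): BSSID -> SSID it is allowed to advertise
AUTHORIZED_APS = {
    "00:11:22:33:44:01": "CorpNet",
    "00:11:22:33:44:02": "CorpNet",
    "00:11:22:33:44:03": "CorpGuest",
}
CORPORATE_SSIDS = {"CorpNet", "CorpGuest"}

# Constructed survey output (assumption) in "bssid,ssid,channel,signal" form
SAMPLE_SCAN = """\
00:11:22:33:44:01,CorpNet,6,-45
00:11:22:33:44:02,CorpNet,11,-60
aa:bb:cc:dd:ee:01,CorpNet,6,-38
aa:bb:cc:dd:ee:02,,1,-52
aa:bb:cc:dd:ee:03,CoffeeShop,1,-80
00:11:22:33:44:03,CorpGuest,36,-55
"""


def parse_scan(text):
    """Parse the simplified scan listing into Observation records."""
    observations = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        bssid, ssid, channel, signal = parts
        observations.append(
            Observation(bssid.lower(), ssid, int(channel), int(signal))
        )
    return observations


def classify(observations, authorized=AUTHORIZED_APS,
             corp_ssids=CORPORATE_SSIDS, strong_dbm=-50):
    """Return (bssid, ssid, reason) for every AP that needs a closer look.

    strong_dbm is an assumed threshold: an unknown AP heard this loudly is
    probably inside or right outside the building rather than a neighbour.
    """
    findings = []
    for obs in observations:
        expected_ssid = authorized.get(obs.bssid)
        if expected_ssid is not None:
            # Known radio: only flag it if it advertises something unexpected
            if obs.ssid != expected_ssid:
                findings.append((obs.bssid, obs.ssid,
                                 "authorized AP advertising unexpected SSID"))
            continue
        if obs.ssid in corp_ssids:
            findings.append((obs.bssid, obs.ssid,
                             "corporate SSID advertised by unknown BSSID"))
        elif obs.ssid == "":
            findings.append((obs.bssid, obs.ssid,
                             "hidden SSID from unknown BSSID"))
        elif obs.signal_dbm >= strong_dbm:
            findings.append((obs.bssid, obs.ssid,
                             "unknown AP with strong signal"))
        # Weak, unknown, named APs are ordinary neighbours and are not reported
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in classify(parse_scan(SAMPLE_SCAN)):
        print(f"{bssid}  {ssid or '<hidden>':<12} {reason}")
```

Feeding a real survey into parse_scan only requires exporting the scanner’s output into the same four-column form; the inventory should come from the wireless controller rather than being typed by hand, so that a newly added or re-keyed AP does not show up as a false positive.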

In the age of global APTs, the Mule sitting just outside the front door should not be forgotten.

AIDE – File Integrity Monitoring

The idea of using file integrity monitoring to validate your operating system and applications has been around since the late ’90s, with programs like Tripwire. Today, there is a steady stream of companies offering their own version of FIM. However, one consistent and reliable open source solution for Linux is AIDE, the Advanced Intrusion Detection Environment.


Configuring snmpv3 in Linux

We have all used SNMP for many years to help monitor our systems and networks, but most admins have been reluctant to migrate to v3 due to the perceived increase in complexity. This post will show you how to quickly and easily enable SNMPv3 on your Linux system so you can take advantage of its additional security features for authentication and privacy.

Install software packages

# yum install net-snmp net-snmp-utils

Linux Lab – Access Control Lists

Overview

As you know, Linux has a standard set of file access settings based on read, write, and execute permissions that determine who may access the file or directory in question. The most common way to set and change these permissions is to use commands like chmod, chown or chgrp. While these are powerful commands and have their place, there are occasions where it is advantageous to fine-tune access to a file or directory. This is where file access control lists, or FACLs, come in.


RHEL 8 and Chrony – Part 1

The Network Time Protocol or NTP is essential for synchronizing system clocks across your environment. Having a reliable and accurate time service is not only important for many different applications but for logging and auditing as well. In RHEL 8, Chrony is used for implementing NTP. In Part 1, we will review setting this service up as a client and look at the basic functionality of the chronyc command to interact with the chrony daemon, chronyd.


Blacklist an IP in Firepower

Sometimes you may want to quickly block a scanning/probing IP address without having to edit the Access Control Policy directly. This can be done in the FMC from the Events view: go to Analysis -> Connections -> Events.

Depending on the volume of traffic, you may have to click ‘Edit Search’ and search by Initiator or Responder IP. Once the address is found, right-click on it, select ‘Blacklist IP Now’ and confirm.
