All posts by nlogician

Security

Nirig99: North Korea’s IoT & OT Hackers

Leave a comment

A new North Korean APT, Nirig99 has been responsible for turning industrial and IoT networks into its playground. From smart payment devices to factory controllers, the group exploits poorly secured systems for both financial gain and espionage. This threat actor takes its name from the mythological creature Girin, which is Nirig backwards. It is suspected that the team consists of 99 members.

Nirig99’s attacks are stealthy, using custom malware and supply chain tricks to move undetected across networks that rarely get proper security monitoring. The goal: steal money, harvest industrial intelligence and stay under the radar. Recently, they were seen using CVE-2025-29824, the Windows Common Log File System Driver for local privilege escalation. They have also been known to work directly with disgruntled insiders, who gladly help them get a foothold for payment.

As IoT and OT devices become more interconnected, Nirig99 shows that nation-state hackers aren’t just targeting computers—they’re targeting the machines that run our world. Their persistent techniques continue to cause issues with security teams, even when they thought they were safe within a Tabletop Exercise.

Networks, Security

Firepower Access Control Policy not blocking VPN connections

Leave a comment

So, you have discovered in your authentication logs that an ip range explicitly blocked, denied by default or even geo-blocked is somehow still attempting to gain VPN access? Since VPN traffic is going to the FTD and not through the FTD, it is handled by the control-plane rather than the data-plane. Fortunately, a solution is available, although imperfect, through the use of FlexConfig.

Continue reading Firepower Access Control Policy not blocking VPN connections
Security

Understanding Right-to-Left Override Attack

Leave a comment

Among the many techniques employed by hackers to lure users into clicking on a malicious file, the “Right-to-Left Override” or RLO attack is an interesting form of obfuscation. It is designed to masquerade the file extension in order to trick unsuspecting users. If you couple this with changing the file icon of an executable or bat file to say a pdf, it will add to the illusion of authenticity.

Continue reading Understanding Right-to-Left Override Attack
Security, Systems

Configuración de un Directorio SFTP en Chroot

Leave a comment

En algún momento, es posible que te encuentres en una situación en la que necesites otorgar acceso SFTP a un usuario, pero debe configurarse para evitar que naveguen por toda la estructura de directorios del sistema. Aquí es donde resulta útil la funcionalidad de chroot incorporada en sshd. Esto te permitirá restringir y aislar al usuario en un directorio específico y evitar fácilmente el acceso no autorizado. En este ejemplo, cubriremos los pasos de configuración para establecer el acceso para un usuario llamado Rafael en el departamento de contabilidad.

1. Crear el Usuario

Como usuario root, crea la cuenta y la contraseña para Rafael. Especificaremos el directorio de inicio como /var/contabilidad. Este será el directorio chroot que vamos a configurar. La shell debe ser /bin/false para evitar inicios de sesión interactivos.

Continue reading Configuración de un Directorio SFTP en Chroot
Security, Systems

Setting Up a Chrooted SFTP Directory

Leave a comment

At some point you might find yourself in a situation where you need to grant sftp access to a user but it should be configured to prevent them from traversing the entire directory structure within the system. This is where the built-in chroot functionality within sshd comes in handy. It will enable you to restrict and isolate the user to a specific directory and easily prevent unauthorized access. In this example, we will cover the configuration steps for setting up access for one user named jsmith within the Accounting department.

1. Create the User

As the root user, create the account & password for jsmith. We will specify the home directory as /var/accounting. This will be the chrooted directory we are going to setup. The shell should be /bin/false to prevent any interactive shell logins.

Continue reading Setting Up a Chrooted SFTP Directory
Security, Systems

Certificate Transparency Logs

Leave a comment

Due to the ever increasing list of network compromises, securing our online presence has become more crucial than ever. One way to ensure online security is to use SSL/TLS certificates, which encrypt data transmissions between servers and clients, making them unreadable to any third-party. However, these certificates can be compromised, causing severe security breaches. This was seen back in 2011 with certificate authorities Comodo & DigiNotar. Read more here. There have been around 10 CA compromises in the last 3 – 4 years. Still a rare issue but one that needs consideration. That is where Certificate Transparency comes in, which is an open framework for monitoring SSL/TLS certificates.

Continue reading Certificate Transparency Logs
Uncategorized

Top 10 Indicators of Corporate Fraud

Leave a comment

It is well understood that corporate fraud can have devastating consequences for an organization and that detecting and preventing fraud is essential for safeguarding the interests of the owners, investors, employees, and customers. Therefore, it is important to be aware of the leading indicators of potential corporate fraud so that companies can take proactive steps to mitigate the risk of fraudulent activity. This post will explore 10 leading indicators of potential fraud that should be taken seriously. It should be noted that the presence of these flaws are no guarantee of fraud and could just point towards poor management practices or errors in accounting procedures. However, it is essential that thorough routine investigations and analysis be conducted to determine if there is actual fraudulent activity taking place.

Continue reading Top 10 Indicators of Corporate Fraud