In this episode, we explore Amazon Ring’s newly introduced Familiar Faces feature that utilizes AI for facial recognition. We discuss the convenience of identifying familiar people at your doorstep, the privacy concerns it raises, and the legal implications surrounding biometric data. Learn about how this feature works, potential inaccuracies, and privacy laws in certain U.S. […]
Nicholas Moore pleaded guilty to stealing victims’ information from the Supreme Court and other federal government agencies, and then posting it on his Instagram @ihackthegovernment.
A 24-year-old from Tennessee is expected to admit to accessing the Supreme Court’s electronic filing system without authorization dozens of times throughout 2023.
This article was first published at Hackers-Arise in April 2022, just 2 months after the Russians invaded in Ukraine.
At the request of the IT Army of Ukraine, we were asked to help the war efforts by hacking a large number of IP cameras within Ukrainian territory. In this way, we can watch and surveil the Russian army in those areas. Should they commit further atrocities (we certainly pray they will not), we should be able to capture that on video and use it in the International Criminal Court. At the very least, we hope the word goes out to the Russian soldiers that we are watching and that constrains their brutality.
In a collaborative effort, our team (you all) has been able to hack into a very large number. We have nearly 500, and we are working on the remainder.
Here is a sampling of some of the cameras we now own for surveillance in Russia and Ukraine.
To learn more about hacking IP cameras, become aSubscriber Pro and attend our IP Camera Hacking training.
Nowadays, we often discuss the importance of protecting our systems from malware and sophisticated attacks. We install antivirus software, configure firewalls, and maintain vigilant security practices. But what happens when the attack vector isn’t a malicious file or a network exploit, but rather a legitimate browser feature you’ve been trusting?
This is precisely the threat posed by a new command-and-control platform called Matrix Push C2. This browser-native, fileless framework leverages push notifications, fake alerts, and link redirects to target victims. The entire attack occurs through your web browser, without first infecting your system through traditional means.
In this article, we will explore the architecture of browser-based attacks and investigate how Matrix Push C2 weaponizes it. Let’s get rolling!
The Anatomy of a Browser-Based Attack
Matrix Push C2 abuses the web push notification system, a legitimate browser feature that websites use to send updates and alerts to users who have opted in. Attackers first trick users into allowing browser notifications through social engineering on malicious or compromised websites.
Once a user subscribes to the attacker’s notifications, the attacker can push out fake error messages or security alerts at will that look scarily real. These messages appear as if they are from the operating system or trusted software, complete with official-sounding titles and icons.
The fake alerts might warn about suspicious logins to your accounts, claim that your browser needs an urgent security update, or suggest that your system has been compromised and requires immediate action. Each notification includes a convenient “Verify” or “Update” button that, when clicked, takes the victim to a bogus site controlled by the attackers. This site might be a phishing page designed to steal credentials, or it might attempt to trick you into downloading actual malware onto your system. Because this whole interaction is happening through the browser’s notification system, no traditional malware file needs to be present on the system initially. It’s a fileless technique that operates entirely within the trusted confines of your web browser.
Inside the Attacker’s Command Center
Matrix Push C2 is offered as a malware-as-a-service kit to other threat actors, sold directly through crimeware channels, typically via Telegram and cybercrime forums. The pricing structure follows a tiered subscription model that makes it accessible to criminals at various levels of sophistication. According to BlackFog company, the Matrix Push C2 costs approximately $150 for one month, $405 for three months, $765 for six months, and $1,500 for a full year. Payments are accepted in cryptocurrency, and buyers communicate directly with the operator for access.
From the attacker’s perspective, the interface is intuitive. The campaign dashboard displays metrics like total clients, delivery success rates, and notification interaction statistics.
Source: BlackFog
As soon as a browser is enlisted by accepting the push notification subscription, it reports data back to the command-and-control server.
Source: BlackFog
Matrix Push C2 can detect the presence of browser extensions, including cryptocurrency wallets like MetaMask, identify the device type and operating system, and track user interactions with notifications. Essentially, as soon as the victim permits the notifications, the attacker gains a telemetry feed from that browser session.
Social Engineering at Scale
The core of the attack is social engineering, and Matrix Push C2 comes loaded with configurable templates to maximize the credibility of its fake messages. Attackers can easily theme their phishing notifications and landing pages to impersonate well-known companies and services. The platform includes pre-built templates for brands such as MetaMask, Netflix, Cloudflare, PayPal, and TikTok, each designed to look like a legitimate notification or security page from those providers.
Source: BlackFog
Because these notifications appear in the official notification area of the device, users may assume their own system or applications generated the alert.
Defending Against Browser-Based Command and Control
As cyberwarriors, we must adapt our defensive strategies to account for this new attack vector. The first line of defense is user education and awareness. Users need to understand that browser notification permission requests should be treated with the same skepticism as requests to download and run executable files. Just because a website asks for notification permissions doesn’t mean you should grant them. In fact, most legitimate websites function perfectly well without push notifications, and the feature is often more of an annoyance than a benefit. If you believe that your team needs to update their skills for current and upcoming threats, consider our recently published Security Awareness and Risk Management training.
Beyond user awareness, technical controls can help mitigate this threat. Browser policies in enterprise environments can be configured to block notification permissions by default or to whitelist only approved sites. Network security tools can monitor for connections to known malicious notification services or suspicious URL shortening domains.
Summary
The fileless, cross-platform nature of this attack makes it particularly dangerous and difficult to detect using traditional security tools. However, by combining user awareness, proper browser configuration, and anti-data exfiltration technology, we can defend against this threat.
In this article, we briefly explored how Matrix Push C2 operates, and it’s a first step in protecting yourself and your organization from this emerging attack vector.
In our previous article, we examined the architecture of MCP and explained how to get started with it. Hundreds of MCP servers have been built for different services and tasks—some are dedicated to cybersecurity activities such as reverse engineering or reconnaissance. Those servers are impressive, and we’ll explore several of them in depth here at Hackers‑Arise.
However, before we start “playing” with other people’s MCP servers, I believe we should first develop our own. Building a server ourselves lets us see exactly what’s happening under the hood.
For that reason, in this article, we’ll develop an MCP server for analyzing security logs. Let’s get rolling!
Step #1: Fire Up Your Kali
In this tutorial, I will be using the Gemini CLI with MCP on Kali Linux. You can install Gemini using the following command:
kali> sudo npm install -g @google/gemini-cli
Now, we should have a working AI assistant, but it doesn’t yet have access to any of our security tools.
Step #2: Create a Security Operations Directory Structure
Before we start configuring MCP servers, let’s set up a proper directory structure for our security operations. This keeps everything organized and makes it easier to manage permissions and access controls.
Create a dedicated directory for security analysis work in your home directory.
This creates a security-ops directory with subdirectories for logs, analysis reports, malware samples, and other security artifacts.
Let’s also create a directory to store any custom MCP server configurations we build.
kali> mkdir -p ~/security-ops/mcp-servers
For testing purposes, let’s create some sample log files we can analyze. In a real environment, you’d be analyzing actual security logs from your infrastructure.
Firstly, let’s create a sample web application firewall log.
kali> vim ~/security-ops/logs/waf-access.log
This sample log contains various types of suspicious activity, including SQL injection attempts, directory traversal, authentication failures, and XSS attempts. We’ll use this to demonstrate MCP’s log analysis capabilities.
Let’s also create a sample authentication log.
kali> vim ~/security-ops/logs/auth.log
Now we have some realistic security data to work with. Let’s configure MCP to give Gemini controlled access to these files.
Step #3: Configure MCP Server for Filesystem Access
The MCP configuration file lives at ~/.gemini/settings.json. This JSON file tells Gemini CLI which MCP servers are available and how to connect to them. Let’s create our first MCP server configuration for secure filesystem access.
Check if the .gemini directory exists, and create it if it doesn’t.
kali> mkdir ~/.gemini
Now edit the settings.json file. We’ll start with a basic filesystem MCP server configuration.
This sets up a filesystem MCP server with restricted access to only our security-ops directory. First, it uses npx to run the MCP server, which means it will automatically download and execute the official filesystem server from the Model Context Protocol project. The -y flag tells npx to proceed without prompting. The server-filesystem package is the official MCP server for file operations. Second, and most critically, we’re explicitly restricting access to only the /home/kali/security-ops directory. The filesystem server will refuse to access any files outside this directory tree, even if Gemini tries to. This is defense in depth, ensuring the AI cannot accidentally or maliciously access sensitive system files.
Now, let’s verify that the MCP configuration is valid and the server can connect. Start Gemini CLI again.
kali> gemini
After running, we can see that 1 MCP server is in use and Gemini is running in the required directory.
Now, use the /mcp command to list configured MCP servers.
/mcp list
You should see output showing the security-filesystem server with a “ready” status. If you see “disconnected” or an error, double-check your settings.json file for typos and check if you have nodejs, npm, and npx installed.
Now let’s test the filesystem access by asking Gemini to read one of our security logs. This demonstrates that MCP is working and Gemini can access files through the configured server.
> Read the file ~/security-ops/logs/waf-access.log and tell me what security events are present
Pretty clear summary. The key thing to understand here is that Gemini itself doesn’t have direct filesystem access. It’s asking the MCP server to read the file on its behalf, and the MCP server enforces the security policy we configured.
Step #4: Analyzing Security Logs with Gemini and MCP
Now that we have MCP configured for filesystem access, let’s do some real security analysis. Let’s start by asking Gemini to perform a comprehensive analysis of the web application firewall log we created earlier.
> Analyze ~/security-ops/logs/waf-access.log for attack patterns. For each suspicious event, identify the attack type, the source IP, and assess the severity. Then provide recommendations for defensive measures.
The analysis might take a few seconds as Gemini processes the entire log file. When it completes, you’ll get a detailed breakdown of the security events along with recommendations like implementing rate limiting for the attacking IPs, ensuring your WAF rules are properly configured to block these attack patterns, and investigating whether any of these attacks succeeded.
Now let’s analyze the authentication log to identify potential brute force attacks.
> Read ~/security-ops/logs/auth.log and identify any brute force authentication attempts. Report the attacking IP, number of attempts, timing patterns, and whether the attack was successful.
Let’s do something more advanced. We can ask Gemini to correlate events across multiple log files to identify coordinated attack patterns.
> Compare the events in ~/security-ops/logs/waf-access.log and ~/security-ops/logs/auth.log. Do any IP addresses appear in both logs? If so, describe the attack campaign and create a timeline of events.
The AI generated a formatted timeline of the attack showing the progression from SSH attacks to web application attacks, demonstrating how the attacker switched tactics after the initial approach failed.
Summary
MCP, combined with Gemini’s AI capabilities, serves as a powerful force multiplier. It enables us to automate routine analysis tasks, instantly correlate data from multiple sources, leverage AI for pattern recognition and threat hunting, and retain full transparency and control over the entire process.
In this tutorial, we configured an MCP server for file system access and tested it using sample logs.
Keep returning, aspiring hackers, as we continue to explore MCP and the application of artificial intelligence in cybersecurity.
In today’s highly targeted environment, a well-designed Security Operations Center (SOC) isn’t just an advantage – it’s essential for a business’s survival. In addition to that, the job market has far more jobs on the blue team than the red team. Getting into a SOC is often touted as one of the more accessible entry points into cybersecurity.
This article will delve into some of the key concepts of SOC.
Step #1: Purpose and Components
The core purpose of a Security Operations Center is to detect, analyze, and respond to cyber threats in real time, thereby protecting an organization’s assets, data, and reputation. To achieve this, a SOC continuously monitors logs, alerts, and telemetry from networks, endpoints, and applications, maintaining constant situational awareness.
Detection involves identifying four key security concerns.
Vulnerabilities are weaknesses in software or operating systems that attackers can exploit beyond their authorized permissions. For example, the SOC might find Windows computers needing patches for published vulnerabilities. While not strictly the SOC’s responsibility, unfixed vulnerabilities impact company-wide security.
Unauthorized activity occurs when attackers use compromised credentials to access company systems. Quick detection is important before damage occurs, using clues like geographic location to identify suspicious logins.
Policy violations happen when users break security rules designed to protect the company and ensure compliance. These violations vary by organization but might include downloading pirated media or transmitting confidential files insecurely.
Intrusions involve unauthorized access to systems and networks, such as attackers exploiting web applications or users getting infected through malicious websites. Once incidents are detected, the SOC supports the incident response process by minimizing impact and conducting root cause analysis alongside the incident response team.
Step #2: Building a Baseline
Before you can detect threats, you must first understand what “normal” looks like in your environment. This is the foundation upon which all SOC operations are built.
Your baseline should include detailed documentation of:
Network Architecture: Map out all network segments, VLANs, DMZs, and trust boundaries. Understanding how data flows through your network is critical for detecting lateral movement and unauthorized access attempts. Document which systems communicate with each other, what protocols they use, and what ports are typically open.
Normal Traffic Patterns: Establish what typical network traffic looks like during different times of day, days of the week, and during special events like month-end processing or quarterly reporting. This includes bandwidth utilization, connection counts, DNS queries, and external communications.
User Behavior Baselines: Document normal user activities, including login times, typical applications accessed, data transfer volumes, and geographic locations. For example, if your accounting department typically logs in between 8 AM and 6 PM local time, a login at 3 AM should trigger an investigation. Similarly, if a user who normally accesses 5-10 files per day suddenly downloads 5,000 files, that’s a deviation worth investigating.
System Performance Metrics: Establish normal CPU usage, memory consumption, disk I/O, and process execution patterns for critical systems. Cryptocurrency miners, rootkits, and other malware often create performance anomalies that stand out when compared against baselines.
Step #3: The Role of People
Despite increasing automation, human oversight remains essential in SOC operations. Security solutions generate numerous alerts that create significant noise. Without human intervention, teams waste time and resources investigating irrelevant issues.
The SOC team operates through a tiered analyst structure with supporting roles.
Level 1 Analysts serve as first responders, performing basic alert triage to determine if detections are genuinely harmful and reporting findings through proper channels. When detections require deeper investigation, Level 2 Analysts correlate data from multiple sources to conduct thorough analysis. Level 3 Analysts are experienced professionals who proactively hunt for threat indicators and lead incident response activities, including containment, eradication, and recovery of critical severity incidents escalated from lower tiers.
Supporting these analysts are Security Engineers who deploy and configure the security solutions the team relies on. Detection Engineers develop the security rules and logic that enable these solutions to identify harmful activities, though Level 2 and 3 Analysts sometimes handle this responsibility. The SOC Manager oversees team processes, provides operational support, and maintains communication with the organization’s CISO regarding security posture and team efforts.
Step # 4: The Detection-to-Response Pipeline
When a potential security incident is detected, every second counts. Your SOC needs clearly defined processes for triaging, investigating, and responding to alerts.
This pipeline typically follows these stages:
Alert Triage: Not all alerts are created equal. Your SOC analysts must quickly determine which alerts represent genuine threats versus false positives. Implement alert enrichment that automatically adds context—such as asset criticality, user risk scores, and threat intelligence—to help analysts prioritize their work. Use a tiered priority system (P1-Critical, P2-High, P3-Medium, P4-Low) based on potential business impact.
Elastic Security Priority List
Investigation and Analysis: Once an alert is prioritized, analysts must investigate to determine the scope and nature of the incident. This requires access to multiple data sources, forensic tools, and the ability to correlate events across time and systems. Document your investigation procedures for common scenarios (phishing, malware infection, unauthorized access) to ensure consistent and thorough analysis. Every investigation should answer the five Ws: what happened? where it occurred? When did it take place? Why did it happen? And how did it unfold?
Containment and Eradication: When you confirm a security incident, your first priority is containment to prevent further damage. This might involve isolating infected systems, disabling compromised accounts, or blocking malicious network traffic.
Recovery and Remediation: After eradicating the threat, safely restore affected systems to normal operation. This may involve rebuilding compromised systems from clean backups, rotating credentials, patching vulnerabilities, and implementing additional security controls.
Post-Incident Review: Every significant incident should conclude with a lessons-learned session. What went well? What could be improved? Were our playbooks accurate? Did we have the right tools and access? Use these insights to update your procedures, improve your detection capabilities, and refine your security controls.
Step #5: Technology
At a minimum, a functional SOC needs several essential technologies working together:
SIEM Platform: The central nervous system of your SOC that aggregates, correlates, and analyzes security events from across your environment. Popular options include Splunk, for which we offer a dedicated course.
Splunk
Endpoint Detection and Response (EDR): Provides deep visibility into endpoint activities, detects suspicious behavior, and enables remote investigation and response.
Firewall: A firewall functions purely for network security and acts as a barrier between your internal and external networks (such as the Internet). It monitors incoming and outgoing network traffic and filters any unauthorized traffic.
Besides those core platforms, other security solutions such as antivirus, SOAR, and various niche tools each play distinct roles. Each organization selects technology that matches its specific requirements, so no two SOCs are exactly alike.
Summary
A Security Operations Center (SOC) protects organizations from cyber threats. It watches networks, computers, and applications to find problems like security weaknesses, unauthorized access, rule violations, and intrusions.
A good SOC needs three things: understanding what normal activity looks like, having a skilled team with clear roles, and following a structured process to handle threats. The team works in levels – starting with basic alert checking, then deeper investigation, and finally threat response and recovery.
If you want to get a deep understanding of SIEM and SOC workflow, consider our SOC Analyst Lvl 1 course.
We’ve come to treat AI assistants like ChatGPT and Copilot as knowledgeable partners. We ask questions, and they provide answers, often with a reassuring sense of authority. We trust them. But what if that very trust is a backdoor for attackers?
This isn’t a theoretical threat. At the DEF CON security conference, offensive security engineer Tobias Diehl delivered a startling presentation revealing how he could “poison the wells” of AI. He demonstrated that attackers don’t need to hack complex systems to spread malicious code and misinformation; they just need to exploit the AI’s blind trust in the internet.
Let’s break down Tobias Diehl’s work and see what lessons we can learn from it.
Step #1: AI’s Foundational Flaw
The core of the vulnerability Tobias discovered is really simple. When a user asks Microsoft Copilot a question about a topic outside its original training data, it doesn’t just guess. It performs a Bing search and treats the top-ranked result as its “source of truth.” It then processes that content and presents it to the user as a definitive answer.
This is a critical flaw. While Bing’s search ranking algorithm has been refined for over a decade, it’s not infallible and can be manipulated. An attacker who can control the top search result for a specific query can effectively control what Copilot tells its users. This simple, direct pipeline from a search engine to an AI’s brain is the foundation of the attack.
Step #2: Proof Of Concept
Tobias leveraged a concept he calls a “data void,” which he describes as a “search‑engine vacuum.” A data void occurs when a search term exists but there is little or no relevant, up‑to‑date content available for it. In such a vacuum, an attacker can more easily create and rank their own content. Moreover, data voids can be deliberately engineered.
Using the proof‑of‑concept from Microsoft’s Zero Day Quest event, we can see how readily our trust can be manipulated. Zero Day Quest invites security researchers to discover and report high‑impact vulnerabilities in Microsoft products. Anticipating a common user query—“Where can I stream Zero Day Quest?”—Tobias began preparing the attack surface. He created a website, https://www.watchzerodayquest.com, containing the following content:
As you can see, the page resembles a typical FAQ, but it includes a malicious PowerShell command. After four weeks, Tobias managed to get the site ranked for this event.
Consequently, a user could receive the following response about Zero Day Quest from Copilot:
At the time of writing, Copilot does not respond that way.
But there are other AI assistants.
And as you can see, some of them easily provide dangerous installation instructions for command‑and‑control (C2) beacons.
Summary
This research shows that AI assistants that trust real‑time search results have a big weakness. Because they automatically trust what a search engine says, attackers can easily exploit them, causing serious damage.
Sherpa Intelligence is accepting new clients! If your organization needs assistance with Information Security Research, Technical Writing or Leadership Development & Technical Training, visit sherpaintel.net for more information.Image: Trinidad & Tobago, Source: Kreol Magazine
Read more InfoSecSherpa news roundups here!Sherpa Intelligence is accepting new clients! If your organization needs assistance with Information Security Research, Technical Writing or Leadership Development & Technical Training, visit sherpaintel.net for more information.
Read more InfoSecSherpa news roundups here!Sherpa Intelligence is accepting new clients! If your organization needs assistance with Information Security Research, Technical Writing or Leadership Development & Technical Training, visit sherpaintel.net for more information.
Read more InfoSecSherpa news roundups here!Sherpa Intelligence is accepting new clients! If your organization needs assistance with Information Security Research, Technical Writing or Leadership Development & Technical Training, visit sherpaintel.net for more information.
Read more InfoSecSherpa news roundups here!Sherpa Intelligence is accepting new clients! If your organization needs assistance with Information Security Research, Technical Writing or Leadership Development & Technical Training, visit sherpaintel.net for more information.
Login
