+49 89 89082-110

33 Seconds — That’s How Long It Takes Before a New Web Server Comes Under Attack

Imagine opening a new shop — and before the sign above the door has even been hung straight, the first burglars are already at the entrance, checking whether the lock holds.

Anyone who has ever administered a web server is familiar with this phenomenon: such servers are constantly exposed to requests from automated crawlers and bots — often within just seconds of being brought online for the first time.

In this blog post, we want to look into where these bots come from and what they are searching for. We will also show some of the ways bots discover new web services in the first place, and how you can most effectively protect your web server against automated attacks.

[…]

By |2026-05-06T13:14:04+02:006. May 2026|
Read More

Hacktivism and Critical Infrastructure: A New Threat

Introduction

When the group Vulcan—presumed to be a pro-Russian hacktivist network—attacked Berlin’s power grid, no ransom was demanded and no data was stolen. The goal was simpler: to paralyze operations and send a high-profile message (Reuters). This is the defining characteristic of hacktivism. Hacktivists are driven by ideology and politics; their primary goal is visibility and sowing uncertainty in society.

Who Are These Hacktivists—and How Do They Differ?

Most organizations have tailored their cyber defenses to a familiar threat model: a profit-driven attacker who operates quietly, wants to remain undetected, and wants something your organization possesses—data, credentials, intellectual property. Hacktivists break this mold. Visibility is the goal, not risk. While conventional cybercriminals go to great lengths to remain undetected, hacktivists do the exact opposite. They publicly claim […]

By |2026-04-13T15:46:01+02:008. April 2026|
Read More

LFI in Cloud-Managed Kubernetes: How Insecure Default Settings Enable Cluster Compromise

Kubernetes has become an essential component of modern web applications. Its adoption has grown rapidly in recent years, and as penetration testers and red teamers we increasingly encounter infrastructures running on Kubernetes.

However, managing a Kubernetes cluster yourself is a significant undertaking, which is why many organizations rely on managed solutions from Azure, AWS, or GCP. This blog focuses specifically on insecure default configurations in Azure Kubernetes Service (AKS) and how attackers can exploit simple vulnerabilities to potentially compromise an entire cluster.

[…]

By |2026-03-13T15:18:55+01:0013. March 2026|
Read More

Kernel Access Please – BYOVD and Vulnerable Drivers

Introduction

BYOVD attacks (Bring Your Own Vulnerable Driver) have evolved into a serious threat in recent years. Attackers exploit legitimate but vulnerable kernel drivers to execute privileged operations on target systems. What matters here is not which drivers are regularly used on the system, but rather which drivers are supported—in other words, which drivers attackers can subsequently install. A recent blog article by Check Point Research shows that various versions of the Truesight driver are actively being used in the wild for such attacks.

This article explores the technical background of BYOVD attacks: why legacy drivers represent a structural security problem, how Microsoft’s protective measures can be circumvented, and how simple the practical exploitation of the Truesight driver actually is.

Why Old Drivers Are So […]

By |2026-02-02T15:38:54+01:002. February 2026|
Read More

Cybersecurity in Sweden

Cybersecurity in Sweden 2025 – Hybrid Threats, NIS2 & Resilience Strategies

Introduction: Sweden’s digital strength meets new exposure

Sweden’s digital economy is among Europe’s most advanced – and most connected.

Public services, healthcare, and even maritime navigation depend on a seamless data flow.

But 2025 has also marked a turning point: since joining NATO, Sweden has become a visible node in the geopolitical network – and that visibility attracts unwanted attention.

Foreign-sponsored operations, ransomware campaigns against municipalities, and targeted disinformation now appear in parallel.

The question for Swedish organisations is no longer if they’ll be tested – but how prepared they are when it happens.

1. The geopolitical backdrop: a new reality for Swedish cybersecurity

Sweden’s alignment with NATO redefined its threat surface.

While state-sponsored cyber campaigns […]

By |2025-12-19T15:17:15+01:003. November 2025|
Read More

Exploitation of a Vanilla Buffer Overflow in the o2 HomeBox 6441 Router (unauthenticated) – A Step by Step Abuse Guide

Introduction

We regularly investigate the security of Customer Premises Equipment (CPEs), also known as SOHO routers. One important aspect of these investigations is to check for memory corruption vulnerabilities like buffer overflows. While these types of bugs were discovered in 1996[1] and secure coding practices as well as exploitation mitigation techniques should render these issues to a vanishing phenomenon, we still encounter them on today’s devices.
In August 2018, NSIDE investigated the O2 HomeBox 6441 in terms of memory corruption vulnerabilities and discovered a buffer overflow in the embedded webserver. Most of the time NSIDE doesn’t publish such findings, because we are bound by NDAs

The Vulnerability

Usually all parameters that are accepted by the webserver get sanitized and their length is checked or ceiled against/to an upper bound. […]

By |2021-03-16T14:28:20+01:0011. March 2019|
Read More

Dumping SPI Flash Memory of Embedded Devices

Introduction

While auditing the security of embedded devices we often face situations where the firmware of the system under test is either not publicly available or the vendor can’t provide it due to legal issues. Accessing the firmware gives a lot of insight on how the device actually works. Even in assessments, where scope is limited to Web Application Testing only, helpful information can be gathered by having access to the firmware.

This blog post depicts the general approach for retrieving the firmware from such devices by accessing the flash memory chip directly. Please note the provided information in this example is limited to the flash memory chip only, as the tested system cannot be disclosed due to legal constraints.

Accessing the hardware

After opening the housing […]

By |2026-01-12T11:56:22+01:0011. June 2018|
Read More

Android Apps: From Simple Vulnerabilities to Permanent Malware Infection

Introduction

Many people underestimate the possibilities a remote attacker has who managed to exploit a remote code execution vulnerability on Android devices.

On Windows systems, it is widely accepted that a vulnerability in one software can lead to the compromise of other software and, ultimately, to the infection of the whole system. The same is, in fact, also possible for Android, even though many people believe the attacker would be confined to the vulnerable app’s context (in the Android file system and UID/GID sandboxing sense).

In this blog post we will show how a vulnerability in one single app can lead to the permanent (and virtually irreversible) infection of an Android device with malware. To this end we will walk the reader through the single steps that lead […]

By |2021-03-16T14:28:54+01:0031. March 2016|
Read More

Burp and TCP Connection Reuse / TCP Streaming

Recently we were working on an engagement to test a fat client using a web service and ran into a problem with Burp. Surprisingly enough, there was not a single resource on the Internet to help us out. Hoping that others dealing with the same issue won’t lose their sanity like we almost did, I am writing this blog post now ;)

We were trying to test a web application, or rather a client application (a binary!) communicating with a web service built on top of an HTTP REST API, with Burp as a transparent/invisible proxy in between. For some completely unknown reason, when Burp was between the client software and the server, the client application just refused to log in.

A comparison of HTTP requests and […]

By |2021-03-16T14:28:47+01:0019. June 2015|
Read More

[CVE-2014-5335] CSRF in Innovaphone PBX

Innovaphone PBX Admin-GUI CSRF

Impact: High
CVSS2 Score: 7.8 (AV:N/AC:M/Au:S/C:P/I:C/A:C/E:F/RL:U/RC:C)
Announced: August 21, 2014
Reporter: Rainer Giedat (NSIDE ATTACK LOGIC GmbH, https://www.nsideattacklogic.de/)
Products: Innovaphone PBX Administration GUI
Affected Versions: all known versions (tested 10.00 sr11)
CVE-id: CVE-2014-5335

Summary

The innovaphone PBX is a powerful and sophisticated VoIP telephone system for use in professional business environments. In addition to a wide range of IP telephony functionalities, the innovaphone PBX is also equipped with a perfectly integrated Unified Communications solution that can be enabled as needed at any time and at any workspace.

The innovaphone PBX uses a web-based user interface. This UI is vulnerable to cross-site request forgery attacks (CSRF).

Description

The UI does not check if a request was sent originating from a page it delivered before or from an untrusted and potentially malicious source. With a […]

By |2022-05-19T17:10:09+02:0021. August 2014|
Read More

 

STAY UP TO DATE

Subscribe to our newsletter and receive important and interesting news about cyber security once a quarter

CONTACT

NSIDE ATTACK LOGIC GmbH
Landshuter Allee 8
80637 München
Tel.: +49 89 89082-110
E-Mail: info@nsideattacklogic.de

ABOUT

Why NSIDE?
Management
Carreer
References
Media coverage

SERVICES

Red Teaming
Purple Teaming
Penetration Testing
Phishing-Simulation

KNOWLEDGE

Blog
Advisories
FAQ
Newsletter

FOLLOW US!

    

Imprint
Data protection & privacy

© 2025 – NSIDE ATTACK LOGIC GmbH

Go to Top