Preso Day Q1 + More
A quick quarterly roundup of what we’ve been up to at Volkis and a bit of unsolicited advice from our Managing Director.

Conferences are a great excuse to catch up with clients and partners, so we took a quick trip to the Sunshine Coast and Brisbane before sponsoring CrikeyCon X.
Volkis Preso Day Q1 - Sydney
Being a remote company, we make it a point to catch up regularly. Every quarter, the Volkis team gets together to swap stories from the security world at what we call ‘Presentation Day’ or ‘Preso Day’ for short.
Matt and Alexei had been running Preso Days long before Volkis was a twinkle in their eyes. We often bring in guests from across the security industry, and just like Fight Club, if it’s your first time attending, you have to present! Here is a recap of the day:
Matt - A more reliable red team implant: looking to improve our current design by using 4G to make a more reliable Swiss Army knife of a physical implant.
Annie-Mei - China’s Great Firewall: a presentation about her time living in China, covering Instagram being blocked during the Umbrella Movement and how the CCP is able to block applications. Annie-Mei also highlighted a report by The Citizen Lab on how platforms like WeChat filter and censor information.
Anika spoke about the current landscape of cybercrime policing in Australia: how cyber harassment and fraud get neglected, while cyber-dependent crimes such as ransomware get all the attention.
Victoria - Ch-ch-ch-ch-change and getting comfortable with the uncomfortable: a short rant about change management, human nature and five strategies to move through organisational change with confidence. Vic has just completed Change Management Practitioner training through APMG International.
Josh’s presentation was called ‘Bypassing Windows Defender for Endpoint Using BallisKit and Mythic C2’ - walking through the setup of Mythic C2, Defender for Endpoint, Cloudflare Tunnels & the use of BallisKit Shellcode Packer.
Alexei spoke to us about Domains & Privacy, and shared how to retain your privacy while purchasing domain names.
Matt spoke again in the afternoon, asking us: can you trust your identity provider? The geopolitical situation in the world is becoming more conflicted and troubled. Will we get to the point where cloud authentication providers such as Entra ID, Google Workspace and Okta are used as political bargaining chips?
Finn finished up the day with a walkthrough of our latest red team engagement. While we can’t share much just now, stay tuned for more internal interviews on our YouTube channel!

Lost in Cyberia - Podcast
Speaking of Annie-Mei Forster and Anika Guenov: while the team were in Sydney last month, we also recorded a podcast featuring our own Hortense Rothery 🐺, sharing her journey from fashion to cyber security. You can listen here.
Red Team War Stories - YouTube
We have been having more conversations (with client permission!) about the more entertaining parts of red teams.
Unsolicited advice from our Managing Director
Matthew Strahan
There's a method for installing malware on WordPress sites that popped up in the last few weeks. (https://thehackernews.com/2025/03/hackers-exploit-wordpress-mu-plugins-to.html)
It got me thinking about the crazy speed at which vulnerabilities in content management systems like WordPress are exploited. Here's what happens:
A vulnerability is found in a content management system or plugin. Hacking groups then use tools like Shodan (https://www.shodan.io/) or run internet-wide scans to find every single internet-facing server that can be exploited. When they're ready, they exploit every server on the internet, all at once.
Ten thousand servers compromised in minutes. How do you respond in that time? Well... you can't. No matter how often you check for automatic updates, your server will be exploited before the update arrives. No matter how quickly you find out about the exploitation, it's already too late.
That said, there are ways of protecting yourself and making sure your server isn't one of the ten thousand that's automatically compromised in minutes. Often you only need to raise the bar a little for the exploit to stop working.
Maybe this month you should take some time out and ensure your web servers running content management systems like WordPress are appropriately hardened. The WordPress Hardening Guide (https://developer.wordpress.org/advanced-administration/security/hardening/) is a great resource for WordPress specifically.
No matter what system you're using, though, you should at least:
- Limit access to administration consoles to users from your organisation, using IP allowlists.
- Rename the administration account to something other than "admin".
- Limit file permissions and user permissions to only what is necessary for running the website.
- Ensure the database and web server run as low-privileged users.
- Consider putting the site behind a web application firewall.
You can also take some sensible steps to limit the damage even if the web server is compromised:
- The web server should be separated from your internal network, either using a DMZ or cloud-based services.
- Customer data (for example from contact forms) should be deleted from the server when it's no longer needed.
- Make sure you back up your web server: if it's defaced, you can be ready to redeploy in minutes if you're prepared.
Taking a bit of time out to perform these sensible steps can save a lot of grief later!
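As an added example (not from the newsletter or the linked hardening guide), here is how the IP-allowlist and file-access advice above translates into Apache 2.4 .htaccess rules for a standard WordPress layout. The IP ranges are placeholders from the RFC 5737 documentation blocks, and it assumes AllowOverride on the document root permits AuthConfig directives.

```apache
# --- /.htaccess (site root, placed after WordPress's own "# BEGIN WordPress" block) ---

# Only the office/VPN ranges may reach the login page. The ranges below are
# placeholders from the RFC 5737 documentation blocks; substitute your own.
<Files "wp-login.php">
    Require ip 203.0.113.0/24 198.51.100.7
</Files>

# wp-config.php holds database credentials and salts and is never meant to be
# served directly, so refuse every HTTP request for it outright.
<Files "wp-config.php">
    Require all denied
</Files>

# --- /wp-admin/.htaccess ---

# Same allowlist for the whole admin console ...
Require ip 203.0.113.0/24 198.51.100.7

# ... except admin-ajax.php, which front-end themes and plugins call on behalf
# of anonymous visitors; without this exemption those features break. In
# Apache 2.4 a <Files> section's Require overrides the directory-level one.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- /wp-content/uploads/.htaccess ---

# The uploads tree has to be writable by the web server user, so it is the
# usual place a planted script would end up. Refuse to execute anything
# PHP-like from it.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
```

If the site sits behind a CDN or the web application firewall suggested above, Apache sees the proxy's address rather than the visitor's unless mod_remoteip is configured to trust that proxy, so the allowlist would either block everyone or no one. Verify the rules with one request from inside and one from outside the allowlisted ranges before relying on them.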
Thanks again for making it this far down! Please let us know if you like what we have to say or if we are yapping too much!
Matt, Alexei & the Volkis team 🐺