Windows Shortcut (LNK) Malware Strategies

Source: Unit 42

Author: Haizhou Wang, Ashkan Hosseini, Ashutosh Chitwadgi

URL: https://unit42.paloaltonetworks.com/lnk-malware/

  1. ONE SENTENCE SUMMARY: Attackers increasingly exploit Windows LNK files, using varied techniques such as exploits, malicious file execution, and embedded scripts for malware delivery.

  2. MAIN POINTS:

  3. Malicious LNK samples surged from 21,098 in 2023 to 68,392 in 2024.

  4. LNK files act as shortcuts to other files, applications, or folders in Windows.

  5. Attackers abuse LNK flexibility, disguising malware as legitimate files to trick users.

  6. Four types of LNK malware: exploit execution, malicious file execution, in-argument scripts, and overlay content execution.

  7. Most malicious LNK files contain LINKTARGET_IDLIST, RELATIVE_PATH, or COMMAND_LINE_ARGUMENTS structures.

  8. Common system targets abused include powershell.exe, cmd.exe, rundll32.exe, conhost.exe, and mshta.exe.

  9. COMMAND_LINE_ARGUMENTS can embed malicious scripts directly within LNK files.

  10. Overlay content execution techniques involve find/findstr, mshta, or PowerShell commands.

  11. CVE-2010-2568 vulnerability is notably exploited using corrupted LNK binaries.

  12. Users should carefully inspect LNK file properties, especially target paths, to detect malware.

  13. TAKEAWAYS:

  14. Windows users should be cautious and verify LNK files’ properties before execution.

  15. Cybersecurity teams must understand LNK malware techniques to enhance defenses.

  16. Palo Alto Networks products offer protection against various LNK-based attacks.

  17. Overlay content execution techniques are increasingly used to hide malicious payloads.

  18. Awareness of common system targets and malware structures significantly aids malware detection.

NTLM relay attacks are back from the dead

Source: Help Net Security

Author: Help Net Security

URL: https://www.helpnetsecurity.com/2025/07/04/ntlm-relay-attacks/

ONE SENTENCE SUMMARY: NTLM relay attacks remain prevalent, simple to execute, and effective at compromising Active Directory environments, requiring proactive mitigation strategies.

MAIN POINTS:

  1. NTLM relay attacks exploit authentication exchanges without needing password cracking or weak passwords.
  2. Relay attacks often combine with authentication coercion techniques like Printer Bug or PetitPotam.
  3. SMB servers, LDAP/LDAPS services, and ADCS web enrollment are primary NTLM relay targets.
  4. SMB relay attacks can grant attackers access to sensitive shares and enable lateral movement.
  5. LDAP relay attacks exploit unenforced LDAP signing and channel binding on domain controllers.
  6. ADCS web enrollment relay attacks enable attackers to impersonate victims using malicious certificates.
  7. Microsoft is introducing mitigations such as enforced SMB signing and LDAP sealing starting Windows Server 2025.
  8. NTLM is still widely used due to legacy software hard-coded to use it instead of Kerberos.
  9. Default configurations often leave older Windows environments highly vulnerable to relay attacks.
  10. Enforcing signing, channel binding, and regularly evaluating environments are critical for defense.

TAKEAWAYS:

  1. NTLM relay attacks remain a significant threat, commonly used in real-world attacks.
  2. Authentication coercion makes relay attacks viable anytime, not relying on victim-initiated authentication.
  3. Default configurations leave many organizations vulnerable; proactive changes are necessary.
  4. Upcoming Windows Server 2025 security defaults will help, but organizations shouldn’t wait to implement mitigations.
  5. Regular security evaluations, SMB/LDAP signing enforcement, and channel binding are essential defensive practices.

We see what we expect – and miss what matters

Source: Secure by Choice

Author: Sarah Aalborg

URL: https://securebychoice.com/blog/108175-we-see-what-we-expect-and-miss-what

ONE SENTENCE SUMMARY: Forensic investigations are impacted by cognitive biases like confirmation and anchoring, requiring deliberate strategies to mitigate their influence effectively.

MAIN POINTS:

  1. Forensic analysis, despite being data-driven, is heavily influenced by cognitive biases.
  2. Human brains naturally create stories, filtering new data through existing assumptions.
  3. Confirmation bias leads investigators to focus only on evidence supporting initial theories.
  4. Anchoring bias causes undue emphasis on the first piece of evidence discovered.
  5. A Guardian-cited study found forensic experts influenced by contextual biases reached differing conclusions.
  6. Bias affects even highly experienced experts, often without their awareness.
  7. Explicitly naming biases can help teams recognize and counteract their impact.
  8. Conducting pre-mortems encourages consideration of alternative hypotheses before deep investigation.
  9. Introducing fresh perspectives can reduce anchoring effects and improve investigative accuracy.
  10. Tracking multiple scenarios and reflecting on assumptions enhances learning and accuracy in forensics.

TAKEAWAYS:

  1. Recognize that even expert investigators are vulnerable to cognitive biases.
  2. Explicitly acknowledging biases helps mitigate their negative impact.
  3. Regularly question initial assumptions and entertain multiple theories.
  4. Seek input from individuals not influenced by initial investigative contexts.
  5. Reflecting systematically on investigative processes improves future outcomes.

Cisco warns that Unified CM has hardcoded root SSH credentials

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/cisco-removes-unified-cm-callManager-backdoor-root-account/

  1. ONE SENTENCE SUMMARY: Cisco has patched a critical backdoor vulnerability (CVE-2025-20309) in Unified Communications Manager allowing attackers remote root access.

  2. MAIN POINTS:

  3. Cisco Unified CM had a critical backdoor root account vulnerability identified as CVE-2025-20309.

  4. The vulnerability arises from static, default credentials used during development and testing.

  5. CVE-2025-20309 affects Unified CM and SME Engineering Special releases 15.0.1.13010-1 to 15.0.1.13017-1.

  6. Exploitation allows unauthenticated attackers root-level remote access to affected systems.

  7. No workarounds exist; admins must upgrade or apply the CSCwp27755 security patch.

  8. Cisco provided indicators of compromise to assist detection and response efforts.

  9. Successful exploitation creates log entries under /var/log/active/syslog/secure accessible by admins.

  10. Cisco previously experienced similar backdoor vulnerabilities in IOS XE, DNA Center, and Emergency Responder.

  11. Earlier this year, Cisco patched similar issues in Smart Licensing Utility and IOS XE devices.

  12. No current evidence indicates active exploitation or available proof-of-concept code online.

  13. TAKEAWAYS:

  14. Immediately apply the Cisco-provided security patch or upgrade to mitigate this severe vulnerability.

  15. Regularly check logs at /var/log/active/syslog/secure for suspicious root user activities.

  16. Stay vigilant for security advisories from Cisco regarding hardcoded credential vulnerabilities.

  17. Maintain awareness that even reputable products may have hidden backdoor accounts.

  18. Prioritize patch management to rapidly address high-severity vulnerabilities in critical infrastructure.

5 Critical Security Risks Facing COBOL Mainframes

Source: Blog RSS Feed

Author: Gilad David Maayan

URL: https://www.tripwire.com/state-of-security/critical-security-risks-facing-cobol-mainframes

  1. ONE SENTENCE SUMMARY: COBOL remains vital in global enterprise systems yet faces significant security risks requiring proactive measures and modern security practices.

  2. MAIN POINTS:

  3. COBOL is deeply embedded in critical global systems like banking, insurance, and government.

  4. Legacy COBOL systems face growing cybersecurity threats due to outdated security configurations.

  5. COBOL’s stability and batch processing efficiency sustain its widespread use in mainframe environments.

  6. Industries relying on COBOL include finance, insurance, government, retail, manufacturing, and healthcare.

  7. Dynamic SQL in COBOL applications can lead to SQL injection attacks if input isn’t sanitized.

  8. Legacy communication protocols (FTP, TN3270) transmit sensitive data without encryption, increasing vulnerability.

  9. Weak authentication and outdated access control methods expose COBOL systems to unauthorized access risks.

  10. Privilege escalation vulnerabilities arise from poor application logic, misconfigurations, or insecure scripts.

  11. COBOL applications often lack adequate input validation and error handling, risking exploitation.

  12. Best practices include regular code reviews, pentesting, proactive patching, developer training, and compliance adherence.

  13. TAKEAWAYS:

  14. Regularly review and update legacy COBOL code to address potential vulnerabilities.

  15. Employ comprehensive mainframe penetration testing to identify hidden security weaknesses.

  16. Implement proactive patch management strategies to protect against known threats.

  17. Provide ongoing developer training on secure coding practices specific to COBOL environments.

  18. Ensure strict adherence to industry compliance standards for maintaining secure COBOL-based systems.

CrowdStrike/VirtualGHOST: VirtualGHOST Detection Tool

Source: GitHub

Author: unknown

URL: https://github.com/CrowdStrike/VirtualGHOST

ONE SENTENCE SUMMARY: The repository provides a PowerShell script (Detect-VirtualGHOST.ps1) using VMWare PowerCLI to detect unregistered, powered-on VMware VMs (“VirtualGHOSTs”) that evade standard management processes.

MAIN POINTS:

  1. VirtualGHOST refers to VMware VMs powered on manually via command line, not registered in inventory.
  2. Detect-VirtualGHOST.ps1 script identifies VirtualGHOST VMs by comparing inventory and active VM lists.
  3. Script requires “Server” (IP/DNS) and “Credential” parameters for VMware API access.
  4. If parameters aren’t provided initially, the script interactively prompts for necessary inputs.
  5. Positive detection results list hypervisor, VM name, VM configuration file, and VMWorldID clearly.
  6. Script alerts on network connections associated with detected VirtualGHOST VMs, including MAC addresses.
  7. Negative results explicitly indicate no unregistered VMs were found on checked hypervisors.
  8. VirtualGHOSTs evade standard VMware management tools like vCenter and ESXi web UI.
  9. For forensic analysis, SSH into ESXi host and manually copy VM files due to locked resources.
  10. VMware logs (vmware*.log) from VM directories are critical resources for further investigation.

TAKEAWAYS:

  1. Regularly run Detect-VirtualGHOST.ps1 to proactively identify hidden VMware VMs in your environment.
  2. Treat any positive result seriously, even though some false positives from normal lifecycle activities may occur.
  3. Always preserve VM files and vmware logs immediately following discovery for forensic analysis.
  4. Registration and suspension of a detected VirtualGHOST VM via ESXi web UI facilitates investigative documentation.
  5. Engage with community via GitHub issues for script support, as official CrowdStrike support isn’t available.

Program Execution, follow-up pt II

Source: Windows Incident Response

Author: Unknown

URL: http://windowsir.blogspot.com/2025/06/program-execution-follow-up-pt-ii.html

ONE SENTENCE SUMMARY: Validating program execution through multiple correlated data sources is crucial, rather than assuming artifacts alone indicate successful execution.

MAIN POINTS:

  1. ShimCache and AmCache artifacts alone do not reliably indicate successful program execution.
  2. Security Event Log (4720) confirms successful creation of user accounts beyond just command execution.
  3. “net user” commands may inaccurately imply new account creation when only password is changed.
  4. Application Event Log MsiInstaller records confirm actual installations via msiexec.exe.
  5. Application Pop-up or Windows Error Reporting logs can show unsuccessful program launches.
  6. Antivirus logs indicate if threats were successfully quarantined or if malware execution continued.
  7. WMI-Activity/5861 event logs confirm successful creation of malicious WMI event consumers.
  8. Parsing Objects.DATA file can verify if malicious event consumers persist in the WMI repository.
  9. Correlating multiple data sources provides a system-level confirmation of actual execution outcomes.
  10. Validating findings prevents incorrect decisions and ensures accurate resource allocation.

TAKEAWAYS:

  1. Always validate artifact interpretations with complementary log sources.
  2. Single artifacts alone rarely indicate successful execution; cross-reference multiple logs.
  3. Consider transient and persistent data sources when confirming program execution.
  4. Build timelines from multiple event logs to accurately validate threat actor actions.
  5. Ensure your analysis is robust and data-supported, as critical decisions depend on accurate findings.

Microsoft 365 ‘Direct Send’ abused to send phishing as internal users

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/microsoft-365-direct-send-abused-to-send-phishing-as-internal-users/

  1. ONE SENTENCE SUMMARY: A phishing campaign exploiting Microsoft 365’s Direct Send feature bypasses security measures, targeting numerous U.S. organizations to steal credentials.

  2. MAIN POINTS:

  3. Phishing attacks exploit Microsoft 365’s Direct Send, bypassing standard authentication and email security protocols.

  4. Direct Send enables unauthenticated email delivery via a tenant’s smart host, designed for devices like printers.

  5. Microsoft advises using Direct Send only if companies can properly manage and configure email servers.

  6. Varonis MDDR team discovered the phishing campaign targeting over 70 U.S. organizations since May 2025.

  7. Attackers primarily target financial services, manufacturing, healthcare, insurance, construction, and engineering sectors.

  8. Phishing emails impersonate voicemail or fax notifications, including PDF attachments branded with company logos.

  9. PDFs instruct victims to scan QR codes, redirecting them to fake Microsoft login pages for credential theft.

  10. Attackers utilize PowerShell scripts sent from external IP addresses to send internal-looking emails.

  11. Emails fail SPF, DKIM, DMARC checks yet pass through security as trusted internal traffic via smart host.

  12. Microsoft introduced “Reject Direct Send” setting in Exchange Admin Center to mitigate these phishing attacks.

  13. TAKEAWAYS:

  14. Carefully evaluate if Direct Send is necessary, and if not, disable or restrict it immediately.

  15. Enable “Reject Direct Send” in Exchange Online to prevent unauthorized internal-looking emails.

  16. Implement strict DMARC policies (p=reject) to block unauthorized internal domain usage.

  17. Train employees regularly to recognize and avoid phishing attempts, especially those involving QR codes.

  18. Regularly monitor internal email traffic for signs of spoofing or abnormal behavior.

New ‘CitrixBleed 2’ NetScaler flaw let hackers hijack sessions

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/new-citrixbleed-2-netscaler-flaw-let-hackers-hijack-sessions/

  1. ONE SENTENCE SUMMARY: Citrix warns of critical “CitrixBleed 2” vulnerabilities affecting NetScaler ADC and Gateway devices, potentially exposing sensitive user data.

  2. MAIN POINTS:

  3. Citrix disclosed vulnerabilities CVE-2025-5777 and CVE-2025-5349 affecting NetScaler ADC and Gateway devices.

  4. CVE-2025-5777 is an out-of-bounds memory read allowing unauthenticated attackers memory access.

  5. Vulnerable configurations include Gateway setups like VPN virtual servers, ICA Proxy, CVPN, and AAA servers.

  6. Cybersecurity researcher named flaw “CitrixBleed 2” due to similarities with older CitrixBleed vulnerability.

  7. Attackers exploiting CVE-2025-5777 could hijack sessions, bypass MFA, and access sensitive credentials.

  8. CVE-2025-5349 involves improper access control in NetScaler Management Interface through various IPs.

  9. Citrix recommends updating to safe versions: 14.1-43.56, 13.1-58.32, 13.1-NDcPP 13.1-37.235 (FIPS), and 12.1-55.328 (FIPS).

  10. Admins should terminate all active ICA and PCoIP sessions after installing patches.

  11. End-of-life versions ADC/Gateway 12.1 (non-FIPS) and ADC/Gateway 13.0 will not receive patches.

  12. Over 56,500 publicly exposed NetScaler endpoints exist, unclear how many remain vulnerable.

  13. TAKEAWAYS:

  14. Immediately update NetScaler ADC and Gateway devices to mitigate “CitrixBleed 2” vulnerabilities.

  15. Regularly monitor and terminate suspicious ICA and PCoIP sessions post-update.

  16. Replace unsupported end-of-life versions promptly to maintain security posture.

  17. Assess publicly exposed NetScaler endpoints to prioritize patching vulnerable systems.

  18. Leverage automation to simplify and accelerate patch management processes.

Why Kerberoasting Still Matters for Security Teams 

Source: Varonis Blog

Author: Simon Biggs

URL: https://www.varonis.com/blog/kerberoasting-still-matters

  1. ONE SENTENCE SUMMARY: Kerberoasting remains a prevalent and effective attack technique exploiting Windows Kerberos authentication to capture encrypted credentials for lateral movement.

  2. MAIN POINTS:

  3. Kerberoasting targets Kerberos authentication, extracting encrypted credentials from Active Directory.

  4. Attackers require only a valid domain user account to perform Kerberoasting.

  5. The technique involves requesting service tickets encrypted with service account password hashes.

  6. Password hashes are cracked offline, minimizing detection opportunities.

  7. Real-world attacks commonly exploit service accounts with weak or predictable passwords.

  8. Service accounts typically have high privileges, making them desirable targets.

  9. Kerberoasting is stealthy, produces minimal telemetry, and avoids malware deployment.

  10. Effective mitigation involves using Group Managed Service Accounts (gMSA) with complex passwords.

  11. Configure service accounts to use AES encryption instead of RC4 to strengthen security.

  12. Regular auditing and least-privilege principles help prevent Kerberoasting vulnerabilities.

  13. TAKEAWAYS:

  14. Prioritize implementing Group Managed Service Accounts (gMSA) for improved password security.

  15. Regularly audit Active Directory SPNs and remove unnecessary or risky accounts.

  16. Utilize AES encryption for Kerberos tickets to enhance resistance against offline cracking.

  17. Continuously monitor and manage service account password policies and privileges.

  18. Focus on making lateral movement difficult to detect and mitigate intrusions quickly.

ADCS Exploitation Part 3: Living Off The Land

Source: Medium

Author: Giulio Pierantoni

URL: https://medium.com/@offsecdeer/adcs-exploitation-part-3-living-off-the-land-9c6494d6a84e

ONE SENTENCE SUMMARY: The article outlines techniques for exploiting Active Directory Certificate Services (ADCS) using native Windows tools certutil and certreq.

MAIN POINTS:

  1. ADCS exploitation can be performed using built-in Windows tools certutil and certreq.
  2. Enumeration of enterprise CAs involves commands like certutil -TCAInfo and certutil -dump.
  3. Validation of CA certificates and trust hierarchy is critical before exploitation.
  4. Certificate templates can be analyzed using certutil -dsTemplate and certutil -Template.
  5. ESC1 exploits involve generating a CSR with user-supplied SAN through policy files.
  6. ESC2 and ESC3 exploits require Enrollment Agent certificates and EOBO (Enroll-On-Behalf-Of) CSRs.
  7. ESC15 vulnerabilities allow injection of custom EKU OIDs into certificates.
  8. Golden Certificate creation involves backing up CA private keys using certutil -backupkey.
  9. ESC4 exploits involve modifying template attributes temporarily to enable enrollment.
  10. Certificates obtained can be leveraged for authentication via CredMarshalCredential and PSSession.

TAKEAWAYS:

  1. Native Windows tools offer stealthier methods for ADCS exploitation compared to external tools.
  2. Proper enumeration and validation steps are essential for successful exploitation.
  3. Understanding template attributes and DACLs helps identify exploitable vulnerabilities.
  4. Certificate-based authentication provides powerful lateral movement capabilities in Windows domains.
  5. Monitoring and restricting usage of certutil and certreq by regular users improves security posture.

Kali Linux 2025.2 released with 13 new tools, car hacking updates

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/kali-linux-20252-released-with-13-new-tools-car-hacking-updates/

ONE SENTENCE SUMMARY: Kali Linux 2025.2 features a refreshed UI, expanded car hacking tools, new cybersecurity utilities, and enhanced Kali NetHunter support.

MAIN POINTS:

  1. Kali Linux 2025.2 released, adding 13 new cybersecurity tools.
  2. Car hacking toolkit renamed “CARsenal” with improved interface.
  3. New car hacking tools include hlcand, VIN Info, CaringCaribou, and ICSim.
  4. Kali Menu reorganized using MITRE ATT&CK framework for easier tool discovery.
  5. GNOME updated to version 48 with performance boosts and digital well-being tools.
  6. KDE Plasma 6.3 introduces better fractional scaling and improved CPU monitoring.
  7. Evince replaced by Papers app in GNOME for document viewing.
  8. Kali NetHunter adds wireless injection support on TicWatch Pro 3 smartwatch.
  9. NetHunter now runs Kali NetHunter KeX on Android Auto head units.
  10. New and updated NetHunter kernels available for Xiaomi, Realme, and Samsung devices.

TAKEAWAYS:

  1. Improved UI and menu structure make tool navigation easier for cybersecurity professionals.
  2. CARsenal toolkit offers comprehensive solutions for automotive security testing.
  3. GNOME and KDE updates deliver significant user experience and performance enhancements.
  4. Expanded Kali NetHunter capabilities broaden mobile and wearable penetration testing opportunities.
  5. Upgrading Kali Linux installations streamlined with clear instructions and commands.

NIST Outlines Real-World Zero-Trust Examples

Source: Dark Reading

Author: Fahmida Y. Rashid

URL: https://www.darkreading.com/endpoint-security/nist-outlines-real-world-zero-trust-examples

ONE SENTENCE SUMMARY: NIST’s new SP 1800-35 guidance provides practical examples and phased implementation strategies for organizations adopting end-to-end zero-trust architectures.

MAIN POINTS:

  1. NIST released SP 1800-35 guidance demonstrating real-world zero-trust architectures using commercial technologies.
  2. The guidance includes 19 practical example implementations developed over four years with 24 industry partners.
  3. SP 1800-35 builds upon NIST SP 800-207, moving from conceptual to practical ZTA implementation advice.
  4. Organizations must customize zero-trust deployments due to their unique network environments and security requirements.
  5. Zero-trust architectures continuously evaluate and verify access requests, removing implicit trust in users or devices.
  6. Implementing zero trust significantly reduces lateral movement and privilege escalation by malicious actors.
  7. NCCoE team installed, configured, and tested each example, providing troubleshooting assistance and best practices.
  8. Guidance aligns solutions with NIST Cybersecurity Framework and NIST SP 800-53 standards.
  9. Organizations should incrementally adopt foundational elements like identity management and multifactor authentication.
  10. Zero trust is an ongoing journey requiring continual adaptation to evolving threats, technologies, and organizational needs.

TAKEAWAYS:

  1. Leverage NIST’s practical examples to start customized zero-trust deployments.
  2. Begin ZTA implementation with a thorough inventory of existing organizational assets and capabilities.
  3. Formulate clear access policies based on least privilege and continuous verification principles.
  4. Incrementally implement ZTA components, starting with foundational security solutions.
  5. Continuously monitor and evolve zero-trust architectures to address changing threats and business requirements.

How to log and monitor PowerShell activity for suspicious scripts and commands

Source: How to log and monitor PowerShell activity for suspicious scripts and commands | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4006326/how-to-log-and-monitor-powershell-activity-for-suspicious-scripts-and-commands.html

ONE SENTENCE SUMMARY:

Attackers exploit consultants’ systems using legitimate tools and remote access methods, highlighting the need for enhanced workstation protection strategies.

MAIN POINTS:

  1. Consultants’ computers are attractive targets due to their access across multiple organizations.
  2. Recent attack involved installing Alpha Agent and updating Splashtop for remote access.
  3. Attackers employed legitimate tools and normal processes, avoiding antivirus detection.
  4. Entry point of the initial attack remains unknown.
  5. Adjust attack surface reduction rules to prevent common attack techniques.
  6. Enable PowerShell script logging via Group Policy or Intune for monitoring.
  7. Regularly review logs for suspicious scripts, encoding, and obfuscation techniques.
  8. Microsoft Defender for Cloud can detect suspicious PowerShell and script activities.
  9. Maintain awareness of authorized remote access tools and restrict unauthorized ones.
  10. Monitor consultant workstations closely to detect abnormal activities quickly.

TAKEAWAYS:

  1. Tighten security rules to block execution of potentially malicious scripts.
  2. Enable detailed PowerShell logging on all critical workstations.
  3. Regularly analyze logs for unusual activities or attempts to harvest credentials.
  4. Clearly document approved remote access tools and restrict unauthorized installations.
  5. Increase monitoring and alerts specifically on consultant machines accessing internal resources.

Hunting Deserialization Vulnerabilities With Claude

Source: TrustedSec

Author: James Williams

URL: https://trustedsec.com/blog/hunting-deserialization-vulnerabilities-with-claude

ONE SENTENCE SUMMARY: This post explores using Model Context Protocol (MCP) to identify zero-day vulnerabilities in .NET assemblies through disassembly techniques.

MAIN POINTS:

  1. Model Context Protocol (MCP) helps discover zero-day vulnerabilities in .NET assemblies.
  2. MCP setup involves preparing Claude for effective .NET assembly disassembly.
  3. Zero-day vulnerabilities are previously unknown security flaws in software.
  4. Analyzing .NET assemblies can reveal potential zero-day exploits.
  5. MCP aids in systematically uncovering security weaknesses in compiled code.
  6. Disassembling .NET assemblies provides insight into underlying software vulnerabilities.
  7. The MCP-driven approach streamlines vulnerability identification processes.
  8. Proper MCP setup ensures accurate and efficient .NET code analysis.
  9. Understanding .NET assembly structure is crucial for zero-day discovery.
  10. MCP enhances security assessments through comprehensive assembly analysis.

TAKEAWAYS:

  1. MCP is valuable for identifying previously unknown vulnerabilities in .NET software.
  2. Setting up MCP correctly is essential for effective disassembly and vulnerability detection.
  3. Detailed analysis of assemblies enables discovery of hidden security flaws.
  4. Familiarity with .NET assembly internals significantly improves zero-day research outcomes.
  5. Leveraging MCP streamlines and improves accuracy of security assessments.

GitLab patches high severity account takeover, missing auth issues

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/gitlab-patches-high-severity-account-takeover-missing-auth-issues/

  1. ONE SENTENCE SUMMARY: GitLab urgently released patches for critical vulnerabilities allowing account takeover, malicious CI/CD job injections, and denial-of-service attacks.

  2. MAIN POINTS:

  3. GitLab issued security updates for Community and Enterprise editions 18.0.2, 17.11.4, and 17.10.8.

  4. CVE-2025-4278 vulnerability allows attackers to hijack accounts through HTML injection.

  5. CVE-2025-5121 flaw permits malicious CI/CD job injection into future project pipelines.

  6. CVE-2025-2254 addresses a cross-site scripting vulnerability affecting legitimate user sessions.

  7. CVE-2025-0673 fixes a denial-of-service issue involving infinite redirect loops and memory exhaustion.

  8. GitLab.com and Dedicated customers already have the security patches applied.

  9. GitLab strongly urges immediate upgrades for all self-managed installations.

  10. Attackers exploiting CVE-2025-5121 require authenticated access to GitLab Ultimate licensed instances.

  11. Recent breaches affected Europcar Mobility Group and Pearson through compromised GitLab repositories.

  12. GitLab platform serves over 30 million users, including half of Fortune 100 companies.

  13. TAKEAWAYS:

  14. Immediately upgrade self-managed GitLab instances to patched versions.

  15. Ensure strict authentication and access controls, especially for GitLab Ultimate environments.

  16. Recognize the high-value target GitLab represents due to sensitive information in repositories.

  17. Regularly monitor GitLab security advisories to respond swiftly to emerging threats.

  18. Automate patching processes to streamline security updates and reduce administrative overhead.

Over 80,000 Microsoft Entra ID Accounts Targeted Using Open-Source TeamFiltration Tool

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/06/over-80000-microsoft-entra-id-accounts.html

ONE SENTENCE SUMMARY: Attackers exploit TeamFiltration to target Microsoft Entra ID accounts, compromising over 80,000 users via password spraying and enumeration methods.

MAIN POINTS:

  1. New ATO campaign named UNK_SneakyStrike targets Microsoft Entra ID user accounts.
  2. Attackers leveraged open-source framework TeamFiltration, originally for penetration testing.
  3. Over 80,000 user accounts breached across numerous cloud tenants since December 2024.
  4. Microsoft Teams API and AWS servers were utilized to perform attacks.
  5. Primary attack methods include password spraying, user enumeration, and data exfiltration.
  6. Malicious files were uploaded to victims’ Microsoft OneDrive accounts for persistent access.
  7. Attack waves originated from geographically dispersed AWS servers to evade detection.
  8. Top attacking regions were United States (42%), Ireland (11%), and Great Britain (8%).
  9. Attacks occurred in concentrated bursts followed by quiet periods of four to five days.
  10. Smaller cloud tenants experienced broad targeting, while larger tenants had selective targeting.

TAKEAWAYS:

  1. Security tools intended for protection can be weaponized by attackers.
  2. Organizations must monitor for abnormal login attempts and geographic patterns.
  3. Regularly review and tighten user account access and permissions in cloud environments.
  4. Implement proactive defenses such as multi-factor authentication to counteract password spraying.
  5. Remain vigilant about publicly available security frameworks being misused by threat actors.

Microsoft Outlook to block more risky attachments used in attacks

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/microsoft-outlook-to-block-more-risky-attachments-used-in-attacks/

ONE SENTENCE SUMMARY: Microsoft will block .library-ms and .search-ms attachments in Outlook starting July 2025 to counter phishing and malware threats.

MAIN POINTS:

  1. Microsoft expands Outlook’s blocked attachment list to include .library-ms and .search-ms files.
  2. The update applies to Outlook Web and the new Outlook for Windows starting July 2025.
  3. Attackers previously exploited .library-ms files in phishing campaigns targeting governments and companies.
  4. .search-ms protocol handler was exploited since June 2022 for phishing and malware delivery.
  5. Most organizations will not be affected due to rarity of these file types’ usage.
  6. Organizations relying on these file types must manually adjust allowed file type settings.
  7. Microsoft provides documentation to help Exchange Server administrators manage attachment security.
  8. Blocking these files is part of Microsoft’s larger strategy to eliminate exploited features.
  9. Microsoft previously disabled Office VBA macros, XLM macros, XLL add-ins, and ActiveX controls.
  10. VBScript support will also be discontinued by Microsoft starting April 2025.

TAKEAWAYS:

  1. Outlook security updates proactively block file types historically exploited by attackers.
  2. Organizations should review attachment policies to ensure operational continuity.
  3. Microsoft continues to remove legacy features to reduce security risks.
  4. Administrators can manually configure allowed file types to accommodate business requirements.
  5. Regularly reviewing Microsoft’s security documentation can help organizations stay informed and prepared.

Patch Tuesday – June 2025

Source: Rapid7 Cybersecurity Blog

Author: Adam Barnett

URL: https://www.rapid7.com/blog/post/2025/06/10/patch-tuesday-june-2025/

ONE SENTENCE SUMMARY:

Microsoft’s June 2025 Patch Tuesday addresses 67 vulnerabilities, including two notable zero-days and eight critical remote code execution flaws.

MAIN POINTS:

  1. Microsoft released patches for 67 vulnerabilities in June 2025 Patch Tuesday update.
  2. Only one vulnerability, CVE-2025-33053 (WebDAV RCE), is actively exploited in-the-wild.
  3. WebDAV vulnerability exploited by threat actor Stealth Falcon targeting Middle Eastern governments.
  4. Windows WebDAV implementation has been deprecated since November 2023, reducing default exposure risk.
  5. CVE-2025-33073 in Windows SMB Client is a publicly disclosed elevation of privilege vulnerability.
  6. Critical RCE vulnerability CVE-2025-33071 affects Windows KDC Proxy Service with exploitation considered likely.
  7. Three Office vulnerabilities (CVE-2025-47162, CVE-2025-47164, CVE-2025-47167) leverage Preview Pane for exploitation.
  8. Microsoft 365 Apps for Enterprise patches for critical Office vulnerabilities not yet available.
  9. Eight critical remote code execution vulnerabilities were disclosed, requiring immediate attention.
  10. Two browser vulnerabilities previously published separately are not included in the June 2025 totals.

TAKEAWAYS:

  1. Prioritize patching actively exploited WebDAV vulnerability CVE-2025-33053 immediately.
  2. Urgently address critical Windows KDC Proxy vulnerability CVE-2025-33071 on exposed servers.
  3. Monitor closely the SMB Client vulnerability CVE-2025-33073 due to public disclosure and potential exploitation.
  4. Understand Office Preview Pane vulnerabilities significantly increase exploitation risk.
  5. Keep aware of the delayed availability of patches for Microsoft 365 Apps for Enterprise.

How to use on-demand rotation for AWS KMS imported keys

Source: AWS Security Blog

Author: Jeremy Stieglitz

URL: https://aws.amazon.com/blogs/security/how-to-use-on-demand-rotation-for-aws-kms-imported-keys/

  1. ONE SENTENCE SUMMARY: AWS KMS now supports on-demand rotation of imported symmetric encryption key material, enabling compliance without changing key identifiers.

  2. MAIN POINTS:

  3. AWS KMS introduces on-demand rotation for imported symmetric encryption key material (EXTERNAL origin).

  4. Previously, rotation required creating new keys and updating references; now identifiers remain constant.

  5. Imported keys can hold multiple key materials, rotating to the latest imported material on-demand.

  6. Ciphertext includes a key material identifier for automatic selection during decryption.

  7. API responses now include KeyMaterialId and CurrentKeyMaterialId for greater rotation transparency.

  8. Rotation process involves importing new key material, setting rotation state, and initiating rotation.

  9. AWS CLI and SDKs support on-demand key rotation, with new parameters for import-type.

  10. Imported keys uniquely offer immediate expiry and deletion capabilities for enhanced control.

  11. CloudTrail logging includes key material ID for improved auditability and compliance.

  12. Pricing is simplified with a base cost and capped additional rotation charges after two rotations.

  13. TAKEAWAYS:

  14. Simplifies compliance and security audits through seamless, non-disruptive key rotation.

  15. Enhances transparency and auditability with new API response fields and detailed CloudTrail logs.

  16. Provides greater flexibility and control with immediate expiry and deletion of imported key material.

  17. Reduces operational overhead by maintaining unchanged key identifiers during rotation.

  18. Offers predictable costs by capping additional charges beyond the second rotation per month.

Critical Cisco ISE Auth Bypass Flaw Impacts Cloud Deployments on AWS, Azure, and OCI

Source: The Hacker News

Author: info@thehackernews.com (The Hacker News)

URL: https://thehackernews.com/2025/06/critical-cisco-ise-auth-bypass-flaw.html

ONE SENTENCE SUMMARY: Cisco issued critical patches addressing a static credential vulnerability in cloud-based Identity Services Engine deployments, allowing unauthorized access.

MAIN POINTS:

  1. Cisco released patches for critical vulnerability CVE-2025-20286 in Identity Services Engine (ISE).
  2. The flaw has a critical CVSS severity rating of 9.9 out of 10.
  3. Issue stems from improperly generated static credentials in cloud deployments.
  4. Affected platforms include AWS, Microsoft Azure, and Oracle Cloud Infrastructure (OCI).
  5. Exploitation allows attackers access to sensitive data and limited administrative tasks.
  6. Vulnerability affects cloud-based Primary Administration nodes only; on-premises nodes are safe.
  7. Credentials are identical across deployments of same Cisco ISE release and cloud platform.
  8. Exploit could allow attacker to disrupt services or change system configurations.
  9. Proof-of-concept exploit exists, but no evidence of malicious exploitation yet.
  10. Cisco recommends restricting administrator traffic or performing a factory reset as mitigation.

TAKEAWAYS:

  1. Immediately apply Cisco’s security patches to affected cloud deployments.
  2. Restrict administrative access to trusted sources to mitigate potential exploits.
  3. Consider resetting Cisco ISE passwords using provided command, despite configuration reset risks.
  4. Regularly monitor for unusual activity, given the availability of proof-of-concept exploit.
  5. Evaluate and plan migration strategies to unaffected software versions or on-premises nodes.

1.1 Identity Governance in a Zero-Trust World

Source: Medium

Author: James Booth

URL: https://jmspbooth.medium.com/1-1-identity-governance-in-a-zero-trust-world-1ca5b58c4b8c

ONE SENTENCE SUMMARY: Identity governance operationalizes Zero Trust security by continuously managing user access, entitlements, and lifecycle events through automated, policy-driven controls.

MAIN POINTS:

  1. Most breaches occur due to unmanaged identities, orphaned accounts, and excess permissions.
  2. Zero Trust requires continuous verification of identity and entitlements in real-time.
  3. Identity governance ensures accurate user verification through robust identity proofing methods.
  4. Centralized directories with policy-as-code enforce consistent access controls across all systems.
  5. Decentralized identity (DIDs) enhances trust through cryptographically verified credentials.
  6. Automated lifecycle management rapidly revokes permissions when users change roles or leave.
  7. Non-human identities (bots, containers) require similar rigorous lifecycle governance controls.
  8. Conditional access dynamically evaluates real-time risk signals to adjust access levels immediately.
  9. Governance-as-code provides auditable, immutable records of entitlement changes and compliance.
  10. Effective identity governance significantly reduces breach probability and audit overhead costs.

TAKEAWAYS:

  1. Implement identity proofing and high-assurance authentication to enhance trust in user identities.
  2. Leverage centralized, policy-as-code IAM systems for consistent and secure access management.
  3. Adopt automated processes for join-move-leave events to mitigate risks from orphaned accounts.
  4. Include non-human identities in governance frameworks to address all possible security threats.
  5. Use decentralized identity and conditional access to build resilience against single points of failure.

msdirtbag/MDEAutomator: PowerShell-based Automation of Defender for Endpoint

Source: GitHub

Author: unknown

URL: https://github.com/msdirtbag/MDEAutomator

  1. ONE SENTENCE SUMMARY: MDEAutomator is a modular, serverless Azure Function and PowerShell-based solution streamlining endpoint management, incident response, threat hunting, and custom detection synchronization for Microsoft Defender for Endpoint (MDE).

  2. MAIN POINTS:

  3. Provides bulk automation of response actions, live response commands, and threat indicator management.

  4. Utilizes Azure Functions (Dispatcher, Orchestrator, Profiles, TIManager, AutoHunt, CDManager) for endpoint orchestration.

  5. Supports multi-tenant operations using User Managed Identity and App Registration federation.

  6. Enables bulk threat hunting using KQL queries via Microsoft Graph API, exporting results to Azure Storage.

  7. Allows bulk synchronization of Custom Detections with Azure Storage, including backup capabilities.

  8. Offers convenient uploading/downloading of files and scripts to/from endpoints and Azure Storage.

  9. Implements Python/Flask-based GUI hosted in Azure App Service with Entra ID authentication.

  10. Provides cmdlets for essential operations such as device isolation, application execution restriction, and forensic package collection.

  11. Supports advanced security practices including signed PowerShell scripts via Azure Trusted Signing.

  12. Has an estimated monthly Azure cost of approximately $210 USD.

  13. TAKEAWAYS:

  14. MDEAutomator significantly enhances Defender endpoint management through serverless automation and orchestration.

  15. Customizable PowerShell modules simplify complex MDE tasks like live response and threat indicator management.

  16. Multi-tenant readiness and federated identity options support scalable deployments.

  17. Advanced security measures like signed scripts and App Service authentication are strongly recommended.

  18. Comprehensive automation of custom detections and threat hunting greatly improves operational efficiency.

Kerberos AS-REP roasting attacks: What you need to know

Source: BleepingComputer

Author: Sponsored by Specops Software

URL: https://www.bleepingcomputer.com/news/security/kerberos-as-rep-roasting-attacks-what-you-need-to-know/

ONE SENTENCE SUMMARY: AS-REP Roasting attacks exploit Active Directory accounts without Kerberos pre-authentication, highlighting the critical importance of enforcing strong, secure passwords.

MAIN POINTS:

  1. AS-REP Roasting targets Active Directory user accounts lacking Kerberos pre-authentication.
  2. Normally, Kerberos pre-authentication securely transmits timestamps encrypted with user password hashes.
  3. Attackers exploit disabled pre-authentication, capturing AS-REP responses containing Ticket Granting Tickets (TGT).
  4. Criminals extract passwords from TGTs offline, often using brute-force techniques.
  5. Tools like Rubeus or Impacket facilitate AS-REP Roasting attacks.
  6. Cybersecurity agencies identify AS-REP Roasting among top Active Directory threats.
  7. Verizon reports stolen credentials involved in nearly half of data breaches.
  8. Organizations must identify vulnerable accounts using specialized detection scripts.
  9. Monitoring specific Windows Event IDs (4625, 4768, 4738, 5136) can detect ongoing attacks.
  10. Strong, uncompromised passwords and strict password policies significantly mitigate AS-REP Roasting risks.

TAKEAWAYS:

  1. Enforce Kerberos pre-authentication on Active Directory accounts to prevent AS-REP Roasting.
  2. Monitor and log key Windows security events to detect malicious activity promptly.
  3. Limit privileges and isolate accounts that must bypass Kerberos pre-authentication.
  4. Implement robust, compliant password policies to protect accounts against brute-force attacks.
  5. Regularly audit passwords against breached databases to maintain security and compliance.

Rapid7 Q1 2025 Incident Response Findings

Source: Rapid7 Cybersecurity Blog

Author: Chris Boyd

URL: https://www.rapid7.com/blog/post/2025/06/04/rapid7-q1-2025-incident-response-findings/

ONE SENTENCE SUMMARY:

Rapid7’s Q1 2025 report highlights stolen credentials without MFA as the top initial access vector, widespread BunnyLoader malware, and targeted ransomware attacks primarily affecting manufacturing.

MAIN POINTS:

  1. Stolen credentials without MFA remain the leading initial access vector, causing 56% of incidents.
  2. Exposed RDP services were the initial access vector in 6% but exploited further in 44% of incidents.
  3. Vulnerability CVE-2024-55591 in Fortinet appliances widely exploited, enabling attacker control and data exfiltration.
  4. Exploited SimpleHelp RMM vulnerabilities (CVE-2024-57726/57727/57728) facilitated ransomware deployment.
  5. SEO poisoning via sponsored search ads led directly to malware downloads and ransomware attacks.
  6. BunnyLoader malware observed in 40% of incidents, prevalent across nearly all industries.
  7. Fake CAPTCHA attacks accounted for half of BunnyLoader malware deployments.
  8. Manufacturing was the most targeted industry, involved in over 24% of incidents.
  9. Qilin ransomware group actively targeted healthcare, manufacturing, financial sectors through double-extortion attacks.
  10. Attackers frequently disabled security tools and backups to prevent recovery post-compromise.

TAKEAWAYS:

  1. Implementing MFA remains critical, as attackers consistently exploit unprotected valid credentials.
  2. Organizations must secure exposed RDP and RMM tooling to prevent ransomware infections.
  3. Be cautious of sponsored search results to avoid SEO poisoning and malware downloads.
  4. Strengthen defenses against BunnyLoader malware, particularly fake CAPTCHA and compromised sites.
  5. Manufacturing organizations should prioritize securing legacy systems and complex supply chains.