Securing Entra ID Administration: Tier 0

Source: TrustedSec

Author: Sean Metcalf

URL: https://trustedsec.com/blog/securing-entra-id-administration-tier-0

ONE SENTENCE SUMMARY:

Entra ID is vital for Microsoft 365’s directory and authentication services, making its security crucial for organizational safety.

MAIN POINTS:

  1. Entra ID is the primary directory service for Microsoft 365 applications.
  2. It offers essential authentication services ensuring secure access.
  3. Effective security measures are crucial for protecting organizational data.
  4. Strong authentication protocols safeguard against unauthorized access.
  5. Organizations rely heavily on Entra ID for daily operations.
  6. Ensures seamless integration with Microsoft cloud services.
  7. Enhances user identity management across multiple platforms.
  8. Simplifies access management for various enterprise applications.
  9. Provides multi-factor authentication to enhance security.
  10. Continuously updated to address evolving security threats.

TAKEAWAYS:

  1. Entra ID is fundamental for Microsoft 365 security and operations.
  2. Ensuring Entra ID security protects critical organizational assets.
  3. Multi-factor authentication is key in defense strategies.
  4. Seamless integration with Microsoft services enhances productivity.
  5. Regular updates help mitigate emerging security threats.

Windows shortcut weaponized in Phorpiex-linked ransomware campaign

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4130019/windows-shortcut-weaponized-in-phorpiex-linked-ransomware-campaign.html

ONE SENTENCE SUMMARY:

A large phishing campaign distributes Global Group ransomware via weaponized Windows shortcut files, exploiting Phorpiex for massive email spam delivery.

MAIN POINTS:

  1. Phorpiex botnet aids a phishing campaign deploying Global Group ransomware.
  2. Campaign uses LNK files disguised as documents to fool users.
  3. No external C2 infrastructure used; payload executes locally.
  4. Shortcut files leverage Windows utilities for payload retrieval.
  5. Email lure subjects appear as “Your Document” to deceive recipients.
  6. Phorpiex functions as distribution layer, sending phishing emails.
  7. Global Group ransomware operates entirely offline without network communication.
  8. Uses “ChaCha20-Poly1305” algorithm to encrypt and append file extensions.
  9. Drops ransom note with anonymized contact instructions.
  10. Offline execution enhances evasion of network-based detection tools.

TAKEAWAYS:

  1. Attackers exploit common file types for minimal access friction.
  2. Campaign highlights the effectiveness of long-standing malware families like Phorpiex.
  3. Offline ransomware design limits detection opportunities.
  4. Emphasis on endpoint behavior monitoring over network activity.
  5. Trend towards self-contained ransomware increases detection challenges.

OpenClaw integrates VirusTotal malware scanning as security firms flag enterprise risks

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4129393/openclaw-integrates-virustotal-malware-scanning-as-security-firms-flag-enterprise-risks.html

ONE SENTENCE SUMMARY:

OpenClaw integrates VirusTotal malware scanning to enhance security amid reports of misuse and vulnerabilities in its AI platform.

MAIN POINTS:

  1. OpenClaw integrates VirusTotal scanning to its ClawHub marketplace.
  2. Published skills are scanned for malware before download approval.
  3. Skills marked suspicious trigger warnings; malicious ones are blocked.
  4. VirusTotal’s Code Insight analyzes skill packages for malicious behavior.
  5. ClawHavoc campaign exposed security vulnerabilities in cryptocurrency tools and YouTube utilities.
  6. OpenClaw criticized for being an “unacceptable cybersecurity liability.”
  7. Increased unauthorized enterprise deployments raise security concerns.
  8. The malware scanning integration addresses but does not eliminate risks.
  9. Main threats include prompt injection and logic abuse.
  10. OpenClaw plans a comprehensive security initiative to improve platform trust.

TAKEAWAYS:

  1. VirusTotal integration is crucial but not a complete security solution.
  2. Existing threats include prompt injection and misuse of tools.
  3. OpenClaw’s popularity poses increased risks for enterprises.
  4. A comprehensive security roadmap is in development.
  5. Greater governance and technical controls are essential for safety.

Bug Hunting With LLMs: Expert Tool Seeks More ‘True’ Flaws

Source: BankInfoSecurity.com RSS Syndication

Author: unknown

URL: https://www.bankinfosecurity.com/bug-hunting-llms-expert-tool-seeks-more-true-flaws-a-30696

ONE SENTENCE SUMMARY:

Vulnhalla, an AI-driven tool, reduces false positives in bug hunting, aiding software developers in identifying true security vulnerabilities.

MAIN POINTS:

  1. Vulnhalla uses AI and LLMs for improved bug hunting in software development.
  2. It promises up to a 96% reduction in false positives.
  3. Developed by CyberArk Labs, it uses “guided questioning” for efficient analysis.
  4. Works with GitHub code repositories and CodeQL databases.
  5. Early results show significant reduction in false positives, improving static analysis.
  6. Strict and non-strict modes balance between reducing false positives and finding true ones.
  7. Initially works with C and C++ code, with plans for expansion to other languages.
  8. Aims to alleviate the manual review burden of static code analysis.
  9. Uses an $80 budget and two days to find flaws in widely used tools.
  10. The main challenges addressed are context and focus in vulnerability identification.

TAKEAWAYS:

  1. Vulnhalla effectively combines AI with code analysis to reduce false positives.
  2. “Guided questioning” significantly enhances the identification process.
  3. Strict and non-strict modes offer customization based on user needs.
  4. Current development focuses on C and C++ with plans for future language compatibility.
  5. AI-enhanced tools like Vulnhalla support quick and accurate vulnerability detection.

They Got In Through SonicWall. Then They Tried to Kill Every Security Tool

Source: Huntress Blog

Author: unknown

URL: https://www.huntress.com/blog/encase-byovd-edr-killer

ONE SENTENCE SUMMARY:

In February 2026, hackers exploited SonicWall VPN credentials and a revoked EnCase driver to disable security, evading detection.

MAIN POINTS:

  1. Attackers used compromised SonicWall VPN credentials for initial network access.
  2. A revoked Guidance Software forensic driver was abused to disable security processes.
  3. Windows still loads drivers signed with expired certificates, revealing a gap in Driver Signature Enforcement.
  4. Huntress detected and disrupted the attack before ransomware deployment.
  5. Analysis involved SonicWall telemetry and VPN authentication logs.
  6. EDR killer masquerades as a firmware update utility using a wordlist encoding scheme.
  7. Attack bypassed security by using a kernel-mode driver with IOCTL interface.
  8. The compromised driver allows process termination from kernel mode.
  9. Microsoft’s Vulnerable Driver Blocklist is reactive, not preventative.
  10. Recommendations include enabling MFA, HVCI, and adopting Microsoft’s driver block rules.

TAKEAWAYS:

  1. BYOVD attacks are increasingly common for bypassing security measures.
  2. Expired and revoked certificates still pose significant security risks.
  3. Precise monitoring of VPN logs can help detect suspicious activities.
  4. Proactive security measures like MFA are crucial to prevent initial access.
  5. Continuous updates and vigilance are needed to address vulnerabilities promptly.

Zero trust in practice: A deep technical dive into going fully passwordless in hybrid enterprise environments

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4126694/zero-trust-in-practice-a-deep-technical-dive-into-going-fully-passwordless-in-hybrid-enterprise-environments.html

ONE SENTENCE SUMMARY:

Transitioning to a passwordless environment in hybrid infrastructures demands extensive planning, foundational adjustments, and a commitment to security principles.

MAIN POINTS:

  1. Passwordless migration removes credentials, complicates phishing, and shifts security from prevention to an assumption of breach.
  2. Successful migration requires rethinking identity architecture, not merely replacing authentication methods.
  3. Essential prerequisites include cloud Kerberos trust, device registration, and enforced Conditional Access policies.
  4. Cloud Kerberos is critical for hybrid authentication, bridging on-premises and cloud identity.
  5. Devices must be Azure AD joined and compliant with security policies for passwordless sign-in.
  6. Conditional Access policies enforce Zero Trust, ensuring continuous verification and explicit access grants.
  7. Architectural choices include Windows Hello for Business, FIDO2 keys, and handling legacy applications.
  8. A phased migration approach is recommended, starting with a pilot group and expanding organization-wide.
  9. Device compliance and connectivity are common troubleshooting areas requiring proactive planning.
  10. Embracing the passwordless shift demands ongoing updates and refinement of security policies.

TAKEAWAYS:

  1. Transition to passwordless requires rethinking identity verification across infrastructure layers.
  2. Ensuring all prerequisites are met is crucial for migration success.
  3. Windows Hello for Business and FIDO2 keys are foundational to secure authentication.
  4. Phased rollout improves user adaptation and troubleshooting efficiency.
  5. Ongoing commitment to policy updates and architecture refinement sustains a secure passwordless environment.

MCP in Burp Suite: From Enumeration to Targeted Exploitation

Source: TrustedSec

Author: Drew Kirkpatrick

URL: https://trustedsec.com/blog/mcp-in-burp-suite-from-enumeration-to-targeted-exploitation

ONE SENTENCE SUMMARY:

The MCP-ASD Burp extension is submitted for BApp Store approval, aiding integration with AI through MCP servers.

MAIN POINTS:

  1. MCP-ASD Burp extension submitted to BApp Store.
  2. Awaiting BApp Store approval.
  3. MCP stands for Model Context Protocol.
  4. MCP servers are increasingly common.
  5. Ease of integration with AI systems.
  6. Submission aimed at enhancing server compatibility.
  7. MCP aids in protocol standardization.
  8. Facilitates interaction between AI and systems.
  9. Offers improvements in AI system integration.
  10. Submission signals growth in MCP usage.

TAKEAWAYS:

  1. MCP enhances AI integration.
  2. Standardized protocols are crucial for AI growth.
  3. BApp Store approval is pending.
  4. MCP-ASD Burp extension aids compatibility.
  5. Growing prevalence of MCP servers.

Wave of Citrix NetScaler scans use thousands of residential proxies

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/wave-of-citrix-netscaler-scans-use-thousands-of-residential-proxies/

ONE SENTENCE SUMMARY:

A coordinated reconnaissance campaign targeted Citrix NetScaler using proxies to discover login panels, indicating organized pre-exploitation mapping efforts.

MAIN POINTS:

  1. Tens of thousands of residential proxies targeted Citrix NetScaler infrastructure to find login panels from January 28-February 2.
  2. Activity involved over 63,000 IPs launching 111,834 sessions, mostly targeting Citrix Gateway honeypots.
  3. 64% of traffic originated from residential proxies, appearing as legitimate ISP traffic.
  4. The scanning points to version-specific exploit development, with a focus on Citrix ADC weaknesses.
  5. Most active reconnaissance generated 109,942 sessions targeting ‘/logon/LogonPoint/index.html’.
  6. A focused six-hour activity launched 1,892 sessions to enumerate Citrix versions via EPA artifacts.
  7. Attackers used an outdated Chrome 50 user agent indicating potential version-specific interest.
  8. Recent critical Citrix vulnerabilities include CVE-2025-5777 (‘CitrixBleed 2’) and CVE-2025-5775.
  9. Detection opportunities include monitoring outdated browser fingerprints and unauthorized access attempts.
  10. Recommendations include reviewing necessity of internet-facing Citrix Gateways and restricting /epa/scripts/ access.

TAKEAWAYS:

  1. Attackers use residential proxies to evade reputation-based filters during reconnaissance.
  2. The reconnaissance focuses on specific product weaknesses, pointing to potential exploit development.
  3. Monitor for unusual access patterns and outdated browser fingerprints.
  4. Restrict unnecessary internet exposure of Citrix systems to reduce vulnerabilities.
  5. Employ automated workflows to handle modern IT infrastructure pace efficiently.

AI Agent Identity Management: A New Security Control Plane for CISOs

Source: BleepingComputer

Author: Sponsored by Token Security

URL: https://www.bleepingcomputer.com/news/security/ai-agent-identity-management-a-new-security-control-plane-for-cisos/

ONE SENTENCE SUMMARY:

AI agents rapidly proliferate in enterprises, challenging traditional identity controls and necessitating adaptive lifecycle management for security.

MAIN POINTS:

  1. Traditional identity management systems struggle to handle autonomous AI agents.
  2. AI agents blur lines between human and machine identities, impacting security.
  3. Lack of visibility leads to unmanaged AI agents creating security risks.
  4. AI agents often possess over-privileged access without governance.
  5. Continuous discovery of AI agents is crucial for identity control.
  6. Effective lifecycle management addresses AI agents’ dynamic nature.
  7. Ownership and accountability are essential for managing AI identities.
  8. Dynamic least privilege principles are needed for AI agent permissions.
  9. Traceability and identity context are critical for compliance and forensics.
  10. AI agents highlight the need for identity as a control plane for security.

TAKEAWAYS:

  1. AI identity governance must be adaptive and continuous.
  2. Unmanaged AI agents create significant security and compliance risks.
  3. Visibility and accountability are foundational for AI identity management.
  4. Lifecycle management ensures AI identities remain secure and manageable.
  5. AI security demands dynamic, traceable, and principle-based identity controls.

GitHub – ArangoGutierrez/agent-identity-protocol: Agent Identity Protocol – Zero-trust security layer for AI agents. Policy enforcement proxy for MCP with Human-in-the-Loop approval, DLP scanning, and audit logging.

Source: GitHub

Author: dependabot[bot]

URL: https://github.com/ArangoGutierrez/agent-identity-protocol

ONE SENTENCE SUMMARY:

AIP provides a zero-trust identity layer for AI agents, enhancing security by enforcing policy-based authorization and blocking unauthorized actions.

MAIN POINTS:

  1. AI agents often have unrestricted access to infrastructure, creating security vulnerabilities.
  2. AIP addresses vulnerabilities like Indirect Prompt Injection by introducing policy-based authorization.
  3. It acts as a transparent proxy, filtering tool calls through a policy engine.
  4. AIP intercepts and blocks dangerous operations before reaching the tools.
  5. Features include egress filtering, DLP redaction, and immutable JSONL logs.
  6. It complements workforce AI governance by focusing on agent action authorization.
  7. AIP uses YAML policy files for action-level granularity.
  8. OAuth and AIP serve different audiences and purposes in authorization.
  9. Zero-trust authorization ensures requests are blocked and logged before infrastructure access.
  10. AIP is an open specification, inviting community feedback and development.

TAKEAWAYS:

  1. AIP enhances AI agent security with policy-based authorization.
  2. Blocks unauthorized actions, preventing potential security breaches.
  3. Provides detailed audit logs for forensic analysis.
  4. Offers an open specification for community contribution.
  5. Complements workforce AI governance with distinct functions.

Mandiant details how ShinyHunters abuse SSO to steal cloud data

Source: BleepingComputer

Author: Lawrence Abrams

URL: https://www.bleepingcomputer.com/news/security/mandiant-details-how-shinyhunters-abuse-sso-to-steal-cloud-data/

ONE SENTENCE SUMMARY:

Mandiant reports ShinyHunters using advanced phishing and vishing tactics to steal SSO credentials, leading to widespread data theft.

MAIN POINTS:

  1. ShinyHunters employs voice phishing to impersonate IT staff and target MFA details.
  2. Phishing sites mimic company login portals to steal credentials and MFA codes.
  3. Attackers use advanced kits to interact with victims, guiding them through MFA challenges.
  4. Access to SSO dashboards allows exploitation of multiple SaaS services.
  5. ShinyHunters and affiliates confirmed involvement and launched a data-leak site.
  6. UNC6661, UNC6671, and UNC6240 clusters tracked by Mandiant, highlighting attack patterns.
  7. Phishing domains impersonate corporate identities, supporting data theft and extortion.
  8. Threat actors use compromised SSO sessions to steal sensitive cloud data.
  9. Mandiant shares behavior detection tips and hardening recommendations for organizations.
  10. The report emphasizes emerging security trends and priorities for leaders into 2026.

TAKEAWAYS:

  1. Vishing and phishing remain critical threat vectors for stealing credentials.
  2. Centralized SSO access is a significant risk for data exploitation.
  3. Organizations must strengthen MFA and monitor for unusual account activities.
  4. Collaborative efforts are necessary to counteract sophisticated phishing attacks.
  5. Security hardening and logging practices are essential for proactive defense.

Zero Trust in the Cloud: Designing Security Assurance at the Control Plane

Source: Cloud Security Alliance

Author: unknown

URL: https://cloudsecurityalliance.org/articles/zero-trust-in-the-cloud-designing-security-assurance-at-the-control-plane

ONE SENTENCE SUMMARY:

Cloud systems now prioritize control plane security for Zero Trust, emphasizing design-time security assurance, policy governance, and continuous validation.

MAIN POINTS:

  1. Cloud systems are designed with policies and automation, shifting risks away from traditional runtime exploits.
  2. Three planes of cloud systems: management, control, and data, with Zero Trust focusing on the control plane.
  3. The control plane governs cloud resources using APIs, policies, and automation, redefining the security perimeter.
  4. Attackers target the control plane for large-scale infrastructure manipulation and policy alteration.
  5. Zero Trust in the cloud treats the control plane as the primary security boundary.
  6. Cloud Security Alliance frameworks emphasize design-time security assurance through identity and policy.
  7. CSA Cloud Controls Matrix and Secure Cloud Control Framework support control plane-focused security design.
  8. Security assurance should be defined at design time, not inferred from runtime or network location.
  9. Workload identities require narrow scope and least privilege permissions for limited timeframes.
  10. Continuous verification and telemetry confirm alignment with intended security architecture and policy compliance.

TAKEAWAYS:

  1. Redesign cloud security by prioritizing the control plane for Zero Trust architecture.
  2. Define and enforce security assurance and access policies at design time.
  3. Control plane acts as the primary security boundary, governing access and policies.
  4. Continuous validation through telemetry ensures ongoing alignment with security intentions.
  5. Support frameworks emphasize identity and policy as foundational controls for cloud environments.

Security teams are carrying more tools with less confidence

Source: Help Net Security

Author: Anamarija Pogorelec

URL: https://www.helpnetsecurity.com/2026/01/30/security-operations-tooling-confidence/

ONE SENTENCE SUMMARY:

Hybrid and multi-cloud environments challenge security leaders with tooling inadequacies, staffing strain, and operational alignment, driving automation and AI adoption.

MAIN POINTS:

  1. Hybrid and multi-cloud setups lead to increased logs and operational data.
  2. Security tooling inadequately supports modern application environments like microservices and cloud-native architectures.
  3. Cloud adoption and application complexity drive changes in security tooling.
  4. Confidence in SIEM performance is mixed with scalability concerns.
  5. Staffing limitations challenge security operations, affecting alert management efficiency.
  6. Automation is common, with AI usage concentrated in threat detection.
  7. Tool sprawl creates cost and operational inefficiencies within security teams.
  8. Siloed tools hinder threat analysis and response efforts.
  9. Security and DevOps teams struggle with workflow and tool ownership alignment.
  10. Stronger security and DevOps alignment improves tooling satisfaction and confidence.

TAKEAWAYS:

  1. Tooling inadequacies hamper alignment with dynamic application environments.
  2. Automation and AI reduce alert fatigue but are limited in scope.
  3. Tool sprawl increases operational costs and complicates threat analysis.
  4. Staffing constraints lead to operational strain and elongated investigation cycles.
  5. Strong security-DevOps alignment enhances tooling effectiveness and operational confidence.

ROC vs. CTEM: How a Risk Operations Center Evolves Beyond Continuous Threat Exposure Management in 2026

Source: Qualys Security Blog

Author: Lisa Bilawski

URL: https://blog.qualys.com/qualys-insights/2026/01/30/roc-vs-ctem-how-a-risk-operations-center-evolves-beyond-continuous-threat-exposure-management-in-2026

ONE SENTENCE SUMMARY:

A Risk Operations Center (ROC) centralizes cyber risk management, enhancing Continuous Threat Exposure Management (CTEM) with AI-driven real-time prioritization and automation.

MAIN POINTS:

  1. ROC centralizes cyber risk management with real-time insights and business alignment.
  2. CTEM is a five-step framework for proactive threat exposure management.
  3. ROC integrates data from security, IT, and compliance for a unified view.
  4. Agentic AI enables autonomous threat detection and response in ROC.
  5. CTEM outlines risk reduction strategies; ROC decides if risks are actionable.
  6. A ROC provides detailed financial risk quantification for business decisions.
  7. ROC enhances CTEM by automating workflows and compliance monitoring.
  8. Cross-functional data sharing in ROC supports unified decision-making.
  9. A ROC updates and prioritizes risk responses in real time.
  10. CTEM’s structured approach is operationalized by ROC’s real-time execution.

TAKEAWAYS:

  1. ROC adds operational power to CTEM with real-time decision-making and automation.
  2. Agentic AI enhances cybersecurity through continuous monitoring and rapid response.
  3. ROC integrates business, security, and compliance for holistic risk management.
  4. Financial quantification in ROC aligns security strategies with business objectives.
  5. A ROC fosters cross-functional collaboration, breaking down data silos.

Conditional Access enforcement change coming to Microsoft Entra

Source: Help Net Security

Author: Sinisa Markovic

URL: https://www.helpnetsecurity.com/2026/01/29/microsoft-entra-conditional-access-policy-enforcement/

ONE SENTENCE SUMMARY:

Microsoft will enforce Conditional Access policies for all resources, affecting certain client applications, starting March 2026.

MAIN POINTS:

  1. Enforcement change begins March 27, 2026, with rollout through June 2026.
  2. Affects sign-ins via client apps requesting only OIDC or limited directory scopes.
  3. Enforced during sign-in even with resource exclusions in policies.
  4. Users may receive Conditional Access challenges like MFA or device compliance.
  5. Enforcement depends on access controls configured in target policies.
  6. Applies to tenants with policies that target all resources and include resource exclusions.
  7. Tenants lacking this specific policy configuration remain unaffected.
  8. Swaroop Krishnamurthy provided details on this change.
  9. Azure AD Graph explicitly mentioned as a target resource.
  10. Change aims to enhance security measures across Microsoft Entra.

TAKEAWAYS:

  1. Prepare for enforcement changes starting March 2026.
  2. Review Conditional Access policies with resource exclusions.
  3. Anticipate increased security challenges during sign-ins.
  4. Understand impact on client apps with specific scope requests.
  5. Monitor updates and adapt policies as needed for compliance.

CISA Adds Actively Exploited VMware vCenter Flaw CVE-2024-37079 to KEV Catalog

Source: The Hacker News

Author: The Hacker News

URL: https://thehackernews.com/2026/01/cisa-adds-actively-exploited-vmware.html

ONE SENTENCE SUMMARY:

CISA added a critical VMware vCenter Server security flaw to its KEV catalog due to active exploitation evidence.

MAIN POINTS:

  1. CISA listed VMware vCenter Server flaw CVE-2024-37079 as exploited.
  2. The flaw allows remote code execution via DCE/RPC protocol heap overflow.
  3. Broadcom patched CVE-2024-37079 and CVE-2024-37080 in June 2024.
  4. QiAnXin LegendSec researchers identified four related vulnerabilities.
  5. Two other flaws, CVE-2024-38812 and CVE-2024-38813, fixed in September 2024.
  6. One vulnerability can be combined with privilege escalation for root access.
  7. It’s unclear who exploits CVE-2024-37079 or the attack scale.
  8. Broadcom confirmed in-the-wild abuse of CVE-2024-37079.
  9. Agencies must update to the latest version by February 13, 2026.
  10. Security flaw poses serious risks to vCenter Server environments.

TAKEAWAYS:

  1. Keeping software updated is critical due to active exploitation.
  2. Awareness of vulnerability details can mitigate potential risks.
  3. Collaboration between companies and researchers improves security.
  4. Rapid response to patches reduces exposure to threats.
  5. Agencies should prioritize timely updates for optimal protection.

Microsoft updates the security baseline for Microsoft 365 Apps for enterprise

Source: Help Net Security

Author: Anamarija Pogorelec

URL: https://www.helpnetsecurity.com/2026/01/22/microsoft-365-security-baseline-2512/

ONE SENTENCE SUMMARY:

Microsoft’s v2512 security baseline for Microsoft 365 Apps offers recommended policy settings to enhance enterprise security across Office applications.

MAIN POINTS:

  1. Version 2512 covers Word, Excel, PowerPoint, Outlook, and Access.
  2. Includes controls for macros, add-ins, ActiveX, Protected View, and updates.
  3. Aligns with Group Policy and Microsoft Intune for enterprise workflows.
  4. Provides descriptions and recommended values for each setting.
  5. Updates align with current Microsoft 365 Apps versions and recent releases.
  6. Documents reflect changes in policy availability and naming.
  7. Highlights shifts in administrative templates compared to earlier baselines.
  8. Baselines aid in hardening enterprise environments by identifying inconsistencies.
  9. Organizations can test and implement recommendations via Intune or Group Policy.
  10. Available through Microsoft Security Compliance Toolkit for download and testing.

TAKEAWAYS:

  1. Enhances enterprise security by standardizing Office application settings.
  2. Supports alignment with current Microsoft 365 versions and updates.
  3. Offers clear documentation for administrators to adjust configurations.
  4. Facilitates testing in controlled environments before deployment.
  5. Accessible through Microsoft Security Compliance Toolkit for easy implementation.

Defender Timeline Downloader: Extending Data Retention for Incident Response

Source: www.binaryanalys.is

Author: Matthieu Gras

URL: https://binaryanalys.is/posts/defender_timeline/

ONE SENTENCE SUMMARY:

A new tool automates full six-month data retrieval from Microsoft Defender for Endpoint, overcoming manual limitations and API restrictions.

MAIN POINTS:

  1. Microsoft Defender for Endpoint retains telemetry data for 180 days.
  2. API access is limited to 30 days, restricting programmatic investigations.
  3. The Timeline in the portal accesses older data but lacks API support.
  4. Exporting from the UI is limited to specific intervals and formats.
  5. A tool was developed to automate data extraction, bypassing the 30-day limit.
  6. It interacts with hidden proxy endpoints and authenticates via cookies.
  7. Reverse engineering enables complete, structured JSON log retrieval.
  8. The tool uses concurrency to efficiently handle large data volumes.
  9. A high-concurrency architecture optimizes download speed.
  10. Performance benchmarks demonstrate significant efficiency gains over existing methods.

TAKEAWAYS:

  1. The tool provides automated access to six-month endpoint data, overcoming API limits.
  2. By using proxy endpoints, it captures complete data sets not available through UI exports.
  3. Authentication complexities are handled with advanced session management.
  4. The high-concurrency design ensures fast, scalable data processing.
  5. Available open source on GitHub for use and adaptation in incident response.

Bandit: Open-source tool designed to find security issues in Python code

Source: Help Net Security

Author: Sinisa Markovic

URL: https://www.helpnetsecurity.com/2026/01/21/bandit-open-source-tool-find-security-issues-python-code/

ONE SENTENCE SUMMARY:

Bandit is an open-source tool that scans Python code for security issues, helping developers identify and address potential vulnerabilities.

MAIN POINTS:

  1. Bandit scans Python source code to detect security issues.
  2. It checks code against security-focused rules to identify risks.
  3. Detects issues like unsafe function use, weak cryptography, and hard-coded passwords.
  4. Each finding includes severity and confidence for prioritization.
  5. Commonly run from the command line on code repositories.
  6. Configuration is defined alongside code, often in config files.
  7. Findings can be suppressed with inline comments for accepted risks.
  8. Supports baseline reports to track findings over time.
  9. Severity and confidence thresholds assist in prioritizing findings.
  10. Maintained by PyCQA, focusing on stability and compatibility.

TAKEAWAYS:

  1. Bandit is essential for early security issue detection in Python projects.
  2. Customizable rules and configurations support automated security checks.
  3. Inline comments and baselines help manage long-term security risks.
  4. Severity and confidence metrics guide issue prioritization.
  5. Freely available on GitHub, maintained by the PyCQA community.

Mandiant pushes organizations to dump insecure NTLMv1 by releasing a way to crack it

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4118800/mandiant-pushes-organizations-to-dump-insecure-ntlmv1-by-releasing-a-way-to-crack-it.html

ONE SENTENCE SUMMARY:

Google’s Mandiant releases a tool highlighting NTLMv1’s insecurity, urging organizations to abandon this outdated authentication protocol.

MAIN POINTS:

  1. Mandiant aims to expose NTLMv1’s insecurity through a data lookup tool.
  2. NTLMv1, despite being outdated, remains used due to organizational inertia.
  3. Mandiant’s rainbow table allows swift NTLMv1 key recovery.
  4. NTLMv1’s vulnerability is highlighted by recent cyberattacks.
  5. Organizations often overlook NTLMv1’s presence in legacy systems.
  6. Legacy applications still use NTLMv1, and organizations fear operational disruptions if it is removed.
  7. NTLMv1 often lurks in obsolete third-party firmware.
  8. Attacks target NTLMv1 using techniques like relay attacks.
  9. Microsoft has recommended upgrading from NTLMv1 for decades.
  10. Proactive scanning and removal of NTLMv1 is crucial for security.

TAKEAWAYS:

  1. Organizations must prioritize removing NTLMv1 to enhance security.
  2. Legacy systems can harbor hidden vulnerabilities like NTLMv1.
  3. Awareness of NTLMv1’s presence is critical for security measures.
  4. Mandiant’s tool serves as a wake-up call for cybersecurity risks.
  5. Updating to modern protocols is essential despite potential operational fears.

Palo Alto Networks warns of DoS bug letting hackers disable firewalls

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-dos-bug-letting-hackers-disable-firewalls/

ONE SENTENCE SUMMARY:

Palo Alto Networks fixed a high-severity vulnerability affecting firewalls, advising upgrades to prevent potential denial-of-service attacks.

MAIN POINTS:

  1. A high-severity vulnerability (CVE-2026-0227) affects next-gen firewalls with GlobalProtect enabled.
  2. Vulnerability allows unauthenticated attackers to perform denial-of-service (DoS) attacks.
  3. Most cloud-based Prisma Access instances have been patched, with updates ongoing for the remaining systems.
  4. Nearly 6,000 firewalls are exposed online, with some configurations potentially still vulnerable.
  5. No current evidence of the vulnerability being exploited in attacks.
  6. Security updates have been released, and admins are advised to upgrade to the latest versions.
  7. Suggested upgrades for PAN-OS and Prisma Access versions ensure system security.
  8. Palo Alto Networks firewalls have been previously targeted using zero-day vulnerabilities.
  9. Recent threats include automated campaigns targeting GlobalProtect portals with brute-force attempts.
  10. Palo Alto products are widely used by major U.S. banks and Fortune 10 companies.

TAKEAWAYS:

  1. Ensure firewalls are updated to the recommended software versions promptly.
  2. Monitor for ongoing threats targeting Palo Alto Networks’ products.
  3. Recognize the critical importance of regular security updates.
  4. Large enterprises and banks heavily rely on Palo Alto Networks’ security solutions.
  5. GlobalProtect portals remain a common target for cyberattacks.

Microsoft’s January 2026 Patch Tuesday Addresses 113 CVEs (CVE-2026-20805)

Source: Tenable Blog

Author: Research Special Operations

URL: https://www.tenable.com/blog/microsofts-january-2026-patch-tuesday-addresses-113-cves-cve-2026-20805

ONE SENTENCE SUMMARY:

Microsoft’s January 2026 Patch Tuesday addressed 113 CVEs, including two zero-days, with significant vulnerabilities in Office and NTFS.

MAIN POINTS:

  1. Patched 113 CVEs, with 8 critical and 105 important.
  2. Two zero-day vulnerabilities, one already exploited.
  3. Multiple critical RCE vulnerabilities in Microsoft Office.
  4. Key vulnerabilities found in NTFS affecting code execution.
  5. Secure Boot certificate expiration poses security threats.
  6. Many vulnerabilities involve elevation of privilege and remote code execution.
  7. Exploitation via the Preview Pane in Office doesn’t require opening the file.
  8. Specific CVEs include CVE-2026-20805 and CVE-2026-20952/53.
  9. Important components patched include Windows, Azure, and SQL Server.
  10. Tenable recommends prompt patching and vulnerability scanning.

TAKEAWAYS:

  1. Prioritize patching critical and exploited vulnerabilities.
  2. Monitor Secure Boot certificate expirations for security maintenance.
  3. Be aware of Office vulnerabilities exploiting Preview Pane.
  4. Ensure comprehensive vulnerability assessments and updates.
  5. Engage with cyber threat discussions for ongoing security awareness.

What’s on your clipboard?

Source: Windows Incident Response

Author: Unknown

URL: http://windowsir.blogspot.com/2026/01/whats-on-your-clipboard.html

ONE SENTENCE SUMMARY:

Windows clipboard poses significant data security risks through potential malware exploitation in clipboard history and synchronization across devices.

MAIN POINTS:

  1. Clipboard exploitation by malware is a common tactic in Windows systems for data exfiltration.
  2. Infostealers can dump clipboard contents; some malware replaces Bitcoin wallet addresses.
  3. Early DF/IR practices didn’t prioritize clipboard data collection.
  4. The MITRE ATT&CK framework now includes the Clipboard Data technique (T1115).
  5. The ClipboardHistoryThief tool reveals clipboard history, increasing attack surface.
  6. Clipboard history enables potential automated data collection by attackers.
  7. Regular clipboard audits can help mitigate data exfiltration risks.
  8. Clipboard history settings and sync options must be reviewed, especially against corporate policies.
  9. Potential sync across devices heightens security concerns regarding data transfer.
  10. Insider threats can exploit clipboard sync to exfiltrate data easily.

TAKEAWAYS:

  1. Prioritize clipboard data in DF/IR engagements due to evolving malware tactics.
  2. Regularly audit system settings for clipboard history and synchronization options.
  3. Understand the implications of clipboard automation for data exfiltration.
  4. Incorporate clipboard monitoring in incident analysis and endpoint audits.
  5. Be vigilant about clipboard-sync settings for potential insider threats.

How OffSec Maps Cybersecurity Training to Industry Frameworks

Source: OffSec

Author: OffSec Team

URL: https://www.offsec.com/blog/nist-nice-mitre/

ONE SENTENCE SUMMARY:

Aligning cybersecurity training with frameworks like MITRE ATT&CK, D3FEND, and NICE/NIST enhances structure, consistency, and relevant skill development.

MAIN POINTS:

  1. Cybersecurity teams rely on shared models and frameworks for effective operations.
  2. Framework alignment helps connect hands-on skills with daily cyber systems.
  3. Frameworks clarify team learning priorities and real job role applications.
  4. Consistent framework language aids communication across the industry.
  5. MITRE ATT&CK details adversary behaviors and supports defensive modeling.
  6. MITRE D3FEND focuses on defensive countermeasures and real-world application.
  7. NICE/NIST outlines roles, responsibilities, and required skills for cybersecurity jobs.
  8. OffSec training maps skills directly to framework-aligned learning paths.
  9. Frameworks facilitate the creation of specific development plans for roles.
  10. Structured training helps cybersecurity teams think, communicate, and operate effectively.

TAKEAWAYS:

  1. Frameworks bring order to chaotic cybersecurity work.
  2. Aligning training with frameworks makes skill translation practical and measurable.
  3. OffSec’s courses directly connect teaching with industry standards.
  4. Universal frameworks enhance cross-industry communication and collaboration.
  5. Training alignment removes ambiguity in skill and role expectations.