Tag: Cyber Security

An international operation coordinated by Europol has disrupted the infrastructure of a pro-Russian hacktivist group known as NoName057(16) that has been linked to a string of distributed denial-of-service (DDoS) attacks against Ukraine and its allies.

The actions have led to the dismantling of a major part of the group’s central server infrastructure and more than 100 systems across the world. The joint effort also included two arrests in France and Spain, searches of two dozen homes in Spain, Italy, Germany, the Czech Republic, France and Poland, and the issuance of arrest warrants for six Russian nationals.

The effort, codenamed Operation Eastwood, took place between July 14 and 17, and involved authorities from Czechia, France, Finland, Germany, Italy, Lithuania, Poland, Spain, Sweden, Switzerland, the Netherlands, and the United States. The investigation was also supported by Belgium, Canada, Estonia, Denmark, Latvia, Romania and Ukraine.

NoName057(16) has been operational since March 2022, acting as a pro-Kremlin collective that mobilizes ideologically motivated sympathizers on Telegram to launch DDoS attacks against websites using a special program called DDoSia in exchange for a cryptocurrency payment in an effort to keep them incentivized. It sprang up shortly after Russia’s invasion of Ukraine.

Five individuals from Russia have been added to the E.U. Most Wanted list for allegedly supporting NoName57(16) –

• Andrey Muravyov (aka DaZBastaDraw)
• Maxim Nikolaevich Lupin (aka s3rmax)
• Olga Evstratova (aka olechochek, olenka)
• Mihail Evgeyevich Burlakov (aka Ddosator3000, darkklogo)
• Andrej Stanislavovich Avrosimow (aka ponyaska)

“BURLAKOV is suspected of being a central member of the group ‘NoName057(16)’ and as such of having made a significant contribution to performing DDoS attacks on various institutions in Germany and other countries,” according to a description posted on the Most Wanted fugitives site.

“In particular, he is suspected of assuming a leading role within the group under the pseudonym ‘darkklogo’ and in this role of having taken decisions including on the development and further optimisation of software for the strategic identification of targets and for developing the attack software, as well as having executed payments relating to renting illicit servers.”

Evstratova, also believed to be a core member of the group, has been accused of taking on responsibilities to optimize the DDoSia attack software. Avrosimow has been attributed to 83 cases of computer sabotage.

Europol said officials have reached out to more than 1,000 individuals who are believed to be supporters of the cybercrime network, notifying them of the criminal liability they bear for orchestrating DDoS attacks using automated tools.

“In addition to the activities of the network, estimated at over 4,000 supporters, the group was also able to construct their own botnet made up of several hundred servers, used to increase the attack load,” Europol noted.

“Mimicking game-like dynamics, regular shout-outs, leaderboards, or badges provided volunteers with a sense of status. This gamified manipulation, often targeted at younger offenders, was emotionally reinforced by a narrative of defending Russia or avenging political events.”

In recent years, threat actors have been observed staging a series of attacks aimed at Swedish authorities and bank websites, as well as against 250 companies and institutions in Germany over the course of 14 separate waves since November 2023.

Last July, Spain’s La Guardia Civil arrested three suspected members of the group for participating in “denial-of-service cyber attacks against public institutions and strategic sectors of Spain and other NATO countries.”

The development comes as Russian hacktivist groups like Z-Pentest, Dark Engine, and Sector 16 are increasingly training their sights on critical infrastructure, going beyond DDoS attacks and website defacements that are typically associated with ideologically motivated cyber attacks.

“The groups have aligned messaging, coordinated timing, and shared targeting priorities, suggesting deliberate collaboration supporting Russian strategic cyber objectives,” Cyble said.

The Taiwanese semiconductor industry has become the target of spear-phishing campaigns undertaken by three Chinese state-sponsored threat actors.

“Targets of these campaigns ranged from organizations involved in the manufacturing, design, and testing of semiconductors and integrated circuits, wider equipment and services supply chain entities within this sector, as well as financial investment analysts specializing in the Taiwanese semiconductor market,” Proofpoint said in a report published Wednesday.

The activity, per the enterprise security firm, took place between March and June 2025. They have been attributed to three China-aligned clusters it tracks as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp.

UNK_FistBump is said to have targeted semiconductor design, packaging, manufacturing, and supply chain organizations in employment-themed phishing campaigns that resulted in the delivery of Cobalt Strike or a C-based custom backdoor dubbed Voldemort that has been previously used in attacks aimed at over 70 organizations globally.

The attack chain involves the threat actor posing as a graduate student in emails sent to recruitment and human resources personnel, seeking job opportunities at the targeted company.

The messages, likely sent from compromised accounts, include a purported resume (a LNK file masquerading as a PDF) that, when opened, triggers a multi-stage sequence that either leads to the deployment of Cobalt Strike or Voldemort. Simultaneously, a decoy document is displayed to the victim to avoid raising suspicion.

The use of Voldemort has been attributed by Proofpoint to a threat actor called TA415, which overlaps with the prolific Chinese nation-state group referred to as APT41 and Brass Typhoon. That said, the Voldemort activity linked to UNK_FistBump is assessed to be distinct from TA415 due to differences in the loader used to drop Cobalt Strike and the reliance on a hard-coded IP address for command-and-control.

UNK_DropPitch, on the other hand, has been observed striking individuals in multiple major investment firms who focus on investment analysis, particularly within the Taiwanese semiconductor industry. The phishing emails, sent in April and May 2025, embed a link to a PDF document, which, upon opening, downloads a ZIP file containing a malicious DLL payload that’s launched using DLL side-loading.

The rogue DLL is a backdoor codenamed HealthKick that’s capable of executing commands, capturing the results of those runs, and exfiltrating them to a C2 server. In another attack detected in late May 2025, the same DLL side-loading approach has been put to use to spawn a TCP reverse shell that establishes contact with an actor-controlled VPS server 45.141.139[.]222 over TCP port 465.

The reverse shell serves as a pathway for the attackers to conduct reconnaissance and discovery steps, and if deemed of interest, drop the Intel Endpoint Management Assistant (EMA) for remote control via the C2 domain “ema.moctw[.]info.”

Further analysis of the threat actor infrastructure has revealed that two of the servers have been configured as SoftEther VPN servers, an open-source VPN solution widely used by Chinese hacking groups. An additional connection to China comes from the reuse of a TLS certificate for one of the C2 servers. This certificate has been tied in the past in connection with malware families like MoonBounce and SideWalk (aka ScrambleCross).

That said, it’s currently not known if the reuse stems from a custom malware family shared across multiple China-aligned threat actors, such as SideWalk, or due to shared infrastructure provisioning across these groups.

The third cluster, UNK_SparkyCarp, is characterized by credential phishing attacks that single out an unnamed Taiwanese semiconductor company using a bespoke adversary-in-the-middle (AitM) kit. The campaign was spotted in March 2025.

“The phishing emails masqueraded as account login security warnings and contained a link to the actor-controlled credential phishing domain accshieldportal[.]com, as well as a tracking beacon URL for acesportal[.]com,” Proofpoint said, adding the threat actor had previously targeted the company in November 2024.

The company said it also observed UNK_ColtCentury, which is also called TAG-100 and Storm-2077, sending benign emails to legal personnel at a Taiwanese semiconductor organization in an effort to build trust and ultimately deliver a remote access trojan known as Spark RAT.

“This activity likely reflects China’s strategic priority to achieve semiconductor self-sufficiency and decrease reliance on international supply chains and technologies, particularly in light of U.S. and Taiwanese export controls,” the company said.

“These emerging threat actors continue to exhibit long-standing targeting patterns consistent with Chinese state interests, as well as TTPs and custom capabilities historically associated with China-aligned cyber espionage operations.”

Salt Typhoon Goes After U.S. National Guard

The development comes as NBC News reported that the Chinese state-sponsored hackers tracked as Salt Typhoon (aka Earth Estries, Ghost Emperor, and UNC2286) broke into at least one U.S. state’s National Guard, signaling an expansion of its targeting. The breach is said to have lasted for no less than nine months between March and December 2024.

The breach “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” a June 11, 2025, report from the U.S. Department of Defense (DoD) said.

“Salt Typhoon extensively compromised a US state’s Army National Guard’s network and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other U.S. state and at least four U.S. territories.”

The threat actor also exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including two state government agencies, between January and March 2024. That same year, Salt Typhoon leveraged its access to a U.S. state’s Army National Guard network to harvest administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.

These network configuration files could enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and lateral movement between networks, the report said.

Initial access has been found to be facilitated by the exploitation of known security vulnerabilities in Cisco (CVE-2018-0171, CVE-2023-20198, and CVE-2023-20273) and Palo Alto Networks (CVE-2024-3400) appliances.

“Salt Typhoon access to Army National Guard networks in these states could include information on state cyber defense posture as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel – data that could be used to inform future cyber-targeting efforts.”

Ensar Seker, CISO at SOCRadar, said in a statement that the attack is a yet another reminder that advanced persistent threat actors are going after federal agencies and state-level components, which may have a more varied security posture.

“The revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain,” Seker said. “This isn’t just an opportunistic intrusion. It reflects deliberate, long-term espionage designed to quietly extract strategic intelligence.”

“The group’s sustained presence suggests they were gathering more than just files, they were likely mapping infrastructure, monitoring communication flows, and identifying exploitable weak points for future use. What’s deeply concerning is that this activity went undetected for so long in a military environment. It raises questions about visibility gaps, segmentation policies, and detection capabilities in hybrid federal-state defense networks.”

Jul 17, 2025Ravie LakshmananVulnerability / Network Security

Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges.

Tracked as CVE-2025-20337, the shortcoming carries a CVSS score of 10.0 and is similar to CVE-2025-20281, which was patched by the networking equipment major late last month.

“Multiple vulnerabilities in a specific API of Cisco ISE and Cisco ISE-PIC could allow an unauthenticated, remote attacker to execute arbitrary code on the underlying operating system as root. The attacker does not require any valid credentials to exploit these vulnerabilities,” the company said in an updated advisory.

“These vulnerabilities are due to insufficient validation of user-supplied input. An attacker could exploit these vulnerabilities by submitting a crafted API request. A successful exploit could allow the attacker to obtain root privileges on an affected device.”

Kentaro Kawane of GMO Cybersecurity has been credited with discovering and reporting the flaw. Kawane was previously acknowledged for two other critical Cisco ISE flaws (CVE-2025-20286 and CVE-2025-20282) and another critical bug in Fortinet FortiWeb (CVE-2025-25257)

CVE-2025-20337 affects ISE and ISE-PIC releases 3.3 and 3.4, regardless of device configuration. It does not impact ISE and ISE-PIC release 3.2 or earlier. The issue has been patched in the following versions –

• Cisco ISE or ISE-PIC Release 3.3 (Fixed in 3.3 Patch 7)
• Cisco ISE or ISE-PIC Release 3.4 (Fixed in 3.4 Patch 2)

There is no evidence that the vulnerability has been exploited in a malicious context. That said, it’s always a good practice to ensure that systems are kept up-to-date to avoid potential threats.

The disclosure comes as The Shadowserver Foundation reported that threat actors are likely exploiting publicly released exploits associated with CVE-2025-25257 to drop web shells on susceptible Fortinet FortiWeb instances since July 11, 2025.

As of July 15, there are estimated to be 77 infected instances, down from 85 the day before. The majority of the compromises are concentrated around North America (44), Asia (14), and Europe (13).

Data from the attack surface management platform Censys shows that there are 20,098 Fortinet FortiWeb appliances online, excluding honeypots, although it’s currently not known how many of these are vulnerable to CVE-2025-25257.

“This flaw enables unauthenticated attackers to execute arbitrary SQL commands via crafted HTTP requests, leading to remote code execution (RCE),” Censys said.

Jul 16, 2025Ravie LakshmananThreat Intelligence / Vulnerability

Cybersecurity researchers have flagged a new variant of a known malware loader called Matanbuchus that packs in significant features to enhance its stealth and evade detection.

Matanbuchus is the name given to a malware-as-a-service (MaaS) offering that can act as a conduit for next-stage payloads, including Cobalt Strike beacons and ransomware.

First advertised in February 2021 on Russian-speaking cybercrime forums for a rental price of $2,500, the malware has been put to use as part of ClickFix-like lures to trick users visiting legitimate-but-compromised sites not running it.

Matanbuchus stands out among loaders because it’s not usually spread through spam emails or drive-by downloads. Instead, it’s often deployed using hands-on social engineering, where attackers trick users directly. In some cases, it supports the kind of initial access used by brokers who sell entry to ransomware groups. This makes it more targeted and coordinated than typical commodity loaders.

The latest version of the loader, tracked as Matanbuchus 3.0, incorporates several new features, including improved communication protocol techniques, in-memory capabilities, enhanced obfuscation methods, CMD and PowerShell reverse shell support, and the ability to run next-stage DLL, EXE, and shellcode payloads, per Morphisec.

The cybersecurity company said it observed the malware in an incident earlier this month where an unnamed company was targeted via external Microsoft Teams calls that impersonated an IT help desk and tricked employees into launching Quick Assist for remote access and then executing a PowerShell script that deployed Matanbuchus.

It’s worth noting that similar social engineering tactics have been employed by threat actors associated with the Black Basta ransomware operation.

“Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” Morphisec CTO Michael Gorelik said. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader.”

Matanbuchus 3.0 has been advertised publicly for a monthly price of $10,000 for the HTTPS version and $15,000 for the DNS version.

Once launched, the malware collects system information and iterates over the list of running processes to determine the presence of security tools. It also checks the status of its process to check if it’s running with administrative privileges.

It then sends the gathered details to a command-and-control (C2) server to receive additional payloads in the form of MSI installers and portable executables. Persistence on the shot is achieved by setting up a scheduled task.

“While it sounds simple, Matanbuchus developers implemented advanced techniques to schedule a task through the usage of COM and injection of shellcode,” Gorelik explained. “The shellcode itself is interesting; it implements a relatively basic API resolution (simple string comparisons), and a sophisticated COM execution that manipulates the ITaskService.”

The loader also comes fitted with features that can be invoked remotely by the C2 server to collect all executing processes, running services, and a list of installed applications.

“The Matanbuchus 3.0 Malware-as-a-Service has evolved into a sophisticated threat,” Gorelik said. “This updated version introduces advanced techniques such as improved communication protocols, in-memory stealth, enhanced obfuscation, and support for WQL queries, CMD, and PowerShell reverse shells.”

“The loader’s ability to execute regsvr32, rundll32, msiexec, or process hollowing commands underscores its versatility, making it a significant risk to compromised systems.”

As malware-as-a-service evolves, Matanbuchus 3.0 fits into a broader trend of stealth-first loaders that rely on LOLBins (living-off-the-land binaries), COM object hijacking, and PowerShell stagers to stay under the radar.

Threat researchers are increasingly mapping these loaders as part of attack surface management strategies and linking them to abuse of enterprise collaboration tools like Microsoft Teams and Zoom.

A threat activity cluster has been observed targeting fully-patched end-of-life SonicWall Secure Mobile Access (SMA) 100 series appliances as part of a campaign designed to drop a backdoor called OVERSTEP.

The malicious activity, dating back to at least October 2024, has been attributed by the Google Threat Intelligence Group (GTIG) to a group it tracks as UNC6148.

The tech giant assessed with high confidence that the threat actor is “leveraging credentials and one-time password (OTP) seeds stolen during previous intrusions, allowing them to regain access even after organizations have applied security updates.”

“Analysis of network traffic metadata records suggests that UNC6148 may have initially exfiltrated these credentials from the SMA appliance as early as January 2025.”

The exact initial access vector used to deliver the malware is currently not known due to the steps taken by the threat actors to remove log entries. But it’s believed that access may have been gained through the exploitation of known security flaws such as CVE-2021-20035, CVE-2021-20038, CVE-2021-20039, CVE-2024-38475, or CVE-2025-32819.

Alternately, the tech giant’s threat intelligence team theorized that the administrator credentials could’ve been obtained through information-stealing logs or acquired from credential marketplaces. However, it said it didn’t find any evidence to back up this hypothesis.

Upon gaining access, the threat actors have been found to establish an SSL-VPN session and spawn a reverse shell, although how this was achieved remains a mystery given that shell access should not be possible by design on these appliances. It’s believed that it may have been pulled off by means of a zero-day flaw.

The reverse shell is used to run reconnaissance and file manipulation commands, not to mention export and import settings to the SMA appliance, suggesting that UNC6148 may have altered an exported settings file offline to include new rules so that their operations are not interrupted or blocked by the access gateways.

The attacks culminate in the deployment of a previously undocumented implant named OVERSTEP that’s capable of modifying the appliance’s boot process to maintain persistent access, as well as credential theft and concealing its own components to evade detection by patching various file system-related functions.

This is achieved by implementing a usermode rootkit through the hijacked standard library functions open and readdir, allowing it to hide the artifacts associated with the attack. The malware also hooks into the write API function to receive commands from an attacker-controlled server in the form of embedded within web requests –

• dobackshell, which starts a reverse shell to the specified IP address and port
• dopasswords, which creates a TAR archive of the files /tmp/temp.db, /etc/EasyAccess/var/conf/persist.db, and /etc/EasyAccess/var/cert, and save it in the location “/usr/src/EasyAccess/www/htdocs/” so that it can be downloaded via a web browser

“UNC6148 modified the legitimate RC file ‘/etc/rc.d/rc.fwboot’ to achieve persistence for OVERSTEP,” GTIG said. “The changes meant that whenever the appliance was rebooted, the OVERSTEP binary would be loaded into the running file system on the appliance.”

Once the deployment step is complete, the threat actor then proceeds to clear the system logs and reboots the firewall to activate the execution of the C-based backdoor. The malware also attempts to remove the command execution traces from different log files, including httpd.log, http_request.log, and inotify.log.

“The actor’s success in hiding their tracks is largely due to OVERSTEP’s capability to selectively delete log entries [from the three log files],” Google said. “This anti-forensic measure, combined with a lack of shell history on disk, significantly reduces visibility into the actor’s secondary objectives.”

Google has evaluated with medium confidence that UNC6148 may have weaponized an unknown, zero-day remote code execution vulnerability to deploy OVERSTEP on targeted SonicWall SMA appliances. Furthermore, it’s suspected that the operations are carried out with the intent to facilitate data theft and extortion operations, and even ransomware deployment.

This connection stems from the fact that one of the organizations that was targeted by UNC6148 was posted on the data leak site operated by World Leaks, an extortion gang run by individuals previously associated with the Hunters International ransomware scheme. It’s worth noting that Hunters International recently shuttered its criminal enterprise.

According to Google, UNC6148 exhibits tactical overlaps with prior exploitation of SonicWall SMA devices observed in July 2023 that involved an unknown threat actor deploying a web shell, a hiding mechanism, and a way to ensure persistence across firmware upgrades, per Truesec.

The exploitation activity was subsequently linked by security researcher Stephan Berger to the deployment of the Abyss ransomware.

The findings once again highlight how threat actors are increasingly focusing on edge network systems that aren’t usually covered by common security tools like Endpoint Detection and Response (EDR) or antivirus software and slip into target networks unnoticed.

“Organizations should acquire disk images for forensic analysis to avoid interference from the rootkit anti-forensic capabilities. Organizations may need to engage with SonicWall to capture disk images from physical appliances,” Google said.

Jul 16, 2025The Hacker NewsIdentity Management / AI Security

The AI gold rush is on. But without identity-first security, every deployment becomes an open door. Most organizations secure native AI like a web app, but it behaves more like a junior employee with root access and no manager.

From Hype to High Stakes

Generative AI has moved beyond the hype cycle. Enterprises are:

• Deploying LLM copilots to accelerate software development
• Automating customer service workflows with AI agents
• Integrating AI into financial operations and decision-making

Whether building with open-source models or plugging into platforms like OpenAI or Anthropic, the goal is speed and scale. But what most teams miss is this:

Every LLM access point or website is a new identity edge. And every integration adds risk unless identity and device posture are enforced.

What Is the AI Build vs. Buy Dilemma?

Most enterprises face a pivotal decision:

• Build: Create in-house agents tailored to internal systems and workflows
• Buy: Adopt commercial AI tools and SaaS integrations

The threat surface doesn’t care which path you choose.

• Custom-built agents expand internal attack surfaces, especially if access control and identity segmentation aren’t enforced at runtime.
• Third-party tools are often misused or accessed by unauthorized users, or more commonly, corporate users on personal accounts, where governance gaps exist.

Securing AI isn’t about the algorithm, it’s about who (or what device) is talking to it, and what permissions that interaction unlocks.

What’s Actually at Risk?

AI agents are agentic which is to say they can take actions on a human’s behalf and access data like a human would. They’re often embedded in business-critical systems, including:

• Source code repositories
• Finance and payroll applications
• Email inboxes
• CRM and ERP platforms
• Customer support logs and case history

Once a user or device is compromised, the AI agent becomes a high-speed backdoor to sensitive data. These systems are highly privileged, and AI amplifies attacker access.

Common AI-Specific Threat Vectors:

• Identity-based attacks like credential stuffing or session hijacking targeting LLM APIs
• Misconfigured agents with excessive permissions and no scoped role-based access control (RBAC)
• Weak session integrity where infected or insecure devices request privileged actions through LLMs

How to Secure Enterprise AI Access

To eliminate AI access risk without killing innovation, you need:

• Phishing-resistant MFA for every user and device accessing LLMs or agent APIs
• Granular RBAC tied to business roles—developers shouldn’t access finance models
• Continuous device trust enforcement, using signals from EDR, MDM, and ZTNA

AI access control must evolve from a one-time login check to a real-time policy engine that reflects current identity and device risk.

The Secure AI Access Checklist:

• No shared secrets
• No trusted device assumptions
• No over-permissioned agents
• No productivity tax

The Fix: Secure AI Without Slowing Down

You don’t have to trade security for speed. With the right architecture, it’s possible to:

• Block unauthorized users and devices by default
• Eliminate trust assumptions at every layer
• Secure AI workflows without interrupting legitimate use

Beyond Identity makes this possible today.

Beyond Identity’s IAM platform makes unauthorized access to AI systems impossible by enforcing phishing-resistant, device-aware, continuous access control for AI systems. No passwords. No shared secrets. No untrustworthy devices.

Beyond Identity is also prototyping a secure-by-design architecture for in-house AI agents that binds agent permissions to verified user identity and device posture—enforcing RBAC at runtime and continuously evaluating risk signals from EDR, MDM, and ZTNA. For instance, if an engineer loses CrowdStrike full disk access, the agent immediately blocks access to sensitive data until posture is remediated.

Want a First Look?

Register for Beyond Identity’s webinar to get a behind-the-scenes look at how a Global Head of IT Security built and secured his internal, enterprise AI agents that’s now used by 1,000+ employees. You’ll see a demo of how one of Fortune’s Fastest Growing Companies uses phishing-resistant, device-bound access controls to make unauthorized access impossible.

Jul 16, 2025Ravie LakshmananWindows Server / Enterprise Security

Cybersecurity researchers have disclosed what they say is a “critical design flaw” in delegated Managed Service Accounts (dMSAs) introduced in Windows Server 2025.

“The flaw can result in high-impact attacks, enabling cross-domain lateral movement and persistent access to all managed service accounts and their resources across Active Directory indefinitely,” Semperis said in a report shared with The Hacker News.

Put differently, successful exploitation could allow adversaries to sidestep authentication guardrails and generate passwords for all Delegated Managed Service Accounts (dMSAs) and group Managed Service Accounts (gMSAs) and their associated service accounts.

The persistence and privilege escalation method has been codenamed Golden dMSA, with the cybersecurity company deeming it as low complexity owing to the fact that the vulnerability simplifies brute-force password generation.

However, in order for bad actors to exploit it, they must already be in possession of a Key Distribution Service (KDS) root key that’s typically only available to privileged accounts, such as root Domain Admins, Enterprise Admins, and SYSTEM.

Described as the crown jewel of Microsoft’s gMSA infrastructure, the KDS root key serves as a master key, allowing an attacker to derive the current password for any dMSA or gMSA account without having to connect to the domain controller.

“The attack leverages a critical design flaw: A structure that’s used for the password-generation computation contains predictable time-based components with only 1,024 possible combinations, making brute-force password generation computationally trivial,” security researcher Adi Malyanker said.

Delegated Managed Service Accounts is a new feature introduced by Microsoft that facilitates migration from an existing legacy service account. It was introduced in Windows Server 2025 as a way to counter Kerberoasting attacks.

The machine accounts bind authentication directly to explicitly authorized machines in Active Directory (AD), thus eliminating the possibility of credential theft. By tying authentication to device identity, only specified machine identities mapped in AD can access the account.

Golden dMSA, similar to Golden gMSA Active Directory attacks, plays out over four steps once an attacker has obtained elevated privileges within a domain –

• Extracting KDS root key material by elevating to SYSTEM privileges on one of the domain controllers
• Enumerating dMSA accounts using LsaOpenPolicy and LsaLookupSids APIs or via a Lightweight Directory Access Protocol (LDAP)-based approach
• Identifying the ManagedPasswordID attribute and password hashes through targeted guessing
• Generating valid passwords (i.e., Kerberos tickets) for any gMSA or dMSA associated with the compromised key and testing them via Pass the Hash or Overpass the Hash techniques

“This process requires no additional privileged access once the KDS root key is obtained, making it a particularly dangerous persistence method,” Malyanker said.

“The attack highlights the critical trust boundary of managed service accounts. They rely on domain-level cryptographic keys for security. Although automatic password rotation provides excellent protection against typical credential attacks, Domain Admins, DnsAdmins, and Print Operators can bypass these protections entirely and compromise all of the dMSAs and gMSAs in the forest.”

Semperis noted that the Golden dMSA technique turns the breach into a forest-wide persistent backdoor, given that compromising the KDS root key from any single domain within the forest is enough to breach every dMSA account across all domains in that forest.

In other words, a single KDS root key extraction can be weaponized to achieve cross-domain account compromise, forest-wide credential harvesting, and lateral movement across domains using the compromised dMSA accounts.

“Even in environments with multiple KDS root keys, the system consistently uses the first (oldest) KDS root key for compatibility reasons,” Malyanker pointed out. “This means that the original key we’ve compromised could be preserved by Microsoft’s design – creating a persistent backdoor that could last for years.”

Even more concerning is that the attack completely sidesteps normal Credential Guard protections, which are used to secure NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials so that only privileged system software can access them.

Following responsible disclosure on May 27, 2025, Microsoft said, “If you have the secrets used to derive the key, you can authenticate as that user. These features have never been intended to protect against a compromise of a domain controller.” Semperis has also released an open-source as proof-of-concept (PoC) to demonstrate the attack.

“What starts as one DC compromise escalates to owning every dMSA-protected service across an entire enterprise forest,” Malyanker said. “It’s not just privilege escalation. It’s enterprise-wide digital domination through a single cryptographic vulnerability.”

Jul 16, 2025The Hacker NewsAI Security / Fraud Detection

Social engineering attacks have entered a new era—and they’re coming fast, smart, and deeply personalized.

It’s no longer just suspicious emails in your spam folder. Today’s attackers use generative AI, stolen branding assets, and deepfake tools to mimic your executives, hijack your social channels, and create convincing fakes of your website, emails, and even voice. They don’t just spoof—they impersonate.

Modern attackers aren’t relying on chance. They’re running long-term, multi-channel campaigns across email, LinkedIn, SMS, and even support portals—targeting your employees, customers, and partners.

Whether it’s a fake recruiter reaching out on LinkedIn, a lookalike login page sent via text, or a cloned CFO demanding a wire transfer, the tactics are faster, more adaptive, and increasingly automated using AI.

The result? Even trained users are falling for sophisticated fakes—because they’re not just phishing links anymore. They’re operations.

This Webinar Shows You How to Fight Back

Join us for a deep dive into how Doppel’s real-time AI platform detects and disrupts social engineering threats before they escalate.

You’ll learn how AI can be used not just to spot suspicious signals, but to understand attacker behavior, track impersonation campaigns across platforms, and respond instantly—before reputational or financial damage occurs.

What You’ll Learn

• The Modern Threat Landscape: How AI-powered social engineering campaigns are evolving—and what that means for your current defenses.
• Real-Time Defense: How Doppel identifies impersonation attempts and shuts them down before users engage.
• Shared Intelligence at Scale: How learning from attacks across thousands of brands helps make deception unprofitable.

Impersonation attacks are scaling faster than any human team can monitor manually. Security awareness training isn’t enough. Static detection rules fall short. You need a defense that thinks and adapts in real-time.

Doppel’s AI learns from every attack attempt—so your protection keeps getting smarter.

Who Should Attend: Security leaders responsible for brand trust and executive protection, SOC teams overwhelmed by phishing and impersonation alerts, and risk, fraud, or threat intelligence professionals seeking faster, smarter signal-to-action.

Watch this Webinar

Don’t wait for an impersonation attack to make the first move. Learn how to fight back—before it happens. Save Your Spot. Register Now →

Cybersecurity researchers have discovered a new, sophisticated variant of a known Android malware referred to as Konfety that leverages the evil twin technique to enable ad fraud.

The sneaky approach essentially involves a scenario wherein two variants of an application share the same package name: A benign “decoy” app that’s hosted on the Google Play Store and its evil twin, which is distributed via third-party sources.

It’s worth pointing out that the decoy apps don’t have to be necessarily published by threat actors themselves and could be legitimate. The only caveat is that the malicious apps share the exact same package names as their real counterparts already available on the Play Store.

“The threat actors behind Konfety are highly adaptable, consistently altering their targeted ad networks and updating their methods to evade detection,” Zimperium zLabs researcher Fernando Ortega said. “This latest variant demonstrates their sophistication by specifically tampering with the APK’s ZIP structure.”

By using malformed APKs, the tactic allows threat actors to sidestep detection and challenge reverse engineering efforts. Besides dynamically loading the main DEX (Dalvik Executable) payload at runtime, the newly discovered versions enable the general-purpose bit flag by setting it to “Bit 0,” signaling to the system that the file is encrypted.

This behavior, in turn, triggers a false password prompt when attempting to inspect the Android package, thereby blocking access and complicating attempts to analyze its contents.

The second technique entails falsely declaring the use of BZIP compression method in the app’s manifest XML file (“AndroidManifest.xml”), causing analysis tools like APKTool and JADX to crash due to a parsing failure. A similar compression-based defense evasion technique was previously highlighted by Kaspersky in another Android malware called SoumniBot.

The use of dynamic code loading to execute the primary payload affords added stealth during initial scans or reverse engineering, Zimperium noted. During execution, the DEX payload is decrypted and loaded directly into memory without attracting any red flags.

“This multi-layered obfuscation approach, combining encrypted assets, runtime code injection, and deceptive manifest declarations, demonstrates the evolving sophistication of the Konfety operation and its continuous efforts to evade analysis and bypass detection mechanisms,” Ortega said.

Like the previous iteration reported by HUMAN last year, Konfety abuses the CaramelAds software development kit (SDK) to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers.

It comes with capabilities to redirect users to malicious websites, prompt unwanted app installs, and trigger persistent spam-like browser notifications. Furthermore, the malware hides its app icon and uses geofencing to alter its functionality based on the victim’s region.

The development comes as ANY.RUN detailed a Chinese Android packer tool known as Ducex that’s mainly designed to conceal embedded payloads like Triada within fake Telegram apps.

“The packer employs serious obfuscation through function encryption using a modified RC4 algorithm with added shuffling,” ANY.RUN researcher Alina Markova said. “Ducex creates major roadblocks for debugging. It performs APK signature verification, failing if the app is re-signed. It also employs self-debugging using fork and ptrace to block external tracing.”

On top of that, Ducex is designed to detect the presence of popular analysis tools such as Frida, Xposed, and Substrate, and if present, terminate itself.

The findings also follow a new study published by a team of researchers from TU Wien and the University of Bayreuth about a novel technique dubbed TapTrap that can be weaponized by a malicious app to covertly bypass Android’s permission system and gain access to sensitive data or execute destructive actions.

The attack, in a nutshell, hijacks user interactions on Android devices by overlaying animations or games on a user’s screen, while surreptitiously launching user interface elements underneath that trick users into performing undesirable actions, such as installing malware or granting the app intrusive permissions.

“Normally, Android shows an animation when the screen changes, such as the new screen sliding or fading in,” researchers Philipp Beer, Marco Squarcina, Sebastian Roth, and Martina Lindorfer said. “However, the app can tell the system that a custom animation should be used instead that is long-running and makes the new screen fully transparent, keeping it hidden from you.”

“Any taps you make during this animation go to the hidden screen, not the visible app. The app can then use this to lure you into tapping on specific areas of the screen that correspond to sensitive actions on the hidden screen, allowing it to perform actions without your knowledge.”

In a hypothetical attack scenario, a threat actor-released game installed by the victim can secretly open a web browser session and dupe them into granting camera permissions to a malicious website.

That said, TapTrap’s impact extends beyond the Android ecosystem, opening the door to tapjacking and web clickjacking attacks. The issue has been addressed in GrapheneOS, Chrome 135 (CVE-2025-3067), and Firefox 136 (CVE-2025-1939). Android 16 continues to remain susceptible to the attack.

Jul 16, 2025Ravie LakshmananBrowser Security / Zero-Day

Google on Tuesday rolled out fixes for six security issues in its Chrome web browser, including one that it said has been exploited in the wild.

The high-severity vulnerability in question is CVE-2025-6558 (CVSS score: 8.8), which has been described as an incorrect validation of untrusted input in the browser’s ANGLE and GPU components.

“Insufficient validation of untrusted input in ANGLE and GPU in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page,” according to the description of the flaw from the NIST’s National Vulnerability Database (NVD).

ANGLE, short for “Almost Native Graphics Layer Engine,” acts as a translation layer between Chrome’s rendering engine and device-specific graphics drivers. Vulnerabilities in the module can let attackers escape Chrome’s sandbox by abusing low-level GPU operations that browsers usually keep isolated, making this a rare but powerful path to deeper system access.

For most users, a sandbox escape like this means that visiting a malicious site is sufficient to potentially break out of the browser’s security bubble and interact with the underlying system. This is especially critical in targeted attacks where just opening a webpage could trigger a silent compromise without requiring any download or click.

Clément Lecigne and Vlad Stolyarov of Google’s Threat Analysis Group (TAG) have been credited with discovering and reporting the zero-day vulnerability on June 23, 2025.

The exact nature of the attacks weaponizing the flaw has not been disclosed, but Google acknowledged that an “exploit for CVE-2025-6558 exists in the wild.” That said, the discovery by TAG alludes to the possibility of nation-state involvement.

The development comes about two weeks after Google addressed another actively exploited Chrome zero-day (CVE-2025-6554, CVSS score: 8.1), which was also reported by Lecigne on June 25, 2025.

Google has resolved a total of five zero-day vulnerabilities in Chrome that have been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. This includes: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, and CVE-2025-6554.

To safeguard against potential threats, it’s advised to update their Chrome browser to versions 138.0.7204.157/.158 for Windows and Apple macOS, and 138.0.7204.157 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome, and select Relaunch.

Users of other Chromium-based browsers such as Microsoft Edge, Brave, Opera, and Vivaldi are also advised to apply the fixes as and when they become available.

Issues like this often fall under broader categories like GPU sandbox escapes, shader-related bugs, or WebGL vulnerabilities. While not always headline-grabbing, they tend to resurface in chained exploits or targeted attacks. If you follow Chrome security updates, it’s worth keeping an eye out for graphics driver flaws, privilege boundary bypasses, and memory corruption in rendering paths, as they often point to the next round of patch-worthy bugs.