Credential-based attacks pose significant risks to organizations, leveraging weak credentials for unauthorized access. Picus Attack Path Validation (APV) helps identify and mitigate these vulnerabilities through automated penetration testing and credential harvesting simulations. #CyberSecurity #CredentialAttacks #PenetrationTesting

Keypoints:

Credential-based attacks exploit weak or misconfigured credentials for unauthorized access.…

Summary:

As the holiday season approaches, threat actors are exploiting people’s desires for deals and bonuses through malware and phishing campaigns. Recent activities include credential phishing and employment fraud, targeting individuals with deceptive messages. #HolidayScams #Phishing #CyberSecurity

Keypoints:

Increased malware and phishing campaigns during the holiday season.…

Summary:

Unit 42 researchers uncovered a phishing campaign targeting European companies, particularly in the automotive and chemical sectors, aiming to harvest Microsoft Azure credentials. The campaign peaked in June 2024, impacting around 20,000 users through malicious links and documents. #Phishing #CyberSecurity #CredentialHarvesting

Keypoints:

The phishing campaign targeted European companies, primarily in the automotive and chemical industries.…

Summary:

This article offers a comprehensive guide to detecting LDAP-based attacks, highlighting the challenges of distinguishing between benign and malicious activities. It discusses real-world examples of threat actors exploiting LDAP for lateral movement and critical asset enumeration, as well as effective detection strategies. #LDAPAttacks #CyberSecurity #ThreatDetection

Keypoints:

LDAP is commonly abused by threat actors for lateral movement and enumeration of critical assets in cyberattacks.…

### #CleoHarmonyExploitation #RCEThreats #FileTransferVulnerabilities

Summary: Huntress Labs has alerted organizations about the exploitation of a critical vulnerability (CVE-2024-50623) in Cleo’s software, allowing unauthenticated remote code execution. This vulnerability poses significant risks to industries reliant on file transfer management, with evidence of widespread attacks emerging.

Threat Actor: Unknown | Victim: Various organizations

Key Point:

Active exploitation of CVE-2024-50623 affects Cleo’s Harmony, VLTrader, and LexiCom software, allowing remote code execution.…

Cozy Bear, also known as APT29, is a sophisticated cyber espionage group believed to operate under the Russian Foreign Intelligence Service. This article explores their history, notable attacks, and advanced tactics that highlight their persistent threat to organizations worldwide. #CozyBear #CyberEspionage #APT29

Keypoints:

Cozy Bear is linked to the Russian SVR and targets government and private sectors for intelligence gathering.…

### #ActiveDirectoryExploitation #CertificateTemplateVulnerability #PrivilegeEscalation

Summary: Security researchers have identified a critical zero-day vulnerability, CVE-2024-49019, in Active Directory Certificate Services that allows attackers to escalate privileges through manipulation of version 1 certificate templates. This vulnerability, with a CVSS score of 7.8, was patched in Microsoft’s November Patch Tuesday but poses significant risks if left unaddressed.…


### #EarthKasha #APT10 #CyberEspionage

Summary: Earth Kasha, a threat actor associated with APT10, has broadened its targeting to India, Taiwan, and Japan, employing advanced tactics such as spear-phishing and exploiting vulnerabilities in public-facing applications. Their operations involve the use of various backdoors, including NOOPDOOR, to maintain persistent access to compromised networks, posing a significant threat to organizations in advanced technology and government sectors.…


### #RansomwareTrends #HolidayCyberAttacks #SOCChallenges

Summary: A recent report reveals that ransomware gangs are increasingly targeting organizations during weekends and holidays, capitalizing on reduced cybersecurity staffing. Despite many companies maintaining 24/7 security operations centers, staffing is often cut by up to 50% during these times, leaving them vulnerable to attacks.…


Summary:

PowerHuntShares v2 introduces enhanced functionalities for analyzing SMB shares with excessive privileges, aiding cybersecurity teams in identifying and remediating vulnerabilities. Key features include automated secrets extraction, share similarity scoring, and a new ShareGraph Explorer for visualizing share relationships.

Keypoints:

PowerHuntShares is an open-source tool designed to analyze SMB shares with excessive privileges.…

Summary: Bitdefender has developed a decryptor for the ShrinkLocker ransomware, which exploits Windows’ BitLocker encryption to lock victims’ files. Despite its low sophistication, ShrinkLocker has successfully targeted corporate networks, including healthcare organizations, causing significant operational disruptions.

Threat Actor: Unknown | ShrinkLocker; Victim: Healthcare organization

Key Point:

ShrinkLocker uses Windows BitLocker with a randomly generated password sent to attackers, rather than custom encryption methods.…

Summary: Citrix has released patches for two critical vulnerabilities in its Virtual Apps and Desktop technology that could allow remote code execution or privilege escalation, despite the company initially downplaying their severity. Researchers from watchTowr argue that the vulnerabilities can be exploited by unauthenticated attackers, raising concerns about the security of widely used Citrix products.…


Summary: Microsoft’s November 2024 Patch Tuesday addresses 91 vulnerabilities, including four critical zero-days, two of which are actively exploited. The updates include fixes for various types of flaws, such as remote code execution and elevation of privilege vulnerabilities.

Threat Actor: Unknown | Victim: Microsoft

Key Point:

Four zero-day vulnerabilities were disclosed, two of which were actively exploited in attacks.…

Summary:

CosmicBeetle, also known as NoName, is a ransomware group that has emerged as a significant threat since its inception in 2020. Targeting small to medium enterprises globally, the group employs customized ransomware tools like ScRansom and mimics established ransomware tactics to extort victims. Their operations have intensified in 2023, focusing on exploiting vulnerabilities and employing psychological tactics to pressure victims into paying ransoms.…

Summary:

Earth Estries employs sophisticated attack chains utilizing various malware, including Zingdoor and Snappybee, to exploit vulnerabilities in systems like Microsoft Exchange servers. Their tactics involve maintaining persistence, lateral movement, and data exfiltration through a combination of custom tools and established malware.

Keypoints:

Earth Estries has targeted government and tech sectors since at least 2020.…

Summary: Cable is an open-source post-exploitation tool designed for the enumeration and exploitation of Active Directory (AD) environments, aiding security professionals in assessing vulnerabilities and performing privilege escalation. It offers various features, including Kerberoasting, DACL manipulation, and RBCD exploitation, to enhance understanding and security of AD systems.…


Summary:

The Mandiant Red Team conducted an assessment to illustrate how advanced threat actors can exploit Microsoft Entra ID environments, particularly through Intune-managed Privileged Access Workstations (PAWs). By abusing specific Intune permissions, the team demonstrated lateral movement and privilege escalation techniques, ultimately compromising Entra ID service principals.…