Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day.…

Protect your systems with automated patching and server hardening strategies to defend against vulnerabilities like the NTLM zero-day. Stay proactive and secure your business.

A newly discovered Windows zero-day vulnerability exposes users across multiple Windows versions to credential theft. Discovered by 0patch researchers, this critical security flaw allows attackers to steal NTLM credentials through a deceptive yet simple method.

****What Makes This Vulnerability Dangerous?****

**Widespread Impact**

The vulnerability affects a wide range of Windows systems, including:

*   Windows Server 2022
*   Windows 11 (up to v24H2)
*   Windows 10 (multiple versions)
*   Windows 7 and Server 2008 R2

**Exploitation Mechanism**

Technical details of the vulnerability are withheld to minimize exploitation risk until Microsoft issues a fix to minimize any further risk of exploitation. 

The vulnerability enables attackers to steal a user’s NTLM credentials by luring them into opening a malicious file in Windows Explorer.

Attackers can trigger the vulnerability through minimal user interaction:

*   Opening a shared folder
*   Accessing a USB disk
*   Simply viewing a malicious file in Windows Explorer
*   Accessing the Downloads folder with a strategically placed file

****The Broader Context of Unpatched Vulnerabilities****

This isn’t an isolated incident. The same research team has previously identified multiple unresolved Windows vulnerabilities, including:

*   Windows Theme file issue
*   “Mark of the Web” vulnerability
*   “EventLogCrasher” vulnerability
*   Three NTLM-related vulnerabilities (PetitPotam, PrinterBug/SpoolSample, and DFSCoerce)

****0patch Micropatches****

0patch is offering a free micropatch for the latest NTLM zero-day to all users registered on its platform until Microsoft releases an official fix. The security micropatch has already been automatically deployed to PRO and Enterprise accounts, except in cases where configurations explicitly block automatic updates.

“The impact on enterprises using outdated and legacy infrastructure is more significant than the simple impact on operating costs, said Jim Routh,” Chief Trust Officer at cybersecurity company Saviynt. “In this case, the obsolete authentication application (NTLM) from MS enables threat actors to steal Windows credentials potentially compromising customer experience.”

****Focusing on the proactive approach****

Automated patch management, like the protection provided to PRO and Enterprise accounts through 0patch, is a great start, but organizations need to do more. Implementing strong server-hardening strategies can add multiple layers of defence by setting consistent security configurations across all systems.

This proactive approach goes beyond simply reacting to vulnerabilities, helping businesses stay protected against threats like the recent NTLM zero-day vulnerability.

1.  Hackers Use Excel Files for Remcos RAT Variant on Windows
2.  Godot Engine Exploited for Malware on Windows, macOS, Linux
3.  Windows SmartScreen Flaw Enabling Data Theft in Stealer Attack
4.  Windows Vulnerable to Command Injection via “BatBadBut” Flaw
5.  Russian Hackers Exploit Firefox and Windows 0-Days for Backdoor

Critical Windows Zero-Day Alert: No Patch Available Yet for Users

Luigi Mangione, a 26-year-old graduate of the University of Pennsylvania, was apprehended on Monday after visiting a McDonald's in Altoona, Pennsylvania.

Authorities arrested a man in Pennsylvania on Monday who police say is connected to the shooting death of UnitedHealthcare CEO Brian Thompson in New York City last week.

Police apprehended Luigi Mangione, 26, in Altoona five days after Thompson was shot in Midtown Manhattan in the early hours of Wednesday, December 4, setting off a manhunt for the shooter, whose identity remained unknown. Mangione was detained after he visited a McDonald’s location in Altoona, where other guests noticed his resemblance to images of the suspected shooter released by the New York Police Department and contacted authorities, according to The New York Times.

The NYPD did not immediately respond to WIRED’s request for comment.

Prior to Mangione’s arrest, NYPD investigators mapped the alleged shooter’s movements around New York City since late November, including his stay at a Manhattan hostel, where an image of the suspect was captured without a face mask. Police later found the suspect’s backpack in Central Park, where he fled following the shooting, according to the NYPD. Authorities reportedly believe he left New York City on a bus.

Online records show that Luigi Mangione is an app developer who graduated with bachelor's and master's of science in engineering degrees from the University of Pennsylvania in May 2020. A GitHub account that appears to be Mangione’s and an Instagram account for the game development company AppRoarr Studios indicate that he is a cofounder there. AppRoarr did not immediately respond to WIRED’s request for comment.

A LinkedIn account that appears to be Mangione's lists his employer as TrueCar, an online used vehicle retailer, where he claims to have started work as a data engineer in November 2020. The company confirmed his previous employment but told The New York Times that he has not worked at TrueCar since 2023. The company did not immediately respond to WIRED's request for comment.

At the scene of Thompson’s shooting outside the New York Hilton Midtown, NYPD investigators discovered bullet casings bearing the words “delay,” “depose,” and “deny,” likely references to the ways in which health insurance companies refuse to cover customers’ medical claims. According to the Times, authorities say Mangione was carrying a “manifesto” that included passages “criticizing health care companies for putting profits above care.”

UnitedHealthcare did not immediately respond to a request for comment from WIRED. In a statement provided to other media outlets, a company spokesperson said: “Our hope is that today’s apprehension brings some relief to Brian’s family, friends, colleagues and the many others affected by this unspeakable tragedy. We thank law enforcement and will continue to work with them on this investigation. We ask that everyone respect the family’s privacy as they mourn.”

A search of Mangione’s online footprint paints a picture of a typical twentysomething, including accounts on Pinterest, Skype, Instagram, and Facebook. On X, what appears to be his account featured an image of what looks to be an X-ray following major spinal cord surgery, one of the few explicit references to health care in his online account history.

A GoodReads account featuring a photo of the suspect that also shares a username with an email address and GitHub account linked to Mangione includes several books related to back pain, including _Crooked: Outwitting the Back Pain Industry and Getting on the Road to Recovery_. Other titles include _Hillbilly Elegy_, by US vice president-elect JD Vance, and “Industrial Society and Its Future,” the anti-technology diatribe colloquially known as the Unabomber Manifesto. The GoodReads account has since been set to private.

Mangione, who was valedictorian of his private high school in the Baltimore area, appears to have been an avid gamer, with dozens of game titles listed on an Xbox Live account that shares his name. In 2018, Mangione described himself as passionate about making video games, and helped to found a game development club at Penn that was quickly joined by roughly 60 students, according to a since-deleted article on the university's news hub.

On a GitHub page believed to belong to Mangione, he shared code repositories that focused on machine learning and human-computer interaction. Among these is a project titled "Meccanoid-Imitate,” which apparently uses Arduino—an open source and easy-to-use electronics platform—and a programmable Meccanoid robot. The repository, last updated four years ago, includes animated GIFs showing Mangione in what appears to be a classroom, moving his arms while a Meccanoid robot behind him mimics his gestures.

_Updated at 5:30 pm EST, December 9, 2024, to include additional information about Mangione's employment history._

Police Arrest UnitedHealthcare CEO Shooting Suspect, App Developer Luigi Mangione

Researchers demonstrate a proof-of-concept cyberattack vector that gets around remote, on-premises, and local versions of browser isolation security technology to send malicious communications from an attacker-controlled server.

Source: Sasin Paraska via Shutterstock

Security researchers have found a way to bypass three types of browser isolation, which would allow a cyberattacker to send malicious data to a remote device by using QR codes.

Researchers from Mandiant demonstrated a proof-of-concept (PoC) that gets around remote, on-premises, and local browser isolation by overriding HTTP request-based communication with machine-readable QR codes. In this way, the technique allows attackers to send commands from a command-and-control (C2) server to a victim's device.

Browser isolation is often used by organizations to fight phishing threats, protect a device from browser-delivered attacks, and deter typical C2 tactics used by attackers. The technique runs a browser in a secure environment — such as a cloud server or virtual machine — and then streams the visual content to the user's device.

When browser isolation is being used, the remote browser handles everything from page rendering to executing JavaScript, with only the visual appearance of the webpage sent back to the user's local browser.

As attackers generally send commands to and from a victim's device through HTTP requests, browser isolation makes it challenging for attackers to remotely control a device in the typical way. That's because the HTTP response returned to the local browser contains only the streaming engine to render the remote browser's visual page contents, "and only a stream of pixels is sent to the local browser to visually render the webpage," Mandiant principal security consultant Thibault Van Geluwe de Berlaere wrote in the post. "This prevents typical HTTP-based C2 because the local device cannot decode the HTTP response."

Related:Cybercrime Gangs Abscond With Thousands of AWS Credentials

**Bypassing Browser Isolation With QR Codes**

Mandiant researchers developed a PoC that demonstrates how to get around browser isolation using the Puppeteer JavaScript library and the Google Chrome browser in headless mode. However, any modern browser can be used to achieve the PoC, Van Geluwe de Berlaere noted.

Instead of returning the C2 data in the HTTP request headers or body, as a typical attacker-controlled attempt to send commands to a device might, the C2 server returns a valid webpage that visually shows a QR code. "The implant then uses a local headless browser … to render the page, grabs a screenshot, and reads the QR code to retrieve the embedded data," Van Geluwe de Berlaere wrote.

"By taking advantage of machine-readable QR codes, an attacker can send data from the attacker-controlled server to a malicious implant even when the webpage is rendered in a remote browser."

Related:Wyden and Schmitt Call for Investigation of Pentagon's Phone Systems

In the attack sequence, the malicious implant visually renders the webpage from the browser isolation's pixel streaming engine and decodes the command from the QR code displayed on the page. It then retrieves a valid HTML webpage from the C2 server with the command data encoded in a QR code visually shown on the page.

The remote browser then returns the pixel-streaming engine back to the local browser, starting a visual stream that shows the rendered page obtained from the C2 server. The implant waits for the page to fully render, then grabs a screenshot of the local browser that contains the QR code, which the malicious implant reads to execute the C2 command on the compromised device.

The implant then goes through the local browser again to navigate to a new URL that includes the command output encoded in a URL parameter. This parameter is passed through to the remote browser and ultimately to the C2 server, which decodes the command output as in traditional HTTP-based C2.

**Challenges to Implementing the Bypass**

Though the PoC demonstrates how attackers can get around browser isolation, there are some limitations and challenges to consider when using it, the researchers noted.

One is that it's not feasible to use the PoC with QR codes that have the maximum data size — i.e., 2,953 bytes, 177x177 grid, Error Correction Level "L" — as "the visual stream of the webpage rendered in the local browser was of insufficient quality to reliably read the QR code contents," Van Geluwe de Berlaere explained. Instead, the researchers used QR codes containing a maximum of 2,189 bytes of content.

Related:Pegasus Spyware Infections Proliferate Across iOS, Android Devices

Moreover, the requests take at least five seconds to reliably show and scan the QR code due to the processing involved when using Chrome in headless mode, as well as the time it takes for the remote browser to start up, page-rendering requirements, and the stream of visual content from the remote browser back to the local browser. "This introduces significant latency in the C2 channel," he wrote.

Finally, the PoC does not consider other security features of browser isolation, such as domain reputation, URL scanning, data-loss prevention, and request heuristics, which may need to be overcome if they are present in the browser-isolation environment on which it is being used.

Despite the success of the bypass, Mandiant still recommends browser isolation as a strong protection measure against client-side browser exploitation and phishing attacks. However, Van Geluwe de Berlaere wrote, it should be used as one part of "a well-rounded cyber defense posture" that also includes monitoring for anomalous network traffic and browser in automation mode to defend against Web-based attacks.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Can Use QR Codes to Bypass Browser Isolation

Discover essential tips to secure your digital assets like crypto, NFTs, and tokens. Learn about wallet safety, avoiding…

Discover essential tips to secure your digital assets like crypto, NFTs, and tokens. Learn about wallet safety, avoiding phishing, 2FA, and protecting your holdings against theft.

As digital assets like cryptocurrencies, tokens, and NFTs grow in popularity, so does the importance of securing them. These assets are valuable, decentralized, and often stored in digital wallets that require specific security measures.

However, this decentralization, due to the lack of central oversight, makes them particularly vulnerable to hacking, phishing, malware, and human error. The good news is that with the right precautions and knowledge, you can significantly reduce the risks of theft or fraud.

This guide will explore the basics of digital asset cybersecurity, including common risks and best practices to help protect your crypto holdings.

****Understanding Digital Asset Security Risks****

Before diving into crypto, it’s crucial to understand the unique security risks that come with managing digital assets. Digital assets are typically stored in wallets, which are secured by private keys and seed phrases. These are the most critical components that control access to your assets, and if compromised, you could lose everything.

Hackers often target exchanges, wallets, and platforms where cryptocurrencies are stored. Phishing scams trick users into revealing their private keys or login details. Malware can infect devices, enabling cybercriminals to steal your credentials. Additionally, human error, such as sending funds to the wrong address or losing your private keys, can result in permanent asset loss.

****Wallets: Private Keys, Seed Phrases, and Passwords****

Your crypto wallet is the most important part of your security setup. Each wallet has a public key (which is shared with others to receive funds) and a private key (which grants access and control over your assets). Most wallets also use a seed phrase to recover access in case the wallet is lost or damaged. This seed phrase consists of 12-24 random words that serve as a backup to your private key.

Backing up your seed phrase securely is essential. Store it offline in a secure location—never on your computer or in the cloud, where it could be hacked. Losing your seed phrase means losing access to your funds permanently. Similarly, ensure your wallet has a strong, unique password for day-to-day access and use a password manager to keep track of it safely.

****Using Non-Custodial Wallets for Better Security****

When choosing a wallet, consider whether it’s custodial or non-custodial. In a custodial wallet, a third party, like an exchange, controls your private keys. This can leave your funds vulnerable if the platform is hacked. A non-custodial wallet gives you full control of your private keys, making it a more secure option. Because non-custodial wallets are so secure, many digital currency enthusiasts consider them the best Bitcoin wallet option for keeping high-value assets safe and secure. 

****Two-factor authentication (2FA)****

Another critical security measure is enabling two-factor authentication (2FA) on your crypto accounts. 2FA requires an additional authentication step (such as a code sent to your phone) when logging into accounts. This makes it much harder for hackers to gain access, even if they have your password. 

Use a 2FA app like Google Authenticator or Authy for better protection. Avoid using SMS-based 2FA, as it’s vulnerable to SIM-swapping attacks, where hackers can hijack your phone number. Additionally, ensure that any backup codes or recovery methods for your 2FA are stored securely, as losing access to your 2FA can lock you out of your accounts permanently.

****Always Double-Check Wallet Addresses****

Cryptocurrency transactions are irreversible, which means once funds are sent, they cannot be recovered. Always double-check wallet addresses before sending or receiving funds. This simple step can save you from accidentally sending assets to the wrong address.

If you receive a request to send crypto, verify the wallet address and ensure it matches the intended recipient. You can also use QR codes to minimize the chance of errors when entering an address manually.

****Beware of Phishing and Social Engineering****

Phishing attacks are one of the most common methods cybercriminals use to steal digital assets. These scams often involve fake websites, emails, or messages that mimic trusted platforms like exchanges, wallet providers, or crypto services. If you’re tricked into entering your credentials on a fraudulent site, hackers can access your wallet and steal your assets.

Always check the URL of the website you’re visiting and look for signs of legitimacy. Never share your private keys, seed phrases, or sensitive information over email, phone, or social media. Be cautious of unsolicited messages, and always verify requests before acting on them.

****Understand the Risks of Crypto Exchanges****

Cryptocurrency exchanges are often targets for cyberattacks, as they store large amounts of digital assets. While exchanges are convenient for trading and holding crypto, they come with risks. For example, if the exchange is hacked or experiences a security breach, your funds could be stolen. Some exchanges also have poorly managed security protocols, putting your assets at risk.

Consider using non-custodial wallets for long-term storage and only keeping small amounts of crypto on exchanges for trading purposes. Research exchanges before using them and check their security track record.

****Stay Informed and Educated About Security****

The crypto space is constantly evolving, and new threats are emerging all the time. Stay informed by following reputable sources on security best practices, crypto news, and updates on potential vulnerabilities. Joining online communities or forums can help you stay up-to-date on the latest trends, security threats, and emerging technologies, ensuring you understand the evolving landscape. 

It’s also important to educate yourself on the specific risks associated with decentralized finance (DeFi) protocols, smart contracts, and other decentralized services. While these platforms offer new opportunities, they can also expose you to unique risks like smart contract bugs, liquidity issues, or governance vulnerabilities that could lead to significant losses. Understanding these risks helps you make informed decisions and protect your assets.

****Crypto Security Best Practices: Do’s and Dont’s********Do’s:****

*   Back up your seed phrase and store it securely in multiple offline locations.
*   Use strong, unique passwords for your crypto accounts and avoid reusing passwords from other sites.
*   Enable two-factor authentication (2FA) for added protection on all platforms.
*   Double-check wallet addresses before sending or receiving funds to avoid errors.
*   Research wallet providers and choose reputable ones that prioritize security features.
*   Stay informed about new security threats and best practices to protect your assets.

****Don’ts:****

*   Never share your private keys or seed phrases with anyone, as this would give them access to your funds.
*   Avoid suspicious links and be cautious of phishing emails or messages that impersonate trusted services.
*   Be wary of centralized exchanges, as they are more vulnerable to hacks. Consider using non-custodial wallets for long-term storage.
*   Exercise caution with DeFi protocols, as they can have vulnerabilities in smart contracts.
*   Don’t trust unverified sources—always verify the legitimacy of platforms and communications before sharing any personal information.

****Conclusion****

Digital assets offer incredible opportunities, but they also come with unique risks. By following these essential cybersecurity practices, you can significantly reduce the chances of falling victim to theft or fraud. Secure your assets by backing up your seed phrase, using strong passwords and 2FA, avoiding phishing scams, and staying informed about the latest threats in the crypto space.

Ultimately, safeguarding your crypto holdings requires a combination of vigilance, knowledge, and secure practices. By adopting these principles, you can enjoy the benefits of digital assets while minimizing the risks.

1.  **Benefits of Using an Anonymous Bitcoin Wallet**
2.  **Outdated Wallets Threatening Billions in Crypto Assets**
3.  **Step-by-Step Guide to Creating Your First Crypto Wallet**
4.  **Trust Wallet Launches Browser Extension Wallet for Desktop**
5.  **Internet Computer Protocol Launches Walletless Verified Credentials**

Digital Assets Cybersecurity Essentials

Authorities were able to intercept the Matrix messaging service’s traffic and monitor criminal activity for three months.

European law enforcement agencies have taken down yet another encrypted messaging service mainly used by criminals.

The Matrix encrypted messaging service was an invite-only service which was also marketed under the names Mactrix, Totalsec, X-quantum, or Q-safe. Dutch and French authorities started an investigation when the service was found on the phone of a criminal convicted for the murder of Dutch journalist Peter R. de Vries in 2021.

The investigators soon found Matrix was technically more complex than previous platforms such as Sky ECC and EncroChat, which were earlier subjects of law enforcement eavesdropping.

Eventually the authorities were able to intercept the messaging service’s traffic and monitor the activity for three months. The authorities intercepted and deciphered over 2.3 million messages in 33 languages during the investigation.

The intercepted messages mostly dealt with serious organized crimes such as international drug trafficking, arms trafficking, and money laundering. Now, visitors to the the messaging service are alerted to the takedown through a splash page telling them the platform has been disabled by international law enforcement:

> “It’s not the first time and will not be the last time we are able to read the messages in real time. We gained access to data related to this service and our investigation does not end here.”

These services don’t come cheap. We don’t know the exact pricing of Matrix, but similar services cost several thousands of dollars per year. Which explains why law enforcement seized four cars, 970 phones, and a house, along with over half a million in crypto and over $150,000 in cash.

With the takedown of Matrix, the encrypted communication landscape for criminals has lost yet another significant player.

Europol stated:

> “Criminals, in response to the disruptions of their messaging services, have been turning to a variety of less-established or custom-built communication tools that offer varying degrees of security and anonymity.”

This offers both a challenge and opportunities for law enforcement, since the smaller fish are less tasty, but easier to catch if you’ll pardon me that analogy.

The Matrix messaging service is in no way related to the legitimate Matrix messaging protocol. We don’t want US citizens looking for an encrypted messaging service to shy away from apps built on the Matrix protocol just because it has the same name.

Although I appreciated the hint of the splash page to the media franchise The Matrix.

**We don’t just report on privacy—we offer you the option to use it.**

Privacy risks should never spread beyond a headline. Keep your online privacy yours by using Malwarebytes Privacy VPN.

 Encrypted messaging service intercepted, 2.3 million messages read by law enforcement 

We can anticipate a growing number of emerging vulnerabilities in the near future, emphasizing the need for an effective prioritization strategy.

Audra Streetman, Senior Threat Intelligence Analyst, Splunk

December 9, 2024

4 Min Read

Source: Skorzewiak via Alamy Stock Photo

COMMENTARY

The work of cybersecurity defenders continues to evolve. The sheer amount of software and applications within an organization's IT environment has increased the attack surface and, consequently, the number of vulnerabilities. According to the Verizon "2024 Data Breach Investigations Report," "14% of breaches involved the exploitation of vulnerabilities as an initial access step, almost triple the amount from last year's report."

With vulnerability exploitation increasing, prioritization can be difficult and time-consuming if you don't have a clear plan. The consequences of large-scale incidents, such as Log4j and the MOVEit breach, have had lasting impacts on the cybersecurity world. However, cybersecurity defenders can learn from these experiences.

**Key Considerations for Vulnerability Evaluation**

The first step in vulnerability evaluation mirrors the basics of reading comprehension: understanding the who, what, when, where, and why:

Who: Who is discussing vulnerabilities? Pay attention to peers, industry experts, and government advisories. Know that vulnerability discourse on social media and online forums may include fear-mongering and hyperbole. 

What: After identifying a vulnerability, analyze its exploitability. Determine if it is exploitable over a network or requires local access, or if exploit code is public. 

When: Timing is crucial. Know when the vulnerability was disclosed and if it has been exploited in the wild.

Where: Know where the vulnerability exists in your environment, which can influence the impact of exploitation. Check if it appears in a software bill of materials (SBOM) or a vendor advisory, as this can direct your remediation efforts.

If a patch is available, determine if it will cause downtime and if you are bound by a service-level agreement. If you opt to not patch, or if a patch is not available, research mitigation guidance to minimize risk.

Why: Understand how the vulnerability aligns with recent trends in adversary behavior. Also, Common Vulnerability scores and Exploit Prediction scores can inform prioritization, but should not be relied upon as the only factor when evaluating vulnerabilities.

**Learning From Large-Scale Incidents****MOVEit **

A great way to combat vulnerabilities is to learn from the past. For example, when the MOVEit Transfer vulnerability emerged in 2023, there were early signs pointing to the potential for mass exploitation. The cybercriminal group behind the breach was known to target vulnerabilities in file transfer software for spray-and-pray attacks that relied on data exfiltration without encryption to reach more victims. Ultimately, more than 2,700 organizations and 95.8 million people were impacted by the breach, according to cybersecurity firm Emsisoft, teaching the cybersecurity world three things:

1.  Adversary behavior can influence the likelihood of exploitation. A critical vulnerability in a file transfer appliance carried additional urgency in 2023 because of the strategies employed by cybercriminals. 
    
2.  Zero-day vulnerabilities with low attack complexity are a higher priority. Attacks began days before the MOVEit vulnerability was publicly disclosed and one attack vector allowed data exfiltration directly from the MOVEit application. One caveat here is that not all zero-day vulnerabilities are a high priority; there are other factors to consider, such as attack complexity. 
    
3.  Vulnerabilities with cascading effects on the supply chain are critical priorities. Some organizations were impacted by the breach because their vendor's contractor's subcontractor used MOVEit Transfer.
    

**Log4j**

The 2021 Log4j incident highlights the challenges with identifying vulnerable software components in your environment. This vulnerability was a high priority for several reasons:

1.  It was remotely exploitable.
    
2.  It was publicly disclosed before a fix was available.
    
3.  Exploit code circulated online.
    
4.  Because the Log4j library was popular among Java developers, it was embedded into thousands of software packages and integrated into millions of systems worldwide. 
    

Many organizations struggled to identify where Log4j was present in their environment, as these open source components aren't always readily listed. Accurate asset inventories and widespread SBOM adoption — which is essentially an ingredients list of software components — can go a long way in improving how organizations identify and respond to future vulnerabilities. 

**Knowing the Score With Vulnerabilities**

Cybersecurity defenders have at their disposal a number of vulnerability databases and scoring frameworks, such as the Cybersecurity and Infrastructure Security Agency's (CISA's) Known Exploited Vulnerabilities (KEV) catalog and the National Vulnerability Database (NVD). As organizations mature and refine their vulnerability management program, they can begin to implement additional steps, such as continuous monitoring, automation, and the integration of vulnerability management tools with configuration management databases (CMDBs) to improve detection and remediation.

In the future, we may see software suppliers adopt a secure-by-design philosophy that takes greater ownership of customer security outcomes. This could be influenced by future regulations, heightened liability for security executives, and the loss of customer trust. We may also see new use cases for emerging technologies, like machine learning and artificial intelligence, to help speed up and guide the vulnerability prioritization process, while maintaining a human-in-the-loop approach. In the meantime, we can anticipate a growing number of emerging vulnerabilities, emphasizing the need for an effective prioritization strategy.

**About the Author**

Senior Threat Intelligence Analyst, Splunk

Audra Streetman is an active member of Splunk's global security team and previously contributed to Splunk's SURGe research team. Before arriving at Splunk, Audra worked as a reporter, producer, and news anchor at local TV stations in Indiana, California, Kentucky, and Colorado. Audra produced and co-hosted a podcast called The Security Detail, which examined the cyber threat landscape in different industries. Audra is a member of the GIAC Advisory Board and has several certifications, including GDAT, GCTI, Security+, Linux+, Network+, AWS Cloud Practitioner, and Splunk Enterprise Certified Admin.

Large-Scale Incidents &amp; the Art of Vulnerability Prioritization

Introduction In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.

**Introduction**

In February 2024, we released an update to Exchange Server which contained a security improvement referenced by CVE-2024-21410 that enabled Extended Protection for Authentication (EPA) by default for new and existing installs of Exchange 2019. While we’re currently unaware of any active threat campaigns involving NTLM relaying attacks against Exchange, we have observed threat actors exploiting this vector in the past.  

With the release of Windows Server 2025 earlier this month, we released a similar security improvement to Azure Directory Certificate Services (AD CS) by enabling EPA by default. Additionally, as part of the same Windows Server 2025 release, LDAP now has channel binding enabled by default. These security enhancements mitigate risk of of NTLM relaying attacks by default across three on-premise services: Exchange Server, Active Directory Certificate Services (AD CS), and LDAP.

**Background**

NTLM relaying is a popular attack method used by threat actors that allows for identity compromise. An NTLM relay attack typically involves two steps:

1.  Coercing a victim to authenticate to an arbitrary endpoint.
    
2.  Relaying the authentication against a vulnerable target.
    

By forwarding or relaying credentials to a vulnerable endpoint, attackers can authenticate and perform actions on behalf of the victim. This gives attackers an initial foothold for further domain compromise. To stop exploitation in its tracks, it’s essential to address the first class of issues. These vulnerabilities provide attackers with an initial primitive for exploitation. However, to comprehensively mitigate relaying attacks, we need to holistically address vulnerable services by default. Since EPA or other channel binding mechanisms ensure that clients can only authenticate to their intended server, these mitigations play an important role in securing services against NTLM relay attacks.

**Enabling NTLM Relay mitigations**

In the past, Microsoft observed threat actors exploiting services that lack NTLM relaying protections. These include CVE-2023-23397 (an Outlook entry point relayed against Exchange server), CVE-2021-36942 (a LSARPC entry point relayed against Active Directory Certificate Services (AD CS)), and ADV190023 (a WPAD entry point relayed against Lightweight Directory Access Protocol (LDAP)). From these instances, attackers clearly leverage relaying attacks in their campaigns.

In response to these observed NTLM relaying attacks, Microsoft released guidelines for enabling EPA on AD CS, LDAP, and Exchange Server. While this measure does help protect domains against NTLM relaying attacks, it requires manual intervention from a network administrator, which may not be feasible in all environments. Therefore, we have been working to enable NTLM relaying protections by default, which would automatically safeguard environments against such attacks.  

**Exchange Server**

It is important to note the unique role that Exchange Server plays in the NTLM threat landscape, which is why we prioritized hardening it by default. Office documents and emails sent through Outlook serve as effective entry points for attackers to exploit NTLM coercion vulnerabilities, given their ability to embed UNC links within them. Recent vulnerabilities involving NTLM and Office applications include CVE-2024-21413, CVE-2023-23397, and CVE-2023-36563. While we actively fix specific instances of NTLM authentication coercion, attackers often use these vulnerabilities to relay authentication against a vulnerable server, which can lead to compromise of a victim’s account. Exchange Server can be the prime target in such cases since it is a frequently used mail provider across enterprises.  

Earlier this year, with the release Exchange Server 2019 CU 14, Exchange Server now has EPA enabled by default. Exchange Server 2016 is in extended support, and no further CUs are planned for this version. Customers using Exchange Server 2016 can enable EPA via a script.

We recognize that EPA may not be trivial to enable for all environments. A significant portion of enabling EPA by default involved supporting additional scenarios that were not compatible with EPA before. For more information on EPA enablement in your environment, refer to the guidance provided in both the security advisory and the Exchange update blog.

**AD CS and LDAP**

We are also excited to announce that the latest Windows Server 2025, which is now generally available, ships with EPA enabled by default for both AD CS and LDAP. Note that the current default setting for EPA in Server 2025 is Enabled - When Supported, to allow clients that do not support channel bindings to omit them. A stronger EPA security setting for enterprises who do not need to support legacy clients is Enabled – Always, and we hope to move the needle further in future versions of Windows. Additionally, Administrators on Windows Server 2022 and 2019 can manually enable EPA for AD CS and Channel binding for LDAP. We have enabled auditing support for LDAP to identify machines that do not support channel binding to help IT administrators move towards enabling channel binding by default by upgrading to versions that support channel binding.  

With the security-focused default settings for EPA on Exchange Server 2019 CU14 released earlier this year and for AD CS and LDAP released as part of Windows Server 2025, we have enforced strong defenses against preventing NTLM relay attacks on those versions. Additional changes to default EPA enablement are currently in the pipeline for more Windows services. Moving forward, we will continue our efforts to enable EPA across more services by default in future versions, aiming to eliminate this class of NTLM relay attacks entirely.

**Looking ahead: The future of NTLM**

NTLM is a legacy protocol and we have been recommending users to prepare for NTLM being disabled by default in a future version of Windows. We have also been encouraging customers to catalogue and reduce dependencies of NTLM usage and explore moving over to modern authentication protocols like Kerberos. In the interim, we are exploring various strategies to harden against NTLM attacks. A notable development is that in Windows Server 2025 and Windows 11 24H2, NTLMv1 has been removed and the more commonly used NTLM v2 is deprecated. Additionally, admins now have the option to configure SMB to block NTLM.  

The progress towards enforcing secure by default across the ecosystem is aligned with principles from Microsoft’s Secure Future Initiative. As we progress towards disabling NTLM by default, immediate, short-term changes, such as enabling EPA in Exchange Server, AD CS and LDAP reinforce a ‘secure by default’ posture and safeguard users from real-world attacks. We look forward to investing in more secure-by-default NTLM hardening measures across supported versions in the near future.

The security mitigations here are a result of the tremendous work across multiple teams and organizations within Microsoft, notably, Exchange and Windows. Special thanks to Nino Bilic, Matthew Palko, and Wayne McIntyre for their help and support with this blog.

_Rohit Mothe_

_George Hughey_

_MSRC Vulnerabilities & Mitigations Team_

Mitigating NTLM Relay Attacks by Default

Plus: Russian spies keep hijacking other hackers’ infrastructure, Hydra dark web market admin gets life sentence in Russia, and more of the week’s top security news.

A consortium of global law enforcement agencies led by Britain’s National Crime Agency announced a takedown operation this week against two major Russian money-laundering networks that process billions of dollars each year in more than 30 locations around the world. WIRED had exclusive access to the investigation, which uncovered new and troubling laundering techniques, particularly schemes to directly change cryptocurrency for cash. As the United States government scrambles to address China’s “Salt Typhoon” digital espionage campaign into US telecoms, two senators demanded this week that the Department of Defense investigate its failure to secure its own communications and address known vulnerabilities in US telecom infrastructure. Meanwhile, Signal Foundation president Meredith Whittaker spoke at WIRED’s The Big Interview event in San Francisco this week about Signal’s enduring commitment to bring private, end-to-end encrypted communication services to people all over the world regardless of geopolitical climate.

A new smartphone scanner from the mobile device security firm iVerify can quickly and easily detect spyware and has already flagged seven devices infected with the invasive Pegasus surveillance tool. Programmer Micah Lee built a tool to help you save and delete your X posts after he offended Elon Musk and was banned from the platform. And privacy advocate Nighat Dad is fighting to protect women from digital harassment in Pakistan after escaping from an abusive marriage.

The US Federal Trade Commission is targeting data brokers who it says unlawfully tracked protesters and US military personnel, but the enforcement efforts seem likely to trail off under the Trump administration. Similarly, the US Consumer Financial Protection Bureau has devised a strategy to impose new oversight on predatory data brokers, but the new administration may not continue the initiative. Some new laws are finally coming around the world in 2025 that will attempt to regulate the dysfunction of the digital advertising industry, but malicious advertising is still booming around the world and continues to play a big role in global scamming.

And there’s more. Each week, we round up the security and privacy news we didn’t cover in-depth ourselves. Click the headlines to read the full stories. And stay safe out there.

**US Officials Urge Americans to Encrypt Calls and Texts After Chinese Telecom Hacking**

Remember how the US federal government spent much of the last three decades periodically decrying the dangers of strong, freely available encryption tools, arguing that because they enable criminals and terrorists, they should be outlawed or required to implement government-approved backdoors? As of this week, the government will never again be able to make that argument without privacy advocates pointing to a particular phone call where two officials recommended Americans use exactly those encryption tools to protect themselves amidst an ongoing massive breach of US telecoms by Chinese hackers.

In a briefing with reporters about the breach of no fewer than eight phone companies by the Chinese state-sponsored espionage hackers known as Salt Typhoon, officials from the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI both said that amid the still-uncontrolled infiltration of US telecoms that have exposed calls and texts, Americans should use encryption apps to safeguard their privacy. “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication,” said Jeff Greene, CISA’s executive assistant director for cybersecurity. (Signal and WhatsApp, for instance, end-to-end encrypt calls and texts, though the officials didn’t name any particular apps.)

The recommendation amid what one senator has called “the worst telecom hack in our nation’s history” represents a stunning reversal from previous US officials’ rhetoric on encryption, and in particular the FBI’s repeated calls for access to backdoors in encryption. In fact, it was exactly this sort of government-approved wiretap capability requirement for US telecoms that the Salt Typhoon hackers in some cases exploited to access Americans communications.

**Russia’s FSB Hackers Keep Hijacking Other Hackers’ Infrastructure for Spying**

The hacker group known as Secret Blizzard, Snake, or Turla, widely believed to work for Russia’s FSB intelligence agency, is known for using some of the most ingenious hacking techniques ever seen to spy on its victims. One of the tricks that’s now become its signature move: hacking the infrastructure of other hackers to stealthily piggyback on their access. This week Microsoft’s threat intelligence researchers and security firm Lumen Technologies revealed that Turla gained access to the servers of a Pakistan-based hacker group and used its visibility into victim networks to spy on government, military and intelligence targets in India and Afghanistan of interest to the Kremlin. In some cases, Turla hijacked the Pakistani hackers’ access to install their own malware, while in other instances they appear to have used the other group’s tools for even greater stealth and deniability. The incident marks the fourth known time since 2017, when it penetrated an Iranian hacker group’s command-and-control servers, that Turla has freeloaded on another hacker group’s infrastructure and tooling, according to Lumen.

**Admin of Russian Dark Web Market Hydra Sentenced to Life in Prison**

The Russian government is known for turning a blind eye to cybercrime—until it doesn’t. This week 15 convicted members of the notorious dark web market Hydra learned the limits of that forbearance when they reportedly received prison sentences ranging from 8 years to 23 years, as well an unprecedented life sentence for the site’s creator Stanislav Moiseyev. Before it was taken down two years ago in a law enforcement operation led by IRS criminal investigators in the US and Germany’s BKA police agency, Hydra was a uniquely sprawling dark web marketplace, one that not only served as the post-Soviet world’s biggest online bazaar for narcotics but also a vast money laundering machine for crimes including ransomware, scams, and sanctions evasion. In total, Hydra enabled more than $5 billion dollars in dirty cryptocurrency transactions since 2015, according to crypto tracing firm Elliptic.

**Suspected Ransomware Actor “Wazawaka” Reportedly Charged and Apprehended by Russia**

Russian law enforcement charged and arrested a software developer last week who is suspected of prolific contributions to multiple ransomware groups, including building malware to extort money from businesses and other targets. The suspect is reportedly Mikhail Matveev, or “Wazawaka,” who has worked as an affiliate with ransomware gangs like Conti, LockBit, Babuk, DarkSide, and Hive. Social media reports indicate that Matveev confirmed his indictment and said that he has been released from law enforcement custody on bail.

Russia’s prosecutor general did not name Matveev, but described charges last week against a 32-year-old hacker under Article 273 of Russia’s Criminal Code, which bans the creation or use of malware. The move came as Russia seemed to be sending some sort of message about its tolerance for cybercrime with the sentencing of the dark web marketplace Hydra’s staff, including a life sentence for its administrator. In 2023, the US government indicted and sanctioned Matveev.

**FBI Is Investigating Exxon Lobbyist Firm Over Hack-and-Leak Operation Targeting Activists**

In a disturbing scoop (one we didn’t cover last week due to the Thanksgiving holiday), Reuters reporters have revealed that the FBI is now investigating a lobbying consultancy hired by Exxon over the firm’s role in a hack-and-leak operation that targeted climate change activists. DCI Group, a lobbying firm hired at the time by Exxon, allegedly gave a list of target activists to a private investigator who then outsourced a hacking operation against those targets to mercenary hackers. After the private investigator—an Israeli man named Amit Forlit, who was later arrested in London and faces US hacking charges—allegedly gave the hacked material to DCI, it leaked the activists’ internal communications about climate change litigation against Exxon to the media, Reuters discovered. The FBI, according to Reuters, has determined that DCI also first previewed that material to Exxon before leaking it. “Those documents were directly employed by Exxon to come after me with all guns blazing,” one attorney working with the activist group, the Center for Climate Integrity, told Reuters. “It turned my life upside down.”

Exxon has denied knowing about any hacking activities and DCI told Reuters in a statement that “we direct all our employees and consultants to comply with the law.”

US Officials Recommend Encryption Apps Amid Chinese Telecom Hacking

Cybersecurity researchers have warned of a new scam campaign that leverages fake video conferencing apps to deliver an information stealer called Realst targeting people working in Web3 under the guise of fake business meetings.
"The threat actors behind the malware have set up fake companies using AI to make them increase legitimacy," Cado Security researcher Tara Gould said. "The company

Hackers Using Fake Video Conferencing Apps to Steal Web3 Professionals' Data

The activity-recording capability has drawn concerns from the security community and privacy experts, but the tech giant is being measured in its gradual rollout, which is still in preview mode.

Source: Pictorial Press Ltd via Alamy Stock Photo

NEWS BRIEF

Microsoft has expanded access for its Windows Recall feature to Copilot+ PCs that use AMD and Intel chipsets, after initially offering it to users with Snapdragon-powered machines. And, it has now launched in Europe.

The launch is part of a gradual rollout that for now is in a preview phase within the Windows Insiders testing community.

Recall is an AI-powered feature that allows PC users to record everything they do on their computers, and then go back to a desired "snapshot" of activity later. It's a useful tool, as Microsoft pointed out in its expansion announcement on Dec. 6: "It's now possible to quickly find and get back to apps, websites, images, or documents just by describing its content." But the capability also has sparked ongoing concerns about privacy and data security (Microsoft keeps and hosts the recorded content in the cloud), as well as the potential for the feature to be compromised and used for cyber-espionage ends.

The tech giant appears to be taking those concerns seriously; in June, it beefed up its planned privacy and security features for Recall, including data encryption, turning Recall off by default, and requiring users to enroll in Windows Hello biometrics authentication to prove they're present at the keyboard as recording is happening. It also added it to its bug bounty program to track down exploitable security vulnerabilities.

Microsoft has taken its time with the launch in light of the concerns; after being set to go live in June, Redmond pushed the release date for Recall back to October, and then to November, when it finally became available in limited release.

**About the Author**

Tara Seals has 20+ years of experience as a journalist, analyst and editor in the cybersecurity, communications and technology space. Prior to Dark Reading, Tara was Editor in Chief at Threatpost, and prior to that, the North American news lead for Infosecurity Magazine. She also spent 13 years working for Informa (formerly Virgo Publishing), as executive editor and editor-in-chief at publications focused on both the service provider and the enterprise arenas. A Texas native, she holds a B.A. from Columbia University, lives in Western Massachusetts with her family and is on a never-ending quest for good Mexican food in the Northeast.

Tag

#mac