Posts

Microsoft has patched a critical Active Directory Domain Services (AD DS) vulnerability (CVE‑2026‑25177)

Image
  Microsoft has patched a critical Active Directory Domain Services (AD DS) vulnerability (CVE‑2026‑25177) that allows attackers with minimal privileges to escalate to full SYSTEM access. The flaw, rated 8.8 CVSS, affects Windows Server environments and was fixed in the March 2026 Patch Tuesday update. How the Exploit Works Unicode manipulation : Attackers use hidden Unicode characters to create duplicate SPNs or UPNs . Kerberos confusion : When a client requests a Kerberos ticket for a duplicate SPN, the domain controller issues a ticket encrypted with the wrong key. Fallback risk : This can trigger NTLM fallback (if enabled) or cause denial-of-service . Privilege escalation : With SPN write access, attackers can escalate to SYSTEM without touching the target server directly. Affected Systems Windows Server 2012 → Server 2025 Windows 10 and 11 (if acting as domain controllers) Any AD DS deployment with Kerberos and NTLM enabled Security Implications Domain-wide compro...

Entra Passkeys

Image
  Phishing‑resistant Windows sign‑ins via Entra passkeys Microsoft is adding passkey support for Microsoft Entra on Windows devices, enabling passwordless, phishing‑resistant authentication using Windows Hello (face, fingerprint, or PIN). Public preview rollout: mid‑March → late April 2026 Government clouds (GCC, GCC High, DoD): mid‑April → mid‑May 2026 This is part of Microsoft’s broader push to make all accounts passwordless by default , reducing credential‑theft attack surfaces. How Entra Passkeys Work Device‑bound, cryptographic, and non‑transmittable Passkeys are: Generated and stored locally in the Windows Hello secure container Bound to the device (not synced across machines) Unlocked via biometrics or PIN Never transmitted over the network , making them resistant to phishing, replay, and credential‑stealing malware Each Entra account registers its own passkey per device , and multiple accounts can coexist on one machine. Why This Matters for Unmanaged De...

My Site (has stopped producing)

Image
  It turns out the AI Security new information security bot decided to break free and call it a day, sorry for the delay in news alerts off. It will be back. -Corerouter

Notepad++ update service was compromised

Image
  Notepad++ update service was compromised Multiple independent security investigations confirm that Notepad++’s update infrastructure was hijacked between June and December 2025 . This was a supply-chain attack originating from a compromise at the hosting‑provider level , not from Notepad++’s code. What exactly was compromised? 1. Update traffic was intercepted and redirected Attackers manipulated the update endpoint ( getDownloadUrl.php ) so that some users requesting updates were silently redirected to malicious servers serving tampered executables . 2. It was targeted , not widespread All sources emphasize that only specific users were affected, likely in an espionage‑focused campaign , not a mass malware distribution effort. 3. Hosting provider compromise, not a Notepad++ bug The attackers gained access to the shared hosting environment , losing direct access in September 2025 but maintaining stolen internal service credentials through December 2, 2025. Attribution: Likely...

Broadcom is dismantling of VMware Cloud Service Providers (VCSPs)

Image
  What Broadcom Is Doing to the VCSP Program 1. Broadcom is shutting down the existing VCSP program Multiple sources confirm that Broadcom issued formal non‑renewal notices to many VMware Cloud Service Providers, ending contracts as of January 26, 2026 . Partners may finish existing commitments but cannot renew or create new long‑term contract commitments . 2. Moving to an invite‑only VCSP ecosystem Broadcom is replacing the open VCSP model with a highly selective, invite‑only program , keeping only a small fraction of providers . For example: • Only 19 providers in the U.S. were retained out of thousands. • Hundreds of European providers are being cut loose. 3. White Label program sunset (critical for smaller providers) The White Label model—previously the path for smaller CSPs—has been terminated (or will be phased out depending on region). This effectively eliminates market access for many small providers. 4. Providers that are cut must hand off customers Broadcom directs ...

Microsoft 365 Outlook Add-ins Being Weaponized

Image
  What’s Happening Multiple independent cybersecurity research labs (Varonis, KPMG, others) and news outlets confirm that Microsoft 365 Outlook add-ins are actively being weaponized to perform stealthy data exfiltration, persistence, phishing, and command‑and‑control (C2) —often without leaving forensic traces . Below is the detailed, source‑grounded breakdown. 1. Zero‑Trace Email Exfiltration via Malicious Outlook Add-ins  (Exfil Out&Look) Most significant attack technique identified. Varonis Threat Labs discovered a method— “Exfil Out&Look” —that abuses the Outlook add-in framework to silently exfiltrate sensitive email data. Key points: Silent deployment & execution Add-ins are just web apps defined by XML manifests (HTML/JS/CSS) with permissions. Attackers can deploy them: Per-user via Outlook Web Access (OWA) Tenant‑wide via admin permissions Massive blind spot for defenders OWA-installed add-ins generate no Unified Audit Log entries (even in E5 tenants). ...

FBI Seizes RAMP Cybercrime Forum

Image
The FBI has taken down RAMP (Russian Anonymous Marketplace) , one of the most active cybercrime forums used by ransomware gangs, initial access brokers, malware sellers, and extortion groups . The takedown affected both the clearnet and dark‑web (Tor) domains, which now display official FBI/DOJ seizure notices. Why RAMP Was Significant RAMP was: Known as “the only place ransomware allowed.” A major hub for groups including LockBit, ALPHV/BlackCat, Conti, DragonForce, Qilin, RansomHub , and more. A high‑trust marketplace offering malware, exploits, tutorials, and escrow services . Home to 14,000+ vetted users , some paying fees for anonymity. Impact of the Seizure 1. Major Disruption to Criminal Infrastructure The takedown is seen as a meaningful blow against ransomware‑as‑a‑service communities. 2. Forced Migration to Other Forums Criminal groups are already shifting activity to alternative platforms like Rehub . These migrations are chaotic and risky for criminals due to: Loss of rep...