Senior Detection Engineer

Joined June 2023
Isaac Dunham retweeted
A potential security incident is developing at ServiceNow. Customers received notifications about a suspicious IP accessing multiple customer tenants. The root cause appears to be a Scripted REST API endpoint that required no authentication by logging activity under the "Guest" user with no actual account. The resource had been in this state since at least 2018, and was only patched last Friday when ServiceNow set the requires_authentication flag to true. One affected organization works for critical infrastructure. Their internal security team is now conducting a full investigation. The issue was linked to the Australia platform release. ServiceNow has not issued a public statement and reports are ongoing. Thread: reddit.com/r/servicenow/comm…
Isaac Dunham retweeted
CVE-2020-2033, CVE-2020-2021, CVE-2020-2050, CVE-2026-0257, and now CVE-2026-0265. Authentication bypass, as in direct access to your internal networks over the Internet. This VPN architecture should be dead; get it off the Internet, it's a time bomb waiting to happen.
When Your VPN Opens Your Private Network to the Public! An auth bypass in Palo Alto PAN-OS CAS Auth (CVE-2026-0265) that lets an attacker connect to the company's GlobalProtect VPN. Blog - hacktron.ai/blog/cve-2026-02…
Isaac Dunham retweeted
Symantec has published its follow-up report on the advanced malware that was recently made public under the name Fast16. The report states that, based on technical evidence, it is almost certain that the primary goal of this malware was tampering with uranium implosion simulation computations, and with Iran's nuclear program, in the same period, and in parallel with the time frame in which the Stuxnet malware was being developed and built (2005). Stuxnet was completed roughly 2 years after that and was ultimately put to operational use. The new point presented in this report is the matching of the targeted computations against the behavioural characteristics of uranium and the simulation of its implosion (in a nuclear warhead). Unlike Stuxnet, this malware's method of spreading and infecting other systems on the network is simply abusing the current Windows user's access to connect to and use the internal network's network shares. The malware explicitly limits its infection of systems to the local network the host sits on, and infection of systems on other networks or on the Internet is prevented. At least as of this date, no evidence has been identified of the malware using 0-day or other known vulnerabilities to spread. The process by which this malware was discovered is also interesting in its own right. In 2017 a large portion of the NSA's documentation and offensive cyber tooling was leaked. Among thousands of files and documents, some related to the software package used by NSA operational operators for exploiting and gaining access to systems on a network. There is a common practice among professional and state cyber attackers known by the term Deconfliction. In this practice, before the operator/attacker does anything on a system they have gained access to, the system is checked for the presence of anti-malware software, monitoring, known footprints belonging to other threat actors and specifically other governments' malware, and even other friendly (state/private) groups. One of the leaked files in the NSA archive was exactly this checklist. Many of the items on this list were later identified, or were even matched at the time against known malware samples.
One interesting and mysterious line in that file, however, remained unidentified for years: "NOTHING TO SE HERE - CARRY ON, fast16" Several years later, the well-known security researcher @juanandres_gs began an unrelated research effort. Given that most state-sponsored and advanced malware in those years (and even now) performs part of its working and operational routines in the LUA programming language, and accordingly the language's interpreter engine is usually embedded in the malware, Juan started collecting and examining every sample file that showed traces of LUA and its interpreter, along with a set of other characteristics. A large number of samples were discovered and collected this way, and some of them were analysed. The driver file belonging to the Fast16 malware was among this set. The malware was even shared with and examined by several other specialists, but until recently none of those who examined it managed to correctly connect its computation-tampering routine to anything beyond it and to the software's main purpose. Then, thanks to the improved quality and capabilities of LLMs and with the help of AI, Juan and his colleague examined this sample once more in greater depth, and the AI (after several rounds of correction and exchange with the researcher) finally concluded that some of the items tampered with by the malware specifically relate to working routines in the LS-DYNA and AUTODYN software... and after this spark the other pieces of the puzzle fell into place and were completed. Symantec's new follow-up report: security.com/threat-intellig… Related follow-up news report: zetter-zeroday.com/experts-c… The old and famous Deconfliction checklist: github.com/DonnchaC/shadowbr…
Isaac Dunham retweeted
Hey folks, some personal news. I’m leaving Microsoft. It’s been a privilege to work here, and I’m incredibly grateful for the people I’ve worked with, the customers I’ve learned from, and the support so many of you have shown me along the way. I’m now starting out on my own and chasing a dream I’ve had for a long time: building software that makes security more practical, accessible, and useful for the people doing the work every day. Why now? With all the change happening around us, I feel like new possibilities are opening up. I want to spend this next chapter building things I care deeply about, solving problems that matter, and doing work that brings me joy. I’m excited. Nervous. Grateful. My newsletters, podcast, Maester and other tools will all be part of this next chapter, and I’ll share more in the coming weeks. Thank you for being part of the journey so far. I’m looking forward to building this next chapter with your support.
Isaac Dunham retweeted
If you have ever attempted to perform capacity planning for Microsoft Sentinel maybe 4 or 5 years ago, I am sure you remember the struggle. Archiving was harder (and often more expensive), log ingestion required far more complex technical architecture, and estimating costs with confidence was… let’s just say, not straightforward. Fast forward to today, and things have changed significantly. Microsoft has just introduced a new Microsoft Sentinel Cost Calculator, and it is a major step forward in simplifying how we approach planning and cost estimation for SIEM deployments. With this new experience, estimating Sentinel costs becomes:
More transparent – clearer visibility into ingestion, retention, and archive scenarios
More predictable – better alignment between expected and actual costs
More accessible – no need to build complex spreadsheets or reverse-engineer pricing models
This is important for potential customers who consider moving to Sentinel, as well as for existing customers who need to continuously review and optimize their environment. What is even more significant is the impact on DORA-regulated institutions. The ability to model and reassess capacity in a structured and repeatable way provides strong support for Article 7 (ICT systems, protocols and tools), specifically the requirement to regularly assess infrastructure capacity and plan for growth. In other words, this is not just a pricing tool, it is becoming an enabler for both better architecture decisions and stronger regulatory alignment. Check the tool here: microsoft.com/en-us/security…
Isaac Dunham retweeted
Want to ship syslog to Sentinel? You can't do that directly, install AMA.
Oh, it's an appliance? You need a syslog server with AMA installed.
Oh, it's on-prem? You need to install Arc, onboard it to Azure, then install AMA, then you can do it.
Forget it... I'm shipping to Cribl.
Isaac Dunham retweeted
We’ve received quite a few messages over the past few days about Get-UAL being broken. It turns out Microsoft made an update that impacted the script, but this has now been fixed in our latest release. Update-Module -Name Microsoft-Extractor-Suite While we were at it, we also added some additional features and improvements. Check out the release notes for all the details. github.com/invictus-ir/Micro… #stayInvictus #CloudIncidentResponse #MicrosoftExtractorSuite
Isaac Dunham retweeted
AADGraphActivityLogs: How to Detect Legacy Azure AD Graph Attacks. Today is a great day for Blue Teamers in the Microsoft Cloud! There are finally logs streaming into the #aadgraphactivitylogs table. If you want to know what's inside the logs and how to detect some #RoadRecon check out our write-up 👇 invictus-ir.com/news/the-mis… #stayInvictus #CloudIncidentResponse
Isaac Dunham retweeted
Together with @bzvr_, @2igosha and Anton Kargin, we identified that the DAEMON Tools software has been compromised in a complex supply chain attack since April 8. We see thousands of infections across 100 countries. If you use DAEMON Tools, run a malware scan immediately! [1/7]
Isaac Dunham retweeted
We didn't know how an actor was using EV Certificates issued to Lenovo and others. We now do. From DigiCert's incident report: "the threat actor used a compromised analyst endpoint to access DigiCert's internal support portal. The threat actor used a limited function within the customer-support portal which allows authenticated DigiCert support analysts to access customer accounts from the customer's perspective to facilitate support tasks. The threat actor was able to use this function to access initialization codes for orders that were approved but pending delivery for EV Code Signing certificate orders across a finite set of customer accounts." "Possession of the initialization code, combined with an approved order, is functionally sufficient to generate and retrieve the corresponding certificate." The full report can be found here and explains the incident in great detail: bugzilla.mozilla.org/show_bu… The report mentions "Where we got lucky: A community member involved in security research reported the evolving pattern of misused certificates and engaged in dialogue with our support team. Without that report, the undetected compromise of ENDPOINT2 and the associated mis-issuance might have remained undiscovered for a longer period." Special thanks goes to the regular contributors to the Cert Graveyard; @g0njxa , @malwrhunterteam , and others. Also special thanks to DigiCert: this report has a high level of transparency, which is warranted, and also well executed.
What do Lenovo, Kingston, Shuttle Inc, and Palit Microsystems have in common? EV Certificates from these companies were issued and used by a Chinese crime group, #GoldenEyeDog (#APT-Q-27)! Thanks @malwrhunterteam and @g0njxa for your contributions 1/7
Isaac Dunham retweeted
If you have worked with the make-graph operator, you know the struggle for building a well-defined query for bringing together nodes and edges. Well, that's history. Lift_To_Graph() and Graph_Render_View() can do the heavy work now. The era of shifting to relationships instead of tables is already here. #kql #kustoquery
New Blog: Unlock Different Security Perspectives with Kusto Graph Functions 🔗 kqlquery.com/posts/kql-graph… This blog explores how the Lift_To_Graph() and Graph_Render_View() functions make graph based detection, response and hunting scenarios easier.
Isaac Dunham retweeted
The #axios maintainer just confirmed #UNC1069 🇰🇵 used the same playbook we documented in February. Cloned a founder's identity. Built a convincing Slack workspace. Scheduled a call. Fake "update" deployed WAVESHAPER.V2. npm creds stolen. Trojanized axios update pushed.
Isaac Dunham retweeted
How Axios was compromised 🤯
Isaac Dunham retweeted
New Skills Vault Lesson: Dan Marr shows how attackers use ICMP tunneling for covert data transmission and how you can detect and investigate it.
Isaac Dunham retweeted
We’re seeing a “Missing Font” ClickFix chain in the wild. Flow:
1️⃣ Fake “Missing Font” prompt
2️⃣ Leads to a BSOD-style recovery screen
3️⃣ Prompts users to open Terminal/PowerShell directly (skipping the Run dialog) and execute commands
#infosec #DFIR #threatintel
Isaac Dunham retweeted
🦔 📹 Video: Building your own AI Malware Analysis Lab ➡️ old system, 16 GB RAM ➡️ using Remnux #MalwareAnalysisForHedgehogs #LLM youtube.com/watch?v=YOduz8VI…
Isaac Dunham retweeted
COMMANDER: We’re fighting for freedom. And part of that freedom… is the freedom to retire with dignity. So we’re going to start accounts called 401(k)s.
SOLDIER 1: What’s a 401(k)?
COMMANDER: It’s a retirement account. You put money in, it grows tax-free, you take it out when you’re old.
SOLDIER 2: So I don’t pay taxes on it?
COMMANDER: Well, you pay taxes later. When you withdraw.
SOLDIER 2: So it’s not tax-free.
COMMANDER: It’s…tax-deferred.
SOLDIER 2: What’s the difference?
COMMANDER: You pay taxes later instead of now.
SOLDIER 1: What if I want to pay taxes now?
COMMANDER: Then you do a Roth 401(k).
SOLDIER 3: What’s a Roth?
COMMANDER: You pay taxes now, and it grows tax-free.
SOLDIER 2: That’s what I thought the first one was.
COMMANDER: No, the first one you pay taxes later.
SOLDIER 1: Which one’s better?
COMMANDER: Depends on your tax bracket in retirement.
SOLDIER 1: …How would I…know that?
COMMANDER: You don’t. You just guess.
⸻
SOLDIER 4: What if I don’t have a 401(k) through my employer?
COMMANDER: Then you open an IRA.
SOLDIER 4: What’s the difference?
COMMANDER: One’s through your job, one’s on your own.
SOLDIER 4: Can I have both?
COMMANDER: Yes.
SOLDIER 4: Should I?
COMMANDER: Maybe.
SOLDIER 3: Can I do a Roth IRA?
COMMANDER: Only if you make under a certain amount.
SOLDIER 3: What’s the limit?
COMMANDER: Changes every year.
SOLDIER 2: What if I make too much?
COMMANDER: Then you do a backdoor Roth by putting it in a Traditional first.
SOLDIER 2: …Is that legal?
COMMANDER: Surprisingly, yes.
SOLDIER 1: What’s a backdoor Roth?
COMMANDER: You contribute to a traditional IRA, then convert it to a Roth…but watch out for “pro rata”.
SOLDIER 1: Why wouldn’t I just contribute to the Roth directly?
COMMANDER: Because you make too much money.
SOLDIER 1: But this way I can?
COMMANDER: Yes.
SOLDIER 1: That feels like a loophole.
COMMANDER: It is. But the IRS is cool with it.
⸻
SOLDIER 5: I just changed battalions. What do I do with my old 401(k)?
COMMANDER: You roll it over.
SOLDIER 5: Into what?
COMMANDER: An IRA. Or your new 401(k). Depends.
SOLDIER 5: On what?
COMMANDER: The funds. The fees. Whether your new plan accepts rollovers.
SOLDIER 5: What if I just take the money out?
COMMANDER: You’ll pay taxes plus a 10% penalty.
SOLDIER 5: What if I’m 59?
COMMANDER: Penalty.
SOLDIER 5: 59 and a half?
COMMANDER: No penalty.
SOLDIER 5: …The half matters?
COMMANDER: The half matters.
⸻
SOLDIER 3: What’s a mega backdoor Roth?
COMMANDER: Okay. So. Your 401(k) has a limit of how much you can contribute.
SOLDIER 3: Right.
COMMANDER: But the total limit including employer contributions is higher.
SOLDIER 3: Okay…
COMMANDER: So if your plan allows ~after-tax~ contributions, you can put in more, then convert that to Roth.
SOLDIER 3: Does my plan allow that?
COMMANDER: I don’t know. You have to ask Betsy.
SOLDIER 3: Will Betsy know?
COMMANDER: Probably not.
⸻
SOLDIER 2: Can I deduct my IRA contribution on my taxes?
COMMANDER: Are you covered by a retirement plan at work?
SOLDIER 2: Yes.
COMMANDER: Then only if you make under a certain amount per year.
SOLDIER 2: What’s the amount?
COMMANDER: Depends if you’re married.
SOLDIER 2: What if my wife has a plan but I don’t?
COMMANDER: Different limit.
SOLDIER 2: What if neither of us has a plan?
COMMANDER: Full deduction.
SOLDIER 2: So it’s better to not have a 401(k)?
COMMANDER: No…
⸻
SOLDIER 1: Can I just keep my money in a sock?
COMMANDER: You could. But inflation will slowly destroy it.
SOLDIER 1: What’s inflation?
COMMANDER: (sighs)…
Risk-based alerting (only surfacing alerts that *truly* pose a risk to your organization) is all the rage in detection engineering. I threw together a guide to quickly getting started with RBA in Microsoft Sentinel. isaacdunham.github.io/posts/… #DetectionEngineering #SIEM #Sentinel
Isaac Dunham retweeted
New research shows Credential Guard can still leak creds. By abusing Remote Credential Guard, attackers can request NTLMv1 challenge responses and recover NT hashes, even on fully patched Windows 11 with VBS and PPL. Microsoft confirmed and marked it “won’t fix.” PoC called DumpGuard. Full write-up by @SpecterOps specterops.io/blog/2025/10/2…