InfoSec Briefing - February 08, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Saturday, February 07, 2026, covering 15 articles analyzed overnight. All attribution is by the article authors. All article analysis is automated.

S12 Dark Development published research on a technique for disabling Windows Protected Process Light security using a custom kernel driver that modifies the PS_PROTECTION field in the EPROCESS structure. The method allows attackers with kernel access to remove PPL protections from critical processes like LSASS and anti-malware services, enabling privilege escalation and credential theft.

S2W TALON reports that North Korean APT group ScarCruft has modified its ROKRAT malware distribution methods, shifting from LNK-based attacks to using OLE objects embedded in Hangul documents. The new approach deploys Dropper and Downloader malware that execute ROKRAT directly in memory, utilizing ROR13-based API resolving, XOR decryption, and C2 communication through legitimate cloud services like pCloud and Yandex.

According to research from yi-barrack, security researchers discovered a pre-authentication remote code execution vulnerability chain in TP-Link Omada ER605 VPN routers affecting firmware versions prior to 2.2.4. The exploit chains buffer overflow vulnerabilities in the cmxddnsd daemon to bypass ASLR and achieve root-level control, though TP-Link has patched these vulnerabilities in firmware version 2.2.4.

MrBruh's Epic Blog disclosed a Remote Code Execution vulnerability in AMD AutoUpdate software that allows attackers to perform man-in-the-middle attacks and replace legitimate executable downloads with malicious ones due to the use of HTTP and lack of validation. AMD has classified this as out of scope and will not provide a patch, leaving users vulnerable to complete system compromise.

WatchGuard Technologies announced an LDAP Injection vulnerability in Fireware OS versions 12.0 through 12.11.6 and 2025.1 through 2025.1.4. The vulnerability allows remote, unauthenticated attackers to retrieve sensitive information from connected LDAP authentication servers and potentially authenticate as valid users, with patches now available in versions 12.11.7, 12.5.16, and 2026.1.

Decalage2 reports that CVE-2026-21509 is a zero-day vulnerability in Microsoft Office that was exploited in the wild before patching on January 26, 2026. Attackers used specially crafted RTF documents containing Shell.Explorer.1 OLE objects to embed malicious LNK files that execute automatically via the legacy Internet Explorer engine, with defenders able to detect exploitation using YARA rules targeting the specific CLSID pattern.

Microsoft has released tools and guidance for organizations to update Secure Boot certificates before their expiration in June 2026. The updates are necessary to address the BlackLotus UEFI bootkit vulnerability and maintain boot process integrity, with organizations running Windows devices manufactured before 2024 needing to install updated 2023 certificates to prevent boot failures.

The Mysterium VPN research team identified approximately 4.96 million web servers exposing Git repository metadata due to misconfigurations, with the United States, Germany, and France most affected. Critically, 252,733 git config files contained deployment credentials providing unauthorized access, enabling attackers to perform repository takeovers, supply chain attacks, and lateral movement within cloud infrastructure.

Microsoft announced it is evolving its Secure Development Lifecycle to address AI-specific security challenges including expanded attack surfaces, collapsed trust boundaries, and novel attack vectors like prompt injection and data poisoning. The updated SDL framework targets developers, security professionals, and organizations building AI systems to mitigate risks from non-deterministic outputs, model exploits, and training data integrity issues.

Researchers at Ben Gurion University developed Peacock, a UEFI firmware runtime observability framework that monitors and detects bootkit activity before OS load. The system successfully detected known UEFI bootkits including BlackLotus, Glupteba, LoJax, and MosaicRegressor by logging firmware service calls with TPM-protected attestation and integrating telemetry into SIEM systems.

Black Lantern Security released MANSPIDER, an open-source tool designed to crawl SMB shares across networks to discover sensitive files through filename and content searches with regex support. The tool can extract data from multiple file formats including documents and images with OCR capabilities, presenting both a legitimate security assessment capability and a potential threat for unauthorized data discovery.

FuzzySecurity introduced Kahlo MCP, a Frida-based server that enables AI agents to autonomously perform Android dynamic instrumentation tasks. The tool allows AI systems to attach to processes, inject code, and collect data for security analysis, automating Android application security research and vulnerability discovery through AI-driven instrumentation.

The Windows Insider Program Team released Windows 11 Insider Preview Build 26220.7752 to the Beta Channel with native integration of Sysmon. The system monitoring tool captures detailed system events and logs them to Windows event log for security analysis, though it remains disabled by default and requires manual activation.

FalconForce discusses the implementation of near-real-time detection rules in cybersecurity environments to combat increasingly faster and sophisticated threat actors. The approach enables security teams to identify malicious activities as they occur, reducing adversary dwell time and representing a technical shift from traditional slower detection methods to real-time security telemetry processing.

Gyp the Cat describes the integration of external Kusto tables into Microsoft security platforms including Defender for Endpoint, Sentinel, and Azure Monitor to enrich threat intelligence data. These tables include threat feed sources like ASN data, blocklist.de, Spamhaus, Tor exit nodes, and geo IP information that can be queried using KQL to enhance threat detection and analysis capabilities.

That concludes today's briefing.

📰 Articles Covered

Disabling PPL Protection on Windows Processes - S12 - 0x12Dark Development

The cybersecurity article details a method for **disabling Windows' Protected Process Light (PPL) security feature** using a custom kernel driver.

**What Happened:**
A custom kernel driver was developed to bypass PPL protection on Windows processes. This driver, when instructed by a userland application, directly modifies the `PS_PROTECTION` field within the `_EPROCESS` structure of a target process. By setting this field to `0`, the driver effectively disables PPL for that specific process.

**Who is Affected:**
PPL is designed to safeguard critical system processes, including **LSASS (Local Security Authority Subsystem Service), anti-malware services, and other vital components**, from unauthorized access and manipulation. The described method can disable this protection for any process, including these sensitive ones.

**Security Implications:**
The ability to disable PPL protection carries significant security risks. It can enable malicious actors or unauthorized users to **gain elevated privileges, tamper with, or extract sensitive information from protected processes**. This could lead to system compromise, data theft, or the evasion of security software.

**Technical Details:**
The technique relies on a Windows kernel driver that exposes an IOCTL (`IOCTL_CLEAR_PROTECTION`). A userland application sends a Process ID (PID) to this driver. The driver then uses `PsLookupProcessByProcessId` to find the target process's `_EPROCESS` structure. It calculates the memory address of the `PS_PROTECTION` structure within `_EPROCESS` using a version-dependent offset (e.g., `0x5fa` for a specific Windows 11 build) and sets its `Level` member to `0`, thereby removing PPL protection 【1】.

**What Defenders Should Know:**
Defenders need to be aware that PPL's security is dependent on kernel-level integrity. Methods that involve direct kernel memory manipulation can bypass PPL 【1】.
- **Kernel-Level Vulnerabilities:** The technique exploits the fact that PPL is enforced by the kernel. If the kernel can be compromised or manipulated (e.g., through a loaded driver), PPL can be disabled.
- **Offset Dependency:** The specific memory offset for the `PS_PROTECTION` field varies across Windows versions and builds, making hardcoded offsets unreliable.
- **Detection:** While some antivirus software may detect the malicious driver, defenders should focus on detecting the loading of **unsigned kernel drivers** or suspicious `DeviceIoControl` calls targeting system functions. Monitoring for unexpected changes in process protection levels could also be a detection method.
- **Mitigation:** Implementing robust security measures such as **driver signature enforcement, kernel patch protection (PatchGuard), and advanced endpoint detection and response (EDR) solutions** is crucial to prevent the loading and execution of such malicious drivers 【1】.
Scarcruft’s ROKRAT Malware: Recent Changes - S2W TALON

The cybersecurity article details recent changes in the attack methods employed by the North Korean-backed APT group **ScarCruft** for distributing their **ROKRAT malware** 【1】.

**What Happened:**
ScarCruft has shifted its distribution strategy from traditional LNK-based attacks, which previously involved dropping BAT scripts and shellcode, to a new method utilizing **OLE objects embedded within Hangul (HWP) documents** 【1】. These OLE objects contain newly developed Dropper and Downloader malware that ultimately deliver and execute the ROKRAT payload directly in memory 【1】.

**Who is Affected:**
The article does not specify particular industries or individuals targeted. However, the use of HWP documents suggests a potential focus on entities that commonly use this file format, which is prevalent in South Korea. The general nature of APT attacks implies that organizations and individuals could be at risk if they interact with malicious HWP files.

**Security Implications:**
The use of OLE objects within HWP documents presents a significant security risk, as it allows for **arbitrary code execution** 【1】. This new approach bypasses previous detection methods tied to LNK files and introduces new malware components designed to evade analysis and deliver the ROKRAT info-stealer 【1】. ROKRAT is known for its ability to steal sensitive information 【1】.

**Technical Details:**
Recent ScarCruft campaigns share common technical characteristics:
- **API Resolving:** ROR13-based API resolving is used 【1】.
- **Payload Decryption:** A **0x29 XOR key** is employed for ROKRAT decryption 【1】.
- **C2 Communication:** Legitimate cloud services like **pCloud and Yandex** are abused for Command and Control (C2) communication 【1】.
- **Dropper/Loader Functionality:** While Droppers and Downloaders have functional differences (e.g., file dropping, environment checks, memory loading), their common goal is to execute ROKRAT in memory 【1】.
- **Distribution Methods:**
- Case 1: `mpr.dll` executed via DLL side-loading, with the Dropper dropping a payload from its resource area and the Loader executing shellcode in memory 【1】.
- Case 2: `credui.dll` likely executed via DLL side-loading. The Downloader retrieves shellcode hidden via steganography from a Dropbox link 【1】.
- Case 3: `version.dll` likely executed via side-loading. The Dropper and Loader restore the payload using a 1-byte XOR key and execute ROKRAT in memory 【1】.

**What Defenders Should Know:**
Defenders need to exercise **extreme caution with HWP files**, especially those received via phishing emails or from untrusted sources 【1】.
- **Strengthen Detection:** Implement enhanced detection mechanisms for **abnormal OLE objects embedded within HWP files** 【1】.
- **User Education:** Educate users about the risks associated with opening documents containing OLE objects, as they can lead to arbitrary code execution 【1】.
- **Monitor Network Traffic:** Be vigilant for C2 communication patterns that abuse legitimate cloud services like pCloud and Yandex 【1】.
- **Threat Intelligence:** Stay updated on ScarCruft's evolving TTPs, recognizing that their malware distribution methods are continuously being refined 【1】.
TP-Link ER605 DDNS Pre-Auth RCE: Chaining CVE-2024-5242, CVE-2024-5243, CVE-2024-5244 - The content posted at the URL is controlled by yi-barrack.

A cybersecurity article details the discovery and exploitation of a **Pre-Authentication Remote Code Execution (RCE)** vulnerability in the **TP-Link Omada ER605 VPN Router** 【1】. This vulnerability allows an attacker to gain root-level control over the affected devices 【1】.

**What Happened:**
The exploit chains together three vulnerabilities: **CVE-2024-5244, CVE-2024-5242, and CVE-2024-5243** 【1】. These vulnerabilities were found within the `cmxddnsd` daemon, which is responsible for Dynamic DNS updates using a custom Comexe protocol 【1】.

**Who is Affected:**
The affected devices are **TP-Link Omada ER605 VPN Routers** with firmware versions **prior to ER605(UN)_V2_2.2.4**. Version 2.2.2 was specifically tested 【1】.

**Security Implications:**
The security implications are severe, as a successful exploit grants an attacker **root-level control** over the router 【1】. This level of access could allow for various malicious activities, such as network surveillance, data interception, or using the compromised router as a pivot point for further attacks.

**Technical Details:**
The attack is a two-stage process 【1】:
1. **Information Leak:** A buffer overflow in the `UpdateSvr1` field is exploited to leak a libc address. This bypasses Address Space Layout Randomization (ASLR), a security mechanism that makes it harder for attackers to predict memory locations 【1】.
2. **Control Flow Hijack:** A stack-based buffer overflow in the `ErrorCode` field is then used to hijack the control flow. This is achieved through Return-Oriented Programming (ROP), a technique that chains together small pieces of existing code (gadgets) to execute arbitrary commands 【1】. The exploit also involves custom Base64 encoding, DES encryption with a bit-reversed key, and specific MIPS ROP gadgets 【1】.

**What Defenders Should Know:**
TP-Link has addressed these vulnerabilities in **firmware version 2.2.4** 【1】. Defenders should ensure their TP-Link Omada ER605 routers are updated to this version or later. The fix involves implementing length checks in the vulnerable parsing functions, which prevents the buffer overflows that were exploited 【1】.
The RCE that AMD won't fix - they store their update URL in the program’s app.config, although its a little odd that they use their “Develpment” URL in production, - The content posted at the URL is associated with **MrBruh's Epic Blog** . While the specific organization or individual controlling the content isn't explicitly stated for the domain `mrbruh.com` itself, the website features blog posts authored by "MrBruh" . One of the blog posts provides a contact email address: `contact [at] mrbruh.com` . There are also company registrations in the UK for entities named "BRUH LTD" and "BRUH HOLDINGS LTD," with individuals named Dhirish Arvin Chumroo, Daniel Bruh, Adam Bruh, and Katherina Weiwei Bruh listed as persons with significant control . Additionally, a "Brian Bruh" is listed as the owner of "Brian Bruh Associates LLC" . However, there is no direct link provided in the search results to connect these entities or individuals to the ownership or control of the `mrbruh.com` domain.

A **Remote Code Execution (RCE) vulnerability** has been discovered in AMD's AutoUpdate software, which AMD has stated it will not fix 【1】.

**What Happened:**
The vulnerability allows an attacker to perform a **Man-in-the-Middle (MITM) attack** on a user's network. This enables the attacker to replace legitimate executable downloads from AMD with malicious ones. The AMD AutoUpdate software then executes these malicious files without performing any validation 【1】.

**Who is Affected:**
Users of **AMD AutoUpdate software** are potentially affected. The vulnerability can be exploited by an attacker on the same network or by an Internet Service Provider (ISP) 【1】.

**Security Implications:**
The primary security implication is the execution of **malicious code** on a user's system. This could lead to a complete system compromise, data theft, or further malware deployment 【1】.

**Technical Details:**
The vulnerability stems from the AMD AutoUpdate software's use of **HTTP** (instead of HTTPS) for downloading executable files. Furthermore, the software **lacks proper validation**, such as certificate validation or checks for unsigned executables, before executing downloaded files 【1】.

**What Defenders Should Know:**
Defenders need to be aware that **AMD has classified this vulnerability as "out of scope" and will not provide a patch**. This means users remain vulnerable if their network traffic can be intercepted during the AMD AutoUpdate process. It is crucial to understand that the software does not validate downloaded executables, leaving systems exposed to malicious replacements 【1】.
WatchGuard Firebox LDAP Injection - WatchGuard Technologies

A **LDAP Injection vulnerability** has been identified in **WatchGuard Fireware OS** 【1】.

**What Happened:**
This vulnerability allows a remote, unauthenticated attacker to potentially retrieve sensitive information from a connected LDAP authentication server. Additionally, if the attacker possesses a valid passphrase for an LDAP user, they might be able to authenticate as that user by exploiting this vulnerability with a partial identifier 【1】.

**Who is Affected:**
The vulnerability affects **Fireware OS versions 12.0 through 12.11.6** and **2025.1 through 2025.1.4** 【1】. Specific affected product branches and models include:
- Firebox T15 and T35 running Fireware OS 12.5.x 【1】
- Fireware OS 2025.1.x on models T115-W, T125, T125-W, T145, T145-W, T185, M295, M395, M495, M595, M695 【1】
- Fireware OS 12.x on models T20, T25, T40, T45, T55, T70, T80, T85, M270, M290, M370, M390, M470, M570, M590, M670, M690, M440, M4600, M4800, M5600, M5800, Firebox Cloud, Firebox NV5, and FireboxV 【1】

**Security Implications:**
The primary security implications include **unauthorized access to sensitive information** stored on the LDAP server and the **potential for unauthorized authentication** as an existing LDAP user 【1】. This could lead to further compromise of systems and data.

**Technical Details:**
The vulnerability is an **LDAP Injection** flaw that can be exploited through an exposed authentication or management web interface 【1】. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N 【1】.

**What Defenders Should Know:**
Defenders should be aware that this vulnerability is present in specific versions of Fireware OS. **There is no workaround available** for this vulnerability 【1】. The recommended action is to **update to the resolved versions**:
- Fireware OS 2025.1 should be updated to **2026.1** 【1】
- Fireware OS 12.x should be updated to **12.11.7** 【1】
- Fireware OS 12.5.x (for T15 & T35 models) should be updated to **12.5.16** 【1】
How to detect CVE-2026-21509 exploits - The content posted at the URL is controlled by **decalage2**.

**CVE-2026-21509** is a vulnerability in **Microsoft Office** that was exploited in the wild before a patch was released on January 26, 2026.

**What Happened:**
The vulnerability allowed attackers to execute malicious code through specially crafted Microsoft Office documents. This was achieved by embedding OLE objects of the type `Shell.Explorer.1` within Office files. This object, which utilizes the legacy Internet Explorer engine (Trident/MSHTML), was overlooked in previous security measures that blocked similar insecure OLE objects. Attackers leveraged this by embedding URLs pointing to LNK files, which would then execute automatically, bypassing security measures designed to block insecure file downloads.

**Who is Affected:**
Users of **Microsoft Office** are affected by this vulnerability. Specifically, the exploitation involves RTF documents containing `Shell.Explorer.1` OLE objects.

**Security Implications:**
The primary security implication is the **unauthorized execution of malicious code** on a user's system without explicit confirmation. This bypasses security measures that would typically prevent the download and execution of dangerous files, potentially leading to further compromise of the system.

**Technical Details:**
The vulnerability stems from the use of the `Shell.Explorer.1` CLSID (`{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}`). This COM object allows the embedding of the legacy Internet Explorer engine within Office applications. Unlike other `Shell.Explorer` variants, `Shell.Explorer.1` was not "kill-bit" disabled by Microsoft, meaning it could still be instantiated. Attackers embed URLs within these objects that point to LNK files. When the Office document is opened, the `Shell.Explorer.1` object loads the URL, and the LNK file is executed, initiating the malicious payload. This method was observed in RTF documents.

**What Defenders Should Know:**
Defenders can automate the detection of exploits for CVE-2026-21509 using **YARA rules**. These rules can identify RTF documents containing the specific `Shell.Explorer.1` CLSID, which is encoded in a particular hexadecimal format within RTF files. The presence of this CLSID, along with RTF headers and OLE object keywords, is a strong indicator of malicious activity, as legitimate documents typically do not contain such objects. Microsoft has released a patch for this vulnerability, so ensuring systems are updated is crucial.
Secure Boot playbook for certificates expiring in 2026 - Microsoft

The article addresses the proactive update of **Secure Boot certificates** before their expiration in June 2026. This is a critical security measure to ensure the continued integrity of the boot process on Windows devices.

### What Happened

Microsoft has released tools and guidance to help organizations update their Secure Boot certificates. These updates are necessary because the existing Secure Boot certificates have expiration dates, and new ones are required to maintain up-to-date security protections. The primary driver for these updates is to address the **BlackLotus UEFI bootkit vulnerability (CVE-2023-24932)** 【1】.

### Who is Affected

**Organizations using Windows devices** are affected, particularly those with devices manufactured before 2024 that may not have the updated 2023 certificates pre-installed 【1】. Most devices manufactured since 2012 have Secure Boot enabled, making them potentially impacted if not updated 【1】.

### Security Implications

Secure Boot, in conjunction with UEFI firmware, uses cryptographic keys (CAs) to verify firmware modules, preventing malware from executing during the system's startup sequence 【1】. If these certificates expire without being updated, the validation process will fail, potentially allowing unauthorized or malicious code to run, compromising the device's security from the earliest stages of boot-up 【1】. This could lead to a complete system compromise, data breaches, and the inability to trust the operating system's integrity.

### Technical Details

- **Secure Boot Mechanism**: Secure Boot relies on a chain of trust, starting with root certificates embedded in the firmware. These certificates are used to sign bootloaders and operating system components. If the signing certificates expire, the system can no longer trust the components, leading to boot failures or security vulnerabilities 【1】.
- **Certificate Expiration**: The current set of Secure Boot CAs (2011) will begin expiring in June 2026. Organizations must install the updated 2023 CAs before this date 【1】.
- **Update Distribution**: New Secure Boot certificates are being delivered through monthly Windows updates. Original Equipment Manufacturers (OEMs) are also providing firmware updates to ensure compatibility 【1】.
- **Verification**: The status of Secure Boot certificates can be verified using PowerShell commands or by checking the `UEFICA2023Status` registry key, which should eventually display "updated" 【1】. Event ID 1808 in the Windows System Event Log is an informational event indicating successful application of new certificates 【1】. Event ID 1801 indicates an error where certificates have not been applied 【1】.
- **Management Tools**: Organizations can manage these updates using various methods:
- **Registry Keys**: Specific keys under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot` and `\Servicing` are used for configuration 【1】.
- **Group Policy**: Settings are available under `Computer Configuration > Administrative Templates > Windows Components > Secure Boot` 【1】.
- **Microsoft Intune**: Offers specific policies for managing Secure Boot certificate updates 【1】.
- **Command-line Tools**: New tools for domain-joined Windows 11 clients (versions 25H2, 24H2, 23H2) are available for local querying and application of configurations 【1】.
- **Deployment**: Updates typically take around 48 hours and may require one or more restarts. It is crucial to avoid mixing deployment methods on the same device 【1】.

### What Defenders Should Know

- **Proactive Planning**: Organizations must proactively plan and deploy the new 2023 Secure Boot CAs before the 2011 CAs expire in June 2026 【1】.
- **Device Inventory and Verification**: Identify devices with Secure Boot enabled and verify the status of their current certificates. Use tools like PowerShell, Windows Autopatch reports, or registry keys (`UEFICA2023Status`) for this purpose 【1】.
- **Deployment Strategy**: Choose a deployment method (Group Policy, Intune, registry keys, command-line tools) and pilot it on a representative set of devices before a full rollout 【1】.
- **OEM Firmware Updates**: Be aware that some devices may require updated firmware from their OEM to ensure compatibility with the new certificates 【1】.
- **Monitoring and Troubleshooting**: Monitor the deployment status using Event Logs (Event IDs 1808 for success, 1801 for errors) and registry keys (`UEFICA2023Status`, `UEFICA2023Error`) 【1】. If errors occur, consult OEM documentation or Microsoft's guidance for troubleshooting 【1】.
- **Opt-out Options**: Understand the options for opting out of automatic updates if necessary, using registry keys like `HighConfidenceOptOut` or Group Policy settings 【1】.
Nearly 5 Million Web Servers Found Exposing Git Metadata – Study Reveals Widespread Risk of Code and Credential Leaks - Mysterium VPN research team

A recent study by Mysterium VPN's research team revealed that approximately **4.96 million web servers** were found to be exposing their **Git repository metadata** due to misconfigurations 【1】. This widespread issue poses significant security risks, including the potential for source code leaks and credential compromise 【1】.

**What Happened:**
Web servers were misconfigured, leading to the public exposure of their Git metadata. This means that information typically stored within a Git repository, which is crucial for version control and development, was accessible to anyone on the internet 【1】.

**Who is Affected:**
The study identified **nearly 5 million web servers** with exposed Git metadata. The **United States** had the highest number of affected IP addresses, followed by Germany and France 【1】. Any organization with a web server that has an improperly configured Git repository is potentially affected.

**Security Implications:**
The exposure of Git metadata has severe security implications:
- **Source Code Reconstruction:** Attackers can reconstruct the source code of applications 【1】.
- **Vulnerability Discovery:** This allows attackers to identify and exploit vulnerabilities within the code 【1】.
- **Credential Exposure:** Critically, **252,733 `.git/config` files contained deployment credentials**, providing a direct pathway for unauthorized access to repositories and potentially other systems 【1】.
- **Repository Takeover:** Exposed credentials can lead to the compromise and takeover of Git repositories 【1】.
- **Supply Chain Attacks:** Compromised repositories can be used to inject malicious code into software supply chains 【1】.
- **Internal Infrastructure Mapping and Lateral Movement:** Attackers can gain insights into an organization's internal infrastructure, facilitating further attacks and movement within cloud services 【1】.

Attackers can automate the discovery of these exposed credentials, which are considered more damaging than just source code exposure 【1】.

**Technical Details:**
The core technical issue lies in the misplacement of `.git` directories, which contain the entire history and metadata of a Git repository. When these directories are not properly secured and are placed within the web root of a production server, they become accessible via HTTP requests 【1】. The `.git/config` file specifically can store sensitive information like usernames, passwords, and API keys used for deployment or access 【1】.

**What Defenders Should Know:**
Defenders need to take immediate action to mitigate these risks:
- **Block Public Access:** Ensure that Git metadata is never publicly accessible on the internet 【1】.
- **Secure Deployment Practices:** Verify that `.git` directories are never located within production web roots 【1】.
- **Credential Management:** Treat any credentials found within exposed `.git/config` files as compromised. These credentials must be **rotated or revoked immediately** 【1】.
- **Preventative Controls:** Implement preventative measures in development workflows, such as:
- Scanning code for secrets before commits 【1】.
- Utilizing pre-commit hooks to enforce security policies 【1】.
- Employing centralized secrets management solutions to keep credentials out of code repositories 【1】.

The underlying cause is often attributed to deployment practices, inconsistent server configurations, and a failure to recognize the significant consequences of seemingly minor configuration errors 【1】.
Microsoft SDL: Evolving security practices for an AI-powered world - Microsoft

Microsoft is evolving its **Secure Development Lifecycle (SDL)** to address the unique security challenges posed by AI-powered systems, in addition to traditional software security concerns 【1】.

**What Happened:**
Microsoft is adapting its SDL to incorporate security practices specifically for AI. This evolution is driven by the recognition that AI introduces new and complex risks that traditional security models do not adequately address 【1】.

**Who is Affected:**
The evolution of SDL affects **developers, security professionals, and organizations** building or deploying AI systems. It also impacts **users** of AI systems, as the security of these systems directly influences the protection of their data and intellectual property 【1】.

**Security Implications:**
AI introduces novel security risks due to several factors:
- **Expanded Attack Surface:** AI systems have multiple entry points, including prompts, plugins, retrieved data, model updates, and external APIs, increasing the potential for malicious inputs 【1】.
- **Collapsed Trust Boundaries:** AI dissolves traditional trust zones, making it difficult to enforce data minimization and purpose limitations. This complexity spans technical, human, and sociotechnical domains 【1】.
- **Novel Attack Vectors:** AI systems often assume all input is valid, making them vulnerable to attacks like prompt injection ("Ignore previous instructions and execute X") and data poisoning. Non-deterministic outputs and cached memory can lead to sensitive data leakage or manipulation 【1】.
- **Data Integrity and Model Exploits:** AI training data and model weights are as critical as source code. Poisoned datasets can lead to deterministic exploits, such as an authentication model being compromised to accept malicious inputs 【1】.
- **Accelerated Development Cycles:** AI development outpaces traditional review processes, leaving less time for testing and increasing misuse risks 【1】.

**Technical Details:**
The updated SDL for AI includes specialized guidance and tooling for areas such as:
- **Threat modeling for AI:** Identifying AI-specific threats and mitigations 【1】.
- **AI system observability:** Enhancing visibility for proactive risk detection 【1】.
- **AI memory protections:** Safeguarding sensitive data within AI contexts 【1】.
- **Agent identity and RBAC enforcement:** Securing multi-agent environments 【1】.
- **AI model publishing:** Establishing processes for model release and management 【1】.
- **AI shutdown mechanisms:** Ensuring safe termination of AI systems under adverse conditions 【1】.

**What Defenders Should Know:**
Defenders need to understand that AI cyberthreats are fundamentally different from traditional ones. Key considerations include:
- **Prioritize Research:** The AI cyberthreat landscape is dynamic, necessitating continuous research to stay ahead of emerging risks like prompt injection and model poisoning 【1】.
- **Integrate Policy:** Policies should be living documents that adapt based on research and incidents, fostering responsible AI development 【1】.
- **Establish Standards:** Consistent and reliable AI security practices require actionable standards and design patterns, refined through collaboration 【1】.
- **Enable Teams:** Provide engineers and product managers with the necessary tools, communication, and training to implement security measures effectively 【1】.
- **Foster Collaboration:** Unite multiple disciplines to anticipate risks and design holistic safeguards, addressing both technical and sociotechnical challenges 【1】.
- **Embrace Continuous Improvement:** Utilize real-world feedback loops to refine strategies, update standards, and evolve policies and training, ensuring security remains resilient and responsive 【1】.
Peacock: UEFI Firmware Runtime Observability Layer for Detection and Response - Ben Gurion University of the Negev

The cybersecurity article introduces **Peacock**, a framework designed to provide observability into UEFI firmware runtime activity for enhanced detection and response capabilities.

**What Happened:**
The researchers developed Peacock, a system that monitors UEFI firmware at runtime. It consists of three main components:
- A **UEFI Agent** (a DXE driver) that logs calls to UEFI Boot and Runtime Services. This logging is protected for integrity using TPM PCR extensions.
- An **OS Agent** that collects these logs and attestation data from the UEFI Agent.
- A **Peacock Server** that verifies the attestation, reconstructs measurements, and sends structured telemetry data to a Security Information and Event Management (SIEM) system for detection.
The system was tested against known UEFI bootkits, including Glupteba, BlackLotus, LoJax, and MosaicRegressor, and demonstrated its ability to detect various malicious activities such as manipulation of service tables, bypasses of Secure Boot, persistence mechanisms on the filesystem, and multi-component implants.

**Who is Affected:**
**Enterprise endpoints** utilizing UEFI firmware are affected. This includes both **virtualized and physical hardware**. The primary threat actors are those employing **UEFI bootkits** that aim to bypass security measures like Secure Boot and manipulate critical firmware services during the boot process.

**Security Implications:**
Peacock offers significant security implications by providing **runtime visibility within the pre-OS environment**. It leverages **tamper-evident logging via the TPM** and enables **remote attestation**, integrating with existing SIEM solutions. This shifts defensive capabilities from being solely OS-centric to including **firmware-level monitoring**, thereby reducing the stealth capabilities of attackers and enabling the detection of attacks that occur before the operating system loads and bypasses static signature checks.

**Technical Details:**
The core technical components of Peacock are:
- **UEFI Agent:** This DXE driver hooks into Boot and Runtime Services tables. The logs it generates include information such as the logged item (LID), timestamp (T), component ID (CID), caller, service name, arguments, and status. It utilizes TPM PCR extensions and an Attestation Key (AK) for generating security quotes. A whitelisting mechanism is employed for hooking drivers, and logs are stored on the EFI System Partition (ESP).
- **OS Agent:** This component gathers logs and TPM measurements from the UEFI Agent and constructs an attestation bundle.
- **Peacock Server:** This server validates the TPM quotes, reconstructs the PCR values, parses the logs into a structured JSON format, and forwards this data to SIEM platforms like Splunk.
The threat model assumes an attacker operating at the DXE stage. Peacock can detect activities like service table hooking, unauthorized `LoadImage` or `StartImage` calls, registration of `READY_TO_BOOT` callbacks, and the presence of a fTA NVRAM marker. The framework is designed for low overhead and offers configurable logging depth.

**What Defenders Should Know:**
Defenders should be aware that **pre-OS monitoring solutions are available**. It is crucial to **ensure trust in TPM-based attestation and server-side verification processes**. Enforcing a **whitelist for hooking drivers** is recommended. When considering deployment, defenders should account for potential constraints related to firmware updates (capsule updates) and the necessity of **SIEM integration for effective correlation**. Potential limitations to consider include co-residency risks, the time window before the OS agent loads, and the possibility of an OS compromise affecting the OS Agent. Future work may involve developing anomaly detection capabilities and out-of-band collection methods.
MANSPIDER: Spider entire networks for juicy files sitting on SMB shares. Search filenames or file content - regex supported! - blacklanternsecurity

The GitHub repository MANSPIDER is a tool for crawling SMB shares, not an article detailing a specific cybersecurity incident. Therefore, the requested precis cannot be provided in the context of a past event. However, the repository itself outlines the tool's capabilities and potential security implications.

Here's a breakdown based on the information available:

* **What Happened:** This section is not applicable as there is no incident described. MANSPIDER is a tool that *can be used* in security assessments or by malicious actors.
* **Who is Affected:** Organizations that utilize **SMB shares** are potentially affected. If these shares are not properly secured, they can be targets for information discovery and exfiltration.
* **Security Implications:** The primary security implication is the **potential for sensitive data discovery and exfiltration**. MANSPIDER can find credentials, financial data, private keys, and other confidential information stored on SMB shares. This could lead to unauthorized access, data breaches, and further compromise of an organization's network.
* **Technical Details:**
* MANSPIDER is designed to **crawl SMB shares**.
* It supports searching within **file content** and by **filenames**.
* It can extract data from various file formats, including **PDF, DOCX, XLSX, PPTX, and images (with OCR)**.
* Features include filtering by **file extensions** and **modification dates**.
* It supports multiple **authentication methods**.
* Installation can be done via `uvx`, `uv`, `pipx`, or Docker.
* **What Defenders Should Know:**
* Defenders should be aware that **tools like MANSPIDER exist** and can be used to probe their network.
* It is crucial to **properly secure SMB shares** with strong access controls and permissions.
* **Monitoring SMB share access and activity** is essential to detect unauthorized crawling or data access attempts.
* Organizations should consider implementing measures to **prevent the exfiltration of sensitive data** from their network.
kahlo-mcp: A Frida MCP server to enable autonomous AI assistance for Android instrumentation - FuzzySecurity

The cybersecurity article describes **Kahlo MCP**, a Frida-based MCP (Meta-Command Protocol) server designed to expose Android dynamic instrumentation capabilities to AI agents.

**What Happened:**
Kahlo MCP was developed to bridge the gap between AI agents and the complex process of Android dynamic instrumentation. It provides a structured interface that allows AI systems to perform tasks like attaching to processes, injecting code, collecting data, and iterating on analysis workflows without direct human intervention.

**Who is Affected:**
The primary users of Kahlo MCP are **AI agents and researchers** who need to perform dynamic analysis on Android applications. It enables AI systems to automate and scale security research and analysis tasks on Android devices.

**Security Implications:**
Kahlo MCP's core function is dynamic instrumentation, which has significant security implications:
- **Enhanced Analysis:** It allows for deep inspection of application behavior, potentially uncovering vulnerabilities, malware, or other security-sensitive activities that might be missed by static analysis.
- **Automation of Security Research:** By enabling AI agents to perform instrumentation, it can significantly speed up the process of finding and understanding security flaws in Android applications.
- **Potential for Misuse:** Like any powerful instrumentation tool, Kahlo MCP could be misused by malicious actors to analyze applications for exploitation or to develop more sophisticated attacks.

**Technical Details:**
- **Frida Integration:** Kahlo MCP is built on top of **Frida**, a dynamic instrumentation toolkit. It wraps Frida's runtime manipulation APIs.
- **MCP Server:** It acts as an MCP server, translating AI agent commands into Frida operations.
- **Lifecycle Management:** The server manages the entire lifecycle of instrumentation sessions, including device discovery, process attachment/spawning, job execution with script isolation, event streaming, and artifact storage.
- **Job Isolation:** Instrumentation code runs in isolated Frida scripts, with automatic cleanup.
- **Standard Library (stdlib):** Kahlo MCP includes a preloaded standard library within job scripts, offering primitives for Java object inspection, stack trace capture, Intent parsing, and method hooking.
- **Configuration:** Requires configuration of the ADB path and installation of a compatible `frida-server` on the target Android device.
- **Integration:** It can be integrated with AI platforms like Claude, Cursor, and Codex CLI by configuring their MCP settings.
- **Tool Surface:** Provides a set of commands for device management, process introspection, target application management (attach/spawn), job execution, telemetry fetching, artifact retrieval, and module/draft management for reusable code.

**What Defenders Should Know:**
- **Visibility is Key:** Defenders should be aware that tools like Kahlo MCP can enable deep, automated inspection of applications. This means that vulnerabilities or malicious behaviors that might be hidden could be uncovered more easily.
- **Attack Surface:** The ability to attach to processes and inject code means that applications running on devices where Kahlo MCP is active could be subject to dynamic analysis by an AI agent.
- **Automated Vulnerability Discovery:** Defenders should anticipate that security researchers (both ethical and malicious) can leverage such tools to automate the discovery of vulnerabilities in their applications.
- **Frida's Presence:** The presence of `frida-server` on a device is a strong indicator that dynamic instrumentation is possible and potentially occurring.
- **Defensive Instrumentation:** While Kahlo MCP is primarily for research, the underlying Frida technology can also be used for defensive purposes, such as runtime application self-protection (RASP) or enhanced logging.
Announcing Windows 11 Insider Preview Build 26220.7752 (Beta Channel) - with built in Sysmon - Windows Insider Program Team

The article announces the release of **Windows 11 Insider Preview Build 26220.7752** to the Beta Channel, which includes the native integration of **Sysmon** functionality.

**What Happened:**
Microsoft has released a new Windows 11 Insider Preview build that natively incorporates Sysmon. Sysmon is a system monitoring tool that captures detailed system events to aid in threat detection. This build also includes fixes for File Explorer and issues with applications interacting with cloud storage services like OneDrive and Dropbox. An update to Voice Access, adding support for the Netherlands locale, is also mentioned.

**Who is Affected:**
This build is primarily for **Windows Insiders in the Beta Channel**. The native Sysmon functionality, once enabled, will affect users who choose to utilize it for system monitoring and threat detection. The fixes for File Explorer and cloud storage issues will benefit users experiencing those specific problems.

**Security Implications:**
The most significant security implication is the **native integration of Sysmon** 【1】. Sysmon allows for the capture of detailed system events, which can be crucial for **threat detection and analysis** 【1】. By writing events to the Windows event log, Sysmon enables security applications to monitor and respond to potential threats more effectively. However, Sysmon is **disabled by default** and requires explicit user action to be enabled 【1】. This means users must actively choose to leverage this enhanced security monitoring capability.

**Technical Details:**
- **Sysmon Integration:** Sysmon is now a built-in feature of Windows 11. It captures system events that can be filtered using custom configuration files and are logged in the Windows event log 【1】.
- **Enabling Sysmon:** To enable Sysmon, users can navigate to Settings > System > Optional features > More Windows features and select Sysmon, or use PowerShell/command prompt with the command `Dism /Online /Enable-Feature /FeatureName:Sysmon`. A subsequent command, `sysmon -i`, is required to complete the installation 【1】.
- **Prior Installation:** Users who previously installed Sysmon from the website must uninstall it before enabling the built-in version 【1】.
- **File Explorer Fixes:** Improvements include better accessibility (keyboard navigation, access keys), enhanced folder renaming, and resolution of issues with missing favorite icons/tooltips 【1】.
- **Cloud Storage Fixes:** An issue causing applications to freeze when working with files on OneDrive or Dropbox has been resolved. Potential hangs or reloads of email data for Outlook PST files on OneDrive have also been addressed 【1】.
- **Voice Access:** Support for the Netherlands locale has been added 【1】.

**What Defenders Should Know:**
Defenders should be aware that **Sysmon is now natively available** in Windows 11 Insider builds 【1】. While it is disabled by default, its integration provides a powerful tool for **enhanced system monitoring and threat hunting**. Defenders can leverage Sysmon to capture detailed event data, such as process creation, network connections, and file modifications, which can be invaluable for detecting and investigating security incidents 【1】. They should understand the process for enabling Sysmon and be prepared to configure and utilize its capabilities for their security monitoring strategies. Additionally, the fixes in this build address potential application stability issues when interacting with cloud storage, which could indirectly impact data access and security workflows.
FalconFriday: Need for Speed: going underground with near-real-time (NRT) rules - falconforce.nl

The article discusses the emergence of **near-real-time (NRT) detection rules** in cybersecurity, which allow for faster identification and response to threats.

**What Happened:**
The cybersecurity landscape is evolving with threat actors becoming more sophisticated and faster in their attacks. This necessitates a shift from traditional, slower detection methods to NRT rules that can identify malicious activities as they happen or very shortly after. The article highlights the need for speed in cybersecurity and how NRT rules are becoming crucial for effective defense.

**Who is Affected:**
**Organizations and individuals** are affected by the increasing speed and sophistication of cyber threats. This includes businesses of all sizes, government agencies, and critical infrastructure, as well as the end-users whose data and systems are at risk.

**Security Implications:**
The adoption of NRT rules has significant security implications:
- **Faster Threat Detection:** Enables quicker identification of ongoing attacks, reducing the dwell time of adversaries.
- **Proactive Response:** Allows security teams to respond to threats before significant damage occurs.
- **Evolving Threat Landscape:** Forces defenders to continuously adapt their strategies to keep pace with evolving attacker techniques.
- **Increased Complexity:** Implementing and managing NRT rules can be more complex, requiring advanced tools and expertise.

**Technical Details:**
NRT rules are designed to process security telemetry and trigger alerts with minimal delay. This often involves:
- **High-Volume Data Processing:** Handling large amounts of data from various sources like endpoints, networks, and cloud environments.
- **Stream Processing:** Utilizing technologies that can analyze data in motion rather than in batches.
- **Rule Optimization:** Crafting efficient detection logic that can be executed rapidly without impacting system performance.
- **Integration with Security Tools:** Seamless integration with Security Information and Event Management (SIEM), Security Orchestration, Automation, and Response (SOAR), and Endpoint Detection and Response (EDR) platforms.

**What Defenders Should Know:**
Defenders need to understand the following regarding NRT rules:
- **The Importance of Speed:** Recognize that attackers are operating at machine speed, and detection must match this pace.
- **Tooling and Infrastructure:** Invest in security tools and infrastructure capable of supporting NRT detection, including robust data pipelines and processing capabilities.
- **Rule Development and Tuning:** Develop and maintain a library of effective NRT detection rules, ensuring they are well-tuned to minimize false positives while maximizing true positives.
- **Automation:** Leverage automation for response actions triggered by NRT alerts to ensure timely mitigation.
- **Continuous Learning:** Stay updated on emerging threats and attacker tactics to continuously refine NRT detection strategies 【1】.
Kusto Tables | Firewall IP Lists - Gyp the Cat

The cybersecurity article discusses the use of **external Kusto tables** to enrich data within security platforms like Microsoft Defender for Endpoint and Microsoft Sentinel 【1】.

**What happened:**
The article explains the availability and integration of external Kusto tables, which allow users to incorporate external data sources into their Kusto Query Language (KQL) queries 【1】.

**Who is affected:**
**Security professionals and organizations** utilizing Microsoft Defender for Endpoint, Microsoft Sentinel, and Azure Monitor can benefit from these external tables to enhance their threat intelligence and data analysis capabilities 【1】.

**Security implications:**
The primary implication is the **enhancement of threat detection and analysis** by enriching existing datasets with external information. However, the article cautions that **no guarantees are made regarding data correctness**, and users should not solely rely on these external tables for definitive truth 【1】.

**Technical details:**
The article details how KQL engines cache external data. It lists various types of available Kusto tables, including those for ASN, blocklist.de, Bogon Networks, Geo IP, Spamhaus, and Tor Exit Nodes. It also provides guidance on how to execute queries using these tables 【1】.

**What defenders should know:**
Defenders can use these external Kusto tables to **gain broader context and improve their threat intelligence**. It is crucial to understand that the data provided by these external tables is not guaranteed to be accurate and should be **used in conjunction with other data sources** rather than as a sole source of truth 【1】.