🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Offensive DPAPI With Nemesis - SpecterOps 🔍 Show Kagi Synopsis
  The cybersecurity article details advancements in the **Nemesis tool (version 2.2)**, which now automates the decryption of **Windows Data Protection API (DPAPI)** protected data, including SYSTEM and user masterkeys, Cryptography API: Next Generation (CNG) keys, and **App-Bound Encryption (ABE)** used by Chromium-based browsers 【1】.
  
  **What Happened:**
  Nemesis 2.2 has been updated to automate the entire DPAPI decryption process. This includes handling various masterkeys and decrypting CNG keys. It can process inputs like registry hives, LSASS dumps, and provided credential materials to decrypt protected data 【1】.
  
  **Who is Affected:**
  * **Windows Users:** Individuals whose sensitive data is protected by DPAPI, especially those using **Chromium-based browsers** (Chrome, Edge, Brave, etc.), as their cookies and saved login data are primary targets 【1】.
  * **Organizations:** All organizations using Windows operating systems are affected, as compromised systems can lead to the exfiltration of critical user credentials and browsing data 【1】.
  
  **Security Implications:**
  * **Enhanced Attacker Capabilities:** Nemesis 2.2 significantly lowers the barrier for attackers to access sensitive information previously protected by DPAPI and Chromium's ABE 【1】.
  * **Data Exfiltration:** Attackers can more easily extract valuable data for identity theft, financial fraud, or further network compromise 【1】.
  * **Circumvention of Protections:** The tool bypasses the intended security mechanisms of DPAPI and ABE, which were designed to make data harder to access 【1】.
  * **Streamlined Operations:** The automation allows attackers to perform complex decryption tasks faster and with less manual effort 【1】.
  
  **Technical Details:**
  * **DPAPI:** Encrypts data using masterkeys derived from SYSTEM or user credentials. SYSTEM masterkeys are typically found in `C:\Windows\System32\Microsoft\Protect\S-1-5-18\User\` and are protected by the DPAPI_SYSTEM LSA secret. User masterkeys are located in `%APPDATA%\Microsoft\Protect\<user_sid>\<guid>` and are protected by keys derived from user passwords/NTLM hashes and the domain DPAPI backup key <kcite ref="1"/>.
  * **Chromium ABE:** Modern Chromium browsers protect sensitive data using ABE. This involves an `encrypted_key` in the `Local State` file, first encrypted by a SYSTEM DPAPI masterkey, then decrypted by the user's DPAPI masterkey. The final app-bound key is protected by a CNG key (Google Chromekey1) <kcite ref="1"/>.
  * **Nemesis Functionality:** The tool automates the collection and decryption of these components, supporting retroactive decryption by processing submitted files in any order and using newly provided keys <kcite ref="1"/>. It can also decrypt software-based CNG keys found in `C:\ProgramData\Microsoft\Crypto\SystemKeys\` if they are protected by a SYSTEM DPAPI masterkey 【1】.
  
  **What Defenders Should Know:**
  * **DPAPI is a Critical Target:** DPAPI remains a significant target for attackers due to its widespread use in protecting sensitive data on Windows 【1】.
  * **Browser Data Vulnerability:** Cookies and login data from Chromium-based browsers are particularly at risk 【1】.
  * **LSASS Protection is Crucial:** Protecting the LSASS process is paramount, as dumps of its memory can yield critical DPAPI masterkeys and credential keys 【1】.
  * **Monitor for Suspicious Activity:** Look for unusual access patterns to DPAPI-related files, LSASS memory dumps, or the submission of unusual files to analysis tools 【1】.
  * **Understand the Decryption Chain:** Defenders need to be aware of the multi-step decryption process for ABE and how tools like Nemesis automate it, understanding the roles of SYSTEM masterkeys, user masterkeys, and CNG keys 【1】.
  * **Consider Advanced Protections:** Advanced Endpoint Detection and Response (EDR) solutions can help detect DPAPI abuse or data exfiltration. Hardware-backed key storage (TPM) for CNG keys can add protection, though software-based CNG keys remain vulnerable 【1】.
  * **Stay Updated:** It is crucial to stay informed about new attack techniques and defensive measures as DPAPI libraries and ABE implementations evolve 【1】.
• jailer: Jailer is an eBPF-based process jailing system that provides mandatory access control (MAC) for Linux. It tracks processes using BPF task_storage maps and enforces role-based policies - gen0sec 🔍 Show Kagi Synopsis
  The cybersecurity article details **Jailer**, an eBPF-based Mandatory Access Control (MAC) system for Linux designed to enhance process containment. 【1】
  
  Here's a breakdown of the information:
  
  - **What happened:** The article describes the architecture, enrollment process, policy enforcement, and installation methods of Jailer. It highlights that the project is in active development and not yet production-ready, but demonstrates its capabilities in restricting access and defending against common attacks. 【1】
  - **Who is affected:** The system primarily affects **Linux environments** where process containment is a goal. This includes developers and security teams deploying Jailer, administrators managing its daemon or daemonless modes, and users running applications that are subject to Jailer's restrictions. Systems must meet specific kernel configuration prerequisites, such as support for BPF, LSM, and BTF, and may require root access for certain configurations. 【1】
  - **Security implications:** Jailer enforces MAC by using eBPF and LSM hooks to restrict file access, network usage, and execution. When properly configured, it can mitigate threats like path traversal, command injection, reverse shells, Server-Side Request Forgery (SSRF), arbitrary writes, and credential access. The two deployment modes (daemon and daemonless) offer different trade-offs in terms of attack surface and flexibility. However, the ongoing development means potential changes to APIs and policy formats, and reliance on carefully configured kernel features. 【1】
  - **Technical details:** Key technical components include BPF maps (e.g., `pending_enrollments`, `task_storage`, `role_flags`) and BPF LSM hooks for actions like `task_alloc`, `file_open`, and `socket_bind/connect`. The enrollment flow utilizes a socket (`/run/bpfjailer/enrollment.sock`) and supports various methods, including executable-based, cgroup-based, and xattr-based auto-enrollment. The system uses a `policy.json` file to define roles and their associated access controls, including network rules with per-role and per-port filtering. Building Jailer requires Rust and a BPF toolchain, with specific kernel boot parameters needed to enable LSM. 【1】
  - **What defenders should know:**
  - **Kernel Requirements:** Ensure the Linux kernel supports BPF and LSM (specifically `CONFIG_BPF`, `CONFIG_BPF_LSM`, `CONFIG_DEBUG_INFO_BTF`) and that LSM is enabled in the boot parameters. 【1】
  - **Deployment Strategy:** Choose between the daemon mode (with an enrollment server and hot policy reload) or the daemonless mode (pinning programs at boot for a reduced runtime attack surface). 【1】
  - **Policy Configuration:** Utilize `policy.json` to define strict roles and enforce access controls for files, networks, and execution. 【1】
  - **Enrollment:** Employ enrollment mechanisms to secure processes, considering auto-enrollment for scalability. 【1】
  - **Auditing:** Leverage the perf buffer for auditing and logging, which can be directed to `journald`. 【1】
  - **Development Status:** Be aware that Jailer is under active development, so monitor for documentation and policy format changes. 【1】
  - **Performance and Testing:** Assess the performance impact of policies, especially concerning BPF map entries for large port ranges, and thoroughly test in a staging environment. 【1】
  - **Permissions:** Understand that root privileges are necessary for configuration and enrollment, and verify socket permissions for enrollment. 【1】
  - **Security Validation:** Familiarize yourself with the provided security tests to understand how restricted roles defend against various attack vectors. 【1】
• First CHERIoT Silicon! - The content posted on the page is controlled by the author, who is a co-founder of SCI Semiconductor . 🔍 Show Kagi Synopsis
  The article announces the **first silicon implementation of the CHERIoT architecture**, named **ICENI**, developed by SCI Semiconductor. This marks a significant step beyond previous software and FPGA simulations, providing a complete CHERIoT system on a chip.
  
  **Who is Affected:**
  Developers and users of the CHERIoT platform will be directly affected, as this silicon implementation allows for production use of CHERIoT systems. Software developed for CHERIoT SAFE or Sonata FPGA boards, as well as software simulators, should be easily portable to the ICENI chip.
  
  **Security Implications:**
  The ICENI chip brings the core CHERI properties of **spatial memory safety and no pointer injection** to silicon. Additionally, it incorporates CHERIoT extensions that offer **deterministic use-after-free protection**, **auditable control over interrupt state**, and support for **aggressively compartmentalized Real-Time Operating Systems (RTOS)**. These features collectively aim to provide deterministic mitigation of memory safety bugs, ranging from buffer overflows to use-after-free vulnerabilities, and enable fine-grained compartmentalization with a small Trusted Computing Base (TCB).
  
  **Technical Details:**
  - The ICENI chip utilizes the **CHERIoT Ibex core**.
  - It can operate at clock speeds of **up to 250 MHz**.
  - Key features include enhancements for **temporal safety** and **interrupt determinism**.
  - The chip is designed as a **complete CHERIoT system**, integrating all core CHERI properties and CHERIoT extensions.
  
  **What Defenders Should Know:**
  Defenders should be aware that CHERIoT silicon offers a robust approach to mitigating common memory safety vulnerabilities deterministically. The architecture's focus on compartmentalization and a small TCB can significantly reduce the attack surface. The ease of porting existing CHERIoT software to this silicon means that these enhanced security features are becoming more accessible for production environments. The CHERIoT platform, now with silicon implementations, represents a move towards more secure computing architectures.
• Interplay between Iranian Targeting of IP Cameras and Physical Warfare in the Middle East - Check Point Research - Check Point Research 🔍 Show Kagi Synopsis
  A cybersecurity report details intensified targeting of IP cameras by Iran-nexus threat actors, coinciding with physical warfare and geopolitical events in the Middle East 【1】</kcite>【1】</kcite>. This activity is believed to be part of Iran's doctrine to leverage compromised cameras for operational support and battle damage assessment (BDA) for missile operations 【1】</kcite>.
  
  **What Happened:**
  Beginning on February 28, there was a significant increase in attempts to exploit IP cameras from manufacturers **Hikvision** and **Dahua** 【1】</kcite>. This activity originated from infrastructure that includes commercial VPN exit nodes and virtual private servers, attributed to multiple Iran-nexus threat actors 【1】</kcite>. Earlier, more targeted activity was observed on January 14-15, coinciding with Iran's temporary airspace closure amid expectations of a potential U.S. strike 【1】</kcite>【1】</kcite>. Similar targeting patterns were also observed during a previous conflict in June 2025 【1】</kcite>.
  
  **Who is Affected:**
  The targeting has been observed across several countries, including **Israel, Qatar, Bahrain, Kuwait, the UAE, and Cyprus** 【1】</kcite>【1】</kcite>. Activity was also focused on specific areas in **Lebanon** 【1】</kcite>【1】</kcite>. Earlier scans also targeted cameras in **Iraqi Kurdistan** 【1】</kcite>.
  
  **Security Implications:**
  The compromise of IP cameras can provide threat actors with **intelligence for physical operations**, including **battle damage assessment (BDA)** and potentially **pre-missile launch targeting correction** 【1】</kcite>【1】</kcite>. The tracking of such camera-targeting activity can serve as an **early indicator of potential kinetic activity** 【1】</kcite>.
  
  **Technical Details:**
  The threat actors are scanning for and attempting to exploit specific vulnerabilities in Hikvision and Dahua IP cameras 【1】</kcite>. These vulnerabilities include:
  - **CVE-2017-7921**: Improper authentication in Hikvision IP camera firmware 【1】</kcite>.
  - **CVE-2021-36260**: Command injection in the Hikvision web server component 【1】</kcite>.
  - **CVE-2023-6895**: OS command injection in Hikvision Intercom Broadcasting System 【1】</kcite>.
  - **CVE-2025-34067**: Unauthenticated remote code execution in Hikvision Integrated Security Management Platform 【1】</kcite>.
  - **CVE-2021-33044**: Authentication bypass in multiple Dahua products 【1】</kcite>.
  Patches are available for all these vulnerabilities 【1】</kcite>. The attack infrastructure utilizes commercial VPNs (Mullvad, ProtonVPN, Surfshark, NordVPN) and VPS 【1】</kcite>.
  
  **What Defenders Should Know:**
  Defenders are advised to take the following measures:
  - **Eliminate public exposure**: Remove direct WAN access to cameras and Network Video Recorders (NVRs). Place them behind a VPN or a zero-trust access gateway and block inbound port-forwards 【1】</kcite>.
  - **Enforce strong credentials**: Change default passwords and enforce the use of unique credentials 【1】</kcite>.
  - **Patch management**: Keep camera/NVR firmware and management software updated. Remove or replace end-of-life devices that no longer receive security fixes 【1】</kcite>.
  - **Network segmentation**: Isolate cameras on a dedicated VLAN with no lateral access to corporate or Operational Technology (OT) networks. Tightly control outbound traffic to only necessary endpoints 【1】</kcite>.
  - **Monitoring & detection**: Monitor for repeated login failures, unexpected remote logins, and cameras initiating unusual outbound connections 【1】</kcite>.
• Tracking CyberStrikeAI: AI-Native Offensive Tools & MSS Ties - Team Cymru 🔍 Show Kagi Synopsis
  The cybersecurity article details the tracking of **CyberStrikeAI**, an open-source, AI-native offensive security tool.
  
  - **What Happened**: A China-based individual known as "Ed1s0nZ" developed CyberStrikeAI, an AI-orchestrated tool that integrates over 100 security tools. This tool was observed running on an IP address targeting **Fortinet FortiGate devices**. Ed1s0nZ has also created other AI-assisted tools focused on privilege escalation. Evidence suggests Ed1s0nZ has connections to the **Chinese Ministry of State Security (MSS)** through affiliations with organizations like Knownsec and the CNNVD. The use of CyberStrikeAI has increased rapidly, with 21 unique IP addresses running the platform observed between January and February 2026, primarily hosted in China, Singapore, and Hong Kong. The developer has also attempted to obscure their state ties by removing references to the CNNVD from their GitHub profile.
  
  - **Who is Affected**: The primary concern is the potential for **state-sponsored Advanced Persistent Threats (APTs)** to leverage CyberStrikeAI. The tool itself was observed targeting **Fortinet FortiGate devices**. The broader impact is on organizations that could become targets of increasingly sophisticated and automated cyberattacks facilitated by AI-native offensive tools.
  
  - **Security Implications**: AI-native offensive tools like CyberStrikeAI **lower the barrier to entry for complex network exploitation**. This means that less skilled actors, or state-sponsored groups, can more easily conduct advanced attacks. The rapid adoption and the integration of AI capabilities suggest a significant shift in the threat landscape, where offensive cyber operations become more automated and efficient.
  
  - **Technical Details**: CyberStrikeAI is described as an **AI-native offensive security tool** that orchestrates over 100 security tools. It features **role-based testing** and **lifecycle management capabilities**. The tool was initially observed running on the IP address **212.11.64.250**. The developer, Ed1s0nZ, also created tools like **PrivHunterAI** and **InfiltrateX**, which focus on privilege escalation.
  
  - **What Defenders Should Know**: Defenders need to **proactively monitor their environments for indicators of compromise** associated with CyberStrikeAI and similar tools. They should prepare for **increasingly automated and AI-driven targeting of vulnerable devices**. Awareness of the evolving threat landscape, where AI is a key component in offensive cyber operations, is crucial. Understanding the potential ties of such tools to state actors is also important for threat intelligence and defense strategies.
• Microsoft Entra ID Will Auto-Enable Passkey Profiles in March 2026 - **Rudy Mens** is the individual who controls the content posted at `https://lazyadmin.nl/office-365/auto-enabled-passkey-profiles-in-march-2026/` . He is the writer behind LazyAdmin.nl and a Microsoft MVP . 🔍 Show Kagi Synopsis
  Microsoft is set to **automatically enable passkey profiles and synced passkeys in Microsoft Entra ID starting in March 2026** 【1】. This change will replace the existing FIDO2 configuration with a more adaptable passkey profile model 【1】.
  
  **Who is Affected:**
  This change impacts **all Microsoft Entra ID tenants** 【1】. If no proactive steps are taken by administrators, Microsoft will automatically activate these features a few weeks after the initial rollout begins 【1】.
  
  **Security Implications:**
  The shift towards passkeys represents a move towards **passwordless authentication**, which can enhance security by reducing reliance on vulnerable passwords 【1】. However, there are potential security implications if organizations do not manage this transition carefully. Specifically, if **attestation enforcement is disabled**, the system will permit both device-bound and synced passkeys by default. This could inadvertently align with an organization's security strategy if not properly configured 【1】.
  
  **Technical Details:**
  A significant technical detail is the introduction of the `passkeyType` property. This property dictates whether users are permitted to register device-bound passkeys, synced passkeys, or both 【1】. The new passkey profiles offer more granular control, allowing for different configurations to be assigned to various user groups 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that this **auto-enablement can alter existing registration campaign settings** 【1】. The target for multi-factor authentication (MFA) might shift from Microsoft Authenticator to passkeys for all MFA-capable users, with the possibility of unlimited snoozes 【1】. This could lead to unexpected user experiences or security vulnerabilities if not managed proactively 【1】. It is strongly recommended that administrators **review and configure their passkey profiles before the automatic enablement window** to ensure they align with the organization's security policies and usability requirements 【1】.
• Analysis of Confucius Group's Attacks Against Pakistan Deploying the AnonDoor Backdoor - mp.weixin.qq.com 🔍 Show Kagi Synopsis
  The provided link does not lead to a cybersecurity article. Instead, it directs to a **Cloudflare error page (Error 1101)** for the website pure.md. This error indicates that a "Worker threw exception," meaning an unknown error occurred while the Cloudflare Workers script was attempting to render the page 【1】.
  
  Therefore, the article does not contain information regarding:
  - What happened in terms of a cybersecurity incident.
  - Who is affected by a specific breach or attack.
  - The security implications of any event.
  - Technical details of a cybersecurity threat.
  - Advice for defenders.
  
  The error page suggests that the **website owner** should check their Cloudflare Workers logs to diagnose and resolve the issue 【1】.
• IETF draft - AI Agent Authentication and Authorization - The content posted at the URL is controlled by the IETF Trust and the document authors: Pieter Kasselman, Jeff Lombardo, Yaroslav Rosomakho, and Brian Campbell. 🔍 Show Kagi Synopsis
  This document, **draft-klrc-aiagent-auth-00**, proposes a framework for **AI agent authentication and authorization** by leveraging existing standards rather than introducing new protocols. The goal is to provide a consolidated approach that avoids fragmentation and guides future standardization efforts.
  
  ### What Happened
  
  The document addresses the increasing use of AI agents as autonomous workloads. It highlights that many current solutions for agent authentication and authorization are developed in isolation, leading to incompatibility and duplicated efforts. This draft aims to establish a baseline by demonstrating how existing standards can be composed to meet the needs of AI agent systems.
  
  ### Who is Affected
  
  The framework is relevant to **developers, implementers, and standards bodies** involved in creating and deploying AI agent systems. This includes:
  - **AI Agents:** The autonomous workloads that interact with LLMs and tools.
  - **LLMs (Large Language Models):** The core AI models agents interact with.
  - **Tools, Services, and Resources:** External endpoints that agents invoke.
  - **Users and Systems:** Entities that may initiate actions or delegate authority to agents.
  - **Security and Identity Management Professionals:** Those responsible for securing these systems.
  
  ### Security Implications
  
  The primary security implication is the need for robust **identity management, authentication, and authorization** for AI agents. Without proper controls, AI agents could be compromised, leading to unauthorized access to sensitive data or resources, execution of malicious actions, and potential system-wide disruptions. The document emphasizes:
  - **Workload Identity:** Treating agents as distinct workloads that require unique identifiers and verifiable credentials.
  - **Short-Lived Credentials:** Minimizing the risk of credential compromise through the use of ephemeral credentials.
  - **Attestation:** Verifying the agent's environment and instantiation to ensure its trustworthiness.
  - **Delegated Authority:** Securely managing how agents act on behalf of users or systems.
  - **Auditing and Monitoring:** Maintaining comprehensive logs to reconstruct agent behavior and detect misuse.
  
  ### Technical Details
  
  The document proposes a layered **Agent Identity Management System (AIMS)**, which includes:
  - **Agent Identifiers:** Recommends using Workload Identity in Multi-System Environments (WIMSE) identifiers, such as SPIFFE IDs, for unique identification.
  - **Agent Credentials:** Advocates for short-lived credentials like X.509 certificates or JSON Web Tokens (JWTs), compatible with WIMSE and SPIFFE standards. It explicitly discourages static API keys.
  - **Agent Attestation:** Describes mechanisms for verifying an agent's environment and instantiation before issuing credentials.
  - **Agent Credential Provisioning:** Details the runtime issuance, renewal, and rotation of credentials, emphasizing automation and short lifecycles.
  - **Agent Authentication:** Covers both **transport-layer authentication** (e.g., mutual TLS) and **application-layer authentication** (e.g., WIMSE Proof Tokens (WPTs) and HTTP Message Signatures).
  - **Agent Authorization:** Proposes leveraging the **OAuth 2.0 Authorization Framework** for delegated authorization. This includes using OAuth 2.0 access tokens, with specific flows for user delegation, agent self-authorization, and cross-domain access. It also introduces **Transaction Tokens** for risk reduction within microservice architectures.
  - **Monitoring and Remediation:** Stresses the importance of continuous monitoring, observability, and the ability to remediate security or authorization issues dynamically, using mechanisms like OpenID Continuous Access Evaluation Profile (CAEP).
  - **Policy Management:** Acknowledges that authentication and authorization policies are deployment-specific and out of scope for standardization within this document, but should be represented in a "policy-as-code" format.
  
  ### What Defenders Should Know
  
  Defenders need to understand that AI agents are sophisticated workloads that require rigorous security controls similar to traditional applications and services. Key takeaways for defenders include:
  - **Adopt Standardized Identity Mechanisms:** Leverage established standards like SPIFFE and WIMSE for agent identification and credentials to ensure interoperability and security.
  - **Prioritize Short-Lived Credentials:** Implement systems that automatically provision and rotate credentials to minimize the attack surface.
  - **Implement Strong Authentication:** Utilize both transport-layer and application-layer authentication methods, especially in complex environments with intermediaries.
  - **Enforce Granular Authorization:** Use OAuth 2.0 and related specifications to manage access permissions effectively, ensuring agents only have the necessary privileges.
  - **Utilize Transaction Tokens:** Employ transaction tokens to limit the scope of credentials passed between internal services, mitigating risks of token exfiltration and replay.
  - **Establish Comprehensive Auditing and Monitoring:** Ensure detailed logs are kept for all agent activities, authentication, and authorization decisions to enable incident investigation and compliance.
  - **Be Aware of Dynamic Environments:** Understand how discovery mechanisms (e.g., OAuth 2.0 Server Metadata) can help manage security in dynamic deployments where endpoints and configurations change frequently.
  - **Integrate Human Oversight:** For critical actions, ensure mechanisms are in place for human review and approval, even when agents operate autonomously.
• ASPX_WebShell_COFFLoader: ASPX Web Shell with COFF Loader - GitHub 🔍 Show Kagi Synopsis
  This cybersecurity article details an **ASPX web shell** that leverages a **COFF loader** to execute **Beacon Object Files (BOFs)** on a target server. This tool is a modification of TrustedSec's CS_COFFLoader and is intended for security research and authorized penetration testing.
  
  **What Happened:**
  The described tool allows for the execution of arbitrary code on compromised servers. It achieves this by enabling the deployment of a web shell that can then load and execute BOFs.
  
  **Who is Affected:**
  **Servers running ASPX web applications** are potentially affected if they are compromised and can host the web shell. The tool's primary use case is within offensive security operations, meaning it's designed to target systems during penetration tests or by malicious actors.
  
  **Security Implications:**
  The primary security implication is the **potential for arbitrary code execution** on compromised systems. This allows attackers to gain a significant foothold, execute malicious payloads, and potentially bypass traditional security measures by using in-memory execution techniques facilitated by BOFs.
  
  **Technical Details:**
  - The tool requires compiling a **C compatibility file**.
  - A **Base64-encoded object file** needs to be substituted into the ASPX shell.
  - **BOFs are compiled separately**.
  - A **semi-interactive Python client** is used to communicate with the deployed web shell. This client can list available beacons and execute them with specified arguments.
  
  **What Defenders Should Know:**
  Defenders should be aware that tools like this exist and can be used by attackers to gain access and execute malicious code. The use of BOFs allows for **in-memory execution**, which can be stealthier than traditional file-based malware. Understanding these techniques is crucial for detecting and mitigating such threats.
• Disruption targets Tycoon 2FA, popular AiTM PhaaS - The Proofpoint Threat Research Team 🔍 Show Kagi Synopsis
  On March 4, 2026, a significant disruption occurred targeting **Tycoon 2FA**, a popular phishing-as-a-service (PhaaS) platform used for adversary-in-the-middle (AiTM) attacks 【1】. This operation involved a collaboration between public and private entities, including Proofpoint, Microsoft, Europol, and several other cybersecurity firms and law enforcement agencies 【1】 【1】. The disruption included the seizure of Tycoon 2FA infrastructure and a lawsuit filed by Microsoft and Health-ISAC against the alleged creator, Saad Fridi 【1】 【1】.
  
  **Who is Affected:**
  Tycoon 2FA has impacted a vast number of organizations globally, with Microsoft reporting that it provided cybercriminals access to nearly 100,000 organizations 【1】. The campaigns are widespread, with the majority affecting North America (U.S. and Canada) and significant activity in European countries like Germany, Spain, France, and the UK 【1】. Various industries have been targeted, including:
  - Aerospace (73%)
  - Business Services (82%)
  - Defense (64%)
  - Education (75%)
  - Energy (78%)
  - Financial Services (84%)
  - Government (79%)
  - Healthcare (83%)
  - Hospitality (76%)
  - Manufacturing (83%)
  - Real Estate (77%)
  - Technology (85%)
  - Utilities (76%) 【1】
  
  **Security Implications:**
  Tycoon 2FA's primary function is to harvest credentials (usernames and passwords) and session cookies from Microsoft 365 and Gmail. This allows attackers to bypass multi-factor authentication (MFA) and achieve full account takeover (ATO) 【1】. Successful ATOs can lead to severe consequences, including:
  - Theft of sensitive data, such as financial information, personally identifiable information, and proprietary business data 【1】.
  - Unauthorized access to Microsoft 365 hosts, which can be sold to other threat actors 【1】.
  - Potential for follow-on malware infections, including ransomware 【1】.
  - Significant financial and reputational damage to compromised organizations 【1】.
  
  **Technical Details of the Attack:**
  Tycoon 2FA operates as a PhaaS, where threat actors purchase access to the kit and customize it for their campaigns 【1】. The platform uses attacker-controlled infrastructure to host phishing webpages. A synchronous proxy intercepts victims' entered credentials, relays them to the legitimate service for a successful login, and then captures the resulting session cookies 【1】.
  
  Distribution methods include:
  - **Email campaigns:** Emails may contain malicious links, QR codes, SVGs, or attachments with URLs 【1】.
  - **Impersonation:** Users are redirected to actor-controlled sites that impersonate Microsoft or Google login portals, often using the target organization's branding to enhance social engineering 【1】.
  - **CAPTCHA resolution:** A unique CAPTCHA must be solved before redirecting to the attacker-controlled site 【1】.
  - **ATO Jumping:** Attackers may compromise an initial email account and use it to broadly distribute Tycoon 2FA URLs, increasing the likelihood of further compromises 【1】.
  
  Customers manage their campaigns through a dedicated panel provided by the Tycoon 2FA creator 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that Tycoon 2FA is a high-volume AiTM phishing threat that actively bypasses MFA 【1】 【1】. The disruption of Tycoon 2FA infrastructure is a significant blow to its operations, but threat actors may adapt or migrate to other platforms 【1】 【1】. Organizations should:
  - **Enhance email security:** Implement robust email filtering to detect and block phishing attempts, including those using malicious links, QR codes, or attachments 【1】.
  - **Educate users:** Conduct regular security awareness training to help users identify and report phishing attempts, emphasizing the dangers of clicking suspicious links or entering credentials on unfamiliar sites 【1】.
  - **Monitor for account takeover attempts:** Implement strong monitoring for suspicious login activity and account takeovers, especially for accounts with MFA enabled 【1】.
  - **Stay informed about evolving threats:** Keep abreast of new phishing kits and tactics, as threat actors will likely continue to develop methods to circumvent security measures 【1】 【1】.
• United States Leads Dismantlement of One of the World’s Largest Hacker Forums - United States Department of Justice 🔍 Show Kagi Synopsis
  The United States, in coordination with Europol and law enforcement agencies from 14 countries, has led the dismantling of **LeakBase**, one of the world's largest online forums used by cybercriminals 【1】.
  
  **What Happened:**
  Law enforcement agencies seized the LeakBase database and two of its domains, effectively disrupting a critical platform for illicit activities 【1】. The operation involved synchronized actions across multiple countries, including data seizure, posting seizure banners, sending prevention messages to members, executing search warrants, arrests, and interviews 【1】.
  
  **Who is Affected:**
  LeakBase had over 142,000 members and an extensive archive of hacked databases, containing hundreds of millions of account credentials, credit card numbers, banking information, and other personally identifiable information (PII) 【1】. This means that individuals whose data was stored on LeakBase, as well as organizations whose data was compromised and sold on the platform, are affected 【1】.
  
  **Security Implications:**
  The dismantling of LeakBase has significant security implications by disrupting a major international platform that facilitated the theft and sale of sensitive personal, banking, and account credentials 【1】. This makes it more difficult for cybercriminals to access and profit from stolen data 【1】. This action, along with previous disruptions of similar platforms like RaidForums and BreachForums, indicates a sustained effort to combat cybercrime marketplaces 【1】.
  
  **Technical Details:**
  LeakBase operated as an open-web forum and maintained a continuously updated archive of hacked databases and member messages 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that law enforcement agencies are actively targeting and dismantling platforms that facilitate cybercrime 【1】. The success of this operation highlights the effectiveness of international cooperation in dismantling criminal networks 【1】. The FBI, Europol, and their international partners are sending a clear message that cybercriminals are not anonymous online and that the services enabling their attacks are being dismantled 【1】.