🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• ENISA Technical Advisory for Secure Use of Package Managers | ENISA - European Union Agency for Cybersecurity 🔍 Show Kagi Synopsis
  The ENISA Technical Advisory for Secure Use of Package Managers, published on March 10, 2026, provides guidance for developers on securely integrating third-party packages into their software development lifecycle 【1】.
  
  **What Happened:**
  The advisory addresses the inherent risks associated with using third-party packages in software development 【1】.
  
  **Who is Affected:**
  This document is intended for **national and EU authorities** and the **private sector**, specifically developers who utilize package managers 【1】.
  
  **Security Implications:**
  The primary security implication discussed is the **risk of vulnerabilities introduced through third-party packages** 【1】. The advisory aims to mitigate these risks by outlining secure practices for package selection, integration, and monitoring 【1】.
  
  **Technical Details:**
  The advisory details common risks associated with third-party packages and describes approaches for addressing vulnerabilities found in dependencies 【1】. It focuses on secure practices throughout the software development lifecycle, from package selection to ongoing monitoring 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the **common risks associated with using third-party packages** and implement **secure practices for selecting, integrating, and monitoring these packages** 【1】. They should also have strategies in place for **addressing vulnerabilities discovered in package dependencies** 【1】.
• MC1247893 - Microsoft Entra passkeys on Windows now support phishing-resistant sign-in | Microsoft 365 Message Center Archive - Microsoft 🔍 Show Kagi Synopsis
  Microsoft Entra passkeys are being introduced to Windows devices to enable phishing-resistant, passwordless sign-in through Windows Hello 【1】. This feature will be available in public preview starting mid-March 2026 【1】.
  
  **Who is affected:**
  Organizations that use Microsoft Entra ID and have users signing in from Windows devices, including corporate-managed, personal, and shared PCs, will be affected 【1】.
  
  **Security implications:**
  The primary security implication is **enhanced protection against phishing attacks** and a **reduced reliance on traditional passwords** 【1】.
  
  **Technical details:**
  Passkeys are stored within the Windows Hello container and are authenticated using facial recognition, fingerprint scans, or a PIN 【1】. This feature supports unmanaged devices and allows for multiple Entra accounts per device. However, passkeys are device-bound and do not synchronize across devices 【1】. Existing Conditional Access and authentication strength policies will remain in effect 【1】.
  
  **What defenders should know:**
  Defenders need to be aware that **organizations must opt in to enable this feature**; no impact will occur without activation 【1】. To prepare, administrators should:
  - Enable the Passkeys (FIDO2) authentication method 【1】.
  - Configure a passkey profile with specific settings: Attestation enforcement set to Disabled, Key restrictions set to Enabled, and specific AAGUIDs for Windows Hello authenticators 【1】.
  - Assign this profile to relevant user groups 【1】.
  - Validate existing security policies and communicate with pilot users 【1】.
• Sednit reloaded: Back in the trenches - ESET 🔍 Show Kagi Synopsis
  The cybersecurity article details the resurgence of the **Sednit (also known as APT28, Fancy Bear, or Pawn Storm) group**, which has been actively deploying a sophisticated arsenal of custom malware, primarily targeting **Ukrainian military personnel** for long-term espionage operations 【1】.
  
  **What Happened:**
  Sednit has re-emerged with an updated toolkit, focusing on two main implants: **BeardShell** and **Covenant** 【1】. BeardShell is a custom implant that utilizes cloud storage for command and control (C2), while Covenant is an open-source .NET post-exploitation framework that Sednit has heavily modified for its espionage goals 【1】. This dual-implant strategy allows Sednit to maintain access even if one of the C2 infrastructures is disrupted 【1】.
  
  **Who is Affected:**
  The primary targets identified are **Ukrainian military personnel**, with Sednit engaging in long-term espionage operations against them 【1】. The group has been observed deploying these tools from 2024 through 2026 【1】.
  
  **Security Implications:**
  The use of custom malware and heavily modified open-source tools by Sednit poses a significant threat 【1】. The group's ability to adapt and maintain persistent access to high-value targets highlights their advanced capabilities 【1】. The reliance on cloud storage for C2, coupled with sophisticated obfuscation techniques, makes detection and mitigation challenging 【1】. Sednit's modifications to Covenant, an implant whose official development ceased, demonstrate their commitment to developing and maintaining a potent espionage arsenal 【1】.
  
  **Technical Details:**
  - **BeardShell:** This implant uses a C++ static initializer to decrypt authentication tokens for cloud storage services like Icedrive 【1】. It employs obfuscation techniques such as **opaque predicate insertion** to hinder static analysis 【1】. BeardShell has been observed executing PowerShell commands and is designed to run exclusively within `taskhost.exe` or `taskhostw.exe` 【1】. It also collects system information and exfiltrates data, sometimes disguised as fake images 【1】.
  - **Covenant:** Sednit has significantly modified this open-source framework. Key changes include a **deterministic method for generating implant identifiers** (Grunts) derived from machine characteristics, rather than random generation, to improve operational efficiency in long-term campaigns 【1】. They have also altered the execution flow to evade behavioral detection 【1】. A major modification is the addition of a **cloud-based network protocol** using the C2Bridge project, enabling communication with cloud providers like Filen, pCloud, and Koofr 【1】. Covenant supports HTTPS for C2 and uses RSA-encrypted session keys 【1】.
  - **Shared Techniques:** The use of the same rare opaque predicate in BeardShell as was previously seen in Sednit's Xtunnel tool strongly suggests continuity within the development team 【1】.
  
  **What Defenders Should Know:**
  - **Advanced Persistent Threat (APT) Activity:** Sednit remains an active and sophisticated threat actor with a focus on espionage 【1】.
  - **Cloud Infrastructure Abuse:** Defenders should be aware of APT groups leveraging legitimate cloud services (Icedrive, Filen, pCloud, Koofr) for C2 communications 【1】.
  - **Custom and Modified Tools:** Sednit employs both custom-developed malware (BeardShell, SlimAgent) and heavily modified open-source frameworks (Covenant), requiring robust detection capabilities 【1】.
  - **Obfuscation and Evasion:** The malware utilizes techniques like opaque predicates, code obfuscation, and modified execution flows to evade detection 【1】.
  - **Targeting:** The ongoing focus on Ukrainian military personnel indicates a continued geopolitical motivation 【1】.
  - **Indicators of Compromise (IoCs):** A list of SHA-1 hashes for identified malware samples (e.g., `Win64/BeardShell.A`, `Win64/Spy.KeyLogger.LS`) and MITRE ATT&CK techniques are provided for detection and defense 【1】.
• China‑Nexus APT Targets Qatar - Check Point Software Technologies, an Israeli cybersecurity firm, home to the Check Point Research team 🔍 Show Kagi Synopsis
  In response to the recent escalation in the Middle East, **Chinese-nexus Advanced Persistent Threat (APT) actors have increased their activity, specifically targeting Qatar** 【1】. This activity was observed as early as March 1st, with threat actors attempting to deploy malware within a day of major regional developments 【1】.
  
  **Who is Affected:**
  The primary target of this observed activity is **Qatar** 【1】. Earlier campaigns using similar infection vectors were also noted against **Turkish military targets** 【1】, and other Chinese-nexus campaigns have targeted the **Philippines and Myanmar** 【1】.
  
  **Security Implications:**
  The observed campaigns highlight the **rapid adaptability of Chinese-nexus APT actors** in leveraging geopolitical events for their operations 【1】. The use of conflict-related lures demonstrates a sophisticated understanding of the regional information landscape, aiming to make their attacks more credible and engaging 【1】. The reliance on accessible tools like PlugX and Cobalt Strike suggests a focus on **rapid initial deployment and reconnaissance** 【1】. This indicates a potential shift in intelligence collection priorities towards Qatar, a nation situated at the intersection of various global powers and interests 【1】.
  
  **Technical Details:**
  Two distinct campaigns have been identified:
  
  * **Campaign 1:** This campaign utilizes a **LNK file** delivered within an archive disguised as photos of attacks on U.S. bases in Bahrain 【1】. The infection chain is unusually long, involving contact with a compromised server to retrieve the next-stage payload. It ultimately deploys the **PlugX backdoor** by abusing DLL hijacking of the legitimate Baidu NetDisk binary 【1】. PlugX is a modular backdoor linked to Chinese-nexus actors since 2008, capable of various post-compromise functions 【1】. The sample uses specific encryption keys (qwedfgx202211) and a date-formatted payload decryption key (20260301@@@) that have been previously attributed to **Camaro Dragon** (also known as Earth Preta and Mustang Panda) 【1】.
  
  * **Campaign 2:** This campaign uses a password-protected archive, potentially delivered via email, impersonating the Israeli government with AI-generated lures 【1】. It deploys a **Rust-based loader** that exploits DLL hijacking of `nvdaHelperRemote.dll`, a component of the NVDA screen reader 【1】. This technique has been observed in limited Chinese-nexus campaigns 【1】. The final payload in this operation is **Cobalt Strike**, a penetration testing framework often repurposed for malicious activities, used for rapid reconnaissance 【1】. This attack is assessed as China-aligned due to the use of NVDA component DLL hijacking, Cobalt Strike, and C2 infrastructure registered via Kaopu Cloud and Cloudflare, which align with previously associated Chinese threat actor TTPs 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the **rapid adaptation of threat actors to geopolitical events**, using conflict-related lures to increase the credibility of their attacks 【1】. The observed **DLL hijacking techniques**, particularly involving legitimate binaries like Baidu NetDisk and NVDA components, are critical to monitor 【1】. The use of PlugX and Cobalt Strike indicates a focus on initial access, reconnaissance, and post-compromise activities 【1】.
  
  Key Indicators of Compromise (IOCs) provided include file hashes, IP addresses (185.219.220.73, 91.193.17.117), and a domain name (almersalstore[.]com) 【1】. These can be used to detect and block malicious activity associated with these campaigns. The broader targeting focus suggests that entities in the Middle East, particularly Qatar, should enhance their security posture in light of these evolving threats 【1】.
• Hunting Lazarus, Part 5: Eleven Hours on His Disk - Forensic examination of an active Lazarus Group operator machine: a target list of nearly 17,000 developers, six drained wallets.. - Red Asgard 🔍 Show Kagi Synopsis
  A cybersecurity analysis of a Lazarus Group operation, dubbed "Contagious Interview," has revealed a sophisticated campaign targeting crypto and Web3 developers. The operation involved fake job outreach, malware-laden repositories, and the draining of cryptocurrency wallets 【1】.
  
  **What Happened:**
  The analysis focused on a compromised MonoVM VPS (WIN-RCH83RTDA5G) captured in rescue mode. Investigators were able to preserve 69 GB of data from the disk, uncovering a comprehensive campaign infrastructure. This included established personas, fabricated companies, Git repositories, a list of 16,952 LinkedIn profiles, 159 victim directories, cryptocurrency seed phrases, and wallets. Data exfiltration was observed to be occurring via FTP 【1】. The investigation identified two distinct sessions: one by the Lazarus operator and another by the investigators, with an eleven-hour gap between the operator's last activity and the data preservation 【1】. The operator left behind significant traces, such as TrustWallet seeds, Telegram accounts, Nostr keys, and evidence of local AI tool usage 【1】.
  
  **Who is Affected:**
  The primary targets of the "Contagious Interview" campaign are **crypto and Web3 developers** 【1】. Victims have experienced their cryptocurrency wallets being drained, with investigators recovering six seed phrases 【1】. The operation also impacted numerous individuals globally through targeted LinkedIn outreach 【1】. Interestingly, the operator's own seed phrases and wallets were also exposed on the compromised host 【1】. Data exfiltration from victims occurred through stolen credentials and compromised project repositories 【1】.
  
  **Security Implications:**
  This operation highlights an **industrialized, end-to-end approach** by the Lazarus Group, encompassing persona architecture, the creation of fake companies, staged interviews, and credential harvesting 【1】. Significant operational security (OPSEC) failures were noted, including the storage of the operator's own sensitive cryptocurrency information on the compromised host 【1】. The use of local AI tooling suggests a move towards scalable processing capabilities 【1】. The explicit use of FTP for data exfiltration, the persistence and reuse of infrastructure, and the resilience of logs on rescue-mode images are also critical security considerations 【1】.
  
  **Technical Details:**
  The compromised system was a **Windows Server 2025** running on MonoVM 【1】. Key timestamps include a password reset in rescue mode at 05:20, operator login at 06:13, and additional RDP attempts between 06:18 and 06:30 【1】. Data exfiltration via `rsync` to a collection server was observed at 17:13 【1】. Artifacts discovered include an "EvilGru52" folder, seed phrases within Rabby Wallet, and six newly identified FTP servers (195.201.104.53, 144.172.89.198, and 216.126.227.239) 【1】. The analysis also identified 16,952 target LinkedIn URLs, the presence of AI tools like LM Studio and PaddleHub, a `trustwallet.txt` file containing seed phrases and keys, and evidence of Stargate cross-chain bridge activity 【1】. Telegram and Nostr artifacts were also found 【1】.
  
  **What Defenders Should Know:**
  Defenders should be prepared to **promptly isolate and image disks** from suspected compromised systems 【1】. It is crucial to monitor for any activity within rescue modes, and to **change credentials immediately** if such activity is detected 【1】. Securing backups is also paramount 【1】. Defenders should actively look for indicators such as fake personas, fake company domains, and malicious Git repositories 【1】. Monitoring for the installation and use of local AI tools is also recommended 【1】. Protecting seed phrases and wallet keys is of utmost importance, as is reviewing FTP endpoints and exfiltration patterns 【1】. Furthermore, hardening hosting provider rescue workflows, ensuring the principle of least privilege, and implementing multi-factor authentication (MFA) are essential preventative measures 【1】. Follow-up actions should include revoking operator access and scanning networks for similar infrastructure 【1】.
• New A0Backdoor Linked to Teams Impersonation and Quick Assist Social Engineering - BlueVoyant 🔍 Show Kagi Synopsis
  A recent cybersecurity campaign involves **social engineering tactics** to deploy a new backdoor named **A0Backdoor** 【1】. This attack begins with a flood of emails, followed by threat actors impersonating IT support on Microsoft Teams to persuade victims to grant remote access through **Quick Assist** 【1】.
  
  **Who is Affected:**
  The **finance and health sectors** are frequently targeted in this campaign 【1】. This is likely due to attackers leveraging open-source intelligence and the ability to impersonate IT support within collaborative platforms like Teams 【1】. The campaign has been active since at least August 2025 【1】.
  
  **Security Implications:**
  The A0Backdoor provides **persistent access** to compromised systems, enabling **data exfiltration** 【1】. The attackers are continuously evolving their methods to evade security measures, posing a significant and ongoing threat 【1】.
  
  **Technical Details of A0Backdoor:**
  - The backdoor utilizes a malicious `hostfxr.dll` file as a loader 【1】.
  - It incorporates techniques to evade sandboxes and debuggers 【1】.
  - A covert **DNS MX-based command-and-control (C2) channel** is employed, which restricts endpoint traffic to trusted recursive resolvers, making detection more challenging 【1】.
  - The backdoor decrypts its payload at runtime, gathers system information, and communicates using **DNS tunneling** 【1】.
  - Attackers use digitally signed MSI packages, often disguised as Microsoft or Teams components, hosted on Microsoft cloud storage and distributed via tokenized links 【1】.
  
  **What Defenders Should Know:**
  Defenders should be vigilant about the **social engineering methods** used, specifically the sequence of email floods followed by Teams-based impersonation offering IT support, leading to a request for Quick Assist 【1】. It is crucial to monitor for the use of legitimate-looking but malicious DLLs for sideloading and the adoption of stealthier DNS-based C2 communication channels 【1】. The campaign is associated with the threat group **Blitz Brigantine** (also known as Storm-1811, STAC5777) and affiliates of **Black Basta and Cactus** 【1】.
• FortiGate Edge Intrusions | Stolen Service Accounts Lead to Rogue Workstations and Deep AD Compromise - SentinelOne 🔍 Show Kagi Synopsis
  A cybersecurity incident involving **FortiGate Next-Generation Firewall (NGFW) appliances** has led to **deep Active Directory (AD) compromise** within affected organizations 【1】.
  
  **What Happened:**
  Attackers gained administrative access to FortiGate appliances, either through exploiting vulnerabilities or by using weak credentials. Once inside, they extracted configuration files that contained service account credentials. These credentials were then used to enroll **rogue workstations** into the Active Directory, deploy **Remote Monitoring and Management (RMM) tools**, and steal sensitive data, including the **NTDS.dit file** (which contains AD database information) 【1】.
  
  **Who is Affected:**
  **Organizations utilizing FortiGate appliances** are at risk, as are their **Active Directory environments and connected workstations** 【1】.
  
  **Security Implications:**
  The security implications are significant, allowing attackers to establish a **persistent presence** within the network, conduct **lateral movement**, and potentially **exfiltrate critical data** 【1】.
  
  **Technical Details:**
  The article highlights specific vulnerabilities exploited, including **CVE-2025-59718, CVE-2025-59719, and CVE-2026-24858** 【1】. Attackers leveraged the `mS-DS-MachineAccountQuota` attribute in AD to join unauthorized workstations to the domain. They also deployed RMM tools such as **Pulseway and MeshAgent** 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the aforementioned vulnerabilities and attacker tactics 【1】. Key recommendations include:
  - Implementing **strong administrative access controls** for FortiGate appliances.
  - Ensuring **FortiGate software is kept patched** and up-to-date 【1】.
  - Maintaining **sufficient log retention** (14-90 days) on FortiGate appliances 【1】.
  - **Forwarding logs to a Security Information and Event Management (SIEM)** system for real-time monitoring, anomaly detection, and evidence preservation 【1】.
  The article also provides detailed guidance on **forensic investigation** for FortiGate appliances, Domain Controllers, and Active Directory, along with specific **Indicators of Compromise (IOCs)**, such as malicious domains, IP addresses, URLs, and account names 【1】.
• Behind the console: Active phishing campaign targeting AWS console credentials | Datadog Security Labs - The content posted at the URL is controlled by **Datadog Security Labs**. The author of the article is **Martin McCloskey**. 🔍 Show Kagi Synopsis
  An active adversary-in-the-middle (AiTM) phishing campaign is targeting **AWS console credentials** by impersonating legitimate AWS sign-in pages. This campaign uses sophisticated techniques to mimic AWS infrastructure and capture user credentials, including one-time passwords (OTP) if used.
  
  **What Happened:**
  Attackers are employing typosquatted domains that appear to be legitimate AWS infrastructure. They utilize a real-time AiTM proxy to intercept AWS console credentials and session tokens. In some instances, attackers have gained unauthorized access to AWS accounts within 20 minutes of credentials being submitted, often originating from VPN connections 【1】.
  
  **Who is Affected:**
  This campaign directly impacts **users who access the AWS Management Console** 【1】.
  
  **Security Implications:**
  The primary security implication is the **unauthorized access to AWS accounts** due to stolen credentials. This can lead to severe consequences such as data breaches, manipulation of cloud resources, financial losses, and the broader compromise of cloud environments. The rapid post-compromise access observed highlights the immediate and significant threat posed by this campaign 【1】.
  
  **Technical Details:**
  The phishing kit is a high-fidelity replica of the AWS sign-in page, leveraging seemingly legitimate URLs and assets. It operates as a transparent reverse proxy, forwarding submitted credentials to the actual AWS endpoint and relaying the responses back to the user. The campaign employs multi-stage redirects, including AWS SES click-tracking domains, to obscure the true phishing destination. To enhance credibility, product landing pages are also served from the phishing domain. An administrative panel, likely used by attackers for real-time monitoring of captured credentials and campaign management, is exposed on TCP port 3000. The underlying infrastructure consists of multiple clusters of domains and IP addresses, sharing a common registrar, and exhibiting rapid rotation and anti-analysis measures 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that this campaign is **currently active and ongoing**. Key defensive measures include:
  - **Monitoring AWS CloudTrail** for suspicious authentication events, especially those originating from known phishing IP addresses or Mullvad VPN IPs 【1】.
  - **Detecting impossible travel scenarios** for ConsoleLogins, particularly for logins that do not involve multi-factor authentication (MFA) 【1】.
  - **Monitoring DNS activity** for the identified malicious domains 【1】.
  The article also provides specific detection rules and hunting queries for Datadog users. The identified malicious infrastructure has been reported to AWS for disruption 【1】.
• Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access - Salesforce Security has been tracking an increase in threat actor activity targeting misconfigurations - Salesforce 🔍 Show Kagi Synopsis
  A recent increase in threat actor activity has been observed, targeting misconfigurations in publicly accessible Experience Cloud sites. This activity exploits overly permissive guest user configurations to gain unauthorized access to data. Salesforce emphasizes that its platform remains secure, and the issue lies with customer-configured guest user settings, not a platform vulnerability 【1】.
  
  **Who is Affected:**
  Customers using Salesforce Experience Cloud sites that are publicly accessible are at risk. Specifically, those who utilize the guest user profile for unauthenticated visitors and have configured permissions to grant public access to objects and fields that are not intended to be public, contrary to Salesforce's recommended guidance 【1】.
  
  **Security Implications:**
  The primary security implication is the potential for unauthorized access to sensitive data. Threat actors are exploiting these misconfigurations to extract data such as names and phone numbers. This harvested data is then used for follow-on social engineering and phishing campaigns 【1】.
  
  **Technical Details:**
  A known threat actor group is using a custom version of the open-source Aura Inspector tool to scan public-facing Experience Cloud sites. This modified tool can extract data by exploiting overly permissive guest user settings. When a guest user profile, intended for unauthenticated access to public data, is misconfigured with excessive permissions, it allows threat actors to directly query Salesforce CRM objects without logging in 【1】. The exploitation specifically targets the `/s/sfsites/aura` endpoint 【1】.
  
  **What Defenders Should Know:**
  Defenders should take immediate action to secure their Experience Cloud guest user access. Key recommendations include:
  
  * **Audit Guest User Configurations:** Review and restrict guest user profiles to only the minimum necessary objects and fields required for site functionality. It is advised to start with no access and grant only what is strictly needed and tested 【1】.
  * **Set Org Wide Defaults to "Private":** Ensure that the Default External Access for all objects is set to "Private" in Sharing Settings. This requires explicit sharing rules for guest users to access any record 【1】.
  * **Disable Public APIs:** Uncheck "Allow guest users to access public APIs" in site settings and "API Enabled" in the guest user profile's System Permissions. This is a high-impact change that closes the Aura endpoint to unauthenticated API queries, which is the vector used in the current campaign 【1】.
  * **Restrict Visibility:** Uncheck "Portal User Visibility" and "Site User Visibility" 【1】.
  * **Disable Self-Registration:** If not required, disable self-registration for users 【1】.
  * **Monitor Event Monitoring Logs:** Review logs for unusual query volumes, anomalous access patterns (e.g., targeting unintended objects, spikes from unfamiliar IPs, access outside business hours) 【1】.
  * **Contact Salesforce Support:** If an environment is suspected to be affected, contact Salesforce Support immediately and complete the guest user audit steps 【1】.
  * **Add a Security Contact:** Designate a Security Contact in your organization for prompt communication if suspicious activity is detected 【1】.