🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Please, We Beg, Just One Weekend Free Of Appliances (Citrix NetScaler CVE-2026-3055 Memory Overread Part 2) - watchTowr 🔍 Show Kagi Synopsis
  **Citrix NetScaler appliances configured as SAML IDPs are affected by at least two memory overread vulnerabilities** identified under **CVE-2026-3055** 【1】. **In-the-wild exploitation has been observed since at least March 27th** 【1】.
  
  ### What Happened
  The vulnerabilities, collectively assigned CVE-2026-3055, allow for memory overreads on specific endpoints. The second vulnerability detailed in the article affects the `/wsfed/passive?wctx` endpoint 【1】. Exploitation occurs when a malformed request, specifically a `wctx` querystring parameter that is present but lacks an equals sign and value, is sent to a vulnerable appliance 【1】. This causes the appliance to access and leak memory associated with the variable, pointing to dead memory 【1】.
  
  ### Who is Affected
  **Citrix NetScaler appliances configured as SAML IDPs** are the primary targets of these vulnerabilities 【1】.
  
  ### Security Implications
  The leaked memory is base64-encoded and appears within the `NSC_TASS` cookie 【1】. This leaked memory can contain sensitive information, such as **administrative session IDs**, which could allow attackers to gain complete control of the appliance 【1】. The article emphasizes that exploitation is active and occurring in the wild 【1】.
  
  ### Technical Details
  The vulnerability is triggered by a request like `GET /wsfed/passive?wctx HTTP/1.1`. The appliance mistakenly checks for the presence of the `wctx` parameter without validating its associated data. Since there is no value, it accesses dead memory, leading to a memory leak 【1】. The leaked memory is then base64-encoded within the `NSC_TASS` cookie 【1】. A patched device will respond differently, typically with a `302 Object Moved` status, indicating successful mitigation 【1】.
  
  ### What Defenders Should Know
  Defenders need to be aware that **exploitation is actively happening in the wild** 【1】. It is crucial to identify vulnerable hosts within the environment. The article suggests using a provided **Detection Artifact Generator script** to aid in this identification process 【1】. The CVE-2026-3055 identifier encompasses at least two distinct memory overread vulnerabilities, indicating a broader issue with memory management on these appliances 【1】.
• K000156741: BIG-IP APM vulnerability CVE-2025-53521 - from Oct - previously a DoS with CVSS scores of 7.5 (CVSS v3.1) and 8.7 (CVSS v4.0) - re-categorized to an RCE with CVSS scores of 9.8 and 9.3 - F5 🔍 Show Kagi Synopsis
  A critical Remote Code Execution (RCE) vulnerability, identified as **CVE-2025-53521**, has been discovered in **BIG-IP APM** systems when an access policy is configured on a virtual server 【1】. This vulnerability allows an unauthenticated attacker to execute arbitrary code on the system 【1】.
  
  **Who is Affected:**
  The vulnerability impacts **BIG-IP APM** systems, including those in Appliance mode. The specific versions known to be vulnerable are:
  - **BIG-IP APM 17.x**: Versions 17.5.0 through 17.5.1, and 17.1.0 through 17.1.2 【1】.
  - **BIG-IP APM 16.x**: Versions 16.1.0 through 16.1.6 【1】.
  - **BIG-IP APM 15.x**: Versions 15.1.0 through 15.1.10 【1】.
  
  **Security Implications:**
  This vulnerability has severe security implications, as it has been **actively exploited in the wild** 【1】. It was initially categorized as a Denial-of-Service (DoS) vulnerability but has been re-categorized to an RCE with high CVSS scores: **9.8 (CVSS v3.1)** and **9.3 (CVSS v4.0)** 【1】. The exploitation allows for complete compromise of the affected BIG-IP systems, as it is a data plane issue with no control plane exposure 【1】.
  
  **Technical Details:**
  The vulnerability is related to the **apmd process** 【1】 and is classified under **CWE-770: Allocation of Resources Without Limits or Throttling** 【1】. The issue arises from specific malicious traffic that can trigger RCE when BIG-IP APM access policies are in place 【1】.
  
  **What Defenders Should Know:**
  - **Immediate Remediation is Crucial:** Defenders running vulnerable versions must **install a fixed version** as soon as possible. The fixed versions are listed in the article 【1】. If a fix is not available for a specific branch, F5 recommends upgrading to a version that includes the fix 【1】.
  - **Exploitation Confirmed:** Be aware that this vulnerability **has been exploited**, necessitating prompt action 【1】.
  - **Indicators of Compromise:** Review the **Indicators of Compromise (IOCs)** detailed in article K000160486 for systems that were upgraded from a vulnerable version to a fixed version, or are still running a vulnerable version 【1】.
  - **Clean Installation:** Systems that were initially set up with a **clean installation** using a fixed BIG-IP version are not vulnerable 【1】.
  - **Incident Handling:** If a system is suspected of being compromised, F5 strongly recommends **rebuilding the configuration from scratch**. UCS backups from compromised systems may contain persistent malware, and evidence collection and forensic procedures should be followed according to corporate security policies before attempting recovery 【1】.
  - **Mitigation:** There is **no mitigation** available for this vulnerability; patching is the only solution 【1】.
• Commission responds to cyber-attack on its Europa web platform - European Commission 🔍 Show Kagi Synopsis
  On **March 30, 2026**, the European Commission experienced a **cyber-attack on its Europa web platform** 【1】. The incident was detected, and initial containment measures were implemented, with an ongoing investigation into the specifics of the attack 【1】.
  
  **Who is affected:**
  The primary entity affected is the **European Commission** itself, specifically its public-facing **Europa web platform** 【1】. The article does not specify if any external users or their data were compromised.
  
  **Security implications:**
  The attack highlights the **vulnerability of critical public infrastructure** to cyber threats. The immediate implication is the need for robust security measures to protect the integrity and availability of the platform. The ongoing investigation suggests that the full scope of the security implications is still being assessed 【1】.
  
  **Technical details:**
  The article provides **limited technical details** regarding the nature of the cyber-attack. It only states that it was a "cyber-attack" and that the platform was targeted 【1】. Further technical specifics, such as the type of attack (e.g., DDoS, malware, phishing), the entry vector, or the extent of data exfiltration, are not disclosed in the provided information.
  
  **What defenders should know:**
  Defenders should be aware that **public-facing platforms of large organizations are attractive targets** for cyber-attacks 【1】. The incident underscores the importance of:
  - **Rapid detection and response capabilities** to contain attacks swiftly 【1】.
  - **Continuous monitoring and vulnerability assessment** of web platforms.
  - **Thorough investigation** to understand the attack vectors and mitigate future risks.
  - **Proactive security measures** to prevent such incidents from occurring.
• After Kaspersky was hit with sanctions (Jun 2024), a little company called Midori Trading started submitting Kaspersky drivers to be signed - **X Corp.** controls the content posted at the URL. Elon Musk established X Corp. in 2023 as the successor to Twitter, Inc. Since March 28, 2025, X Corp. has been a wholly owned subsidiary of xAI, which itself has been a subsidiary of SpaceX since February 2, 2026. 🔍 Show Kagi Synopsis
  On March 10, 2025, **Elon Musk's X platform experienced significant outages** that affected thousands of users 【2】. Musk claimed that the platform was under a "massive cyberattack" 【2】. However, the evidence from X and from attackers claiming credit for the incident was reportedly very limited 【1】.
  
  **Who is affected:**
  * **Thousands of users** of the X platform were unable to access the service during the outages 【2】.
  
  **Security implications:**
  * The incident highlights the **vulnerability of large social media platforms** to cyberattacks and the potential disruption they can cause 【2】.
  * It also raises questions about the **effectiveness of current cybersecurity defenses** when faced with sophisticated attacks, especially given the limited evidence of the attack's origin or scale 【1】.
  * The event underscores the broader challenges in **global information protection**, including cybercrime and critical infrastructure vulnerability 【3】.
  
  **Technical details:**
  * Specific technical details regarding the nature of the alleged "massive cyberattack" were not widely disclosed in the provided information. The limited evidence available suggests that the exact technical mechanisms and the extent of the attack remain unclear 【1】.
  
  **What defenders should know:**
  * **Incident Response is Crucial:** Organizations need robust cybersecurity incident response plans to effectively manage and mitigate the impact of cyber incidents 【5】.
  * **Threat Intelligence:** Staying informed about current cyber threats, including tactics, techniques, and procedures of threat actors, is essential for detection and mitigation 【4】.
  * **Resource Allocation:** There is a constant tradeoff between cybersecurity defense costs and revenue-generating activities. Companies often face understaffing and under-resourcing in their security operations, which can impact their ability to defend against attacks 【1】.
  * **Comprehensive Strategies:** Effective cybersecurity requires a combination of technological solutions, policy regulations, and public awareness to safeguard sensitive data 【3】.
  * **Continuous Learning:** The cybersecurity landscape is constantly evolving, necessitating continuous research and analysis to stay ahead of emerging trends and challenges 【6】.
• threat-modeling-mcp-server: A Model Context Protocol (MCP) server for comprehensive threat modeling with automatic code validation. - AWS Labs 🔍 Show Kagi Synopsis
  The provided article details the **Threat Modeling MCP Server**, a tool designed to automate and enhance the threat modeling process for software development.
  
  ### What Happened
  
  The article describes the development and functionality of the Threat Modeling MCP Server. It's a server that integrates with existing Large Language Model (LLM) clients like Amazon-Q, Kiro, or Cline to perform comprehensive threat modeling. The server automates various stages of threat modeling, including business context analysis, architecture analysis, threat actor identification, trust boundary analysis, asset flow analysis, and code security validation. It follows a structured approach, primarily using the **STRIDE methodology**, to identify and mitigate security risks. A key feature is its ability to automatically validate threats against the project's codebase, ensuring that identified vulnerabilities are either addressed or acknowledged.
  
  ### Who is Affected
  
  The primary users affected are **software developers, security engineers, and architects** involved in building and maintaining software systems. By automating and structuring the threat modeling process, this tool aims to improve the security posture of projects, making it more accessible and efficient for development teams.
  
  ### Security Implications
  
  The security implications are centered around **improving the overall security of software projects**.
  - **Proactive Risk Identification**: The tool helps in identifying potential security threats early in the development lifecycle.
  - **Automated Validation**: By validating threats against code, it ensures that security measures are not just theoretical but are implemented and effective.
  - **Structured Approach**: The adherence to methodologies like STRIDE reduces the likelihood of overlooking critical vulnerabilities.
  - **Business Context Integration**: Understanding business risks ensures that security efforts are prioritized based on business impact.
  - **Data Privacy**: The server operates locally, leveraging the client's existing LLM, which means sensitive project data is not sent to external APIs, enhancing data privacy and security.
  
  ### Technical Details
  
  - **Architecture**: The MCP Server acts as an intermediary, calling the client's existing LLM (e.g., Amazon-Q, Kiro, Cline) rather than making external API calls.
  - **Methodology**: It systematically follows the **STRIDE** framework (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) through distinct phases.
  - **Key Features**:
  - Business Context Analysis
  - Architecture Analysis
  - Threat Actor Analysis
  - Trust Boundary Analysis
  - Asset Flow Analysis
  - Threat Identification (STRIDE)
  - Mitigation Planning
  - **Automatic Code Security Validation**: This is a crucial feature where the server analyzes the codebase to validate identified threats and their mitigations.
  - Report Generation: Outputs reports in both **Markdown and JSON** formats.
  - **Installation**: Requires `uvx` and configuration within the MCP client's `mcp.json` file.
  - **Output Management**: All generated files are stored in a `.threatmodel` directory in the project root.
  - **Tools**: Offers over 100 tools categorized for various aspects of threat modeling, including assumption management, business context analysis, architecture analysis, threat actor analysis, trust boundary analysis, asset flow analysis, threat generation, and mitigation management.
  
  ### What Defenders Should Know
  
  Defenders should be aware that this tool provides a **structured and automated approach to threat modeling**.
  - **Leverage Automation**: Utilize the server's capabilities to automate repetitive tasks in threat modeling, freeing up human resources for more complex analysis.
  - **Integrate with Development Workflow**: The tool is designed to integrate with existing development environments and workflows, allowing for continuous threat modeling as code evolves.
  - **Focus on STRIDE and Phases**: Understand the phased approach and the STRIDE methodology to effectively guide the threat modeling process and interpret the results.
  - **Code Validation is Key**: Pay close attention to the code validation phase, as it provides a direct link between identified threats and actual code implementation, helping to confirm the effectiveness of security controls.
  - **Data Privacy**: Recognize that the server operates locally, minimizing the risk of sensitive data exposure to external parties.
  - **Customization**: The `autoApprove` configuration can be adjusted to require manual approval for tool calls, allowing for greater control over the process.
• defenseclaw: Security Governance for Agentic AI - Cisco AI Defense 🔍 Show Kagi Synopsis
  **DefenseClaw** is an enterprise governance layer designed to mitigate the security risks posed by AI agents, particularly those built on frameworks like **OpenClaw** 【1】.
  
  **What Happened:**
  The core issue addressed by DefenseClaw is that AI agents, due to their ability to install skills, interact with servers, execute code, and access networks, present significant attack surfaces. A malicious skill could lead to data exfiltration, a compromised server could inject harmful instructions, and generated code might contain vulnerabilities 【1】.
  
  **Who is Affected:**
  Organizations utilizing AI agents, especially those built on OpenClaw, are affected. The risks extend to the infrastructure these agents interact with and the data they process.
  
  **Security Implications:**
  The security implications are broad, including:
  - **Data Exfiltration:** Malicious skills can steal sensitive information 【1】.
  - **Code Injection:** Generated code may contain secrets or command injection vulnerabilities 【1】.
  - **Compromised Infrastructure:** Malicious actors could inject hidden instructions through compromised servers 【1】.
  - **Vulnerabilities in Agent-Created Code:** CodeGuard, a component of DefenseClaw, specifically targets vulnerabilities like hardcoded credentials, dangerous execution patterns, outbound networking, unsafe deserialization, SQL injection, weak cryptography, and path traversal in code written by agents 【1】.
  - **Prompt and Completion Risks:** LLM prompts and completions can be scanned for secrets, PII, and injection patterns 【1】.
  - **Tool Call Risks:** Tool calls can be evaluated against categories like secrets, dangerous commands, sensitive paths, command-and-control hosts, cognitive files, and trust exploits 【1】.
  
  **Technical Details:**
  DefenseClaw operates through a multi-component architecture:
  - **CLI (Python):** Used for operator interaction, running scanners, and managing block/allow lists 【1】.
  - **Gateway (Go):** The central daemon that handles APIs, policy enforcement, inspection, logging, and SIEM export 【1】.
  - **Plugin (TypeScript):** Integrates with OpenClaw to intercept tool calls via a `before_tool_call` hook 【1】.
  
  Key capabilities include:
  - **Component Scanning:** DefenseClaw scans skills, MCP servers, and plugins before execution. Findings are ranked by severity, leading to blocking (HIGH/CRITICAL), installation with a warning (MEDIUM/LOW), or allowing the component 【1】.
  - **CodeGuard:** A static analysis engine that scans source files for specific vulnerabilities using regex rules 【1】.
  - **Runtime Inspection:**
  - **Message Inspection:** A guardrail proxy scans LLM prompts and completions for sensitive data and injection patterns, operating in either "observe" (log only) or "action" (block) mode 【1】.
  - **Tool Inspection:** Evaluates tool names and arguments against predefined rule categories. For write/edit tools, CodeGuard is also applied to the content 【1】.
  - **SIEM Integration:** Supports integration with Splunk HEC and OTLP export for logging and monitoring 【1】.
  
  **What Defenders Should Know:**
  Defenders can configure guardrails by blocking or allowing specific tools and by enabling "action" mode for the guardrail. In "action" mode, DefenseClaw actively blocks flagged prompts and responses. The severity thresholds for these actions can be configured 【1】. The system logs all outcomes, which can be forwarded to SIEM for comprehensive monitoring and incident response 【1】.
• efiguard-detected: the dumbest way to detect efiguard - Mattiwatti 🔍 Show Kagi Synopsis
  The `efiguard-detected` tool is designed to identify if **EfiGuard** has successfully disabled **PatchGuard** on a system 【1】.
  
  **What Happened:**
  EfiGuard, a security tool, leaves a runtime backdoor via the `SetVariable` function. The `efiguard-detected` tool interacts with this backdoor by attempting to read two bytes from the base of `ntoskrnl`. If the response is "MZ" (the typical start of a Windows executable file), it confirms that the backdoor is active, EfiGuard has executed its function, and PatchGuard has been disabled 【1】.
  
  **Who is Affected:**
  This detection method specifically affects users who have chosen the default DSE bypass method in EfiGuard, which is `DSE_DISABLE_SETVARIABLE_HOOK` 【1】.
  
  **Security Implications:**
  The primary security implication is the **disabling of PatchGuard**. PatchGuard is a critical Windows security feature designed to protect the kernel from unauthorized modifications. When PatchGuard is disabled, it opens the door for malicious software to tamper with the operating system's core components, potentially leading to system instability, data breaches, and complete system compromise.
  
  **Technical Details:**
  - The `efiguard-detected` tool operates from user mode 【1】.
  - It exploits a `SetVariable` backdoor intentionally left by EfiGuard 【1】.
  - The tool reads two bytes from the `ntoskrnl` base address 【1】.
  - A successful detection returns "MZ", indicating the backdoor is active and PatchGuard is disabled 【1】.
  - The tool requires **administrator privileges** and the `SeSystemEnvironmentPrivilege` to function 【1】.
  
  **What Defenders Should Know:**
  - This detection method is **not foolproof**. It will only work if the `DSE_DISABLE_SETVARIABLE_HOOK` bypass method was used by EfiGuard.
  - If the `DSE_DISABLE_AT_BOOT` method was employed, the hook is removed during `ExitBootServices`, making it **impossible to detect PatchGuard's disablement from user mode** 【1】.
  - Defenders should be aware that the presence of this backdoor indicates a compromised system where core security mechanisms may have been bypassed.
• Reverse engineering Apple’s silent security fixes - **Calif** 🔍 Show Kagi Synopsis
  On March 17, 2026, Apple replaced Rapid Security Responses (RSR) with **Background Security Improvements (BSI)**, starting with iOS 26.1, iPadOS 26.1, and macOS 26.1 【1】. These updates are installed silently, without user interaction 【1】.
  
  ### What Happened
  
  Apple released four BSI updates across iOS, iPadOS, and macOS 【1】. The article reverse-engineered the iOS update to examine its contents. While Apple publicly disclosed one fix for a WebKit vulnerability (CVE-2026-20643), the analysis revealed at least two additional security-relevant changes that were not included in the official advisory 【1】 【1】.
  
  ### Who is Affected
  
  **All users of iOS, iPadOS, and macOS** are affected by these updates, as the BSI mechanism is designed to be applied silently to all devices running compatible operating systems 【1】.
  
  ### Security Implications
  
  The BSI updates address several security concerns:
  
  * **Navigation API Same-Origin Bypass (CVE-2026-20643):** This vulnerability allowed a malicious script on one origin to intercept navigations to another origin if they shared the same scheme, host, and user/password, but differed in port 【1】. The fix ensures that navigations to different ports are correctly blocked 【1】.
  * **WebGL Integer Overflow in ANGLE:** An integer overflow vulnerability existed in the ANGLE graphics engine, specifically in the `ProvokingVertexHelper::generateIndexBuffer` method. This could lead to an undersized index buffer being allocated, potentially causing out-of-bounds GPU reads during WebGL draw calls 【1】. The update adds checks to prevent this overflow 【1】.
  * **ServiceWorker Registration Lifetime Hardening:** Changes were made to the ServiceWorker implementation to address potential dangling-reference issues in a concurrent context. This involved strengthening references to `SWServerRegistration` objects, preventing their deallocation while in use 【1】. This fix appears to be an Apple-internal patch not yet present in public WebKit code 【1】.
  
  ### Technical Details
  
  BSIs function similarly to RSRs by patching "cryptexes," which are sealed disk images containing components like Safari, WebKit, and system libraries 【1】. Instead of modifying the main operating system, BSIs apply binary diffs to these cryptex images 【1】.
  
  The process involves:
  1. Downloading the base OS OTA (Over-The-Air) update 【1】.
  2. Extracting the base cryptex volumes (e.g., `cryptex-system-arm64e` and `cryptex-app`) 【1】 【1】.
  3. Applying the BSI patch to these extracted volumes to create updated DMG files 【1】.
  
  The BSI package itself contains `image_patches` for the system and app cryptexes, along with reverse patches for potential rollbacks 【1】. The update size was approximately 26.5 MiB 【1】.
  
  ### What Defenders Should Know
  
  * **Silent Updates:** Defenders should be aware that Apple is now deploying security fixes silently via BSI, meaning users may not be prompted for installation 【1】.
  * **Undisclosed Fixes:** Not all security-relevant changes are disclosed in Apple's CVE advisories. The analysis found two significant security improvements (WebGL overflow and ServiceWorker hardening) that were not publicly announced 【1】 【1】.
  * **Reverse Engineering Tools:** Tools like `ipsw` (for OTA patching and diffing) and disassemblers like IDA Pro are valuable for understanding the specifics of these updates and identifying undisclosed changes 【1】.
  * **Focus on WebKit and System Libraries:** BSIs continue to target critical components like WebKit and system libraries, highlighting their importance as attack surfaces 【1】.
• ligolo-iwa: A Ligolo-ng JavaScript agent working inside Chrome/Edge by leveraging Isolated Web Applications - Advanced network tunneling through browser isolation. Bypass EDR detection etc. - GitHub user nicocha30 🔍 Show Kagi Synopsis
  The cybersecurity article discusses **Ligolo-IWA**, a JavaScript agent designed to operate within Chrome and Edge browsers by utilizing **Isolated Web Applications (IWAs)** 【1】.
  
  **What Happened:**
  Ligolo-IWA is a new development that allows the Ligolo-ng agent to run directly inside modern web browsers like Chrome and Edge 【1】. This integration leverages the security features of Isolated Web Applications to enable the agent's functionality within the browser environment 【1】.
  
  **Who is Affected:**
  Users of **Google Chrome (version 120 or later)** and **Microsoft Edge** are potentially affected, as these are the browsers where Ligolo-IWA can be installed and run 【1】.
  
  **Security Implications:**
  The primary security implication is the ability for a malicious actor to potentially run a powerful agent like Ligolo-ng directly within a user's browser. This could lead to:
  - **Data exfiltration:** Accessing and stealing sensitive information stored or processed by the browser.
  - **System compromise:** Depending on the agent's capabilities and the browser's permissions, it might be used to gain further access to the underlying operating system.
  - **Persistence:** IWAs, once installed, can offer a degree of persistence, making them harder to remove than typical web-based threats.
  
  **Technical Details:**
  Ligolo-IWA works by packaging the Ligolo-ng agent as a signed Isolated Web App bundle (`.swbn`) 【1】. This bundle can then be installed on compatible browsers through their respective developer or internal testing interfaces (e.g., `chrome://web-app-internals` or `edge://web-app-internals`) after enabling a specific development mode flag 【1】. The agent's functionality is executed within the isolated environment provided by the IWA 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the following:
  - **Emerging Threat Vector:** Ligolo-IWA represents a new way for sophisticated agents to be deployed, potentially bypassing traditional network-based defenses.
  - **Browser Security:** The security of this attack relies on the installation of the IWA. Users should be cautious about installing any unsigned or untrusted IWAs.
  - **Endpoint Detection:** Security solutions on endpoints need to be capable of detecting the installation and execution of unauthorized IWAs and the subsequent activity of agents like Ligolo-ng within the browser.
  - **IWA Management:** Organizations should have policies and technical controls in place to manage and restrict the installation of IWAs on corporate devices.
  - **Browser Updates:** Keeping browsers updated to the latest versions is crucial, as security patches may address vulnerabilities related to IWA handling.
• Building a Firewall ...via Endpoint Security!? On macOS - The content posted at the URL is controlled by **Patrick Wardle** and the **Objective-See Foundation**. 🔍 Show Kagi Synopsis
  The cybersecurity article details the discovery and analysis of new, undocumented Endpoint Security (ES) events in macOS 26.4, specifically `ES_EVENT_TYPE_RESERVED_5` and `ES_EVENT_TYPE_RESERVED_6`. These events provide a new mechanism for security tools to monitor network connections.
  
  **What Happened:**
  Apple introduced several new ES events in macOS 26.4, but unlike previous releases, these were undocumented and labeled as `ES_EVENT_TYPE_RESERVED_*` 【1】 【1】. The author investigated these events, focusing on `ES_EVENT_TYPE_RESERVED_5` and `ES_EVENT_TYPE_RESERVED_6`, and discovered they are related to network connections 【1】 【1】. Specifically, `ES_EVENT_TYPE_RESERVED_5` acts as an **authorization (AUTH)** event that fires before an outbound network connection is made, allowing security tools to permit or deny it. `ES_EVENT_TYPE_RESERVED_6` is a **notification (NOTIFY)** event that fires after the connection attempt, providing informational details 【1】 【1】. These events are generated by processes like `mDNSResponder`, which handles DNS resolution 【1】. The raw data of these events was reverse-engineered to reveal structures containing information such as the destination hostname, resolved IP address, and address family 【1】 【1】.
  
  **Who is Affected:**
  **All macOS users running version 26.4 or later** are potentially affected, as these new ES events can be leveraged by security software. Developers of security tools, particularly those focused on network monitoring and firewalls, are directly impacted by this discovery.
  
  **Security Implications:**
  These new ES events offer a **significant new hook for network monitoring and control**. Security tools can now intercept and potentially block outbound network connections before they are established 【1】 【1】. This provides a more granular level of control compared to relying solely on Network Extensions, which are more complex and resource-intensive 【1】 【1】. The ability to monitor network activity at this level can enhance the detection of malicious communications and unauthorized data exfiltration.
  
  **Technical Details:**
  - **Event Types:** `ES_EVENT_TYPE_RESERVED_5` (AUTH) and `ES_EVENT_TYPE_RESERVED_6` (NOTIFY) 【1】.
  - **Functionality:** `RESERVED_5` allows for authorization of outbound network connections, while `RESERVED_6` provides post-connection notification 【1】.
  - **Data Structure:** Reverse-engineered structure includes fields for `address_family`, `resolved_ip`, `hostname`, and in `NOTIFY` events, the `resolver_path` 【1】 【1】.
  - **Originating Process:** The events are associated with the process initiating the network connection, such as `curl` or `mDNSResponder` 【1】 【1】.
  - **Deadline:** `AUTH` events (`RESERVED_5`) have a **15-second deadline** for a response 【1】 【1】. Failure to respond within this timeframe can lead to the termination of the ES client.
  - **Entitlement:** Using these events requires the `com.apple.developer.endpoint-security.client` entitlement, which must be granted by Apple 【1】 【1】.
  
  **What Defenders Should Know:**
  - **New Monitoring Capabilities:** Security tools can now leverage these undocumented ES events for network monitoring, potentially replacing the need for more complex Network Extensions for basic network visibility 【1】 【1】.
  - **Undocumented Nature:** These events are **undocumented by Apple**, and their use in production environments may be discouraged or unsupported 【1】 【1】. Apple may change or remove these events in future macOS updates.
  - **Response Deadline:** The **15-second deadline for AUTH events** is a critical consideration. Defenders must implement efficient logic to respond within this window, as exceeding it can cause the security tool to be terminated 【1】 【1】. This deadline may be too short for interactive firewall prompts.
  - **Entitlement Requirement:** Access to these events requires a specific entitlement from Apple, which may be a barrier for some developers 【1】 【1】.
  - **Limitations:** These ES events are not suitable for deep packet inspection or complex network actions like traffic proxying, for which Network Extensions remain necessary 【1】.
• Exploring cross-domain & cross-forest RBCD - Synacktiv 🔍 Show Kagi Synopsis
  This article details the **Resource-Based Constrained Delegation (RBCD)** attack, specifically focusing on its implementation in **cross-domain and cross-forest environments** 【1】. While RBCD is a known attack vector within a single domain, its application across different domains or forests is less documented 【1】. The authors encountered a scenario where they could modify the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of a server in one domain but only possessed credentials for a child domain, and existing tools like Impacket did not support this cross-domain attack 【1】.
  
  ### What Happened
  
  The core of the attack involves an attacker modifying the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of a machine account. This allows the attacker to impersonate users on that machine 【1】. The article demonstrates how this can be achieved in a cross-domain setting, where an attacker with an account in a child domain can gain delegation rights on a resource in the parent domain 【1】. This is accomplished by first establishing delegation rights on a target machine (e.g., a workstation) using an NTLM relay attack with Impacket's `ntlmrelayx.py` script 【1】. Subsequently, the attacker leverages Kerberos protocol features, specifically S4U2Self and S4U2Proxy, to impersonate a target user and gain access to the compromised machine 【1】.
  
  ### Who is Affected
  
  The attack affects **Active Directory environments with multiple domains or forests** 【1】. Specifically, any machine account whose `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute can be modified by an attacker is vulnerable. This could include workstations, servers, or domain controllers, depending on the attacker's initial access and privileges 【1】. The scenario described involves an attacker with access to a child domain attempting to compromise resources in a parent domain 【1】.
  
  ### Security Implications
  
  The primary security implication is **unauthorized user impersonation and privilege escalation** 【1】. By successfully executing a cross-domain RBCD attack, an attacker can impersonate privileged users (e.g., administrators) on target machines 【1】. This can lead to:
  - **Lateral movement** within the network.
  - **Access to sensitive data** stored on the compromised machine.
  - **Further compromise** of domain controllers or other critical infrastructure.
  - **Complete domain takeover** in severe cases.
  
  The ability to perform this attack across domains means that an attacker who gains a foothold in a less secure child domain could potentially compromise more critical resources in a parent domain 【1】.
  
  ### Technical Details
  
  The attack involves several technical steps:
  1. **Establishing Delegation Rights**: An attacker first needs to gain the ability to modify the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute of a target machine account. This is often achieved through an NTLM relay attack, where tools like Impacket's `ntlmrelayx.py` are used to relay authentication and modify Active Directory object attributes 【1】. In a cross-domain scenario, the attacker might use the SID of the machine account from the child domain when configuring these rights on the parent domain's resource 【1】.
  2. **Kerberos Exploitation (S4U)**: Once delegation is set up, the attacker uses Kerberos functionalities to impersonate a user. The process, as implemented by tools like Rubeus, involves:
  * Obtaining a Ticket Granting Ticket (TGT) for the attacker's machine account in its own domain (e.g., `rbcd_test$@dev.asgard.local`) 【1】.
  * Requesting a referral TGT from the attacker's domain controller to the target domain controller 【1】.
  * Using S4U2Self to obtain a service ticket (ST) for a target user (e.g., `thor_adm@asgard.local`) on the target domain controller 【1】.
  * Using S4U2Self again to obtain an ST for the attacker's machine account, acting on behalf of the target user, from the attacker's domain controller 【1】.
  * Employing S4U2Proxy twice to obtain a final service ticket for the target user on the target service (e.g., CIFS on the workstation) 【1】.
  3. **Accessing Resources**: With the final service ticket, the attacker can access resources on the target machine, such as network shares (e.g., `\\workstation.asgard.local\c$`) 【1】.
  
  The article provides a detailed example using a lab setup with two domains, `asgard.local` and `dev.asgard.local`, demonstrating the creation of a computer object in the child domain and configuring delegation on a workstation in the parent domain 【1】. The Rubeus tool is shown executing the cross-domain RBCD attack, including the specific command-line arguments and the resulting successful ticket import 【1】.
  
  ### What Defenders Should Know
  
  Defenders should be aware of the following to mitigate this attack:
  * **Monitor `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute modifications**: This attribute is critical for RBCD. Any unauthorized changes to this attribute, especially on high-value machine accounts, should trigger alerts 【1】.
  * **Understand Cross-Domain Trust Relationships**: Be aware of how delegation is configured across domain trusts. Insecure configurations can be exploited 【1】.
  * **Audit Kerberos Activity**: Monitor Kerberos authentication logs for unusual S4U (Service for User) requests, especially those involving cross-domain or cross-forest interactions that do not align with legitimate administrative activities 【1】.
  * **Limit Machine Account Privileges**: Restrict the ability of machine accounts to modify Active Directory objects, particularly the `msDS-AllowedToActOnBehalfOfOtherIdentity` attribute.
  * **Implement Strong NTLM Relay Defenses**: NTLM relay attacks are often a precursor to setting up RBCD. Defenses against NTLM relay attacks, such as Extended Protection for Authentication (EPA) and disabling NTLM where possible, are crucial 【1】.
  * **Regularly review delegation settings**: Periodically audit and review all delegation configurations within the Active Directory environment to ensure they are still necessary and correctly configured.
• EtherRAT & SYS_INFO Module: C2 on Ethereum (EtherHiding), Target Selection, CDN-Like Beacons - eSentire 🔍 Show Kagi Synopsis
  In March 2026, a sophisticated Node.js-based backdoor named **EtherRAT** was detected in a customer's environment within the **Retail industry** 【1】. This malware is believed to be linked to a **North Korean advanced persistent threat (APT) group** due to its similarities with known tactics, techniques, and procedures (TTPs) 【1】.
  
  **What Happened:**
  EtherRAT was deployed onto compromised systems, allowing threat actors to execute arbitrary commands, gather extensive system information, and steal sensitive data such as cryptocurrency wallets and cloud credentials 【1】. The malware employs a novel Command-and-Control (C2) communication method called "EtherHiding," which utilizes **Ethereum smart contracts** to store and update C2 addresses, making them resilient to takedowns 【1】. After obtaining the C2 address from the blockchain, EtherRAT communicates with the C2 server through **CDN-like beaconing** to avoid detection 【1】. The attack progression begins with initial access, followed by the deployment of EtherRAT and a "SYS_INFO" module for host fingerprinting, which aids in target selection for further payloads 【1】.
  
  **Who is Affected:**
  The initial detection occurred in the **Retail industry** 【1】. However, the associated Ethereum smart contract address has also been linked to attacks against customers in the **Business Services, Software, and Finance industries** 【1】.
  
  **Security Implications:**
  EtherRAT poses significant security risks due to its ability to:
  - **Execute arbitrary commands** on compromised hosts 【1】.
  - **Steal valuable assets** like cryptocurrency wallets and cloud credentials 【1】.
  - **Evade detection** through resilient C2 infrastructure and CDN-like beaconing 【1】.
  - **Establish persistence** on infected systems via registry modifications 【1】.
  - **Reobfuscate itself** by sending its source code to the C2 for modification and then overwriting itself 【1】.
  
  **Technical Details:**
  - **Initial Access:** Observed vectors include "ClickFix" and "IT Support scams" often conducted over Microsoft Teams, utilizing tools like QuickAssist 【1】. The ClickFix command leverages LOLBins such as `pcalua.exe` and `mshta.exe` to execute malicious HTA scripts 【1】.
  - **Obfuscation:** EtherRAT and its preceding stages are obfuscated using **Obfuscator.io** 【1】.
  - **Persistence:** Persistence is established by creating a registry value in the **HKCU Run key** using `reg.exe` 【1】.
  - **C2 Communication (EtherHiding):** C2 addresses are stored in **Ethereum smart contracts** (e.g., `0xe26c57b7fa8de030238b0a71b3d063397ac127d3`) 【1】. EtherRAT queries multiple **RPC providers** (e.g., `https://eth.llamarpc.com`, `https://mainnet.gateway.tenderly.co`) to retrieve the most common C2 address 【1】.
  - **Beaconing:** EtherRAT crafts beacon URLs that mimic benign CDN requests, using paths like `/api/`, random hexadecimal directories, UUIDs, and common file extensions (e.g., `.ico`, `.png`, `.jpg`) 【1】. Communication occurs over **HTTPS with TLS 1.3** 【1】.
  - **SYS_INFO Module:** This module is delivered via C2 and performs extensive host fingerprinting to aid in target selection 【1】.
  - **Reobfuscation:** EtherRAT can send its source code to the C2 for reobfuscation and then overwrites itself with the modified code 【1】.
  
  **What Defenders Should Know:**
  - **Detection:** Monitor for the use of LOLBins like `pcalua.exe` and `mshta.exe` in initial access chains. Be aware of obfuscated Node.js scripts, particularly those employing techniques similar to Obfuscator.io 【1】.
  - **C2 Resilience:** Understand that C2 infrastructure can be highly resilient due to the use of Ethereum smart contracts for address updates. Network traffic may appear as legitimate CDN requests 【1】.
  - **Network Traffic Analysis:** Due to TLS 1.3 encryption, traditional PCAP analysis of HTTP traffic may be insufficient. Enabling debug logging within EtherRAT (by modifying the script to set `debug logging` to true) can aid in analysis 【1】.
  - **Persistence Mechanisms:** Look for persistence established via the HKCU Run key using `reg.exe` 【1】.
  - **Deobfuscation Tools:** For analyzing obfuscated scripts, a forked repository of the Obfuscator.io deobfuscator can be utilized 【1】.