🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• iron-proxy: An egress firewall for untrusted workloads. - ironsh 🔍 Show Kagi Synopsis
  **iron-proxy** is a security tool designed to mitigate risks associated with untrusted workloads, such as CI jobs, AI coding agents, and sandboxed containers, making arbitrary outbound network requests 【1】. These requests can lead to the exfiltration of sensitive information, unauthorized communication, or the establishment of reverse shells, often due to compromised dependencies, prompt injection, or malicious build steps 【1】. Many teams lack the visibility and control to prevent such activities 【1】.
  
  **Who is Affected:**
  The primary users and beneficiaries of iron-proxy are teams and organizations that run untrusted code in environments like CI pipelines, GitHub Actions, and AI agent platforms 【1】. This includes developers and security professionals concerned about the security of their build and deployment processes, as well as the integrity of AI-driven coding tools 【1】.
  
  **Security Implications:**
  The core security implication addressed by iron-proxy is the prevention of **unauthorized data exfiltration and command execution** from untrusted workloads 【1】. By acting as a Man-in-the-Middle (MITM) egress proxy with a built-in DNS server, iron-proxy enforces a **default-deny policy** for all outbound network traffic 【1】. This means that workloads can only access explicitly allowed domains, significantly reducing the attack surface 【1】. Furthermore, iron-proxy implements **boundary-level secret injection**, where sensitive credentials are not directly exposed to the workload. Instead, workloads use proxy tokens, which iron-proxy replaces with actual credentials only at the point of egress 【1】. This ensures that even if a workload is compromised, the exfiltrated tokens are worthless outside the proxy's control 【1】.
  
  **Technical Details:**
  iron-proxy functions by running both a DNS server and an HTTP/HTTPS proxy 【1】. When a container's DNS is configured to point to iron-proxy, all hostname lookups are resolved to the proxy's IP address, thereby routing all traffic through it 【1】. The proxy then terminates TLS connections by generating leaf certificates on the fly, signed by a Certificate Authority (CA) provided by the defender 【1】. The request then passes through an ordered transform pipeline, which can include allowlisting and secret injection, before being forwarded upstream 【1】. The response follows the same pipeline 【1】. Key features include:
  - **Default-deny egress:** Blocks all outbound requests unless they match an allowlist 【1】.
  - **Boundary-level secret injection:** Prevents real secrets from entering the sandbox 【1】.
  - **Per-request audit trail:** Logs every request with detailed transform results in structured JSON format 【1】.
  - **Streaming-aware proxying:** Natively handles protocols like WebSockets and Server-Sent Events 【1】.
  
  **What Defenders Should Know:**
  Defenders need to implement iron-proxy by first generating a **Certificate Authority (CA)**, which involves creating a private key and a self-signed certificate 【1】. This CA is crucial for iron-proxy to sign the dynamic leaf certificates used for TLS termination 【1】. Client containers must be configured to **trust this CA** 【1】.
  
  To route container traffic through iron-proxy, defenders can employ **DNS-based routing**, directing container DNS queries to iron-proxy's IP 【1】. For more robust enforcement, **nftables rules** can be used to block any non-proxy egress traffic, or **TPROXY** can be utilized for kernel-level interception, ensuring all container traffic is funneled through iron-proxy for inspection and control 【1】. The configuration is designed to be straightforward, often requiring a single binary and a single YAML configuration file 【1】.
• If you think you blocked NTLMv1 in your org, think again - **Silverfort** controls the content posted at the provided URL . 🔍 Show Kagi Synopsis
  A bypass for the Group Policy designed to disable **NTLMv1 authentication in Active Directory** has been discovered, allowing attackers to exploit misconfigurations in on-prem applications to force NTLMv1 authentications even when the policy is set to block them 【1】. This creates a false sense of security for organizations 【1】.
  
  **Who is affected:**
  - Organizations using **third-party or homegrown on-prem applications** 【1】.
  - Environments that **do not strictly use Windows machines** 【1】.
  - Any environment where **NTLMv1 is still in use**, particularly those relying solely on Group Policy for protection 【1】.
  
  **Security Implications:**
  - **Credential theft** through the interception and offline cracking of NTLMv1 hashes 【1】.
  - Enables **replay or relay attacks** 【1】.
  - Facilitates **lateral movement** across the network and **privilege escalation** within Active Directory 【1】.
  - NTLMv1 is inherently insecure due to **weak encryption and lack of modern security features** 【1】.
  
  **Technical Details:**
  - The enforcement of NTLM policies is managed by the **Netlogon Remote Protocol (MS-NRPC)** 【1】.
  - A field within the `NETLOGON_LOGON_IDENTITY_INFO` structure, named `ParameterControl`, contains a flag that can **explicitly allow NTLMv1 authentication**, overriding Group Policy settings 【1】.
  - Proof-of-concept applications have demonstrated that setting this flag can force and gain acceptance of NTLMv1 traffic by Domain Controllers 【1】.
  
  **What Defenders Should Know:**
  - **Microsoft has acknowledged this behavior** but does not classify it as a vulnerability 【1】.
  - **NTLMv1 support will be completely removed** starting with Windows 11 version 24H2 and Windows Server 2025 【1】.
  - Until the complete removal, organizations must implement measures beyond Group Policy:
  - **Enable audit logs** for all NTLM authentications 【1】.
  - **Map applications** that utilize NTLM 【1】.
  - **Detect vulnerable applications** requesting NTLMv1 messages 【1】.
  - **Enforce modern authentication methods** such as MFA and risk-based access controls on all NTLM authentications 【1】.
• log-horizon: Microsoft Sentinel SIEM Log Source Analyzer - The GitHub repository is controlled by infernux. 🔍 Show Kagi Synopsis
  The cybersecurity article describes **Log Horizon**, a tool designed to analyze Microsoft Sentinel SIEM log sources to determine their value and recommend optimal log ingestion.
  
  **What Happened:**
  The tool was developed to address the recurring need to understand the value derived from ingested logs and to identify recommended logs for Microsoft Sentinel. It analyzes log tables within a Microsoft Sentinel workspace, and optionally Defender XDR, to assess their security value and cost-effectiveness.
  
  **Who is Affected:**
  The tool is relevant to organizations using **Microsoft Sentinel** for their Security Information and Event Management (SIEM) needs. This includes security operations teams, IT administrators, and anyone responsible for managing log ingestion, security monitoring, and cost optimization within their SIEM environment.
  
  **Security Implications:**
  Log Horizon helps identify security implications by:
  - **Classifying log tables** into primary (directly used for detections) and secondary (supporting telemetry) security data 【1】.
  - **Mapping analytics rules, hunting queries, and XDR detections** to each table to highlight **coverage gaps** 【1】.
  - **Identifying tables that should be ingested but are missing** based on vendor/product keywords 【1】.
  - **Flagging tables with zero detections**, which may indicate missed security events or unnecessary ingestion 【1】.
  - **Assessing retention compliance** against industry standards and security best practices 【1】.
  
  **Technical Details:**
  Log Horizon operates in four phases 【1】:
  1. **Data Collection:** It connects to Azure and pulls data from the Log Analytics and Security Insights APIs, gathering information on table usage, ingestion volume, active detection rules, hunting queries, data connectors, SOC optimization recommendations, table retention, and Defender XDR configurations (optional) 【1】.
  2. **Classification:** It uses a knowledge base of over 344 entries covering 190+ connectors and 21 categories. If a table isn't found in the knowledge base, heuristic rules based on table names (e.g., "Alert," "Audit," "Signin") and usage patterns are applied 【1】.
  3. **Cost-Value Scoring:** It assesses each table's cost tier against its detection tier using a matrix, providing a combined assessment from "High Value" to "Low Value" 【1】.
  4. **Interactive Dashboard:** The tool presents findings in a Text-based User Interface (TUI) offering analysis and concrete recommendations, including estimated savings 【1】.
  
  It can also discover Data Collection Rules (DCRs) and classify ingest-time transforms (filter, projection, enrichment, aggregation) and identify `_SPLT_CL` split tables 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that Log Horizon provides a **generic approach** to log analysis, and their specific environmental context should always take precedence over the tool's recommendations 【1】. Key takeaways for defenders include:
  - **Prioritize primary security data:** Understand which logs are crucial for building detections (e.g., Sign-in logs, security alerts, EDR telemetry) versus supporting telemetry (e.g., performance metrics, infrastructure diagnostics) 【1】.
  - **Optimize costs:** Identify "zero-detection" tables, XDR streaming waste, and opportunities for ingest-time filtering or shorter retention periods to reduce SIEM costs 【1】.
  - **Enhance detection coverage:** Use the tool to spot gaps in detection rules and identify missing log sources that could provide valuable security insights 【1】.
  - **Leverage Microsoft's recommendations:** The tool incorporates Microsoft's own SOC improvement recommendations from the Security Insights API 【1】.
  - **Keyword analysis:** Utilize keyword searches to ensure all relevant logs from specific vendors or products are being ingested 【1】.
• The Federal Bureau of Investigation (FBI) is releasing this Public Service Announcement to highlight data security risks associated with foreign-developed mobile applications (apps) frequently used - Federal Bureau of Investigation (FBI) 🔍 Show Kagi Synopsis
  The FBI has issued a Public Service Announcement (PSA) regarding the **data security risks associated with foreign-developed mobile applications**, particularly those originating from China, which are commonly used in the United States 【1】.
  
  **What Happened:**
  The PSA highlights that these foreign-developed mobile applications can collect a significant amount of user data. This data can include personal information and contact lists. Crucially, these apps are subject to the national security laws of their country of origin, which could allow foreign governments access to the collected user data 【1】.
  
  **Who is Affected:**
  **Users in the United States** who download and use these foreign-developed mobile applications are affected. The risks are amplified when users grant default permissions to these apps, allowing for extensive data collection 【1】.
  
  **Security Implications:**
  The security implications are significant and include:
  - **Persistent Data Collection:** Apps may continuously gather user data without explicit ongoing consent 【1】.
  - **Storage on Foreign Servers:** Collected data is often stored on servers located outside of the United States, increasing the risk of unauthorized access 【1】.
  - **Embedded Malware:** There is a risk of these applications containing malware designed to exploit vulnerabilities, gain unauthorized access to devices, and steal sensitive data 【1】.
  
  **Technical Details:**
  While the article doesn't delve into highly specific technical exploits, it points to the **potential for embedded malware** within these applications. This malware can be used to **exploit device vulnerabilities** and facilitate **unauthorized data access and theft** 【1】. The core technical risk lies in the combination of extensive data collection capabilities and the potential for foreign government access due to the app's country of origin 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware that the risks highlighted are not exclusive to foreign-developed apps and that **good cyber hygiene is paramount** 【1】. Key recommendations for users include:
  - **Disabling unnecessary data sharing** within app settings 【1】.
  - **Downloading applications only from official app stores** to minimize the risk of malicious software 【1】.
  - **Regularly updating software and passwords** to protect against known vulnerabilities 【1】.
  - **Reading and understanding the terms of service** before granting permissions 【1】.
  
  In cases of data compromise or suspicious activity, users are advised to **file a complaint with the Internet Crime Complaint Center (IC3)** at www.ic3.gov, providing comprehensive details about the app, device, permissions granted, and any losses incurred 【1】.
• NCSC warns of messaging app targeting - National Cyber Security Centre (NCSC) 🔍 Show Kagi Synopsis
  The National Cyber Security Centre (NCSC), in collaboration with international partners, has issued a warning regarding targeted attacks on popular messaging applications such as **WhatsApp, Messenger, and Signal** 【1】.
  
  **What Happened:**
  These attacks are being carried out by **Russia-based actors** 【1】. The primary goal appears to be compromising user accounts and potentially gaining access to sensitive information.
  
  **Who is Affected:**
  The attacks primarily target **high-risk individuals**. This includes **government officials** and individuals who possess or have access to **sensitive information**, often due to their professional roles or public standing 【1】.
  
  **Security Implications:**
  The security implications are significant, as attackers may attempt to:
  - Trick users into divulging **login or recovery codes** 【1】.
  - **Add unauthorized devices** to user accounts 【1】.
  - **Join group chats covertly** 【1】.
  - **Impersonate contacts** to deceive other users 【1】.
  - Use **phishing links or QR codes** to compromise accounts 【1】.
  
  **Technical Details:**
  While the article doesn't delve into deep technical specifics, it highlights methods such as social engineering to obtain verification codes and the exploitation of messaging app features like group chats and device linking 【1】.
  
  **What Defenders Should Know:**
  Defenders, particularly those in high-risk categories, should be aware of these threats and take the following precautions:
  - **Avoid sharing sensitive information** on messaging apps 【1】.
  - Utilize **corporate services for work-related communications** 【1】.
  - **Never share verification codes** with anyone 【1】.
  - Enable **two-step verification and passkeys** whenever possible 【1】.
  - Regularly **review linked devices** and group chat memberships 【1】.
  - Be vigilant against **impersonation attempts** 【1】.
  - Consider using **disappearing messages** on personal accounts for added privacy 【1】.
  The NCSC also provides specific guidance for high-risk individuals and advice on secure communications and device security 【1】.
• FBI declares suspected Chinese hack of US surveillance system a ‘major cyber incident - **Politico** is a subsidiary of **Axel Springer SE** . Axel Springer SE is a German publisher that acquired Politico in 2021 . 🔍 Show Kagi Synopsis
  The **FBI** has identified a suspected **Chinese cyber intrusion** into a sensitive agency surveillance system as a **"major cyber incident."** This designation highlights the significant risks to U.S. national security and marks a considerable counterintelligence achievement for China 【1】.
  
  **What Happened:**
  Hackers gained unauthorized access to an FBI surveillance system. The breach is believed to have originated through the exploitation of a commercial Internet Service Provider's vendor infrastructure, suggesting advanced and sophisticated attack methods 【1】.
  
  **Who is Affected:**
  The affected system contained **"law enforcement sensitive information"** and **"personally identifiable information pertaining to subjects of FBI investigations."** This includes data obtained through legal processes such as pen register and trap and trace surveillance 【1】.
  
  **Security Implications:**
  This incident is considered a **major counterintelligence success for China** and poses **significant risks to U.S. national security** 【1】. It underscores the ongoing and escalating threat posed by advanced cyber adversaries 【1】.
  
  **Technical Details:**
  The article mentions that the hackers leveraged a **commercial Internet Service Provider's vendor infrastructure** to gain access. This indicates a sophisticated approach to bypassing traditional security measures 【1】.
  
  **What Defenders Should Know:**
  The incident serves as a critical reminder for defenders that **unpatched vulnerabilities and architectural weaknesses** remain prime targets for exploitation by sophisticated adversaries like China 【1】.
• CERT-UA Reports Drop in Cyber Incidents but Warns of Advanced Social Engineering and Standardised Hacker Toolkits in H2 2025 - Державна служба спеціального зв'язку та захисту інформації України 🔍 Show Kagi Synopsis
  The provided article from the State Service of Special Communication and Information Protection of Ukraine (SSSCIP) discusses cybersecurity trends observed in the second half of 2025. However, the content of the article is inaccessible due to a JavaScript error, preventing a detailed precis.
  
  Therefore, I cannot provide information on:
  
  * **What happened:** The specific cyber incidents or trends reported.
  * **Who is affected:** The individuals, organizations, or sectors targeted.
  * **Security implications:** The broader impact of these cybersecurity events.
  * **Technical details:** Specific methods, tools, or vulnerabilities exploited.
  * **What defenders should know:** Recommended actions or strategies for cybersecurity professionals.
• Using RF Power Levels to Defeat MAC Address Randomization Enabling Passive Device Tracking - SpiderLabs (LevelBlue), authored by Tom Neaves 🔍 Show Kagi Synopsis
  A cybersecurity researcher has demonstrated a method to **passively track wireless devices** by exploiting **RF power levels**, specifically the Received Signal Strength Indicator (RSSI), to overcome MAC address randomization defenses 【1】. This technique allows for the correlation of a device's signal strength over time with its changing MAC addresses, effectively enabling tracking even when the device's identifier is randomized 【1】.
  
  **Who is Affected:**
  This research impacts devices utilizing **802.11 Wireless, Bluetooth, and Bluetooth Low Energy (BLE)** 【1】. The proof of concept focused on BLE, but the underlying scientific principles apply to all these technologies 【1】.
  
  **Security Implications:**
  The primary security implication is a **significant privacy risk** 【1】. MAC address randomization was introduced to prevent devices from being tracked via their static, hardcoded MAC addresses 【1】. This new method bypasses that privacy measure by using RF power levels as a constant identifier. This could allow for the tracking of individuals and their devices without their knowledge or consent.
  
  **Technical Details:**
  The core of the technique relies on the **Received Signal Strength Indicator (RSSI)**, which measures the power of a received wireless signal 【1】. RSSI is a negative value measured in dBm, where values closer to 0 indicate a stronger signal 【1】. While MAC addresses are randomized and change at intervals (typically 15-40 minutes for 802.11 and recommended every 15 minutes for BLE) 【1】, the signal strength of a device typically degrades or improves gradually as it moves away from or closer to a receiver 【1】.
  
  The researcher's theory posits that when a device's MAC address suddenly disappears from the airwaves without a gradual signal degradation, and a new MAC address appears very close in time with a similar RSSI, it indicates a MAC address cycle for the same device 【1】. By correlating these events and the associated signal strengths, a device can be tracked across its MAC address randomization cycles 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware that **MAC address randomization is not a foolproof privacy solution** against sophisticated tracking methods 【1】. The use of RF power levels (RSSI) as a correlating factor presents a new attack vector. While devices don't typically disappear or appear instantly, and their signal strength changes gradually, attackers can exploit the moments of MAC address cycling to link a new, randomized MAC address to a previous one based on consistent signal strength 【1】. This highlights the need for more robust privacy-enhancing technologies and awareness of passive tracking techniques.
• InfraGuard: InfraGuard is a Command & Control Redirection Proxy and Manager which protects your Red Team Infrastructure against threat attribution - Whispergate 🔍 Show Kagi Synopsis
  InfraGuard is a cybersecurity tool designed to act as a **red team infrastructure tracker and C2 redirector**. It sits between the internet and a Command and Control (C2) teamserver, validating incoming requests against a C2 profile and blocking those that do not conform. This effectively redirects scanners, bots, and blue team probes to a decoy site while allowing legitimate beacon traffic to reach the teamserver 【1】.
  
  **What Happened:**
  The article describes the functionality and architecture of InfraGuard, a tool that enhances red team infrastructure security by filtering and redirecting network traffic. It acts as a sophisticated proxy that validates requests against defined C2 profiles 【1】.
  
  **Who is Affected:**
  - **Red Teams:** InfraGuard is designed for red team operators to protect their C2 infrastructure from detection and disruption.
  - **Blue Teams/Defenders:** Defenders and security researchers probing adversary infrastructure may be redirected to decoy sites or blocked by InfraGuard's filtering mechanisms 【1】.
  - **Automated Scanners and Bots:** These are actively identified and redirected, preventing them from gathering intelligence on the C2 infrastructure 【1】.
  
  **Security Implications:**
  - **Enhanced Evasion:** InfraGuard significantly improves the ability of red teams to evade detection by filtering out non-legitimate traffic and masking their true C2 servers.
  - **Decoy Operations:** It facilitates the use of decoy sites to waste the time and resources of attackers or defenders attempting to probe the infrastructure.
  - **Infrastructure Hardening:** By enforcing C2 profile validation, it helps prevent misconfigurations or accidental exposure of sensitive C2 server details.
  - **Intelligence Gathering Prevention:** It hinders automated scanning and reconnaissance efforts by security vendors and threat intelligence platforms 【1】.
  
  **Technical Details:**
  InfraGuard boasts a comprehensive feature set, including:
  - **Multi-domain proxying:** Supports multiple domains with independent configurations 【1】.
  - **C2 Profile Validation:** Parses and enforces profiles from Cobalt Strike, Mythic, Brute Ratel C4, Sliver, and Havoc 【1】.
  - **Multi-protocol Listeners:** Supports HTTP/HTTPS, DNS, MQTT, and WebSocket 【1】.
  - **Scoring-based Filter Pipeline:** Employs seven filters (IP, bot, header, DNS, geo, profile, replay) that contribute to a score to determine blocking or allowing requests 【1】.
  - **Anti-bot/Anti-crawling:** Detects over 40 known scanner/bot User-Agent patterns and header anomalies 【1】.
  - **IP Intelligence:** Includes built-in CIDR blocklists for security vendor ranges, GeoIP filtering, and reverse DNS matching 【1】.
  - **Threat Intel Feeds:** Automatically updates blocklists from public sources like abuse.ch and Spamhaus DROP 【1】.
  - **Content Delivery Routes:** Can serve payloads and decoys from PwnDrop, local filesystem, or HTTP backends, with conditional delivery options 【1】.
  - **Drop Actions:** Supports redirection, TCP reset, proxying to a decoy site, or tarpitting 【1】.
  - **User Interfaces:** Offers a real-time web dashboard, a multi-instance Command Post dashboard, and a text-based TUI 【1】.
  - **SIEM and Webhook Integration:** Provides plugins for Elasticsearch, Wazuh, Syslog, Discord, and Slack 【1】.
  - **Deployment:** Supports Docker deployment with options for Let's Encrypt, GeoIP databases, and PwnDrop integration 【1】.
  
  **What Defenders Should Know:**
  Defenders encountering infrastructure protected by InfraGuard should be aware that:
  - **Sophisticated Evasion:** Standard scanning techniques may be ineffective as InfraGuard filters out non-compliant traffic 【1】.
  - **Decoy Sites:** Traffic may be redirected to decoy sites, which can be used to waste an analyst's time or provide misleading information 【1】.
  - **C2 Profile Awareness:** Understanding the specific C2 frameworks supported by InfraGuard (Cobalt Strike, Mythic, etc.) can help in crafting more effective detection rules 【1】.
  - **Multi-protocol Traffic:** The tool supports multiple protocols beyond HTTP/S, requiring broader network monitoring capabilities 【1】.
  - **Dynamic Blocking:** InfraGuard can dynamically block IPs, making persistent access challenging 【1】.
• ghostsurf: From NTLM Relay to Browser Session Hijacking - SpecterOps 🔍 Show Kagi Synopsis
  The cybersecurity article details the discovery and development of **`ghostsurf`**, a tool designed to overcome limitations in existing NTLM relaying techniques for browser-based attacks.
  
  **What Happened:**
  The author, Allen DeMoura, encountered issues when trying to use `ntlmrelayx`'s SOCKS proxy feature to browse web applications that relied on NTLM authentication. Standard tools like `ntlmrelayx` are designed for command-line tools that make sequential requests on a single connection. Browsers, however, make multiple parallel connections, which caused corrupted responses and authentication prompts when routed through `ntlmrelayx`. This was particularly problematic when targeting applications like CyberArk Privileged Access Manager, where successful browsing as a relayed user could grant access to sensitive secrets. DeMoura developed `ghostsurf` to address these HTTP-specific handling issues, enabling seamless browser sessions through relayed NTLM authentication.
  
  **Who is Affected:**
  * **Attackers/Red Teams:** Individuals performing penetration tests or adversary simulations who need to leverage NTLM relay attacks against web applications.
  * **Organizations with NTLM-authenticated Web Applications:** This includes enterprise password managers (like CyberArk, Passwordstate, Delinea Secret Server, etc.), SCCM/MECM, and other internal IIS-hosted applications that use Windows Authentication.
  * **Users of `ntlmrelayx`:** Those who previously found `ntlmrelayx`'s SOCKS proxy ineffective for browser-based attacks.
  
  **Security Implications:**
  * **Enhanced Session Hijacking:** `ghostsurf` significantly improves the ability of attackers to hijack user sessions by enabling full browser interaction with NTLM-authenticated web applications.
  * **Access to Sensitive Data:** Successful exploitation allows attackers to access credentials and secrets stored in password managers or other sensitive data within these web applications.
  * **Deeper Network Pivoting:** Gaining access to these applications can provide a foothold for further lateral movement and compromise within an organization's network.
  * **Circumvention of Defenses:** The tool bypasses limitations that previously hindered NTLM relay attacks against web interfaces, making it harder for traditional security measures to detect or prevent.
  
  **Technical Details:**
  * **`ntlmrelayx` Limitations:** The original tool struggles with HTTP due to its stateful nature and the browser's use of multiple parallel connections. `ntlmrelayx`'s single-socket approach and `inUse` flag lead to request collisions and data corruption. It also presents a confusing basic authentication prompt for session selection, requiring specific formatting (`domain/user` with a forward slash).
  * **`ghostsurf` Solution:**
  * **Request Serialization:** `ghostsurf` uses a mutex-style thread lock to serialize browser requests, ensuring they are processed sequentially on the single relayed socket without corruption.
  * **Transparent Authentication:** For single relayed sessions, `ghostsurf` automatically selects the session, eliminating the need for manual basic authentication prompts. For multiple sessions, it presents an HTML selection page.
  * **Header Preservation:** It preserves essential browser headers (User-Agent, cookies) that target applications might rely on for state management.
  * **Kernel-Mode Authentication Workaround:** For IIS targets using kernel-mode authentication (default since IIS 7), `ghostsurf` employs a "probe-first" strategy. It anonymously probes resources before sending authenticated requests through the relay socket. If a resource requires authentication, it uses the relay; if not, it serves the anonymous response directly, preventing the authentication context from being reset and causing a 401 challenge. This is enabled with the `-k` flag.
  * **Caveats:** `ghostsurf` does not support WebSocket connections, meaning real-time features in modern web apps may not function. Performance can be impacted by the target application's complexity and request size.
  
  **What Defenders Should Know:**
  * **Kernel-Mode Authentication:** Be aware that IIS defaults to kernel-mode authentication, which can reset authentication contexts when anonymous resources are accessed. The `-k` flag in `ghostsurf` specifically targets this behavior.
  * **NTLM Relay Vulnerabilities:** Organizations should minimize reliance on NTLM authentication for web applications, especially for sensitive systems like password managers.
  * **Monitoring and Detection:** Monitor for unusual traffic patterns related to NTLM authentication, especially from unexpected sources or targeting web applications. Look for signs of session hijacking or unauthorized access attempts.
  * **Mitigation Strategies:** Implement stronger authentication mechanisms, consider multi-factor authentication (MFA) for web applications, and ensure that systems are configured to avoid unnecessary NTLM exposure. Regularly audit IIS configurations for authentication settings.
  * **`ghostsurf` Usage:** Defenders should understand that tools like `ghostsurf` can enable sophisticated browser-based attacks against NTLM-authenticated applications, making it crucial to secure these applications and the authentication methods they use 【1】.
• Yurei Double Extortion Ransomware: Operator Toolkit and Analysis - Team Cymru 🔍 Show Kagi Synopsis
  The **Yurei double extortion ransomware campaign** involves the use of a toolkit that includes various legitimate and malicious tools for network enumeration, credential theft, and ransomware deployment.
  
  **What Happened:**
  The Yurei campaign utilizes a toolkit that appears to be made available to users of RMM (Remote Monitoring and Management) tools like Scout and Recon. This toolkit contains a collection of scripts and executables designed to facilitate various stages of a cyberattack, from initial discovery to ransomware execution.
  
  **Who is Affected:**
  The article does not specify particular industries or organizations that have been affected. However, the nature of ransomware campaigns suggests that **any organization with a network presence could be a potential target**. The use of RMM tools implies that the attackers may be targeting managed service providers or organizations that utilize such services.
  
  **Security Implications:**
  The primary security implication is the **ease with which attackers can deploy sophisticated ransomware attacks**. The toolkit's inclusion of legitimate tools like AnyDesk, PsExec, and winPEAS, alongside custom scripts, allows for stealthy reconnaissance and lateral movement within a compromised network. The ability to disable security software further exacerbates the risk. The double extortion tactic means that even if the ransomware is neutralized, stolen data can still be leaked or sold.
  
  **Technical Details:**
  The Yurei operator toolkit includes:
  * **Discovery and Enumeration Tools:** Scripts like `Host_Discovery.ps1` are used for internal network enumeration. Tools such as `Everything.exe`, `NetScan`, and `NetExec` are also part of the arsenal.
  * **Credential Theft:** Tools like `Rubeus` and `Invoke-TheHash` are employed for credential harvesting.
  * **Remote Execution:** `PsExec` is used for remote command execution.
  * **Ransomware Binary:** The Yurei ransomware itself is executed via `StrangerThings.exe`.
  * **Security Software Disruption:** A script named `FixingIssues2.ps1` is designed to disable Windows security software like Defender and backup tools.
  * **Command and Control (C2) Infrastructure:** Indicators of compromise include IP addresses such as `44.210.101.86` and `44.223.40.182`, associated with Amazon, which have been observed hosting Yurei open directories 【1】.
  * **Notable File Hashes:**
  * `Host_Discovery.ps1`: `1facf7cdd94eed0a8a11b30f4237699385b20578339c68df01e542d772ccbce5` 【1】
  * `FixingIssues2.ps1`: `ebfe75ab3223b036a4b886d497f2b172425b3e63890d485c99353773d4c436ea` 【1】
  * `StrangerThings.exe` (Yurei Ransomware): `4f88d3977a24fb160fc3ba69821287a197ae9b04493d705dc2fe939442ba6461` 【1】
  * **Full List of Open Directory Files:** Includes executables like `AnyDesk.exe`, `Everything-1.4.1.1024.x64-Setup.exe`, `PsExec.exe`, `Rubeus.exe`, `winPEASx64.exe`, and various PowerShell scripts 【1】.
  
  **What Defenders Should Know:**
  Defenders should be aware of the **Yurei toolkit's capabilities and the tactics, techniques, and procedures (TTPs)** employed by the attackers. Key points for defenders include:
  * **Monitoring for Suspicious Script Execution:** Pay close attention to the execution of PowerShell scripts, especially those involved in network enumeration, credential dumping, and disabling security controls.
  * **RMM Tool Security:** If RMM tools are in use, ensure they are securely configured and monitored for unauthorized activity.
  * **Endpoint Detection and Response (EDR):** Implement robust EDR solutions capable of detecting and blocking known malicious binaries and scripts, as well as identifying anomalous behavior.
  * **Network Segmentation:** Proper network segmentation can limit the lateral movement of ransomware.
  * **Indicator of Compromise (IOC) Monitoring:** Track the provided IP addresses and file hashes to detect and block malicious activity.
  * **Understanding the Toolchain:** Familiarity with the specific tools used in the Yurei toolkit (e.g., Rubeus, PsExec, winPEAS) can aid in threat hunting and incident response.
• Breaking Down the Axios Supply Chain Attack: Dropper, Cross-Platform RATs, and BlueNoroff/TA444 - Hunt.io 🔍 Show Kagi Synopsis
  The **Axios supply chain attack** involved the compromise of a primary maintainer's npm account, which was then used to publish malicious versions of the Axios JavaScript library 【1】. This allowed attackers to deploy a sophisticated, multi-stage operation that could lead to a live Remote Access Trojan (RAT) on a victim's system in under two seconds 【1】.
  
  **What Happened:**
  The attack followed a five-stage process:
  - **Account Takeover:** The attacker gained control of a legitimate npm account 【1】.
  - **Dependency Staging:** Malicious code was injected into the Axios library 【1】.
  - **Payload Injection:** A dropper script (`setup.js`) was executed upon installation of the compromised library 【1】.
  - **RAT Deployment:** The dropper downloaded and executed platform-specific RATs for macOS, Windows, and Linux 【1】.
  - **Evidence Cleanup:** The dropper attempted to self-destruct by deleting itself and related malicious files 【1】.
  
  **Who is Affected:**
  The attack affected users who installed the compromised versions of the **Axios library** through npm 【1】. The specific targets were likely those who integrated this library into their projects, potentially leading to widespread compromise across various systems and organizations.
  
  **Security Implications:**
  This attack highlights the significant risks associated with **supply chain attacks**, where the compromise of a trusted software component can lead to the widespread distribution of malware 【1】. The rapid execution and sophisticated obfuscation techniques used by the attackers demonstrate a high level of technical capability, posing a serious threat to software integrity and user security 【1】. The deployment of multi-platform RATs allows for broad control over infected systems 【1】.
  
  **Technical Details:**
  - The dropper script, `setup.js`, used **XOR and reversed Base64 obfuscation** to conceal critical strings like Command and Control (C2) URLs and payload scripts 【1】.
  - It was designed to detect the victim's operating system and download the appropriate RAT:
  - **macOS:** A compiled Mach-O binary 【1】.
  - **Windows:** A fileless PowerShell implant 【1】.
  - **Linux:** A Python script 【1】.
  - The dropper attempted to erase its tracks by deleting itself and the malicious `package.json` file, replacing it with a clean stub 【1】.
  - The C2 infrastructure was attributed to **TA444/BlueNoroff (DPRK)** based on shared ETag, subnet, and malware classification 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of:
  - The **speed of execution**, with the attack chain completing in under two seconds 【1】.
  - The use of **sophisticated obfuscation techniques** to hide malicious activity 【1】.
  - The deployment of **multi-platform RATs**, indicating a broad attack capability 【1】.
  - The attribution to a **known state-sponsored threat actor (TA444/BlueNoroff)**, suggesting a well-resourced and persistent adversary 【1】.
  Mitigation strategies should focus on **detection, immediate response, and prevention measures** to counter such supply chain threats 【1】.