InfoSec Briefing - April 08, 2026

🎧 Audio Briefing

Playback Speed:

Good morning. This is your security briefing for Wednesday, April 08, 2026, covering 6 articles analyzed from yesterday's developments. All attribution is by the article authors. All article analysis is automated.

Black Lotus Labs, in collaboration with Microsoft, the FBI, and DOJ, has disrupted the FrostArmada campaign orchestrated by the Forest Blizzard threat actor group. The operation used DNS hijacking techniques, compromising MikroTik and TP-Link routers to redirect authentication traffic through attacker-controlled infrastructure, stealing credentials and OAuth tokens primarily from government agencies and IT providers globally.

The UK National Cyber Security Centre reports that Russian APT28 is exploiting known vulnerabilities in small office and home office routers, particularly TP-Link models, to perform DNS hijacking operations. The threat actors redirect traffic through malicious DNS servers to conduct adversary-in-the-middle attacks, primarily stealing credentials including passwords and OAuth tokens.

A joint advisory from the FBI, CISA, NSA, EPA, DOE, and U.S. Cyber Command reports that Iranian-affiliated cyber actors are actively exploiting internet-facing programmable logic controllers across U.S. critical infrastructure sectors including government, water and wastewater, and energy. The actors gain access via configuration software like Rockwell Automation's Studio 5000 Logix Designer, manipulating project files and data with potential for widespread operational and financial damage.

Security researcher Fabian Bader discovered a technique to bypass Microsoft Entra ID Conditional Access policies by exploiting the Defender portal's token broker functionality. Attackers can extract the 'sccauth' cookie from a compromised endpoint and use it to request access tokens for various Microsoft services without re-authentication or Conditional Access policy evaluation for approximately 8 hours.

Cognition has released BlueHammer, a proof-of-concept exploit demonstrating privilege escalation to SYSTEM level against Windows Defender. The attack chain simulates a Defender signature update, uses the Cloud Files API to freeze the Defender service, employs symbolic link redirection to leak the SAM hive containing password hashes, and extracts credentials for privilege escalation.

A security researcher has developed DeepZero, an automated pipeline using LangChain DeepAgents to discover zero-day vulnerabilities in Windows kernel drivers. The system successfully identified a previously unknown vulnerability in an ASUS signed driver after analyzing approximately twelve thousand driver files and identifying over seven thousand unique candidates with reachable IOCTL surfaces.

That concludes today's briefing.

📰 Articles Covered

Frostarmada forest blizzard dns hijacking - Black Lotus Labs

A cybersecurity campaign named "**FrostArmada**," orchestrated by the threat actor group "**Forest Blizzard**," has been identified, employing advanced **DNS hijacking techniques** to steal user credentials and tokens 【1】.

**What Happened:**
The FrostArmada campaign involved compromising edge devices, specifically MikroTik and TP-Link routers, by exploiting vulnerabilities in their web interfaces. Once compromised, the attackers altered the routers' DNS settings. This redirection directed traffic from legitimate authentication domains to attacker-controlled infrastructure, enabling them to intercept and steal sensitive information, including OAuth tokens, with minimal user intervention 【1】.

**Who is Affected:**
The campaign has impacted thousands of victims globally. **Primary targets include government agencies**, such as ministries of foreign affairs and law enforcement bodies, as well as **third-party IT and hosting providers** across various countries 【1】.

**Security Implications:**
The security implications of successful FrostArmada attacks are significant. They can lead to **account takeovers**, the **theft of sensitive credentials**, and potentially the **compromise of critical organizational data** 【1】.

**Technical Details:**
Attackers exploited common web interface vulnerabilities in edge devices like MikroTik and TP-Link routers. They then manipulated the DNS settings on these devices to redirect traffic from targeted authentication domains to **Attacker-in-the-Middle (AitM) infrastructure**. This allowed for the exfiltration of data, including OAuth tokens 【1】. The campaign showed an increase in activity after similar tactics were publicly disclosed, indicating the threat actor's adaptability 【1】.

**What Defenders Should Know:**
Defenders are advised to:
- Implement **certificate pinning** 【1】.
- Enforce **strong password policies** 【1】.
- Monitor for **suspicious virtual private server (VPS) activity** 【1】.
- **Promptly patch all systems** and remove end-of-life equipment 【1】.
Organizations in critical sectors should prioritize hardening procedures and review their incident response plans 【1】. Lumen Technologies, in collaboration with Microsoft, the FBI, and the DOJ, has taken action to disrupt the infrastructure associated with this campaign 【1】.
APT28 exploit routers to enable DNS hijacking operations - UK National Cyber Security Centre (NCSC)

A Russian cyber actor known as **APT28** has been exploiting vulnerable routers to perform **DNS hijacking operations** 【1】. This allows them to redirect internet traffic through their own DNS servers, enabling **adversary-in-the-middle (AitM) attacks** 【1】.

**Who is affected:**
The operations are **opportunistic**, targeting a broad range of victims. The primary focus has been on **Small Office/Home Office (SOHO) routers**, with a particular emphasis on various **TP-Link models** 【1】.

**Security implications:**
The main security implication is the **theft of credentials**, including passwords and OAuth tokens, for web and email services 【1】. This can lead to broader system compromise and data manipulation 【1】.

**Technical details:**
APT28 exploits **publicly known vulnerabilities** in routers to change their DHCP DNS settings 【1】. For example, **CVE-2023-50224** has been used to target TP-Link WR841N routers 【1】. The attackers use **Virtual Private Servers (VPSs)** configured as malicious DNS servers and employ specific banner patterns and IP addresses to manage their infrastructure 【1】. The MITRE ATT&CK techniques observed include **Exploit Public-Facing Application**, **Adversary-in-the-Middle**, and various **Resource Development** tactics 【1】.

**What defenders should know:**
Defenders are advised to:
- **Protect router management interfaces** 【1】.
- **Keep router devices and software updated** 【1】.
- **Utilize modern systems** 【1】.
- **Implement security monitoring** 【1】.
- **Employ allowlisting** 【1】.
- **Deploy host-based intrusion detection systems** 【1】.
- **Use multi-factor authentication (MFA)** 【1】.
- **Train users** to identify and report suspicious activity 【1】.
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure - Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Environmental Protection Agency (EPA), Department of Energy (DOE), and United States Cyber Command – Cyber National Mission Force (CNMF)

Iranian-affiliated cyber actors are exploiting internet-facing operational technology (OT) devices, specifically **programmable logic controllers (PLCs)**, across multiple U.S. critical infrastructure sectors. This advisory details an ongoing campaign by these actors to disrupt operations through malicious manipulation of project files and data displayed on human machine interface (HMI) and supervisory control and data acquisition (SCADA) systems 【1】.

**Who is Affected:**
The affected sectors include:
- **Government Services and Facilities**
- **Water and Wastewater Systems (WWS)**
- **Energy** 【1】

**Security Implications:**
The security implications are significant, with the potential for **widespread operational disruption and substantial financial damage** to critical infrastructure 【1】.

**Technical Details:**
- **Initial Access:** Actors gain access by using overseas IP addresses to connect to internet-facing PLCs via configuration software, such as Rockwell Automation's Studio 5000 Logix Designer 【1】.
- **Targeted Devices:** While PLCs from Rockwell Automation/Allen-Bradley are specifically mentioned, other OT devices may also be targeted 【1】.
- **Command and Control:** Common OT ports (44818, 2222, 102, 22, 502) are used for command and control. The actors deploy Dropbear SSH software to establish remote access 【1】.
- **Impact:** The malicious activities involve extracting project files and manipulating data presented on HMI/SCADA displays, leading to operational disruptions 【1】.

**What Defenders Should Know:**
Network defenders are urged to take the following actions:
- **Isolate PLCs:** Immediately disconnect PLCs from direct internet exposure 【1】.
- **Secure Access:** Utilize secure gateways and place physical mode switches in the "run" position 【1】.
- **Backups:** Create and rigorously test strong PLC backups 【1】.
- **Authentication:** Implement multi-factor authentication (MFA) for OT network access and use network proxies, gateways, or VPNs for remote access 【1】.
- **Patching and Configuration:** Keep PLC devices patched, configure firewalls to block unnecessary ports, and disable unused authentication methods 【1】.
- **Monitoring:** Monitor for device configuration changes and unusual network traffic 【1】.

Device manufacturers are also encouraged to prioritize secure-by-design principles, including changing default settings, supporting MFA, and not charging extra for basic security features 【1】.
Avoid Entra Conditional Access using alternative token broker - Fabian Bader

A security vulnerability has been discovered that allows attackers to bypass **Entra ID Conditional Access** policies by exploiting the **Defender portal's token broker functionality** 【1】. This bypass is achieved by obtaining a specific cookie, `sccauth`, from a compromised endpoint, which then enables the attacker to request access tokens for various Microsoft services without re-authentication or re-evaluation of Conditional Access policies 【1】.

**What Happened:**
The vulnerability lies in how the Microsoft Defender portal handles authentication. It acts as an "On-Behalf-Of" token broker, meaning it can request access tokens for other services (like Microsoft Graph or Azure Resource Manager) on behalf of the user. Crucially, the Defender portal relays these tokens directly to the user, rather than storing them securely on a middle tier. An attacker who gains access to a user's endpoint can extract the `sccauth` cookie from the browser. This cookie allows the attacker to then request fresh access tokens for a range of services for the duration of the cookie's validity (approximately 8 hours), bypassing Conditional Access checks that would normally occur during a new sign-in 【1】.

**Who is Affected:**
Any organization using **Microsoft Entra ID** and **Microsoft Defender for Endpoint** is potentially affected. Specifically, users whose endpoints are compromised by info-stealer malware or other means that allow for the extraction of browser cookies are at risk 【1】.

**Security Implications:**
The primary security implication is the **bypass of Entra ID Conditional Access policies**. This means that even if policies are in place to enforce device compliance, network location, or user risk, an attacker with the `sccauth` cookie can obtain access tokens as if they were a legitimate user meeting those conditions. This can lead to unauthorized access to sensitive data and resources across various Microsoft services, including:
* Microsoft Graph
* Azure AD Graph
* Azure Resource Manager
* Microsoft Security Center API
* Microsoft Defender for Cloud Apps
* Microsoft Office
* Log Analytics
* Purview
* Threat Intelligence Portal
* SharePoint
* CommerceAPIAT
* BusinessStoreAT 【1】.

Furthermore, the article notes that even if a user has a short Conditional Access session lifetime configured, the `sccauth` cookie can still be used to request tokens for approximately 8 hours, and session revocation in Entra ID is necessary to fully block access 【1】.

**Technical Details:**
The exploit involves the `sccauth` cookie, which is used by the Defender portal to maintain user authentication. Attackers can extract this cookie from a compromised endpoint's browser. Using this cookie, they can interact with a specific API endpoint, `/api/Auth/getToken`, within the Defender portal (and similar endpoints in other portals like Purview and Microsoft 365 admin center) to request access tokens. This process leverages the OAuth 2.0 On-Behalf-Of flow, where the Defender portal acts as the token broker. The non-interactive sign-in logs will record these requests, but they will not reflect the actual (potentially malicious) IP address or device state of the attacker, making detection difficult 【1】. A proof-of-concept script demonstrates how to extract the `sccauth` cookie using a headless browser and PowerShell 【1】.

**What Defenders Should Know:**
Defenders need to be aware of this attack vector, especially as attackers shift focus to endpoint compromises due to the increasing adoption of phishing-resistant authentication methods 【1】. Key points for defenders include:
* **Endpoint Security:** Robust endpoint detection and response (EDR) tools like Defender for Endpoint are crucial for detecting and preventing info-stealer malware that could exfiltrate cookies 【1】.
* **Behavioral Detection:** Monitoring for unusual user behavior, such as regular users accessing the security portal for the first time or accessing it outside of normal patterns, can be an indicator 【1】.
* **Browser Debugging Port Usage:** Detecting the use of browser debugging ports (as demonstrated in the PoC) can help identify the initial retrieval of the cookie 【1】.
* **Service and Sign-in Log Analysis:** Correlating non-interactive sign-in logs from the security portal with actual service access logs (e.g., Microsoft Graph API audit logs) can help identify discrepancies in IP addresses, indicating potential abuse 【1】.
* **Session Revocation:** Regularly revoking user sessions in Entra ID is essential for incident response, as it invalidates stolen tokens and forces re-authentication 【1】.
* **Known Good IP Ranges:** Defenders can create detection rules that exclude known good IP address ranges associated with Microsoft cloud services to reduce false positives 【1】.

Microsoft has assessed this vulnerability as "moderate" severity, stating that it requires execution on the victim's machine, thus limiting its immediate servicing bar, but has shared the report with relevant teams for action 【1】.
BlueHammer - @cognition

The **BlueHammer** project is a vulnerability research project and Proof-of-Concept (PoC) exploit that targets **Windows Defender** 【1】. It demonstrates a complex attack chain to achieve privilege escalation to the `SYSTEM` level 【1】.

**What Happened:**
The exploit simulates a Windows Defender signature update to create a window of vulnerability. During this window, it uses the Cloud Files API to "freeze" the Defender service. Subsequently, it employs Object Manager symbolic link redirection to trick the system into writing sensitive files, such as the SAM hive (which contains password hashes), to a location controlled by the attacker. Finally, it uses an offline registry library to extract and decrypt credentials from the leaked SAM hive, enabling privilege escalation 【1】.

**Who is Affected:**
The exploit targets **Windows Defender**, a built-in antivirus solution on Windows operating systems. Therefore, any system running Windows Defender is potentially affected 【1】.

**Security Implications:**
The primary security implication is **privilege escalation to `SYSTEM`**, allowing an attacker to gain complete control over the affected machine 【1】. This could lead to:
- **Data Theft:** Access to all system files, including sensitive user credentials and proprietary information 【1】.
- **System Compromise:** The ability to install malware, disable security measures, or disrupt system operations 【1】.
- **Lateral Movement:** Using the compromised system as a pivot point to attack other systems within the network 【1】.

**Technical Details:**
The exploit leverages several advanced techniques:
- **Windows Update Simulation:** Uses COM interfaces to trigger a Defender signature update 【1】.
- **Race Condition:** Exploits a race condition during the update process by "freezing" the Defender service using the Cloud Files API (`cfapi.h`) 【1】.
- **Object Manager Symbolic Link Redirection:** Uses `NtCreateSymbolicLinkObject` to redirect file operations, specifically targeting sensitive system files like the SAM hive 【1】.
- **Volume Shadow Copy (VSS):** Accesses locked files by monitoring `HarddiskVolumeShadowCopy` entries 【1】.
- **Offline Registry Manipulation:** Employs the `offreg` library to parse the SAM hive and extract credentials without mounting it to the live registry, thus avoiding detection 【1】.
- **RPC Interface:** Communicates with the `WinDefend` service via a reverse-engineered RPC interface, targeting `Proc42_ServerMpUpdateEngineSignature` 【1】.

The project is released under the **MIT License** and includes the source code for the exploit (`FunnyApp.cpp`), generated RPC stubs, and the `offreg` library 【1】.

**What Defenders Should Know:**
Defenders should be aware of the techniques used in BlueHammer to detect and mitigate similar attacks:
- **Monitor for suspicious RPC activity** targeting the Windows Defender service, particularly unusual calls to update functions 【1】.
- **Observe for race conditions** related to file operations during service updates or critical system processes 【1】.
- **Detect the creation of unusual symbolic links or reparse points**, especially those redirecting access to critical system files like the SAM hive 【1】.
- **Monitor for the use of Volume Shadow Copies** in conjunction with attempts to access locked system files 【1】.
- **Be vigilant about the use of offline registry manipulation tools** that bypass standard registry access controls 【1】.
- **Keep Windows Defender and the operating system updated** to patch any known vulnerabilities that could be exploited by such techniques 【1】.
Building an Automated Pipeline with LangChain DeepAgents to Find Zero-Days in Kernel Drivers. It Found One in ASUS. - The content on the page is controlled by Rehman.

The article details the creation and successful application of an **automated pipeline named DeepZero** designed to discover zero-day vulnerabilities in Windows kernel drivers.

**What Happened:**
The author developed an automated system that scans thousands of Windows kernel drivers for exploitable vulnerabilities, with a specific focus on signed drivers that can be loaded without requiring test-signing mode. During its initial run on a large set of drivers, the pipeline successfully identified a **zero-day vulnerability in an ASUS driver** 【1】.

**Who is Affected:**
The primary targets of this vulnerability discovery process are **users of Windows operating systems**, particularly those running versions that utilize the identified ASUS driver. The vulnerability could potentially be exploited by malicious actors to gain elevated privileges or execute arbitrary code on a compromised system 【1】.

**Security Implications:**
The discovery of a zero-day vulnerability in a signed kernel driver has significant security implications. Signed drivers are trusted by the operating system, meaning that an exploit within one can bypass security checks that would normally prevent unsigned or malicious code from running. This could lead to **complete system compromise, data theft, or the deployment of persistent malware** 【1】.

**Technical Details:**
The DeepZero pipeline automates several stages of vulnerability discovery:
* **Baseline Analysis:** It starts by analyzing the LOLDrivers database to identify common dangerous APIs (e.g., `MmMapIoSpace`, `IoAllocateMdl`) and patterns in vulnerable drivers, such as the creation of a device accessible from usermode 【1】.
* **Triage:** A large pack of `.sys` files (around 12,000) is processed. Each file is checked for kernel driver characteristics, device creation, and matching the identified LOLDrivers patterns. Duplicate drivers are removed using SHA256 hashing. Approximately 7,463 unique candidates with a reachable IOCTL surface were identified, with a prioritization for Windows 10/11 compatible drivers 【1】.
* **Ghidra Decompilation:** The candidate drivers are decompiled headlessly using Ghidra. A Jython script extracts the dispatch logic, identifies IOCTL handlers, and traces internal functions to generate C code for each IOCTL 【1】.
* **Semgrep Scanning:** Custom Semgrep rules scan the decompiled C code for patterns indicative of known vulnerabilities, such as improper handling of user-controlled arguments in dangerous functions or insecure IOCTL methods 【1】. Drivers with no hits are discarded to minimize costs.
* **LLM Analysis:** Surviving drivers are sent to Gemini 2.5 Pro on Vertex AI. The LLM analyzes the decompiled dispatch handler and Semgrep findings to trace data flow from user input buffers to dangerous sinks, determining exploitability. It generates a `[VULNERABLE]` or `[SAFE]` report with evidence 【1】.
* **Proof of Concept (PoC) Generation:** After manual verification of the LLM's reports, Claude 3.7 was used to generate the C code for a proof-of-concept exploit based on the vulnerability details 【1】.

The entire pipeline is built in Python, utilizing libraries like `pefile` for PE parsing, Ghidra for decompilation, and Semgrep for pattern matching. The author has open-sourced the `DeepZero` pipeline on GitHub 【1】.

**What Defenders Should Know:**
Defenders should be aware that sophisticated automated tools are being developed to find zero-day vulnerabilities in kernel drivers. The DeepZero pipeline demonstrates a cost-effective approach to scanning large driver sets, leveraging LLMs for analysis and PoC generation. Key takeaways for defenders include:
* **The importance of driver signing:** While signed drivers are generally trusted, vulnerabilities within them pose a severe risk.
* **The role of common dangerous APIs:** Monitoring for the misuse of APIs like `MmMapIoSpace` and `IoAllocateMdl` is crucial.
* **The effectiveness of LLMs in vulnerability research:** LLMs can significantly accelerate the process of analyzing code and identifying potential exploits.
* **The need for continuous monitoring and patching:** Organizations should have robust systems for detecting and patching vulnerabilities in drivers, especially those from hardware vendors like ASUS 【1】.
* **Responsible disclosure:** The author followed responsible disclosure practices by reporting the ASUS vulnerability to their PSIRT team before public disclosure 【1】.