🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• Analyzing the Silver Fox tax campaign and the new ABCDoor backdoor - AO Kaspersky Lab 🔍 Show Kagi Synopsis
  The **Silver Fox** threat group has been conducting a sophisticated phishing campaign, masquerading as official tax notifications, to deploy malware, including a new backdoor named **ABCDoor**.
  
  **What Happened:**
  The campaign began in December 2025 with malicious emails targeting Indian organizations, followed by a similar wave in January 2026 aimed at Russian entities 【1】. These emails were designed to appear as official notices regarding tax audits or to prompt recipients to download an archive containing a "list of tax violations" 【1】. The emails used download links within PDFs to bypass email security gateways 【1】. Inside the downloaded archive, victims found a modified Rust-based loader, RustSL, which is described as an antivirus bypass framework 【1】. This loader would then download and execute the **ValleyRAT** backdoor 【1】. In addition to ValleyRAT, the attackers also deployed a new ValleyRAT plugin that acted as a loader for the previously undocumented **ABCDoor** backdoor 【1】. Retrospective analysis indicates ABCDoor has been in use by Silver Fox since at least late 2024 【1】.
  
  **Who is Affected:**
  The campaign has impacted organizations across various sectors, including **industrial, consulting, retail, and transportation** 【1】. The phishing emails were specifically targeted at users in **India, Russia, Indonesia, South Africa, Cambodia, and Japan**, with the highest observed attack numbers in India, Russia, and Indonesia 【1】.
  
  **Security Implications:**
  The use of social engineering tactics, such as impersonating tax authorities, aims to exploit the perceived importance of such communications to trick victims into initiating the attack chain 【1】. The attackers leverage a modified RustSL loader with extensive customization options for antivirus bypass, memory allocation, and payload execution, making detection difficult 【1】. The deployment of both ValleyRAT and the new ABCDoor backdoor provides attackers with significant capabilities, including data collection, remote control, file system operations, and clipboard exfiltration 【1】. The ABCDoor backdoor's unique approach to remote manipulation, focusing on screen broadcasting and file execution rather than traditional remote shells, presents a novel threat 【1】. Furthermore, the use of the **Phantom Persistence** technique allows the malware to ensure its execution upon system startup, even after a reboot, by disguising itself as a system update 【1】. The attackers also attempt to mask their presence by mimicking legitimate services like Tailscale 【1】.
  
  **Technical Details:**
  - **Loader:** A modified version of the publicly available RustSL loader is used, featuring multiple payload encryption, memory allocation, sandbox detection, and execution methods 【1】. The loader itself was first observed in late December 2025 【1】.
  - **Payload Delivery:** Attackers initially downloaded payloads from remote hosts but later shifted to embedding them within the same archive as the loader, disguised with various file extensions (e.g., PNG, HTM, MD, LOG, XLSX) 【1】.
  - **Persistence:** A loader compiled on January 7, 2026, was observed using the **Phantom Persistence** technique, which involves intercepting system shutdown signals to trigger a reboot disguised as a malware update, ensuring the malware runs on OS startup 【1】. Another persistence method involves modifying the `UserInitMprLogonScript` registry key 【1】.
  - **ValleyRAT:** This well-known backdoor is downloaded and executed by the RustSL loader 【1】.
  - **ABCDoor Backdoor:** This is a previously undocumented Python-based backdoor.
  - It is built using the **asyncio** and **Socket.IO** Python libraries and communicates via **HTTPS** 【1】.
  - The core module, `appclient.core`, is a DLL file compiled with Cython 3.0.7 【1】.
  - It utilizes the `setproctitle` library, potentially indicating plans for non-Windows systems 【1】.
  - Key functionalities include:
  - **SystemInfoManager:** Collects system data and screenshots 【1】.
  - **RemoteControlManager:** Enables remote mouse and keyboard control and screen recording 【1】.
  - **FileManager:** Performs file system operations, including executing files via `os.startfile` 【1】.
  - **ClipboardManager:** Exfiltrates clipboard contents 【1】.
  - It lacks typical remote shell or arbitrary command execution features, instead using screen broadcasting with double-click emulation and the `os.startfile` function for manipulation 【1】.
  - The attackers attempt to mask the backdoor's presence by copying files to `C:\ProgramData\Tailscale`, mimicking the legitimate Tailscale VPN service 【1】.
  
  **What Defenders Should Know:**
  - Be vigilant against phishing emails impersonating tax authorities, especially those prompting downloads of archives or containing links within PDFs 【1】.
  - Monitor for the use of modified loaders like RustSL, which are designed for antivirus evasion 【1】.
  - Detect the deployment of ValleyRAT and the new ABCDoor backdoor, which offer extensive capabilities for data theft and system control 【1】.
  - Be aware of the **Phantom Persistence** technique, which can ensure malware execution after reboots 【1】.
  - Look for suspicious registry modifications, particularly to `UserInitMprLogonScript`, for persistence 【1】.
  - Kaspersky security solutions can detect this malicious activity using rules such as `nodejs_dist_url_amsi`, `access_to_ip_detection_services_from_nonbrowsers`, and `persistence_via_environment` 【1】.
• Careful adoption of agentic AI services - Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), United States Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), Canadian Centre for Cyber Security (Cyber Centre), New Zealand National Cyber Security Centre (NCSC-NZ), and United Kingdom National Cyber Security Centre (NCSC-UK) 🔍 Show Kagi Synopsis
  This article, co-authored by international cybersecurity agencies, provides guidance on the **careful adoption of agentic AI services** for government, critical infrastructure, and industry stakeholders 【1】.
  
  ### What Happened
  The guidance addresses the emergence of **agentic AI**, which are systems that use AI models to autonomously reason, plan, and take actions within IT environments without constant human oversight. While these systems offer benefits in automation, they also introduce significant security risks that need proactive management 【1】.
  
  ### Who is Affected
  The guidance is intended for **large organizations, government entities, and critical infrastructure operators** that are involved in the design, development, deployment, or operation of agentic AI systems 【1】.
  
  ### Security Implications
  Agentic AI systems expand the attack surface and introduce complex, systemic risks, including:
  - **Privilege Risks**: Issues such as over-privileged agents, "confused deputy" patterns, and identity spoofing can lead to unauthorized actions and data access 【1】.
  - **Design/Configuration Risks**: Insecure third-party integrations, static permissions, and poor segmentation can be exploited 【1】.
  - **Behavioural Risks**: Agents may exhibit goal misalignment, deceptive behavior, unpredictable actions, or be manipulated through prompt injection and data poisoning 【1】.
  - **Structural Risks**: Interconnected components can result in cascading failures, resource exhaustion (e.g., sponge attacks), and rogue agent activity 【1】.
  - **Accountability Risks**: The opaque decision-making processes, difficulty in auditing complex reasoning chains, and potential for hallucinations make it challenging to trace actions or assign responsibility 【1】.
  
  ### Technical Details
  Agentic AI systems are composed of an LLM core, external tools, data sources, memory, and planning workflows. They differ from generative AI by their **ability to act autonomously** to achieve objectives that may not be fully specified. The security challenges are compounded by the blurring of boundaries between AI and traditional IT systems 【1】.
  
  ### What Defenders Should Know
  Defenders should **integrate AI security into existing cybersecurity frameworks** rather than treating it as a separate discipline. Key recommendations include:
  - **Design**: Implement the principle of **least privilege**, robust identity management (e.g., cryptographically anchored identities), and oversight mechanisms 【1】.
  - **Development**: Employ comprehensive testing, including red teaming and adversarial training, input validation, and secure management of third-party components 【1】.
  - **Deployment**: Conduct thorough threat modeling, utilize progressive deployment (graduated autonomy), and enforce "secure by default" configurations with strong guardrails 【1】.
  - **Operation**: Maintain continuous monitoring and auditing, validate AI outputs, ensure human-in-the-loop oversight for high-impact actions, and apply system-theoretic approaches (like STPA) for security analysis 【1】.
• WordPress Plugin Hijacked in 2020 Hid a Dormant Backdoor for Years - The content posted on the website is controlled by **anadnet** . 🔍 Show Kagi Synopsis
  In 2020, the "Quick Page/Post Redirect Plugin" for WordPress was compromised by its own author, who intentionally introduced a dormant backdoor. This backdoor remained hidden for years, exploiting a supply chain vulnerability where a plugin could bypass official repository security by using an external update mechanism.
  
  **What Happened**
  The plugin author integrated a "pro updater" library that directed the plugin to check for updates from an external server (`anadnet.com`) instead of the official WordPress repository. This allowed the author to distribute modified versions of the plugin. A specific tampered version, 5.2.3, released in March 2021, contained a content-injection backdoor. Although the author later removed the external updater code from the official repository, the backdoor persisted on thousands of installations for approximately five years until the Command & Control (C2) server went offline.
  
  **Who is Affected**
  An estimated **over 70,000 websites** that had the "Quick Page/Post Redirect Plugin" installed were affected. The backdoor remained dormant on these sites for an extended period.
  
  **Security Implications**
  - **Content Injection:** The backdoor was designed to inject third-party content on pages viewed by logged-out users. This content was specifically cloaked to appear to search engine bots, a technique known as parasite SEO.
  - **Remote Code Execution (RCE):** The plugin's self-updating mechanism allowed the author to push arbitrary code to any site running the compromised version, granting them complete control over those WordPress installations.
  - **Stealthy Operation:** The content injection was programmed to only activate when a user was not logged in (`!is_user_logged_in()`), meaning administrators would not see the malicious content on their sites.
  
  **Technical Details**
  - **Tampering Detection:** The compromised plugin files had different MD5 hashes compared to the legitimate versions available on WordPress.org.
  - **Persistence Mechanism:** The backdoor's longevity was due to the plugin's configuration to fetch updates from an external URL, bypassing the standard WordPress update channel.
  - **Command & Control (C2):** The external update server (`anadnet.com`) served as the C2 infrastructure. Its eventual shutdown rendered the backdoor dormant, though the malicious code remained on affected systems.
  
  **What Defenders Should Know**
  - **Repository Trust is Not Absolute:** Relying solely on official plugin repositories is insufficient if a plugin can fetch updates from third-party sources.
  - **Checksum Verification is Crucial:** Administrators should utilize the `wp plugin verify-checksums <plugin-slug>` command via WP-CLI. This tool compares local plugin files against the official checksums provided by WordPress.org, helping to detect unauthorized modifications.
  - **Automated Audits for Scale:** For managing multiple websites, implementing automated, fleet-wide checksum verification is the most effective method for identifying supply chain tampering.
  - **Remediation Steps:** If a plugin is found to be tampered with, it should be **immediately uninstalled**. It is recommended to replace it with a reputable alternative that is actively maintained.
• CVE-2026-42167 Allows Auth Bypass And RCE In ProFTPD - in an extension, not core - ZeroPath 🔍 Show Kagi Synopsis
  A SQL injection vulnerability, **CVE-2026-42167**, has been discovered in the **mod_sql extension** of **ProFTPD** 【1】. This flaw allows attackers to bypass authentication, escalate privileges, or achieve remote code execution, depending on the server's configuration 【1】.
  
  **Who is Affected:**
  The vulnerability affects **ProFTPD versions 1.3.9 and earlier**. A fix is available in **version 1.3.9a** 【1】.
  
  **Security Implications:**
  The impact of this vulnerability varies based on the ProFTPD configuration 【1】:
  - **Remote Code Execution (RCE):** If ProFTPD connects to a PostgreSQL database with superuser privileges, the SQL injection can be escalated to RCE 【1】.
  - **Authentication Bypass and Privilege Escalation:** Attackers can insert or modify records in the user table to create new accounts or alter existing ones. For instance, they could change a user's home directory to the root directory (`/`) to gain full filesystem access 【1】.
  - **Credential Exfiltration:** Using timing-based blind SQL injection, attackers can extract data from the database, including user credentials stored in the users table 【1】.
  - **Subversion of Other Functionality:** Any feature relying on `mod_sql` for data storage, such as quota tracking, can be compromised 【1】.
  
  **Technical Details:**
  The vulnerability stems from how ProFTPD's `mod_sql` handles logging. Administrators can configure logging statements using "magic" percent expansions (e.g., `%U` for username, `%m` for FTP method) within `SQLNamedQuery` statements 【1】. Many of these expansions can be controlled by the attacker and are inserted directly into SQL queries 【1】.
  
  The flaw is triggered in the `sql_resolved_append_text()` function. This function checks if a value is "already escaped" using `is_escaped_text()`. If a value starts and ends with a single quote and contains no internal single quotes, it's considered escaped and is inserted into the SQL query without further sanitization 【1】. Attackers can craft input that meets these criteria to inject malicious SQL code 【1】.
  
  The level of access required depends on the configuration. If pre-authentication commands (like `USER`) are logged with attacker-controlled values, only network access is needed. If post-authentication commands (like `STOR`) are logged with attacker-controlled values (e.g., filename), the attacker must first authenticate, though an anonymous login would suffice if enabled 【1】.
  
  **What Defenders Should Know:**
  To mitigate this vulnerability, defenders should:
  - **Upgrade ProFTPD** to version 1.3.9a or later 【1】.
  - If an immediate upgrade is not feasible, **disable logging via `mod_sql`** 【1】.
  - **Monitor ProFTPD instances** for any suspicious activity 【1】.
  It is prudent to assume that any functionality dependent on `mod_sql` may be compromised if logging via `mod_sql` is enabled and involves attacker-controlled input 【1】.
• Security Advisory: Firmware Update Required — Gen 6, Gen 7, and Gen 8 Firewalls - SonicWall 🔍 Show Kagi Synopsis
  SonicWall has identified **three vulnerabilities** affecting its **Gen 6, Gen 7, and Gen 8 firewall platforms** 【1】. These vulnerabilities necessitate immediate firmware updates to maintain security.
  
  **What Happened:**
  Three security vulnerabilities have been discovered in specific SonicWall firewall generations. One vulnerability is classified as **High severity**, while the other two are of **Medium severity** 【1】.
  
  **Who is Affected:**
  The vulnerabilities impact users of **Gen 6, Gen 7, and Gen 8 SonicWall firewalls** 【1】.
  
  **Security Implications:**
  The identified vulnerabilities pose a risk to the security posture of affected firewalls. Exploitation could lead to unauthorized access or compromise of network security.
  
  **Technical Details:**
  Specific details about the vulnerabilities are available through the PSIRT Advisory SNWLID-2026-0004 【1】.
  
  **What Defenders Should Know:**
  * **Firmware Updates:**
  * **Gen 8 firewalls** require firmware version **8.2.0-8009**.
  * **Gen 7 firewalls** require firmware version **7.3.2-7010**.
  * **Gen 6 firewalls** have a patched firmware posted on MySonicWall as of April 29, 2026 【1】.
  * **Auto-Update:** Customers with Auto Update configured will receive the firmware automatically 【1】.
  * **Workarounds:** If immediate patching is not feasible, the following temporary mitigations can be applied:
  * Disable HTTP/HTTPS-based firewall management on all interfaces.
  * Disable SSL-VPN on all interfaces.
  * Restrict management access to SSH only 【1】.
• New Vulnerabilities in NVIDIA NeMo and Meta PyTorch Enable Full System Compromise - Cato Networks 🔍 Show Kagi Synopsis
  Cato CTRL has identified significant vulnerabilities in **NVIDIA NeMo** and **Meta PyTorch** that allow for **remote code execution (RCE)** through malicious AI model files 【1】.
  
  **What Happened:**
  Two critical vulnerabilities have been discovered:
  * **NVIDIA NeMo:** The framework hardcodes `trust_remote_code=True` in multiple AI model importers. This setting silently executes Python code controlled by a threat actor when any HuggingFace model is imported 【1】.
  * **Meta PyTorch:** The `weights_only=True` safety mechanism, which is recommended for security, can be bypassed. A storage size mismatch can trigger a heap buffer overflow, enabling malicious code execution even when users follow best practices 【1】.
  
  **Who is Affected:**
  These vulnerabilities affect systems running NVIDIA NeMo and Meta PyTorch, which are typically **GPU clusters and ML pipelines** 【1】. These systems often contain sensitive information and access, such as IAM roles, cloud credentials, and production data 【1】.
  
  **Security Implications:**
  The primary security implication is the ability for threat actors to gain **full system access** 【1】. By tricking a user into loading a malicious AI model, attackers can achieve RCE, exfiltrate data, and establish a privileged foothold within production infrastructure 【1】. This turns the AI model pipeline into an unmonitored software supply chain 【1】.
  
  **Technical Details:**
  * **CVE-2025-33236** is associated with the NVIDIA NeMo vulnerability, which has a CVSS score of 7.8 【1】.
  * The NeMo vulnerability exploits the `trust_remote_code=True` setting, which bypasses security checks 【1】.
  * The PyTorch vulnerability exploits a flaw in the `weights_only=True` mechanism, allowing a heap buffer overflow due to a storage size mismatch 【1】.
  
  **What Defenders Should Know:**
  Defenders are advised to take the following actions:
  * **Update AI/ML frameworks** to the latest versions provided by vendors 【1】.
  * **Avoid using `trust_remote_code=True`** 【1】.
  * Do not rely solely on `weights_only=True`; actively **monitor for and apply upstream patches** 【1】.
  * **Prefer Safetensors over pickle-based formats** 【1】.
  * **Load AI models in sandboxed environments** and never on systems that hold production credentials 【1】.
• Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective - atos.net 🔍 Show Kagi Synopsis
  This article details methods for interacting with Windows kernel-mode drivers from user mode, even when the specific hardware the drivers were designed for is absent. This is particularly relevant for assessing the exploitability of hardware-gated driver vulnerabilities, a common tactic in Bring Your Own Vulnerable Driver (BYOVD) attacks.
  
  **What Happened:**
  The research demonstrates techniques to bypass hardware dependencies that typically prevent user-mode interaction with certain drivers. By manipulating the Windows Plug and Play (PnP) architecture and device object creation, attackers can trick the system into loading and interacting with drivers without their intended hardware. This allows for the exploitation of vulnerabilities that would otherwise be unreachable 【1】.
  
  **Who is Affected:**
  The primary targets are **Windows systems** where vulnerable kernel-mode drivers are present. This includes users and organizations susceptible to BYOVD attacks, where attackers leverage these techniques post-exploitation to disable security software like Endpoint Detection and Response (EDR) 【1】.
  
  **Security Implications:**
  The core security implication is the **increased exploitability of hardware-gated driver vulnerabilities**. Attackers can use these methods to:
  - **Bypass security controls:** By loading vulnerable drivers, attackers can disrupt or disable security components 【1】.
  - **Achieve privilege escalation:** Vulnerable kernel drivers are a common vector for escalating privileges from user mode to kernel mode 【1】.
  - **Gain deeper system access:** The ability to interact with drivers without hardware allows for more comprehensive system compromise.
  
  **Technical Details:**
  The article focuses on interacting with drivers through their **device objects**, which are the primary attack vector 【1】. Key technical aspects include:
  
  * **Driver Initialization:** Drivers can initialize in two main ways:
  * **Unconditional Creation:** Some drivers create device objects immediately upon loading, making them accessible via simple deployment tools like `sc.exe` 【1】.
  * **Conditional Creation:** Many drivers, especially PnP-compatible ones, create device objects conditionally, often requiring specific hardware. This logic is typically found in `AddDevice` routines and `IRP_MJ_PNP` handlers 【1】.
  * **Bypassing Hardware Gating:**
  * **Software-Emulated Devices:** Creating software-emulated device nodes with spoofed hardware IDs using tools like `devcon.exe` or the Software Device API can trick the PnP manager into invoking the driver's `AddDevice` callback, thus making the driver reachable without physical hardware 【1】.
  * **Filter Restacking:** For filter drivers, which typically forward IRPs without handling `IRP_MJ_CREATE`, a device stack with a functional driver (FDO) is needed. This can be achieved by abusing device classes like Disk Drive and manipulating registry keys 【1】.
  * **Forced Driver Replacement:** While problematic due to potential system instability and hardware ID mismatches, it's possible to bypass the INF file mechanism by directly manipulating registry structures to tie a driver to a device instance 【1】.
  * **Hardware Interaction Mechanisms:** Drivers interact with hardware through methods like port I/O, Memory-Mapped I/O (MMIO), PCI configuration space, ACPI, SPB, GPIO, DMA, and interrupts 【1】. Hardware-gated vulnerabilities often involve checks on these interactions, such as chip ID checks or MMIO access to non-existent hardware 【1】.
  * **Device Stack Access:** Accessing a device stack requires at least one driver in the stack to successfully handle `IRP_MJ_CREATE`. If no driver in the stack supports this IRP, user-mode access is blocked 【1】.
  
  **What Defenders Should Know:**
  Defenders need to be aware of the **forensic footprint** associated with these techniques 【1】. Key points for defenders include:
  
  * **BYOVD Attacks are Evolving:** Attackers are finding ways to exploit drivers whose vulnerabilities were previously considered hardware-gated.
  * **Userland Techniques are Sufficient:** Many of these bypasses can be achieved purely from user mode with administrative privileges, without requiring kernel debugging or hypervisor access.
  * **Focus on Driver Initialization:** Understanding how drivers are initialized and how device objects are created is crucial for detecting malicious activity.
  * **Registry and PnP Manipulation:** Attackers may directly manipulate registry structures related to device enumeration and class associations to load their drivers.
  * **Forensic Analysis:** Monitoring for unusual driver loading events, unexpected device objects, and suspicious registry modifications can help detect these attacks. The techniques demonstrated leave traces that can be analyzed forensically 【1】.
• Komari Red: The Monitoring Tool with a Built-in Reverse Shell - Huntress 🔍 Show Kagi Synopsis
  The cybersecurity article discusses the **Komari C2 agent**, a tool initially designed for monitoring that has been repurposed by threat actors for malicious command and control (C2) operations. 【1】
  
  **What Happened:**
  The Komari agent, which is a legitimate monitoring tool, has been observed being abused by threat actors. These actors leverage its capabilities to establish a command and control channel, allowing them to remotely manage compromised systems. The tool's legitimate functions are exploited to mask malicious activity, making detection more challenging. 【1】
  
  **Who is Affected:**
  The article does not specify particular industries or types of organizations directly affected by Komari. However, as it is a C2 agent, any organization with compromised endpoints could potentially be affected. The nature of its abuse suggests that it could be used in various attack campaigns targeting a wide range of victims. 【1】
  
  **Security Implications:**
  The primary security implication is the **stealthy establishment of remote access** by attackers. By using a tool that has legitimate monitoring functions, threat actors can blend in with normal network traffic, making it harder for security teams to identify and block malicious C2 communications. This can lead to prolonged compromise periods, enabling further data exfiltration, lateral movement, or deployment of additional malware. 【1】
  
  **Technical Details:**
  Komari is described as a C2 agent that operates by communicating with a C2 server. While the article doesn't delve into deep technical specifics of its exploitation, it highlights that the tool's inherent functionality is what makes it attractive to attackers. Its ability to monitor and report on system activities can be twisted to receive commands and exfiltrate data. The article implies that the tool itself doesn't need to be weaponized, as its existing features are sufficient for C2 operations. 【1】
  
  **What Defenders Should Know:**
  Defenders should be aware that legitimate monitoring tools can be repurposed for malicious C2 activities. This means that **unusual network traffic patterns or unexpected communications from monitoring agents** should be investigated thoroughly. Security teams need to have robust endpoint detection and response (EDR) capabilities to identify anomalous behavior, even from seemingly benign software. Understanding the normal operational patterns of deployed monitoring tools is crucial for distinguishing legitimate activity from malicious abuse. 【1】
• Preparing for a ‘vulnerability patch wave’ - National Cyber Security Centre 🔍 Show Kagi Synopsis
  The National Cyber Security Centre (NCSC) is warning organizations to prepare for a significant wave of software patches, termed a "vulnerability patch wave," which will address accumulated "technical debt" 【1】 【1】. This technical debt refers to a backlog of technical issues resulting from prioritizing short-term gains over building resilient products 【1】.
  
  **What Happened:**
  Artificial Intelligence (AI) is now capable of exploiting this technical debt at scale and speed across the technology ecosystem. This has led the NCSC to anticipate a "forced correction" to address these vulnerabilities in all types of software, including open source, commercial, proprietary, and Software as a Service (SaaS) 【1】.
  
  **Who is Affected:**
  **All organizations**, whether they are technology producers, vendors, consumers, or operators, are affected by technical debt and will need to manage the upcoming patch wave 【1】 【1】.
  
  **Security Implications:**
  The primary security implication is the increased risk of exploitation of known vulnerabilities. Attackers can leverage AI to rapidly identify and exploit these weaknesses across a wide range of software 【1】. This necessitates a proactive approach to security to reduce the attack surface and ensure timely patching 【1】 【1】.
  
  **Technical Details:**
  The "patch wave" refers to a surge of software updates designed to fix disclosed vulnerabilities 【1】. This technical debt exists in various forms, including legacy or "end of life" technologies that may no longer receive support or updates 【1】. The NCSC recommends several strategies for managing these updates:
  * **Prioritize external attack surfaces:** Organizations should identify and minimize internet-facing and externally exposed systems, starting with the perimeter and moving inwards to cloud and on-premises environments 【1】.
  * **Enable automatic patching:** Where available, "hot patching" (patching without service disruption) and automatic updates should be enabled as a priority 【1】 【1】.
  * **Implement frequent and scaled updating:** For systems without automatic updates, organizations need processes that support frequent and large-scale updating. Risk-prioritized approaches like the Stakeholder Specific Vulnerability Categorisation (SSVC) system can help 【1】.
  * **Accelerate critical patches:** If a critical vulnerability is actively being exploited, especially on an internet-facing system, the update process must be accelerated 【1】.
  * **Address legacy systems:** For unsupported or legacy technology, replacement or bringing systems back into support is necessary, particularly if they are externally exposed 【1】.
  * **Consider memory safety:** Technology producers are encouraged to minimize systemic technical security debt by incorporating memory safety and containment technologies 【1】.
  
  **What Defenders Should Know:**
  Defenders need to **prepare for a significant increase in patching requirements** 【1】. Key actions include:
  * **Proactively reduce attack surfaces:** Minimize internet-facing assets to lessen the impact of newly disclosed vulnerabilities 【1】.
  * **Adopt an "update by default" policy:** Aim to apply software updates as soon as possible, ideally automatically 【1】.
  * **Plan for rapid deployment:** Develop capabilities to deploy updates quickly, frequently, and at scale, including across supply chains 【1】.
  * **Address unsupported technology:** Identify and plan for the replacement or remediation of end-of-life or legacy systems that cannot be patched 【1】.
  * **Focus on fundamentals:** Implement robust cybersecurity fundamentals, such as adopting frameworks like Cyber Essentials or the Cyber Assessment Framework for essential service organizations 【1】.
  * **Be ready for critical exploits:** Have procedures in place to rapidly respond to actively exploited critical vulnerabilities 【1】.