Nezha, a legitimate open-source monitoring tool, is being abused as a stealthy RAT with SYSTEM/root access and zero AV detections.

A growing example of Living-off-the-Land abuse. https://www.technadu.com/legitimate-nezha-monitoring-tool-abused-as-a-powerful-rat-providing-complete-control-over-compromised-hosts/616358/

Thoughts on defending against legitimate tool misuse?

#InfoSec #RAT #ThreatHunting

I strongly recommend anyone looking to learn hands-on detection engineering or threat hunting (or even seasoned vets looking to sharpen their skills) to attend DEATHcon. I’ve been running through the workshops during my holiday breaks and it’s one of the most hands-on conferences I have attended. Build a VM and connect to the deathcon network via tailscale to play with all sorts of log types to cut your teeth on. The course is well run, speakers are super responsive to requests via their discord channel, and the hosts gratefully keep the infra up through the end of the year so you can practice at your own pace. They also ran a RMM rodeo competition which resulted in a whole bunch of new RMM tools getting pulled into to the main LOLRMM project. My only regret is I haven’t worked through all the workshops because there are so many. Tickets went super fast for 2025, so be sure to grab one as soon as they go up for sale in 2026! You cannot beat the price for both the quantity and quality of material you receive.

https://deathcon.io/

#threatintelligence #cti #threathunting #detectionengineering #soc

YAMAGoya: A Real-time Client Monitoring Tool Using Sigma and YARA Rules: https://blogs.jpcert.or.jp/en/2025/11/YAMAGoya.html

#sigma #yara #fileless #memoryanalysis #threathunting

Hayabusa: A Powerful Log Analysis Tool for Forensics and Threat Hunting: https://medium.com/@cyberengage.org/hayabusa-a-powerful-log-analysis-tool-for-forensics-and-threat-hunting-a00fb3ae8635

#hayabusa #windowslogs #digitalforensics #threathunting

Over 25,000 Fortinet devices have been identified with FortiCloud SSO exposed online amid active exploitation of an authentication bypass vulnerability.

The attack path involves malicious SAML authentication, enabling admin access to web management interfaces and sensitive configuration data. CISA has already mandated patching for U.S. federal systems.

From an operational security standpoint, this reinforces the need for:
- Restricted admin interface exposure
- Identity-aware access controls
- Continuous external attack surface monitoring
What mitigation strategies have proven most effective in your environment?

Source: https://www.bleepingcomputer.com/news/security/over-25-000-forticloud-sso-devices-exposed-to-remote-attacks/

Engage in the discussion and follow TechNadu for practitioner-relevant cyber reporting.

#InfoSec #ThreatHunting #IdentitySecurity #AttackSurfaceManagement #Fortinet #CyberDefense #TechNadu

🔐 IT-Sicherheits- und Logging-Spezialist*in (E13 TV-L) gesucht

Die HHU Düsseldorf sucht zum 01.03.2026 eine*n IT-Sicherheits- und Logging-Spezialist*in für das ZIM.

Aufgabenschwerpunkte:
• IT-Security-Design & Incident Response
• Threat Detection & Angriffssimulationen
• Betrieb & Ausbau des zentralen Loggings (z. B. Splunk)

📍 Düsseldorf | ⏳ Bewerbung bis 12.01.2026

https://karriere.hhu.de/index.php?ac=jobad&id=544

#Stellenausschreibung #ITSecurity #InfosecJobs #CyberSecurity #Hochschule #Splunk #ThreatHunting

"Approximately 20 minutes after the initial successful whoami command execution from 45.227.254[.]124, the intrusion commenced from a new IP address, 91.191.209[.]46, utilizing a slightly modified version of the exploit. It’s plausible that the exploitation script used in the second instance, which downloaded and executed the Metasploit payload...."

Report: https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/ #DFIR #CyberSecurity #InfoSec #ThreatHunting #IncidentResponse #DigitalForensics #BlueTeam

What Is a Supply Chain Attack? Lessons from Recent Incidents

924 words, 5 minutes read time.

I’ve been in computer programming with a vested interest in Cybersecurity long enough to know that your most dangerous threats rarely come through the obvious channels. It’s not always a hacker pounding at your firewall or a phishing email landing in an inbox. Sometimes, the breach comes quietly through the vendors, service providers, and software updates you rely on every day. That’s the harsh reality of supply chain attacks. These incidents exploit trust, infiltrating organizations by targeting upstream partners or seemingly benign components. They’re not theoretical—they’re real, costly, and increasingly sophisticated. In this article, I’m going to break down what supply chain attacks are, examine lessons from high-profile incidents, and share actionable insights for SOC analysts, CISOs, and anyone responsible for protecting enterprise assets.

Understanding Supply Chain Attacks: How Trusted Vendors Can Be Threat Vectors

A supply chain attack occurs when a threat actor compromises an organization through a third party, whether that’s a software vendor, cloud provider, managed service provider, or even a hardware supplier. The key distinction from conventional attacks is that the adversary leverages trust relationships. Your defenses often treat trusted partners as safe zones, which makes these attacks particularly insidious. The infamous SolarWinds breach in 2020 is a perfect example. Hackers injected malicious code into an update of the Orion platform, and thousands of organizations unknowingly installed the compromised software. From the perspective of a SOC analyst, it’s a nightmare scenario: alerts may look normal, endpoints behave according to expectation, and yet an attacker has already bypassed perimeter defenses. Supply chain compromises come in many forms: software updates carrying hidden malware, tampered firmware or hardware, and cloud or SaaS services used as stepping stones for broader attacks. The lesson here is brutal but simple: every external dependency is a potential attack vector, and assuming trust without verification is a vulnerability in itself.

Lessons from Real-World Supply Chain Attacks

History has provided some of the most instructive lessons in this area, and the pain was often widespread. The NotPetya attack in 2017 masqueraded as a routine software update for a Ukrainian accounting package but quickly spread globally, leaving a trail of destruction across multiple sectors. It was not a random incident—it was a strategic strike exploiting the implicit trust organizations placed in a single provider. Then came Kaseya in 2021, where attackers leveraged a managed service provider to distribute ransomware to hundreds of businesses in a single stroke. The compromise of one MSP cascaded through client systems, illustrating that upstream vulnerabilities can multiply downstream consequences exponentially. Even smaller incidents, such as a compromised open-source library or a misconfigured cloud service, can serve as a launchpad for attackers. What these incidents have in common is efficiency, stealth, and scale. Attackers increasingly prefer the supply chain route because it requires fewer direct compromises while yielding enormous operational impact. For anyone working in a SOC, these cases underscore the need to monitor not just your environment but the upstream components that support it, as blind trust can be fatal.

Mitigating Supply Chain Risk: Visibility, Zero Trust, and Preparedness

Mitigating supply chain risk requires a proactive, multifaceted approach. The first step is visibility—knowing exactly what software, services, and hardware your organization depends on. You cannot defend what you cannot see. Mapping these dependencies allows you to understand which systems are critical and which could serve as entry points for attackers. Second, you need to enforce Zero Trust principles. Even trusted vendors should have segmented access and stringent authentication. Multi-factor authentication, network segmentation, and least-privilege policies reduce the potential blast radius if a compromise occurs. Threat hunting also becomes crucial, as anomalies from trusted sources are often the first signs of a breach. Beyond technical controls, preparation is equally important. Tabletop exercises, updated incident response plans, and comprehensive logging equip teams to react swiftly when compromise is detected. For CISOs, it also means communicating supply chain risk clearly to executives and boards. Stakeholders must understand that absolute prevention is impossible, and resilience—rapid detection, containment, and recovery—is the only realistic safeguard.

The Strategic Imperative: Assume Breach and Build Resilience

The reality of supply chain attacks is unavoidable: organizations are connected in complex webs, and attackers exploit these dependencies with increasing sophistication. The lessons are clear: maintain visibility over your entire ecosystem, enforce Zero Trust rigorously, hunt for subtle anomalies, and prepare incident response plans that include upstream components. These attacks are not hypothetical scenarios—they are the evolving face of cybersecurity threats, capable of causing widespread disruption. Supply chain security is not a checkbox or a one-time audit; it is a mindset that prioritizes vigilance, resilience, and strategic thinking. By assuming breach, questioning trust, and actively monitoring both internal and upstream environments, security teams can turn potential vulnerabilities into manageable risks. The stakes are high, but so are the rewards for those who approach supply chain security with discipline, foresight, and a relentless commitment to defense.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Sources

• CISA: Supply Chain Security Resources
• NIST SP 800-161: Supply Chain Risk Management Practices
• KrebsOnSecurity: Cybersecurity News & Analysis
• CrowdStrike: Threat Intelligence Reports
• Mandiant Threat Reports
• Schneier on Security
• Verizon Data Breach Investigations Report (DBIR)
• Black Hat Conference Talks
• DEF CON Conference Resources
• Academic Papers on Cybersecurity

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#anomalyDetection #attackVector #breachDetection #breachResponse #CISO #cloudSecurity #cyberattackLessons #cybersecurity #cybersecurityGovernance #cybersecurityIncident #cybersecurityMindset #cybersecurityPreparedness #cybersecurityResilience #cybersecurityStrategy #EndpointSecurity #enterpriseRiskManagement #enterpriseSecurity #hardwareCompromise #hardwareSecurity #incidentResponse #incidentResponsePlan #ITRiskManagement #ITSecurityPosture #ITSecurityStrategy #Kaseya #maliciousUpdate #MFASecurity #MSPSecurity #networkSegmentation #NotPetya #organizationalSecurity #perimeterBypass #ransomware #riskAssessment #SaaSRisk #securityAudit #securityControls #SOCAnalyst #SOCBestPractices #SOCOperations #softwareSecurity #softwareSupplyChain #softwareUpdateThreat #SolarWinds #supplyChainAttack #supplyChainMitigation #supplyChainRisk #supplyChainSecurityFramework #supplyChainVulnerabilities #thirdPartyCompromise #threatHunting #threatLandscape #trustedVendorAttack #upstreamCompromise #upstreamMonitoring #vendorDependency #vendorRiskManagement #vendorSecurity #vendorTrust #zeroTrust

Process Hacker, PEB et NTDLL : les clés pour des applications natives ultra-minimalistes

🤯 Dans certains cas, on veut maîtriser chaque octet. Pourtant, même un programme basique peut embarquer des DLL dont on pourrait se passer. Plongeons ensemble dans les entrailles de l'exécutable.

Un 'Hello World' basue compilé en C++ pèse environ 11KB, il dépend de Kernel32.dll et VCRuntime140.dll. Avec un lien statique avec le CRT, la taille monte à 136KB ! 😱
Le CRT gère l'appel de `main`, l'exécution des constructeurs d'objets C++, les variables comme `errno`, et les opérateurs `new`/`delete`. Mais cette commodité a un coût en taille et en dépendances.

Pour des binaires ultra-minimalistes, réduire le CRT implique de paramétrer le linker pour réduire les librairies par défaut, de désactiver la vérification de sécurité du tampon (/GS), et de modifier le point d'entrée pour `mainCRTStartup`.

Adieu `printf` ! On le remplace par `WriteConsoleA` de `Kernel32.dll` pour l'affichage. Le résultat : un exécutable de seulement 4KB, avec juste deux imports de `Kernel32.dll`. C'est une belle victoire, non ? 😎

Mais on peut aller encore plus loin: chaque processus Windows charge systématiquement `NTDLL.dll` qui propose de nombreuses fonctions similaires au CRT, comme `sprintf_s`. La subtilité : la `NtDll.lib` standard de Microsoft n'exporte pas toujours toutes ces fonctions. On a alors deux options : soit créer une bibliothèque d'import personnalisée, soit recourir au linking dynamique via `GetModuleHandle` et `GetProcAddress`. ✨

Et pour les arguments de la ligne de commande `argc`/`argv` ? Sans le CRT, le système passe à `mainCRTStartup` un unique argument : le `PPEB` (Process Environment Block) et son membre `ProcessParameters` permettent d'accéder aux informations comme `ImagePathName` ou `CommandLine`. C'est le mode de fonctionnement des applications natives.

Pourquoi s'engager dans cette démarche de "minimisation" ? 🤔 Pour les DevSecOps et Purple Teams:

* Légèreté: Pour des outils offensifs discrets, des charges utiles ou des situations avec des contraintes de taille strictes, un binaire de 4KB est un avantage considérable.
* Les applications natives, dépendant uniquement de `NTDLL`, peuvent s'exécuter très tôt dans le démarrage de Windows (comme `Smss.exe` ou `autochk.exe`). Elles offrent une perspective unique sur le fonctionnement bas niveau du système.

Pour explorer ces concepts, l'article original est une mine d'or : https://scorpiosoftware.net/2023/03/16/minimal-executables/

C'est un sujet passionnant qui conduit vers d'autres sujets de développements passionants dans le domaine de la cybersécurité offensive et du reverse engineering 🤯

Quelle méthode préférez-vous pour remplacer les fonctions CRT par NTDLL ? Débattez dans les commentaires ! 👇

#Cybersécurité #DevSecOps #ReverseEngineering #WindowsInternals #Programmation #MalwareAnalysis #ExploitDevelopment #SecureCoding #ThreatHunting