Anthropic published a blog post one hour ago.
Cybersecurity stocks have lost $10B since.
CrowdStrike -6.5%. Cloudflare -6%. Okta -5.7%.
One blog post. One hour. $10B gone.
#BadSuccessor - a textbook example of why the security ecosystem is broken
- A privilege escalation vuln in Windows Server 2025 AD (via dMSA)
- Full domain compromise with default config
- Microsoft was told, agreed it’s real, but rated it "moderate"
- No patch, No fix
- No code execution needed
- No need to touch the DC
- No RPC, no ntds.dit
- Just a write to one attribute on an account you can create
- Rubeus already supports dMSA abuse (since February)
- Metasploit module is in the works
Researchers published everything anyway. Because… "we respectfully disagree with Microsoft’s assessment". So yeah, let’s just drop an end-to-end domain takeover technique online to prove a point.
To be fair, Windows Server 2025 isn’t widely deployed yet, so the real-world blast radius today is limited. But this isn’t about today - it’s about trust, process, and what happens when security decisions are driven by vendor priorities and researcher egos.
What this tells me:
1. Microsoft either:
- Can’t assess bugs anymore
- Or stopped caring about on-prem AD completely (because Entra ID is what they want to sell)
2. And the offensive sec crowd?
- They knew this would hit hard
- But chose to burn the world anyway
- Because their urge to be right > everyone else’s security
In the end, both sides look bad.
Microsoft, for being dysfunctional or apathetic
Researchers, for chasing clout over coordinated disclosure
Congrats. In a rare show of unity, both sides managed to screw this up.
Blog: https://t.co/f9eDCBmbjI
LinkedIn: https://t.co/dc1l5EUYpb
Metasploit issue: https://t.co/tcRkUHavo1
CVE-2025-21298 is a no-click, high-risk vulnerability in Windows. Malicious RTF files can execute code remotely just by being previewed in Outlook.
Get the full details and mitigation steps: https://t.co/3HQncnbEiP
Excited to share that our talk ‘Dismantling the SEOS Protocol’ will be part of Black Hat Asia 2025 briefings @BlackHatEvents
Where we will present the reversing and implementing the SEOS protocol into the Proxmark3 tool.
It's a great story!
@evildaemond and I are looking forward to connecting with the community, sharing what we’ve learned, and learning from others.
See you in Singapore!
https://t.co/mbV6AGAK0g
#CyberSecurity #PACS #BlackHat #BHASIA
New writeup from @_specters_ and I: we're finally allowed to disclose a vulnerability reported to Kia which would've allowed an attacker to remotely control almost all vehicles made after 2013 using only the license plate.
Full disclosure:
https://t.co/e2EwvUMgqw
In a recent incident response case, the attacker ran the following command, trying to dump lsass with the well-known comsvcs.dll technique:
%COMSPEC% /Q /c cmd.eXE /Q /c for /f "tokens=1,2 delims= " ^%A in ('"tasklist /fi "Imagename eq lsass.exe" | find "lsass""') do rundll32.exe C:\windows\System32\comsvcs.dll, #+0000^24 ^%B \Windows\Temp\jvX7H.png full
What's interesting, though, is the parameter "#+0000^24 ^%B" passed to comsvcs.dll.
Looks familiar? Yes, I tweeted recently about the talk from @Wietze about command line obfuscation. [1]
See the marked part in the screenshot below? :)
[1] https://t.co/XIQDf0viTx
1/ Recently a team reached out to me for assistance after $1.3M was stolen from the treasury after malicious code had been pushed.
Unbeknownst to the team they had hired multiple DPRK IT workers as devs who were using fake identities.
I then uncovered 25+ crypto projects with related devs that have been active since June 2024.
This is a really interesting vulnerability, but *the Internet is not on fire.* Please read the actual advisory before spreading FUD. If you can't understand the original advisory, please get someone to explain it to you.
In short, the exploit has only been proven against x86 versions - NOT x64. That's important because finding the right address to return to in x64 is exponentially harder in x64 than x86.
This is definitely a "don't delay patching" moment, but not a "OMG, get an outage window NOW" moment. Monitor for updates though, that could change (though highly unlikely IMO).
This is also a great time to talk about zero trust. The foundational principle here is "deny all, permit by exception." Most orgs don't need SSH open to the whole Internet. Yes, ACLs are a pain to use. But you're getting a lot back in security. That's true for times like these, but it's also makes credential compromises harder to meaningfully exploit.
As an aside, if you can't do IP ACLs for SSH (and everyone *can*, it's just a question of overhead to maintain), consider changing the default port for SSH. In some testing, that's dropped my failed login attempts by more than 95% (98%+ if you don't make it something obvious like 2200, 2222, or 2022).
Finally, let's talk monitoring. It took @qualys researchers about a week to get a root shell. And that's for the x86 version (which again, is infinitely easier to trigger than in x64). So even if you can't just allow list a few IP addresses, you can for sure block list IPs that are hammering your server with ~10,000 exploit attempts. And before someone says "but Jake, what if they use a distributed network" - okay, but still block the obviously malicious IPs?
Great work by the Qualys team. There aren't many that can turn something like this into RCE - even in controlled environments.
https://t.co/mORexbh9Ui
🚨 Security researchers have found that Microsoft’s VS Code is extremely vulnerable to malicious extensions.
The authors claim that in 30 minutes they built a trending extension that stole source code from billion dollar companies.
Worse still, they found that malicious extensions had been installed 229M times.
IDEs process sensitive source code, production keys and have privileged execution access, so this finding is insane.
🚨 #BREAKING 🚨
🇺🇸#USA: Hundreds of millions of Advance Auto Parts records allegedly exfiltrated: The threat actor claims to be selling for $1.5 million 3 terabytes stolen from AAP Snowflake.
According to the post, the data includes:
- 380 million customer profiles (name, email, mobile, phone, address, and more)
- 140 million customer orders
- 44 million Loyalty/Gas card numbers (with customer details)
- 358,000 employees
- Auto parts/part numbers
- Sales history
- Employment candidate information with SSNs, driver's license numbers, and demographic details
- Transaction tender details
- Over 200 tables of data
The confirmation or denial of these claims has yet to be verified.
#DataBreach #Snowflake
Yesterday afternoon I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident.
I am working with agencies across the Australian Government, states and territories to coordinate a whole-of-government response to this incident.
The @ASDGovAu Australian Cyber Security Centre is aware of the incident and the @AusFedPolice is investigating.
We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident.