
Cybersecurity Threats and Breaches: Critical Updates and Insights

May 23, 2025 (11 min)

Episode description


In this episode of Cybersecurity Today, host Jim Love reports on several critical cyber threats and data breaches. A newly discovered flaw in Windows Server 2025's delegated Managed Service Accounts (dMSAs) lets an attacker who can create a dMSA seize control of any account in Active Directory, including domain admins; Akamai researchers call the technique BadSuccessor, and no patch was available at the time of recording. TeleMessage, a modified Signal client built to meet federal archiving rules, was hacked, exposing messages and metadata of over 60 officials, and the service was shut down. Microsoft disrupted the global Lumma Stealer malware operation, which had infected nearly 400,000 computers. Coinbase suffered a major data breach affecting over 69,000 customers after support staff were bribed by an attacker. Additionally, hackers distributed a trojanized version of the KeePass password manager through typosquatted websites, using it to steal credentials and deploy ransomware. Jim Love encourages listeners to stay vigilant and download software only from official sources. He teases an upcoming interview with a knowledgeable guest working on open-source solutions to cybersecurity issues.

00:00 Introduction to Cybersecurity News
00:36 Windows Server 2025 Vulnerability
03:09 TeleMessage Hack Scandal
05:37 Microsoft Disrupts Lumma Malware
07:29 Coinbase Breach Details
08:54 Malicious Password Manager Alert
10:55 Conclusion and Upcoming Interview

Transcript

An unpatched Windows Server 2025 flaw lets attackers seize full domain control. The TeleMessage hack affects a wider range of government departments. Microsoft disrupts Lumma malware operations behind 394,000 infections. The Coinbase breach is revealed to have affected over 69,000 customers, and hackers distribute a malicious version of a popular password manager. This is Cybersecurity Today.

I'm your host, Jim Love. A newly discovered vulnerability in Windows Server 2025 can allow attackers to take control of any user account in Active Directory, including domain admins, without triggering traditional security alerts. Akamai researchers have dubbed the exploit BadSuccessor. It abuses the delegated Managed Service Account, or dMSA, feature, which was introduced in Windows Server 2025 to replace older service accounts with more secure alternatives.

The problem lies in how these dMSAs inherit permissions. Researchers found that by manipulating just two attributes, one that links a dMSA to a legacy account and another that marks the migration as complete, attackers can cause a dMSA to inherit full access privileges from any user or computer account. Crucially, the ability to create new dMSAs isn't restricted to admins.

In over 90% of environments surveyed, Akamai found non-admin users with the necessary permissions to create these accounts, making the attack trivial to execute in real-world environments. "This issue likely affects most organizations that rely on Active Directory," said Yuval Gordon, the Akamai researcher who led the discovery. "We didn't change any group memberships or elevate existing accounts, just two attribute changes and a new object was crowned successor."

The attack bypasses traditional privilege escalation detection and doesn't require any pre-existing high-level access. Once a dMSA is linked and flagged as migrated, it can request service tickets from the Key Distribution Center, or KDC, effectively gaining access to any resource in the domain. The researchers have informed Microsoft, and they're working on a fix, but no patch is yet available.

In the meantime, Akamai recommends restricting dMSA creation permissions to trusted administrators only, logging and auditing all dMSA creation and modification events, monitoring authentication activity linked to dMSAs, and using Akamai's provided script to identify risky permissions in your domain. Even domains not actively using dMSAs are exposed if they have at least one Windows Server 2025 domain controller.

By now most people are aware of the name Mike Waltz, the former National Security Advisor and one of the central figures in Signalgate, where a number of the most senior officials in the US Department of Defense were supposedly using Signal, a commercial messaging application, and sharing classified government information. This became a huge scandal, but it wasn't the whole story.

It turns out that Waltz and others were not using Signal, which would've been bad enough, but were actually using a system called TeleMessage, a Signal clone, and that clone had an added feature of archiving the discussions, which kept up with the federal government rules. The problem is this application, unlike Signal, does not have full end-to-end encryption.

Shortly after this revelation, a hacker demonstrated they could breach TeleMessage in less than 20 minutes and gain access to messages and metadata. They subsequently did this and posted a file with the data on the internet. Citing an abundance of caution, TeleMessage shut their service down after this was revealed.

Now it turns out that TeleMessage, a customized version of Signal built to meet federal archiving rules, was being used by over 60 officials across FEMA, the Secret Service, and other federal agencies. A researcher who has previously investigated flaws in messaging apps used by lawmakers confirmed that there was a file containing chat logs, contact lists, and even travel plans for senior officials. The file was reportedly posted online, but was subsequently taken down.

This breach adds to the mounting concerns over government use of third-party apps for secure communications, and with content and metadata now possibly in the hands of foreign adversaries, the fallout could range from diplomatic consequences to operational risks. TeleMessage's failure has also reopened questions about how government agencies vet the security of modified communication tools, especially those designed for compliance rather than protection.

It will not be Mike Waltz who heads this investigation, though; he was moved from his National Security Advisor position to be nominated as Ambassador to the United Nations, although that appointment has to be ratified by the US Senate, and given the current situation, that might not be an easy thing to do.

Microsoft said it has dismantled the global infrastructure of the Lumma Stealer malware, which had infected nearly 400,000 Windows computers and was widely used by cybercriminals to steal passwords, credit card data, and crypto wallets. Between March 16th and May 16th, Microsoft's Digital Crimes Unit tracked over 394,000 Windows machines compromised by Lumma.

Working with law enforcement and industry partners, including Europol, Cloudflare, and Bitsight, Microsoft took control of over 1,300 domains tied to the malware and redirected them to sinkholes to stop further communication between the infected systems and the attackers. The US Department of Justice secured a court order to seize Lumma's command and control infrastructure and shut down the underground marketplaces that sold the malware.

Authorities in Japan also helped disable local servers linked to the operation. Lumma Stealer has been sold on underground forums since 2022. Its ease of use, ability to bypass some security tools, and steady feature updates make it a go-to tool for hackers. Criminals have used it in phishing campaigns, including one impersonating Booking.com, and in others targeting schools, gaming communities, logistics firms, and even healthcare systems.

The takedown shows growing cooperation between tech firms and law enforcement to dismantle cybercrime infrastructure. But with malware like Lumma easily copied and adapted, experts warn that similar tools may quickly resurface.

Well, it might be some time, if ever, before we know how much damage was done before Microsoft was able to shut this group down, and although these guys seem to resurface very rapidly, at least for now, score one for the good guys.

We are getting a better picture of the impact of the recent Coinbase breach. The company is the largest US-based cryptocurrency exchange, and it confirmed that at least 69,461 customers had personal and financial data stolen in a breach that had lasted several months.

The breach was the result of support staff being bribed by a hacker who later demanded a $20 million ransom. In a regulatory filing with Maine's Attorney General, Coinbase said the breach began on December 26th, 2024, and wasn't discovered until earlier this month, when the company received a credible ransom note. The attacker claimed to have exfiltrated sensitive customer data and demanded $20 million to delete it. Coinbase refused to pay.

The company said in a blog post that the attacker gained access by bribing customer support employees. The stolen information includes names, contact details, government-issued ID documents, account balances, and even transaction histories, raising concerns that high-value users could be targeted for further fraud or phishing attacks. As we heard earlier, the attack was a long-term insider compromise and not a traditional system hack.

Coinbase has not disclosed how many employees were involved or how access controls failed to detect the activity for months. The breach has not yet impacted customer funds, at least according to the company.

And here's everyone's nightmare: all of your passwords, supposedly in that safe password manager, are revealed, and it's happening. Hackers are distributing a malicious version of a popular password manager, KeePass, embedding it with malware that steals data and deploys ransomware.

This tainted software is being spread through typosquatted websites that closely mimic the legitimate KeePass site. Once installed, the fake KeePass exports saved passwords in clear text and transmits them to attackers via a Cobalt Strike beacon.

The attackers then use these credentials to infiltrate networks and deploy ransomware. Security researchers from WithSecure have identified this campaign, which appears to be orchestrated by an initial access broker group linked to the Black Basta ransomware gang. The group, tracked as UNC4696, has previously been associated with Nitrogen Loader campaigns. The malicious KeePass variant maintains all functionalities of the legitimate tool, but includes additional malicious components.

The typosquatted website hosting this version remains active, posing ongoing risks to unsuspecting users. This is an opportunity for us to have an educational moment here with our users, and it underscores the importance of downloading software only from official sources and being vigilant against lookalike websites. No one should download software via a link sent to them or on any web page. They have to always access the legitimate site and, if necessary, work their way from there.

It's just too easy to have a lookalike page and even to disguise the URL so effectively that even a trained eye might miss it, and that goes double for highly secure apps like, for instance, a password manager. And that's our show. This weekend we have an interview I think, well, I hope, you'll find as interesting as I did. My guest is not only hugely knowledgeable, but he's working on some of the issues that we're all struggling with and making solutions available as open source.

Check it out Saturday morning or any other time you listen to long-form podcasts. I'm your host, Jim Love. Thanks for listening.
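The BadSuccessor segment above lists two things a defender can check today: who in the domain is allowed to create dMSA objects, and which dMSAs already carry the two attack attributes (a predecessor link plus a "migration completed" state). The script below is an added worked example written for this page; it is not the podcast's content and not Akamai's own script. It assumes the RSAT ActiveDirectory module, a domain that already has a Windows Server 2025 domain controller (so the msDS-DelegatedManagedServiceAccount class exists in the schema), and read access to object ACLs. The list of "expected" privileged principals is an assumption to tune for your domain.

```powershell
# Added example: audit an AD domain for BadSuccessor exposure with the ActiveDirectory module.
# Not the show's or Akamai's code. Assumes RSAT ActiveDirectory, a Windows Server 2025 DC,
# and permission to read ACLs (a plain domain user is usually enough for the permission survey).
Import-Module ActiveDirectory

# 1. Resolve the schema GUID of the dMSA class at runtime instead of hard-coding it.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$dmsaClass = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=msDS-DelegatedManagedServiceAccount)' -Properties schemaIDGUID
if (-not $dmsaClass) { throw 'dMSA class not in schema: no Windows Server 2025 DC, so BadSuccessor does not apply here.' }
$dmsaGuid = [guid]$dmsaClass.schemaIDGUID

# Principals that are expected to hold create rights on OUs; anything else is reported.
# ASSUMPTION: adjust to the tiering model of your own domain.
$expectedPrincipals = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'Domain Admins', 'Enterprise Admins')

# 2. Survey the domain root and every OU for Allow ACEs granting CreateChild (or GenericAll)
#    either for all object classes (empty ObjectType GUID) or specifically for the dMSA class.
$containers = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$createRights = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$allRights    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$riskyCreate = foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $grantsCreate = $ace.ActiveDirectoryRights.HasFlag($createRights) -or
                        $ace.ActiveDirectoryRights.HasFlag($allRights)
        if (-not $grantsCreate) { continue }
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $dmsaGuid) { continue }
        $who = $ace.IdentityReference.Value
        if ($expectedPrincipals | Where-Object { $who -like "*$_*" }) { continue }
        [pscustomobject]@{
            Container = $dn
            Principal = $who
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $dmsaGuid) { 'dMSA class only' } else { 'all child classes' }
        }
    }
}

# 3. Find dMSAs that already look "migrated": msDS-DelegatedMSAState = 2 (migration completed)
#    with msDS-ManagedAccountPrecededByLink pointing at the account whose privileges they inherit.
$filter = '(&(objectClass=msDS-DelegatedManagedServiceAccount)(msDS-DelegatedMSAState=2)(msDS-ManagedAccountPrecededByLink=*))'
$migratedDmsas = Get-ADObject -LDAPFilter $filter `
    -Properties msDS-ManagedAccountPrecededByLink, msDS-DelegatedMSAState, whenCreated, whenChanged |
    ForEach-Object {
        $predDn = $_.'msDS-ManagedAccountPrecededByLink'
        $pred   = Get-ADObject -Identity $predDn -Properties adminCount -ErrorAction SilentlyContinue
        [pscustomobject]@{
            dMSA                   = $_.DistinguishedName
            Predecessor            = $predDn
            # adminCount = 1 marks AdminSDHolder-protected (privileged) accounts; those are the high-value successors.
            PredecessorIsProtected = ($pred -and $pred.adminCount -eq 1)
            Created                = $_.whenCreated
            Changed                = $_.whenChanged
        }
    }

'--- Unexpected principals able to create dMSAs (or any object) in a container ---'
$riskyCreate | Format-Table -AutoSize
'--- dMSAs flagged as migrated, most dangerous predecessors first ---'
$migratedDmsas | Sort-Object PredecessorIsProtected -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. The permission survey only looks at direct create rights; a principal with WriteDacl or WriteOwner on a container can grant itself CreateChild first, so treat those rights on OUs as equally interesting. And a migrated dMSA is only suspicious if nobody in your team ran a migration: for the audit trail the segment recommends, enable Directory Service Changes auditing with a SACL on the OUs, then watch event 5137 (object created) and 5136 (object modified) where the object class is msDS-DelegatedManagedServiceAccount or the modified attribute is one of the two named above.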

Transcript source: provided by creator in RSS feed.