Lmst

#Sophos is an award-winning #endpoint and #network #threat #protection, trusted by more than half a million customers worldwide. Call 0706357055 or email us on info@victorockkenya.com. #CyberSecurity #OrderSophos #Firewalls #AccessPoints

https://victorockkenya.com/order-sophos/

China-Nexus Threat Actor Actively Exploiting Ivanti Endpoint Manager Mobile (CVE-2025-4428) Vulnerability

A critical vulnerability in Ivanti Endpoint Manager Mobile (EPMM) is being actively exploited by a China-nexus threat actor, UNC5221. The exploitation targets internet-facing EPMM deployments across various sectors including healthcare, telecommunications, and government. The attackers utilize unauthenticated remote code execution to gain initial access, followed by the deployment of KrustyLoader malware for persistence. They leverage hardcoded MySQL credentials to exfiltrate sensitive data from the EPMM database. The threat actor also uses the Fast Reverse Proxy (FRP) tool for network reconnaissance and lateral movement. The compromised systems span multiple countries in Europe, North America, and Asia-Pacific, indicating a global espionage campaign likely aligned with Chinese state interests.

Pulse ID: 682e5bbc1075b03f94642762
Pulse Link: https://otx.alienvault.com/pulse/682e5bbc1075b03f94642762
Pulse Author: AlienVault
Created: 2025-05-21 23:03:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Asia #China #Chinese #CyberSecurity #Endpoint #Espionage #Europe #FastReverseProxy #Government #Healthcare #InfoSec #Ivanti #Malware #MySQL #NorthAmerica #OTX #OpenThreatExchange #Proxy #RAT #RemoteCodeExecution #ReverseProxy #Rust #SQL #Telecom #Telecommunication #Vulnerability #bot #AlienVault

Looking for trusted #cybersecurity in #Kenya and East Africa? #Victorock is your certified #Sophos #Partner for #firewalls, #endpoint #protection & #MDR. Call +254706357055 or email info@victorockkenya.com us today. #Sophos #ICT #CloudBased

https://victorockkenya.com/victorock-kenya-limited-your-trusted-sophos-partner-in-cybersecurity-solutions/

What is Endpoint Security? Ensuring Cyber Resilience https://visualmodo.com/what-is-endpoint-security-ensuring-cyber-resilience/ 🔒🛡💡 #Endpoint #Security #Cyber #Resilience

FrigidStealer Malware Targets macOS Users to Hijack Login Credentials

FrigidStealer, a sophisticated information-stealing malware targets macOS endpoints by distributing malicious code through fake browser update pages on compromised websites.

Pulse ID: 682927089c3b7ebb01381413
Pulse Link: https://otx.alienvault.com/pulse/682927089c3b7ebb01381413
Pulse Author: cryptocti
Created: 2025-05-18 00:17:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Browser #CyberSecurity #Endpoint #FakeBrowser #InfoSec #Mac #MacOS #Malware #OTX #OpenThreatExchange #bot #cryptocti

#BSI: #Microsoft #Defender für #Endpoint für #Linux: Schwachstelle ermöglicht Privilegieneskalation

Ein lokaler Angreifer kann eine Schwachstelle in Microsoft Defender für Endpoint für Linux ausnutzen, um seine Rechte zu erhöhen.

https://wid.cert-bund.de/portal/wid/buergercert/details?uuid=2e58de30-2494-497b-8dcd-c5d0d6d705c7

#BSI WID-SEC-2025-1073: [NEU] [mittel] #Microsoft #Defender für #Endpoint für #Linux: Schwachstelle ermöglicht Privilegieneskalation

Ein lokaler Angreifer kann eine Schwachstelle in Microsoft Defender für Endpoint für Linux ausnutzen, um seine Privilegien zu erhöhen.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1073

#BSI WID-SEC-2025-1033: [NEU] [mittel] #Ivanti #Endpoint #Manager #Mobile: Mehrere Schwachstellen

Ein Angreifer kann mehrere Schwachstellen in Ivanti Endpoint Manager Mobile ausnutzen, um Sicherheitsmaßnahmen zu umgehen und beliebigen Code auszuführen, auch ohne Authentifizierung.

https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1033

In today’s interconnected digital landscape, endpoint visibility is critical for maintaining a secure IT infrastructure. With the increasing number of devices accessing corporate networks — including laptops, mobile devices, IoT endpoints, and remote workstations — security teams must...

https://medium.com/@mrsno1special/best-practices-for-endpoint-visibility-strengthening-network-security-in-a-digital-world-cb057701dd5b

# #interconnected #digital #endpoint #visibility #critical

#BSI: #ClamAV #und #Cisco #Secure #Endpoint: Schwachstelle ermöglicht Denial of Service

Es besteht eine Schwachstelle in ClamAV und Cisco Secure Endpoint. Ein Angreifer kann diese Schwachstelle ausnutzen, um den Scan-Prozess von ClamAV zu unterbrechen, indem er eine manipulierte Datei mit OLE2-Inhalt sendet, die von ClamAV auf einem betroffenen Gerät gescannt wird.

https://wid.cert-bund.de/portal/wid/buergercert/details?uuid=d1cbd6ee-254a-4220-bee3-08d9934469ea

#BSI: #WithSecure #Endpoint #Protection: Schwachstelle ermöglicht Denial of Service

Es besteht eine Schwachstelle in WithSecure Atlant und allen Linux Endpoint Protection-Produkten. Ein Angreifer kann diese ausnutzen, um die Antivirus-Engine zum Absturz zu bringen.

https://wid.cert-bund.de/portal/wid/buergercert/details?uuid=09530245-62a2-4c45-bd2c-617a73f894ab

#BSI: #Symantec #Endpoint #Protection (#ERASER #Engine): Schwachstelle ermöglicht Privilegieneskalation

Es besteht eine Schwachstelle in Symantec Endpoint Protection Windows Agent, die die Komponente ERASER Engine betrifft. Ein Angreifer kann diese Schwachstelle ausnutzen, um erhöhte Rechte zu erlangen. Eine erfolgreiche Ausnutzung erfordert Benutzerinteraktion.

https://wid.cert-bund.de/portal/wid/buergercert/details?uuid=383e0d90-a56a-4f42-82d1-74c820eb3fe6

GitMCP: Transforms any GitHub project into an MCP endpoint

https://github.com/idosal/git-mcp

#HackerNews #GitMCP #GitHub #MCP #endpoint #transformation #open #source #tools #developer #productivity

Endpoint là gì? Hiểu rõ về giải pháp bảo mật trong 5 phút

Endpoint là yếu tố quan trọng khi nhắc đến bảo mật mạng và các kết nối hệ thống. Vậy Endpoint là gì? Hãy cùng InterData khám phá về Endpoint, lý do tại sao Endpoint Protection lại quan trọng, và các giải pháp bảo mật được sử dụng để bảo vệ chúng.

Đọc ngay tại: https://interdata.vn/blog/endpoint-la-gi/

#interdata #server #endpoint

Infostealers target major US defense, military personnel on their digital assets. 🤯
#endpoint #cybersecurity #vulnerable
https://www.scworld.com/news/infostealers-target-major-us-defense-contractors-military-personnel

What is the best way to make a #Sparnatural SHACL specification ?

Based on #HumaNum's #Nakala graph, here is a usecase of an automated version of Sparnatural Thomas submitted as an example for Veronika Heimsbakk’s upcoming book.

We look forward to reading @veronahe’s book, and you ?

https://blog.sparna.fr/2025/02/06/nakala-from-an-rdf-dataset-to-a-query-ui-in-minutes-shacl-automated-generation-and-sparnatural/

#dcterms #DigitalHumanities #EDM #endpoint #RDF #SHACL #Sparnatural #SPARQL #UI

Active Directory Built-In Admin Groups and Users
https://redbeardsec.com/active-directory-built-in-admin-groups-and-users

#audit #backup #endpoint #exploit #mfa #password #protect #risk #threat

Active Directory Built-In Admin Groups and Users

Understanding the Built-In Administrative Groups and Default Users
Common Misuses of Elevated Privileges
Strict Access: Domain Administrators
Hardening Built-In Active Directory Groups and Default Users
Conclusion: Keep Your Digital Speakeasy Exclusive

Imagine stepping into a high-security speakeasy where every member has a special role, a secret handshake, and powers that can either fortify or jeopardize your entire IT environment. Active Directory Built-In Admin Groups do that for your environment.

In this exclusive club, the built-in administrative groups and default users of Active Directory aren’t mere placeholders – they are technical powerhouses engineered with precise roles and permissions. These entities come with pre-assigned, finely tuned privileges and unique security identifiers (SIDs) that have been baked into the system from day one. For example, the default Administrator account provides unrestricted access, while the Domain Admins and Enterprise Admins groups hold sway over everything from domain-wide policies to inter-domain trust relationships.

But there’s more than meets the eye. Behind the scenes, less conspicuous players like the KRBTGT account safeguard the Kerberos authentication process, and groups such as Backup Operators and Server Operators are entrusted with specialized tasks that, if misused, might open unexpected doors to privilege escalation. These built-in groups and accounts reside in secured containers—like the Builtin container in Active Directory—and are rigorously protected by mechanisms such as the AdminSDHolder, ensuring their settings remain unaltered by unauthorized hands.

This guide will walk you through the technical intricacies and real-world implications of managing these A-list AD accounts. Prepare to decode the hidden potential and common pitfalls of Active Directory’s built-in groups and default users, and learn how to keep your digital speakeasy exclusive and secure.

Understanding the Built-In Administrative Groups and Default Users

Active Directory comes pre-packaged with several built-in groups and default user accounts. Each is crafted with a purpose, and knowing their roles is critical for securing your domain. Let’s break down the key players:

Default User Accounts

Administrator Account: This is the default superuser account. It has unrestricted access across the domain and is meant solely for administrative tasks. However, over time it’s become a tempting target for attackers and is sometimes misused for non-administrative tasks such as running everyday applications – a practice that can dangerously expand its attack surface.
Guest Account: Typically disabled by default, the Guest account provides limited access. Its original intent was to offer temporary access, but leaving it enabled can expose your network to unnecessary risk.
krbtgt Account: Often flying under the radar, this account is critical for Kerberos authentication. It holds the keys for encrypting and validating Kerberos tickets. Although it doesn’t have interactive login capabilities, its compromise can spell disaster for the entire domain.

Built-In Administrative Groups

Domain Admins: Members of this group hold full administrative privileges over the domain. They can manage all domain controllers and have the power to make sweeping changes. Despite its necessity, it’s alarming how often accounts in this group are used for routine tasks that don’t require such high-level access.
Enterprise Admins: This group has control over every domain within the forest. Membership should be extremely limited and carefully monitored as it wields the highest level of privileges.
Schema Admins: Tasked with modifying the Active Directory schema, this group should be reserved for very specific changes. Its privileges are potent and, if misused, can lead to irreversible damage.
Administrators: On domain controllers, the local Administrators group has broad rights that extend to managing system configurations, installations, and more.
Account Operators: Members can create, modify, and delete user and group accounts. While useful, overuse or misplacement of privileges here can lead to unauthorized account modifications.
Backup Operators: This group is designed to allow its members to back up and restore files. However, using this account for routine operations or non-backup tasks can inadvertently open the door to data breaches.
Print Operators and Server Operators: These groups are focused on managing printers and servers respectively. Misusing these accounts, such as running non-administrative services, can undermine system stability and security.
DNSAdmins: Members manage the DNS server settings within Active Directory. Given that DNS is a cornerstone of network operations, ensuring this group is used solely for DNS management is crucial.
Remote Desktop Users: This group allows members to connect via Remote Desktop. It’s a common mistake to add users who do not require remote access, thereby expanding the potential for lateral movement during an attack.

Common Misuses of Elevated Privileges

Even though these built-in accounts are designed for very specific administrative tasks, their elevated privileges sometimes lead to misuse. Here are some common scenarios:

Routine Workflows: Running day-to-day applications or services under a Domain Admin account instead of a standard user account increases the risk of accidental misconfigurations and exploitation.
Excessive Membership: Adding users to high-privilege groups such as Domain Admins without a justified business need can lead to privilege creep and potential insider threats.
Unmonitored Use: Failure to audit and monitor the use of these accounts can allow malicious activities to go unnoticed until significant damage is done.
Service Accounts Misuse: Using highly privileged accounts for running services rather than creating dedicated, low-privilege service accounts increases the risk profile of the network.

Strict Access: Domain Administrators

Domain Administrator accounts are the crown jewels of your Active Directory environment. Because these accounts possess unrestricted control over every domain controller and, by extension, the entire directory infrastructure, they must be used solely for the tasks that truly require such elevated privileges.

In practice, this means that human-operated Domain Administrator accounts should only be used to log into domain controllers—the core systems that maintain your AD database and enforce security policies. Granting these accounts access to everyday workstations, file servers, or any non-domain controller systems increases the risk of credential theft and lateral movement by attackers.

Logon Restrictions: Limit Domain Administrator account logins to domain controllers only. Using these accounts on standard workstations or member servers unnecessarily expands the attack surface.
Remove Unneeded Human Accounts: Regularly review and remove human-operated accounts from the Domain Administrators group when their access is not required. This practice reduces the chance of inadvertent access creep and minimizes the risk if credentials are compromised.
Scrutinize Service Accounts: Service accounts that require Domain Administrator-level access must be tightly controlled. They should be subject to stringent monitoring and periodic audits to ensure that their elevated permissions are justified and not misused.
Prevent Access Creep: Domain Administrator privileges are the most abused access by attackers, and organizations often suffer from “access creep”—the gradual accumulation of unnecessary rights over time. Regularly auditing group membership and access logs is critical to maintaining the principle of least privilege.

In short, the Domain Administrators group should never be used as a catch-all for granting broad access across the domain. Instead, its membership should be meticulously managed and reserved exclusively for critical administrative functions on domain controllers. This targeted use of high-level privileges is key to protecting your network from the most severe security breaches.

Hardening Built-In Active Directory Groups and Default Users

Securing your built-in Active Directory groups and default user accounts is critical to minimizing risk and preventing unauthorized access. By applying a robust set of best practices, you can reduce the attack surface and mitigate the chances of privilege abuse or lateral movement in your network.

Rename and Disable Unused Accounts: Rename the default Administrator account to something non-obvious and disable accounts like Guest that are not needed. This makes it harder for attackers to guess and target these accounts.
Disable Delegation: Delegation in Active Directory allows an account to impersonate other accounts or services, which can be useful in specific scenarios but also poses a significant risk if misconfigured or exploited by attackers. To reduce this risk, it is essential to disable delegation on all AD admin accounts unless it is explicitly required. In practice, this means marking these accounts with the “Account is sensitive and cannot be delegated” setting. By doing so, you prevent these accounts from being used in unconstrained or constrained delegation scenarios, thereby limiting the potential for privilege escalation and lateral movement within your domain. </p>
Implement Strong Authentication and MFA: Enforce strong, complex passwords and enable multi-factor authentication (MFA) on all privileged accounts. This adds an extra layer of security even if credentials are compromised.
Restrict Logon Locations: Limit the logon capabilities of Domain Administrator accounts to domain controllers only. Ensure that other sensitive built-in accounts are not used to access lower-trust systems.
Enforce the Principle of Least Privilege: Regularly audit and review group memberships. Remove human-operated accounts from the Domain Administrators group when their elevated access is no longer necessary, and scrutinize any service accounts that require such access.
Utilize Tiered Administration and Privileged Access Workstations (PAWs): Adopt a tiered administrative model to isolate high-privilege tasks. Use dedicated, hardened workstations for administering domain controllers and sensitive infrastructure, reducing the risk of credential theft from everyday endpoints.
Apply AdminSDHolder and Object Protection: Ensure that built-in groups and default accounts are protected by the AdminSDHolder mechanism. Regularly check and enforce the security descriptors applied to these objects to prevent unauthorized changes.
Enable Detailed Auditing and Monitoring: Activate logging and monitoring of all activities related to these accounts and groups. Use SIEM tools and periodic access reviews to detect any unusual behavior or access creep early on.
Deploy Just-In-Time (JIT) Access: Consider using JIT access solutions for highly privileged accounts so that elevated rights are granted only when needed and for a limited duration.

By rigorously implementing these hardening measures, you can significantly boost the security of your Active Directory environment. Remember, protecting these critical accounts is an ongoing process that involves periodic reviews, updates, and audits to keep pace with evolving threats.

Conclusion: Keep Your Digital Speakeasy Exclusive

In the complex architecture of Active Directory, understanding the purpose and proper usage of each built-in account and group is the cornerstone of a secure environment. From the formidable Domain Admins—whose access should be restricted solely to domain controllers—to the critical KRBTGT account that safeguards your Kerberos authentication process, every element is designed with a specific role in mind.

We’ve explored how human-operated Domain Administrator accounts should be tightly controlled: they must be used only on domain controllers, and any unnecessary human accounts should be removed from this high-privilege group to prevent access creep. Service accounts that require such access are to be highly scrutinized and monitored to ensure their permissions remain justified.

In addition, disabling delegation for AD admin accounts is a key hardening measure. By marking these accounts as “sensitive and cannot be delegated,” you prevent them from being misused in delegation scenarios that could enable lateral movement and privilege escalation.

Hardening measures—such as enforcing strong authentication and multi-factor authentication, using tiered administration with dedicated Privileged Access Workstations, and deploying Just-In-Time (JIT) access—further limit the risk of compromise. Detailed auditing and the use of object protection mechanisms like AdminSDHolder help ensure that these critical accounts remain secure over time.

Just like an exclusive speakeasy, where only the right guests are allowed entry, your Active Directory environment demands stringent control over its highest privileges. Tighten your security policies, perform regular audits, and maintain an exclusive AD club—because in this digital speakeasy, every account is a key, and only the right keys should unlock the door.

#audit #backup #endpoint #exploit #MFA #password #protect #risk #threat