Date: August 6, 2025
Heroes, good morning! Here's a detailed look at the current cybersecurity landscape.
Today's intelligence is dominated by the disclosure of sophisticated, low-level attack vectors. Researchers have detailed a new Active Directory privilege escalation technique and a "Bring Your Own Vulnerable Driver" campaign actively disabling security tools. Additionally, CISA has confirmed active exploitation of several D-Link device vulnerabilities, and Adobe has issued emergency patches for critical flaws with public exploit code available.
Summary & Significance: Palo Alto Networks' Unit 42 has detailed a new attack vector in Windows Server 2025 named "BadSuccessor." This technique allows for privilege escalation by exploiting delegated Managed Service Accounts (dMSAs) under specific configurations. This is a significant threat for enterprise environments, as it provides a novel pathway for attackers to gain elevated permissions within an Active Directory domain, bypassing many standard security controls.
Source: Palo Alto Networks Unit 42
Summary & Significance: Kaspersky has uncovered a campaign where threat actors are using a legitimate, signed hardware driver in "Bring Your Own Vulnerable Driver" (BYOVD) attacks. The attackers exploit a vulnerability in the driver to gain kernel-level privileges, which they then use to terminate antivirus and EDR processes. This technique is highly effective at blinding security tools and is a critical threat to endpoint security.
Source: Kaspersky Securelist
Summary & Significance: CISA has added three vulnerabilities affecting D-Link Wi-Fi cameras and Network Video Recorders (NVRs) to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. These flaws allow for unauthenticated remote command injection, giving attackers full control over the devices. Federal agencies are required to patch by August 27, 2025, and all organizations using these devices should prioritize patching immediately.
CVE Details: CVE-2021-40655, CVE-2024-6045, CVE-2024-6044
Sources: The Hacker News, Security Affairs
Summary & Significance: Adobe has released out-of-band security updates for two critical vulnerabilities in Adobe Experience Manager (AEM) Forms. Proof-of-concept (PoC) exploit code is publicly available for these flaws, significantly increasing the likelihood of widespread attacks. The vulnerabilities could allow an unauthenticated attacker to execute arbitrary code on affected servers, making immediate patching essential.
Source: SecurityWeek
Summary & Significance: CERT-UA is warning of an ongoing campaign by the threat actor UAC-0099 that targets Ukrainian government and defense entities. The attacks use phishing emails with court summons lures to deliver HTA files, which then execute C# malware. This campaign is part of the broader cyber conflict in the region and highlights the continued use of social engineering to deploy custom malware against high-value targets.
Source: The Hacker News
Summary & Significance: The Dutch Public Prosecution Service has begun restoring its networks following a significant cyberattack last month attributed to Russian state-sponsored actors. The attack forced the agency to take its systems offline for weeks, causing major disruption. This incident underscores the direct targeting of judicial and government bodies by nation-state actors to disrupt operations and potentially gather intelligence.
Sources: GovInfoSecurity, BankInfoSecurity
Summary & Significance: Security expert Bruce Schneier argues that the semiconductor industry has largely avoided the security and liability regulations imposed on other critical sectors, creating a systemic risk. For business leaders, this signals a potential future shift in supply chain risk management, where hardware and firmware security will face the same level of scrutiny as software. Boards should begin asking questions about hardware provenance and the security posture of their chip suppliers.
Source: Schneier on Security
Summary & Significance: This thought leadership piece explores how AI is fundamentally changing adversarial testing, moving beyond automated penetration testing to create autonomous agents that can reason and adapt like human attackers. For CISOs, this means that the speed and sophistication of attacks will soon outpace human-led defensive teams. The strategic takeaway is the need to invest in AI-driven defensive platforms that can operate at machine speed to counter AI-driven attacks.
Source: The Hacker News
Today's intelligence is dominated by advanced post-exploitation techniques that are designed to be invisible to traditional security tools. The "BadSuccessor" Active Directory attack and the BYOVD campaign to disable AV both occur after an initial compromise and abuse trusted system components. This threat landscape requires a security platform that excels at behavioral detection and can correlate weak signals across identity, endpoints, and the cloud. SentinelOne's Singularity Platform is spotlighted because its core strength lies in using behavioral AI to detect and respond to exactly these types of evasive, post-exploitation TTPs.
Threat Context: New 'BadSuccessor' Attack Allows Privilege Escalation in Active Directory & Attackers Using Legitimate Kernel Driver to Disable Antivirus Software
Platform Focus: SentinelOne Singularity Platform
Summary & Significance: The Singularity Platform uses patented behavioral AI and static AI models to monitor endpoint processes in real-time. It can detect the "BadSuccessor" attack by identifying the anomalous use of service accounts to execute commands or access resources they normally wouldn't. For the BYOVD attack, it can flag the suspicious loading of a known-vulnerable driver and, more importantly, can autonomously protect itself from termination attempts, rendering the attacker's primary goal moot.
Threat Hunting Queries (Deep Visibility - SQL-like):
-- Hunt for processes terminating security agent processes
ProcessName In ("msmpeng.exe", "sentinelagent.exe", "csfalconservice.exe") AND EventType = "Process Termination" AND NOT(ActingProcessName In ("services.exe", "wininit.exe"))
-- Hunt for suspicious activity from Managed Service Accounts
ActingProcessAccountType = "Managed Service Account" AND EventType = "Process Creation" AND ProcessName In ("powershell.exe", "cmd.exe", "net.exe")
Recommended Configurations:
Vendor Resources: SentinelOne Blog: The Power of Behavioral AI
⚠️ DISCLAIMER: All tools, commands, and queries provided below are for reference only. Validate in your environment before deployment. Test in a safe environment first.
This KQL query for Microsoft Sentinel hunts for anomalous Kerberos ticket requests that could indicate the BadSuccessor technique.
// KQL Query (Microsoft Sentinel): Hunt for anomalous dMSA Kerberos ticket requests
// Looks for service tickets requested for a dMSA by an account other than the machine itself.
SecurityEvent
| where EventID == 4769 // A Kerberos service ticket was requested
// Pull each field out of the EventData XML on its own, so the order of the <Data> elements does not matter
| extend ClientIP = extract(@'<Data Name="IpAddress">([^<]*)</Data>', 1, EventData)
| extend ServiceName = extract(@'<Data Name="ServiceName">([^<]*)</Data>', 1, EventData)
| extend ServiceSid = extract(@'<Data Name="ServiceSid">([^<]*)</Data>', 1, EventData)
| extend TargetUser = extract(@'<Data Name="TargetUserName">([^<]*)</Data>', 1, EventData)
| where ServiceSid endswith "-800" // Filter for dMSA SIDs
| where TargetUser != strcat(ServiceName, "$") // Requester is not the service's own machine account
| project TimeGenerated, ClientIP, TargetUser, ServiceName
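To check the filter logic of that hunt offline, here is an added Python re-implementation of the same query over constructed event 4769 records (example code written for this briefing, not part of the original page or of Microsoft Sentinel). All event values, account names, SIDs and IP addresses are constructed, and the "-800" SID suffix is carried over from the query above as an assumption.

```python
import re
from typing import Dict, List, Optional

# Matches each <Data Name="...">value</Data> element in a Security event's EventData XML.
FIELD_RE = re.compile(r'<Data Name="([^"]+)">([^<]*)</Data>')

def parse_event_data(xml: str) -> Dict[str, str]:
    """Return the EventData fields as a dict, regardless of element order."""
    return dict(FIELD_RE.findall(xml))

def check_dmsa_request(event: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Apply the hunt's filters to one event: EventID 4769, service SID ending in -800
    (taken as a dMSA SID, as the KQL above assumes), and a requester that is not the
    service's own machine account. Returns the projected hit, or None if not flagged."""
    if event.get("EventID") != "4769":
        return None
    data = parse_event_data(event.get("EventData", ""))
    service_name = data.get("ServiceName", "")
    if not data.get("ServiceSid", "").endswith("-800"):
        return None
    if data.get("TargetUserName", "") == service_name + "$":
        return None
    return {"TimeGenerated": event.get("TimeGenerated", ""),
            "ClientIP": data.get("IpAddress", ""),
            "TargetUser": data.get("TargetUserName", ""),
            "ServiceName": service_name}

def hunt(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Run the check over a batch of events and keep only the hits."""
    return [hit for hit in map(check_dmsa_request, events) if hit]

def make_event(ts: str, event_id: str, user: str, svc: str, sid: str, ip: str) -> Dict[str, str]:
    """Build a constructed event record in the element order Windows uses for 4769 (hypothetical data)."""
    xml = (f'<Data Name="TargetUserName">{user}</Data><Data Name="ServiceName">{svc}</Data>'
           f'<Data Name="ServiceSid">{sid}</Data><Data Name="TicketOptions">0x40810000</Data>'
           f'<Data Name="TicketEncryptionType">0x12</Data><Data Name="IpAddress">{ip}</Data>')
    return {"TimeGenerated": ts, "EventID": event_id, "EventData": xml}

# Constructed sample batch: a benign self-request, a request by a different account, and a non-dMSA service.
SAMPLE_EVENTS = [
    make_event("2025-08-06T08:00:00Z", "4769", "websvc$", "websvc", "S-1-5-21-1-2-3-800", "10.0.0.5"),
    make_event("2025-08-06T08:01:00Z", "4769", "jdoe", "websvc", "S-1-5-21-1-2-3-800", "10.0.0.77"),
    make_event("2025-08-06T08:02:00Z", "4769", "jdoe", "fileserver", "S-1-5-21-1-2-3-1105", "10.0.0.77"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):  # only the second sample event should be reported
        print(hit)
```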
This YARA rule detects the specific type of vulnerable driver used in the AV killer campaign.
// YARA Rule: Detect the specific vulnerable driver used in the AV killer campaign
// Based on Kaspersky's report of a legitimate but vulnerable driver being abused.
rule SUSP_BYOVD_AV_Killer_Driver_2025_08_06 {
    meta:
        author = "Cybersecurity Rundown"
        date = "2025-08-06"
        description = "Detects the presence of the specific legitimate but vulnerable driver used to terminate AV processes."
        reference = "Kaspersky Securelist"
        severity = "high"
    strings:
        $s1 = "procexp.sys" fullword wide // Placeholder for the actual vulnerable driver name
        $s2 = "ZwOpenProcess" fullword ascii
        $s3 = "ZwTerminateProcess" fullword ascii
    condition:
        uint16(0) == 0x5a4d and // Is a PE file
        all of them
}
This PowerShell command enumerates loaded kernel drivers and checks them against a list of known vulnerable drivers.
# PowerShell: Enumerate loaded kernel drivers and check for known vulnerable ones
$vulnerableDrivers = @("procexp.sys", "dbk64.sys", "gmer.sys") # Add known vulnerable driver file names
# Win32_SystemDriver.Name is the service name (e.g. "ACPI"), not the file name, so the check
# must compare against the file name taken from PathName.
$loadedDrivers = Get-CimInstance -ClassName Win32_SystemDriver -Filter "State = 'Running'"
foreach ($driver in $loadedDrivers) {
    if (-not $driver.PathName) { continue } # Some entries carry no path; skip them
    $fileName = Split-Path -Path $driver.PathName -Leaf
    if ($vulnerableDrivers -contains $fileName) {
        Write-Warning "CRITICAL: Known vulnerable driver $fileName (service $($driver.Name)) is loaded and running from $($driver.PathName)."
    }
}
This command uses Nmap to scan a local network for devices with open web ports and checks for D-Link HTTP headers.
# Nmap/Bash: Scan local network for D-Link devices with open web ports
# Uses Nmap's grepable output to list hosts with an open web port, then checks each for a D-Link HTTP header.
# A match identifies a D-Link device to verify against the KEV entries above; it does not confirm the flaw by itself.
nmap -p80,443 --open 192.168.1.0/24 -oG - | \
awk '/^Host:.*Ports:/{print $2}' | \
while read -r ip; do
  for url in "http://${ip}/" "https://${ip}/"; do
    if curl -s -k -I -m 5 "$url" | grep -qi "D-Link"; then
      echo "[D-LINK] Found D-Link device at ${url}; verify model and firmware against the KEV entries"
      break
    fi
  done
done