CVE-2021-42287
published 2021-11-10
CVE-2021-42287: Active Directory Domain Services Elevation of Privilege Vulnerability
high 8.8 CVSS 3.1
AV:N AC:L PR:L UI:N S:U C:H I:H A:H
KEV ITW
CISA Known Exploited Vulnerability, due 2022-05-02
Exploited in the wild
Active Directory Domain Services Elevation of Privilege Vulnerability
Affected
26 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.0.0 < 6.1.7601.25769 | 6.1.7601.25769 |
| microsoft | windows_server_2008_r2_service_pack_1 | >= 6.1.0 < 6.1.7601.25769 | 6.1.7601.25769 |
| microsoft | windows_server_2008_service_pack_2 | >= 6.0.0 < 6.0.6003.21282 | 6.0.6003.21282 |
| microsoft | windows_server_2012 | — | — |
| microsoft | windows_server_2012 | >= 6.2.0 < 6.2.9200.23517 | 6.2.9200.23517 |
| microsoft | windows_server_2012_r2 | >= 6.3.0 < 6.3.9600.20174 | 6.3.9600.20174 |
| microsoft | windows_server_2016 | < 10.0.14393.4770 | 10.0.14393.4770 |
| microsoft | windows_server_2016 | — | — |
| microsoft | windows_server_2016 | >= 10.0.0 < 10.0.14393.4770 | 10.0.14393.4770 |
| microsoft | windows_server_2019 | < 10.0.17763.2300 | 10.0.17763.2300 |
| microsoft | windows_server_2019 | >= 10.0.0 < 10.0.17763.2300 | 10.0.17763.2300 |
| microsoft | windows_server_2022 | < 10.0.20348.350 | 10.0.20348.350 |
| microsoft | windows_server_2022 | >= 10.0.0 < 10.0.20348.350 | 10.0.20348.350 |
| microsoft | windows_server_version_2004 | >= 10.0.0 < 10.0.19041.1348 | 10.0.19041.1348 |
| microsoft | windows_server_version_20h2 | >= 10.0.0 < 10.0.19041.1348 | 10.0.19041.1348 |
| msrc | windows_server_2008_for_32-bit_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_for_x64-based_systems_service_pack_2 | — | — |
| msrc | windows_server_2008_r2_for_x64-based_systems_service_pack_1 | — | — |
| msrc | windows_server_2012 | — | — |
| msrc | windows_server_2012_r2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_version_2004 | — | — |
CVSS provenance
nvd v3.1 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck 7.5 HIGH
cisa 8.8 HIGH
GHSA
Four GitHub advisories cover the sibling Active Directory Domain Services elevation-of-privilege CVEs from the same Microsoft release; the entry for CVE-2021-42287 itself is GHSA-737r-5j68-97hh.
GHSA-chp6-c7f5-h9w9 (CVE-2021-42278, HIGH, CWE-20)
ghsa_unreviewed·2022-05-24·CVSS 7.5
Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42282, CVE-2021-42287, CVE-2021-42291.
GHSA-ffqv-33xf-m57q (CVE-2021-42291, HIGH, CWE-269)
ghsa_unreviewed·2022-05-24·CVSS 7.5
Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42287.
GHSA-737r-5j68-97hh (CVE-2021-42287, HIGH, CWE-269)
ghsa_unreviewed·2022-05-24·CVSS 7.5
Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42282, CVE-2021-42291.
GHSA-gh7f-5g36-2xw3 (CVE-2021-42282, HIGH, CWE-269)
ghsa_unreviewed·2022-05-24·CVSS 7.5
Active Directory Domain Services Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2021-42278, CVE-2021-42287, CVE-2021-42291.
VulnCheck
vulncheck·2021·CVSS 7.5
CVE-2021-42287 [HIGH] CWE-269 Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.
Affected: Microsoft Active Directory
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://assets.sentinelone.com/sentinellabs22/SentinelLabs-BlackBasta
- https://info.securin.io/hubfs/Securin%20Ransomware%20Report%202023.pdf
- https://bi.zone/upload/for_download/Threat_Zone_2024_BI.ZONE_Research_rus.pdf
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
- https://thehackernews.com/2024/05/black-basta-ransomware-strikes-50
CISA
cisa·2022-04-11·CVSS 8.8
CVE-2021-42287 [HIGH] CWE-269 Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
Affected: Microsoft Active Directory
Microsoft Active Directory Domain Services contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2021-42287
Remediation Due Date: 2022-05-02
Microsoft
vendor_msrc·2021-11-09·CVSS 7.5
CVE-2021-42287 [HIGH] Active Directory Domain Services Elevation of Privilege Vulnerability
FAQ: Where can I find more information about the improved authentication process added by the update for CVE-2021-42287?
See Authentication updates.
Product: Windows Active Directory
Vendor: Microsoft
Customer Action Required: Yes
Impact: Elevation of Privilege
Exploit Status (MSRC assessment at publication): Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely; Older Software Release: Exploitation Less Likely
This is the vendor's assessment as of 2021-11-09 and was overtaken by events: CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2022-04-11, and the VulnCheck entry above records known ransomware campaign use.
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5007206
Reference: https://support.microsoft.com/help/5007206
Reference: https://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB5007205
Reference: https://support.microsoft.com/help/5007205
Reference: https://ca
No detection rules found.
No public exploits indexed.
Huntress
dMSA Ouroboros: Self-Sustaining Credential Extraction in Windows Server 2025
blogs_huntress·2026-05-04
CVE-2025-53779 dMSA Ouroboros: Self-Sustaining Credential Extraction in Windows Server 2025
TL;DR: This companion blog, created in partnership with security researchers at Akamai, unpacks dMSA Ouroboros, a self-sustaining credential extraction technique in Windows Server 2025. After you read their blog, come back here for what it means in practice: a user with CreateChild on any OU or container and WriteProperty on a target account can create a dMSA that extracts the target's NT hash, persists through password rotation, survives the original attacker's account deletion, and locks out Domain Admins from remediation. Six commands. Fully patched Windows Server 2025.
## Introduction
Windows Server 2025 introduced delegated Managed Service Accounts (dMSAs) with a redesigned security model that removes the password retrieval primitive and replaces it with a KDC-mediated authorizatio
Tenable
Dynamic Objects in Active Directory: The Stealthy Threat
blogs_tenable·2026-02-20
Dynamic Objects in Active Directory: The Stealthy Threat
Dfir Report
Navigating Through The Fog
blogs_dfir_report·2025-04-28
Navigating Through The Fog
Greynoiseio
GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
blogs_greynoiseio·2025-02-26·CVSS 9.8
[CRITICAL] GreyNoise Detects Active Exploitation of CVEs Mentioned in Black Basta’s Leaked Chat Logs
Qualys
Defense Lessons From the Black Basta Ransomware Playbook
blogs_qualys·2025-02-25
Defense Lessons From the Black Basta Ransomware Playbook
## Table of Contents
Know Your Enemy's Playbook
Attackers Move Fast
How Qualys Can Help
The cybersecurity world was rocked last week by a massive leak of Black Basta’s internal communications that emerged from the group’s chat logs. Triggered by internal conflicts and a retaliatory data dump following attacks on Russian banks, the exposed records offer a rare glimpse into Black Basta’s tactics, operations, and leadership.
We’ve analyzed these newly unveiled tactics, and in this blog, we equip security teams with clear, actionable insights. We aim to highlight the key lessons learned—like immediate patching, tighter access controls, and rapid incident response—and provide an urgent call to action. This practical guide aims to help organizations strengthen their defenses against evolving
Qualys
What Is Black Basta Ransomware and How to Mitigate Attack
blogs_qualys·2024-09-19·CVSS 5.5
[MEDIUM] What Is Black Basta Ransomware and How to Mitigate Attack
## Table of Contents
Introduction
Tools, Techniques, and Vulnerabilities Exploited
Technical Analysis
Effective Hunting Queries
Mapping MITRE ATT&CK: Key Techniques
Indicators of Compromise (IoC)
Stay to the Left of Boom of Emerging Threats
## Introduction
Black Basta is a ransomware group operating as ransomware-as-a-service (RaaS), first spotted in April 2022. It is known to use double extortion techniques where the group demands payment for the decryption and non-release of stolen data. Earlier versions of Black Basta share many similarities with Conti Ransomware.
A wide range of industries and critical infrastructure in North America, Europe, and Australia have been impacted by Black Basta. To date, 500+ organizations have been affected globally by Black Basta affiliates gain
Bleepingcomputer
NoName ransomware gang deploying RansomHub malware in recent attacks
blogs_bleepingcomputer·2024-09-10·CVSS 8.8
[HIGH] NoName ransomware gang deploying RansomHub malware in recent attacks
## NoName ransomware gang deploying RansomHub malware in recent attacks
## Bill Toulas
The NoName ransomware gang has been trying to build a reputation for more than three years targeting small and medium-sized businesses worldwide with its encryptors and may now be working as a RansomHub affiliate.
The gang uses custom tools known as the Spacecolon malware family, and deploys them after gaining access to a network through brute-force methods as well as exploiting older vulnerabilities like EternalBlue (CVE-2017-0144) or ZeroLogon (CVE-2020-1472).
In more recent attacks NoName uses the ScRansom ransomware, which replaced the Scarab encryptor. Additionally, the threat actor tried to make a name by experimenting with the leaked LockBit 3.0 ransomware builder, creating a similar data leak
Sentinelone
Black Basta
blogs_sentinelone·2022-11-30
Black Basta
Sentinelone
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
blogs_sentinelone·2022-11-03
Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor
By Antonio Cocomazzi and Antonio Pirozzi
## Executive Summary
- SentinelLABS researchers describe Black Basta operational TTPs in full detail, revealing previously unknown tools and techniques.
- SentinelLABS assesses it is highly likely the Black Basta ransomware operation has ties with FIN7.
- Black Basta maintains and deploys custom tools, including EDR evasion tools.
- SentinelLABS assess it is likely the developer of these EDR evasion tools is, or was, a developer for FIN7.
- Black Basta attacks use a uniquely obfuscated version of ADFind and exploit PrintNightmare, ZeroLogon and NoPac for privilege escalation.
## Overview
Black Basta ransomware emerged in April 2022 and went on a spree breaching over 90 organizations by Sept 2022. The rapidity and volume of attacks prove that the
Sentinelone
Microsoft Active Directory as a Prime Target for Ransomware Operators
blogs_sentinelone·2022-08-24
Microsoft Active Directory as a Prime Target for Ransomware Operators
The Active Directory (AD) infrastructure continues to be a key element in ransomware campaigns and post-compromise extortion, representing a significant threat to businesses. With the time between initial breach and impact being so short in a ransomware attack, the main area of concern for businesses is the challenge of quick detection .
Targeted businesses usually become aware of ransomware only after an adversary encrypts its assets to interrupt their availability. At this point, it is too late to do anything about the attack and they must shift immediately to executing their post-breach response plan.
## Active Directory in the Crosshairs
By definition, Active Directory (AD) stores information about objects on a network in a logical, hierarchical manner making information easy for ad
Dfir Report
Stolen Images Campaign Ends in Conti Ransomware
blogs_dfir_report·2022-04-04
Stolen Images Campaign Ends in Conti Ransomware
Fortinet
New STRRAT RAT Phishing Campaign | FortiGuard Labs
blogs_fortinet·2022-01-20
New STRRAT RAT Phishing Campaign | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
New STRRAT RAT Phishing Campaign
By James Slaughter | January 20, 2022
Shipping is an indispensable part of modern life. It is the lifeblood of the global economy, with numerous large companies (and their equally large container ships) perpetually moving goods from one corner of the earth to the other to provide consumers and industries with the necessities of life.
Due to the critical importance of shipping and receiving goods to most organizations, threat actors often use shipping as a lure for phishing emails—such as false invoices, changes in shipping delivery, or notices related to a fictitious purchase—to entice recipients into opening malicious attachments and inadvertently downloading malware.
FortiGuard Labs recently came across an example of s
Fortinet
COVID Omicron Variant Lure Used to Distribute RedLine Stealer | FortiGuard Labs
blogs_fortinet·2022-01-10
COVID Omicron Variant Lure Used to Distribute RedLine Stealer | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
COVID Omicron Variant Lure Used to Distribute RedLine Stealer
By Shunichi Imano and Fred Gutierrez | January 10, 2022
Just like the previous year, 2021 ended with COVID and 2022 started with the same. The only difference is that the world is now dealing with the new Omicron variant rather than the Delta variant, which emerged in April 2021. While reportedly less lethal than its predecessor, the Omicron variant has a much higher transmission rate, and as a result, daily counts of new Omicron patients have become a global concern. This has renewed heightened concern about the pandemic, and as we have all sadly learned, threat actors don’t shy away from using misery and fear to their advantage.
FortiGuard Labs recently came across a curiously named file, “O
Fortinet
From User to Domain Admin in (less than) 60 seconds: CVE-2021-42278/CVE-2021-42287 | FortiGuard Labs
blogs_fortinet·2022-01-05·CVSS 7.5
CVE-2021-42278 [HIGH] From User to Domain Admin in (less than) 60 seconds: CVE-2021-42278/CVE-2021-42287 | FortiGuard Labs
FORTIGUARD LABS THREAT RESEARCH
From User to Domain Admin in (less than) 60 seconds: CVE-2021-42278/CVE-2021-42287
By Udi Yavo | January 05, 2022
On Patch Tuesday of last November, Microsoft released advisories to address several vulnerabilities in Active Directory. Analysis of these vulnerabilities showed that by combining CVE-2021-42278 and CVE-2021-42287 it is possible, under default conditions, for a regular user to easily impersonate a domain admin. This means that any domain user can effectively become a domain administrator, which makes these vulnerabilities extremely severe. Moreover, there are already several GitHub repositories with free-to-use PoC code that facilitates the exploitation of these vulnerabilities.
In this post, we will describe how the exploitation of these vul
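The chain the FortiGuard post describes leaves a distinctive trail on the domain controller, which matters on a page that indexes no detection rules for this CVE. What follows is an added example, not code from FortiGuard Labs or Microsoft: a small Python hunt over Security-log records that flags the CVE-2021-42278 half of the chain (a machine account whose sAMAccountName is changed to a name without the trailing `$`), raises severity when that name plus `$` is a domain controller's own account (the name collision that the CVE-2021-42287 KDC lookup fallback turns into a ticket for the DC), and records whether the same SID was created just before and renamed back shortly after, the clean-up step the public PoCs perform. A second function is the preventive check: computer objects that already sit in the directory without a `$`. The events, the DC list, the account list and every account name are constructed samples; the field names follow the EventData of events 4741 and 4781, but a real pipeline would feed flattened events from its own collector.

```python
"""Hunting the noPac (CVE-2021-42278 / CVE-2021-42287) rename pattern.

Added example for this page; not code from FortiGuard Labs or Microsoft.
All input below is constructed sample data, not captured events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, shaped like flattened EventData from a DC's Security log.
# 4741 = a computer account was created; 4781 = the name of an account was changed.
SAMPLE_EVENTS = [
    {"EventID": 4741, "TimeCreated": "2021-12-14T10:00:00", "SubjectUserName": "jdoe",
     "TargetUserName": "FAKE01$", "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4781, "TimeCreated": "2021-12-14T10:00:05", "SubjectUserName": "jdoe",
     "OldTargetUserName": "FAKE01$", "NewTargetUserName": "DC01",
     "TargetSid": "S-1-5-21-1-2-3-1105"},
    {"EventID": 4781, "TimeCreated": "2021-12-14T10:00:09", "SubjectUserName": "jdoe",
     "OldTargetUserName": "DC01", "NewTargetUserName": "FAKE01$",
     "TargetSid": "S-1-5-21-1-2-3-1105"},
    # Benign: an admin renames a workstation and the trailing '$' is kept.
    {"EventID": 4781, "TimeCreated": "2021-12-14T11:30:00", "SubjectUserName": "admin",
     "OldTargetUserName": "WS03$", "NewTargetUserName": "WS04$",
     "TargetSid": "S-1-5-21-1-2-3-1200"},
]

# Constructed: sAMAccountNames of the domain controllers (hypothetical names).
DC_ACCOUNTS = {"DC01$", "DC02$"}

# Constructed: (sAMAccountName, objectClass) pairs as an LDAP export would give them.
SAMPLE_ACCOUNTS = [
    ("DC01$", "computer"), ("WS04$", "computer"), ("jdoe", "user"),
    ("svc-relay", "computer"),   # a leftover machine account with no '$'
]


def is_machine_name(sam):
    """Machine accounts carry a trailing '$' in sAMAccountName."""
    return sam.endswith("$")


def find_nopac_renames(events, dc_accounts=DC_ACCOUNTS, window=timedelta(minutes=10)):
    """Flag 4781 events that strip the '$' from a machine account.

    Severity is 'critical' when the new name plus '$' is a DC account: that is
    the collision the KDC's name fallback resolves to the DC's own account."""
    created = {e["TargetSid"] for e in events if e["EventID"] == 4741}
    by_sid = defaultdict(list)
    for e in events:
        if e["EventID"] == 4781:
            by_sid[e["TargetSid"]].append(e)

    findings = []
    for sid, evs in by_sid.items():
        evs.sort(key=lambda e: e["TimeCreated"])
        for i, e in enumerate(evs):
            old, new = e["OldTargetUserName"], e["NewTargetUserName"]
            if not is_machine_name(old) or is_machine_name(new):
                continue  # '$' kept (or never there): an ordinary rename
            t = datetime.fromisoformat(e["TimeCreated"])
            # Was the object renamed back to its original name within the window?
            renamed_back = any(
                later["NewTargetUserName"] == old
                and datetime.fromisoformat(later["TimeCreated"]) - t <= window
                for later in evs[i + 1:]
            )
            targets_dc = (new + "$") in dc_accounts
            findings.append({
                "sid": sid, "subject": e["SubjectUserName"], "spoofed_name": new,
                "targets_dc": targets_dc, "new_account": sid in created,
                "renamed_back": renamed_back,
                "severity": "critical" if targets_dc else "high",
            })
    return findings


def computer_accounts_missing_dollar(accounts):
    """Preventive check: computer objects whose sAMAccountName lacks the '$'.

    The update hardens the DC's validation of computer names on create and
    rename; objects that already exist are worth reviewing by hand."""
    return [sam for sam, cls in accounts if cls == "computer" and not is_machine_name(sam)]


if __name__ == "__main__":
    for finding in find_nopac_renames(SAMPLE_EVENTS):
        print(finding)
    print("computer accounts without '$':", computer_accounts_missing_dollar(SAMPLE_ACCOUNTS))
```

On the constructed sample the hunt returns one finding, for the account renamed to DC01 by jdoe, with targets_dc, new_account and renamed_back all set and severity critical; the WS03$ to WS04$ rename is ignored because the `$` survives. Correlating the 4741 and the rename-back is what separates the chain from an administrator who simply mistyped a name, and the DC list is the one input that should come from the directory itself rather than a hard-coded set.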
Trendmicro
November Continues Streak of Quiet Patch Tuesdays
blogs_trendmicro·2021-11-10·CVSS 9.0
[CRITICAL] November Continues Streak of Quiet Patch Tuesdays
Exploits & Vulnerabilities
## November Continues Streak of Quiet Patch Tuesdays
By: Trend Micro, Nov 10, 2021
November continues a recent pattern of relatively peaceful Patch Tuesday cycles. There were only six vulnerabilities rated as Critical this month, with 49 more rated as Important for a total of 55 for the month of November (less than half of the vulnerabilities in November last year). Of these 55, four were submitted via the Zero Day Initiative (ZDI).
Critical Vulnerabilities: Defender, Remote Desktop
Two Critical vulne
Crowdstrike
3 Reasons Not to Buy IAM + Identity Security from 1 Vendor
blogs_crowdstrike·CVSS 7.5
CVE-2026-20929 [HIGH] 3 Reasons Not to Buy IAM + Identity Security from 1 Vendor
Sentinelone
Black Basta
blogs_sentinelone
Black Basta
# Black Basta Ransomware: In-Depth Analysis, Detection, and Mitigation
## Summary of Black Basta Ransomware
Black Basta first emerged in early 2022. The ransomware family is an evolution of the Hermes/Ryuk/Conti families. Black Basta was heavily advertised in underground cybercrime markets. Black Basta practices double extortion, demanding payment for a decryptor as well as for the non-release of stolen data. There are Windows and Linux variants of Black Basta ransomware. The group is responsible for hundreds of attacks against global targets of varying sectors.
February 2025 Update: Nearly a year's worth of Black Basta chat logs have been released on Telegram, providing detailed insight into the group's operational workflow, reconnaissance activities, and specific userID and details o
Published: 2021-11-10
Added to CISA KEV: 2022-04-11
Exploited in the wild