Threat Intel

Closing the Door on Net-NTLMv1: Releasing Rainbow Tables to Accelerate Protocol Deprecation cloud.google.com/blog/topi…

Mandiant is publicly releasing a comprehensive dataset of Net-NTLMv1 rainbow tables to underscore the urgency of migrating away from this outdated protocol. Despite Net-NTLMv1 being deprecated and known to be insecure for over two decades—with cryptanalysis dating back to 1999—Mandiant consultants continue to identify its use in active environments. This legacy protocol leaves organizations vulnerable to trivial credential theft, yet it remains prevalent due to inertia and a lack of demonstrated immediate risk.

By releasing these tables, Mandiant aims to lower the barrier for security professionals to demonstrate the insecurity of Net-NTLMv1. While tools to exploit this protocol have existed for years, they often required uploading sensitive data to third-party services or expensive hardware to brute-force keys. The release of this dataset allows defenders and researchers to recover keys in under 12 hours using consumer hardware costing less than $600 USD. This initiative highlights the amplified impact of combining Mandiant’s frontline expertise with Google Cloud’s resources to eliminate entire classes of attacks.

This post details the generation of the tables, provides access to the dataset for community use, and outlines critical remediation steps to disable Net-NTLMv1 and prevent authentication coercion attacks.

A simple CodeBuild flaw put every AWS environment at risk – and pwned ‘the central nervous system of the cloud’ www.theregister.com/2026/01/1…

A critical misconfiguration in AWS’s CodeBuild service allowed complete takeover of the cloud provider’s own GitHub repositories and put every AWS environment in the world at risk, according to Wiz security researchers.

The Wiz kids disclosed this supply chain snafu to AWS in August, and the cloud giant fixed the security issue in September, before a cybercriminal or government-backed goon stumbled upon the misconfiguration and abused it to spark a worldwide meltdown.

This, we’re told, prevented a bigger-than-SolarWinds supply chain attack – so be sure to thank your friendly neighborhood security researchers before you go to sleep tonight.

“This vulnerability compromised a core library used in the AWS Console itself – the central nervous system of the cloud,” Wiz vulnerability researcher Yuval Avrahami told The Register. “SolarWinds gave attackers access to corporate networks. This could have given attackers code execution in the very interface administrators use to manage their entire infrastructure.”

Patch Now: Active Exploitation Underway for Critical HPE OneView Vulnerability blog.checkpoint.com/research/…

Check Point Research has identified an active, coordinated exploitation campaign targeting CVE-2025-37164, a critical remote code execution vulnerability affecting HPE OneView. The activity, observed directly in Check Point telemetry, is attributed to the RondoDox botnet and represents a sharp escalation from early probing attempts to large-scale, automated attacks.

Check Point has already blocked tens of thousands of exploitation attempts, underscoring both the severity of the vulnerability and the urgency for organizations to act.

On January 7, 2026 Check Point Research reported the campaign to CISA, and the vulnerability was added to the Known Exploited Vulnerabilities KEV catalog the same day.

UAT-8837 targets critical infrastructure sectors in North America https://blog.talosintelligence.com/uat-8837/

Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors.

Based on UAT-8837's TTPs and post-compromise activity Talos has observed

across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations.

Although UAT-8837's targeting may appear sporadic, since at least 2025,

the group has clearly focused on targets within critical Infrastructure sectors in North America.

After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims. The threat actor uses a combination of tools in their post-compromise hands-on-keyboard operations, including Earthworm, Sharphound, DWAgent, and Certipy. The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState Deserialization zero-day vulnerability in SiteCore products, indicating that UAT-8837 may have access to zero-day exploits.

New Remcos Campaign Distributed Through Fake Shipping Document www.fortinet.com/blog/thre…

FortiGuard Labs discovered a new phishing campaign in the wild. The campaign delivers a new variant of Remcos, a commercial lightweight remote access tool (RAT) with a wide range of capabilities, including system resource management, remote surveillance, network management, and Remcos agent management.

I conducted an in-depth investigation into this malicious campaign. This analysis covers how the phishing email initializes the attack, how the attached Word document downloads an RTF file, the vulnerability the attack leverages within the RTF file, the VBScript and PowerShell code, how a fileless .NET module is loaded and executed in a PowerShell process, and how the fileless Remcos agent is downloaded and loaded using process hollowing.

The analysis also details this Remcos variant’s internal configuration block, packet structures, and capabilities across six categories, which are illustrated with examples.