Happy new year! 2025 is underway and the SafeBreach team is off to a strong start after a record-breaking 2024. We are keenly focused on the vision, goals, and opportunities that lie ahead in the new year—some of which we are excited to share in much more detail soon. But, before we close the books on 2024, I wanted to take a moment to reflect on all that we accomplished over the last year with the support and partnership of the SafeBreach community.

SafeBreach Labs Researchers have developed a zero-click PoC exploit that crashes unpatched Windows Servers using the Windows Lightweight Directory Access Protocol (LDAP) remote code execution vulnerability. Active Directory Domain Controllers (DCs) are considered to be one of the crown jewels in organizational computer networks. Vulnerabilities found in DCs are usually much more critical than those found in usual workstations.

In this version of the Hacker’s Playbook Threat Coverage round-up, we highlight attack coverage for several new threats. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for several new threats. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats.

In August, I shared a blog on my most recent research project called Windows Downdate, which I first presented at Black Hat USA 2024 and DEF CON 32 (2024). In it, I explained how I was able to develop a tool to take over the Windows Update process to craft custom downgrades on critical OS components to expose previously fixed vulnerabilities. By using this downgrade ability, I discovered CVE-2024-21302, a privilege escalation vulnerability affecting the entire Windows virtualization stack.

On October 16th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), the Communications Security Establishment Canada (CSE), the Australian Federal Police (AFP), and Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) issued an urgent advisory warning security teams about the use of Brute Force and other techniques by Iranian threat actors to compromise critical infrastructure ent

In this version of the Hacker’s Playbook Threat Coverage round-up, we are highlighting attack coverage for several new threats. SafeBreach customers can select and run these attacks and more from the SafeBreach Hacker’s Playbook to ensure coverage against these advanced threats. Additional details about the threats and our coverage can be seen below.

Interactive, hands-on keyboard attack campaigns are employed by today’s most proficient threat actors to penetrate organizational defenses. The network perimeter is typically the initial line of defense against unauthorized access to an organization’s network and the sensitive data it contains. After infiltration, attackers establish command-and-control (C&C) and data exfiltration channels to receive malicious payloads and export stolen data.

On September 5th, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and National Security Agency (NSA) issued an urgent advisory warning security teams about efforts undertaken by threat actors affiliated with Russia’s General Staff Main Intelligence Directorate (GRU) 161st Specialist Training Center (Unit 29155).

On August 29, the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense Cyber Crime Center (DC3) issued an urgent advisory warning security teams about known RansomHub ransomware IOCs and TTPs identified through FBI threat response activities and third-party reporting as recently as August 2024. Detailed information about this threat and the associated IOCs and TTPs can be seen in the advisory #StopRansomware: RansomHub Ransomware.