InfoSec.Watch

126: Click The CAPTCHA, Adopt Malware, Regret Everything

Infosec.Watch Season 2 Episode 126


We track a wave of high-impact vulnerabilities and social engineering campaigns that target management planes and edge devices, then lay out a concrete four-step validation playbook. The theme is simple: initial access is cheap, but control plane compromise multiplies damage.

• Windows Admin Center privilege escalation and urgent patching
• IceWarp critical flaws enabling total takeover paths
• Fake CAPTCHA campaigns delivering Latrodectus, Supper, and new RATs
• BeyondTrust RCE exploited in the wild with VShell and SparkRAT
• Grandstream VoIP unauthenticated buffer overflow and asset hygiene
• Dell RecoverPoint zero day linked to suspected state activity
• CISA KEV additions signaling active exploitation and patch deadlines
• Fake adversary-built RMM tools and software due diligence
• Device code phishing abusing OAuth to bypass MFA
• Four-step patch validation and assumed-breach log review
• Final theme: protect control planes and edge surfaces

Be sure to follow us on X, Facebook, or LinkedIn for daily updates
And don't forget to subscribe to our newsletter for all this and more right in your inbox
You can find that at infosec.watch




Speaker 1

Hello and welcome back to the InfoSec Watch Podcast. I'm your host, Grant Lawson.

Speaker

And I'm Sloan Parker. We've got a packed show for you today. We're covering everything from critical patches in Windows and IceWarp to some really sneaky malware campaigns using fake CAPTCHAs.

Windows Admin Center Flaw

Speaker 1

That's right. Plus, we'll be diving into the vulnerability spotlight with major flaws in BeyondTrust, VoIP phones, and Dell systems. And of course, we'll wrap up with our actionable defense move of the week and the final word on this week's running theme. So let's jump right into our top stories.

Speaker

First up, Microsoft. It seems they've disclosed and patched a security flaw in the Windows Admin Center. Grant, what's the deal with this one?

Speaker 1

Yeah, this one is a privilege escalation vulnerability. The Windows Admin Center is that browser-based tool a lot of admins use to manage Windows clients, servers, and even clusters. So a flaw there that lets an attacker escalate privileges is, well, it's not good.

Speaker

Not good at all. That's a direct path to gaining higher level control. So the key takeaway here is pretty clear, right?

Speaker 1

Exactly. It's the classic drill. Identify your exposure, figure out where you're running this tool, then prioritize patching, especially on any internet-facing instances or ones with paths to high-privilege accounts. And finally, add detections to spot any exploit attempts. It's a recurring theme for a reason.

IceWarp Critical Vulnerabilities

Speaker

A theme we're going to see a lot today. Speaking of which, next on the list is IceWarp, urging immediate patching for some critical flaws.

Speaker 1

This one's a bit of a bundle of trouble. The vulnerabilities allow for unauthorized server access, cross-site scripting, and even arbitrary file reading. It's basically a total takeover threat. So that immediate patching warning is not an exaggeration.

Speaker

Wow, yeah, unauthorized server access is game over. And the takeaway is, let me guess.

Speaker 1

You guessed it. Identify, prioritize patching, and add detections. Same playbook, different target. It really drives home how fundamental this process is for defense.

Fake CAPTCHA Malware Tactics

Speaker

Okay, this next one is interesting. It's a bit different. CERT Polska is detailing a campaign that uses a fake CAPTCHA. Tell me about this ClickFix prompt.

Speaker 1

Right, so this is a clever bit of social engineering. Users see what they think is a standard "prove you're not a robot" CAPTCHA, something we're all trained to click through. But this ClickFix version is malicious.

Speaker

And when they click it, what happens?

Speaker 1

It ends up deploying some pretty nasty and evasive malware, specifically Latrodectus and Supper malware. It's a great example of attackers abusing user trust and muscle memory.

Speaker

That's scary. So the takeaway here shifts slightly from just patching to dealing with initial access.

Speaker 1

Precisely. The advice is to validate your initial access controls, like making sure you have MFA and ideally phishing-resistant authentication in place. It also recommends reviewing logs for indicators of compromise or IOCs, and making sure you've rehearsed your containment drills for these kinds of tactics, techniques, and procedures.

Vulnerability Spotlight Overview

Speaker

That makes sense. If you can't stop the click, you'd better be ready to contain the fallout. Alright, that was a heavy start. Let's move on to our vulnerability spotlight. And sticking with the theme of clever initial access, we're seeing a new phishing campaign that impersonates project management tools like Asana and Trello. Grant, what's the hook here?

BeyondTrust RCE Exploited

Speaker 1

Sounds good. Kicking us off in the spotlight is a critical vulnerability in BeyondTrust, which is being exploited in the wild. We're talking about CVE-2023-1873.

Speaker

Right. And they're seeing VShell and SparkRAT being used in the exploitation. BeyondTrust is an identity platform. So a remote code execution vulnerability here is extremely serious. We're talking about attackers getting control of systems without needing any login credentials.

Speaker 1

It's the keys to the kingdom. If your identity platform is compromised, everything else is at risk. And unsurprisingly, the key takeaway brings us back to our favorite refrain: identify exposure, prioritize patching, and add detections. You can see why it's so critical for these edge-facing, high-privileged systems.

VoIP Phones Critical Overflow

Speaker

Definitely. Up next, we've got something a little different: VoIP phones, specifically the Grandstream GXP1600 series. So when you say add detections, what does that look like in practice for something like this?

Speaker 1

The forgotten devices on the network. This one, CVE-2026-2039, comes from a zero-day research project by Rapid7 Labs. They found a critical, unauthenticated stack-based buffer overflow.

Speaker

Unauthenticated is the word that always makes me nervous. An attacker doesn't need to be logged in to exploit this. That's a huge open door on your network. And a lot of people just set up these phones and forget about them.

Speaker 1

They absolutely do, which is why, once again, the advice is to find out where these devices are, figure out if they're exposed, and get them patched as a priority.

Dell RecoverPoint Zero Day

Speaker

Okay, rounding out our spotlight is a big one. A maximum severity vulnerability in Dell RecoverPoint for virtual machines. And it's already been exploited as a zero day.

Speaker 1

Yeah, this report is from Google Mandiant and their threat intelligence group. They're saying a suspected China-nexus cluster, which they've dubbed UNC6201, has been exploiting this since mid-2024.

Speaker

Wow, so state-sponsored actors exploiting a zero day in a recovery and backup system, that is a nightmare scenario. They're literally targeting the safety net.

Speaker 1

It is. It's a highly strategic target. The advice, as you can imagine, is to treat this with the highest priority. Find it, patch it, and monitor it.

Trend: ClickFix Delivers New RAT

Speaker

Okay, that's a lot to take in from the vulnerability front. Let's shift gears and look at the trend to watch.

Speaker 1

This week's trend actually circles back to something we mentioned earlier. It's another ClickFix campaign, but this time with a new payload.

Speaker

Oh, right, the fake CAPTCHA. What are they delivering now?

Speaker 1

Researchers have found it abusing compromised but otherwise legitimate websites to deliver a previously undocumented remote access trojan, or RAT, called Mimic Rat. It's also known as a Starian Rat.

Speaker

Using legit sites is a classic way to bypass reputation-based filtering, and a new RAT means it's less likely to be detected by signature-based AV. The report says the campaign shows a high level of operational sophistication.

Policy Moves And CISA KEV

Speaker 1

Right. This is an amateur hour. The takeaway is the same as the other initial access issue. Beef up your authentication with MFA, check your logs for any signs of these IOCs, and run drills to make sure your team knows how to contain this kind of threat.

Speaker

Good advice. Now let's look at what's happening in the world of policy and regulation. What's CISA been up to?

Speaker 1

Well, CISA has been busy adding to its Known Exploited Vulnerabilities, or KEV, catalog. First, they added two security flaws that impact the Roundcube webmail software, citing evidence of active exploitation.

Speaker

And for anyone listening, when CISA adds something to the KEV, federal agencies have a strict deadline to patch. It's also a massive signal to the private sector that, hey, this is being actively used by attackers. You should probably patch it now.

Speaker 1

Yep. And speaking of the KEV, they also added that BeyondTrust vulnerability we just talked about, CVE-2026-1731, warning that it's being actively exploited. So that adds even more urgency.

Speaker

The key takeaway for these policy-related items is really about process and compliance, isn't it?

Speaker 1

It is. It's about tracking your obligations and deadlines from agencies like CISA, mapping those requirements to your existing security controls, and critically documenting your evidence collection before the auditors show up or enforcement actions begin.

Speaker

Alright, let's move on to our tool or resource of the week. This one sounds sneaky.

Speaker 1

It's very sneaky. So we know that after attackers break in, they often install legitimate remote admin tools to maintain their foothold. But there's a risk for them. The vendor of that legitimate tool might spot the malicious use and lock them out.

Speaker

Right. The command and control can get shut down by the software company itself.

Speaker 1

Exactly. So now they have a new option: a completely fake remote monitoring and management tool, or RMM. It looks and acts like a real one, but it's entirely controlled by the crooks. There's no vendor to shut it down.

Speaker

That's clever and terrifying. It highlights the need to really know what software is running on your network. The key takeaway here is about due diligence for any new tool, I assume.

Speaker 1

You got it. The recommendation is to pilot any new tool in a sandbox environment first. Validate that it covers what you need it to cover, and then add it to a repeatable workflow, whether that's in your CI/CD pipeline, detection engineering, or system hardening process. Basically, don't just install things without testing them.

Rapid Fire Security Updates

Speaker

Solid advice. Alright, let's fire through some quick hits. What else is going on? That's a very important point on due diligence, and it's a perfect lead-in to our next segment.

Speaker 1

First, a quick reminder on that Grandstream VoIP flaw, CVE-2026-2392. It can be exploited without authentication for remote code execution with root privileges. Just wanted to hammer that one home. That's a great point, Sloan, and it actually leads into our next topic.

Speaker

Unauthenticated root RCE. Yikes. Okay, what's next?

Speaker 1

Another device code phishing campaign has been spotted. This one abuses OAuth device registration to bypass multi-factor authentication. No before researchers say it's mostly targeting North American businesses. Next, a Palo Alto Networks advisory for PAN-OS. CVE-2026-0229 is a denial of service vulnerability in their Advanced DNS Security feature. An unauthenticated attacker can disrupt the service.

Speaker

And we also have another CISA order. This time, they're ordering government agencies to patch that maximum severity Dell vulnerability within three days. The one that's been under active exploitation since mid-2024. No time to waste on that one.

Speaker 1

Finally, a campaign dubbed Crescent Harvest. This one appears to be targeting supporters of Iran's ongoing protests, aiming for information theft and long-term espionage. The Acronis Threat Research Unit has the details on that.

Speaker

A stark reminder of the geopolitical side of cybersecurity. What's something our listeners can actually go and do right now?

Speaker 1

Alright, here it is. For every tier zero patch this week, and we've talked about a few, like firewalls, identity platforms, VPNs, and backup systems, you need to do four things. One, verify the new version is actually running on the box. Two, confirm the exposure is gone with an external check. Three, review the last 14 days of admin, authentication, and configuration logs for any anomalies. And four, rotate secrets if there's any chance a compromise occurred before the patch.

Speaker

That is a fantastic takeaway because patching is just step one. The real work is in the validation and the assumed breach log review. That's step two. You can't just patch and pray.

Speaker 1

Exactly. Patching proves you fixed the bug. The log review is how you find out if someone exploited it before you fixed it.

Speaker

Perfect. That brings us to our final word. What's the big theme tying all of this week's news together?

Speaker 1

This week's theme is crystal clear. Control planes and edge surfaces are what's driving real-world blast radius. Think about it. The Windows Admin Center, the BeyondTrust identity platform, the Dell recovery system, the Palo Alto firewall. These are all management control planes.

Speaker

Right. They're the systems that manage other systems. So compromising them has a massive ripple effect. The advice here is to treat exposure management as a continuous process. You have to constantly work to tighten identity controls, reduce the number of reachable admin surfaces, and ship detections that assume exploitation attempts are inevitable.

Speaker 1

That's the final takeaway. Treat your control planes like your primary production attack surface. Reduce their exposure, patch them incredibly fast, and validate with logs, not hope.

Speaker

A perfect summary. Well, that's all the time we have for this week. A huge thank you to everyone for tuning in.

Final Word: Control Planes

Speaker 1

Be sure to follow us on X, Facebook, or LinkedIn for daily updates. And don't forget to subscribe to our newsletter for all this and more right in your inbox. You can find that at infosec.watch.

Speaker

Thanks again for listening and stay safe out there.