Archive for the Commentary Category

Comparitech Research: Which industry & country has the worst email security? An analysis of 5,800+ domains

Posted in Commentary with tags on July 1, 2026 by itnerd

Every day, cybercriminals send around 3.4 billion phishing emails, and 90 percent of successful cyber attacks originate from one of them. With 96 percent of IT security and decision makers expecting email security challenges throughout 2026, you’d be forgiven for thinking that most organizations would at least be meeting the basics. However, Comparitech’s research found that more than eight percent of organizations’ domains are fully unprotected.

This Wednesday, Comparitech researchers will publish a new study on this very subject, analyzing the live DNS records of 5,849 domains across 13 sectors and scoring each domain against a set of email security frameworks (SPF, DMARC, DKIM, and MTA-STS).

Key findings include: 

  • 487 of the 5,849 domains scanned (8.3%) had zero protection
  • Government domains had the lowest average score – 2.73
  • Tech company domains had the highest average score – 4.83
  • China had the lowest average score – 2.3
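To make the four checks concrete, here is an added example (not Comparitech’s tooling or scoring framework) that assesses a domain’s SPF, DMARC, DKIM and MTA-STS posture from its DNS TXT records. The scoring scale is this example’s own, the DKIM selector list is an assumption, and SAMPLE_RECORDS is constructed data for fictional domains.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Posture:
    domain: str
    score: int = 0                              # 0..6 on this example's own scale
    present: set = field(default_factory=set)   # controls that are published at all
    findings: list = field(default_factory=list)


def _tags(record):
    """Parse a 'k=v; k2=v2' record (DMARC, DKIM, MTA-STS) into a dict."""
    out = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            out[k.strip().lower()] = v.strip()
    return out


def assess(domain, records, dkim_selectors=("s1", "selector1", "default")):
    """Score one domain from a {lower-case dns name: [txt strings]} mapping."""
    p = Posture(domain.lower())

    def txt(name):
        return records.get(name.lower(), [])

    # SPF lives at the apex; RFC 7208 allows exactly one v=spf1 record.
    spf = [r for r in txt(p.domain) if r.lower().startswith("v=spf1")]
    if not spf:
        p.findings.append("SPF: no record")
    else:
        p.present.add("SPF")
        if len(spf) > 1:
            p.findings.append("SPF: multiple records, receivers treat this as permerror")
        elif re.search(r"\s-all\s*$", spf[0], re.I):
            p.score += 2; p.findings.append("SPF: hard fail (-all)")
        elif re.search(r"\s~all\s*$", spf[0], re.I):
            p.score += 1; p.findings.append("SPF: soft fail (~all)")
        else:
            p.findings.append("SPF: no -all/~all, unauthorised senders are not rejected")

    # DMARC: policy strength is what matters; p=none only monitors.
    dmarc = [r for r in txt(f"_dmarc.{p.domain}") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        p.findings.append("DMARC: no record")
    else:
        p.present.add("DMARC")
        t = _tags(dmarc[0])
        policy = t.get("p", "none").lower()
        p.score += {"reject": 2, "quarantine": 1}.get(policy, 0)
        p.findings.append(f"DMARC: p={policy}")
        if t.get("pct", "100") != "100":
            p.findings.append(f"DMARC: only pct={t['pct']} of mail is subject to the policy")

    # DKIM: selectors are not discoverable from DNS, so try a list of likely ones.
    for sel in dkim_selectors:
        for r in txt(f"{sel}._domainkey.{p.domain}"):
            if _tags(r).get("p"):
                p.present.add("DKIM"); p.score += 1
                p.findings.append(f"DKIM: key published at selector {sel}")
                break
            p.findings.append(f"DKIM: selector {sel} has an empty p= (revoked key)")
        if "DKIM" in p.present:
            break
    else:
        p.findings.append("DKIM: no key found for the selectors tried")

    # MTA-STS: the TXT record only advertises a policy; the policy file at
    # https://mta-sts.<domain>/.well-known/mta-sts.txt is not fetched here.
    if any(r.lower().startswith("v=stsv1") for r in txt(f"_mta-sts.{p.domain}")):
        p.present.add("MTA-STS"); p.score += 1
        p.findings.append("MTA-STS: policy advertised")
    else:
        p.findings.append("MTA-STS: no record")
    return p


def fully_unprotected(p):
    """The study's 'zero protection' bucket: none of the four controls published."""
    return not p.present


SAMPLE_RECORDS = {  # constructed sample data for fictional domains
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC_CONSTRUCTED"],
    "_mta-sts.good.example": ["v=STSv1; id=20260701T000000Z"],
    "weak.example": ["v=spf1 include:_spf.mail.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50; rua=mailto:dmarc@weak.example"],
}

if __name__ == "__main__":
    for name in ("good.example", "weak.example", "none.example"):
        r = assess(name, SAMPLE_RECORDS)
        print(name, "score", r.score, "published", sorted(r.present), r.findings)
```

To run it against real domains, build the same mapping from live TXT lookups (for example with dnspython) for the apex, `_dmarc.`, `_mta-sts.` and the `<selector>._domainkey.` names.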

Additionally, Rebecca Moody, Head of Data Research at Comparitech, provided the following comment on the subject: 

“If you asked people which industries they’d like to assume are meeting basic cybersecurity standards, government agencies and healthcare providers would likely be among some of the most popular answers. Our study highlights that, when it comes to standard email security, this couldn’t be further from the truth. 

The fact that over 1 in 4 government agencies and 1 in 5 healthcare providers have zero email protection is incredibly concerning, particularly when the factors we’ve assessed (SPF, DMARC, DKIM, or MTA-STS) are what many would call “standard” protocols. Equally, these sectors are often subject to more regulation, demonstrating that even when they should be meeting these requirements by law, they often aren’t.

One of the biggest risks of having gaps in email security is spoofing. Without the necessary protocols in place, hackers can spoof an organization’s domain, which adds to the legitimacy of their campaign. They could use this to send phishing emails, malware, or carry out a wire fraud scam, for example. Ultimately, the email security protocols we’ve assessed shouldn’t be seen as a recommendation or “good to have,” they should be viewed as being essential for all organizations.”

You can read the research here: https://www.comparitech.com/news/which-industry-country-has-the-worst-email-security-an-analysis-of-5800-domains-for-spf-dmarc-dkim-mta-sts-protocols/

Guest Post: Fake Interpol Investigation Emails Are Targeting Small Businesses with Ransomware

Posted in Commentary with tags on July 1, 2026 by itnerd

Think your small business is too small to be targeted by ransomware?

That’s precisely the assumption cybercriminals hope you’ll make.

Bitdefender Antispam researchers have uncovered a phishing campaign targeting small businesses across Europe, Asia, the Middle East, and the United States with fake investigation emails impersonating law enforcement officials.

The messages claim to contain evidence of suspicious company activity, but there’s a catch: The attached ‘evidence’ is actually ransomware.

Key takeaways

  • Researchers at Bitdefender Antispam Lab have identified a malicious campaign impersonating Interpol.
  • The emails claim to contain evidence of suspicious company activity and pressure recipients into opening a password-protected archive.
  • Recipients are directed to a Proton Drive-hosted file that ultimately delivers ransomware.
  • The ransomware appears to be a custom-built payload rather than a known ransomware family.
  • The operation targeted organizations across Europe, Asia, the Middle East, and the United States.
  • Small businesses are particularly at risk because many lack dedicated IT and cybersecurity resources.

How the attack works

The emails arrive with an urgent tone, claiming to be from Interpol’s cybercrime investigation unit, which is conducting a compliance or security review.

Recipients are told that investigators have obtained information and video material related to their organization and are encouraged to review the evidence as soon as possible.

The message is carefully crafted to create anxiety. Nobody wants to receive an email suggesting their company may be involved in suspicious or fraudulent activity or under investigation.

To review the alleged evidence, recipients are directed to a Proton Drive link containing a password-protected archive. The password is conveniently included in the email itself.

Once opened, the archive appears to contain a video file documenting the supposed activities under investigation.

Instead, the victim is greeted with malware.

The attackers use a familiar trick: disguising an executable as a video file in the hope that recipients won’t notice the difference before opening it.

The malware isn’t sophisticated. The social engineering is.

According to researchers Viorel Vrabie and Andrei Mogage, the fake video contains a ransomware payload hidden within multiple archive layers.

Once executed, the malware seeks to encrypt files across available drives and presents victims with a ransom message:

“Your computer has been compromised, and you will not be able to recover your encrypted files without the decryption key.

Do not delete any files or change their locations. Do not scan your computer, as this may complicate the recovery process.

We are available only through Tox.”

One interesting detail is what the ransom note doesn’t say:

Unlike older ransomware attacks that immediately demanded a fixed payment amount, this note doesn’t specify a ransom at all. Instead, victims are instructed to contact the attackers through a Tox chat channel.

This approach has become increasingly common among ransomware operators. Rather than demanding the same amount from every victim, attackers often prefer to negotiate after establishing contact. The final ransom may depend on the size of the organization, the perceived value of its data, and its ability to pay.

The researchers also found that the malware itself is relatively simple. The code contains hardcoded values, including the password used during encryption and decryption, and lacks many of the features typically associated with large ransomware operations.

Bitdefender researchers observed the campaign targeting organizations across multiple industries, including food and agriculture, legal services, pharmaceuticals, media, technology, and finance.

The campaign was also geographically diverse, with targets identified across Europe, Asia, the Middle East, and the United States.

Is this attack linked to a major ransomware gang?

There is no indication of that. The malware seems much simpler than the tools typically used in major ransomware operations, and beyond the relatively basic code observed by our researchers, another notable difference is how victims are instructed to make contact.

Most modern ransomware-as-a-service (RaaS) groups direct victims to a dedicated negotiation portal hosted on the dark web, where they can exchange messages, receive payment instructions, and negotiate the ransom.

In this campaign, however, the attackers simply provide a Tox chat ID. There is no dedicated negotiation portal or victim site, which is another indication that this is likely a custom-built operation rather than the work of an established ransomware group.

This suggests the malware may have been custom-built or assembled using publicly available code and tools.

The campaign highlights an important trend: cybercriminals no longer need the resources or expertise of a large ransomware gang to launch disruptive attacks. Even relatively simple malware can become a serious threat when paired with convincing social engineering.

In this case, the fake investigation email does much of the heavy lifting. The attackers rely on fear, urgency, and authority to persuade victims to launch the malware themselves.

Why small businesses remain attractive targets

Small businesses are often viewed as easier targets than large enterprises.

Many operate without dedicated IT teams or cybersecurity staff. Security responsibilities are often shared among employees who already wear multiple hats, and limited budgets can make it difficult to invest in advanced security measures or ongoing training.

When an alarming email arrives claiming to involve investigators, compliance issues, or evidence of misconduct, there may be no formal process for verifying the claims before someone clicks.

Attackers understand this reality and design campaigns specifically to exploit it.

What should you do if you opened the file?

If you downloaded and opened a file like the one used in this campaign, don’t panic, but don’t ignore it either. Acting quickly can make a big difference.

Disconnect the affected device from the network. If ransomware or other malware is running, taking the computer offline may help prevent it from communicating with attacker-controlled servers or spreading to shared drives and other devices.

Run a full security scan. Use a trusted security solution, such as Bitdefender Ultimate Small Business Security, to perform a complete scan of the affected device. Even if nothing appears unusual, remember that some threats are designed to remain hidden until they’ve completed their job.

Notify your IT administrator or managed service provider, where possible. If you’re part of a business, don’t try to deal with the incident alone. The sooner your IT team is aware, the faster they can isolate affected systems and prevent additional damage.

Inform your team about the attack. Awareness can also make a huge difference in protecting your business, devices, data, and reputation.

Change important passwords from a clean device. If there’s any chance the malware also harvested credentials, update passwords for your business email, cloud storage, financial accounts, and collaboration platforms. Use strong, unique passwords and enable multi-factor authentication wherever it’s available.

Look for signs of suspicious activity. Watch for unexpected login alerts, password reset emails, unfamiliar transactions, or files that suddenly become inaccessible. Continue monitoring your accounts over the following days, as some attacks don’t reveal their full impact immediately.

Report the incident. Report the phishing email through your email provider’s “Report phishing” feature and notify the organization being impersonated when appropriate. If your business has been infected or you suspect ransomware was executed, consider reporting the incident to your national cybersecurity agency. Sharing information about active campaigns helps authorities warn other organizations and better understand emerging threats.

You may also want to read: What to do if you clicked a phishing link in a business email

How to protect your small business moving forward

Campaigns like this prove that ransomware attacks don’t always begin with sophisticated hacking techniques. Often, they start with a message designed to create panic.

To reduce the risk of your small business falling victim to a similar ransomware attack:

  • Verify all unsolicited correspondence before acting: If you receive a message claiming to come from law enforcement, regulators, or another authority, don’t rely on the contact details provided in the email. Reach out through official channels to confirm whether the communication is legitimate.

Note: One of the biggest red flags in this campaign is the delivery method itself. While the attackers impersonate Interpol, legitimate law enforcement agencies don’t send unsolicited emails containing Proton Drive links to password-protected files and ask organizations to review alleged evidence of wrongdoing. If you receive a message like this, resist the urge to investigate on your own. Instead, verify the communication through official channels before opening any attachments or downloading files.

  • Treat password-protected archives with caution, especially when the password is included in the email.
  • Show file extensions on Windows devices: This makes it easier to spot executables masquerading as videos or documents.
  • Enable multi-factor authentication wherever possible. MFA won’t stop ransomware that’s already running, but it can prevent attackers from accessing your business accounts if they also try to steal passwords.
  • Keep systems and software up to date. Regular security updates help close vulnerabilities that attackers may exploit before or after a phishing attack.
  • Train employees to recognize scams: Criminals increasingly rely on fear and urgency rather than technical exploits.
  • Maintain secure backups: Reliable backups remain one of the best defenses against ransomware.
  • Use layered security designed for small businesses: Even well-trained employees can have an off day, and attackers count on those moments. Solutions such as Bitdefender Ultimate Small Business Security add another layer of defense by helping block phishing emails, detecting malicious downloads, identifying suspicious behavior, and stopping ransomware in its tracks.

This article is published for informational and educational purposes only. The information presented is based on technical research conducted by Bitdefender Labs and publicly available sources. Bitdefender does not make any legal determination regarding the activities described herein. The mention of any company, brand, domain, or individual does not constitute an accusation of illegal activity. Readers should exercise their own judgment and consult appropriate authorities or legal counsel if they believe they have been affected by any of the activities described. Domain names and URLs listed in this article are provided solely to help consumers and security professionals identify potentially harmful infrastructure. Bitdefender disclaims any liability for actions taken based on the information in this article.

Dawnguard launches platform to build secure cloud systems from day zero, with fresh funding and US office

Posted in Commentary with tags on July 1, 2026 by itnerd

As AI-assisted engineering accelerates how quickly software is designed, written, and shipped, cybersecurity teams are facing a harder problem: risk is being created earlier than traditional tools can see it. Dawnguard announced the public launch of its security architecture automation platform, making it available to organizations looking to design, build, and operate secure cloud-native systems from day zero through production. 

The launch marks the company’s move from enterprise design partnerships into general availability, following a year of platform development and customer validation. Alongside the product launch, Dawnguard announced the opening of its New York City office and an additional $3.3 million in pre-seed funding from existing investor BNVT Capital in the UK, with new participation from Curiosity VC in the Netherlands and eCAPITAL in Germany. The new capital brings Dawnguard’s total funding to more than $6.3 million.

Why this matters now

Cybersecurity has spent decades getting better at detecting, alerting, and responding to threats after systems are already built. That model is under increasing pressure. As software development speeds up, security teams are asked to protect systems that are more complex, more dynamic, and increasingly shaped by AI-generated code and autonomous engineering workflows.

Despite record spending on cybersecurity tools, breaches continue to originate from architectural weaknesses, insecure configurations, and design decisions that cannot simply be patched away. Dawnguard was founded on a simple belief: cybersecurity cannot continue to operate as a reactive industry. True cyber resilience begins at the drawing board, where systems are designed, validated, and deployed securely from the start. 

A new category for the Mythos era

The rise of AI, autonomous systems, and increasingly complex digital infrastructure has created what Dawnguard calls the Mythos Era: an environment where software evolves and is exploited faster than traditional security processes can keep pace. Security teams are overwhelmed by thousands of alerts, fragmented tooling, and endless patch cycles, while attackers increasingly exploit weaknesses embedded in architecture itself.

Dawnguard was built for this shift. Its platform turns secure architecture into deployable infrastructure, enabling organizations to:

  • Design secure and compliant cloud architectures before deployment
  • Automatically generate production-ready Infrastructure as Code
  • Continuously validate that deployed environments remain aligned with approved designs
  • Eliminate security drift between architectural intent and operational reality
  • Enable engineering and security teams to collaborate within a shared architecture workspace

The platform is designed to eliminate the gap between security intent and operational reality. Engineering and security teams work in a shared architecture workspace where designs can be validated, translated into enforceable infrastructure, and checked continuously as systems evolve.

Unlike traditional security products that focus on detecting problems after systems are built, Dawnguard helps organizations prevent insecure patterns from being introduced in the first place. The result is a security model that starts at the drawing board and follows the system into production.

The team 

Dawnguard was founded by cybersecurity veterans from IBM, Microsoft, Amazon, and military cyber operations to challenge the industry’s dependence on reactive security and compliance-driven checkbox exercises. Since launching from stealth, the company has expanded its platform capabilities, strengthened integrations across cloud environments, and worked closely with enterprise design partners to bring security architecture automation into production.

The new funding will accelerate product development, AI-driven architecture intelligence, enterprise go-to-market expansion, and international growth.

The future is design-focused security

Dawnguard’s vision extends beyond improving security workflows. The company aims to establish security architecture as a foundational control layer for modern digital systems, where security, compliance, cost management, resilience, sustainability, performance, and operational excellence are built into infrastructure and the application layer from the moment they are conceived.

As organizations enter the Mythos Era, Dawnguard is betting that the future of cybersecurity will not be defined by faster alerts or longer patch lists. It will be defined by systems that are secure by design, continuously validated, and capable of adapting to an increasingly autonomous world.

Ohio city warns 123,000+ people of data breach that leaked SSNs, financial and medical info

Posted in Commentary with tags on July 1, 2026 by itnerd

Comparitech is reporting that the city of Middletown, Ohio today confirmed it notified 123,791 people of a July 2025 data breach that compromised names, SSNs, financial account info, medical info, health insurance info, addresses, and government-issued IDs. 

The cyberattack disrupted city services including water utility billing, which wasn’t fully restored until months later in January 2026.

Commenting on this news is Rebecca Moody, Head of Data Research at Comparitech:

“This attack highlights why government agencies remain a key target for hackers.

First, the case shows just how disruptive these attacks can be, with Middletown only being able to restore its water billing system in January of this year, around six months after the attack took place. Second, governments are often in possession of vast quantities of data. Accessing such data not only gives hackers further leverage to demand a ransom, but it also gives them key data that they can sell on the dark web if negotiations fail. The fact that SafePay posted the City of Middletown to its data leak site suggests ransom negotiations failed (for the data theft at least). 

While government agencies are sometimes prevented from paying ransoms (or have to meet strict conditions in order to pay one, as is the case in Ohio), we saw a case just last month (Murray County in Georgia) where the ransom was paid in order to prevent county data from being published. 

It’s win-win for hackers. Receive a ransom demand to decrypt systems and/or delete data, or sell highly sensitive personal data on the dark web.”

I guess hackers are about to have a field day because they seriously hit the jackpot here. Which illustrates why stopping the bad guys from doing evil things is preferable to getting pwned.

ESET Research investigates Russian-aligned Gamaredon group – new toolset, alliances, and a reliance on legitimate services

Posted in Commentary with tags on July 1, 2026 by itnerd

ESET Research released its latest report on Gamaredon, a Russia-aligned threat actor, and its activity during 2025. The paper analyzes new tools added to its arsenal, significant shifts in how it protects its network infrastructure, and its growing use of legitimate third-party services to hide both command and control (C&C) information and stolen data. Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine. The group’s ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine. Gamaredon’s activities appear to be closely aligned with Russia’s geopolitical objectives, targeting Ukrainian governmental and military institutions to gain an intelligence advantage. 

In early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor. This cooperation underscores the potential for coordinated cyberespionage campaigns among Russia-aligned groups, likely to amplify their operational impact. In the past, Gamaredon also collaborated with a threat actor that ESET discovered and named InvisiMole. More broadly, 2025 also provided another example of cooperation and task sharing among Russia-aligned actors: ESET observed the Russia-aligned UAC-0099 group conducting initial access operations and subsequently transferring validated targets to Sandworm for follow-up activity. 

In the second half of the year, Gamaredon shifted more toward larger and more frequent spear phishing campaigns. What changed most noticeably was the tempo. The group was much more active in the second half of the year, when campaigns became both more frequent and larger in scale. Beyond spear phishing, Gamaredon also continued using custom weaponizers for lateral movement. These tools weaponize USB drives, mapped network drives, and even software installers, helping the group spread within or across organizations after the initial compromise.

Gamaredon introduced six new tools in 2025, all written in PowerShell: PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, and PteroEffigy. The standout among the new tools is PteroPaste, which is considerably more complex than the others. It combines a downloader, a USB weaponizer, and a runner component used for persistence and orchestration. The group also resurrected an old VBScript weaponizer, PteroSetup, which first appeared in 2021.

Additionally, Gamaredon operators sought new ways to protect their network infrastructure, with their C&C servers now hidden behind various third-party services such as tunnels, workers, DDNS (dynamic DNS), and PaaS (platform as a service).

One of the most important aspects of Gamaredon’s 2025 operations was its heavy use of so-called dead-drop services. The term comes from traditional espionage – instead of meeting directly, one operative leaves information in a public or hidden location and another retrieves it later. Online, the principle is similar. Rather than embedding the real malicious server directly in malware, operators place that information on a legitimate website or platform, and the malware retrieves it from there. This means that the malware may first contact a public page on a legitimate service, read a hidden or staged value from it, and only then connect to the actual C&C server. In 2025, Gamaredon abused numerous services in this way: Telegram channels, Dropbox, social networks DEV Community, Mastodon, and others.

The other major infrastructure shift ESET observed was on the data-exfiltration side. Gamaredon upgraded two of its flagship file stealers, PteroPSDoor and PteroVDoor, to upload stolen files to S3-compatible cloud storage services – providers that support the Amazon S3 API (Wasabi, Tebi, and Intercolo) – allowing the same tools and code to work across different storage vendors. At the same time, PteroBox continued to upload files to Dropbox.

Uploading stolen files to cloud storage reduces the need for Gamaredon to maintain its own infrastructure for receiving large amounts of stolen data. It also helps malicious traffic blend in with access to legitimate storage providers. Essentially, Gamaredon increasingly uses third-party services not only to hide where instructions come from, but also to hide where stolen data goes.
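The two patterns described above (a dead-drop lookup followed by a connection to a previously unseen host, and bulk uploads to S3-compatible or Dropbox storage) can be hunted for in proxy logs. The following is an added example, not ESET’s detection logic; the log lines are constructed, and the dead-drop hostnames, storage-provider suffixes, time window and byte threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime

# Public services the report names as dead-drop resolvers (hostnames assumed).
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "www.dropbox.com", "dev.to", "mastodon.social"}
# Storage endpoints: Dropbox API, the S3-compatible providers named in the report
# (endpoint domains assumed), plus anything following the s3.<...> naming convention.
STORAGE_SUFFIXES = ("dropboxapi.com", "wasabisys.com", "tebi.io")
WINDOW_SECONDS = 60                 # dead-drop lookup -> C&C contact gap to flag
UPLOAD_BYTES = 10 * 1024 * 1024     # cumulative upload per (client, process, host)


def parse_line(line):
    """Constructed format: ts client process method dest bytes_in bytes_out."""
    ts, client, proc, method, dest, _b_in, b_out = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "client": client,
            "proc": proc, "method": method.upper(), "dest": dest.lower(),
            "bytes_out": int(b_out)}


def is_storage_host(host):
    return host.startswith("s3.") or ".s3." in host or host.endswith(STORAGE_SUFFIXES)


def detect(lines):
    """Return (rule, client, process, dest, detail) tuples in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts = []
    seen = defaultdict(set)     # (client, proc) -> hosts already contacted earlier
    pending = {}                # (client, proc) -> time of the last dead-drop request
    uploads = defaultdict(int)  # (client, proc, dest) -> bytes uploaded so far
    for e in events:
        key = (e["client"], e["proc"])
        if e["dest"] in DEAD_DROP_HOSTS:
            pending[key] = e["ts"]
        elif key in pending and e["dest"] not in seen[key]:
            # First-ever contact with a host shortly after reading a public page:
            # the shape of a dead-drop resolver handing out the real C&C address.
            age = (e["ts"] - pending[key]).total_seconds()
            if 0 <= age <= WINDOW_SECONDS:
                alerts.append(("dead-drop-then-new-host", e["client"], e["proc"],
                               e["dest"], int(age)))
        seen[key].add(e["dest"])

        if e["method"] in ("PUT", "POST") and is_storage_host(e["dest"]):
            k = (e["client"], e["proc"], e["dest"])
            before, uploads[k] = uploads[k], uploads[k] + e["bytes_out"]
            if before < UPLOAD_BYTES <= uploads[k]:   # alert once, when crossing
                alerts.append(("bulk-upload-to-cloud-storage", e["client"], e["proc"],
                               e["dest"], uploads[k]))
    return alerts


SAMPLE_LOG = """\
2026-07-01T08:55:00Z ws03 chrome.exe GET www.microsoft.com 40000 900
2026-07-01T09:00:01Z ws17 powershell.exe GET t.me 5200 400
2026-07-01T09:00:04Z ws17 powershell.exe POST a1b2c3.constructed-tunnel.test 300 2100
2026-07-01T09:01:10Z ws03 chrome.exe GET t.me 5200 400
2026-07-01T09:01:12Z ws03 chrome.exe GET www.microsoft.com 40000 900
2026-07-01T09:05:10Z ws17 powershell.exe PUT s3.wasabisys.com 200 8388608
2026-07-01T09:05:40Z ws17 powershell.exe PUT s3.wasabisys.com 200 8388608
2026-07-01T09:40:00Z ws03 chrome.exe POST content.dropboxapi.com 200 1048576
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The chrome.exe visit to t.me is not flagged because the host it contacts next was already in that process’s history; the PowerShell sequence is flagged twice, once for the new host and once when its uploads cross the threshold.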

For more details about Gamaredon and its activity in 2025, check out the ESET Research blogpost and white paper “Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances,” on WeLiveSecurity.com.

Guest Post: An Update on You Snooze, You Lose: Winning LPEs by Racing Services for RPC Endpoints

Posted in Commentary on July 1, 2026 by itnerd

Author: Ron Ben Yizhak, SafeBreach Security Researcher

Last August, I shared a blog on my most recent research project called You Snooze, You Lose: RPC-Racer Winning RPC Endpoints Against Services, which I presented at DEF CON 33 (2025). In it, I demonstrated a novel attack technique I developed called Endpoint Mapper (EPM) poisoning—a method of registering a rogue remote procedure call (RPC) server ahead of a legitimate one to intercept client connections. I showed how it could be exploited to force a protected process to authenticate a machine account against an attacker-controlled server, enabling domain-wide privilege escalation.

Following that research, I continued investigating the boundaries of EPM poisoning to answer a question I had left open: could the technique be used to escalate from an even weaker starting point? Specifically, could a low integrity process leverage EPM poisoning to break out of its sandbox entirely? The answer turned out to be yes—and the path there involved an obscure scheduled task, a bypassed Windows security mechanism, and an XML injection hidden inside a toast notification.

Below, I’ll first provide a high-level overview of the original research. Next, I’ll explain how I expanded the attack surface to low integrity processes, describe the new vulnerability I discovered in the Data Sharing Service, and share additional EPM poisoning impact discovered by Microsoft. Finally, I’ll cover the vendor response, detection guidance, and directions for further research.

Background on the Original Research

NOTE: This section provides an overview of the original You Snooze, You Lose: RPC-Racer Winning RPC Endpoints Against Services research; readers already familiar with it can skip to the following section.

The Windows RPC protocol is one of the core building blocks of inter-process communication on Windows. When an RPC client needs to find a server by interface universally unique identifier (UUID)—without knowing a specific endpoint—it queries the EPM, which functions similarly to a DNS server: it resolves a UUID to a registered endpoint and connects the client to the first matching server.

This design became the foundation of my research. I set out to determine whether an attack analogous to DNS poisoning could be applied to the EPM—a technique I came to call EPM poisoning. The key discovery was that there is no verification mechanism preventing an unprivileged process from registering a built-in, well-known RPC interface. As long as a rogue server registers an interface before the legitimate service does, the EPM will route clients to the attacker.

To operationalize this finding, I developed two tools:

  • RPC-Recon: Maps RPC interfaces that are not registered at boot and identifies services with delayed or manual startup that could be raced.
  • RPC-Racer: A toolset that registers rogue RPC interfaces and exploits the clients that connect to them.

The primary exploit chain I demonstrated targeted the Storage Service (StorSvc). Because StorSvc is set to delayed start, a scheduled task launched at user log-on can register its interface before the legitimate service. The Delivery Optimization service—which runs as a Protected Process Light (PPL)—connects to StorSvc to retrieve a storage path via the `GetStorageDeviceInfo` method. By controlling the response, I was able to return a network share pointing to an attacker-controlled SMB server, causing the Delivery Optimization service to authenticate to it using the machine account credentials.

This vulnerability can be used to carry out the ESC8 attack. I launched RPC-Racer on a domain controller as a non-administrative user to force it to authenticate with the machine account credentials. From there, I relayed the authentication to the Active Directory Certificate Services (ADCS) web enrollment endpoint, requested a ticket granting ticket (TGT) for the domain controller’s machine account, and used it to dump all domain controller secrets—achieving full domain compromise from a medium integrity process with no administrative privileges.

Microsoft assigned this vulnerability CVE-2025-49760. They fixed it in a patch released on July 8, 2025, that added a security Quality of Service (QOS) check to the StorSvc RPC client so it would only connect to servers running as the local system account.

Taking It Further: Low Integrity Processes as an Attack Surface

After completing the original research, I returned to a question I had set aside: what if we started from an even more restricted position? Most of my original research began as a medium integrity process. But many widely-used applications—browsers, code editors, sandboxed apps—run at low integrity. This is an intentional security design; Microsoft’s documentation explicitly states that escaping low integrity is especially difficult because low integrity processes are prevented from writing to most registry keys, folders, and system components.

To my surprise, however, low integrity processes can still register RPC servers. That alone opened a path worth exploring. The challenge I ran into was that many of the techniques I used in my original research didn’t work from low integrity. Low integrity processes cannot create scheduled tasks, cannot write to the startup folder, and therefore cannot reliably race delayed services at boot. I needed to find a different target—ideally a manual service (not launched at startup) whose RPC interface could be registered at any time, with a client that could be triggered on-demand, and that was unlikely to rigorously validate data received from an assumed-trusted server.

Identifying the Target: Data Sharing Service

After filtering built-in RPC servers based on startup type, the complexity of their interfaces, and the types of data their methods return, one candidate stood out: the Data Sharing Service (DsSvc).

DsSvc acts as a broker for file-path sharing between applications. If we simplify its actions, it holds a basic dictionary of paths to tokens.

When two apps need to exchange a file path, the first app calls `DSSCreateSharedFileToken` to request a token representing the path. The second app then calls `DSSGetSharedFileName` to retrieve the path the token represents.

Searching for files that import `dsclient.dll`—the RPC client for DsSvc—led me to several programs. One stood out immediately: PerformanceTraceHandler.dll. This is the core component of the built-in scheduled task RequestTrace.

The RequestTrace Task and the UIPI Bypass

RequestTrace collects diagnostic information from the machine and—unlike most scheduled tasks—it can be started in several ways: via the Task Scheduler COM object, via a Windows Notification Facility (WNF) state change, or by pressing the hotkey combination Win+Shift+Control+T.

The first two methods are blocked for low integrity processes. The Task Scheduler COM object is inaccessible to low integrity, and the `NtUpdateWnfStateData` API call required for the WNF trigger is also restricted. The hotkey, however, presented an interesting opportunity.

Windows uses a security mechanism called User Interface Privilege Isolation (UIPI) to prevent low integrity processes from sending input messages, setting Windows hooks, or injecting keystrokes into higher-integrity processes. UIPI is a critical sandbox boundary. But UIPI blocks input messages—does that include hotkeys? Maybe a combination would work.

I called `SendInput` from a low integrity process to send the Win+Shift+Control+T key combination, and the RequestTrace scheduled task launched successfully using an RPC client connecting to me. This is a meaningful finding in itself: low integrity processes can trigger any scheduled task that has a hotkey-based trigger, which is worth investigating independently as an attack surface.

XML Injection via Toast Notification

This task depends on an option that is turned on by default when installing Windows: “Send optional diagnostic data” under the Diagnostics & Feedback settings. Once the task starts, it pops a notification to the user indicating that data is being collected. This type of notification is called a “toast.”

After a short duration, a second toast is presented with actions the user can take.

Once RequestTrace launches—and the second toast is presented—PerformanceTraceHandler assembles a zip file of diagnostic data and prepares to share it with the Feedback Hub application. To do this, it calls `DSSCreateSharedFileToken` on what it believes is the legitimate DsSvc server—but since I registered the interface first, it connects to my rogue server instead. The token I return is appended to a Feedback Hub URI, which is then formatted into an XML document defining the properties of a toast notification shown to the user.

The XML document defines exactly how many buttons will be shown and what will happen when they are clicked. After appending the token we return, the entire URI is formatted into the arguments property between two double quotes, as highlighted.

<toast scenario="systemDialog">
    <visual lang="en-US">
        <binding template="ToastGeneric">
            <text id="1">A trace has been successfully saved to
             %%LOCALAPPDATA%%\Traces.</text>
        </binding>
    </visual>
    <actions>
        <action id="1" activationType="Protocol" arguments="%ws"
         content="Launch Feedback Hub"/>
        <action id="2" activationType="Background"
         arguments="verbNotOk" content="Dismiss"/>
    </actions>
</toast>

Formatting an attacker controlled string into quotes is very interesting and dangerous. We can close the original double quotes in the format string where the URI is inserted using the highlighted characters. After closing the original double quotes, we can append arbitrary XML data and still keep the XML document valid.

Below is an example of a payload I could inject.

NOTE: On vulnerable builds of Windows, there was a bug that prevented me from setting the action of a button to an executable file. This is why I used a Python script. Since then, however, this bug has been fixed—you can read more about it in our recent research post: Click Or Trick (CVE-2025-59199): Escaping the Sandbox with Windows URIs.

This adds a button to the toast notification and sets the action to point to any file I want. When the user clicks the injected button, the file is executed with medium integrity—breaking out of the low integrity sandbox entirely.

It’s unbelievable that I could do that! The URI of the Feedback Hub isn’t verified at all before it is formatted into the XML. There is no check for special XML characters because this program completely trusts its RPC server. We just achieved a one-click local privilege escalation from low integrity to medium integrity.
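The missing step described above, shown as an added example (not code from SafeBreach or from PerformanceTraceHandler): a constructed copy of the toast template is filled once the way the vulnerable client does it, pasting the server-supplied token straight into the quoted `arguments` attribute, and once with the value XML-escaped first. Microsoft's actual fix was the security QOS check on the RPC client; attribute escaping is the second layer that would have kept a hostile token from changing the document structure. The URI prefix is a hypothetical placeholder.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Constructed copy of the toast template quoted above, collapsed to one string.
# "%ws" is the slot PerformanceTraceHandler fills with the Feedback Hub URI
# that carries the token returned by the (assumed-trusted) DsSvc server.
TOAST_TEMPLATE = (
    '<toast scenario="systemDialog"><visual lang="en-US">'
    '<binding template="ToastGeneric"><text id="1">A trace has been '
    'successfully saved to %%LOCALAPPDATA%%\\Traces.</text></binding></visual>'
    '<actions><action id="1" activationType="Protocol" arguments="%ws" '
    'content="Launch Feedback Hub"/>'
    '<action id="2" activationType="Background" arguments="verbNotOk" '
    'content="Dismiss"/></actions></toast>'
)

# Hypothetical URI prefix; the real Feedback Hub URI is not reproduced here.
FEEDBACK_URI_PREFIX = "feedback-hub-uri-placeholder:?token="


def build_toast_naive(token: str) -> str:
    """Vulnerable pattern: the server-supplied token is pasted straight into
    the quoted attribute, so any quote, '<' or '&' in it alters the XML."""
    return TOAST_TEMPLATE.replace("%ws", FEEDBACK_URI_PREFIX + token)


def build_toast_hardened(token: str) -> str:
    """Escape the untrusted value before it touches the document: quoteattr()
    encodes &, <, > and any quote character that would end the attribute,
    and returns the value already wrapped in quotes."""
    return TOAST_TEMPLATE.replace('"%ws"', quoteattr(FEEDBACK_URI_PREFIX + token))


def toast_actions(xml_text: str):
    """Parse a toast document and return (number of <action> elements,
    arguments attribute of the first one); return None if it does not parse."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    actions = root.findall("./actions/action")
    return len(actions), (actions[0].get("arguments") if actions else None)


if __name__ == "__main__":
    for tok in ("abc123", 'abc"def&x'):
        print(repr(tok), "naive:", toast_actions(build_toast_naive(tok)),
              "hardened:", toast_actions(build_toast_hardened(tok)))
```

With a well-formed token both builders produce the same two-button toast; with a token containing a quote or ampersand the naive document no longer parses as written, while the hardened one keeps exactly two actions and carries the raw value inside the attribute.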

To recap the attack flow:

  1. The attacker starts as a low integrity process and registers a rogue RPC server mimicking DsSvc.
  2. They send Win+Shift+Control+T to indirectly start the RequestTrace scheduled task.
  3. RequestTrace’s PerformanceTraceHandler requests a token from the rogue server.
  4. The attacker returns a crafted token containing the XML injection payload.
  5. PerformanceTraceHandler launches a toast notification based on that XML.
  6. The user sees a notification with a button; clicking it executes the attacker’s file at medium integrity.

Watch the demo.

Vendor Response

As with our original research, SafeBreach is deeply committed to responsible disclosure. In line with that commitment, I disclosed the Data Sharing Service vulnerability to Microsoft on July 14, 2025. It was issued CVE-2025-59200 and a fix was released on October 14th, 2025. As with the StorSvc fix from my previous research, the patch adds a security QOS check to `dsclient.dll`, so the RPC client verifies the server is running with elevated privileges before establishing a connection.

Key Takeaways & Broader Impact

This research exposed some serious security issues, and I believe there are a few lessons that should be noted:

  • The first is that the integrity of servers should be checked in every protocol. Just like SSL-pinning verifies that the certificate is not only valid but uses a specific public key, the identity of an RPC server should be checked. The current design of the EPM doesn’t perform this verification, therefore it must be done by the client.
  • The second is that there is a danger in setting services to delayed start. Software developers of RPC servers should be aware of the implications of launching their programs late in the boot process. Services are often set to delayed start to make the boot process faster, but performance cannot come at the expense of security. Any stage where untrusted code can be executed should be considered unsafe.

In publishing the original EPM poisoning research at DEF CON 33 in August 2025, I described several directions for further investigation—including the Windows Security Center and Windows Defender, both of which interact with RPC interfaces that may be vulnerable to EPM poisoning.

Shortly after the talk, Microsoft independently identified another vulnerable RPC interface: the Windows Remote Access Connection Manager (RasMan). Hijacking the RPC interface of `rasmans.dll` via EPM poisoning could lead to SYSTEM-level privilege escalation. Microsoft patched this vulnerability (CVE-2025-59230) in October 2025, applying the same fix pattern: adding a security QOS check to the RPC client so that it verifies the server is running with elevated privileges before connecting.

The rapid identification of a third vulnerable component—just months after the original research was published—suggests that EPM poisoning is a productive avenue for finding privilege escalation vulnerabilities across the Windows RPC ecosystem. So far, the patches have addressed specific clients rather than the root cause in the EPM itself, leaving more avenues for manipulation.

For example, an attacker could:

  • Perform a man-in-the-middle attack by forwarding the requests they receive to the original service and filtering out calls to hide their foothold on the machine.
  • Cause a much more sophisticated denial of service. By registering many interfaces and denying the requests, many functionalities will be disabled. Instead of terminating processes or spamming them with packets, an attacker could just register their RPC interface first.
  • Steal credentials. While I reviewed a few services that might be exploited for that, there are probably many more.

Detection

Because these patches address specific RPC clients rather than the EPM itself, EPM poisoning remains a viable technique against other interfaces. Organizations can take steps to detect it, specifically:

  • Monitor RpcEpRegister calls. Security products can use hooking to monitor processes that call `RpcEpRegister` to register known, built-in interfaces. If an unexpected process attempts to register a well-known interface, it should be flagged and blocked.
  • Use Event Tracing for Windows (ETW). The `Microsoft-Windows-RPC` ETW provider logs correlation between process IDs, interface UUIDs, and procedure numbers for RPC connections. These events can be used to detect cases where an unknown process receives an RPC connection on a known interface—the hallmark of EPM poisoning in action.
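The two detection patterns above, as an added example (not a SafeBreach tool or the real ETW schema): a small checker that runs over constructed RPC event records carrying the fields the text says the provider correlates, and flags a well-known interface being registered or served by a process other than its expected host. Interface UUIDs, field names and account strings are placeholders; in a real deployment the baseline would be populated from the interface UUIDs of the services you care about and the events would come from an ETW consumer.

```python
from collections import namedtuple

# Constructed, simplified view of what the Microsoft-Windows-RPC provider lets a
# collector correlate per connection: process, interface UUID, procedure number.
# Field names, UUIDs and account strings below are illustrative placeholders,
# not the provider's real schema or the real DsSvc/StorSvc interface IDs.
RpcEvent = namedtuple("RpcEvent", "kind pid image user interface_uuid opnum")

# Baseline: which image, running under which account, may host each interface.
KNOWN_INTERFACES = {
    "11111111-aaaa-4bbb-8ccc-000000000001": {
        "name": "DsSvc (placeholder UUID)",
        "hosts": {"svchost.exe"}, "users": {"NT AUTHORITY\\SYSTEM"}},
    "11111111-aaaa-4bbb-8ccc-000000000002": {
        "name": "StorSvc (placeholder UUID)",
        "hosts": {"svchost.exe"}, "users": {"NT AUTHORITY\\SYSTEM"}},
}


def check_event(ev, known=KNOWN_INTERFACES):
    """Return an alert string if `ev` matches an EPM-poisoning pattern, else None.

    Two patterns from the text: an unexpected process registering a well-known
    interface (EpRegister), and an unexpected process receiving a call on one
    (ServerCall). A correctly named image under the wrong account is flagged
    too, since the vendor fix keys on the server running as SYSTEM."""
    entry = known.get(ev.interface_uuid.lower())
    if entry is None:
        return None  # interface not in our baseline; nothing to compare against
    host_ok = ev.image.lower() in entry["hosts"]
    user_ok = ev.user.upper() in {u.upper() for u in entry["users"]}
    if host_ok and user_ok:
        return None
    who = f"{ev.image} (pid {ev.pid}, {ev.user})"
    if ev.kind == "EpRegister":
        return f"ALERT: {who} registered {entry['name']}"
    if ev.kind == "ServerCall":
        return f"ALERT: {who} served opnum {ev.opnum} on {entry['name']}"
    return None


def scan(events, known=KNOWN_INTERFACES):
    """Run check_event over a batch of events and return the alerts in order."""
    return [a for a in (check_event(e, known) for e in events) if a]


# Constructed sample: a legitimate registration and call, then a rogue
# registration and call from a user-level process, then a correctly named
# image under the wrong account, then an interface outside the baseline.
SAMPLE_EVENTS = [
    RpcEvent("EpRegister", 1204, "svchost.exe", "NT AUTHORITY\\SYSTEM",
             "11111111-aaaa-4bbb-8ccc-000000000001", None),
    RpcEvent("ServerCall", 1204, "svchost.exe", "NT AUTHORITY\\SYSTEM",
             "11111111-aaaa-4bbb-8ccc-000000000001", 0),
    RpcEvent("EpRegister", 5120, "rogue.exe", "DESKTOP\\alice",
             "11111111-aaaa-4bbb-8ccc-000000000001", None),
    RpcEvent("ServerCall", 5120, "rogue.exe", "DESKTOP\\alice",
             "11111111-aaaa-4bbb-8ccc-000000000001", 0),
    RpcEvent("ServerCall", 9001, "svchost.exe", "DESKTOP\\alice",
             "11111111-aaaa-4bbb-8ccc-000000000002", 3),
    RpcEvent("ServerCall", 777, "other.exe", "DESKTOP\\alice",
             "99999999-0000-4000-8000-000000000000", 1),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```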

Further Research

The UIPI bypass demonstrated in this research—triggering a scheduled task via hotkey from a low integrity process—warrants further investigation. Microsoft maintains documentation listing many key combinations and the programs they trigger; it is worth exploring how many of those programs interact with RPC services and whether they can be similarly exploited.

Beyond hotkeys and low integrity, the broader EPM poisoning attack surface remains largely unexplored. There are many delayed and manual services across the Windows RPC ecosystem—this research has only scratched the surface. One particularly interesting target remains the Windows Security Center, which is set to delayed start and is used by Windows Defender. A malicious response to Defender from a rogue RPC server could potentially neutralize it entirely.

Conclusion

This research extended the EPM poisoning technique to low integrity processes, demonstrating that even heavily sandboxed applications can be weaponized to escalate privileges if they can trigger an RPC client connecting to an attacker-controlled server. The Data Sharing Service vulnerability, exploited through an XML injection hidden in a toast notification, shows how trust in RPC server identity—when unverified—can cascade into unexpected and impactful security failures.

To help mitigate the potential impact of these vulnerabilities:

  • All users should apply the patches provided by Microsoft for CVE-2025-49760, CVE-2025-59200, and CVE-2025-59230.
  • Security teams should implement the detection capabilities described above to identify EPM poisoning attempts against unpatched interfaces.

We have also:

  • Provided an updated RPC-Racer toolset via the SafeBreach GitHub repository to enable further research and development.
  • Added original attack content to the SafeBreach platform that enables our customers to validate their environment against the EPM poisoning techniques outlined in this research to significantly mitigate their risk.

For more in-depth information about this research, please:

  • Contact your customer success representative if you are a current SafeBreach customer
  • Schedule a one-on-one discussion with a SafeBreach expert
  • Contact Kesselring PR for media inquiries

About the Researcher

Ron Ben Yizhak (@RonB_Y) is a security researcher at SafeBreach with 10 years of experience. He works in vulnerability research and has knowledge in forensic investigations, malware analysis, and reverse engineering. He previously worked in the development of security products and has been invited to share his research at DEF CON several times.

Mental Health Overtakes Prescription Refills as Top Reason Canadians Use Virtual Care, New Data Shows

Posted in Commentary with tags on June 30, 2026 by itnerd

Your Doctors Online (YDO) today released an analysis of patient consultation data covering January 1 through June 9, 2026. Drawn from more than 32,000 active cases, the findings reveal growing demand for mental health support among Canadians, particularly younger adults who are increasingly turning to digital platforms as their primary point of medical contact.

Mental health emerged as the leading consultation category on the YDO platform in the first half of 2026. Anxiety and depression together accounted for more than 5,600 consultations in just over five months — surpassing prescription refills, lab result reviews, and every other category of patient contact combined.

Behind those numbers is a high volume of consultations from young adults between the ages of 18 and 34, and disproportionately women, who are reaching out for care.

Among YDO’s most common consultation reasons in the first half of 2026, anxiety and depression stood out as the dominant drivers of patient demand. Anxiety alone generated 3,350 consultations — 77% involving female patients — while depression accounted for a further 2,274 consultations, with women comprising 82% of that total.

The 18–34 cohort is particularly striking. This age group accounts for 2,455 anxiety consultations and 1,822 depression consultations — dwarfing every other demographic segment. Adults aged 35–54 represent the second-largest group (747 anxiety, 372 depression), while those 55 and over account for a comparatively small fraction of mental health contacts.

The pattern in YDO’s data aligns closely with what front-line clinicians have been observing across Canada’s healthcare system — a sustained demand for mental health support that far outpaces available resources, and a particular concentration of need among younger adults navigating the economic, social, and psychological pressures of post-pandemic life.

YDO’s data arrives against a backdrop of well-documented strain on Canada’s mental health infrastructure. According to national health authorities, wait times for publicly funded mental health services can stretch from several months to over a year in many provinces. For a 24-year-old in the middle of an anxiety crisis, or a 28-year-old who has just run out of antidepressants and cannot get a same-week appointment, virtual care has become a vital safety net.

Top consultation reasons, YDO platform — Jan 1 to Jun 9, 2026:

  • Anxiety — 3,350 cases (77% female; 18–34 age group accounts for 73% of cases)
  • Depression — 2,274 cases (82% female; 18–34 age group accounts for 80% of cases)
  • Lab results review and requisitions — 1,818 cases (61% female)
  • Prescription refills — 1,292 cases (54% female, 46% male — most balanced split across all categories)
  • Patient needs assistance — 410 cases
  • Nutrition consultation — 293 cases (73% female; primarily weight management and metabolic health)

Methodology Note:

All data referenced in this release represents total consultations, not unique individuals, as single patients may have multiple interactions. Data is fully anonymized and aggregated at the population level. No patient names, contact details, or personally identifiable information of any kind are collected, stored, or referenced. YDO’s data practices comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial health information legislation.

Note on Gender Data: Analysts note that the stark gender split reflects help-seeking behavior as much as clinical need. Research consistently shows men are less likely to reach out for mental health support, meaning male numbers within telehealth data likely understate the actual scope of need.

Fortra Recognized by U.S. News as a Best Company to Work For in Four Categories

Posted in Commentary with tags on June 30, 2026 by itnerd

Fortra has been named a 2026 U.S. News Best Company to Work For in four categories: Overall, Information Technology, Midwest, and Supporting Family Caregiving. The annual U.S. News Best Companies to Work For ratings recognize companies that best support employees’ day-to-day experience. For this year’s rankings, U.S. News evaluated nearly 1,100 privately held companies and nonprofits using publicly available data, including employee reviews, court records, financial strength, and governance information. Companies did not apply for consideration, submit data, or pay a fee to be evaluated. 

In the U.S. News evaluation, Fortra received perfect scores of 5 out of 5 for both work-life balance and flexibility, and physical and psychological safety. Additionally, the company was awarded strong scores for job and company stability, belongingness and esteem, and career opportunities and professional development. Together, they point to an environment in which employees are supported in their work, encouraged to grow, and given the flexibility to balance their professional and personal lives. 

New data on future of VDI and workspace delivery put out by Recast Software

Posted in Commentary with tags on June 30, 2026 by itnerd

Recast, in partnership with Nerdio and VMblog, today released the findings of the 2026 State of VDI Survey in a new report, “VDI Isn’t Done. It’s Being Reworked.” The results show that VDI remains part of the workspace mix, but many IT teams are changing how they operate, secure, and support these environments. Notably, administrators lack confidence in their ability to patch VDI environments in a timely manner, making them prone to risk.

VDI is not being abandoned, but it is being actively retooled

Contrary to industry lore, VDI isn’t dead. However, it is evolving. Only 2% of respondents planned to exit an existing deployment entirely in the next 12 to 18 months, while 49% of current users reported a significant change to their VDI, Cloud PC, or published application environment over the last two years. Plans were mixed across keeping, expanding, replacing, reducing, evaluating, or starting deployments, which points to active modernization rather than a broad move away from VDI.

VDI teams lack confidence that their environments are being patched on time

The survey highlights a patch confidence gap between operations and security. Among current users, only 34% were very or extremely confident that required operating system and third-party application updates were being applied on time. Security concerns extended beyond access, with 47% citing audit logging and traceability, 41% citing data leakage controls, and 31% citing patch or vulnerability exposure windows. Although confidence is not proof of failure, it is an important operating signal. Secure access matters, but teams also need timely updates, clear reporting, and proof that controls are working.

The real cost of VDI is the burden of everyday operational work

Performance variability was the top operational pain point at 41%, but 53% of current users cited at least one lifecycle-related issue, including image management and update effort, application delivery or updates, or user profiles and personalization. Additionally, 32% of current users cited high ongoing cost, and 61% of those asked about barriers to change cited budget constraints. Together, the findings suggest that much of the cost and friction in VDI comes from the everyday work of keeping environments current, usable, and supportable.

The report is based on a significant number of responses from IT professionals with awareness of VDI, Cloud PCs, and published applications. Percentages are rounded, and some questions were multi-select.

Nomerra raises $2 million to tackle private markets’ looming paperwork crisis

Posted in Commentary with tags on June 30, 2026 by itnerd

Private markets are on track to triple from $13 trillion to over $30 trillion in the next few years, but the operational work underneath has not kept up. It still runs through emails, PDFs, spreadsheets, and disconnected systems, while the industry is running out of people who can hold it all together. Nomerra has raised $2 million to make private market operations AI-native for the asset servicers and asset managers behind the world’s fastest-growing capital market.

Nomerra has secured $2 million in its first round of funding, making it one of the largest FinTech pre-seed rounds this year. The round was led by 14Peaks Capital, with participation from Redstone Fintech and senior individuals from firms including KKR and Intapp.

The company was founded by Johannes Gebendorfer and Jakob Zacherl, who were both first employees at bunch, a tech-enabled fund administrator that recently announced its Series B and has raised more than $50 million. They helped scale the team to more than 100 people and expand across Europe. Both saw firsthand how AI transforms private market operations and founded Nomerra to bring that shift to the industry at large.

In their previous roles, the founders realized that everything that makes public markets efficient simply does not exist for private markets: there is no standardization, no interconnectedness, no efficient record-keeping. The same data gets manually retyped between isolated systems and spreadsheets, often multiple times for a single transaction. Meanwhile, private markets have become much more complex to operate in recent years: new investor channels, more frequent reporting, tighter regulation, semi-liquid structures, evergreens and expansion into novel asset classes all add more operational load. The industry’s default response has been to hire more people, but the right people are getting harder to find. As private markets triple in size over the next five years, the number of qualified accountants has decreased by a third over the last decade.

Nomerra tackles this by making private market operations AI-native, starting with the scattered, high-volume work enterprise asset servicers and managers still run by hand: fund accounting, treasury and transfer agency. It is the work that runs in the background, but holds the entire industry together.

Nomerra connects to the systems firms are already using, including ERPs, banking platforms, email and document storage. It pulls information into a single context layer so agents can see everything a human operator would see. From there, Nomerra agents follow the firm’s own operating procedures: reading documents, extracting the right data, cross-checking it across sources, and delivering outcomes the same way a trained team member would. Users hand off work to Nomerra agents through tools they’re already in or by setting up continuously running background agents.

The goal is to shift people from preparing deliverables to reviewing them. Nomerra agents handle the end-to-end execution and present the output in purpose-built review interfaces with a full audit trail: what was done, why, and where the data came from. Over time, even the review layer becomes supervisory, and teams orchestrate fleets of Nomerra agents that ship entire deliverables on their own.

More capital than ever is expected to flow into private markets, and every manager and servicer needs to be ready to capture their share. Nomerra gives them the bandwidth to do it, letting firms scale without being bottlenecked by operations. The company will use the funding to grow its engineering team and meet surging demand for AI solutions across enterprise asset servicers and managers in Europe and the United States.