Normal view

Received — 25 June 2026 The Register - Security

UK school’s network left wide open for invasion, student found

25 June 2026 at 07:00
PWNED Welcome back to PWNED, the weekly column where we school ourselves on others' security failures. This week, we’ll learn about a school where the entire network was like an open-book test … and the IT department got a zero. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our tale of academic pwnage comes courtesy of a reader we’ll Regomize as Nathan. Nathan was 17 and attending sixth form at a UK school when he found a treasure trove of admin privileges and data at his fingertips. One day, our hero connected his laptop to his school’s Active Directory domain. There was no admin authentication required and Nathan was able to see domain controller tools in view mode, look at policy maps, and so on. Nathan then browsed the directory and located the domain administrator account. The password, “horse fence ditch,” was written right in the description field, where anyone with access to the network could view it. There were also backup accounts with passwords such as “bd” and “bigbaddog.” Once he had full God mode enabled, Nathan said, he could see student and staff data, gain Remote Desktop access to any server or domain controller, and even access LanSchool, a popular classroom management app. “I could've accessed sensitive leadership docs, reset passwords, deleted accounts, wiped the whole network, etc,” Nathan told The Register. Moreover, the entire system was synced with Google Workspace, so Nathan had access to user mailboxes as well. He even found firewall settings, security policies he could change, and keystroke histories. Because Nathan was a student and did not want to get in trouble at school, he didn’t actually use any of these privileges. He kept his head down and graduated from school without incident, but also without reporting the vulns, which might still be in place today for all we know. So what can we learn from this tale of academic malpractice? First, as we learned a few weeks ago, do not store passwords in description fields for Active Directory. In fact, do not store passwords in cleartext anywhere without serious controls! Second, Nathan should not have been able to see Active Directory domain controller tools. And it might also have helped if Google Workspace had different admin credentials. Imagine the restraint required not to change people's grades, take over their computers, or delete data. Would you have been able to exercise the same level of discipline as a 17-year-old? ®

Nation-state actors cracked critical Australian infrastructure to ‘cripple it at a time of their choosing’

25 June 2026 at 04:31
Australia’s Security and Intelligence Organisation (ASIO) has established dedicated teams to counter nation-state attacks on critical infrastructure, the org’s director general Mike Burgess revealed yesterday. “We discovered nation-state hackers had compromised the network of an Australian critical infrastructure provider,” Burgess said yesterday in remarks accompanying the release of ASIO’s annual threat assessment, a task it performs in its role as Australia’s equivalent to the FBI and MI5. “ASIO assessed the hackers were preparing for sabotage. They weren’t planting ‘digital dynamite’ as such; they were mapping out the network and maintaining access so they could cripple it at a time of their choosing.” “In this case, a state-sponsored group didn’t just achieve access to the Australian critical infrastructure provider, it successfully acquired credentials – login details and passwords – for active users of the networks, including the IT professionals guarding it,” he added. Burgess said ASIO “identified, tracked and attributed the hack, and worked with the victim company and our security partners to remediate the compromise – work which is ongoing.” “The scale of this activity – led by one nation-state in particular – is difficult to overstate,” he added, before saying Australia is not alone in facing such attacks. “We struggle to find a single country in our region that has not been compromised by this state’s cyber apparatus.” He described cyber sabotage as “an evolving threat. I have established dedicated teams to counter it.” Burgess also shared an example of espionage targeting Australia’s military to gain information about the AUKUS pact – the US/UK/Australia defense collaboration that will see The Land Down Under acquire nuclear submarines, and which also includes collaborations around information technology capability, and intelligence activities. “A spy from a foreign intelligence service approached an Australian security clearance holder online, pretending to be from a consulting company,” Burgess revealed. “The spy paid the official to write two reports on Australia’s relationship with our Pacific neighbours, and then, thinking he’d been hooked, offered money for inside information on AUKUS.” The Australian official became suspicious, reported the incident and conducted interviews with ASIO during which Burgess said the spy agency “gained valuable insights into the foreign service’s information gaps and tradecraft.” The Australian official even handed the money they were paid by the foreign spy to ASIO. “In effect, ASIO disrupted the foreign intelligence service’s operation and made them pay for it,” Burgess crowed. ASIO then scored another win. “My officers borrowed the phone from the official and rang the so-called consultant in her home country. Thinking it was her target, the spy picked up and got a very unwelcome surprise when she realised she was speaking to ASIO,” Burgess said. “We demonstrated we knew exactly who she was, demanded she cease targeting Australian citizens, stated we have zero tolerance for spying on AUKUS, provided a quick overview of Australia’s espionage laws and pointed out the Director-General reserves the right to speak publicly about these matters. At that point the spy hung up.” ASIO officers later mentioned this incident to members of the foreign intelligence service that ran the op. Burgess seems to think that officers at that foreign agency may not have told their superiors about the op failing. “In case they did not report it up – I’m confirming it now,” he said. Burgess also pointed to abuse of online spaces continuing to represent a threat to Australia. “Instead of being radicalised by associates in the real world, individuals are often being radicalised by strangers online,” he said. “Instead of being radicalised over months and years, individuals are increasingly being radicalised in weeks. Instead of being radicalised as adults, individuals are all too often being radicalised as minors. Instead of gathering in prayer halls or backyards, radicalised individuals are frequently gathering in encrypted chat rooms.” “And, instead of spending time and resources planning sophisticated attacks, radicalised individuals are moving to low-capability attacks with little or no warning,” he said. “Traditional groups such as Islamic State and al-Qa’ida and their affiliates are growing their capability to conduct and inspire attacks, enabled both by permissive geographic and online spaces.” Burgess revealed ASIO has “resolved” 14 “significant-terror related cases” since the December 2025 terror attack at Sydney’s Bondi beach, and 31 “major terrorism plots” since 2014. He said ASIO is now “aggressively adopting new tools and techniques – including artificial intelligence – to navigate our security environment,” and invited Australians to work for the agency, perhaps as offensive hackers. “All ASIO’s teams contribute to our mission and every ASIO officer makes a difference, whether you collect the dots or connect the dots, run cables or run sources, code networks or penetrate networks,” he said. ®

The hits keep on coming for Cisco vulnerabilities

24 June 2026 at 22:27
It’s looking like another tough week (month? year?) for Switchzilla amid reports of new serious vulnerabilities under attack. First up is a server-side request forgery bug in its Unified Communications Manager tracked as CVE-2026-20230. Cisco disclosed and patched this flaw in early June. The comms control platform doesn’t properly validate some HTTP requests, and an attacker could exploit this bug to gain root privileges on a compromised device. At the time, Cisco said that a proof-of-concept exploit was available – and now it seems unknown miscreants are putting that exploit code to use, with threat intel company Defused warning that it observed miscreants exploiting CVE-2026-20230 over the weekend. “The observed chain abuses the WebDialer SSRF to deploy a rogue Apache Axis service, uses that service to write a first-stage JSP file-writer, then drops a second-stage command-execution shell under /platform-services/axis2-web/,” the firm noted on LinkedIn. Cisco Catalyst SD-WAN zero day Then, a Mandiant advisory on Wednesday warned that a Cisco SD-WAN zero-day tracked as CVE-2026-20245 was exploited much earlier than initially disclosed, including at a communications service provider where the attacker elevated a compromised admin account to full root-level access. While the Google-owned threat hunting biz said it can't assess the full scope of the intruders' post-compromise activity, this SD-WAN device compromise could have been dire, potentially giving the attacker total visibility across an entire corporation's internet traffic. This is what makes SD-WAN zero-days such a hot target for government-sponsored spies looking to set up shop for long-term snooping activities. It also explains the rash of attackers battering Cisco SD-WAN devices since the start of the year. Cisco had issued an advisory for CVE-2026-20245 in early June, admitting that attackers had a head start on abusing this security hole. “In June 2026, the Cisco PSIRT became aware of exploitation of this vulnerability,” the vendor said at the time. In a Wednesday report, however, Google’s Mandiant incident response and consulting biz reported that exploitation of this bug – Cisco’s sixth SD-WAN vulnerability listed as under attack since the start of the year, and the second zero-day in two months – began much earlier. “In early 2026, Mandiant identified a threat actor targeting SD-WAN infrastructure at a service provider,” Mandiant threat hunters Chester Sng, Pete Boonyakarn, and Logeswaran Nadarajan wrote. “After gaining initial access, the threat actor exploited a zero-day vulnerability (CVE-2026-20245) in Cisco Catalyst SD-WAN to escalate privileges from a compromised administrative account to root-level access.” The attacker gained initial access via an unauthorized peering connection, abusing the SD-WAN fabric to authenticate between network components and facilitate Secure Shell (SSH) access. In this case, they authenticated to the SD-WAN manager device via SSH using the vmanage-admin account on the same victim devices. Then, they changed the default password on the admin account, authenticated directly to the SD-WAN Manager web application interface using the admin account, and exfiltrated SD-WAN fabric configurations. Likely in an effort to cover their tracks and not get caught, the attacker changed the password of the admin account back to its original one before terminating their active session. Neither the vmanage-admin nor the admin accounts on Cisco Catalyst SD-WAN controllers possess root shell access, however. To gain root access, the attacker exploited CVE-2026-20245, which allows an authenticated, local attacker to execute arbitrary commands as root by supplying a crafted file to the vulnerable system. The attacker uploaded a file named evil_tenant.csv that contained the exploit payload. Upon execution, the digital intruder created a user account named troot with full root privileges. Mandiant says it later observed the miscreant accessing this new troot account from the admin account using the substitute user command. The Register reached out to Cisco about the reported exploitation of CVE-2026-20230, and Mandiant’s investigation into CVE-2026-20245. The company pointed us to its June advisory on the latter matter, and is working on response to our first question. ®

Microsoft uses AI to link two malware operations in racketeering suit

24 June 2026 at 17:42
Microsoft, its friends, and international law enforcement - with an AI assist - disrupted two widely used pieces of malware and their infrastructure, in what Redmond describes as a novel approach to cybercrime disruption that targets the cyberattack supply chain instead of a single tool or service. “What’s new is how we’re combining AI analysis with an expanded use of that law,” Steven Masada, assistant general counsel for Microsoft’s Digital Crimes Unit, said in a Wednesday blog, referring to the Racketeer Influenced and Corrupt Organizations Act (RICO). Typically Microsoft uses RICO and other US laws to take legal action against a single cybercrime service or infrastructure. The disruption involved the takedown, suspension, and blocking of more than 200 domains and command-and-control (C2) servers that formed the backbone of StealC and Amadey infrastructure. Multiple security companies, including ESET, BitSight, Mitsui Bussan Secure Directions (MBSD), IBM X-Force, and Proofpoint, also played a role in dismantling the alleged operations. Combined with the earlier SocGholish disruption announced last week, a Europol-led law enforcement coalition flagged and restricted cryptocurrency assets valued at more than $47 million and recovered about 27 million stolen credentials. StealC and Amadey are two separate malwares developed by different criminal crews, but they used the same infrastructure and were operating in concert. StealC collects multiple browser credentials and cookies, cryptocurrency wallets, chats from messaging apps, and other sensitive data, and exfiltrates the stolen goods to a C2 server. It also works as a secondary loader, allowing criminals who rent the stealer to download additional malware on compromised devices. Amadey is a malware-as-a-service used to deliver StealC and other stealers, plus other types of malware including remote access trojans, cryptominers, and ransomware. In just the first two weeks of May, Amadey and StealC were linked to more than 140,000 infected computers globally, according to Microsoft. “It’s no longer enough to go after threats one by one,” said Masada. “We need to interrupt how the attacks are put together.” In this case, Redmond’s investigators used Copilot and other AI tools to analyze both malwares and their infrastructure, “asking questions in plain English instead of manually combing through complex code,” Masada wrote. “That helped surface key details, uncover hidden data, and test findings in a fraction of the time, turning what would have taken hours or days into minutes and enabling the team to spot connections faster.” One of these key details: both Amadey and StealC used the same infrastructure. This allowed Redmond’s legal team to treat both malwares as part of a single conspiracy under RICO and bring civil claims against five defendants allegedly involved across both operations. “Defendants comprise a group of cybercriminals operating a Malware as a Service enterprise that leverages malicious software commonly known as the Amadey Malware Suite and StealC Malware Suite (the "MaaS Enterprise"),” the court documents say. “Through the Maas Enterprise, Defendants and their accomplices have victimized hundreds of thousands of innocent computer users, including many users of Microsoft's software and services.” ®

London cops bring live facial recognition to West End

24 June 2026 at 11:45
The Metropolitan Police Service (MPS) will start using static live facial recognition (LFR) cameras in London's West End and Soho by the end of this year following a six-month pilot in the south London borough of Croydon. Static LFR involves the police temporarily attaching cameras to lampposts or similar infrastructure, with the feeds monitored remotely and officers on the ground stopping people whom the technology matches to images on its watchlist. The MPS said that each of the 24 deployments in central Croydon between October 2025 and March 2026 used a bespoke watchlist created up to 24 hours in advance and deleted afterward. Civil liberties campaign group Big Brother Watch, which in April lost a High Court challenge to police use of LFR, said the force was rushing ahead with deployment before Parliament has passed legislation regulating the technology's use. "We are calling on the Met to stop this experiment until, at least, Parliament has spoken," Jack Coulson, the group's head of advocacy, said in a press release. "Policing by consent is a cultural inheritance we must protect. Permanent biometric surveillance of the public square is incompatible with that ideal." He highlighted the case of Alvi Choudhury, a Southampton man arrested and held for ten hours in January after a retrospective LFR system run by Thames Valley Police matched him to a crime committed in Milton Keynes, a city he had never visited. "It is predictable, given the technology's racial bias, that Mr Choudhury was confused for another Asian man," said Coulson. The MPS said that in Croydon more than 470,000 people walked past the LFR cameras, leading to 173 arrests and one false alert, which resulted in officers stopping someone without arresting them, realizing the mistake, and letting them go. The force added that one of those arrested, a registered sex offender who was communicating with a child under 16, was subsequently sentenced to two years in prison in May for breaching a sexual harm prevention order and making indecent images of children. MPS Commissioner Mark Rowley said on June 24 that the force planned to "significantly step up our use of technology to fundamentally change how we protect the public" through the use of live LFR, a city-wide emergency services drone network, and AI to analyze the footage from the capital's one million CCTV cameras. Rowley added that the force needs to spend more on technology but its budgets for doing so have been repeatedly cut, with spending of around £6,000 per person compared with budgets of more than double that at some government agencies. Earlier this month, the commissioner said the MPS would have to cut around 700 frontline posts after London's deputy mayor for policing and crime, Kaya Comer-Schwartz, refused to approve its plan to award a major contract to controversial US supplier Palantir. ®

❌