Normal view

Law firm insisted on one password to rule them all

16 July 2026 at 07:00
PWNED Welcome back to PWNED, the weekly column where we gather lessons from organizations that didn’t take security seriously enough. This week’s tale of woe comes from a company that left a door wide open for miscreants, but was lucky it didn't have to pay the price. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. Our story comes courtesy of a reader we’ll Regomize as Manny. A few years ago, Manny got a job working at a law firm. The firm used him to replace an entire team, making him the de facto IT department all by himself. He soon discovered that all of the company’s data and applications lived in one large web-based interface, which was divided up based on the type of client. So there were areas in the UI for personal injury cases and others for travel refunds, for example. There was just one big, gaping security hole: a master password that allowed you to log in as any user in the system. If you had this password, which many people in the law firm did, you could grab detailed personal information about any client, even their health records. “I immediately raised this as a huge security risk,” Manny told us. “But I was told, 'Oh that's the admin password, everyone uses it. Don't touch it.'” As long as you had the person’s email address that you wanted to impersonate, this password would allow you to impersonate them. This applied to both staff and clients. “Colleague is off sick? Sign in as them and reassign their work to someone else to complete. Client forgot to fill in a field? Log in as them and complete it for them,” Manny said. The system itself was 15 years old, ancient in tech terms, and it desperately needed replacing. So Manny was asked to build a whole new system. Naturally, he refused to add a back door, even though that’s what the boss wanted. “I point blank refused to add any back doors to it,” Manny recalled. “So they promoted every user to a system admin and carried on, business as usual.” What we can take away from Manny’s experience is that sometimes even the best IT people who know security basics can still be hindered by clueless management. We also know that sometimes in order to pay the bills, IT people have to go along with security practices they strongly disagree with. In the end, the boss will have the final word, even if that word is “ignorance.” ®

Cyberattack threatens utterly critical infrastructure in Japan: KFC

16 July 2026 at 02:01
The crippling high-consequence attack on vital infrastructure that cybersecurity experts have warned about for years is upon us, in the form of an incident that may force KFC to close some stores in Japan. Colonel Sanders himself is not the victim here. That role goes to Nichirei Group, a Japanese purveyor of frozen foods and super-chill logistics services that move them around. Nichirei Group on Monday posted a notice in which it admitted “system failures caused by unauthorized access have occurred.” The failures meant the frozen food concern could not arrange shipments to or from its refrigerated warehouses or conduct its other operations. Shortly after Nichirei Group revealed its difficulties, KFC Japan warned customers that delivery of ingredients to its stores would likely be affected. The chicken chain therefore stopped taking orders through its app and website and said it may need to limit menu items and opening hours. “Some stores may be closed depending on the availability of ingredients,” the company said. On Wednesday, Nichirei Group confirmed the cause of the outage was a cyberattack and admitted attackers accessed a server that stores personal information. The Group declined to offer any detail on the incident “to prevent further damage.” The company hopes to resume operations on Friday. That Nichirei Group is unable to provide some services suggests a ransomware attack has made some data unavailable. The mention of “further damage” suggests that discussing whatever happened could divulge clues about security weaknesses that would allow further attacks, perhaps directed at the Group’s clients. KFC Japan hasn’t posted any information about store closures. Indeed, the company continues to promote summer menu items such as a Japanese-style citrus and chicken combo that the chain says is refreshing to eat even in the heat of summer. The Register’s Asia-Pacific bureau will not venture to Japan to assess the impact of this incident, or try the burgers: At times like this, with critical infrastructure under stress, that’s just the right thing (not) to do. ®

CISA sounds alarm over trio of exploited SharePoint flaws

15 July 2026 at 15:21
The US Cybersecurity and Infrastructure Security Agency (CISA) has urged all organizations running SharePoint to harden their defenses after the disclosure of actively exploited vulnerabilities. The warning applies to those running any supported version of SharePoint Server on-prem, with three vulnerabilities of particular interest cited. A spoofing bug, CVE-2026-32201 (6.5), was the first to be mentioned. Microsoft disclosed it in March and CISA confirmed it was being actively exploited in June. Additionally, CISA appears concerned by CVE-2026-45659 (8.8) – a remote code execution (RCE) flaw made public in June and confirmed as being actively used in attacks last week after Microsoft said exploitation was "less likely." The most recent of the three, CVE-2026-56164 (5.3), a privilege escalation flaw, was one of the 622 bugs that featured in this month's record Patch Tuesday. CISA also picked out two more critical bugs, both from the latest Patch Tuesday, as ones that could potentially complicate SharePoint security further. Neither CVE-2026-55040 (9.1) nor CVE-2026-58644 (9.8) is being actively exploited to date, although Microsoft has attached the "Exploitation More Likely" label to both. CISA said the three exploited vulnerabilities are associated with post-exploitation activity, including the theft of Internet Information Services (IIS) machine keys and deserialization techniques, both in an effort to gain persistence and deploy malware. The agency did not offer any more detail about what led it to issue the warning, but went on to encourage defenders to review an alert it published in August 2025, which similarly urged organizations to harden SharePoint from "ToolShell" attacks. CISA said attackers were chaining together CVE-2025-49706 (6.5) and CVE-2025-49704 (8.8) to break into SharePoint Servers and, in some cases, deploy Warlock ransomware. It did not go as far as attributing the activity referenced in either SharePoint advisory to any group or country, although Microsoft said as far back as July 2025 that ToolShell vulnerabilities were being exploited by Chinese nation-state crews. Applying Microsoft's latest security patches and verifying that Antimalware Scan Interface (AMSI) integration is enabled for each SharePoint web application are among the recommended hardening measures. CISA also advised defenders to go threat hunting for signs of intrusion before rotating IIS keys to avoid exposing SharePoint to the web unless it's necessary and block external access to SharePoint Central Administration. As is the case with any potential intrusion, CISA encouraged organizations to implement robust, tailored logging that can detect potential exploits. ®

LegacyHive: 'Bone-shattering' zero-day from Microsoft's serial tormentor not the haymaker that was promised

15 July 2026 at 12:59
UPDATED: Microsoft’s worst nightmare - a prolific zero-day vulnerability hunter who calls themselves Nightmare Eclipse - published yet another zero-day on Tuesday, a vulnerability allowing attackers to mount user hives, including partial exploit code. Suspected of being a disgruntled former Microsoft engineer, based on the sophistication of their prior vulnerabilities, NightmareEclipse came good on their promise to release another zero-day on July 14. Whether it lives up to the promised “bone-shattering” standard touted in June is up for debate, however. Called “LegacyHive,” the proof of concept (PoC) code for the zero-day local privilege escalation (LPE) vulnerability targets Windows’ user hives - the section of the Windows Registry that stores a user's specific desktop settings, application preferences, and environment configurations. The code exploits a weakness in profsvc, the Windows User Profile Service, and the way in which it loads hives. If exploited correctly it could grant regular users privileged read-write access to target other users' hives. Matei Badanoiu, lead security researcher at Pentest-Tools.com, said that while the exploit could prove useful for attackers who had already gained a foothold in a target environment, it falls short of providing a fuller system compromise. “What caught my attention is the difference between what the public proof of concept actually demonstrates and what a full compromise would require,” he told The Register. “LegacyHive is a local privilege escalation in the Windows User Profile Service. It abuses arbitrary registry hive loading, so a standard user can mount another user’s hive, including an administrator’s, into their own classes root. “For an attacker who already has a foothold, that is a genuinely useful primitive. Bundling it with credential access and persistence into ‘full compromise’ is more of an ambition than the released code.” The LegacyHive publication differs from some of NightmareEclipse’s earlier drops in that the PoC code is stripped back in an effort to prevent widespread exploitation. According to the bug hunter, there is more than one way of exploiting the profsvc flaw. The public PoC requires additional user credentials for it to work, and is limited to the usrclass.dat hive. NightmareEclipse said the original PoC, which differs from the one they published, does not require additional user credentials to exploit the bug, and it works beyond the usrclass.dat hive, “but you would need some brain cells to make the PoC do it.” This represents a divergence from NightmareEclipse’s previous approaches. As Badanoiu pointed out to us, some of NightmareEclipse’s earlier drops, such as BlueHammer and RedSun, went from PoC to widespread exploitation within days. LegacyHive, however, comes without a fully working PoC and a CVE identifier. Regardless, security experts told The Register that cyber practitioners should respond promptly since capable attackers could probably build a reliable exploit, despite the gaps left in the PoC by NightmareEclipse. “Threat intelligence teams are advised to act with some urgency here,” said Dray Agha, senior manager of security operations at Huntress. “Huntress observed NightmareEclipse's prior LPE and defence evasion tools rapidly deployed threat actors and ransomware groups shortly after publication. “Given this history, we’d expect that capable actors will reverse-engineer the missing components of the LegacyHive PoC to build fully weaponized versions in short order.” The timing NightmareEclipse may have changed their approach to releasing full working PoCs to the public, perhaps a reflection of Microsoft’s suggestion of preparing legal action against the bug hunter, but the nuisance timing of the vulnerability disclosures remains. They dropped the details for LegacyHive shortly after Microsoft released its monthly Patch Tuesday updates, which contained an unprecedented 622 fixes. Agha said timing the disclosure in this way maximizes the exposure window before a patch can be developed, causing more trouble for Microsoft. The Register asked the Windows-maker about LegacyHive and whether it was planning to release a fix before August’s patches. NightmareEclipse claims their latest zero-day works against Windows machines that are fully patched according to July’s fixes. Microsoft previously issued a quiet remedy for one of NightmareEclipse’s earlier zero-days, RoguePlanet, last week, although the company did not go into any details about what the mitigation entailed. ® Updated to add on July 16: A Microsoft spokesperson got in touch with The Reg to say is is: "aware of the reported vulnerability and is actively investigating the validity and potential applicability of these claims." They added: "Microsoft is committed to investigating security issues and updating impacted products to protect customers as soon as possible. Importantly, we support coordinated vulnerability disclosure, an industry standard that protects customers and supports the research community by ensuring their findings are thoroughly investigated and addressed before being made public."

❌