Markus
@markuslam.bsky.social
Living @GrimNorth
Working with ICT Security
CVE has been rejected by NIST. nvd.nist.gov/vuln/detail/...
November 11, 2025 at 6:54 AM
So, the republican health care plan is to ban all health care insurances?
All it took was a government shutdown to get Trump to move closer to a single payer universal health care system.
November 8, 2025 at 4:27 PM
Close, but no banana...
Medical emergency in the White House as someone collapses
November 6, 2025 at 6:29 PM
She probably is seeing the writing on the wall and is clearly trying to court votes from the moderate wing of gop. Only time will tell how well she succeeds. Personally, if the vote is between her and a door nail, the door nail gets my vote.
Marjorie Taylor Greene: "Bailing our Argentina and blaming our cattle ranchers is not the way to go."
November 6, 2025 at 4:10 PM
Is this lunatic suggesting rigging elections 🤔
Trump: "They're gonna make DC a state and they're gonna make Puerto Rico a state. So now they pick up two states, four senators. They're gonna pick up electoral votes. It's gonna be a very, very bad situation. Now, if we do what I'm saying, they'll most likely never obtain power."
November 5, 2025 at 2:01 PM
Reposted by Markus
Hackers Compromise Active Directory to Steal NTDS.dit Exfiltration that Leads to Full Domain Compromise
Active Directory (AD) remains the foundation of authentication and authorization in Windows environments. Threat actors targeting the NTDS.dit database can harvest every domain credential, unlock lateral movement, and achieve full domain compromise. Attackers leveraged native Windows utilities to dump and exfiltrate NTDS.dit, bypassing standard defenses.

The adversary in this case obtained DOMAIN ADMIN privileges via a successful phishing campaign and subsequent privilege escalation. Once elevated, they executed the following to create a Volume Shadow Copy and extract NTDS.dit, silently bypassing file locks. With the SYSTEM hive obtained, attackers decrypted the database offline using secretsdump.py from Impacket. This chain enabled harvesting of NTLM and AES hashes for all domain accounts without triggering traditional endpoint alarms.

[Figure: Full Kill Chain]

After archiving and compressing the dump with tar -czf ntds.tar.gz c:\temp\ntds.dit c:\temp\SYSTEM, the attackers exfiltrated data over SMB to a compromised file share.

[Figure: NTDS.dit file dump]

Trellix detected this activity via two high-fidelity signatures: anomalous SMB write patterns exceeding baseline volume and a custom exfiltration signature for large NTDS file transfers. Behavioral detection flagged unexpected esentutl processes running outside maintenance windows, and protocol anomaly alerts triggered on shadow copy reads to C:\$VolumeShadowCopy. Through Trellix Wise, AI-driven alert correlation highlighted the progression from VSS creation to SMB upload, reducing analyst workload by 60% and cutting mean time to detect (MTTD) by 45%.

The theft of NTDS.dit poses an existential threat to Windows domains, providing attackers complete control over all credentials.

[Figure: NTDS.dit archived for exfiltration]

Traditional defenses often miss the low-and-slow techniques employed during shadow copy creation and offline decryption.
cybersecuritynews.com
September 26, 2025 at 10:21 AM
Reposted by Markus
Volvo North America disclosed a data breach following a ransomware attack on IT provider Miljödata
Volvo NA disclosed a data breach that exposed the personal data of its employees after a ransomware attack hit third-party supplier Miljödata.
securityaffairs.com
September 25, 2025 at 5:21 PM
Reposted by Markus
CVE-2025-10184: Unpatched OnePlus Flaw Exposes SMS Data & Breaks MFA, PoC Available
A critical, unpatched OnePlus flaw (CVE-2025-10184) allows any app to read SMS data without permission, breaking MFA protections. PoC is available.
securityonline.info
September 24, 2025 at 5:24 AM
Reposted by Markus
Microsoft Entra ID flaw allowed hijacking any company's tenant
A critical combination of legacy components could have allowed complete access to the Microsoft Entra ID tenant of every company in the world.
www.bleepingcomputer.com
September 21, 2025 at 5:38 PM
Reposted by Markus
CVE-2025-9242: Critical WatchGuard Flaw Allows Remote Code Execution
A critical vulnerability (CVE-2025-9242) in WatchGuard's Fireware OS could allow an unauthenticated remote attacker to execute arbitrary code.
securityonline.info
September 17, 2025 at 11:07 AM
Reposted by Markus
Microsoft blocks bait for ‘fastest-growing’ 365 phish kit, seizes 338 domains
Microsoft, Cloudflare shut down RaccoonO365 phishing domains: Redmond names alleged ringleader, claims 5K+ creds stolen and $100k pocketed
www.theregister.com
September 16, 2025 at 10:04 PM
Alexa, give me things that did not happen for $100
Pete Hegseth claims officials from other countries have thanked him "privately" for blowing up a boat and killing 11 people without any due process
September 10, 2025 at 2:24 PM
This has to be THE most embarrassing thing, by a mile, a US president has done. I'm flabbergasted that this doesn't end his career as a public person.
September 9, 2025 at 7:48 PM
Reposted by Markus
GOP Cries Censorship Over Spam Filters That Work
GOP Cries Censorship Over Spam Filters That Work – Krebs on Security
The chairman of the Federal Trade Commission (FTC) last week sent a letter to Google’s CEO demanding to know why Gmail was blocking messages from Republican senders while allegedly failing to block similar missives supporting Democrats. The letter followed media reports accusing Gmail of disproportionately flagging messages from the GOP fundraising platform WinRed and sending them to the spam folder. But according to experts who track daily spam volumes worldwide, WinRed’s messages are getting blocked more because its methods of blasting email are increasingly way more spammy than that of ActBlue, the fundraising platform for Democrats.

[Image: nypost.com]

On Aug. 13, The New York Post ran an “exclusive” story titled, “Google caught flagging GOP fundraiser emails as ‘suspicious’ — sending them directly to spam.” The story cited a memo from Targeted Victory – whose clients include the National Republican Senatorial Committee (NRSC), Rep. Steve Scalise and Sen. Marsha Blackburn – which said it observed that the “serious and troubling” trend was still going on as recently as June and July of this year.

“If Gmail is allowed to quietly suppress WinRed links while giving ActBlue a free pass, it will continue to tilt the playing field in ways that voters never see, but campaigns will feel every single day,” the memo reportedly said.

In an August 28 letter to Google CEO Sundar Pichai, FTC Chairman Andrew Ferguson cited the New York Post story and warned that Gmail’s parent Alphabet may be engaging in unfair or deceptive practices.

“Alphabet’s alleged partisan treatment of comparable messages or messengers in Gmail to achieve political objectives may violate both of these prohibitions under the FTC Act,” Ferguson wrote. “And the partisan treatment may cause harm to consumers.”

However, the situation looks very different when you ask spam experts what’s going on with WinRed’s recent messaging campaigns.

Atro Tossavainen and Pekka Jalonen are co-founders at Koli-Lõks OÜ, an email intelligence company in Estonia. Koli-Lõks taps into real-time intelligence about daily spam volumes by monitoring large numbers of “spamtraps” — email addresses that are intentionally set up to catch unsolicited emails. Spamtraps are generally not used for communication or account creation, but instead are created to identify senders exhibiting spammy behavior, such as scraping the Internet for email addresses or buying unmanaged distribution lists. As an email sender, blasting these spamtraps over and over with unsolicited email is the fastest way to ruin your domain’s reputation online. Such activity also virtually ensures that more of your messages are going to start getting listed on spam blocklists that are broadly shared within the global anti-abuse community.

Tossavainen told KrebsOnSecurity that WinRed’s emails hit its spamtraps in the .com, .net, and .org space far more frequently than do fundraising emails sent by ActBlue. Koli-Lõks published a graph of the stark disparity in spamtrap activity for WinRed versus ActBlue, showing a nearly fourfold increase in spamtrap hits from WinRed emails in the final week of July 2025.

[Image: Koliloks.eu]

“Many of our spamtraps are in repurposed legacy-TLD domains (.com, .org, .net) and therefore could be understood to have been involved with a U.S. entity in their pre-zombie life,” Tossavainen explained in the LinkedIn post.

Raymond Dijkxhoorn is the CEO and a founding member of SURBL, a widely-used blocklist that flags domains and IP addresses known to be used in unsolicited messages, phishing and malware distribution. Dijkxhoorn said their spamtrap data mirrors that of Koli-Lõks, and shows that WinRed has consistently been far more aggressive in sending email than ActBlue. Dijkxhoorn said the fact that WinRed’s emails so often end up dinging the organization’s sender reputation is not a content issue but rather a technical one.

“On our end we don’t really care if the content is political or trying to sell viagra or penis enlargements,” Dijkxhoorn said. “It’s the mechanics, they should not end up in spamtraps. And that’s the reason the domain reputation is tempered. Not ‘because domain reputation firms have a political agenda.’ We really don’t care about the political situation anywhere. The same as we don’t mind people buying penis enlargements. But when either of those land in spamtraps it will impact sending experience.”

The FTC letter to Google’s CEO also referenced a debunked 2022 study (PDF) by political consultants who found Google caught more Republican emails in spam filters. Techdirt editor Mike Masnick notes that while the 2022 study also found that other email providers caught more Democratic emails as spam, “Republicans laser-focused on Gmail because it fit their victimization narrative better.” Masnick said GOP lawmakers then filed both lawsuits and complaints with the Federal Election Commission (both of which failed easily), claiming this was somehow an “in-kind contribution” to Democrats.

“This is political posturing designed to keep the White House happy by appearing to ‘do something’ about conservative claims of ‘censorship,’” Masnick wrote of the FTC letter. “The FTC has never policed ‘political bias’ in private companies’ editorial decisions, and for good reason—the First Amendment prohibits exactly this kind of government interference.”

WinRed did not respond to a request for comment. The WinRed website says it is an online fundraising platform supported by a united front of the Trump campaign, the Republican National Committee (RNC), the NRSC, and the National Republican Congressional Committee (NRCC). WinRed has recently come under fire for aggressive fundraising via text message as well.

In June, 404 Media reported on a lawsuit filed by a family in Utah against the RNC for allegedly bombarding their mobile phones with text messages seeking donations after they’d tried to unsubscribe from the missives dozens of times. One of the family members said they received 27 such messages from 25 numbers, even after sending 20 stop requests. The plaintiffs in that case allege the texts from WinRed and the RNC “knowingly disregard stop requests and purposefully use different phone numbers to make it impossible to block new messages.”

Dijkxhoorn said WinRed did inquire recently about why some of its assets had been marked as a risk by SURBL, but he said they appeared to have zero interest in investigating the likely causes he offered in reply.

“They only replied with, ‘You are interfering with U.S. elections,’” Dijkxhoorn said, noting that many of SURBL’s spamtrap domains are only publicly listed in the registration records for random domain names.

“They’re at best harvested by themselves but more likely [they] just went and bought lists,” he said. “It’s not like ‘Oh Google is filtering this and not the other,’ the reason isn’t the provider. The reason is the fundraising spammers and the lists they send to.”
krebsonsecurity.com
September 7, 2025 at 12:47 AM
This story is effing WILD!
September 5, 2025 at 2:39 PM
Translated: "It's a huge priority for us to commit mortgage fraud". It's always about projection for these guys.
"Mortgage fraud is a huge priority of ours" -- Trump official William Pulte
September 2, 2025 at 2:12 PM
Reposted by Markus
Watch what Don Jr does with his left hand.

This needs to be streaming inside the Capitol, Senate chamber, House chamber, and hologrammed across the White House and Department of Homeland Security.
September 1, 2025 at 4:04 AM
Reposted by Markus
NVIDIA Refuses to Pay 15% China Revenue Share Without a Law
NVIDIA's CFO has stated the company will not pay the U.S. government a 15% revenue share on China sales unless the agreement is formally codified into law.
securityonline.info
August 30, 2025 at 6:35 AM
Err... how about launching a study into how gun availability contributes to mass shootings and violence? Just a suggestion... I know it sounds far fetched, but who knows?
RFK Jr on the mass shooting in Minnesota: "We're launching studies on the potential contribution of some of the SSRI drugs and some of the other psychiatric drugs that might be contributing to violence."
August 28, 2025 at 1:30 PM
Reposted by Markus
Fact check: they don't
Trump: "They call me the president of Europe. Which is an honor."
August 25, 2025 at 3:20 PM
This has to be the worst timeline ever 🤦‍♂️ Anyone have a portal gun?
EXCLUSIVE: The Trump administration will move to pull the COVID vaccine off the U.S. market “within months,” one of Robert F. Kennedy Jr.’s closest associates has told the Daily Beast.
Trump and RFK Jr. to Ban Covid-19 Vaccine ‘Within Months’
A close associate of the HHS secretary claims the U.S. government will soon pull COVID-19 mRNA jabs from the market.
trib.al
August 25, 2025 at 3:21 PM
Reposted by Markus
Hackers Mimic IT Teams to Exploit Microsoft Teams Request to Gain System Remote Access
cybersecuritynews.com
August 16, 2025 at 12:12 PM
Sigh. Putler is playing the orange village idiot like a fiddle. Nothing good will come out of their meeting. The meeting will only play into Putin's hands and enable him to show off to his domestic audience. It's going to be a sad reminder that narcissist idiots should not be voted into office.
❗️The White House is currently planning only a bilateral meeting at Putin's request, not a trilateral one, Reuters reported.

NBC News previously reported that the White House is discussing the possibility of inviting Zelensky to Alaska during the talks between Trump and Putin on August 15.
August 10, 2025 at 11:30 AM
Laughable, the harvests are going to be left on the fields and rot because no one is interested in hard work for peanuts 😒 Building homes and houses will take longer and be more expensive.
Rep. Greg Steube: "As more and more illegals are deported from our nation, it'll give the opportunity for more citizens of our country to take these jobs."
August 8, 2025 at 3:59 PM
Reposted by Markus
Critical Firmware Vulnerabilities Expose Millions of Dell Laptops to Device Takeover and Malware Attacks
A wide range of vulnerabilities affects millions of Dell laptops used by government agencies, cybersecurity professionals, and enterprises worldwide.
cybersecuritynews.com
August 6, 2025 at 4:03 AM