Hey there! Hope you had a great weekend. Let's get into it!

🩺Threat Pulse

​China’s Tacit Admission of Volt Typhoon Attacks​

At a December 2024 Geneva summit, China’s Ministry of Foreign Affairs cyber official Wang Lei made ambiguous remarks that U.S. delegates interpreted as a confession of Beijing’s role in the Volt Typhoon campaign—cyber intrusions on U.S. infrastructure tied to Washington’s support for Taiwan.

Key Takeaways:

• The U.S. delegation saw Wang Lei’s comments as a warning: China is willing to use cyberattacks to deter deeper U.S. involvement in a Taiwan conflict.
• Active since mid-2021, this APT has planted persistent access in telecom, utilities, manufacturing, transportation, maritime, government, IT, and education networks across the U.S. and Guam.
• Volt Typhoon relies almost exclusively on living-off-the-land techniques (using legitimate system tools) and hands-on-keyboard operations to evade detection.
• In May 2024, Microsoft disclosed that Volt Typhoon had operated undetected within critical infrastructure for extended periods, underscoring gaps in defensive visibility.

Spencer’s Thoughts:

China is becoming more brazen, without a doubt. But as a defender or sysadmin what can we do? My advice is to focus on what you can control. Focus on improving a little bit each week, each month, each year. Secure that which is highest risk and absolutely be proactive about it.

When it comes to LoTL (living off the land) DON’T rely on EDR alone to be your saving grace. I highly encourage you to look into Application Control technologies if you are not already. App Control for Business (formerly Windows Defender Application Control or WDAC) is great. Airlock is great. Neither are paying me to say that.

The next thing I’d focus on if I didn’t already have a really solid solution is a SOC. Internal or outsourced, doesn’t matter right now. What matters is that SOC is 1) well funded 2) well trained and 3) well led. If you want help putting a SOC through it’s paces I would gladly help. We do it all the time with our purple team engagements.

​Phishers abuse Google OAuth to spoof Google in DKIM replay attack​

Attackers have discovered a way to trick Google into signing phishing emails with its own DKIM keys, making them appear legitimately sent from no-reply@google.com. By registering a domain that mimics Google infrastructure and creating a Google OAuth app named after the phishing message, they trigger Google to send a genuine security alert, complete with a valid DKIM signature, to that domain. The fraudsters then forward this alert en masse to victims, delivering a DKIM-signed phishing email that passes all verification checks and lures recipients to a credential-stealing support portal hosted on sites.google.com.

Key Takeaways:

• Hosting the fake support page on sites.google.com makes the phishing site virtually indistinguishable from genuine Google assets.
• Forwarding Google’s own alert ensures the phishing email appears alongside real notifications in victims’ inboxes, dramatically increasing credibility.
• A similar DKIM replay trick was observed in a March campaign targeting PayPal users, demonstrating the technique’s cross-platform applicability.
• After initially deeming the behavior “intended,” Google has since acknowledged the risk and is working on tightening its OAuth workflows to block this abuse.

Spencer’s Thoughts:

Yeah this one is going to trick A LOT of people. Heck, even I would fall for something like this if I wasn’t being careful. Expect this technique to become more popular because of just how sneaky and devastatingly effective it is. Combine that with the fact that this is to some extent “expected” behavior and affects other platforms not just google.

What should you do about it?

Well, after the fact you could potentially spot suspicious oauth requests/grants/activity. Prior to that, really scrutinizing links and websites especially when it comes to oauth app requests and login pages is key. This is not an easy one. Stay vigilant, train your people!

🔐Securing the Stack

How to Identify Insecure Delegated Permissions in Active Directory

Delegation’s allow for assigning specific permissions to specific users to be able to perform specific tasks without requiring them to be a member of privileged security groups such as Domain Admins.

The Hard Way 😟

1. Manually browse the permissions tab on privileged OU’s and Groups
   • Such as Domain Admins, Domain Controllers, Administrators, etc.
2. Review the permissions looking for unsafe users such as Domain Users, Domain Computers, Everyone, Authenticated Users, etc. that have unsafe permissions, such as Full Control, Write, Modify
3. Make sure to view the detailed permissions, it might not always be obvious what permissions an account or group has been given
4. Repeat this process for every object in Active Directory…or at least the privileged resources

The Easy Way 🙂

1) Copy and paste the code below into PowerShell, then press enter:

(This downloads Invoke-Adeleginator.ps1 and ADeleg.exe, then runs Invoke-ADeleginator to find seriously dangerous delegated permissions in Active Directory)

Invoke-WebRequest “https://raw.githubusercontent.com/techspence/ADeleginator/refs/heads/main/Invoke-ADeleginator.ps1” -UseBasicParsing -OutFile Invoke-ADeleginator.ps1; Invoke-WebRequest “https://github.com/mtth-bfft/adeleg/releases/download/v1.2/ADeleg.exe” -OutFile ADeleg.exe; . .\Invoke-ADeleginator.ps1; Invoke-ADeleginator

2) Review the report and fix the misconfigured permissions

📰 Here’s a blog to go with this if you’d like more reading material on this.

💡By the way, these issues are something we look for on every internal pentest we do and we help multiple dozens of organizations fix every year. Many of these turn about to be critical vulnerabilities when we discover them and they are often trivial to exploit. If you’d like us to help you with your security, we’d love to work with you. Email me at spencer@securit360.com or book a meeting with me using the link below.

😆Memes & Mayhem

As promised, freshly minted memes! 🤓😂

spencer @techspence 😭😭 10:23 AM • Apr 26, 2025 0 Retweets 2 Likes

​

Prevention > Detection. No silver bullets. No such thing as 100% secure.

spencer @techspence Prevention > Detection. Let’s make attackers hate their life. No doubt EDR is essential, but it’s not a silver bullet. 2:51 PM • Apr 9, 2025 84 Retweets 705 Likes Read 26 replies

​

👨‍💻Behind the Console

You may have noticed there was no newsletter the last two weeks. I hope you didn’t miss it too much, I was on vacation on the sunny shores of South Carolina. Wow was is perfect. But I’m excited to be back at it!

I made another YouTube Video!

I spoke with Jeff Hunter, Field CTO at NinjaOne about the current state of vulnerability management, including the challenges that sysadmins and security professionals often face. Jeff also shares a demo of NinjaOne’s new vulnerability remediation features. Although NinjaOne did sponsor this video, I can honestly say, this is the type of platform I wish I had 10+ years ago when I was doing vulnerability management on an internal IT Team.

I’d love it if you’d check out the video (link below) and leave a comment so the NinjaOne folks can see others enjoy this type of content. 🙏🙏

​

All the best​
Spencer Alessi

"Spirit of a hacker heart of a defender"
​All My Links | super cool cybersecurity shirts & stickers​