Quest KACE SMA Systems Hijacked via Max-Severity Exploit [Prime Cyber Insights]
[00:00] Announcer: From Neural Newscast, this is Prime Cyber Insights, Intelligence for Defenders, Leaders, and Decision Makers.
[00:08] Aaron Cole: This is Prime Cyber Insights for March 23, 2026.
[00:16] Aaron Cole: We lead today with a critical warning for organizations running Quest KACE Systems Management Appliances.
[00:24] Aaron Cole: We are tracking a Maximum Severity Authentication Bypass, CVE-2025-32975.
[00:31] Lauren Mitchell: This is not a theoretical risk.
[00:33] Lauren Mitchell: Arctic Wolf reports active exploitation in the wild as of this month.
[00:38] Aaron Cole: That is correct, Lauren.
[00:39] Aaron Cole: This flaw carries a perfect CVSS score of 10.0.
[00:45] Aaron Cole: Threat actors have been weaponizing it since the week of March 9th
[00:48] Aaron Cole: to impersonate legitimate users and take over administrative accounts
[00:52] Aaron Cole: without requiring credentials.
[00:55] Lauren Mitchell: What is striking here, Aaron, is the post-exploitation sequence.
[00:59] Lauren Mitchell: Once they have access, they're using curl to drop base64 encoded payloads and rankbot.exe,
[01:07] Lauren Mitchell: a native SMA process to create additional admin accounts.
[01:12] Lauren Mitchell: It is a highly effective way to hide in plain sight.
[01:15] Aaron Cole: The lateral movement is aggressive.
[01:18] Aaron Cole: They have been observed using Mimikatz for credential harvesting,
[01:22] Aaron Cole: and then moving via RDP to domain controllers and backup infrastructure like Veeam and Veritas.
[01:29] Aaron Cole: Losing control of your management appliance effectively hands over the keys to the entire environment.
[01:35] Lauren Mitchell: The most frustrating aspect for practitioners is the timeline.
[01:40] Lauren Mitchell: Quest released the patch for this in May 2025.
[01:44] Lauren Mitchell: We are nearly a year out, yet unpatched internet-exposed instances remain an open door for these attackers.
[01:51] Aaron Cole: It underscores the danger of "set it and forget it" for management appliances.
[01:56] Aaron Cole: Speaking of persistence, we are also tracking a new evasion technique called the "zombie zip" method, reported by Malwarebytes.
[02:04] Aaron Cole: It allows malicious files to bypass antivirus scans by manipulating the archive structure.
[02:11] Lauren Mitchell: Exactly, Aaron. It is a reminder that detection tools are only as good as their ability to parse complex file types.
[02:19] Lauren Mitchell: We are also seeing Apple push out WebKit patches to address bugs that could allow malicious sites to access user data.
[02:27] Aaron Cole: For the Quest KACE systems, the mitigation is clear.
[02:32] Aaron Cole: Update to versions 13.0.385, 14.1.101 or higher immediately, and ensure these appliances are never directly exposed to the Internet.
[02:44] Aaron Cole: Lauren, what are your thoughts on the broader implications?
[02:48] Lauren Mitchell: Visibility is paramount.
[02:50] Lauren Mitchell: If you are running KACE SMA, check your logs for unusual runkbot.exe activity or unexpected
[02:57] Lauren Mitchell: PowerShell registry modifications.
[02:59] Lauren Mitchell: Do not assume that because a patch is old, the threat has passed.
[03:04] Aaron Cole: That concludes our briefing for today.
[03:06] Aaron Cole: For more technical deep dives, visit pci.neuralnewscast.com.
[03:11] Lauren Mitchell: This program is for informational purposes.
[03:14] Lauren Mitchell: Always consult with your internal security team
[03:17] Lauren Mitchell: before making infrastructure changes.
[03:19] Lauren Mitchell: Neural Newscast is AI-assisted, human-reviewed.
[03:23] Lauren Mitchell: View our AI transparency policy at neuralnewscast.com.
[03:27] Lauren Mitchell: See you tomorrow.
[03:28] Announcer: This has been Prime Cyber Insights on Neural Newscast.
[03:32] Announcer: Intelligence for defenders, leaders, and decision makers.
