What generates the fastest profit for cybercriminals? Attacking systems that can help them access confidential information or finances directly. Therefore, it’s no surprise that entire groups of cybercriminals specialize in embedded systems: primarily ATMs full of cash, payment systems where transactions can be intercepted, medical equipment where personal data is processed and stored, and so on. All these devices often have less than an adequate level of security (both cyber and physical), making them a convenient target for attackers.

The classic challenge of protecting embedded systems running Windows is that their hardware typically becomes obsolete much slower than their software. These are often expensive devices that organizations won’t replace simply because the operating system has stopped receiving updates. The result is a high percentage of embedded devices with limited resources due to their narrow specialization, outdated software, and an operating system that’s no longer supported by manufacturer.

The end of support for Windows 10 is exacerbating this last issue. A multitude of devices that are perfectly capable of performing their primary functions for years to come will never be able to upgrade to Windows 11 — simply because they lack a TPM module.

The situation isn’t much better in the market for embedded Linux devices. Those built on x86 processors generally have newer hardware — but even that becomes outdated over time. Furthermore, many new embedded systems running Linux are based on the ARM architecture, which has its own specific requirements and challenges.

Because of these unique characteristics, standard endpoint security solutions are a poor fit. Protecting these devices requires a product equipped with technologies that can effectively counter modern threats targeting embedded systems. At the same time, it must be capable of running not only on modern hardware with the latest OS versions, but also on resource-constrained devices, and should be able to provide ideal stability in “unattended” mode, plus compatibility with specific embedded software. Ideally, it should be manageable from the same console as the rest of owner’s IT infrastructure, and support integration with corporate SIEM systems. As you’ve probably guessed, we’re talking about Kaspersky Embedded Systems Security.

How Kaspersky Embedded Systems Security can help

We’ve talked repeatedly in this blog about the specific challenges of securing embedded systems, and our take on the same. However, Kaspersky Embedded Systems Security continues to evolve. In late November, we released a sweeping product update that enhances both the Windows and Linux versions.

What’s new in Kaspersky Embedded Systems Security for Windows

Our experts have overhauled the solution’s codebase, adding a range of advanced threat detection and blocking mechanisms. The cornerstone of this update is a full-fledged behavioral analysis engine, which powers several technologies essential for modern device protection:

• Our non-invasive Automatic Exploit Prevention technology, already proven in other products, is a reliable tool for blocking the exploitation of known and new vulnerabilities. It’s been instrumental in helping our experts discover numerous zero-day vulnerabilities in past years.
• Our advanced Anti-Cryptor technology serves as an additional layer of defense against ransomware. Leveraging the behavioral engine, it now more effectively detects and blocks local attempts to encrypt files.
• Our Remediation Engine is designed to roll back malicious changes made to a device. Even if attackers manage to bypass other security mechanisms and execute malicious code, its activity would be promptly detected, and all changes it made reverted. This is also particularly effective in combating ransomware.

Another technology added to the updated Kaspersky Embedded Systems Security for Windows is BadUSB Attack Prevention. In a BadUSB attack, a malicious device that mimics a legitimate input peripheral — most often a keyboard — is connected to the target system. Through this device, the attacker can then cause all sorts of problems: input their own commands, intercept data entered from other devices (such as the login credentials of a service technician), cause denial of service, and more. This threat is especially relevant for embedded systems installed outside a company’s physical security perimeter. A BadUSB device plugged into the port of a standalone ATM in a remote rural area can go unnoticed for months and, unless blocked by a security solution, inflict significant damage.

We’ve also added our firewall to the solution. This allows administrators to control network access for specific applications via rules based on predefined trust levels for that software. Since an embedded device typically has a limited set of tasks, it makes sense to only permit network access for the applications that genuinely need it to function properly, while blocking all others. This not only makes life harder for attackers attempting to communicate with command-and-control (C&C) servers or exfiltrate data, but also reduces the risk of the system being used as a platform to attack the rest of the corporate infrastructure.

Finally, for administrator convenience, we’ve added a security status indicator, or a “traffic light”. This provides an at-a-glance assessment of how thoroughly each device is configured, showing whether all critical protection technologies are enabled, or if an administrator needs to review the settings and check the device’s security posture.

What’s new in Kaspersky Embedded Systems Security for Linux

We’ve also significantly enhanced the new Kaspersky Embedded Systems Security for Linux. While most of the improvements boost the effectiveness of existing protection mechanisms, one fundamental change is our revamped application allowlist control system. It now uses certificate-based signing to streamline the process of updating the system and the applications required by the embedded device.

Unlike Windows, Linux systems don’t have a universal, ready-made certificate infrastructure that we could simply support. Therefore, at the request of one of our largest customers, we built our own. As a result, there’s no longer a need to regularly create and completely redeploy a full golden system image to every device — though, of course, you can continue to do this if your company needs it for any reason. Now, you simply need to sign a new application with your certificate, and the allowlist system in Kaspersky Embedded Systems Security will accept it and allow it to run without any further issues.

Another new technology in Kaspersky Embedded Systems Security for Linux is Web Threat Protection. The average usage model for embedded systems implies that it’s not the most useful feature on a device without a direct user. However, in practice, there are scenarios where embedded systems do use web protocols. For instance, some PoS devices require access to a corporate web-based CRM system, and the medical terminal can communicate in the same way with the internal portal that manages patient data. Such system could be compromised by attackers to perform a watering hole attack — infecting machines that connect to it. Furthermore, this protection is essential when using Kaspersky Embedded Systems Security on a regular computer with an outdated OS and no hope of updating it, rather than on an embedded system.

Future development plans for Kaspersky Embedded Systems Security

The next major product update is scheduled for the first quarter of 2026. In it, we plan to:

• Achieve full compatibility between Kaspersky Embedded Systems Security and the Kaspersky Managed Detection and Response This will allow our SOC experts to assist companies that use embedded devices in detecting complex, stealthy threats, and providing recommendations for effective incident mitigation.
• Integrate the BadUSB attack prevention technology into Kaspersky Embedded Systems Security for Linux, mirroring the capability already available in the Windows version.
• Add support for the ARM architecture to Kaspersky Embedded Systems Security for Linux, enabling us to provide comprehensive protection for the new energy-efficient embedded systems that are rapidly gaining market share.

You can learn more about Kaspersky Embedded Systems Security on the official product page.

Kaspersky official blog – ​Read More

Few cybersecurity experts would dispute that attacks on Microsoft Exchange servers should be viewed as inevitable, and the risk of compromise remains consistently high. In October, Microsoft ended support for Exchange Server 2019, making Exchange Server Subscription Edition (Exchange SE) the only supported on-premises solution for 2026. Despite this, many organizations continue to operate Exchange Server 2016, 2013, and even more antiquated releases.

For threat actors, Exchange is an irresistible target. Its popularity, complexity, abundance of settings, and, most importantly, its accessibility from external networks make it susceptible to a wide range of attacks:

• Infiltration of mailboxes via password spraying attacks or spearphishing
• Account compromise via outdated authentication protocols
• Theft of specific emails by injecting malicious mail flow rules through Exchange Web Services
• Hijacking of employee authentication tokens or message forgery by exploiting flaws in the Exchange mail processing infrastructure
• Exploitation of Exchange vulnerabilities to execute arbitrary code (deploy web shells) on the server
• Lateral movement and server compromise, where the Exchange server becomes a foothold for network reconnaissance, malware hosting, and traffic tunneling
• Long-term email exfiltration via specialized implants for Exchange

To truly grasp the complexity and variety of Exchange attacks, it’s worth reviewing research on the GhostContainer, Owowa, ProxyNotShell, and PowerExchange threats.

Making it harder for attackers to compromise Exchange and reducing the impact of a successful attack is not impossible, but requires a wide range of measures — from simple configuration changes to effort-intensive authentication protocol migrations. A joint review of priority defense measures was recently published by CISA (the Canadian Centre for Cyber Security) and other cybersecurity regulators. So how do you start hardening your on-premises Exchange server?

Migrating away from EOL versions

Both Microsoft and CISA recommend transitioning to Exchange SE to receive timely security updates. For organizations unable to make the switch immediately, a paid Extended Security Updates (ESU) subscription is available for versions 2016 and 2019. Microsoft emphasizes that upgrading from 2016 or 2019 to Exchange SE is comparable in complexity to installing a standard Cumulative Update.

If for any reason you need to keep an unsupported version in operation, it should be thoroughly isolated from both internal and external networks. All mail flow should be routed through a specially configured email security gateway.

Regular updates

Microsoft releases two Cumulative Updates (CUs) per year, along with monthly security hotfixes. A key task for Exchange administrators is to establish a process for deploying these updates without delay, as threat actors are quick to weaponize known vulnerabilities. You can track the release schedule and contents of these updates on the official Microsoft page. To verify the health and update status of your Exchange installation, use tools like SetupAssist and the Exchange Health Checker.

Emergency mitigations

For critical, actively exploited vulnerabilities, temporary mitigation guidance is typically published in the Exchange blog and on the Exchange mitigations page. The Emergency Mitigation (EM) service should be enabled on your Exchange Mailbox servers. EM automatically connects to the Office Config Service to download and apply mitigation rules for urgent threats. These measures can quickly disable vulnerable services and block malicious requests using URL rewrite rules in IIS.

Secure baselines

A uniform, organization-wide set of configurations optimized for an organization’s needs must be applied not only to Exchange servers but also to mail clients across all platforms and their underlying operating systems.

Since the recommended security baselines differ for various OS and Exchange versions, the CISA guide references the popular, freely available CIS Benchmarks and Microsoft instructions. The latest CIS Benchmark was created for Exchange 2019, but it’s also fully applicable to Exchange SE — since the current Subscription Edition doesn’t differ in its configurable options from Exchange Server 2019 CU15.

Specialized security solutions

A critical mistake many organizations make is not having EDR and EPP agents on their Exchange servers. To prevent vulnerability exploitation and the execution of web shells, the server needs to be protected by a security solution like Kaspersky Endpoint Detection and Response. Exchange Server integrates with the Antimalware Scan Interface (AMSI), which enables security tools to effectively process server-side events.

Application allowlisting can significantly hinder attackers attempting to exploit Exchange vulnerabilities. This feature comes as standard in most advanced EPP solutions. However, if you need to implement it with native Windows tools, you can restrict untrusted applications via App Control for Business or AppLocker.

To protect employees and their machines, the server should use a solution like Kaspersky Security for Mail Server to filter mail traffic. This addresses several challenges that the out-of-the-box on-prem Exchange lacks the tools for — such as sender authentication via SPF, DKIM and DMARC protocols, or protection against sophisticated spam and spearphishing.

If for any reason a full EDR isn’t deployed on the server, it’s essential to at least activate the default anti-virus, and ensure the Attack Surface Reduction (ASR) rule “Block Webshell creation for Servers” is enabled.

To prevent server performance degradation when running default anti-virus, Microsoft recommends excluding specific files and folders from scans.

Restricting administrative access

Attackers often escalate privileges by abusing access to the Exchange Admin Center (EAC) and PowerShell remoting. Best practice dictates making these tools accessible only from a fixed number of privileged access workstations (PAWs). This can be enforced via firewall rules on the Exchange servers themselves, or by using firewall. The built-in Client Access Rules in Exchange can also offer limited utility in this scenario, but they can’t counter PowerShell abuse.

Adopting Kerberos and SMB instead of NTLM

Microsoft is gradually phasing out legacy network and authentication protocols. Modern Windows installations disable SMBv1 and NTLMv1 by default, with future versions slated to disable NTLMv2. Starting with Exchange SE CU1, NTLMv2 will be replaced with Kerberos, implemented using MAPI over HTTP, as the default authentication protocol.

IT and security teams should conduct a thorough audit of legacy protocol usage within their infrastructure, and develop a plan for migration to modern, more secure authentication methods.

Modern authentication methods

Beginning with Exchange 2019 CU13, clients can leverage a combination of OAuth 2.0, MFA, and ADFS for robust server authentication — a framework known as Modern Authentication, or Modern Auth for short. This way, a user can only access a mailbox after successfully completing MFA through ADFS, with the Exchange server then receiving a valid access token from the ADFS server. Once all users have migrated to Modern Auth, Basic authentication should be disabled on the Exchange server.

Enabling Extended Protection

Extended Protection (EP) provides a defense against NTLM relay attacks, Adversary-in-the-Middle, and similar techniques. It enhances TLS security by using a Channel Binding Token (CBT). If an attacker steals credentials or a token, and attempts to use them in a different TLS session, the server terminates the connection. To enable EP, all Exchange servers must be configured to use the same version of TLS.

Extended Protection is active by default on new server installations starting with Exchange 2019 CU14.

Secure TLS versions

The entire server infrastructure, including all Exchange servers, should be configured to use the same TLS version: 1.2 or, ideally, 1.3. Microsoft provides detailed guidance on optimal configuration and necessary prerequisite checks. You can use the Health Checker script to verify the correctness and uniformity of these settings.

HSTS

To ensure all connections are protected by TLS, you should additionally configure HTTP Strict Transport Security (HSTS). This helps prevent certain AitM attacks. After implementing the Exchange Server configuration changes as recommended by Microsoft, all connections to Outlook on the web (OWA) and the EAC will be forced to use encryption.

Download domains

The Download Domains feature provides protection against certain cross-site request forgery attacks and cookie theft by moving attachment downloads to a domain other than one hosting the organization’s Outlook on the web. This separates the loading of the UI and message list from downloading file attachments.

Role-based administration model

Exchange Server implements a Role-Based Access Control (RBAC) model for privileged users and administrators. CISA notes that accounts with AD administrator privileges are often also used to manage Exchange. In this configuration, a compromise of the Exchange server immediately leads to a full domain compromise. So it’s critical to use split permissions and RBAC to separate Exchange management from other administrative privileges. This reduces the number of users and administrators with excessive privileges.

PowerShell stream signing

Administrators frequently use PowerShell scripts known as cmdlets to modify settings and manage Exchange servers via the Exchange Management Shell (EMS). Remote PowerShell access should ideally be disabled. When it is enabled, command data streams sent to the server must be protected with certificates. As of November 2023, this setting is enabled by default for Exchange 2013, 2016, and 2019.

Protection of mail headers

In November 2024, Microsoft introduced enhanced protection against attacks involving the forgery of P2 FROM mail headers, which made emails appear to victims as if they were sent from a trusted sender. New detection rules now flag emails where these headers have likely been manipulated. Administrators mustn’t disable this protection, and should forward suspicious emails bearing the X-MS-Exchange-P2FromRegexMatch header to security experts for further analysis.

Kaspersky official blog – ​Read More

Welcome to this week’s edition of the Threat Source newsletter.

Back in April, I wrote about the risks of unintentionally leaking information while using search engines. Since then, I’ve been thinking: Life doesn’t just happen in front of a keyboard. There’s a social side, too (or so I’m told). With Thanksgiving around the corner, it seems the perfect time to flip the script and focus on a different but related concept: Care that you share. 

For my non-American friends, who may be enjoying just another Thursday, stick with me. This season brings heightened risks everywhere. Many teams are running with skeleton crews, whether due to holiday mode (family, turkey, football, days off) or the year-end compliance push (hello, NIS2 and DORA). At the same time, on the other side of the fence, attackers ramp up their efforts; globally, Black Friday and similar events are peak periods for phishing campaigns, often targeting credentials with fake employee perk emails and other seasonal lures. 

So, why emphasize “care that you share?” 

Recently, I visited a university of applied sciences to give a guest lecture and learn more about the projects students are working on. It was a great experience, though preparing for an audience of students (not my usual crowd) was challenging. What do they already know? What topics interest them? Should I give them some history of STIX/TAXII? Geopolitical tensions? Honestly speaking, none of this was interesting to me when I was a student. I chose to start simple, discussing what threats and the DKIW pyramid were, and then focusing on CVE, CVSS, and KEV — one of my favorite topic clusters. 

To my surprise, not only did the students engage and ask questions, but they also stuck around late on a Friday afternoon, diving into discussions about software supply chain risks and beyond. I don’t remember ever staying at university past 6:00 p.m. on a Friday as a student! A week later, when they presented their projects — many centered on authentication, TOTP, and SmartCards — I was genuinely impressed by their ideas and the real-world problems they were addressing. 

“Care that you share” is a mindset that helps us appreciate the knowledge exchange that happens in person, too. 

Whether sharing stories over dinner, IOCs over email, or ideas in a classroom, let’s all take a moment to consider not just what we share, but how and why we share it. I’ll admit, I sometimes hesitate to share certain stories myself, worried they might seem too obvious or uninteresting, or maybe even dumb. But more often than not, those moments of openness lead to the best conversations and new perspectives. 

This rings especially true during busy or understaffed times, when teams are stretched thin. It’s tempting to keep things to ourselves to avoid “bothering” others. In reality, sharing a helpful tip, a concern, or just a quick update can make all the difference for colleagues who might be juggling extra responsibilities or missing context. 

So this holiday season, care that you share. Thoughtful communication isn’t just about protecting information — it’s also about supporting each other, especially when resources are limited. You never know who might benefit from what you have to offer, yourself included. 

The one big thing 

Last week, Cisco Talos announced an initiative to retire outdated ClamAV signatures to reduce database sizes and improve efficiency by focusing on currently relevant threats. Starting Dec. 16, 2025, the “main.cvd” and “daily.cvd” databases will be cut roughly in half, offering smaller downloads and reduced resource usage. Retired signatures may be reintroduced if old threats reappear, and only supported ClamAV container images will remain available on Docker Hub to enhance security and management. 

Why do I care? 

Smaller signature databases mean faster updates, lower bandwidth and storage requirements, and improved performance, especially on resource-constrained systems. By focusing detection on active threats, ClamAV can more efficiently protect against current malware without being bogged down by obsolete signatures. 

So now what? 

We will continue to monitor the activity of retired signatures and will restore any that are needed to protect the community. Stay attentive and request the reinstatement of retired signatures if older threats reappear. In the meantime, we recommend that ClamAV container image users select a feature release tag rather than a specific minor release tag to stay up to date with security updates and bug fixes. 

Top security headlines of the week 

Second Sha1-Hulud wave affects 25,000+ repositories via npm preinstall credential theft 
The new supply chain campaign, dubbed Sha1-Hulud, has compromised hundreds of npm packages, uploaded to npm between November 21 and 23, 2025. The attack has impacted popular packages from Zapier, ENS Domains, PostHog, and Postman, among others. (The Hacker News) 

FBI: Cybercriminals stole $262M by impersonating bank support teams  
Since January 2025, the FBI’s Internet Crime Complaint Center (IC3) has received over 5,100 complaints, with the attacks impacting individuals, as well as businesses and organizations across all industry sectors. (Bleeping Computer) 

Everest ransomware claims breach at Spain’s national airline Iberia with 596 GB data theft 
The group states that the data covers millions of customers in multiple countries, and says it had long-term access with the ability to read and alter bookings. (HackRead) 

CISA warns of active spyware campaigns hijacking high-value Signal and WhatsApp users 
CISA on Monday issued an alert warning of bad actors actively leveraging commercial spyware and remote access trojans (RATs) to target users of mobile messaging applications. (The Hacker News) 

LINE messaging bugs open Asian users to cyber espionage 
Researchers discovered critical vulnerabilities that open the door to three main buckets of compromise: message replay attacks, plaintext and sticker leakage, and, most concerningly, impersonation attacks. (Dark Reading) 

Can’t get enough Talos? 

Talos Takes: When you’re told “no budget” 
From configuring what you already have, to open-source strategies, to the impact of cybersecurity layoffs, this episode is packed with practical guidance for securing your organization during an economic downturn. 

Humans of Talos: On epic reads, lifelong learning, and empathy  
In this episode, Bill Largent shares what drew him to Talos, how his love of reading has shaped his cybersecurity ethos, and the key insights he shares for the next generation of cybersecurity professionals. 

The TTP: How Talos built an AI model into one of the internet’s most abused layers 
Hazel talks with Talos researcher David Rodriguez about how adversaries use DNS tunneling to sneak data out of networks, why it’s so difficult to spot in real time, and how Talos built an AI model to detect it without breaking the internet. 

Upcoming events where you can find Talos 

• AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia 
• Black Hat Europe (Dec. 8 – 11) London, U.K. 

Most prevalent malware files from Talos telemetry over the past week 

SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a 
MD5: 1f7e01a3355b52cbc92c908a61abf643 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a 
Example Filename: cleanup.bat 
Detection Name: W32.D933EC4AAF-90.SBX.TG 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_1_Exe.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a 
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: ck8yh2og.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
MD5: aac3165ece2959f39ff98334618d10d9  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974  
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe  
Detection Name: W32.Injector:Gen.21ie.1201 

SHA256: 26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff  
MD5: 71da0bf3094e3ed17bc5a1c78de80933  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=26fa67db9a00f07600abe950d2ea0aed0ea7a0b49a0b5a452e3175ffa33970ff  
Example Filename: cleanup.bat  
Detection Name: W32.26FA67DB9A-90.SBX.TG 

Cisco Talos Blog – ​Read More