Compromise Assessments Expose Missed Intrusions and Security Control Failures
Securelist reported that real-world compromise assessments repeatedly uncovered active and historical intrusions that had bypassed layered defenses, often because basic security controls failed in practice. Investigators linked successful breaches to delayed patching of internet-facing systems, employee and third-party policy violations, missed detections by MSSPs and SOCs, incomplete incident response, and misconfigured or ineffective tooling that left attackers operating undisturbed.
In one case, attackers exploited a late-patched public web server, deployed a SILENTTRINITY C2 stager, used a custom-packed Mimikatz variant and LSASS memory dumping to steal credentials, then performed SMB reconnaissance until gaining domain administrator access. Other assessments found credential exposure through a third-party consultant, repeated webshell activity that an MSSP failed to escalate despite antivirus alerts, and malicious Active Directory Group Policy changes that enabled reversible password storage and weakened Kerberos auditing, underscoring compromise assessment as a last-resort method for finding hidden attacker persistence and validating whether defenses are actually working.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Malicious AD Group Policy changes weakened domain security
One investigated case uncovered malicious Active Directory Group Policy changes that enabled reversible password storage and reduced Kerberos auditing. These changes were highlighted as attacker actions that degraded security controls and hindered detection.
MSSP repeatedly missed webshell activity despite AV detections
A separate compromise assessment case found that an MSSP failed multiple times to detect or act on webshell activity even though antivirus detections were present. The case was cited as an example of SOC or MSSP detection failure allowing an intrusion to persist.
Third-party consultant credential leakage enabled compromise
Another case described credential leakage through a third-party consultant as a root cause contributing to compromise. The article presents this as a real-world investigation finding tied to policy violations and weak third-party security practices.
Delayed patching led to web server compromise and domain admin access
In one compromise assessment case, a public-facing web server was left unpatched and was subsequently compromised. The attacker deployed a SILENTTRINITY C2 stager, used a custom packed Mimikatz and LSASS memory dumping, conducted SMB reconnaissance, and ultimately obtained domain administrator credentials.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
The Critical Risks of Security Misconfigurations and Overlooked Blind Spots
Security misconfigurations and overlooked vulnerabilities continue to pose significant risks to organizations, often serving as the initial foothold for attackers. One real-world example involved a company that relied solely on IP address restrictions to secure its network, neglecting to implement multi-factor authentication (MFA). This decision created a critical weakness, as attackers can easily bypass IP-based controls using VPNs to spoof their location, rendering the restriction ineffective. The absence of MFA meant that compromised credentials could be used without additional verification, exposing the organization to unauthorized access. Such misconfigurations are not isolated incidents; they represent a broader pattern where seemingly minor oversights can have catastrophic consequences. Many organizations underestimate the dangers of default settings, forgotten assets, and configuration drift, which can silently erode their security posture over time. Attackers often exploit these mundane gaps, such as stale DNS records, unpatched printers, or unsynchronized server clocks, to escalate their access and compromise critical systems. Time and telemetry integrity are particularly vital, as discrepancies in server clocks can undermine forensic investigations and incident response efforts. Organizations frequently treat network time protocol (NTP) settings as a one-time configuration, failing to monitor for drift or unauthorized changes, which attackers can leverage to cover their tracks. Systemic resilience requires a proactive approach to identifying and closing these low-profile vulnerabilities across identity management, configuration, telemetry, cloud infrastructure, and recovery processes. Rather than focusing solely on high-profile zero-day exploits, security teams must address the 'silent killers'—the overlooked misconfigurations and blind spots that can turn minor incidents into major breaches. Comprehensive checklists and regular audits are essential to ensure that no critical gap is left unaddressed. The lessons from these cases underscore the importance of layered defenses, continuous monitoring, and a culture of vigilance to prevent security misconfigurations from becoming the next major disaster.
Mar 21, 2026
Security Spend Fails Without Basic Hygiene and Operational Discipline
A recurring theme in executive security discussions is that **increased cybersecurity spending and tooling does not reliably translate into better outcomes** when organizations lack basic operational discipline. Commentary highlights that breaches and major security failures are frequently rooted in process and governance gaps rather than missing technology, despite growing budgets, expanding tool stacks, and compliance reporting. One account of a penetration test describes rapid compromise using **non-advanced techniques**: initial access via phishing to capture credentials, lateral movement aided by an **unpatched server**, and escalation to **domain admin** after discovering credentials in a shared location (e.g., `Admin_Password.txt`), followed by data exfiltration. The described root causes were foundational control failures—**inconsistent patching**, incomplete **MFA adoption**, and lingering/overprivileged accounts—underscoring that tool-heavy environments (e.g., EDR, SIEM, DLP, threat intel) can still be bypassed when identity, patch, and access-control hygiene are weak.
Mar 21, 2026
Edge Appliance Compromises Expose Persistent Access Risks in Enterprise Networks
Investigations across multiple incidents have shown attackers gaining and maintaining access through internet-facing infrastructure, including **SonicWall SMA** devices, **Cisco AnyConnect** deployments, and **F5** systems. Truesec reported a persistent web shell on SonicWall SMA appliances, while separate reporting tied exploitation of `CVE-2020-3259` in Cisco AnyConnect to **Akira ransomware** activity. The UK **NCSC** also confirmed a compromise affecting the **F5** network, underscoring that trusted remote-access and application delivery platforms remain high-value targets for intrusion and follow-on operations. The broader pattern mirrors earlier high-impact compromises such as **SolarWinds**, where trusted enterprise technology became a pathway for stealthy access, and more recent financially motivated and state-linked campaigns, including Truesec reporting on a **North Korean threat actor** targeting the Nordic financial sector. Together, the cases show how compromise of edge devices and trusted network infrastructure can enable persistence, credential theft, lateral movement, and downstream attacks against enterprises and critical sectors.
May 25, 2026