Yuval Gordon (@YuG0rd)
Security Researcher at Akamai. Opinions are my own.
Joined December 2017
Followers: 1K | Following: 521 | Media: 3 | Statuses: 95
We just released my research on BadSuccessor - a new unpatched Active Directory privilege escalation vulnerability. It allows compromising any user in AD, it works with the default config, and... Microsoft currently won't fix it. Read here - https://t.co/c969sNjQH0
Amazing write-up of how BadSuccessor post-patch can be used for account takeover. Worth the read.
I feel like @YuG0rd's briefly mentioned new dMSA account takeover mechanism in his last blog didn't get enough attention. A new account takeover mechanism is on the horizon. I wrote a blog detailing it, releasing with a new BOF I wrote called BadTakeover https://t.co/fyUkDYKAeP
What happens when the User-Account-Restrictions property gets misconfigured? Spoiler: It's not good. From account compromise to full domain takeover, @unsigned_sh0rt breaks down why this permission set is more dangerous than most realize.
specterops.io
TL;DR - The User-Account-Restrictions property grants read/write permissions to the user-account-control LDAP attribute, which can be used to manipulate account and security settings. Delegating...
I've been researching the Microsoft cloud for almost 7 years now. A few months ago that research resulted in the most impactful vulnerability I will probably ever find: a token validation flaw allowing me to get Global Admin in any Entra ID tenant. Blog:
dirkjanm.io
While preparing for my Black Hat and DEF CON talks in July of this year, I found the most impactful Entra ID vulnerability that I will probably ever find. One that could have allowed me to compromise...
We found a new strain of Docker-targeting malware, with improved capabilities over the previous version and some interesting upcoming features. Check it out!
Akamai Hunt has uncovered a new strain of Docker-targeting malware that may be building the groundwork for a botnet. Read full write-up: https://t.co/GfAhaNYk04
Happy to release SAMLSmith together with @ericonidentity - Generate forged SAML responses - Simulate Silver SAML & Golden SAML attacks - Extract usable certificate files from AD FS encrypted materials. The tool is written in C#. Check it out here - https://t.co/ZI7h4HhvPK
A week ago, I reported a privacy vulnerability to @Meta which may allow attackers to discover any @WhatsApp users' devices details, including online status and operating system. This flaw enables adversaries to accurately target a vulnerable iOS (iPhone) device.
NEW: @WhatsApp caught & fixed a sophisticated zero click attack... Now they've published an advisory about it. Say attackers combined the exploit with an @Apple vulnerability to hack a specific group of targets (i.e. this wasn't pointed at everybody) Quick thoughts 1/
Was especially fun writing this one! Cloud ransomware is real and it's here!
The financially motivated threat actor Storm-0501 has continuously evolved to achieve sharpened focus on cloud-based TTPs as their primary objective shifted from deploying on-premises endpoint ransomware to using cloud-based ransomware tactics.
BadSuccessor is dead... or is it? The patch for CVE-2025-53779 fixed the priv-esc. While no longer a vulnerability, the tactic still applies in certain scenarios. Defenders should be aware of it. Details:
akamai.com
Read about Microsoft's patch for BadSuccessor, a vulnerability in Windows Server Active Directory, and learn why its underlying mechanics still matter.
Another Monday. Another week of... endless emails, annoying meetings, and oh look, a three-headed monkey behind you! Now that we have your attention, we can unveil the agenda for #RomHack2025
https://t.co/P793dQAZdu
#infosec #securityconference
If you can't beat them, ban them. Malicious cryptominers can be tough to dismantle - but we found a way. By exploiting common mining topologies, Akamai researchers were able to ban attackers from their mining pools and shut down their operations. https://t.co/Gyhvt3KKR0
The relevant section on our blog:
akamai.com
Akamai researchers found a privilege escalation vulnerability in Windows Server 2025 that allows attackers to compromise any user in Active Directory.
Many missed this on #BadSuccessor: it's also a credential dumper. I wrote a simple PowerShell script that uses Rubeus to dump Kerberos keys and NTLM hashes for every principal: krbtgt, users, machines. No DCSync required, no code execution on the DC.
I'm super happy to announce an operationally weaponized version of @YuG0rd's BadSuccessor in .NET format! With a minimum of "CreateChild" privileges over any OU it allows for automatic escalation to Domain Admin (DA). Enjoy your inline .NET execution! https://t.co/nvZmsNqjnG
github.com
SharpSuccessor is a .NET Proof of Concept (POC) for fully weaponizing Yuval Gordon's (@YuG0rd) BadSuccessor attack from Akamai. - logangoins/SharpSuccessor
We just released a new beta build for PingCastle on GitHub to detect the new BadSuccessor risk that @YuG0rd found! https://t.co/4Apunr25js Code is in the BadSuccessor branch.
github.com
This is a beta release that adds a new risk for BadSuccessor where delegations are detected on OUs that may allow abuse. Update: Added a fix where some ACLs were being incorrectly detected, e.g. Full...
We did an analysis across participating customers & found that ~96% had > 1 user that has the necessary permissions to be susceptible to this attack, but only ~3% had a 2025 server. So there are a lot of orgs that have the opportunity to resolve this issue before they bring a
@cyb3rops So, in a lot of similar cases I would agree with you. But (FWIW) in this case I think the balance of equities is in favor of some kind of disclosure. Because not many orgs will have moved to 2025 yet on domain controllers and they should be informed to probably wait for a fix.
Given all of this, we believed it was in the best interest of defenders to share our findings openly and proactively.
Finally, we had little confidence that Microsoft would move quickly. The vulnerability was rated as "moderate" and we were given no timeline for a fix. That led us to believe a patch might not arrive for several months, if at all.
We were genuinely shocked by how easy this was to discover, and surprised no one else had already reported it. Since it hinges on newly introduced and currently unmonitored attributes, it's entirely plausible that adversaries could have found and used it quietly.
Based on our data: 91% of organizations we examined had some low-privileged users who could exploit this issue, a meaningful risk. But fewer than 10% had any domain controllers running Windows Server 2025.