
Netizen: Monday Security Brief (8/18/2024)

Today’s Topics:

  • New “Win-DDoS” Technique Exploits Windows Domain Controllers for Massive DDoS Attacks
  • Attackers Target the Foundations of Crypto: Smart Contracts Under Threat
  • How Can Netizen Help?

New “Win-DDoS” Technique Exploits Windows Domain Controllers for Massive DDoS Attacks

SafeBreach researchers have detailed a new attack method, dubbed Win-DDoS, that allows threat actors to conscript thousands of public-facing Windows Domain Controllers (DCs) into a powerful DDoS botnet without deploying malware or compromising endpoints. The technique, presented at DEF CON 33, abuses flaws in Windows LDAP client code and RPC behavior to redirect LDAP referrals toward a victim server, overwhelming it with traffic.

The attack leverages the Connectionless LDAP (CLDAP) and LDAP referral mechanism:

  1. An attacker sends an RPC call to a public DC, causing it to act as a CLDAP client.
  2. The DC contacts the attacker’s CLDAP server, which responds with a referral to the attacker’s LDAP server.
  3. The LDAP server sends a list of referral URLs pointing to a single victim IP and port.
  4. The DC repeatedly queries the victim server, creating sustained, high-bandwidth traffic.

This approach is infrastructure-free for the attacker, requires no code execution or authentication, and leaves minimal forensic traces.
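From the defender's side, the tail of that chain is observable: a domain controller that has been steered by referrals will open a burst of outbound LDAP connections to one host and port that is not a DC of its own forest. The script below is an added illustration written for this brief, not SafeBreach's tooling, and it assumes a constructed connection-log format plus an assumed DC inventory (`DOMAIN_CONTROLLERS`); map your firewall or NetFlow export onto `parse_record()` to use it. It flags DC-to-non-DC LDAP flows whose rate inside a sliding window reaches a threshold, and separately lists referral URLs (as seen in an LDAP client trace) that point outside the forest.

```python
"""Spot a domain controller that is being steered into hammering one LDAP endpoint.

Added illustration, not SafeBreach's tooling: the Win-DDoS chain ends with
the DC repeatedly querying a single victim host:port that it learned from an
LDAP referral.  A defender can see that in two places: (1) outbound
connection records from a DC to an LDAP port on a host that is not one of
its own DCs, at a rate no healthy replication or referral chase produces,
and (2) referral URLs in LDAP client traces that point outside the forest.
The log format below is constructed; map your export onto parse_record().
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

LDAP_PORTS = {389, 636, 3268, 3269}            # LDAP, LDAPS, Global Catalog
DOMAIN_CONTROLLERS = {"10.0.0.5", "10.0.0.6"}  # assumed DC inventory (constructed)


def parse_record(line):
    """Parse '<ISO time> <src> -> <dst>:<port>/<proto>' into a tuple."""
    when, src, _arrow, target = line.split()
    dst, rest = target.rsplit(":", 1)
    port, proto = rest.split("/")
    return datetime.fromisoformat(when), src, dst, int(port), proto


def find_ldap_bursts(lines, domain_controllers, threshold=50, window=timedelta(seconds=60)):
    """Return {(src, dst, port, proto): peak} for DC->non-DC LDAP flows whose
    peak connection count inside any `window` reaches `threshold`."""
    flows = defaultdict(list)
    for line in lines:
        when, src, dst, port, proto = parse_record(line)
        if src in domain_controllers and dst not in domain_controllers and port in LDAP_PORTS:
            flows[(src, dst, port, proto)].append(when)
    bursts = {}
    for key, times in flows.items():
        times.sort()
        peak, left = 0, 0
        for right, t in enumerate(times):
            while t - times[left] > window:  # slide the window forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            bursts[key] = peak
    return bursts


def off_domain_referrals(referral_urls, domain_controllers):
    """Return (host, port) referral targets that are not a known DC."""
    targets = set()
    for url in referral_urls:
        parts = urlsplit(url)
        if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
            continue
        port = parts.port or (636 if parts.scheme == "ldaps" else 389)
        if parts.hostname not in domain_controllers:
            targets.add((parts.hostname, port))
    return targets


# Constructed sample: six routine DC-to-DC LDAP connections, then 120 outbound
# LDAP connections in two minutes from DC 10.0.0.5 to one off-domain host,
# plus noise (a non-DC source, a non-LDAP port) that the detector must ignore.
_T0 = datetime(2025, 8, 11, 10, 0, 0)
SAMPLE_LOG = (
    [f"{(_T0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 -> 10.0.0.6:389/tcp" for i in range(0, 30, 5)]
    + [f"{(_T0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 -> 203.0.113.40:389/tcp" for i in range(120)]
    + [f"{(_T0 + timedelta(seconds=i)).isoformat()} 10.0.0.7 -> 203.0.113.40:389/tcp" for i in range(3)]
    + [f"{(_T0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 -> 198.51.100.9:443/tcp" for i in range(80)]
)

# Constructed: a referral list in which every entry points at the same off-domain host.
SAMPLE_REFERRALS = [
    "ldap://10.0.0.6/",
    "ldap://203.0.113.40:389/dc=corp,dc=example",
    "ldap://203.0.113.40:389/dc=corp,dc=example",
]

if __name__ == "__main__":
    for (src, dst, port, proto), peak in find_ldap_bursts(SAMPLE_LOG, DOMAIN_CONTROLLERS).items():
        print(f"burst: {src} -> {dst}:{port}/{proto}, peak {peak} connections in 60s")
    print("off-domain referral targets:", off_domain_referrals(SAMPLE_REFERRALS, DOMAIN_CONTROLLERS))
```

The threshold and window are deliberately generous; legitimate referral chasing to a partner forest is a handful of connections, not dozens per minute to one socket. Pair the alert with the patch state of the CVEs listed below and with whether the DC in question is reachable from the internet at all.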

SafeBreach also introduced TorpeDoS, an RPC-based denial-of-service technique that magnifies the efficiency of a single attacker’s RPC calls to the point where one host can cause an impact comparable to a distributed botnet.

The research uncovered four denial-of-service vulnerabilities impacting core Windows services:

  • CVE-2025-26673 (CVSS 7.5) – LDAP uncontrolled resource consumption; unauthenticated DoS (patched May 2025).
  • CVE-2025-32724 (CVSS 7.5) – LSASS uncontrolled resource consumption; unauthenticated DoS (patched June 2025).
  • CVE-2025-49716 (CVSS 7.5) – Netlogon uncontrolled resource consumption; unauthenticated DoS (patched July 2025).
  • CVE-2025-49722 (CVSS 5.7) – Print Spooler uncontrolled resource consumption; authenticated adjacent-network DoS (patched July 2025).

These zero-click, unauthenticated flaws can crash domain controllers and other Windows systems remotely if exposed, posing a threat to both public and internal infrastructure.

The findings challenge traditional enterprise threat models by showing that:

  • Internal systems can be abused without full compromise.
  • DoS risks extend beyond public-facing services.
  • Large-scale DDoS potential exists without a typical botnet build-out.

SafeBreach warns that unpatched systems and exposed Domain Controllers significantly increase the risk of both network disruption and targeted outages.


Attackers Target the Foundations of Crypto: Smart Contracts Under Threat

Cybercriminals are increasingly turning their attention to smart contracts, the self-executing programs that power decentralized finance (DeFi) and other blockchain-based applications, not only exploiting vulnerabilities in poorly written code but also crafting malicious contracts designed to deceive and drain cryptocurrency wallets.

A recent scam analyzed by SentinelOne involved a fraudulent Solidity-based smart contract promoted through YouTube tutorials and similar channels. Victims were told they could profit from automated trading arbitrage bots that exploit minor cryptocurrency price differences for maximal extractable value (MEV). In reality, the contract contained obfuscated transfer functions that siphoned funds to an attacker-controlled externally owned account (EOA).

In one high-profile incident, a single malicious contract drained roughly 244.9 ETH, about $935,000, from victims. Smaller but still significant thefts included a $28,000 Ethereum wallet and another worth $15,000.

Data from SolidityScan, a CredShields project, shows that since 2020 over $14 billion has been stolen via blockchain manipulation and cryptocurrency fraud. More than 55% of these losses were due to vulnerabilities or bugs in smart contracts, with the remainder attributed to private-key leaks and rug pulls—instances where developers intentionally withdraw all funds from a project.

Shashank, CEO of CredShields and co-lead of the OWASP Smart Contract Top 10 project, warns that while immutability and transparency are strengths of blockchain systems, these same traits can magnify the damage caused by coding flaws. Even a single logical error can cause irreversible financial loss and severe reputational damage.

While the DeFi sector is the most visible victim, the risk extends to any industry integrating blockchain and smart contracts, among them finance, supply chain, logistics, and real estate. Common threats include:

  • Unauthorized access to contract functions or data.
  • Oracle manipulation, altering the data inputs that smart contracts rely upon.
  • Logic exploitation, taking advantage of flawed programming to redirect funds or alter outcomes.

To mitigate these risks, experts recommend:

  • Maintaining an inventory of all deployed smart contracts.
  • Conducting independent audits before and after deployment.
  • Enabling real-time monitoring of contract behavior and transaction patterns.
  • Rejecting obfuscated code in business contracts.
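The last recommendation can be partly automated. The screen below is an added illustration for this brief, not SentinelOne's or CredShields' tooling, and it targets the pattern described above: a function that moves value and, in the same body, names a hard-coded address literal or assembles an address from an integer with `address(uint160(...))`. It also flags externally callable value transfers that never look at `msg.sender`. The sample contract is constructed (the address is a placeholder), and the brace matching is deliberately simple (it does not special-case braces inside string literals or comments), so treat hits as triage input for a human review rather than as an audit result.

```python
"""Heuristic screen for drainer-style transfer functions in Solidity source.

Added illustration, not SentinelOne's or CredShields' tooling.  The brief
describes "MEV bot" contracts whose transfer functions quietly send the
balance to a fixed, attacker-controlled EOA.  This screen reports functions
that move value while referencing a hard-coded address or an address built
from an integer cast, and externally callable value transfers with no
caller check.  It supports the "reject obfuscated code" recommendation; it
is not a substitute for an independent audit.
"""
import re

FUNC_RE = re.compile(r"\bfunction\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)\{")
ADDRESS_LITERAL = re.compile(r"\b0x[0-9a-fA-F]{40}\b")
ADDRESS_FROM_INT = re.compile(r"\baddress\s*\(\s*uint160\s*\(")
VALUE_MOVE = re.compile(r"\.(transfer|send)\s*\(|\.call\s*\{\s*value\s*:|\bselfdestruct\s*\(")
CALLER_CHECK = re.compile(r"msg\.sender")


def function_bodies(source):
    """Yield (name, modifier_text, body_text) for each function, by brace matching.
    Limitation: braces inside string literals or comments are not special-cased."""
    for m in FUNC_RE.finditer(source):
        depth, i = 1, m.end()
        while i < len(source) and depth:
            depth += {"{": 1, "}": -1}.get(source[i], 0)
            i += 1
        yield m.group(1), m.group(3), source[m.end():i - 1]


def screen(source):
    """Return a list of findings, each {"function": name, "rule": description}."""
    findings = []
    for name, mods, body in function_bodies(source):
        if not VALUE_MOVE.search(body):
            continue  # only functions that move value are interesting here
        if ADDRESS_LITERAL.search(body) or ADDRESS_FROM_INT.search(body):
            findings.append({"function": name,
                             "rule": "value sent toward a hard-coded or integer-assembled address"})
        externally_callable = "public" in mods or "external" in mods
        # "only" catches common modifiers such as onlyOwner; a heuristic, not a parser.
        if externally_callable and "only" not in mods and not CALLER_CHECK.search(body):
            findings.append({"function": name,
                             "rule": "externally callable value transfer with no caller check"})
    return findings


# Constructed sample in the style of the "arbitrage bot" lure; the address is a placeholder.
SAMPLE_CONTRACT = """\
pragma solidity ^0.8.0;
contract ArbBot {
    address private owner;
    constructor() { owner = msg.sender; }
    function start() external payable {}
    // Presented as a fee payout; actually moves the whole balance to a fixed EOA.
    function withdraw() external {
        address payable sink = payable(address(uint160(0x1111111111111111111111111111111111111111)));
        sink.transfer(address(this).balance);
    }
}
contract Safe {
    address private owner;
    constructor() { owner = msg.sender; }
    function withdraw() external {
        require(msg.sender == owner, "not owner");
        payable(msg.sender).transfer(address(this).balance);
    }
}
"""

if __name__ == "__main__":
    for f in screen(SAMPLE_CONTRACT):
        print(f"{f['function']}: {f['rule']}")
```

Only `ArbBot.withdraw` trips the screen; `Safe.withdraw` moves value too, but to `msg.sender` under an owner check, which is the shape a legitimate payout takes. Running such a screen before funds are sent to a contract is cheap, and a refusal to supply readable, verified source is itself the signal the brief is pointing at.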

How Can Netizen Help?

Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally. 

Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.

Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.

Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.