惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News: Ask HN
Hacker News: Ask HN
WordPress大学
WordPress大学
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 聂微东
A
About on SuperTechFans
Stack Overflow Blog
Stack Overflow Blog
雷峰网
雷峰网
Microsoft Azure Blog
Microsoft Azure Blog
腾讯CDC
爱范儿
爱范儿
酷 壳 – CoolShell
酷 壳 – CoolShell
博客园 - 【当耐特】
V
Visual Studio Blog
有赞技术团队
有赞技术团队
U
Unit 42
D
Docker
小众软件
小众软件
F
Full Disclosure
I
Intezer
Scott Helme
Scott Helme
P
Privacy International News Feed
P
Proofpoint News Feed
Engineering at Meta
Engineering at Meta
Google DeepMind News
Google DeepMind News
B
Blog
Martin Fowler
Martin Fowler
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Vercel News
Vercel News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Spread Privacy
Spread Privacy
宝玉的分享
宝玉的分享
S
Security Affairs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
月光博客
月光博客
C
Cisco Blogs
云风的 BLOG
云风的 BLOG
Schneier on Security
Schneier on Security
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Threat Research - Cisco Blogs
量子位
Hacker News - Newest:
Hacker News - Newest: "LLM"
H
Heimdal Security Blog
N
Netflix TechBlog - Medium
H
Hacker News: Front Page
P
Proofpoint News Feed
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
S
Schneier on Security

NetBird - Networking Knowledge Hub - RSS Feed

NetBird Is Now on the Vultr Marketplace Native NetBird on the GL.iNet Comet Pro (GL-RM10) NetBird v0.71 - IPv6 Overlay Addressing NetBird Exit Nodes - Appear at Home, or Anywhere Else Reporting Bugs and Requesting Features in NetBird Setup and Use Local AdGuard Home Anywhere with NetBird DNS How to Set Up NetBird on PiKVM for Secure Remote KVM Access NetBird v0.69 - CrowdSec IP Reputation for the Reverse Proxy Cloudflare Mesh vs NetBird vs Tailscale: Performance Compared Self-Hosting Nextcloud with Docker and NetBird Implementing Zero Trust with NetBird NetBird v0.67 - Layer 4 Proxy Support for TCP, UDP, and TLS Solwr Enhances Remote Connectivity with NetBird Self-Hosting NetBird with Authentik Jellyfin Media Server - Self-Host Your Movies, TV, and Music Cloudflare Tunnels vs. NetBird Reverse Proxy INFITX Builds Zero-Touch Kubernetes Networking with NetBird NetBird v0.66 - Expose Local Services to the Internet from the CLI Pangolin vs. NetBird Home Assistant Setup Guide with EASY Remote Access NetBird v0.65 - Built-in Reverse Proxy with Custom Domains Docker for Beginners - Everything You Need to Get Started NetBird for SOC 2 Compliance NetBird v0.63 - Custom DNS Zones for Private Network Resolution Vibecode This in a Weekend and Take 5% of the Company NetBird v0.62 - Built-in Local Users with Optional IdP Integration NetBird v0.61.0 - Granular SSH Access Control and Automatic Updates Top 5 Alternatives to OpenVPN Top 5 Open Source Alternatives to Tailscale Top 5 Alternatives to ZeroTier How to Set Up ZeroByte and REST Server for Backups with NetBird How to Install n8n v2.0 with NPM and PM2 ZeroTier vs. NetBird The Ultimate Immich Guide - Ditch Google and Amazon Photos for Good NetBird as Your Help with ISO 27001 Compliance NetBird and Huntress - Secure Network Access for MSPs How to Access Windows Shares from Anywhere with NetBird netgo Relies on Modern ZTNA with NetBird Connect to Your Homelab from Anywhere with a Raspberry Pi NetBird SSH - A New, Identity-Aware Approach The AI Mega Mesh: How to Connect 30+ GPU Cloud Providers Connect Multiple Ollama GPUs to OpenWebUI with NetBird Top 5 Tailscale Alternatives SSH and RDP, now in your browser NetBird–Acronis Integration: Empowering MSPs for Advanced Ransomware and Threat Defense Introducing the Control Center - Remote Access, Beautifully Visualized NetBird at MSP Global 2025 Understanding Overlay Networks - The Basics NetBird and SentinelOne Singularity™ - Automate Threat Response NetBird and Microsoft Intune - Enforcing Device Compliance for Zero Trust Rethinking Zero Trust Security with NetBird and pfSense Improving Unidirectional Access Control Proxmox VE for Beginners Guide with NetBird LXC Stronger Security: NetBird + GitHub Secure Open Source Fund NetBird's MSP Partner Program Signicat Enhances Cross-Cloud Accessibility with NetBird SonicWall SSL VPN NetExtender vs. NetBird NetBird Is Embracing the AGPLv3 License NetBird Profiles Have Landed - Manage Multiple Accounts Effortlessly Rethinking Access Control to Secure Your On-Premises SharePoint Servers Sport Alliance Increases Efficiency with Zero Trust Networking at Scale Rethinking Network Access: qwertiko Goes Zero Trust with NetBird Optimizing Network Efficiency with NetBird's Lazy Connections Use Port Ranges in Access Control Policies Generic HTTP Endpoint for Network Events Streaming Zero-Trust Access to Internal Resources Without Installing Agents Enhance Network Visibility with NetBird’s Traffic Events Logging TrueNAS Made Easy - Install, Set Up, and Access From Anywhere Top 5 Alternatives for WireGuard Jump Hosts. Gateways for Remote Access NetBird Network Routes and Exit Nodes Security for All - SSO and MFA for Free Enhancing Network Access Control with NetBird's Identity Provider Feature Twingate vs. NetBird Limit Network Access Based on Running Applications FortiClient ZTNA vs. NetBird OpenVPN vs. NetBird Tailscale vs. NetBird Getting Started with an Azure Site-to-Site VPN Getting Started with an On-premise-to-AWS Site-to-Site VPN Secure Remote Access to VPCs, LANs, and Offices regreSSHion - A New OpenSSH Server Remote Code Execution Vulnerability Evolve Bank & Trust Data Breach. What Happened? What Is a Site-to-Site VPN? IPSec Tunneling Demystified. Enhancing Data Security Across Networks Understanding IPSec Tunnel and Transport Modes Understanding the Differences Between IKEv1 and IKEv2 Understanding the IKEv1 Protocol in IPSec ZeroTier versus NetBird - Which Should You Choose? AWS Lambda Serverless Security. Mistakes, Oversights, and Potential Vulnerabilities Using NetBird for Kubernetes Access Serverless Security Vulnerabilities and Best Practices to Mitigate Them Security Best Practices for Serverless Azure Functions A Guide to Remote Access Security for SMEs IoT Security Essentials. How to Achieve Secure Remote Access Open Source Zero Trust Networking Using SSH for Secure Remote Access How We Integrated Rosenpass in NetBird The First Quantum-Resistant Mesh VPN Using eBPF and XDP to Share Default DNS Port Between Multiple Resolvers
NetBird’s Response to Spear-Phishing Campaign Targeting Financial Executives
Written byMisha Bragin · 2025-05-29 · via NetBird - Networking Knowledge Hub - RSS Feed

Statement from the CEO of NetBird

We appreciate the diligent work by Trellix in uncovering the recent spear-phishing campaign that misused NetBird’s seamless connectivity.

First and foremost, we want to emphasize that there was no vulnerability in the NetBird platform exploited during this incident. Additionally, it's important to note that prior to installing NetBird and starting the service, administrative privileges are required. The malicious actor had already gained these administrative privileges to execute the involved VBS script, enabling them to proceed with the installation and NetBird service startup.

As Trellix clearly stated in their report, NetBird remains a legitimate and secure networking tool:

"In what appears to be a multi-stage phishing operation, the attackers aimed to deploy NetBird, a legitimate wireguard based remote-access tool on the victim's computer. In recent years, adversaries have increasingly relied on remote-access applications like this to establish persistence and further their way into the victim's network."

NetBird’s growing popularity, reliability, and simplicity have made it a go-to solution for teams and individuals around the world to securely connect to internal infrastructure. NetBird is also proudly open source, a core value that fosters transparency, trust, and collaboration within the community.

Unfortunately, that same accessibility and openness can sometimes be misused. As with many trusted open-source tools, it's disheartening to see NetBird misused by malicious actors — not due to any flaw in the platform, but because of the way it can be repurposed.

In response to this incident, our team acted immediately by investigating the reported activity, blocking the malicious actors, and terminating all related connections. We remain committed to ensuring that NetBird is a safe and trusted platform for all users.

We are continually improving our monitoring and abuse detection systems, and we encourage anyone with additional information or concerns to contact us at security@netbird.io .

What has happened?

The Trellix article titled A Flyby on the CFO's Inbox details a sophisticated spear-phishing campaign targeting CFOs and finance executives across multiple regions, including Europe, Africa, Canada, the Middle East, and South Asia. Attackers impersonated a Rothschild & Co recruiter, sending emails that led recipients through a deceptive CAPTCHA to download a ZIP file containing a malicious VBS script. This script installed NetBird and OpenSSH, created a hidden admin account, and enabled Remote Desktop Protocol (RDP), granting attackers persistent access to the victim's system.

Trellix's recommendations for CFOs and executive teams:

  • Treat unsolicited "opportunities" or cold-recruitment emails with skepticism, especially when they come with a ZIP or obscure download link.
  • Never bypass security warnings to enable content or scripts from downloads.
  • Report unusual contact attempts to security teams, even if the email seems "harmless." Early reporting is often what prevents compromise.

NetBird Investigation Summary

Following the incident, we examined the disclosed setup key used in the exploit and confirmed that it belonged to a user account within our hosted NetBird service. To verify its validity, we attempted to add a peer using the key, which was still active at the time. This allowed us to successfully identify the associated account.

As an immediate response, we:

  • Disabled the identified account
  • Revoked the setup key linked to the account
  • Ensured that no machines within the account could continue to communicate via NetBird

We then conducted a detailed investigation of the user and the associated account, uncovering the following:

  1. Account Creation Date: The account was created on March 25th, 2025.
  2. Setup Key Usage: The disclosed setup key was used 197 times over a period of 65 days to register machines.
  3. Network Policy: The account had a permissive policy in place, allowing unrestricted traffic and connectivity between all registered machines.
  4. SSH Access: NetBird SSH was not enabled on any of the connected machines. The malicious actor used an OpenSSH or other means of connectivity like RDP to access vulnerable machines.
  5. Account Ownership: The account had only one user associated with it; no additional users or administrators were present.

Conclusion

The account involved in the exploit appeared to be used in an automated or scripted manner, given the high number of peer registrations in a short period. The permissive network policy and absence of user oversight (i.e., no additional users or SSH configuration) suggest the account was likely created and maintained for opportunistic or unauthorized use. Our immediate containment actions successfully mitigated any ongoing risk from this account.