For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and uses GenAI to help build the dataset that feeds this website. Rows with weak intelligence (no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed stays data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information.

DDoS Attacks on Financial Sector Surge in Scale and Sophistication

Published: 2025-06-10

A report by the Financial Services Information Sharing and Analysis Center (FS-ISAC), produced with Akamai, documents a surge in both the scale and sophistication of DDoS attacks against the financial sector. The report, "From Nuisance to Strategic Threat: DDoS Attacks Against the Financial Sector", describes an "almost exponential rise in DDoS attacks" from 2014 to 2024, peaking at nearly 350 events in October 2024. Financial services was already the most targeted industry in 2023; in 2024 attacks on the sector grew faster still, widening the gap to other sectors. The report notes that "in 2024, threat actors increasingly employed advanced multi-vector DDoS strategies that incorporated systematic probing and adaptive tactics," analyzing defenses in real time to evade protections: attackers first probe to learn which mitigations are in place, then combine vectors to get around them. Pro-Palestinian hacktivist groups BlackMeta (aka DarkMeta) and RipperSec, along with the pro-Russian NoName057(16), are believed to be behind many of these attacks, driven by geopolitical tensions. The report recommends mitigations such as Geo-IP filtering, dynamic traffic shaping, and regular DDoS playbook tests.

Tags: DDoS Attacks, Financial Services, FS-ISAC, Akamai, Threat Intelligence, Mitigation Strategies, Hacktivism

Categories: Cyber Threat Intelligence, DDoS Mitigation, Financial Cybersecurity

Threat Actor: BlackMeta, RipperSec, NoName057(16)

Actor Aliases: DarkMeta

Exploit Method: Multi-Vector DDoS Attacks with Systematic Probing and Adaptive Tactics; Application-Layer DDoS Attacks

MITRE ATT&CK TTP: Impact (TA0040) Network Denial of Service (T1498); Impact (TA0040) Endpoint Denial of Service (T1499); Reconnaissance (TA0043) Active Scanning (T1595)

Involved Countries: Australia, Ukraine

Affected Industries: Financial Services, Gaming, Manufacturing, High Technology

40,000 cameras expose feeds to datacenters, health clinics • The Register

Published: 2025-06-10

A Bitsight report finds that roughly 40,000 internet-connected cameras worldwide are exposing live feeds, with implications for both national security and individual privacy. "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea, and yet thousands of them are still accessible," Bitsight writes. The US is the most affected country, with around 14,000 exposed feeds, including cameras inside datacenters, healthcare facilities, and factories. Such feeds could be used for espionage, mapping physical blind spots, or gleaning trade secrets. The researchers reached both HTTP- and RTSP-based cameras with methods ranging from simply opening the feed in a web browser to identifying and testing specific stream URIs; no exploitation was required, since the devices serve their feeds without authentication. HTTP-based cameras accounted for 78.5% of the exposed feeds. The report also echoes earlier DHS warnings about Chinese espionage, noting that exposed cameras, particularly those of Chinese origin, could be used to "exfiltrate sensitive process data that an actor could use for attack planning or disrupting business systems." Bitsight further reports that cybercriminals are actively seeking access to these feeds for purposes such as stalking and extortion.
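The check behind the "HTTP and RTSP" finding above is simple to reproduce against your own address space. The following is an added example, not Bitsight's tooling: it sends an RTSP DESCRIBE with no credentials and classifies the reply (an open camera answers 200 with an SDP body listing media tracks; a protected one answers 401), and does the equivalent for HTTP by looking for an MJPEG or JPEG content type on a 200. The stream paths are an assumption (the report does not publish the URIs it tested), and the sample replies are constructed.

```python
"""Classify whether an internet-facing camera answers without credentials.

Added example for auditing your own address space; not Bitsight's tooling.
The path list is an assumption and the sample replies below are constructed.
"""
import socket
from typing import List

# Paths commonly served by IP cameras (assumed, not exhaustive).
COMMON_RTSP_PATHS: List[str] = ["/", "/live", "/stream1", "/h264", "/cam/realmonitor"]


def build_describe(url: str, cseq: int = 1) -> bytes:
    """RTSP DESCRIBE with no Authorization header: an open camera answers 200 + SDP."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: exposure-audit/0.1\r\n"
        "\r\n"
    ).encode("ascii")


def classify_rtsp_response(raw: bytes) -> str:
    """Turn a raw RTSP reply into an exposure verdict."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "not-rtsp"
    code = int(parts[1])
    if code == 200:
        # A real stream advertises its media tracks (m=video / m=audio) in the SDP.
        return "open-stream" if b"m=video" in body or b"m=audio" in body else "open-no-media"
    if code == 401:
        return "auth-required"
    if code == 404:
        return "no-such-stream"
    return f"other-{code}"


def classify_http_response(raw: bytes) -> str:
    """Same idea for HTTP cameras: a 200 whose body is MJPEG or a JPEG snapshot is an open feed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii", "replace").split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return "not-http"
    code = int(parts[1])
    if code == 401:
        return "auth-required"
    if code != 200:
        return f"other-{code}"
    ctype = b""
    for ln in lines[1:]:
        if ln.lower().startswith(b"content-type:"):
            ctype = ln.split(b":", 1)[1].strip().lower()
    if ctype.startswith(b"multipart/x-mixed-replace") or ctype.startswith(b"image/jpeg"):
        return "open-stream"
    return "open-web-ui"  # a login page or config UI, not a feed, but still worth a look


def probe_rtsp(host: str, port: int = 554, path: str = "/", timeout: float = 3.0) -> str:
    """Send one unauthenticated DESCRIBE to a host you are authorised to test."""
    url = f"rtsp://{host}:{port}{path}"
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_describe(url))
        try:
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass  # camera kept the connection open; classify what we have
    return classify_rtsp_response(b"".join(chunks))


# Constructed replies standing in for live targets.
OPEN_RTSP = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
    b"v=0\r\no=- 1 1 IN IP4 0.0.0.0\r\ns=cam\r\nm=video 0 RTP/AVP 96\r\n"
)
PROTECTED_RTSP = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="cam", nonce="abc"\r\n\r\n'
)
OPEN_MJPEG = b"HTTP/1.1 200 OK\r\nContent-Type: multipart/x-mixed-replace; boundary=frame\r\n\r\n"

if __name__ == "__main__":
    for name, raw in [("open rtsp", OPEN_RTSP), ("protected rtsp", PROTECTED_RTSP), ("mjpeg", OPEN_MJPEG)]:
        fn = classify_http_response if raw.startswith(b"HTTP/") else classify_rtsp_response
        print(f"{name:15s} -> {fn(raw)}")
```

Run `probe_rtsp(host, path=p)` over `COMMON_RTSP_PATHS` for each camera you own; any "open-stream" verdict means the device needs credentials or a firewall rule, and "open-web-ui" on the HTTP side is a web interface exposed to the internet that deserves the same treatment.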

Tags: IoT Security, Camera Hacking, Espionage, Privacy Violation, Vulnerability Disclosure, Chinese Espionage

Categories: Vulnerability Management, Threat Intelligence, Privacy

Threat Actor: Chinese Spies, Cybercriminal Underground

Exploit Method: Unauthenticated Camera Feed Access via HTTP/RTSP

MITRE ATT&CK TTP: Initial Access (TA0001) Exploit Public-Facing Application (T1190); Collection (TA0009) Video Capture (T1125)

Exploited Software: HTTP-based cameras, RTSP cameras, Chinese-made cameras

Involved Countries: US, China

Affected Industries: Healthcare, Manufacturing, Data Centers, Energy, Chemical, Retail

The Evolution of Linux Binaries in Targeted Cloud Operations

Published: 2025-06-10

Unit 42 researchers are tracking the evolution of ELF-based malware aimed at cloud infrastructure and predict a rise in sophisticated attacks built on reworked Linux tooling. According to the report, "threat actors targeting cloud environments will start using more complex tools in their exploits," including backdoors, RATs, and data wipers. The researchers analyzed five ELF malware families, NoodleRAT, Winnti, SSHdInjector, Pygmy Goat, and AcidPour, and observed "at least two significant code updates within the last year" for each, a sign of active development. Several of these families achieve persistence and stealthy command and control by hijacking the dynamic linker via `LD_PRELOAD`, so a preloaded shared object is loaded into every new process, or by injecting into sshd, as SSHdInjector's name suggests. Razing Ursa (Sandworm) uses AcidPour, a wiper for Linux x86 systems. The Chinese-speaking group Rocke and suspected nation-state actors associated with the Cloud Snooper campaign are linked to NoodleRAT, while Winnti is reportedly used by the China-nexus groups Starchy Taurus and Nuclear Taurus. The report also states that "cloud-based alerts increased on average 388% during 2024," and that "45% of organizations are reporting a rise in advanced persistent threat (APT) attacks."
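Dynamic linker hijacking leaves marks in three places, and a hunt can check all of them from collected artefacts. The following is an added example and not Unit 42's code: it reads `/etc/ld.so.preload`, `LD_PRELOAD` entries in `/proc/<pid>/environ`, and `/proc/<pid>/maps` for shared objects loaded from directories a package manager never writes to (which also catches an injected library of the SSHdInjector kind). The trusted-directory baseline and the sample artefacts are assumptions.

```python
"""Hunt for LD_PRELOAD-style dynamic linker hijacking on a Linux host.

Added example, not Unit 42's code. Functions take text so they run offline
on collected artefacts; collect_live() reads /proc on the current host.
The trusted-directory baseline and the sample artefacts are assumptions.
"""
import os
import re
from typing import Dict, List

# Where packaged shared objects live (assumed baseline; extend for your distro).
TRUSTED_LIB_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64", "/usr/local/lib")

# /proc/<pid>/maps: address perms offset dev inode [pathname]
_MAPS_RE = re.compile(r"^\S+ \S+ \S+ \S+ \S+\s+(.+?)\s*$")


def preload_file_entries(text: str) -> List[str]:
    """Libraries listed in /etc/ld.so.preload. On a clean host the file is absent or empty."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def env_preload(environ_blob: bytes) -> List[str]:
    """LD_PRELOAD values in a NUL-separated /proc/<pid>/environ blob."""
    prefix = b"LD_PRELOAD="
    return [item[len(prefix):].decode("utf-8", "replace")
            for item in environ_blob.split(b"\0") if item.startswith(prefix)]


def untrusted_mapped_objects(maps_text: str) -> List[str]:
    """Shared objects in /proc/<pid>/maps that come from outside TRUSTED_LIB_DIRS.
    A mapping marked '(deleted)' means the file was removed after loading, a
    common anti-forensics trick, so the suffix is kept in the report."""
    found = set()
    for line in maps_text.splitlines():
        m = _MAPS_RE.match(line)
        if not m:
            continue  # anonymous mapping, no backing file
        path = m.group(1)
        bare = path.replace(" (deleted)", "")
        if not (bare.endswith(".so") or ".so." in bare):
            continue
        if not any(bare.startswith(d + "/") for d in TRUSTED_LIB_DIRS):
            found.add(path)
    return sorted(found)


def assess(preload_text: str, environs: Dict[int, bytes], maps: Dict[int, str]) -> List[str]:
    """Combine the three signals into finding strings (empty list = nothing seen)."""
    findings = [f"/etc/ld.so.preload lists {p}" for p in preload_file_entries(preload_text)]
    for pid, blob in environs.items():
        findings += [f"pid {pid} has LD_PRELOAD={v}" for v in env_preload(blob)]
    for pid, text in maps.items():
        findings += [f"pid {pid} maps untrusted object {p}" for p in untrusted_mapped_objects(text)]
    return findings


def collect_live() -> List[str]:
    """Run assess() against the local /proc (root is needed to read other users' environ)."""
    preload = ""
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            preload = fh.read()
    environs, maps = {}, {}
    for pid in (p for p in os.listdir("/proc") if p.isdigit()):
        try:
            with open(f"/proc/{pid}/environ", "rb") as fh:
                environs[int(pid)] = fh.read()
            with open(f"/proc/{pid}/maps") as fh:
                maps[int(pid)] = fh.read()
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # process exited or is not ours to inspect
    return assess(preload, environs, maps)


# Constructed artefacts standing in for a compromised host.
SAMPLE_PRELOAD = "# added by nobody\n/tmp/.x/libhook.so\n"
SAMPLE_ENVIRON = {4242: b"PATH=/usr/bin\0LD_PRELOAD=/tmp/.x/libhook.so\0HOME=/root\0"}
SAMPLE_MAPS = {4242: (
    "7f00c0000000-7f00c01c0000 r-xp 00000000 08:01 131 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
    "7f00c0400000-7f00c0402000 r-xp 00000000 08:01 999 /tmp/.x/libhook.so (deleted)\n"
    "7ffd1a000000-7ffd1a021000 rw-p 00000000 00:00 0\n"
)}

if __name__ == "__main__":
    for finding in assess(SAMPLE_PRELOAD, SAMPLE_ENVIRON, SAMPLE_MAPS):
        print("FINDING:", finding)
```

On a live host, `collect_live()` does the same walk over `/proc`; a non-empty `/etc/ld.so.preload` is by itself worth an alert on a server, since nothing in a standard install writes to it.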

Tags: ELF Malware, Cloud Security, Linux, Malware Analysis, Threat Hunting, NoodleRAT, Winnti, SSHdInjector, Pygmy Goat, AcidPour, Cloud Detection and Response (CDR)

Categories: Cloud Security, Malware Analysis, Threat Intelligence

Threat Actor: Rocke, Razing Ursa, Starchy Taurus, Nuclear Taurus, Digging Taurus

Actor Aliases: Sandworm, Voodoo Bear, Winnti Group, BARIUM, Tumbleweed Typhoon, THORIUM, Bronze Vapor, Daggerfly, Evasive Panda

Exploit Method: LD_PRELOAD hijacking; Port Knocking and Magic Bytes in SSH Traffic

Vulnerabilities: CVE-2022-1040

MITRE ATT&CK TTP: Persistence (TA0003) Hijack Execution Flow: Dynamic Linker Hijacking (T1574.006); Defense Evasion (TA0005) Indicator Removal (T1070); Defense Evasion (TA0005) Process Injection (T1055); Impact (TA0040) Disk Wipe (T1561)

Exploited Software: Sophos XG firewall devices, sshd (malware families covered: NoodleRAT, Winnti, SSHdInjector, Pygmy Goat, AcidPour)

Involved Countries: China, Thailand, India, Japan, Malaysia, Taiwan, Russia

Affected Industries: Telecommunications, Healthcare, Transportation, Industrial Control Systems

HIGH Vulnerabilities (1)

CVE-2022-1040    CVSS v2: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 94.42%    Percentile: 100%
The score and vector shown are CVSS v2, which is why this authentication bypass in the Sophos Firewall User Portal and Webadmin lands in the HIGH bucket; NVD scores it 9.8 (Critical) under CVSS v3.1 and it is on CISA's Known Exploited Vulnerabilities list, so the EPSS figure is the more useful signal here.

Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises

Published: 2025-06-10

A campaign by the APT group Rare Werewolf (aka Librarian Ghouls, Rezet) has hit hundreds of Russian users at industrial enterprises and engineering schools, with some infections in Belarus and Kazakhstan. Kaspersky reports that the threat actor "favor[s] using legitimate third-party software over developing their own malicious binaries," relying on Windows command (.cmd) files and PowerShell scripts for the malicious functionality. The group, active since at least 2019, gains initial access via phishing emails, then steals data and credentials while deploying the XMRig cryptocurrency miner. The attack chain starts with password-protected archives containing executable files. The legitimate tool 4t Tray Minimizer is used to "obscure their presence on the compromised system," and Defender Control (to switch off Windows Defender) and Blat (to send stolen data via SMTP) are also deployed. For remote access the group relies on AnyDesk, with a scheduled task that wakes the victim system at 1 a.m. and a shutdown at 5 a.m., giving a four-hour window while the user is away. Kaspersky notes that using legitimate software makes detection and attribution harder: "All of the malicious functionality still relies on the installer, command, and PowerShell scripts."
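The 1 a.m. wake-up is the most detectable part of that chain, because it has to be written into a scheduled task. The following is an added example, not Kaspersky's tooling: it parses Task Scheduler XML (what `schtasks /query /tn <name> /xml` or `Export-ScheduledTask` emits) and flags tasks that combine `WakeToRun` with a night-time `StartBoundary` and an action that launches a remote-access or scripting binary. The binary list, the night window, and both sample tasks are assumptions.

```python
"""Flag scheduled tasks that wake a machine for an off-hours remote-access window.

Added example, not Kaspersky's tooling. The binary list, night window and
sample tasks are assumptions; the XML schema is the standard Task Scheduler one.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Tuple

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Executables worth flagging when launched from a wake-on-schedule task (assumed list).
SUSPECT_BINARIES = ("anydesk", "powershell", "pwsh", "cmd.exe", "shutdown")


@dataclass
class Finding:
    task: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Waking the box on its own is benign (backups do it); waking it to run a
        # remote-access or scripting binary is the pattern described above.
        wakes = any(r.startswith("WakeToRun") for r in self.reasons)
        launches = any(r.startswith("action launches") for r in self.reasons)
        return wakes and launches


def analyse_task(xml_text: str, task_name: str, night: Tuple[int, int] = (0, 6)) -> Finding:
    """Inspect one exported task; `night` is the [start, end) hour range treated as off-hours."""
    root = ET.fromstring(xml_text)
    f = Finding(task_name)
    wake = root.findtext("t:Settings/t:WakeToRun", default="false", namespaces=NS)
    if wake.strip().lower() == "true":
        f.reasons.append("WakeToRun is enabled")
    for sb in root.iterfind(".//t:StartBoundary", NS):
        # StartBoundary is ISO 8601 local time, e.g. 2025-06-01T01:00:00
        if sb.text and "T" in sb.text:
            hour = int(sb.text.split("T", 1)[1][:2])
            if night[0] <= hour < night[1]:
                f.reasons.append(f"starts at {hour:02d}:00, inside the night window")
    for exe in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        full = f"{cmd} {args}".lower()
        for binary in SUSPECT_BINARIES:
            if binary in full:
                f.reasons.append(f"action launches {binary}: {cmd}")
    return f


# Constructed task XML modelled on the 1 a.m. wake-up described above.
WAKE_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-06-01T01:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Settings><WakeToRun>true</WakeToRun></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files (x86)\AnyDesk\AnyDesk.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed benign task: also wakes the machine at night, but to run a backup binary.
BACKUP_TASK = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-06-01T02:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Settings><WakeToRun>true</WakeToRun></Settings>
  <Actions><Exec><Command>C:\Backup\nightly.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for name, xml in [("wake-anydesk", WAKE_TASK), ("nightly-backup", BACKUP_TASK)]:
        result = analyse_task(xml, name)
        print(f"{name}: {'SUSPICIOUS' if result.suspicious else 'ok'} {result.reasons}")
```

When feeding real exports, read the file as bytes before passing it in, since `schtasks /query /xml` writes UTF-16 with a matching XML declaration; and pair this with a look at the companion shutdown task, which on its own looks like housekeeping.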

Tags: Malware, Phishing, Russia, Advanced Persistent Threat, Cryptocurrency mining, Data theft, PowerShell, LockBit Ransomware, Cybercrime, Kaspersky

Categories: Threat Intelligence, Incident Response, Cybersecurity

Threat Actor: Rare Werewolf, DarkGaboon

Actor Aliases: Rare Wolf, Librarian Ghouls, Rezet

Exploit Method: Phishing for Initial Access; Use of Legitimate Software for Malicious Purposes; Scheduled Task Abuse for Remote Access

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing (T1566); Initial Access (TA0001) Valid Accounts (T1078); Execution (TA0002) Command and Scripting Interpreter (T1059), PowerShell (T1059.001), Windows Command Shell (T1059.003); Execution (TA0002) Scheduled Task/Job (T1053); Defense Evasion (TA0005) Impair Defenses: Disable or Modify Tools (T1562.001); Command and Control (TA0011) Ingress Tool Transfer (T1105); Command and Control (TA0011) Remote Access Software (T1219); Exfiltration (TA0010) Exfiltration Over Alternative Protocol (T1048); Impact (TA0040) Resource Hijacking (T1496); Impact (TA0040) Data Encrypted for Impact (T1486)

Exploited Software: AnyDesk, LockBit 3.0, Defender Control, 4t Tray Minimizer

Involved Countries: Russia, Belarus, Kazakhstan, Ukraine

Affected Industries: Industrial enterprises, Engineering schools

Five plead guilty to laundering $36 million stolen in investment scams

Published: 2025-06-10

Five individuals from China, the U.S., and Turkey have pleaded guilty to laundering nearly $37 million stolen from U.S. victims in cryptocurrency investment scams run out of Cambodia. The scammers used social media, phone calls, and dating services to build trust before promoting fraudulent digital asset investments. According to the article, the scammers falsely claimed that "the victims' funds' value increased after they tricked them into investing, when, in fact, their money was stolen." Victims' funds were routed to an account at Deltec Bank in the Bahamas held in the name of Axis Digital Limited. Joseph Wong, Yicheng Zhang, Jose Somarriba, Shengsheng He, and Jingliang Su laundered the money through U.S. shell companies, international bank accounts, and digital asset wallets. Wong led the Los Angeles-based laundering network; Somarriba and He founded Axis Digital, and Su handled cryptocurrency conversions and transfers. The funds were converted to Tether (USDT) and sent to scam center leaders in Cambodia. Wong and Zhang pleaded guilty to money laundering conspiracy, which carries up to 20 years in prison; Somarriba, He, and Su pleaded guilty to conspiracy to operate an unlicensed money services business, which carries up to 5 years. The case is part of a larger trend: the FBI reports that investment scammers stole over $6.5 billion in 2024.

Tags: Money Laundering, Cryptocurrency, Investment Scam, Pig Butchering, Cybercrime

Categories: Financial Crime, Cybersecurity Awareness

Threat Actor: Daren Li, Yicheng Zhang, Joseph Wong, Jose Somarriba, Shengsheng He, Jingliang Su

Exploit Method: Pig Butchering/Romance Baiting

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing (T1566); Initial Access (TA0001) Valid Accounts (T1078)

Exploited Software: Hedera Hashgraph wallets

Involved Countries: China, United States, Turkey, Cambodia, Bahamas, Germany

Affected Industries: Financial Services, Cryptocurrency, IT

Virus Bulletin :: What cybersecurity experts are talking about in 2025

Published: 2025-06-10

In 2025, cybersecurity experts are grappling with sophisticated and evolving threats. EclecticIQ researchers uncovered a Sandworm (APT44) campaign targeting Ukrainian users with trojanized Microsoft KMS activators and fake Windows updates. The campaign distributed malware families including BACKORDER and Kalambur, a novel backdoor with redundant persistence mechanisms, among them a Tor-based reverse shell. According to the article, this shows "how widespread software piracy within a nation can be weaponized as a scalable and low-cost initial access vector." Check Point Research found attackers using thousands of variants of a vulnerable legacy driver to disable EDR and AV products, a bring-your-own-vulnerable-driver pattern, primarily against victims in China and elsewhere in Asia. TeamT5 identified a new APT41-linked malware variant, Calendarwalk, which abuses Google Calendar events for command and control. "This malware employs tactics not previously observed within the APT landscape, including abuse of LOTS via Google Calendar events and exploitation of LOLBins through Windows Workflow Foundation," the article states (LOTS, living off trusted sites, hides C2 inside traffic to a service defenders already allow). SecurityScorecard's analysis of "Phantom Circuit" showed the Lazarus Group infiltrating development tools for a supply chain attack on the cryptocurrency and technology sectors. The Dutch National Police investigated the Playboy ransomware, which operates under a RaaS model.

Tags: APT44, Sandworm, Malware, Ransomware, Supply Chain Attack, Lazarus Group, APT41, Living off the Land, Vulnerable Driver

Categories: Threat Intelligence, APT, Malware Analysis, Vulnerability Management

Threat Actor: Sandworm, APT41, Lazarus Group, LockBit group

Actor Aliases: APT44 (the remaining entries in this field are malware, campaign, or ransomware names rather than actor aliases: DodgeBox, StealthVector, CurveBack, MoonWalk, Chatloader, Tabbywalk, Playboy ransomware, Phantom Circuit)

Exploit Method: Weaponized Pirated Software (Sandworm); Legacy Driver Abuse (Check Point Research); LOTS/LOLBins Exploitation (Calendarwalk); Supply Chain Attack (Phantom Circuit); Ransomware-as-a-Service (Playboy Ransomware)

MITRE ATT&CK TTP: Initial Access (TA0001) Supply Chain Compromise (T1195); Initial Access (TA0001) Valid Accounts (T1078); Execution (TA0002) Command and Scripting Interpreter (T1059), Windows Command Shell (T1059.003); Defense Evasion (TA0005) Obfuscated Files or Information (T1027); Defense Evasion (TA0005) Deobfuscate/Decode Files or Information (T1140); Defense Evasion (TA0005) Impair Defenses: Disable or Modify Tools (T1562.001); Command and Control (TA0011) Application Layer Protocol (T1071); Command and Control (TA0011) Web Service (T1102); Command and Control (TA0011) Proxy (T1090); Command and Control (TA0011) Ingress Tool Transfer (T1105)

Exploited Software: Microsoft KMS activators, Windows Updates (fake), Legacy Driver (Vulnerable), Windows Workflow Foundation (WF), Development applications (unspecified)

Involved Countries: Ukraine, China, Russia, Netherlands, North Korea

Affected Industries: Cryptocurrency, Technology

OpenAI working to fix ChatGPT outage affecting users worldwide

Published: 2025-06-10

OpenAI is working to resolve a widespread ChatGPT outage that is preventing users worldwide from accessing the service via web, mobile, and desktop applications. OpenAI's status page first said, "Some users are experiencing elevated error rates and latency across the listed services. We are investigating," and later, "We have identified the root cause for the issue causing elevated errors and latency across the listed services. We are working on implementing a mitigation." Users report errors such as "Hmm...something seems to have gone wrong," "too many concurrent requests," and "error in message stream." The outage, now almost seven hours long, also affects OpenAI's APIs and the Sora video and image generation model, and Downdetector has received tens of thousands of reports. Perplexity AI, which uses OpenAI's models, reports related "slowness and elevated error rates." A similar outage in April affected millions of ChatGPT users with "Something went wrong while generating the response" errors. OpenAI has not disclosed the root cause; its status updates describe elevated error rates and latency rather than any security incident.

Tags: ChatGPT, Outage, OpenAI, Error Messages, Sora

Categories: Incident Response, Availability

Exploit Method: none reported (availability incident; OpenAI has not disclosed the root cause)

Affected Industries: Technology

The Hidden Threat in Your Stack: Why Non-Human Identity Management is the Next Cybersecurity Frontier

Published: 2025-06-10

According to a recent article in The Hacker News, "Non-human identities have become a focus for teams based on the maturity of their identity and access management programs". The article highlights the increasing risks associated with Non-Human Identities (NHIs) like API keys, service accounts, and OAuth tokens, particularly in cloud environments. "Forty-six percent of organizations have experienced compromises of NHI accounts or credentials over the past year," emphasizing the urgency of the issue. Attackers exploit leaked secrets, often found in public repositories like GitHub, and the excessive privileges commonly assigned to NHIs. The Internet Archive breaches in October 2024, "tied to unrotated tokens", serve as a stark example of the potential impact. CISOs face challenges in gaining visibility into NHIs, prioritizing risks, and establishing governance. Mark Sutton, CISO at Bain Capital, notes, "It's about understanding the blast radius associated with each non-human identity and asking 'what's the risk?' Not all NHIs carry the same threat." The article advocates for a unified approach to managing both human and non-human identities to mitigate these escalating cybersecurity risks.
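The two failure modes above, secrets committed to repositories and tokens that are never rotated, are both mechanical to check for. The following is an added example and not code from the article: it scans text for credentials by known prefix (AWS access key IDs start with AKIA, GitHub classic personal access tokens with ghp_, Slack tokens with xox) plus a generic key=value pattern gated by Shannon entropy so placeholders such as `changeme` do not fire, and it lists inventory entries older than a rotation window. The sample file and the credential inventory are constructed.

```python
"""Spot leaked machine credentials in text and flag tokens past their rotation window.

Added example, not from the article. The sample .env and the inventory are
constructed; AKIAIOSFODNN7EXAMPLE is AWS's documented example key ID.
"""
import math
import re
from collections import Counter
from datetime import date
from typing import Dict, List, Tuple

SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "slack_token": re.compile(r"\bxox[abp]-[0-9A-Za-z-]{10,}\b"),
    # KEY = "value": only the value is captured, then entropy-filtered below.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"),
}


def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens sit around 4-5, words and placeholders much lower."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def find_secrets(text: str, min_entropy: float = 3.5) -> List[Tuple[str, str]]:
    """Return (pattern name, value) for every credential-looking string in text."""
    hits: List[Tuple[str, str]] = []
    seen = set()
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if value in seen:
                continue  # already reported by a more specific pattern
            if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue  # "aaaa..." style placeholder, not a real secret
            seen.add(value)
            hits.append((name, value))
    return hits


def stale_credentials(inventory: Dict[str, date], today: date, max_age_days: int = 90) -> List[str]:
    """Names of NHI credentials older than the rotation window."""
    return sorted(name for name, created in inventory.items()
                  if (today - created).days > max_age_days)


# Constructed .env that was "accidentally" committed.
SAMPLE_ENV = """# constructed sample
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
DB_PASSWORD=changeme
SECRET=aaaaaaaaaaaaaaaaaaaaaaaa
API_KEY="k7Qp2vX9mLz4RwTb8NcY3HdF6Ja1GsE5"
GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz
"""

# Constructed inventory: credential name -> date it was issued.
SAMPLE_INVENTORY = {
    "ci-deploy-token": date(2024, 9, 1),
    "helpdesk-api-token": date(2022, 1, 10),
    "prod-db-service-account": date(2025, 5, 20),
}
TODAY = date(2025, 6, 10)

if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE_ENV):
        print(f"leaked {kind}: {value[:6]}...")
    for name in stale_credentials(SAMPLE_INVENTORY, TODAY):
        print(f"rotate: {name} is past the 90-day window")
```

Wire `find_secrets` into a pre-commit hook or CI step so the check runs before a token ever reaches a remote; the entropy gate is what keeps the generic pattern from paging you about every `PASSWORD=changeme` in a test fixture. The inventory half only works if someone records when each credential was issued, which is the visibility gap the article describes.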

Tags: Non-Human Identity, API Security, OAuth, Application Security, Access Management, DevOps, Cloud Security

Categories: Identity Management, Cybersecurity, Enterprise Security

Exploit Method: Secret Leakage; Over-Privileged NHIs; Unrotated Credentials

MITRE ATT&CK TTP: Credential Access (TA0006) Unsecured Credentials (T1552); Discovery (TA0007) File and Directory Discovery (T1083)

Exploited Software: Internet Archive (unrotated tokens, October 2024)

Affected Industries: Technology

Researcher Found Flaw to Discover Phone Numbers Linked to Any Google Account

Published: 2025-06-10

A security flaw discovered by researcher "brutecat" allowed anyone to uncover the phone number linked to a Google account. The vulnerability sat in a deprecated, no-JavaScript version of Google's username recovery form that lacked the anti-abuse protections of the current form. By bypassing the form's CAPTCHA-based rate limiting, an attacker could brute-force the phone number associated with a target account. As the article describes, the chain starts by leaking the target's Google account display name via Looker Studio, then running the "forgot password flow for a target email address to get the masked phone number with the last 2 digits displayed to the attacker (e.g., •• ••••••03)." Because the recovery form reveals whether a given number and display name match an account, the masked digits shrink the search space enough for brute force: brutecat showed that a Singapore number could be unmasked in about 5 seconds and a U.S. number in about 20 minutes. With the number in hand, an attacker can attempt SIM swapping and password resets against the account. Google fixed the issue on June 6, 2025, following responsible disclosure on April 14, 2025, and awarded a $5,000 bug bounty.
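The lesson for anyone running an account-recovery flow is where the rate limit is keyed. The following is an added example and not Google's fix: it models the brute force described above, one victim account, candidate numbers arriving from many source addresses, and compares a limiter keyed on the source with one keyed on the target. The assumption is that the rate-limit bypass works by spreading requests across sources; a per-source limiter cannot see that, a per-target limiter can.

```python
"""Rate-limit recovery guesses per target account, not per source address.

Added example, not Google's fix. The simulation and the address format are
assumptions; the point is which key the limiter counts against.
"""
from collections import defaultdict, deque
from typing import Callable, Deque, Dict


class GuessLimiter:
    """Sliding-window limiter: at most max_attempts per key per window_s seconds."""

    def __init__(self, key: Callable[[str, str], str], max_attempts: int, window_s: float):
        self.key, self.max_attempts, self.window_s = key, max_attempts, window_s
        self.log: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, source: str, target: str, now: float) -> bool:
        k = self.key(source, target)
        q = self.log[k]
        while q and now - q[0] >= self.window_s:
            q.popleft()  # drop attempts that fell outside the window
        if len(q) >= self.max_attempts:
            return False  # caller should require step-up verification here
        q.append(now)
        return True


def by_source(source: str, target: str) -> str:
    """The usual choice: counts guesses per client address."""
    return f"src:{source}"


def by_target(source: str, target: str) -> str:
    """Counts guesses against the account being attacked, whoever sends them."""
    return f"tgt:{target}"


def simulate(limiter: GuessLimiter, target: str, sources: int, guesses_per_source: int) -> int:
    """How many guesses get through when `sources` addresses each submit
    `guesses_per_source` candidate numbers for the same target inside one window."""
    allowed, t = 0, 0.0
    for s in range(sources):
        for _ in range(guesses_per_source):
            t += 0.001  # 1 ms apart, so every attempt lands inside the window
            if limiter.allow(f"2001:db8::{s:x}", target, t):
                allowed += 1
    return allowed


if __name__ == "__main__":
    for name, keyfn in [("per-source", by_source), ("per-target", by_target)]:
        lim = GuessLimiter(keyfn, max_attempts=5, window_s=60)
        got = simulate(lim, "victim@example.com", sources=1000, guesses_per_source=5)
        print(f"{name}: {got} of 5000 guesses accepted")
```

Per-source, 1,000 addresses each staying under the limit get all 5,000 guesses through; per-target, the sixth guess against the victim is refused no matter where it comes from. In production both keys should exist, with the per-target budget being the one that triggers step-up verification rather than just a CAPTCHA.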

Tags: Vulnerability, API Security, Google, Bug Bounty, JavaScript, Privacy, SIM Swapping, YouTube, Threat Intelligence

Categories: Vulnerability Management, Application Security

Exploit Method: Account Recovery Phone Number Brute-Force; YouTube Channel Email Address Exposure via API Chaining; YouTube Partner Program Email Address Disclosure via Access Control Issue

MITRE ATT&CK TTP: Credential Access (TA0006) Brute Force (T1110); Initial Access (TA0001) Exploit Public-Facing Application (T1190); Initial Access (TA0001) Valid Accounts (T1078)

Exploited Software: accounts.google[.]com/signin/usernamerecovery (deprecated no-JavaScript form); YouTube API get_creator_channels endpoint

Involved Countries: Singapore, United States

Affected Industries: Technology, Media and Entertainment

Online orders working again at M&S, 46 days later • The Register

Published: 2025-06-10

Marks & Spencer (M&S) has partially restored its online ordering system 46 days after a cyberattack forced its shutdown. "Select fashion ranges [are] now available to buy online" in England, Scotland, and Wales, though deliveries to Northern Ireland are still unavailable, and standard shipping is delayed. The company confirmed customer data was stolen, with rumors strongly suggesting the attack involved DragonForce ransomware, though M&S has not officially confirmed this. The attack's impact includes an estimated £300 million ($404.7 million) dent in operating profits for the next financial year. M&S also expects to make a maximum claim on its cyber insurance policy worth around £100 million ($134 million). The disruption caused a significant drop in M&S's share price, wiping over £1 billion ($1.3 billion) off its market valuation. While Click & Collect, next day delivery, nominated day delivery, and international ordering remain unavailable, CEO Stuart Machin said M&S would use the "opportunity" to accelerate the company's digital transformation.

Tags: Cyberattack, Ransomware, Data Breach, Financial Impact, Incident Response

Categories: Cybersecurity Incident Response, Data Breach Investigation, Business Continuity and Disaster Recovery

Threat Actor: DragonForce (reported, not confirmed by M&S)

Exploit Method: DragonForce Ransomware (reported)

MITRE ATT&CK TTP: Impact (TA0040) Data Encrypted for Impact (T1486); initial access vector not disclosed

Exploited Software: Marks & Spencer Online Ordering System

Involved Countries: United Kingdom

Affected Industries: Retail
