For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed is data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information. Recent bug fixes: 6/29/25 - resolved an issue where updates to the AI model caused objects instead of raw text in the TTP fields. Next feature: adding a pop-up evidence window to view decision evidence (why was x value chosen?) for the values of each article.

CISA and partners take action as Microsoft Exchange security risks mount

Published: 2025-10-31

CISA and its partners, including the NSA, are urging organizations to address mounting security risks associated with on-premises Microsoft Exchange Server, especially as Exchange Server 2016 and 2019 reach end-of-life. The agencies recommend migrating to Exchange Server Subscription Edition (SE) or an alternative supported email service. Germany's BSI reports that "92% of the approximately 33,000 on-premises Exchange servers in Germany are still running Outlook Web Access 2019 or earlier", highlighting the widespread vulnerability. For organizations continuing to use unsupported versions, CISA advises keeping Exchange Server instances off the public internet and isolating them within a dedicated network segment. CISA emphasizes that these are not comprehensive hardening guides, and organizations should actively monitor for compromises. CISA's Nick Andersen recommends that organizations "evaluate the use of cloud-based email services instead of managing the complexities associated with hosting their own communication services." AJ Grotto criticized Microsoft's security posture, stating, "The fact that a multilateral coalition of security and intelligence agencies felt obligated to produce something like this is a devastating commentary on Microsoft's security posture."

Tags: Microsoft Exchange, CISA, Vulnerability Management, Security Best Practices, NSA

Categories: Vulnerability Management, Cybersecurity Guidance & Best Practices

Exploit Method: Targeting of Microsoft Exchange Servers, Unsupported Microsoft Exchange Exploitation

MITRE ATT&CK TTP: Initial Access (TA0001): Valid Accounts (T1078); Initial Access (TA0001): Exploit Public-Facing Application (T1190)

Exploited Software: Microsoft Exchange Server, Outlook Web Access 2019 or earlier

Involved Countries: United States, Germany

Affected Industries: Healthcare, Education, Legal, Utilities, Government

Infosec products of the month: October 2025

Published: 2025-10-31

October 2025 saw significant cybersecurity developments, including the exploitation of a WSUS vulnerability (CVE-2025-59287) to deliver the "Skuld infostealer." Attackers leveraged this vulnerability to compromise systems and exfiltrate sensitive information. The article notes, "Attackers exploiting WSUS vulnerability drop Skuld infostealer," highlighting the active exploitation of known weaknesses. Another key area of concern is "Shadow AI," with the article stating, "New ideas emerge to tackle an old problem in new form." This refers to the increasing difficulty in auditing and controlling the use of AI within organizations, leading to potential privacy and security risks. The opaque nature of AI, as emphasized by the quote, "You can’t audit how AI thinks, but you can audit what it does," presents challenges for security professionals trying to maintain visibility and control. Finally, the trend of "Passwordless adoption moves from hype to habit" is also discussed, indicating a shift towards more secure authentication methods.

Tags: AI, Vulnerability, Infostealer, Auditing, Passwordless

Categories: Vulnerability Management, Artificial Intelligence Security, Data Security

Exploit Method: WSUS Vulnerability leading to Skuld Infostealer Deployment

Vulnerabilities: CVE-2025-59287

Exploited Software: WSUS

Affected Industries: Financial Sector

CRITICAL Vulnerabilities (1)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/...
EPSS: 9.4%    Percentile: 92%

Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491)

Published: 2025-10-31

A critical, unpatched Windows vulnerability, CVE-2025-9491 (aka ZDI-CAN-25373), is still being exploited by advanced persistent threat (APT) groups, some state-sponsored. The vulnerability, publicly disclosed in March 2025, involves “User Interface Misrepresentation of Critical Information (CWE-451)” allowing attackers to embed command line arguments in malicious LNK files. Arctic Wolf Labs attributes recent activity to UNC6384, citing “malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps.” In September and October 2025, UNC6384 targeted European diplomatic entities in Hungary, Belgium, Italy, and the Netherlands, as well as Serbian government aviation departments, using spearphishing emails. These emails contained URLs leading to malicious LNK files that exploit CVE-2025-9491. This exploitation leads to the execution of obfuscated PowerShell commands, ultimately deploying the PlugX remote access trojan (RAT) via DLL side-loading of legitimate Canon printer assistant utilities. According to Arctic Wolf, this execution flow results in "the deployment of PlugX malware running stealthily within a legitimate signed process, significantly reducing the likelihood of detection by endpoint security solutions." Microsoft, while aware of the vulnerability since September 2024, has stated that while Defender provides detections, they would consider addressing it in a future feature release.

Tags: CVE-2025-9491, ZDI-CAN-25373, APT, PlugX, Spearphishing, UNC6384, DLL Side-Loading, China, Windows

Categories: Vulnerability Management, Exploit, Threat Intelligence, Malware Analysis

Threat Actor: UNC6384

Exploit Method: LNK File Command Injection, DLL Side-Loading, Spearphishing with Malicious LNK files

Vulnerabilities: CVE-2025-9491

MITRE ATT&CK TTP: Spearphishing Link (T1192); Execution (TA0002): Exploitation for Client Execution (T1203); Execution (TA0002): Command and Scripting Interpreter (T1059); Defense Evasion (TA0005): Obfuscated Files or Information (T1027); Command and Control (TA0011): Ingress Tool Transfer (T1105)

Exploited Software: Windows, PlugX

Involved Countries: Hungary, Belgium, Italy, Netherlands, Serbia, North Korea, Iran, Russia, China

Affected Industries: Diplomatic, Aviation

HIGH Vulnerabilities (1)

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.26%    Percentile: 50%

OpenAI releases ‘Aardvark’ security and patching model

Published: 2025-10-31

OpenAI has released "Aardvark," a new AI model designed to automate vulnerability scanning, patching, and remediation. Currently in invite-only Beta, Aardvark uses ChatGPT-5 to continuously scan source code repositories for vulnerabilities, assess their severity, and propose patches. OpenAI claims Aardvark "does not rely on traditional program analysis techniques like fuzzing or software composition analysis," but instead uses "LLM-powered reasoning and tool-use to understand code behavior and identify vulnerabilities." The model can also develop threat models, sandbox vulnerabilities, and annotate problematic code. Aardvark has identified 92% of known and synthetically introduced vulnerabilities in internal repositories and has already discovered 10 vulnerabilities that received CVE entries. The tool will be available for free to open-source projects, and OpenAI plans to expand its use as detection, validation, and reporting capabilities are refined. The release reflects OpenAI’s aim to leverage AI for automated vulnerability management. While companies like XBOW have demonstrated success with AI security models, even identifying and fixing hundreds of vulnerabilities, concerns remain about the compute costs associated with running such models. OpenAI believes that "By catching vulnerabilities early, validating real-world exploitability, and offering clear fixes, Aardvark can strengthen security without slowing innovation."

Tags: AI, Vulnerability Scanning, Bug Bounty, Large Language Models, Patching, OpenAI, Aardvark

Categories: Vulnerability Management, Artificial Intelligence in Cybersecurity, Software Security

Exploit Method: Chaining low- and medium-impact flaws

Affected Industries: Software Development

Windows zero-day actively exploited to spy on European diplomats

Published: 2025-10-31

A China-linked hacking group, UNC6384 (Mustang Panda), is actively exploiting a Windows zero-day vulnerability (CVE-2025-9491) to spy on European diplomats. The attacks, initially focused on Hungarian and Belgian entities, have broadened to include Serbian government agencies and diplomatic entities from Italy and the Netherlands. The attack chain starts with spearphishing emails delivering malicious LNK files, often themed around diplomatic events such as NATO defense procurement workshops. According to Arctic Wolf Labs, the LNK files exploit CVE-2025-9491 to deploy the PlugX remote access trojan (RAT). Researchers "assess with high confidence that this campaign is attributable to UNC6384," citing "malware tooling, tactical procedures, targeting alignment, and infrastructure overlaps with previously documented UNC6384 operations." The vulnerability allows attackers to execute arbitrary code remotely by hiding malicious command-line arguments within .LNK shortcut files. Trend Micro analysts reported in March 2025 that CVE-2025-9491 was being widely exploited by multiple groups, including Evil Corp and APT43, with "diverse malware payloads and loaders like Ursnif, Gh0st RAT, and Trickbot." With no patch available, defenders are advised to restrict the use of LNK files.

Tags: Zero-Day Vulnerability, Spearphishing, PlugX RAT, UNC6384, Cyber Espionage, LNK Files, CVE-2025-9491, Diplomats

Categories: Vulnerability Exploitation, Malware Analysis, Threat Intelligence

Threat Actor: UNC6384, APT43, Evil Corp, Bitter, APT37, Mustang Panda, SideWinder, RedHotel, Konni

Actor Aliases: Mustang Panda, Kimsuky

Exploit Method: LNK File Command-Line Argument Injection

Vulnerabilities: CVE-2025-9491

MITRE ATT&CK TTP: Spearphishing Attachment (T1193); Execution (TA0002): Exploitation for Client Execution (T1203); Command and Control (TA0011): Ingress Tool Transfer (T1105); Initial Access (TA0001): Valid Accounts (T1078); Command and Control (TA0011): Application Layer Protocol (T1071)

Exploited Software: Windows LNK files

Involved Countries: China, Hungary, Belgium, Serbia, Italy, Netherlands

Affected Industries: Diplomatic Services, Government

HIGH Vulnerabilities (1)

CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.26%    Percentile: 50%

Clearview AI Hit with Criminal Complaint in Austria

Published: 2025-10-31

A criminal complaint has been filed in Austria against Clearview AI by the European Center for Digital Rights, noyb, alleging the company is ignoring rulings from EU data protection authorities (DPAs). Clearview AI, which provides facial recognition services and claims to have a database of over 60 billion images, has previously argued that GDPR should not apply because it has no presence in Europe. However, the Dutch DPA has stated that since the database includes data of European citizens, it must comply with EU law. According to noyb, "Article 84 GDPR also allows EU member states to foresee criminal sanctions for GDPR breaches," potentially leading to "jail time" for Clearview AI executives who could "be held personally liable, in particular if traveling to Europe." This action follows fines and bans imposed by authorities in the UK, Netherlands, Italy, and France dating back to 2021. Max Schrems, honorary chairman of noyb, stated, "Clearview AI seems to simply ignore EU fundamental rights and just spits in the face of EU authorities."

Tags: Clearview AI, Facial Recognition, GDPR, Data Protection Authority (DPA), Criminal Complaint, noyb

Categories: Data Privacy, Legal and Regulatory Compliance, Facial Recognition Technology

Threat Actor: Clearview AI

Exploit Method: GDPR Non-Compliance Leading to Data Misuse

Involved Countries: Austria, Netherlands, UK, France, Italy, Greece

Affected Industries: Intelligence and Investigative Services

ImmuniWeb Continuous now enables always-on, AI-powered security testing

Published: 2025-10-31

ImmuniWeb has launched an upgraded version of ImmuniWeb Continuous, providing "continuous penetration testing and 24/7 automated vulnerability scanning of web applications, APIs, and microservices." This solution targets organizations with numerous web applications across diverse environments, aiming to provide uninterrupted security testing, vulnerability detection, and prioritization. A key feature allows users to designate certain applications for manual testing by human experts, while others undergo continuous AI-powered scanning. According to ImmuniWeb, the service is supervised by their experts, alleviating concerns about misconfigured scans or delayed communication of security findings. The platform offers a centralized dashboard for application security findings, customizable testing configurations, and granular classification of findings. Dr. Ilia Kolochenko, Chief Architect & CEO at ImmuniWeb, states the new offering "brings a peace of mind to both cybersecurity professionals and software development teams, who finally get an assurance of continuous and holistic application security testing equipped with a smart prioritization of findings." This solution aims to provide comprehensive application visibility and real-time insights into corporate application security posture.

Tags: Vulnerability Scanning, Penetration Testing, Web Application Security, API Security, AI Powered Security

Categories: Application Security, Vulnerability Management, Software Security

Exploit Method: Uninterrupted Automated Vulnerability Scanning

Affected Industries: Technology

Update Chrome now: 20 security fixes just landed | Malwarebytes

Published: 2025-10-31

A recent Malwarebytes article highlights a critical Chrome update addressing 20 security flaws, with several classified as high severity. The vulnerabilities primarily reside within Chrome's V8 JavaScript engine, impacting an estimated 3.4 billion users. As the article states, "Staying unpatched means you could be open to an attack just by browsing the web." Attack methods involve exploiting flaws in JavaScript execution, potentially leading to "stolen data, malware infections, or even a full system compromise." Two notable vulnerabilities are CVE-2025-12428, a high-severity "type confusion" flaw in V8, and CVE-2025-12036, a critical remote code execution (RCE) vulnerability discovered by Google’s Big Sleep project. CVE-2025-12036 "allows remote code execution (RCE)—meaning an attacker could run code on your computer just by getting you to visit a specially crafted page." The update brings Chrome to version 142.0.7444.59/.60 for Windows, 142.0.7444.60 for MacOS and 142.0.7444.59 for Linux. Users of other Chromium-based browsers are also urged to anticipate similar updates soon. The article emphasizes the importance of prompt patching, either automatically or manually through Chrome's settings, to mitigate the risk of exploitation.

Tags: Chrome, Vulnerability, Patch, JavaScript, Remote Code Execution, CVE-2025-12428, CVE-2025-12036, Big Sleep

Categories: Vulnerability Management, Web Security, Software Security

Exploit Method: Remote Code Execution via Crafted Web Page

Vulnerabilities: CVE-2025-12428, CVE-2025-12036

MITRE ATT&CK TTP: Execution (TA0002): Exploitation for Client Execution (T1203); Initial Access (TA0001): Drive-by Compromise (T1189)

Exploited Software: Google Chrome, V8 JavaScript Engine

Involved Countries: United States

Affected Industries: Technology

Why password controls still matter in cybersecurity

Published: 2025-10-31

In late January 2024, "Russian hackers broke into Microsoft's systems," highlighting the continuing importance of password controls, even within advanced security environments. The article emphasizes that "passwords continue to be the primary way attackers move through corporate networks." Attackers exploit common vulnerabilities like "forgotten accounts and legacy systems" and predictable user behaviors, such as creating passwords with simple alterations. To combat these threats, the article recommends moving beyond basic complexity requirements to implement "intelligent, dynamic password management strategies." Suggested improvements include sophisticated banned password lists, nuanced password rotation strategies, and prioritizing password length and memorability. A staged approach to implementing password policies, beginning with an audit and followed by gradual implementation with training and support, is advised. Organizations should prioritize securing "privileged accounts, admin, service, and high-access logins," and implement multi-factor authentication as a critical defense. Furthermore, employing risk-based authentication can dynamically assess password change requests, enhancing security. The key takeaway is that "password security is not a one-time fix but an ongoing, ever-changing strategy."

Tags: Passwords, Password Policy, Multi-Factor Authentication, Vulnerability Scanning, Active Directory

Categories: Authentication, Vulnerability Management, Access Control

Threat Actor: Russian hackers

Exploit Method: Compromised Password Exploitation, Predictable Password Patterns

MITRE ATT&CK TTP: Initial Access (TA0001): Valid Accounts (T1078); Credential Access (TA0006): Unsecured Credentials (T1552)

Exploited Software: Microsoft, Windows Active Directory

Involved Countries: Russia

Affected Industries: Information Technology

CISA: High-severity Linux flaw now exploited by ransomware gangs

Published: 2025-10-31

CISA has confirmed that the high-severity Linux kernel vulnerability, CVE-2024-1086, is now being exploited in ransomware attacks. The vulnerability, a use-after-free weakness in the netfilter: nf_tables kernel component, allows attackers with local access to escalate privileges, potentially gaining root-level access. As Immersive Labs explains, potential impacts include "system takeover once root access is gained (allowing attackers to disable defenses, modify files, or install malware), lateral movement through the network, and data theft." A proof-of-concept exploit was published in March 2024 by 'Notselwyn', targeting Linux kernel versions between 5.14 and 6.6. The flaw impacts major Linux distributions like Debian, Ubuntu, Fedora, and Red Hat. CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and ordered federal agencies to patch by June 20, 2024. If patching is not possible, CISA advises admins to blocklist 'nf_tables', restrict access to user namespaces, or load the Linux Kernel Runtime Guard (LKRG) module. CISA stated, "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise."

Tags: Linux Kernel, Vulnerability, Privilege Escalation, Ransomware, CISA, CVE-2024-1086, Exploit, Mitigation

Categories: Vulnerability Management, Threat Intelligence, Incident Response

Exploit Method: CVE-2024-1086 Local Privilege Escalation

Vulnerabilities: CVE-2024-1086

MITRE ATT&CK TTP: Privilege Escalation (TA0004): Exploitation for Privilege Escalation (T1068); Defense Evasion (TA0005): Impair Defenses (T1562)

Exploited Software: Linux kernel

Involved Countries: United States

Affected Industries: Government

HIGH Vulnerabilities (1)

CVE-2024-1086    CVSS: 7.8
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 87.04%    Percentile: 99%
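As an added example (not code from the page, the feed, or CISA), the following POSIX shell script audits the interim workarounds the summary above lists for CVE-2024-1086 on a host that cannot be patched yet: whether nf_tables is blocklisted, whether unprivileged user namespaces are restricted, whether LKRG is loaded, and whether the running kernel falls in the 5.14 to 6.6 range the public PoC targeted. The modprobe.d path and the two sysctl names are assumptions about a Debian/Ubuntu-style host; the check functions take their inputs as arguments so they can be exercised with constructed values.

```shell
#!/bin/sh
# Added example: audit CISA's interim mitigations for CVE-2024-1086.
# Paths and sysctl names are assumptions (Debian/Ubuntu conventions).

# Return 0 when modprobe.d text blocklists nf_tables. A plain "blacklist" line only
# stops autoloading; an "install nf_tables /bin/false" stub also blocks explicit modprobe.
nf_tables_blocklisted() {
  printf '%s\n' "$1" | grep -Eq \
    '^[[:space:]]*(blacklist[[:space:]]+nf_tables[[:space:]]*$|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))'
}

# Return 0 when unprivileged users cannot create user namespaces.
# $1 = kernel.unprivileged_userns_clone (Debian/Ubuntu-specific sysctl, "" if absent)
# $2 = user.max_user_namespaces (mainline sysctl)
userns_restricted() {
  [ "$1" = "0" ] && return 0
  [ "$2" = "0" ] && return 0
  return 1
}

# Return 0 when a "major.minor[.patch][-suffix]" kernel version lies in 5.14 .. 6.6.
kernel_in_poc_window() {
  v=${1%%-*}; maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}
  [ "$maj" -eq 5 ] && [ "$min" -ge 14 ] && return 0
  [ "$maj" -eq 6 ] && [ "$min" -le 6 ] && return 0
  return 1
}

# Live audit of the current host; every probe tolerates a missing file or tool.
audit_host() {
  conf=$(cat /etc/modprobe.d/*.conf 2>/dev/null || true)
  if nf_tables_blocklisted "$conf"; then echo "nf_tables: blocklisted in modprobe.d"
  else echo "nf_tables: NOT blocklisted"; fi
  if lsmod 2>/dev/null | grep -q '^nf_tables '; then echo "nf_tables: currently loaded"; fi
  clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || true)
  maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
  if userns_restricted "$clone" "$maxns"; then echo "user namespaces: restricted"
  else echo "user namespaces: unprivileged creation allowed"; fi
  if lsmod 2>/dev/null | grep -q '^lkrg'; then echo "LKRG: loaded"; else echo "LKRG: not loaded"; fi
  if kernel_in_poc_window "$(uname -r)"; then
    echo "kernel $(uname -r): inside the 5.14-6.6 range the public PoC targeted"
  fi
}

# Run the live audit only when invoked as: sh check_cve_2024_1086.sh --live
if [ "${1:-}" = "--live" ]; then audit_host; fi
```

Restricting user namespaces and blocklisting nf_tables can break container runtimes and firewall tooling, so treat the output as a triage aid while the kernel update is scheduled.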