
infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed stays data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information.

Ivanti patches Connect Secure zero-day exploited since mid-March

Published: 2025-04-03

Ivanti recently patched a critical zero-day vulnerability, CVE-2025-22457, in its Connect Secure product, exploited since at least mid-March 2025 by the China-linked espionage group UNC5221. The vulnerability, a stack-based buffer overflow, allows remote code execution without authentication. Ivanti initially dismissed it as non-exploitable, stating, "it was evaluated and determined not to be exploitable as remote code execution." However, following active exploitation, they released a patch (22.7R2.6) on February 11, 2025. Mandiant and Google's Threat Intelligence Group (GTIG) reported that UNC5221 deployed TRAILBLAZE and BRUSHFIRE malware after exploiting the flaw. Mandiant noted that UNC5221 likely "studied the patch...and uncovered...it was possible to exploit 22.7R2.5 and earlier." This follows UNC5221's history of targeting Ivanti appliances: the group previously exploited other zero-days, including CVE-2025-0282, and impacted MITRE Corporation in 2024. Ivanti advises users to update to 22.7R2.6 immediately and to monitor their Integrity Checker Tool (ICT). While patches for ZTA and Ivanti Policy Secure are forthcoming, Ivanti states it is "not aware of any exploitation" against these. Ivanti CSO Daniel Spicer emphasized the company's commitment to providing information to defenders and highlighted that customers running supported versions have "significantly reduced risk."

Tags: Zero-Day Exploit, Remote Code Execution (RCE), Buffer Overflow, Espionage, Malware Deployment

Categories: Vulnerability Management, Threat Intelligence, APT Activity

Threat Actor: UNC5221

Exploit Method: UNC5221 Exploit Chain (CVE-2023-46805 & CVE-2024-21887), UNC5221 Exploit (CVE-2025-0282), Sophisticated Exploit of CVE-2025-22457

Vulnerabilities: CVE-2025-22457 CVE-2025-0282 CVE-2023-46805 CVE-2024-21887

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Execution (TA0002): Exploitation for Client Execution (T1203); Lateral Movement (TA0008): Remote Services (T1021)

Exploited Software: Ivanti Connect Secure, Ivanti Policy Secure, Pulse Connect Secure

Involved Countries: China

Affected Industries: Network Security, Information Technology (IT)

CRITICAL Vulnerabilities (3)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 90.87%    Percentile: 100%
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 94.42%    Percentile: 100%

HIGH Vulnerabilities (1)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 94.4%    Percentile: 100%

Disclosure Drama Clouds CrushFTP Vulnerability Exploitation

Published: 2025-04-03

A critical authentication bypass vulnerability (CVE-2025-31161) in CrushFTP file transfer server software has been exploited in the wild, impacting an unspecified number of customers. The incident is clouded by a dispute over CVE assignment. Shadowserver Foundation reported 1,512 vulnerable instances on March 31st, with exploitation attempts using a proof-of-concept (PoC) exploit published after premature disclosure. CrushFTP CEO Ben Spink criticized VulnCheck, a CVE Numbering Authority, for assigning CVE-2025-2825 before the official CVE, claiming this "hijacked" the disclosure process and enabled rapid exploitation. Spink stated in an email to VulnCheck, "Your reputation will go down if you do not voluntarily remove your fake item." VulnCheck CTO Jacob Baines defended their actions, citing their role in informing the security community. ProjectDiscovery and Rapid7 independently published research, including PoCs, based on analysis of the patch. Outpost24, who initially discovered the flaw, also criticized VulnCheck for not coordinating disclosure, emphasizing the importance of their 90-day responsible disclosure timeline. The vulnerability, which allows attackers to bypass authentication via an exposed HTTP(S) port and carries a CVSS score of 9.8, highlights the risks of premature vulnerability disclosure and the need for coordinated, responsible disclosure practices. CrushFTP advises users to update to version 11.3.1 or enable the DMZ function as a workaround.

Tags: Vulnerability Disclosure, CVE, Authentication Bypass, Exploitation

Categories: Vulnerability Management, Threat Intelligence

Exploit Method: Proof-of-Concept Exploit for CVE-2025-2825 (and potentially CVE-2025-31161)

Vulnerabilities: CVE-2025-2825 CVE-2025-31161

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Execution (TA0002): Exploitation for Client Execution (T1203); Command and Control (TA0011): Non-Application Layer Protocol (T1095)

Exploited Software: CrushFTP

Affected Industries: File Transfer Software, Cybersecurity

CRITICAL Vulnerabilities (2)

Beware fake AutoCAD, SketchUp sites dropping malware

Published: 2025-04-03

Kaspersky researchers warn of a malicious campaign distributing the TookPS downloader and Lapmon and TeviRat backdoors via fake websites mimicking legitimate software download sites. These sites impersonate popular applications including AutoCAD, SketchUp, UltraViewer, Ableton, and Quicken. The attack method involves enticing users to download pirated software from these fraudulent sites, leading to malware infections. According to Kaspersky, "To protect against these attacks, users are advised to remain vigilant and avoid downloading pirated software, which may represent a serious threat." The impact of a successful attack could include data breaches, system compromise, and potential financial losses. Organizations are urged to implement robust security policies prohibiting downloads from untrusted sources and to conduct regular security awareness training for employees to mitigate the risk. Kaspersky has released indicators of compromise to assist in detection and prevention efforts. No specific victims were named in the article.

Tags: Malware, Phishing, Software Supply Chain Attack

Categories: Cybercrime, Threat Intelligence

Actor Aliases: TookPS, Lapmon, TeviRat

Exploit Method: Malicious Website Impersonation

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Initial Access (TA0001): Drive-by Compromise (T1189); Initial Access (TA0001): Phishing (T1566)

Exploited Software: UltraViewer, AutoCAD, SketchUp

Affected Industries: Software Industry

Counterfeit Phones Carrying Triada Malware

Published: 2025-04-03

Counterfeit Android phones are being sold with pre-installed Triada malware, a sophisticated remote access Trojan (RAT). First discovered in 2016 by Kaspersky Lab, Triada has evolved, now hiding within the firmware of these devices. According to Kaspersky, "More than 2,600 users in different countries, most of them in Russia, have encountered the new version of Triada." This allows attackers to steal data from banking and communication apps, exfiltrate data via algorithmically generated hostnames, and perform other malicious actions, as noted by Darktrace cyber analyst Justin Torres, who highlighted the malware's use of "sophisticated methods" to evade detection. The malware's presence in the system framework means it infects every process on the compromised smartphone. Dmitry Kalinin of Kaspersky Lab suspects a supply chain compromise, stating, "Probably, at one stage the supply chain is compromised, so stores may not even suspect that they are selling smartphones with Triada." The impact includes theft of user accounts, cryptocurrency, and the potential for extensive monitoring of victim activity. This highlights the significant threat posed by counterfeit electronics and the need for robust supply chain security measures.

Tags: Android Malware, Supply Chain Compromise, Remote Access Trojan (RAT), Data Exfiltration

Categories: Mobile Security, Supply Chain Security

Threat Actor: Triada Malware Authors

Exploit Method: Triada RAT Exploit

MITRE ATT&CK TTP: Initial Access (TA0001): Supply Chain Compromise (T1195); Defense Evasion (TA0005): Obfuscated Files or Information (T1027); Lateral Movement (TA0008): Remote Services (T1021)

Exploited Software: Android

Involved Countries: Russia

Affected Industries: Mobile Phone Manufacturing, Banking, Telecommunications

Cybersecurity ROI: How Threat Intelligence Reduces Business & Brand Risk

Published: 2025-04-03

Recorded Future's 2025 ROI Report highlights the significant return on investment (ROI) achieved by organizations utilizing their threat intelligence platform. The report, based on surveys of over 280 customers, reveals substantial benefits across various areas. One key finding is a 51% increase in efficiency in taking down typosquatting instances, a technique used in phishing attacks. Joe Azzouggagh, Manager of Trust and Safety at ruby, reported a "100% improvement in brand protection" thanks to early risk identification and automation. Financially, the report cites average monthly cyber insurance premium savings of $2,497, with Cummins achieving a 32% year-over-year reduction. Minimizing downtime from attacks, valued at approximately $19,025 monthly for a billion-dollar company, is another key benefit. Furthermore, the platform helps mitigate payment fraud, with a Senior Information Security Analyst at Jefferson Bank noting potential savings of "$1,000-2,000 depending on the customer or situation." Overall, customers reported a 209.4% ROI on business risk reduction alone, and a combined 351.3% ROI when including productivity improvements. The report emphasizes a structured approach to threat intelligence implementation, focusing on critical assets and automating responses. The conclusion is clear: investing in threat intelligence is not just a security measure, but a business imperative with measurable returns.

Tags: Threat Intelligence, Return on Investment (ROI), Cybersecurity Risk Reduction, Brand Protection, Cyber Insurance

Categories: Threat Intelligence Platforms, Financial Risk Management, Cybersecurity Operations

Exploit Method: Typosquatting

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Spearphishing Link (T1192)

Affected Industries: Financial Services, Food and Staples Retailing

Texas State Bar warns of data breach after INC ransomware claims attack

Published: 2025-04-03

The State Bar of Texas, the second-largest bar association in the US, suffered a data breach between January 28th and February 9th, 2025, discovered on February 12th. The incident, claimed by the INC ransomware gang on their dark web extortion page on March 9th, resulted in unauthorized access to the organization's network. According to a notification letter, "Through the investigation, we determined that there was unauthorized access to our network between January 28, 2025 and February 9, 2025… the unauthorized actor was able to take certain information from our network." The stolen data included full names and other information, with samples of allegedly stolen legal case documents already leaked by INC. While the exact methods aren't specified, the breach impacts over 100,000 licensed attorneys. The State Bar is offering affected members free credit and identity theft monitoring through Experian until July 31st, 2025, and recommends credit freezes or fraud alerts. The extent to which leaked data was private or publicly available remains unverified.

Tags: Data Breach, Ransomware Attack, INC Ransomware

Categories: Cybersecurity Incident Response, Data Loss Prevention

Threat Actor: INC ransomware gang

Exploit Method: INC Ransomware Attack

MITRE ATT&CK TTP: Impact (TA0040): Data Encrypted for Impact (T1486); Initial Access (TA0001): Valid Accounts (T1078); Spearphishing Attachment (T1193)

Involved Countries: United States

Affected Industries: Legal Services

Hacker Claims Twilio's SendGrid Data Breach, Selling 848,000 Records

Published: 2025-04-03

A hacker using the alias "Satanic" claims responsibility for a significant data breach affecting SendGrid, a Twilio-owned email delivery platform. Satanic, active on Breach Forums, offers 848,960 allegedly stolen records for $2,000, boasting: "We would like to announce the breach of the largest Email Hosting Provider – SendGrid." The sample data, analyzed by Hackread.com, includes extensive customer and company information from entities such as Bank of America, Bazaarvoice, and the BBC. This goes beyond basic contact details, encompassing web analytics, internal email addresses of high-level staff, phone numbers, geolocation data, and backend technology insights. This isn't Satanic's first major breach; they were previously linked to the Tracelo incident (1.4 million user data leak) and distribute infostealer logs. Twilio has faced previous data exposures, including a ShinyHunters leak of 33 million Twilio Authy phone numbers and a separate breach exposing 12,000 call records. While Twilio hasn't confirmed this SendGrid breach, the sample data's detail and Satanic's history warrant investigation by affected organizations. The potential impact is significant, given the sensitive nature and volume of the allegedly compromised data.

Threat Actor: Satanic

Actor Aliases: Satanic

Exploit Method: Data Breach of SendGrid, Data Breach of Tracelo, Distribution of Infostealer Logs via Telegram

MITRE ATT&CK TTP: Initial Access (TA0001): Cloud Accounts (T1078.004); Initial Access (TA0001): Valid Accounts (T1078)

Exploited Software: SendGrid, Twilio Authy

Affected Industries: Email Hosting/Cloud Computing, Financial Services, Technology (Software/SaaS), Media

ABB ACS880 Drives Containing CODESYS RTS | CISA

Published: 2025-04-03

The Cybersecurity and Infrastructure Security Agency (CISA) issued an advisory (ICSA-25-093-03) on April 3, 2025, regarding vulnerabilities in ABB ACS880 drives using CODESYS Runtime. These vulnerabilities, impacting multiple CODESYS product versions, allow an authenticated attacker to trigger them with crafted network communication requests. The advisory details several CVEs, including CVE-2022-4046 (CVSS 8.8) which, if successfully exploited, could grant an attacker full device access. Other CVEs (CVE-2023-37545 through CVE-2023-37559; CVSS 6.5 each) could lead to denial-of-service (DoS) conditions. The attacks involve "specific crafted network communication requests with inconsistent content" causing components such as CmpApp, CmpAppForce, and CmpAppBP to read from invalid addresses or overwrite buffers. ABB has released fixed product versions and recommends several cybersecurity practices, including those detailed in CISA's ICS-TIP-12-146-01B. While no public exploitation has been reported to CISA, the potential impact includes complete system compromise or disruption due to DoS. ABB is the victim, and the threat actors are unspecified. CISA urges organizations to implement defensive measures and report suspected malicious activity.

Tags: Vulnerability Disclosure, Denial-of-Service, ABB CODESYS, Industrial Control Systems (ICS)

Categories: Vulnerability Management, Industrial Control System Security

Vulnerabilities: CVE-2023-37559 CVE-2023-37558 CVE-2023-37557 CVE-2023-37556 CVE-2023-37555 CVE-2023-37554 CVE-2023-37553 CVE-2023-37552 CVE-2023-37550 CVE-2023-37549 CVE-2023-37548 CVE-2023-37547 CVE-2023-37546 CVE-2023-37545 CVE-2022-4046

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Initial Access (TA0001): Valid Accounts (T1078)

Exploited Software: CODESYS Runtime

Involved Countries: United States

Affected Industries: Industrial Control Systems (ICS)

A bizarre iOS 18.4 bug is surprising iPhone users with random app installs | ZDNET

Published: 2025-04-03

A concerning iOS 18.4 bug is causing unexpected app installations on iPhones. Multiple Reddit threads and Apple support forum posts detail the issue, with users reporting the automatic installation of games like "Squid Game" and "Cooking Mama," or the reappearance of previously deleted apps such as "Last War Survival." One user, MoistCombination1991, stated, "this Chinese game install itself automatically" after updating. Another, curry126, noted that "Cooking Mama shows 'Get' instead of the redownload button," indicating the app wasn't previously purchased. MildAndClassic bluntly summarized the experience as feeling like "using some cheap Chinese mobile where after software update some random application installed in my phone for no reason." While the cause remains unknown, the article suggests it's an Apple error. Although not malicious, the incident highlights a significant security lapse for a company emphasizing security, prompting concerns about potential future vulnerabilities. The advice given is to simply delete the unwanted apps.

Tags: iOS_18.4_Bug, Unexpected_App_Installation, Apple_Software_Issue

Categories: Software_Bug_Analysis, Mobile_Security_Incident

Exploit Method: Unauthorized Application Installation

MITRE ATT&CK TTP: Initial Access (TA0001): Valid Accounts (T1078)

Exploited Software: iOS 18.4

Involved Countries: China

Affected Industries: Gaming

Ivanti VPN customers targeted via unrecognized RCE vulnerability (CVE-2025-22457)

Published: 2025-04-03

A suspected Chinese APT group, tentatively labeled UNC5221, exploited a previously underestimated buffer overflow vulnerability (CVE-2025-22457) in Ivanti Connect Secure (ICS) versions 22.7R2.5 and earlier, and Pulse Connect Secure 9.1x. Mandiant (Google) researchers revealed the attackers "uncovered through a complicated process, [that] it was possible to exploit 22.7R2.5 and earlier to achieve remote code execution." This vulnerability, patched in ICS 22.7R2.6 on February 11, 2025, allowed remote code execution. UNC5221, known for exploiting zero-days in Ivanti solutions (CVE-2025-0282, CVE-2023-46805, CVE-2024-21887) and Citrix (CVE-2023-4966), deployed new malware: TRAILBLAZE and BRUSHFIRE, alongside SPAWN ecosystem components (SPAWNSLOTH, SPAWNSNARE, SPAWNWAVE). "The earliest evidence of observed CVE-2025-22457 exploitation occurred in mid-March 2025," according to Google. Ivanti advises affected customers to upgrade to ICS 22.7R2.6 or later, or contact them for Pulse Connect Secure 9.x migration assistance. Google recommends monitoring for web server crashes, investigating ICT statedump files, and detecting anomalies in client TLS certificates. The impact includes potential data breaches and system compromise for a "limited" number of Ivanti VPN customers. Ivanti stated that "[CVE-2025-22457]...was evaluated and determined not to be exploitable as remote code execution," highlighting the potential for underestimated vulnerabilities.

Tags: APT_Attack, Zero-Day_Exploit, VPN_Vulnerability, Malware_Analysis, Buffer_Overflow

Categories: Vulnerability_Exploitation, Incident_Response

Threat Actor: UNC5221

Vulnerabilities: CVE-2025-22457 CVE-2025-0282 CVE-2023-46805 CVE-2024-21887 CVE-2023-4966

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Command and Control (TA0011): Ingress Tool Transfer (T1105); Impact (TA0040): Data Encrypted for Impact (T1486); Defense Evasion (TA0005): Obfuscated Files or Information (T1027)

Exploited Software: Ivanti Connect Secure, Pulse Connect Secure

Involved Countries: China

Affected Industries: VPN and Network Security

CRITICAL Vulnerabilities (3)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 90.87%    Percentile: 100%
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS: 94.42%    Percentile: 100%

HIGH Vulnerabilities (2)

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 94.4%    Percentile: 100%
CVE-2023-4966 CVSS: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 93.5%    Percentile: 100%