For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed is data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information. Recent bug fixes: 6/29/25 - resolved an issue where updates to the AI model caused objects instead of raw text in the TTP fields. Next feature: adding a pop-up evidence window to view decision evidence (why was x value chosen?) for the values of each article.

Lost iPhone? Don’t fall for phishing texts saying it was found

Published: 2025-11-09

The Swiss National Cyber Security Centre (NCSC) is warning iPhone users about a phishing scam targeting those who have lost their devices. Threat actors are sending SMS or iMessage texts, impersonating Apple's Find My service, claiming a lost iPhone has been found. According to the NCSC, "Once the initial panic has passed, most people are left hoping that someone honest will find it. But if scammers have your phone, they may try to exploit this hope." The messages include details like the phone model and color to appear legitimate; for example, "We are pleased to inform you that your lost iPhone 14 128GB Midnight has been successfully located." The messages contain a link to a fake Find My website designed to steal Apple ID credentials. By obtaining these credentials, the attackers aim to remove Apple's Activation Lock, which protects the device from being erased or resold. The NCSC advises users not to click on links in unsolicited messages or enter Apple ID details on external websites and recommends using a dedicated email address if displaying contact details on a lost device's lock screen. The NCSC emphasizes that Apple will never contact customers via SMS or email to report a found device.

Tags: Phishing, Smishing, Apple ID, Find My App, Activation Lock, NCSC

Categories: Phishing Awareness, Mobile Security, Identity Theft

Exploit Method: Phishing for Apple ID Credentials

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566), Spearphishing Link (T1192); Initial Access (TA0001): Valid Accounts (T1078)

Exploited Software: Apple ID

Involved Countries: Switzerland

Affected Industries: Technology

NAKIVO Introduces v11.1 with Upgraded Disaster Recovery and MSP Features

Published: 2025-11-09

NAKIVO has released Backup & Replication v11.1, focusing on enhanced disaster recovery and features for Managed Service Providers (MSPs). According to NAKIVO CEO Bruce Talley, "This release turns NAKIVO Backup & Replication into a core asset for businesses aiming to navigate the complexities of data protection and management." A key update is the multilingual interface, now supporting seven languages, including French, Italian, German, Polish, and Chinese. For Proxmox VE environments, v11.1 introduces "Flash VM Boot for instant operational recovery" and "VM Replication to maintain uptime and ensure rapid failover." The MSP Direct Connect feature simplifies connections between MSPs and clients, using encrypted communications to meet "rigorous security standards" without requiring open ports on the client side. Real-Time Replication for VMware VMs ensures "uninterrupted service and zero data loss" during outages through automated failover. The update also includes granular backup for physical machines, allowing for selected folder or volume backups to various locations with encryption and immutability options. This aims to provide faster and more flexible recovery of specific data.

Tags: Backup and Recovery, Disaster Recovery, Ransomware Protection, MSP (Managed Service Provider), Data Encryption, Virtualization

Categories: Data Protection, Data Management, Cloud Computing

Exploit Method: Unencrypted Data Transfer Over WAN; MSP Direct Connect Port Opening

MITRE ATT&CK TTP: Impact (TA0040): Data Encrypted for Impact (T1486); Command and Control (TA0011): Application Layer Protocol (T1071)

Involved Countries: United States

Dangerous runC flaws could allow hackers to escape Docker containers

Published: 2025-11-09

Three newly disclosed vulnerabilities in runC, the container runtime used by Docker and Kubernetes, could allow attackers to escape container isolation and access the host system. The vulnerabilities, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were disclosed by Aleksa Sarai. According to the article, "An attacker exploiting the vulnerabilities could obtain write access to the underlying container host with root privileges." The attack methods involve manipulating bind mounts and symlinks during container initialization to gain unintended write access to sensitive files on the host system, such as `/proc`. Specifically, CVE-2025-31133 involves replacing `/dev/null` with a symlink, while CVE-2025-52565 focuses on redirecting the `/dev/console` bind mount. CVE-2025-52881 can trick runC into performing writes to `/proc` that are redirected to attacker-controlled targets. Researchers at Sysdig noted that the vulnerabilities "require the ability to start containers with custom mount configurations," which is achievable through malicious container images or Dockerfiles. While there are no reports of active exploitation, Sysdig recommends monitoring for suspicious symlink behaviors. Mitigation strategies include activating user namespaces and using rootless containers.

Tags: runC, Docker, Kubernetes, Container Escape, Vulnerability, CVE-2025-31133, CVE-2025-52565, CVE-2025-52881, Privilege Escalation

Categories: Container Security, Vulnerability Management

Exploit Method: Container Escape via Custom Mount Configurations

Vulnerabilities: CVE-2025-31133, CVE-2025-52565, CVE-2025-52881

MITRE ATT&CK TTP: Privilege Escalation (TA0004): Exploitation for Privilege Escalation (T1068)

Exploited Software: runC

Affected Industries: Cloud Security

HIGH Vulnerabilities (2)

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/V...
EPSS: 0.01%    Percentile: 1%

Week in review: Cisco fixes critical UCCX flaws, November 2025 Patch Tuesday forecast

Published: 2025-11-09

This week's cybersecurity news includes critical vulnerabilities in Cisco's Unified Contact Center Express (UCCX). Cisco has released fixes for two critical flaws, "CVE-2025-20358, CVE-2025-20354 affecting Unified Contact Center Express (UCCX), which may allow attackers to bypass authentication, compromise vulnerable installations, and elevate privileges to root." Additionally, a spear-phishing campaign mirroring Sandworm TTPs targeted Russian and Belarusian military personnel. The campaign used military-themed documents as lures, with the "goal...to get targets to download and open a booby-trapped LNK file masquerading as a PDF, ultimately leading to a complete system compromise." In ransomware news, former negotiators were indicted for allegedly deploying ALPHV/BlackCat ransomware against US firms. Proofpoint researchers warned that cybercriminals are exploiting RMM tools to compromise logistics and trucking companies. Google has uncovered malware using LLMs to operate and evade detection, and Mandiant determined that a state-sponsored threat actor was behind the SonicWall cloud backup service hack.

Tags: Ransomware, Vulnerability, Phishing, AI, Open Source, Supply Chain Security, Authentication

Categories: Vulnerability Management, Threat Intelligence, Data Security, AI Security

Threat Actor: ALPHV/BlackCat ransomware affiliates; State-sponsored threat actor

Actor Aliases: Sandworm

Exploit Method: Spear-phishing campaign via booby-trapped LNK file; Compromising logistics/trucking companies via RMM tool installation; ClickFix malware infection via online store techniques

Vulnerabilities: CVE-2025-48703, CVE-2025-11371, CVE-2025-20358, CVE-2025-20354

MITRE ATT&CK TTP: Spearphishing Attachment (T1193); Initial Access (TA0001): Exploit Public-Facing Application (T1190); Impact (TA0040): Data Encrypted for Impact (T1486); Command and Control (TA0011): Ingress Tool Transfer (T1105); Initial Access (TA0001): Valid Accounts (T1078); Initial Access (TA0001): Phishing (T1566)

Exploited Software: Control Web Panel (CWP), Gladinet's CentreStack and Triofox, ALPHV/BlackCat ransomware, Cisco Unified Contact Center Express (UCCX), RMM tools

Involved Countries: Russia, Belarus, France, Belgium, Cyprus, Spain, Germany, North Korea, Iran, China, United States

Affected Industries: Military, Financial Services, Logistics, Retail, Healthcare

CRITICAL Vulnerabilities (3)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 55.44%    Percentile: 98%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 0.29%    Percentile: 52%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.1%    Percentile: 28%

MEDIUM Vulnerabilities (1)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
EPSS: 29.32%    Percentile: 96%

Still on Windows 10? Enroll in free ESU before next week’s Patch Tuesday

Published: 2025-11-08

With Windows 10 end-of-life passed on October 14, 2025, BleepingComputer urges users still on the OS to enroll in Microsoft's Extended Security Updates (ESU) program before next week's Patch Tuesday. "For those who are unable to upgrade to Windows 11," ESUs provide continued security updates for a limited time. Consumers can receive updates for an additional year for $30, by backing up their settings, or by redeeming 1,000 Microsoft reward points. Users in the European Economic Area can receive ESU for free simply by logging into Windows 10 with a Microsoft account, or pay $30 to continue using a local account. Enterprise customers can utilize the ESU program for up to three years at a cost of $427 per device. The article highlights the importance of these updates, citing the October 2025 Patch Tuesday fix for an actively exploited "Windows Agere Modem Driver elevation of privileges vulnerability tracked as CVE-2025-24990," which could be leveraged by malware or threat actors. The article provides a step-by-step guide to enroll in the ESU program via Windows Update.

Tags: Windows 10, Extended Security Updates (ESU), Patch Tuesday, Vulnerability, Microsoft

Categories: Vulnerability Management, Patch Management, Operating System Security

Exploit Method: Elevation of Privileges via Windows Agere Modem Driver

Vulnerabilities: CVE-2025-24990

MITRE ATT&CK TTP: Privilege Escalation (TA0004): Exploitation for Privilege Escalation (T1068)

Exploited Software: Windows Agere Modem Driver, Windows 10

Involved Countries: European Economic Area

Affected Industries: Technology

HIGH Vulnerabilities (1)

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/...
EPSS: 3.04%    Percentile: 86%

GlassWorm malware returns on OpenVSX with 3 new VSCode extensions

Published: 2025-11-08

The GlassWorm malware campaign has resurfaced on the OpenVSX marketplace with three new malicious VSCode extensions after initially impacting both OpenVSX and Visual Studio Code last month. According to Koi Security, the extensions, "ai-driven-dev.ai-driven-dev," "adhamu.history-in-sublime-merge," and "yasuyuky.transient-emacs," have collectively been downloaded over 10,000 times. The malware employs the same obfuscation tactic using "invisible Unicode characters" to hide malicious JavaScript code designed to steal credentials for GitHub, NPM, OpenVSX, and cryptocurrency wallets. GlassWorm leverages Solana transactions to fetch its payload. Koi Security gained access to the attackers' server and discovered that the operators are "Russian-speaking" and utilize the RedExt open-source C2 browser extension framework. The malware's reach is global, affecting systems in the United States, South America, Europe, Asia, and even a government entity in the Middle East. Koi Security states that the operators "weren't deterred by last month's exposure" and have pivoted back to OpenVSX, demonstrating an intent to resume operations across multiple platforms. So far, they have identified "60 distinct victims", but this is likely just a partial list. The malicious extensions remain available for download.

Tags: Malware, Supply Chain Attack, VSCode, OpenVSX, Credential Theft, Cryptocurrency, Obfuscation, JavaScript

Categories: Threat Intelligence, Vulnerability Management, Software Security

Threat Actor: GlassWorm Operators

Actor Aliases: GlassWorm

Exploit Method: Unicode Character Obfuscation; Solana Transaction Payload Delivery

MITRE ATT&CK TTP: Defense Evasion (TA0005): Obfuscated Files or Information (T1027); Command and Control (TA0011): Application Layer Protocol (T1071); Initial Access (TA0001): Valid Accounts (T1078)

Exploited Software: ai-driven-dev.ai-driven-dev, adhamu.history-in-sublime-merge, yasuyuky.transient-emacs, OpenVSX

Involved Countries: United States, Middle East, Russia

Affected Industries: Cryptocurrency Exchanges, Software Development

Mozilla fellow Esra'a Al Shafei watches the watchers • The Register

Published: 2025-11-08

Digital rights activist and Mozilla Fellow Esra'a Al Shafei, a victim of FinFisher spyware over a decade ago, is now fighting back with Surveillance Watch, an interactive map documenting the surveillance industry. As Al Shafei states, "You cannot resist what you do not know, and the more you know, the better you can protect yourself and resist against the normalization of mass surveillance today." The project has grown to track 695 spyware and surveillance entities including NSO Group (Pegasus), Cytrox (Predator), Palantir, and even LexisNexis. Al Shafei notes regarding LexisNexis' Accurint, "People think of LexisNexis and academia...They don't immediately draw the connection to their product called Accurint, which collects data from both public and non-public sources and offers them for sale, primarily to government agencies and law enforcement." The project also tracks investors like AE Industrial Partners and In-Q-Tel. Al Shafei emphasizes the global nature of surveillance, saying, "Surveillance is a global trade. It's not just being used in Iran, China, North Korea." FinFisher, which infected Al Shafei's device via a fake Firefox update, granted attackers remote access, keylogging, and real-time monitoring capabilities.

Threat Actor: Gamma Group, NSO Group, Cytrox, Paragon

Actor Aliases: FinSpy, Pegasus, Predator, Graphite

Exploit Method: FinFisher (FinSpy) Installation via Fake Firefox Update; Graphite spyware exploitation of compromised smartphones

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Execution (TA0002): Exploitation for Client Execution (T1203); Collection (TA0009): Input Capture (T1056)

Exploited Software: FinFisher, Pegasus, Predator, Graphite

Involved Countries: US, UK, Israel, Iran, China, North Korea

Affected Industries: Law Enforcement, Government, Technology

Postman expands platform with features for building AI-ready APIs

Published: 2025-11-07

Postman has released updates to its platform aimed at helping organizations build "AI-ready APIs." According to Postman's 2025 State of the API Report, "fewer than 40% of organizations enforce centralized governance standards," and many internal APIs lack consistent documentation, hindering AI agents. Balaji Raghavan, Head of Engineering at Postman, stated, "Enterprises are realizing that their APIs are not yet AI-ready." The updates focus on governance, automation, and observability to make APIs safe and reliable for both humans and AI systems. Key enhancements include "Spec Hub," designed as a governance backbone with features like bidirectional spec sync and governance reporting. Also included are Pipeline-native validation through Private API Runners and On-Demand Monitors, extending Postman’s testing framework to deployment. New integrations with Slack and Microsoft Teams aim to improve visibility and response times. Additionally, Runner Management provides visibility into API test automation activity. These updates are designed to establish Postman as "the enterprise control plane for the modern API ecosystem," ensuring that APIs are trustworthy for AI systems.

Tags: API Security, API Governance, AI-ready APIs, API Testing, API Observability

Categories: API Management, Artificial Intelligence (AI) Integration, DevOps

Exploit Method: Lack of Centralized API Governance leading to Untrustworthy APIs

Affected Industries: Technology

Microsoft's data sovereignty: Now with extra sovereignty! • The Register

Published: 2025-11-07

Microsoft is again emphasizing data sovereignty in Europe, despite acknowledging earlier this year that it couldn't guarantee data wouldn't be transmitted to the US government under the CLOUD Act if legally required. This renewed focus follows heightened geopolitical tensions and increased scrutiny since President Trump's return to power. To address customer concerns, Microsoft is touting new features, including end-to-end AI data processing within the EU Data Boundary and in-country processing for Microsoft 365 Copilot interactions in select countries. According to Mark Boost, CEO of Civo, "Microsoft's latest sovereign cloud announcement highlights how blurred the language around 'sovereignty' has become…this is really about data residency, not true sovereignty." Frank Karlitschek, CEO and founder of Nextcloud, called these efforts "sovereignty washing," arguing that "only open source software prevents dependencies on individual providers and allows independent security audits." The growing mistrust of US hyperscalers is palpable, with data sovereignty becoming a primary concern for European customers; salespeople from the big three (Microsoft, AWS and Google) are constantly asked about it in conversations with European customers. Thierry Carrez, general manager, OpenInfra Foundation, said US hyperscalers like Microsoft are "trying to find a mix of technical solutions and legal engineering to isolate their EU products from potential demands from the US government (including but not limited to the CLOUD act)."

Tags: Data Sovereignty, CLOUD Act, Microsoft, EU Data Boundary, Sovereignty Washing

Categories: Cloud Security, Data Privacy, Compliance

Exploit Method: CLOUD Act Data Access; Sovereignty Washing

Involved Countries: US, Europe, UK, Germany, Sweden, Australia, India, Japan, United Arab Emirates, South Africa, Netherlands, France

Affected Industries: Cloud Computing, Technology

In memoriam: David Harley

Published: 2025-11-07

The cybersecurity community mourns the loss of David Harley, a respected figure who passed away at 76. Harley, a former ESET Senior Research Fellow until his retirement in 2018, made significant contributions to the field, spanning from early computer viruses to modern ransomware. His unique background in languages, social sciences, and computer science gave him a keen understanding of the "human" element in cybersecurity vulnerabilities. According to ESET Vice President of Government Affairs Andrew Lee, Harley was a "fountain of knowledge." Harley's work encompassed malware trend analysis and antimalware product testing standards. He was a prolific author and speaker, viewing these activities as "an extension of research and an opportunity to connect with peers and, indeed, anyone else committed to making the internet a safer place for everyone." His former colleagues also remember him as a "meticulous wordsmith who left a lasting mark on the field and all those who worked with him," according to ESET Research Fellow Bruce P. Burrell. Harley's insights into the psychology of cybercrime remain highly relevant.

Tags: David Harley, Cybersecurity Pioneer, ESET, Human Vulnerabilities, Malware Analysis

Categories: Cybersecurity History, Industry News

Exploit Method: Social Engineering/Human Vulnerability

Affected Industries: Cybersecurity
