For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed stays data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information. Recent bug fixes: 6/29/25 - resolved an issue where updates to the AI model caused objects instead of raw text in the TTP fields. Next feature: adding a pop-up evidence window to view decision evidence (why was x value chosen?) for the values of each article.

Cloudflare open-sources Orange Meets with End-to-End encryption

Published: 2025-06-29

Cloudflare has open-sourced "Orange Meets," its video calling application, now featuring end-to-end encryption (E2EE). As stated in the article, "users interested in strong cryptographic assurances can explore Orange Meets as a foundation for secure video calling in research or prototyping contexts." The application, initially a demo for Cloudflare Calls (now Realtime), implements E2EE using Messaging Layer Security (MLS), an IETF-standardized group key exchange protocol. A "Designated Committer Algorithm" handles dynamic group membership changes securely. To prevent "Monster-in-the-Middle" (MitM) attacks, each session displays a "safety number" for participants to verify outside the platform. Cloudflare formally modeled the Designated Committer Algorithm in TLA+ to mathematically verify its behavior. While offering strong cryptographic assurances, the article emphasizes that "Orange Meets is more of a technical showcase and open-source prototype than a polished consumer product." It is geared towards developers interested in MLS integration and cryptography, as well as researchers evaluating MLS implementations rather than being a direct competitor to Zoom or similar platforms.

Tags: End-to-End Encryption, Open-Source, MLS (Messaging Layer Security), WebRTC, Cryptography, TLA+

Categories: Cryptography, Application Security, Privacy Enhancing Technologies

Exploit Method: Monster-in-the-Middle (MitM) Attack

Affected Industries: Technology

Week in review: Backdoor found in SOHO devices running Linux, high-risk WinRAR RCE flaw patched

Published: 2025-06-29

This week's cybersecurity news highlights several critical vulnerabilities and emerging threats. SecurityScorecard's STRIKE team discovered a "stealthy backdoor" in SOHO devices running Linux, naming the compromised network "LapDogs." A high-risk remote code execution (RCE) vulnerability, CVE-2025-6218, was patched in WinRAR, requiring users to update immediately to prevent attackers from executing arbitrary code. Citrix also addressed a critical vulnerability, CVE-2025-5777, in NetScaler ADC and NetScaler Gateway, similar to the CitrixBleed flaw. Furthermore, SonicWall warned of a trojanized SSL-VPN NetExtender application used to steal VPN credentials through lookalike websites. The CoinMarketCap and CoinTelegraph websites were compromised to deliver phishing pop-ups, attempting to drain cryptocurrency wallets. New hires are particularly vulnerable to phishing attacks, with "71% of new hires click[ing] on phishing emails within 3 months," according to Keepnet. Finally, Incogni reported that major AI platforms like Meta, Google, and Microsoft are sharing user data with third parties, raising privacy concerns.

Tags: Vulnerability, Patch, Phishing, Malware, Security Updates, Cybersecurity Jobs, FIDO Security Keys

Categories: Vulnerability Management, Threat Intelligence, Security Awareness

Threat Actor: Money Mule Operators, The Actors behind the Trojanized SonicWall NetExtender App

Exploit Method: Trojanized SonicWall NetExtender App, CoinMarketCap and Cointelegraph Phishing Pop-ups, ClickFix Attack

Vulnerabilities: CVE-2025-6218, CVE-2025-49144, CVE-2025-5777

MITRE ATT&CK TTP: Initial Access (TA0001) Exploit Public-Facing Application (T1190); Initial Access (TA0001) Phishing (T1566); Defense Evasion (TA0005) Obfuscated Files or Information (T1027); Initial Access (TA0001) Valid Accounts (T1078)

Exploited Software: WinRAR, Notepad++ installer, SonicWall NetExtender, CoinMarketCap, Cointelegraph, Citrix NetScaler ADC and NetScaler Gateway, SOHO devices running Linux

Involved Countries: Switzerland, United States

Affected Industries: Healthcare, Critical Infrastructure, Industrial, Financial

CRITICAL Vulnerabilities (1)

CVE-2025-5777 (CVSS: 9.3)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/V...
EPSS: 0.06%    Percentile: 17%

Bluetooth flaws could let hackers spy through your microphone

Published: 2025-06-29

ERNW researchers disclosed three vulnerabilities in Airoha systems on a chip (SoCs), widely used in True Wireless Stereo (TWS) earbuds, potentially allowing attackers to "hijack the connection between the mobile phone and an audio Bluetooth device and use the Bluetooth Hands-Free Profile (HFP) to issue commands to the phone." The affected devices span 29 products from vendors like Beyerdynamic, Bose, Sony, Marshall, Jabra, JBL, Jlab, EarisMax, MoerLabs, and Teufel. The vulnerabilities, CVE-2025-20700, CVE-2025-20701 (both medium severity), and CVE-2025-20702 (high severity), involve missing authentication for GATT services and Bluetooth BR/EDR, and critical capabilities of a custom protocol. Exploitation could enable attackers within Bluetooth range to extract call history and contacts, initiate calls, and "successfully eavesdrop on conversations or sounds within earshot of the phone." Researchers demonstrated reading currently playing media from targeted headphones. While requiring "a high technical skill set" and close physical proximity, the vulnerabilities pose a risk to high-value targets. Airoha has released an updated SDK with mitigations, and manufacturers have begun patch distribution. However, updates for many devices are lagging behind the SDK release. Researchers note that while the attacks are technically serious, "real attacks are complex to perform."

Tags: Bluetooth, Vulnerability, Eavesdropping, Headphones, Firmware, CVE, Patch Management

Categories: Vulnerability Management, IoT Security, Data Security

Exploit Method: Eavesdropping and Call Initiation, Reading Currently Playing Media, Hijacking Bluetooth connection and issuing commands

Vulnerabilities: CVE-2025-20700, CVE-2025-20701, CVE-2025-20702

MITRE ATT&CK TTP: Lateral Movement (TA0008) Exploitation of Remote Services (T1210); Initial Access (TA0001) Valid Accounts (T1078)

Exploited Software: Airoha systems on a chip (SoCs), Bluetooth Hands-Free Profile (HFP)

Involved Countries: Germany

Affected Industries: Consumer Electronics

Facebook’s New AI Tool Asks to Upload Your Photos for Story Ideas, Sparking Privacy Concerns

Published: 2025-06-28

Meta's Facebook is testing a new AI tool that prompts users to upload photos from their devices, including those not directly uploaded to Facebook, to generate story ideas. This has sparked privacy concerns. The pop-up message states, "To create ideas for you, we'll select media from your camera roll and upload it to our cloud on an ongoing basis, based on info like time, location or themes." While Meta claims the feature is opt-in and the data won't be used for targeted ads, experts worry about potential misuse. Concerns include how long the data is stored, who has access, and the risk of the data ending up in training datasets to build user profiles. It's "a bit like handing your photo album to an algorithm that quietly learns your habits, preferences, and patterns over time." This development occurs amidst increased scrutiny of data privacy practices, exemplified by Germany's call for Apple and Google to remove DeepSeek's apps due to unlawful data transfers to China and OpenAI's $200 million contract with the U.S. Department of Defense.

Tags: Facebook, AI, Privacy, Data Protection, Meta, Cloud Computing, GDPR, Facial Recognition

Categories: Data Protection, Privacy

Threat Actor: DeepSeek

Exploit Method: Unlawful User Data Transfers to China via DeepSeek Apps, Privacy risks associated with cloud-based AI processing of user photos

Exploited Software: DeepSeek's apps

Involved Countries: United States, Canada, European Union, Ireland, Brazil, Germany, China

Affected Industries: Social Media, Technology, Defense

LapDogs: China-nexus hackers Hijack 1,000+ SOHO devices for espionage

Published: 2025-06-28

SecurityScorecard's STRIKE team uncovered "LapDogs," a cyber espionage campaign where China-nexus hackers hijacked over 1,000 SOHO devices to create a hidden "Operational Relay Box (ORB) Network". According to SecurityScorecard, this marks "another instance of China-Nexus cyber actors leveraging ORB Networks," targeting the U.S. and Southeast Asia, especially Japan, South Korea, Hong Kong, and Taiwan. The attackers deployed a Linux-based "ShortLeash" malware, requiring root access and mimicking Nginx server responses for stealth. The malware is installed via a Bash script which displays "Unknown System" in Mandarin if the OS is unrecognized. Confirmed targeted devices include models from ASUS, D-Link, Microsoft, Panasonic, and Synology, exploiting known vulnerabilities like CVE-2015-1548 and CVE-2017-17663. The campaign shares traits with PolarEdge but differs in infection methods and targeting. While attribution is complex, the STRIKE team states "China-Nexus threat actors are using [Lapdogs] to conduct a targeted operation around the globe" and are disrupting traditional security playbooks.

Tags: China-Nexus, Espionage, SOHO Devices, Malware, Vulnerability Exploitation, APT

Categories: Cyber Espionage, Threat Intelligence, Vulnerability Management

Threat Actor: APT42, APT28, APT Salt Typhoon, UAT-5918

Actor Aliases: IntelBroker, Kai West

Exploit Method: ShortLeash Malware Deployment

Vulnerabilities: CVE-2015-1548, CVE-2017-17663

MITRE ATT&CK TTP: Defense Evasion (TA0005) Obfuscated Files or Information (T1027); Command and Control (TA0011) Ingress Tool Transfer (T1105); Discovery (TA0007) File and Directory Discovery (T1083); Execution (TA0002) Scheduled Task/Job (T1053); Command and Control (TA0011) Application Layer Protocol (T1071)

Exploited Software: AMI MegaRAC SPx, D-Link DIR-859 routers, Fortinet FortiOS, Citrix NetScaler devices, ACME mini_httpd, GoAhead web apps, Microsoft Windows (specifically Windows XP)

Involved Countries: China, United States, Taiwan, Japan, South Korea, Hong Kong, Canada

Affected Industries: Energy, Telecommunications

HIGH Vulnerabilities (1)

AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 0.82%    Percentile: 73%

MEDIUM Vulnerabilities (1)

AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 0.41%    Percentile: 58%

Hacker helped kill FBI sources, witnesses in El Chapo case, according to watchdog report

Published: 2025-06-28

A Justice Department watchdog report revealed that a hacker working for the Sinaloa drug cartel, led by El Chapo, infiltrated cameras and phones to track an FBI official in Mexico. According to the report, the hacker "observed people going in and out of the United States Embassy in Mexico City and identified ‘people of interest’ for the cartel, including the FBI Assistant Legal Attache (ALAT), and then was able to use the ALAT’s mobile phone number to obtain calls made and received, as well as geolocation data, associated with the ALAT’s phone." The hacker also exploited Mexico City’s camera system to monitor the agent's movements and identify individuals they met. The cartel then allegedly used this information to "intimidate and, in some instances, kill potential sources or cooperating witnesses." The report also assessed the FBI's ability to protect sensitive investigations in the face of ubiquitous technical surveillance (UTS) and concluded that the FBI's "red team" efforts to identify specific enterprise-wide risks were inadequate, "potentially leaving several UTS-related threats unmitigated."

Tags: Hacking, Surveillance, Mobile Security, Data Breach, Threat Intelligence

Categories: Cybercrime, Government Security, Law Enforcement

Threat Actor: Sinaloa Cartel Hacker

Exploit Method: Mobile Phone Exploitation and Geolocation Tracking, Camera System Exploitation

MITRE ATT&CK TTP: Initial Access (TA0001) Valid Accounts (T1078)

Exploited Software: Mobile Phones, Mexico City’s camera system

Involved Countries: Mexico, United States, United Kingdom

Affected Industries: Law Enforcement, Healthcare, Telecommunications

FBI Warns of Scattered Spider's Expanding Attacks on Airlines Using Social Engineering

Published: 2025-06-28

The FBI has issued a warning regarding Scattered Spider's increased targeting of the airline sector, employing social engineering techniques to bypass security measures. According to the FBI, "These actors rely on social engineering techniques, often impersonating employees or contractors to deceive IT help desks into granting access," and frequently bypass multi-factor authentication (MFA). These attacks often target third-party IT providers and lead to data theft, extortion, and ransomware. Mandiant's Charles Carmakal recommends "that the industry immediately take steps to tighten up their help desk identity verification processes prior to adding new phone numbers to employee/contractor accounts." A recent ReliaQuest report detailed a breach where Scattered Spider targeted an organization's CFO, impersonating them to reset MFA and gain access. "Scattered Spider favors C-Suite accounts...[because] IT help-desk requests tied to these accounts are typically treated with urgency, increasing the likelihood of successful social engineering," stated ReliaQuest. Once inside, the group is known for rapid escalation, deploying tools like ngrok for persistence and even resorting to a "scorched-earth" strategy to delete security measures when detected. The group is also linked to other threat actors within the "Com" collective, including LAPSUS$.

Tags: Scattered Spider, Social Engineering, Multi-Factor Authentication, Data Theft, Ransomware, Cybercrime, Vulnerability, Insider Threat, Cloud Security

Categories: Threat Intelligence, Incident Response, Vulnerability Management

Threat Actor: Scattered Spider

Actor Aliases: Muddled Libra, Octo Tempest, Oktapus, Scatter Swine, Star Fraud, UNC3944, The Com (aka Comm)

Exploit Method: Social Engineering Bypassing MFA, Privilege Escalation via Compromised C-Suite Accounts, Data Exfiltration and System Sabotage Post-Compromise

MITRE ATT&CK TTP: Initial Access (TA0001) Cloud Accounts (T1078.004); Credential Access (TA0006) Credentials from Password Stores (T1555); Discovery (TA0007) File and Directory Discovery (T1083); Defense Evasion (TA0005) Impair Defenses (T1562); Command and Control (TA0011) Ingress Tool Transfer (T1105); Credential Access (TA0006) OS Credential Dumping (T1003); Lateral Movement (TA0008) Remote Services (T1021); Initial Access (TA0001) Valid Accounts (T1078); Initial Access (TA0001) Phishing (T1566); Impact (TA0040) Service Stop (T1489)

Exploited Software: Horizon Virtual Desktop Infrastructure (VDI), VMware vCenter, CyberArk password vault, Entra ID

Involved Countries: United States

Affected Industries: Airline Sector, Insurance Sector, Transportation

Ex-NATO hacker: In cyber, there’s no such thing as a ceasefire (The Register)

Published: 2025-06-28

According to a recent article in The Register, Candan Bolukbas, former NATO hacker and current CTO of Black Kite, warns that ceasefires don't exist in cyberspace, particularly between Iran and Israel. Bolukbas states, "In the cyber world, there's no such thing as a ceasefire." He anticipates Iran will target the supply chains of Israel and the US Department of Defense, considering it "our weak spot." Bolukbas highlights that while directly breaching heavily defended networks like the Pentagon is difficult, targeting suppliers offers a more accessible route. He emphasizes that Iran will likely focus on "low-hanging fruit," using social engineering tactics like phishing due to their limited zero-day exploits. He also warns of the increasing use of AI for disinformation campaigns. Furthermore, he advises organizations to patch systems quickly and stay vigilant against phishing attacks. Bolukbas notes the US also engages in similar cyber activities, referencing the joint US-Israeli Stuxnet operation against Iran's nuclear program, stating, "And that, of course, was during a ceasefire. We were not in a war with Iran."

Tags: Cybercrime, Supply Chain Attacks, Phishing, Iran, Cyber Espionage, Critical Infrastructure, Zero-day Exploit, Stuxnet

Categories: Cyber Threat Intelligence, National Security, Vulnerability Management

Threat Actor: Sandworm, Iran, Russia, China

Exploit Method: Supply Chain Attack, Phishing, Compromised IoT Devices for Botnets

MITRE ATT&CK TTP: Initial Access (TA0001) Supply Chain Compromise (T1195); Initial Access (TA0001) Phishing (T1566); Initial Access (TA0001) Exploit Public-Facing Application (T1190)

Exploited Software: Internet-connected cameras, Smart TVs and other home IoT devices, Industrial Control System (ICS) components for railway management, Iranian high-value individuals' credentials and sensitive military info

Involved Countries: Iran, Israel, United States, Ukraine, Russia, China

Affected Industries: Energy/Power Grid, Defense, Logistics, ICS (Industrial Control Systems)

GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool

Published: 2025-06-28

The GIFTEDCROOK malware has evolved from a basic browser stealer to a sophisticated intelligence-gathering tool, according to a report by Arctic Wolf Labs. First identified by CERT-UA in April 2025, the malware is deployed via phishing emails containing macro-laced Microsoft Excel documents, attributed to the hacking group UAC-0226. The malware targets Ukrainian governmental and military entities. GIFTEDCROOK steals cookies, browsing history, and authentication data from browsers like Chrome, Edge, and Firefox. Newer versions (1.2 and 1.3) can harvest documents and files under 7 MB with specific extensions (.doc, .pdf, .ovpn, etc.) created or modified within the last 45 days. The malware uses military-themed PDF lures and a macro-enabled Excel workbook, "Список оповіщених військовозобов'язаних організації 609528.xlsm," hosted on Mega cloud storage. Stolen data is bundled into ZIP archives and exfiltrated to a Telegram channel in chunks to evade detection. "The progression from simple credential theft in GIFTEDCROOK version 1, to comprehensive document and data exfiltration in versions 1.2 and 1.3, reflects coordinated development efforts where malware capabilities followed geopolitical objectives to enhance data collection from compromised systems in Ukraine." A batch script is then executed to erase traces of the malware.

Tags: Malware, Cyber Warfare, Phishing, Data Exfiltration, Intelligence Gathering, Ukraine, Hacking Group

Categories: Threat Intelligence, Malware Analysis

Threat Actor: UAC-0226

Actor Aliases: GIFTEDCROOK

Exploit Method: Macro-Enabled Phishing, Data Exfiltration via Telegram Channel

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing (T1566) Spearphishing Attachment (T1193); Command and Control (TA0011) Ingress Tool Transfer (T1105); Discovery (TA0007) File and Directory Discovery (T1083); Defense Evasion (TA0005) Obfuscated Files or Information (T1027); Defense Evasion (TA0005) Indicator Removal (T1070); Execution (TA0002) Command and Scripting Interpreter (T1059)

Exploited Software: Microsoft Excel, Google Chrome, Microsoft Edge, Mozilla Firefox

Involved Countries: Ukraine, Russia

Affected Industries: Government, Military, Law Enforcement

Let’s Encrypt ends certificate expiry emails to cut costs, boost privacy

Published: 2025-06-28

Let's Encrypt, a widely used Certificate Authority (CA), has discontinued its certificate expiration notification emails as of June 4, 2025, citing cost, privacy, and complexity concerns. The organization, which provides free digital certificates to enable HTTPS on websites, explained that the decision was driven by the increasing adoption of automated certificate management via the ACME protocol. According to Let's Encrypt, the need for manual email notifications is "diminishing" due to this automation. A significant factor was the cost, estimated to be "tens of thousands of dollars per year," which Let's Encrypt believes could be better allocated to other infrastructure improvements. The organization also expressed privacy concerns related to managing a large database of email addresses. “Providing expiration notifications adds complexity to our infrastructure, which takes time and attention to manage and increases the likelihood of mistakes being made,” they stated. The move encourages users to adopt ACME-compatible tools for automated certificate renewal and to explore alternative notification methods. Failure to adapt could lead to unexpected website outages due to expired certificates. The change is also influenced by CA/Browser Forum standards reducing certificate lifespans to 47 days by 2029, making manual management impractical.

Tags: Let's Encrypt, Certificate Authority, TLS/SSL Certificates, Automation, Privacy, ACME

Categories: Digital Certificates, PKI (Public Key Infrastructure)

Exploit Method: Certificate Expiration Leading to Service Outages

Affected Industries: Technology
