
infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed is data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information.

JPCERT warns of DslogdRAT malware deployed in Ivanti Connect Secure

Published: 2025-04-25

The Japan Computer Emergency Response Team (JPCERT) issued a warning about DslogdRAT malware being deployed via exploited vulnerabilities in Ivanti Connect Secure. While the article doesn't specify the exact attack method used to initially compromise Ivanti Connect Secure, it highlights the deployment of DslogdRAT, indicating a successful infiltration. The article mentions several other significant cybersecurity events, including the Lazarus APT group's supply chain attacks targeting South Korean organizations, the Interlock ransomware gang's data leak from DaVita, and a Yale New Haven Health data breach impacting 5.5 million patients. These incidents, along with the JPCERT warning, underscore the ongoing threat of sophisticated malware and supply chain attacks targeting various sectors, potentially leading to significant data breaches, financial losses, and reputational damage. The use of DslogdRAT, a remote access trojan, indicates a potential for persistent access and further malicious activity. The article highlights the ongoing need for robust security measures and proactive threat intelligence to mitigate these risks.

Tags: DslogdRAT, Zero-day Exploit, Supply Chain Attack, APT, Malware, Perl, CGI, Ivanti

Categories: Vulnerability Analysis, Malware Analysis, Threat Actor Analysis

Threat Actor: Silk Typhoon

Exploit Method: Perl-based CGI web shell exploit, DslogdRAT Malware Deployment

Vulnerabilities: CVE-2025-0282

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Execution (TA0002): Remote Code Execution (T1203); Command and Control (TA0011): Ingress Tool Transfer (T1105); Defense Evasion (TA0005): Deobfuscate/Decode Files or Information (T1140); Command and Control (TA0011): Proxy (T1090); Initial Access (TA0001): Supply Chain Compromise (T1195); Lateral Movement (TA0008): Lateral Tool Transfer (T1570)

Exploited Software: Ivanti Connect Secure, Ivanti Policy Secure, Ivanti Neurons for ZTA gateways

Involved Countries: Japan, China, United States

Affected Industries: IT, Government

Why NHIs Are Security's Most Dangerous Blind Spot

Published: 2025-04-25

A recent article highlights the growing threat of Non-Human Identities (NHIs) in cybersecurity, emphasizing that "most companies have no idea how many secrets they have, where they're stored, or who is using them." NHIs, including service accounts, service principals, and IAM roles, authenticate using secrets like API keys and certificates. The "State of Secrets Sprawl 2025" report revealed alarming statistics: 23.7 million new secrets leaked on public GitHub in 2024 alone, and 70% of secrets leaked in 2022 remain valid. This is partly due to the lack of MFA for machines and the common practice of granting overly permissive access to secrets. The article cites the Toyota incident as an example of the devastating impact a single leaked secret can have. With NHIs often outnumbering human identities by a ratio of 50:1 to 100:1, the article stresses that legacy identity governance tools are insufficient. The author argues that "secrets are leaking faster" due to the rise of AI agents accessing internal data, potentially exposing secrets through logs and responses. The article concludes by promoting GitGuardian NHI Governance as a solution to map and manage the entire secrets landscape, enabling better control and minimizing the attack surface.

Tags: Secrets Management, DevOps, Machine Identity, Cloud Security, API Security

Categories: Identity and Access Management (IAM), Data Security

Exploit Method: Hardcoded Secrets in Codebases, Lack of Secret Rotation and Expiration, Overprivileged Access to NHIs, Secrets Leaked on Public Platforms

MITRE ATT&CK TTP: Credential Access (TA0006): Unsecured Credentials (T1552); Initial Access (TA0001): Valid Accounts (T1078); Initial Access (TA0001): Supply Chain Compromise (T1195); Initial Access (TA0001): Cloud Accounts (T1078.004)

Exploited Software: GitHub, Jira, Notion, Slack

Affected Industries: Automotive, Technology

The Good, the Bad and the Ugly in Cybersecurity - Week 17

Published: 2025-04-25

SentinelOne's "The Good, the Bad, and the Ugly in Cybersecurity - Week 17" report highlights both advancements and persistent threats. On the positive side, AI is improving cybersecurity defenses. Alex Stamos, CISO at SentinelOne, notes that AI's ability to correlate data across systems provides crucial visibility, quoting, "Very few companies have visibility across their cloud infrastructure and their on-premise tech in a way where they see all of it at the same time." This allows for faster detection of anomalies like unusual login behavior. However, the report details concerning attacks by Russia-linked threat actors (UTA0352 and UTA0355) targeting Ukrainian allies and NGOs. These groups leverage a novel technique, abusing Microsoft's OAuth 2.0 authentication workflow via phishing URLs disguised as video meeting links, leading to access to Microsoft 365 resources. The FBI's IC3 report reveals a grim reality: cybercrime losses soared to $16.6 billion in 2024, a 33% increase. This includes nearly 860,000 complaints, with cyber-based fraud accounting for 83% of the damage. Ransomware, though only representing 3,156 complaints, remains a significant threat to critical infrastructure, with groups like Akira, LockBit, and RansomHub involved. The FBI emphasizes that reported numbers likely underestimate the true scale of the problem, urging better reporting to improve threat tracking.

Tags: AI-powered Cybersecurity, Advanced Persistent Threats (APTs), Phishing, Ransomware, Data Breaches

Categories: Threat Detection and Response, Cybercrime Trends and Statistics

Threat Actor: UTA0352, UTA0355, Russia-linked threat actors, Akira, LockBit, RansomHub, Fog, Play

Exploit Method: Microsoft OAuth 2.0 Abuse

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Command and Control (TA0011): Proxy (T1090); Initial Access (TA0001): Valid Accounts (T1078)

Exploited Software: Microsoft 365, Visual Studio Code (insiders.vscode[.]dev)

Involved Countries: Ukraine, Russia

Affected Industries: Non-Governmental Organizations (NGOs), Critical Infrastructure

M&S halts online orders as 'cyber incident' gets worse • The Register

Published: 2025-04-25

Marks & Spencer (M&S) has temporarily halted online orders due to a worsening "cyber incident" that began on Saturday, April 24th, 2025. The incident initially impacted returns, Click & Collect, and contactless payments, but has now escalated to a complete suspension of online ordering via the website and app. M&S stated, "As part of our proactive management of a cyber incident, we have made the decision to pause taking orders via our M&S.com websites and apps." While M&S assures customers no action is needed, additional issues include inability to redeem gift cards and unavailable self-serve kiosks. The retailer has notified the Information Commissioner's Office and National Cyber Security Center. William Wright, CEO at Closed Door Security, warns that despite M&S's reassurances, customers should remain vigilant against phishing attempts, stating, "M&S customers should keep an eye on their online accounts and bank statements, and also be on guard for phishing." The nature of the attack and whether customer data was accessed remains undisclosed. The incident's impact includes significant disruption to M&S's online sales and potential future financial losses, alongside customer inconvenience and the risk of widespread phishing scams targeting customers.

Tags: Cybersecurity Incident, Phishing

Categories: Retail Cybersecurity, Incident Response

Exploit Method: Phishing Attacks

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566)

Exploited Software: Marks & Spencer's Website and App

Involved Countries: United Kingdom

Affected Industries: Retail

Microsoft fixes Server 2025 Remote Desktop freezing issues • The Register

Published: 2025-04-25

Microsoft has released a patch (KB5055523) addressing a critical bug introduced in a February 2025 update to Windows 11 24H2 and Windows Server 2025. The flaw caused Remote Desktop sessions to freeze, rendering them unresponsive to keyboard and mouse input. As Microsoft stated, "We recommend you install the latest update for your device as it contains important improvements and issue resolutions, including this one." This issue, initially reported over a month ago, required users to disconnect and reconnect to regain access. While Microsoft rated the bug as low exploitability, it was weaponized by miscreants within just eight days. This is just one of several recent patching problems for Microsoft, including a previous issue causing Blue Screens of Death (BSoD) for Windows 11 users, and another resulting in USB printers producing gibberish. One reader commented, "Microsoft needs to apportion resources better...fixing things that all the other departments broke." The cumulative effect of these incidents raises concerns about Microsoft's patching process and resource allocation, impacting Windows Server 2025 and Windows 11 users.

Tags: Windows Server Bug, Software Patch, Microsoft Patching Issues, Remote Desktop

Categories: Software Vulnerability and Patch Management

Threat Actor: Miscreants

Exploit Method: Remote Desktop Session Freeze Exploit

MITRE ATT&CK TTP: Defense Evasion (TA0005): Impair Defenses (T1562); Initial Access (TA0001): Exploit Public-Facing Application (T1190)

Exploited Software: Windows 11 24H2, Windows Server 2025

Affected Industries: Software/Technology

Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610)

Published: 2025-04-25

Researchers Thai Do and Minh Pham of OPSWAT discovered three critical vulnerabilities (CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610) in Rack, a widely used Ruby web application server interface. The most severe, CVE-2025-27610, is a path traversal vulnerability affecting Rack::Static middleware. As Bang Do, OPSWAT's Senior QA Director, explained, "In theory, exploiting CVE-2025-27610 would not require significant payload modifications...It allows attackers to gain unauthorized access to files on the web server simply by manipulating the URL from the client side." This allows access to sensitive files like configuration files and credentials if the attacker knows the file path. The impact, according to OPSWAT, "depends on the contents of the accessed files," potentially leading to further system compromise. With over a billion downloads globally, the vulnerability poses a significant threat. Mitigation involves upgrading Rack to version 2.2.13 or higher, 3.0.14 or higher, or 3.1.12 or higher, removing Rack::Static, or ensuring proper `root:` configuration. CVE-2025-27111 can be mitigated by removing Rack::Sendfile. No specific victims are named in the article, but the widespread use of Rack means numerous organizations and individuals could be affected.

Tags: Rack Vulnerability, Path Traversal, Ruby on Rails Security, CVE-2025-27610

Categories: Software Vulnerability, Web Application Security

Exploit Method: URL Manipulation for Path Traversal

Vulnerabilities: CVE-2025-27610

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Discovery (TA0007): File and Directory Discovery (T1083)

Exploited Software: Rack

Affected Industries: Web Application Development

A Vulnerability in SAP NetWeaver Visual Composer Could Allow for Remote Code Execution

Published: 2025-04-25

A critical vulnerability, CVE-2025-31324, affecting SAP NetWeaver Visual Composer has been discovered and is actively exploited in the wild, according to ReliaQuest and watchtower. This vulnerability allows for remote code execution (RCE), a severe threat. The article maps the vulnerability to the "Exploit Public-Facing Application (T1190)" technique under the "Initial Access (TA0001)" tactic. SAP NetWeaver Visual Composer, a web-based modeling tool used to create business application components without coding, is the target. Successful exploitation "could allow for remote code execution in the context of the system," granting attackers significant control. While the article doesn't name specific victims, the active exploitation indicates that organizations utilizing SAP NetWeaver Visual Composer are at risk. The potential impact includes data breaches, system compromise, and disruption of business operations. The Center for Internet Security strongly recommends immediate action to mitigate this risk.

Tags: SAP NetWeaver Visual Composer Vulnerability, Remote Code Execution, CVE-2025-31324, Active Exploitation

Categories: Software Vulnerability Announcement, Security Advisory

Exploit Method: Remote Code Execution in SAP NetWeaver Visual Composer

Vulnerabilities: CVE-2025-31324

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190)

Exploited Software: SAP NetWeaver Visual Composer

Affected Industries: Software and Technology

Tyton - Kernel-Mode Rootkit Hunter for Linux

Published: 2025-04-25

The open-source tool Tyton, a lightweight kernel-mode rootkit detector for Linux, has been released. Developed by nbulischeck and available on GitHub, Tyton focuses on identifying "hidden modules, syscall table hooks, and other common rootkit techniques," according to its description. The tool utilizes a userland daemon that monitors journald logs and provides desktop notifications via libnotify, improving user awareness. It supports DKMS for seamless integration with kernel updates on distributions like Arch and Fedora. However, the project is archived and no longer actively maintained, limiting its compatibility with newer kernels and its scope to rootkit detection only. The article notes that users "do not actively monitor their journald logs," highlighting the need for automated notification systems like Tyton's. Installation requires a Linux kernel 4.4.0-31 or greater, along with several dependencies including GCC, Make, libnotify, and others. While useful, its archived status means users should consider supplementing it with other, actively maintained security tools for complete system protection.

Tags: rootkit-detection, Linux, open-source

Categories: Linux Security, Rootkit Detection Tools

Exploit Method: Rootkit Installation via Kernel Module

FBI seeks help to unmask Salt Typhoon hackers behind telecom breaches

Published: 2025-04-25

The FBI is publicly seeking information on the Chinese state-sponsored hacking group, Salt Typhoon (also known as Ghost Emperor, FamousSparrow, Earth Estries, and UNC2286), responsible for widespread breaches of US and international telecommunications providers. The FBI states, "Investigation into these actors and their activity revealed a broad and significant cyber campaign...resulting in the theft of call data logs, a limited number of private communications involving identified victims, and the copying of select information subject to court-ordered US law enforcement requests." Victims include AT&T, Verizon, Lumen, Charter Communications, Consolidated Communications, Windstream, and numerous other companies across dozens of countries. The attackers accessed US law enforcement's wiretapping platform, compromising the private communications of a limited number of US government officials. Salt Typhoon's tactics include exploiting privilege escalation and Web UI command injection vulnerabilities in unpatched Cisco IOS XE network devices and utilizing a custom tool, JumbledPath, to monitor network traffic. Recent breaches (December 2024-January 2025) targeted a US ISP, a US affiliate of a UK provider, Italian and South African telecoms, and a large Thai provider. The US Department of the Treasury’s OFAC sanctioned Sichuan Juxinhe Network Technology, believed to be involved, and the State Department offers a $10 million reward for information. The potential impact includes significant data theft, compromise of sensitive communications, and potential national security risks, leading to considerations of banning TP-Link routers and China Telecom's US operations.

Tags: Chinese State-Sponsored Hacking, Telecom Breaches, Cyber Espionage, Data Theft

Categories: Cybercrime, National Security

Threat Actor: Salt Typhoon

Actor Aliases: Ghost Emperor, FamousSparrow, Earth Estries, UNC2286

Exploit Method: Privilege Escalation and Web UI Command Injection in Cisco IOS XE, Use of Custom JumbledPath Tool

MITRE ATT&CK TTP: Privilege Escalation (TA0004): Exploitation for Privilege Escalation (T1068); Initial Access (TA0001): Exploit Public-Facing Application (T1190); Collection (TA0009): Input Capture (T1056)

Exploited Software: Cisco IOS XE

Involved Countries: China, United States, Italy, South Africa, Thailand, United Kingdom

Affected Industries: Telecommunications, Law Enforcement

Former Google Cloud CISO Phil Venables Joins Ballistic Ventures

Published: 2025-04-25

Phil Venables, former CISO of Google Cloud, Goldman Sachs, and Deutsche Bank, has joined Ballistic Ventures as a Venture Partner. Venables, who also helped found the Center for Internet Security (CIS), stated, “After being a CISO for 30 years…I’m excited to take on a new challenge that allows me to help shape the future of cybersecurity in a different way.” His experience spans decades and includes roles on multiple boards, including MITRE’s Science and Technology Advisory Committee and Sheltered Harbor, which focuses on protecting the financial system from catastrophic cyberattacks. The article also mentions several other cybersecurity news items, including the ongoing activity of the Scattered Spider threat actor, a $17M Series A funding round for Miggo Security, and the reported hacking of 4chan. While no specific attack methods are detailed in the Venables announcement, the broader news section highlights the persistent threat landscape, including the use of advanced techniques like polymorphic phishing and the ongoing targeting of organizations by state-sponsored actors like Lazarus Group. The impact of these threats ranges from financial losses to significant data breaches and disruptions to critical infrastructure.

Tags: Venture Capital, CISO, Cybersecurity, Leadership Changes

Categories: Cybersecurity Personnel, Venture Capital and Cybersecurity

Threat Actor: Lazarus, Scattered Spider, Hellcat Hackers

Exploit Method: Watering Hole Attacks

Exploited Software: Android

Involved Countries: South Korea

Affected Industries: Financial Services, Technology
