infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed is data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information. Recent bug fixes: 6/29/25 - resolved an issue where updates to the AI model caused objects instead of raw text in the TTP fields. Next feature: adding a pop-up evidence window to view decision evidence (why was x value chosen?) for the values of each article.

A week in security (September 1 - September 7) | Malwarebytes

Published: 2025-09-08

This week's cybersecurity news highlights a range of threats targeting individuals and businesses alike. TP-Link issued a warning about a botnet infecting routers and specifically targeting Microsoft 365 accounts, demonstrating the continued risk of credential compromise. Popular Android VPN applications were found to have "security flaws and China links," raising privacy concerns for users. Google patched a staggering "111 vulnerabilities" in Android, two of which are critical, emphasizing the importance of timely updates. WhatsApp also addressed a vulnerability exploited in "zero-click attacks," highlighting the sophistication of modern exploits. Phishing scams continue to be prevalent, with PayPal users targeted in "account profile scams" and Californians facing tax refund scams. Travelers to the UK are also being targeted in ETA scams. Malwarebytes also notes their business solutions "remove all remnants of ransomware and prevent you from getting reinfected," showcasing proactive defense strategies.

Tags: Vulnerability, Scam, Malware, Android, WhatsApp, Microsoft 365, Two-Factor Authentication

Categories: Vulnerability Management, Threat Intelligence, Endpoint Security

Exploit Method: Zero-Click WhatsApp Exploit, TP-Link Botnet Infection, Android VPN App Security Flaws and China Links

Exploited Software: Microsoft 365, WhatsApp

Involved Countries: China, United Kingdom, United States

Affected Industries: Technology, Financial Services, Telecommunications

AI moves fast, but data security must move faster

Published: 2025-09-08

The 2025 Thales Data Threat Report reveals that generative AI adoption is outpacing security readiness within enterprises. The report, based on a survey of over 3,000 IT and security professionals, highlights the rapidly evolving AI landscape and its associated security challenges. "One-third of enterprises are already integrating generative AI into their operations or have reached a point where it is transforming their business processes," the report states. Nearly 70% of respondents cited the fast-changing GenAI ecosystem as their top security concern. Attackers are increasingly targeting data integrity by "injecting false or biased information into models to cause harm." Data integrity attacks ranked second highest on the list of concerns, following only ecosystem complexity. The report emphasizes the need for organizations to map data across environments and adopt unified security tools to mitigate risks and ensure digital sovereignty. CISOs face the challenge of aligning security programs with AI risks and evolving regulations.

Tags: Generative AI, Data Security, Data Integrity, Digital Sovereignty, SaaS Security, Thales Data Threat Report

Categories: Artificial Intelligence Security, Data Protection

Exploit Method: Data Injection Attacks

MITRE ATT&CK TTP: Content Injection (T1659)

Affected Industries: IT and Security, Cloud Services

iCloud Calendar infrastructure abused in PayPal phishing campaign | Malwarebytes

Published: 2025-09-08

A new PayPal phishing campaign is abusing the iCloud Calendar infrastructure to target users. According to Malwarebytes, the attack leverages calendar invites to send malicious messages directly from Apple's servers, bypassing typical email security checks. As the article states, "The sender email address shows as noreply@email.apple.com which helps it pass every imaginable email security check since it actually came from an Apple server." The phishing email, disguised as a "Purchase Invoice," informs the recipient of a fake $599.00 charge and urges them to call a provided phone number. This is a call-back phishing scam, designed to trick users into contacting the attackers, who then attempt to install remote desktop clients or information-stealing malware. The attackers exploit Microsoft Sender Rewriting Scheme (SRS) via a Microsoft 365 account to further legitimize the email's origin. The article warns users to be wary of the "urgency," "generic greetings," and "spelling error in the phone number" (+1 +1) within the message. Users are advised to verify any billing concerns directly on the PayPal website, enable two-factor authentication, and report suspicious emails to PayPal.

Tags: Phishing, PayPal, iCloud Calendar, Call-back Phishing, Email Spoofing, Microsoft 365, Sender Rewriting Scheme (SRS)

Categories: Phishing Attacks, Email Security, Social Engineering

Exploit Method: iCloud Calendar Phishing, Microsoft SRS Abuse

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing (T1566) Command and Control (TA0011) Application Layer Protocol (T1071)

Exploited Software: Microsoft 365, iCloud Calendar

Involved Countries: United States

Affected Industries: Financial Services, Technology

UK tech minister booted out in weekend cabinet reshuffle • The Register

Published: 2025-09-08

A recent UK cabinet reshuffle has resulted in significant changes to leadership roles overseeing technology and digital law. Liz Kendall has replaced Peter Kyle as science, innovation and technology secretary, inheriting responsibility for the controversial Online Safety Act. Kyle, who oversaw the introduction of the government's Cyber Security and Resilience (CSR) Bill, will now serve as secretary of state for business and trade. Other notable changes include Jason Stockwood replacing Poppy Gustafsson as investment minister. Gustafsson, the former Darktrace CEO, was hired to "promote the UK as an attractive place to invest." The reshuffle also saw Kanishka Narayan appointed as an under-secretary in DSIT, while Ian Murray will become minister of state jointly in the Department for Culture, Media and Sport and the DSIT. Kyle was also responsible for planning a team within the Department for Science, Innovation and Technology (DSIT) to "join up public services" and avoid citizens telling dozens of public sector bodies the same information. In a bid to improve public sector efficiency, the minister announced a new package of AI tools nicknamed Humphrey. The impact of these leadership changes on the UK's cybersecurity strategy and the implementation of key initiatives like the CSR Bill remains to be seen.

Tags: Cyber Security and Resilience (CSR) Bill, Online Safety Act, Facial Recognition, Data Privacy, AI

Categories: Cybersecurity Policy, Government Cybersecurity, Privacy

Exploit Method: Facial_Recognition_Scan_of_Passport_and_Immigration_Databases, Data_Sharing_Vulnerability_Through_Public_Services_Team

Involved Countries: UK

Affected Industries: Technology, Energy, Government

MostereRAT Targets Windows Users With Stealth Tactics

Published: 2025-09-08

Cybersecurity researchers have uncovered a phishing campaign delivering a new Remote Access Trojan (RAT) called MostereRAT that targets Windows systems. According to FortiGuard Labs, what sets this campaign apart is its "layered use of advanced evasion techniques." The malware is written in Easy Programming Language (EPL), a Chinese-based coding language, and relies on multiple stages to hide malicious behavior, disable security tools and establish secure communications with its command-and-control (C2) server using mutual TLS (mTLS). The campaign begins with phishing emails targeting mainly Japanese users, delivering a Word document that downloads and executes the malware. Lauren Rucker, senior cyber threat intelligence analyst at Deepwatch, said: "Given the initial attack vector is phishing emails leading to malicious links and website downloads, browser security is a critical area for defense." MostereRAT can disable Windows Update, terminate antivirus processes and escalate privileges by mimicking the TrustedInstaller account. Once established, the RAT supports keylogging, system information collection, and can run remote access tools like AnyDesk, TightVNC, and RDP Wrapper. James Maude, field CTO at BeyondTrust, explained that MostereRAT follows a common pattern of exploiting "overprivileged users and endpoints without application control."

Tags: MostereRAT, Phishing, Remote Access Trojan (RAT), Evasion Techniques, Windows, Privilege Escalation

Categories: Malware Analysis, Threat Intelligence, Endpoint Security

Exploit Method: Phishing Campaign with MostereRAT, Privilege Escalation via TrustedInstaller Mimicry, Abuse of Remote Access Tools (AnyDesk, TightVNC, RDP Wrapper)

MITRE ATT&CK TTP: Initial Access (TA0001) Phishing (T1566) Spearphishing Link (T1192) Command and Control (TA0011) Ingress Tool Transfer (T1105) Defense Evasion (TA0005) Obfuscated Files or Information (T1027) Execution (TA0002) Scheduled Task/Job (T1053) Initial Access (TA0001) Valid Accounts (T1078) Discovery (TA0007) System Information Discovery (T1082) Execution (TA0002) Command and Scripting Interpreter (T1059) Lateral Movement (TA0008) Remote Services (T1021) Defense Evasion (TA0005) Impair Defenses (T1562) Privilege Escalation (TA0004) Exploitation for Privilege Escalation (T1068)

Exploited Software: Microsoft Windows, AnyDesk, TightVNC, RDP Wrapper

Involved Countries: Japan, China

Affected Industries: Banking

Identity management was hard, AI made it harder

Published: 2025-09-08

A recent SailPoint report highlights the growing challenges of identity management in the age of AI, revealing that many organizations are unprepared to manage AI-driven identities and machine accounts at scale. The study, based on a survey of 375 IAM leaders, found that "sixty-three percent remain in the two lowest maturity categories, relying on manual processes and basic tools to manage user access." This leaves security teams with blind spots, especially since less than 40% of organizations govern AI agents. The rise of these non-human identities, often operating without consistent governance, creates opportunities for attackers due to excessive permissions or inactive accounts. Deployment challenges also plague organizations, with only 14% reporting completely successful IAM deployments. Poor data quality, fragmented across various systems, further undermines access controls. Matt Mills, President of SailPoint, emphasizes that "Identity is the central control point where policies are enforced…enabling enterprises to manage every identity—human, machine or AI agent—across the enterprise." The report underscores the need for unified identity data and structured deployment processes to secure both human and non-human identities.

Tags: Identity Management, AI, Machine Identities, Data Security, IAM Deployments, SailPoint

Categories: Identity and Access Management (IAM), Artificial Intelligence (AI) Security, Cybersecurity Operations

Exploit Method: Excessive Permissions and Dormant Accounts of Machine Identities

MITRE ATT&CK TTP: Initial Access (TA0001) Valid Accounts (T1078) Discovery (TA0007) System Information Discovery (T1082)

Involved Countries: Europe, Latin America

Affected Industries: Technology, Financial Services, Healthcare, Manufacturing

Salesloft Drift data breach: Investigation reveals how attackers got in

Published: 2025-09-08

A recent investigation into the Salesloft Drift data breach has revealed that the attackers initially compromised the company's GitHub account. According to Salesloft, "In March through June 2025, the threat actor accessed the Salesloft GitHub account...With this access, the threat actor was able to download content from multiple repositories, add a guest user and establish workflows." Google Threat Intelligence Group attributed the attack to UNC6395, noting their interest in sensitive access credentials like "AWS access keys, passwords, Snowflake-related access tokens" found in support tickets. The attackers then accessed Drift's AWS environment, obtained OAuth tokens for Drift customers’ technology integrations, and used them to access the customers’ Salesforce instances. This allowed the exfiltration of data from customers’ Salesforce instances by leveraging stolen OAuth credentials that enable the integration of their Drift chatbot. Companies like Cloudflare, Zscaler, Palo Alto Networks, and Elastic have confirmed data theft. Mandiant has verified the technical segmentation between Salesloft and Drift applications, and the company stated that "the findings support the incident has been contained."

Tags: Data Breach, Supply Chain Attack, OAuth Token Theft, GitHub Compromise, Credential Theft, AWS Compromise

Categories: Data Security Incident Response, Vulnerability and Exploit, Third-Party Risk Management

Threat Actor: UNC6395

Exploit Method: GitHub Account Compromise, OAuth Token Theft

MITRE ATT&CK TTP: Initial Access (TA0001) Supply Chain Compromise (T1195) Initial Access (TA0001) Valid Accounts (T1078)

Exploited Software: GitHub, Drift, Salesforce

Affected Industries: Software, Cloud Computing, Customer Relationship Management (CRM), Cybersecurity

Cyber defense cannot be democratized

Published: 2025-09-08

A recent article on HelpNetSecurity argues against the "democratization of security," claiming it has resulted in "chaos." The author contends that while shifting security left by deputizing developers for remediation is a good idea in theory, in practice, "security is still accountable for risk but has no authority over the environment." DevOps teams, overwhelmed by alerts from cloud security tools, lack the bandwidth to properly investigate risks. The article highlights a common scenario where security analysts flag a misconfigured cloud asset, creating a ticket for DevOps, who then struggle to prioritize the task amidst existing workloads, often finding it to be a false alarm. The proposed solution involves CISOs consolidating power and focusing on threat validation to reduce CNAPP noise. The author suggests reframing security's role "from gatekeeper to prosecutor," providing DevOps with clear evidence of exploitable risks, demonstrating "exactly how an attacker could weaponize those permissions to access critical systems." The article emphasizes adopting an attacker mindset, using automation and AI to streamline threat validation, and advocating for regular attack simulations to identify critical attack paths. Ultimately, the author believes that "to remain effective security teams need to consolidate their power, not delegate it to DevOps teams."

Tags: Cybersecurity, DevOps, AI, Threat Validation, Cloud Security

Categories: Vulnerability Management, Threat Intelligence, Security Operations

Exploit Method: Cloud Misconfiguration Exploitation, AI-Enhanced Attack Automation

Affected Industries: Technology

Action1 vs. Microsoft WSUS: A Better Approach to Modern Patch Management

Published: 2025-09-08

According to a sponsored article on BleepingComputer, "WSUS was built when the tech reality we live in could not have been conceived," and is now officially deprecated by Microsoft. The article highlights Action1 as a modern, cloud-native alternative that addresses many of WSUS's shortcomings. "Action1 requires no server installation, database setup, or GPO juggling," offering a much faster setup. WSUS is limited to Microsoft products, creating potential vulnerabilities from unpatched third-party applications which account for approximately a third of successful attacks. Action1 covers both Microsoft and third-party applications. Unlike WSUS, which requires endpoints to connect via corporate LAN or VPN, Action1 patches "remote or roaming devices...without requiring VPN." Action1 also offers policy-driven automation, real-time dashboards, and compliance reports, features lacking or limited in WSUS. Furthermore, Action1 scales seamlessly in the cloud. The article concludes that "Action1 is not just a replacement, it is a veritable improvement" for organizations seeking a modern patch management solution.

Tags: Patch Management, WSUS, Action1, Third-Party Applications, Cloud-Native, Automation, Vulnerability Management

Categories: Vulnerability and Patch Management, Endpoint Security

Exploit Method: Third-Party Application Exploitation

MITRE ATT&CK TTP: Execution (TA0002) PowerShell (T1059.001) Discovery (TA0007) File and Directory Discovery (T1083) Defense Evasion (TA0005) Modify Registry (T1112)

Exploited Software: Third-Party Applications

Involved Countries: United States

Affected Industries: Information Technology

Remote Access Abuse Biggest Pre-Ransomware Indicator

Published: 2025-09-08

Cisco Talos's new research identifies the abuse of remote access software as the leading indicator of pre-ransomware activity. The report, published September 8th, details how threat actors frequently exploit legitimate remote services like RDP, PsExec, and PowerShell, alongside remote access tools such as AnyDesk, Atera, and Microsoft Quick Assist to gain domain administrator access. According to researchers, "Prioritizing moderating the use of remote services and remote access software and/or securing the aforementioned credential stores could assist in limiting the majority of adversaries seen in these pre-ransomware engagements." The study highlights credential dumping as another common technique, focusing on extracting credentials from locations like the domain controller registry, SAM registry hive, and using tools like Mimikatz. Network service discovery using tools such as netscan, nltest, and netview also plays a significant role. The research emphasizes the importance of rapid incident response. "When Talos Incident Response (IR) was engaged within one to two days of first observed activity, ransomware execution was prevented in a third (32%) of cases." Quick containment prompted by EDR/MDR alerts and notifications from government partners like CISA also proved effective in hindering attacks.

Tags: Ransomware, Remote Access Software, Credential Harvesting, Privilege Escalation, MFA, CISA

Categories: Threat Intelligence, Incident Response, Vulnerability Management

Exploit Method: Remote Access Software Abuse, Credential Dumping, Network Service Discovery

MITRE ATT&CK TTP: Lateral Movement (TA0008) Remote Services (T1021) Execution (TA0002) PowerShell (T1059.001) Credential Access (TA0006) OS Credential Dumping (T1003)

Exploited Software: RDP, PsExec, PowerShell, AnyDesk, Atera, Microsoft Quick Assist

Involved Countries: United States

Affected Industries: Managed Service Providers (MSPs)
