For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and uses GenAI to build the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed stays data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information. Recent bug fixes: 6/29/25 - resolved an issue where updates to the AI model produced objects instead of raw text in the TTP fields. Next feature: adding a pop-up evidence window to view decision evidence (why was x value chosen?) for the values of each article.

The new battleground for CISOs is human behavior

Published: 2025-08-22

CISOs are facing a rising tide of threats targeting human behavior, making it the "new battleground" in cybersecurity. According to a recent report, social engineering attacks are becoming increasingly sophisticated and effective. Attackers are leveraging techniques like phishing, vishing, and business email compromise (BEC) to manipulate individuals into divulging sensitive information or performing actions that compromise security. The article highlights the increasing sophistication of these attacks, noting that "attackers are becoming adept at crafting personalized and emotionally compelling messages that bypass traditional security controls." While specific victim organizations and threat actors are not named, the article warns that all organizations are vulnerable. The potential impact of successful social engineering attacks includes data breaches, financial loss, and reputational damage. The need for robust security awareness training and a culture of security vigilance is underscored, as "technology alone is no longer sufficient to protect against these evolving threats."

Tags: OSINT, Money Laundering, Financial Institutions, Vulnerability, Cisco, Critical Infrastructure, Cloud Security, Threat Actors, Incident Response

Categories: Threat Intelligence, Vulnerability Management, Cloud Security, Financial Crime

Threat Actor: Russian threat actors

Exploit Method: Cisco Bug Exploitation, AWS Trusted Advisor Flaw

Exploited Software: Cisco, AWS Trusted Advisor

Involved Countries: Russia

Affected Industries: Financial Institutions, Critical Infrastructure

Massive anti-cybercrime operation leads to over 1,200 arrests in Africa

Published: 2025-08-22

Operation Serengeti 2.0, an INTERPOL-led initiative, resulted in the arrest of over 1,200 cybercriminals across 18 African countries and the United Kingdom. According to INTERPOL, the operation "brought together investigators...to tackle high-harm and high-impact cybercrimes including ransomware, online scams and business email compromise (BEC)." Between June and August 2025, authorities seized $97.4 million and dismantled 11,432 malicious infrastructures. The operation targeted cybercrime gangs responsible for attacks impacting 87,858 victims globally. The collaborative effort, supported by private sector partners like Fortinet and Kaspersky, builds upon previous operations like "Operation Red Card" and "Operation Africa Cyber Surge II," demonstrating a growing international commitment to combating cybercrime in Africa. Valdecy Urquiza, Secretary General of Interpol, stated, "Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries." The operation highlights the continued threat of BEC, ransomware and online scams.

Tags: INTERPOL, Cybercrime, Law Enforcement, Africa, Ransomware, BEC, Online Scams

Categories: Cybercrime Investigation, International Cooperation, Cybersecurity Law Enforcement

Exploit Method: Ransomware, Business Email Compromise (BEC), Online Scams, Phishing

Involved Countries: Africa, United Kingdom

DaVita says ransomware gang stole data of nearly 2.7 million people

Published: 2025-08-22

Kidney dialysis firm DaVita confirmed a ransomware attack resulted in the theft of personal and health information of nearly 2.7 million individuals. The breach, discovered on April 12, involved attackers gaining access to DaVita's network on March 24 and exfiltrating data from its dialysis labs database. Stolen information included "a combination of personal (e.g., name, address, date of birth, and social security number), health insurance-related, and health (e.g., condition, treatment information, and dialysis lab test results) information." In some cases, tax identification numbers and images of personal checks were also compromised. While DaVita hasn't officially named the responsible party, the Interlock ransomware gang claimed responsibility in late April, leaking allegedly stolen data after negotiations failed. Interlock claimed to have stolen 1.5 terabytes of data. DaVita confirmed the legitimacy of some leaked files. A DaVita spokesperson stated, "Regrettably, we have determined that the threat actor gained unauthorized access to our labs database, which contained some patients’ sensitive personal information." DaVita is notifying affected individuals and offering complimentary credit monitoring. Interlock, known for targeting healthcare, has been linked to previous attacks involving ClickFix, NodeSnake RAT, and a recent claim against Kettering Health.

Tags: Ransomware, Data Breach, Healthcare, Interlock Ransomware, Personally Identifiable Information (PII), Health Information, Dark Web

Categories: Data Security, Incident Response, Ransomware Protection

Threat Actor: Interlock

Actor Aliases: ClickFix

Exploit Method: Ransomware and Data Exfiltration, NodeSnake Remote Access Trojan

MITRE ATT&CK TTP: Impact (TA0040): Data Encrypted for Impact (T1486); Discovery (TA0007): File and Directory Discovery (T1083); Initial Access (TA0001): Valid Accounts (T1078); Command and Control (TA0011): Ingress Tool Transfer (T1105); Initial Access (TA0001): Compromise (T1190)

Involved Countries: United States, United Kingdom

Affected Industries: Healthcare

New infosec products of the week: August 22, 2025

Published: 2025-08-22

This week saw several new cybersecurity product releases aimed at bolstering defenses against evolving threats. StackHawk released "LLM-Driven OpenAPI Specifications" which "analyzes source code repositories, extracts API details using homegrown LLMs, and produces accurate OpenAPI specifications automatically," empowering security teams to expand API testing coverage. Doppel introduced Simulation, a product designed to combat social engineering attacks using "autonomous AI phishing agents" to generate realistic, tailored scenarios. This helps organizations strengthen defenses against increasingly sophisticated phishing attempts. LastPass announced passkey support, offering users "a more secure way to log in across a variety of devices, browsers, and operating systems." Druva introduced DruAI Agents, built with Amazon Bedrock, to "interpret user intent, analyze data, and take meaningful action," moving enterprises towards agentic systems for enhanced cyber resilience. These new products from StackHawk, Doppel, LastPass, and Druva address critical areas of vulnerability, from API security and social engineering to password management and data resilience.

Tags: API Security, Social Engineering, Password Management, Data Security, LLM, AI Agents

Categories: Application Security, Vulnerability Management

Exploit Method: Social Engineering via AI Phishing

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Initial Access (TA0001): Valid Accounts (T1078)

Affected Industries: Information Technology

Microsoft: August Windows updates cause severe streaming issues

Published: 2025-08-22

Microsoft has confirmed that the August 2025 security updates are causing severe lag and stuttering issues with NDI streaming software on some Windows 10 and Windows 11 systems. According to Microsoft, "Severe stuttering, lag, and choppy audio/video might occur when using NDI (Network Device Interface) for streaming or transferring audio/video feeds between PCs after installing the August 2025 Windows security update." The issue impacts streaming apps, like OBS, especially when "Display Capture" is enabled. The problems stem from the KB5063878 and KB5063709 security updates for Windows 11 24H2 and Windows 10 21H2/22H2, respectively. The NDI team has confirmed that the updates cause NDI traffic to drop unexpectedly, with performance problems occurring "only with RUDP connections, while traffic sent or received using UDP or Single-TCP remains unaffected." A temporary workaround involves changing the NDI Receive Mode to use TCP or UDP instead of RUDP. Beyond the NDI issue, Microsoft has addressed other issues caused by the August updates, including WSUS update failures and broken Windows reset/recovery operations, and is investigating potential data corruption issues affecting SSDs and HDDs.

Tags: Microsoft, Windows Update, Streaming Issues, NDI (Network Device Interface), Bug Fixes, KB5063878, KB5063709, KB5063875, KB5063877

Categories: Vulnerability Management, Patch Management, Software Updates

Exploit Method: NDI Streaming Performance Degradation

Exploited Software: NDI (Network Device Interface)

Affected Industries: Software Development, Streaming Services

Interpol-led crackdown disrupts cybercrime networks in Africa that caused $485 million in losses

Published: 2025-08-22

Operation Serengeti 2.0, an Interpol-led crackdown across 18 African countries and the UK, has disrupted cybercrime networks causing an estimated $485 million in losses. The operation, which ran from June to August, resulted in the arrest of 1,209 alleged cybercriminals and the recovery of $97.4 million. Authorities also dismantled 11,432 pieces of malicious infrastructure and identified 87,858 victims. A significant bust in Zambia dismantled an online investment fraud scheme impacting at least 65,000 victims who lost approximately $300 million. In Angola, authorities dismantled 25 cryptocurrency mining centers. According to TRM Labs, who supported the operation, "In Ghana, investigators pursued leads tied to the Bl00dy ransomware group, a Conti spin-off that has targeted education, healthcare, and public sector victims," while investigators in Seychelles targeted infrastructure related to RansomHub. The operation also disrupted a suspected human trafficking network in Zambia and a transnational inheritance scam in Côte d’Ivoire that caused about $1.6 million in losses. According to Interpol Secretary General Valdecy Urquiza, “Each Interpol-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries.”

Tags: Interpol, Cybercrime, Ransomware, Online Scams, Business Email Compromise, Cryptocurrency, Financial Fraud

Categories: Law Enforcement, Cybercrime Investigation, International Cooperation

Threat Actor: Bl00dy

Actor Aliases: Conti spin-off

Exploit Method: Ransomware, Business Email Compromise (BEC), Online Scams, Cryptocurrency Mining Centers (Illicit)

MITRE ATT&CK TTP: Impact (TA0040): Data Encrypted for Impact (T1486); Initial Access (TA0001): Phishing (T1566)

Exploited Software: Bl00dy ransomware, RansomHub

Involved Countries: Angola, Ghana, Zambia, Seychelles, Côte d’Ivoire, United Kingdom

Affected Industries: Financial Services, Cryptocurrency, Education, Healthcare, Public Sector

Criminal background checker APCS faces data breach • The Register

Published: 2025-08-22

Access Personal Checking Services (APCS), a UK provider of criminal record checks, is grappling with a data breach originating from a cyberattack on Intradev, its third-party development company. According to *The Register*, APCS has begun notifying customers about the incident. Intradev's managing director, Steve Cheetham, confirmed the attack was detected on August 4th, stating, "This incident involved unauthorised malicious activity with our systems and is being treated as a significant IT incident." The nature of the attack remains under investigation, and Intradev has not confirmed or denied whether ransomware was involved. Cheetham noted, "During the incident, certain files were affected. We are continuing to investigate the nature of this activity and its potential impact. Attribution is not yet confirmed." Compromised data may include basic personal information, passport details, driving license information, and national insurance numbers, though APCS believes financial information was not accessed. The potential impact on individuals varies depending on the specific data provided. Intradev has reported the incident to the ICO and Action Fraud and is cooperating with authorities. The ICO has confirmed it is making inquiries into the matter.

Tags: Data Breach, Third-Party Risk, Personal Data, Intradev, APCS, Regulatory Reporting, Cyber Essentials

Categories: Data Protection, Incident Response, Vulnerability Management

Exploit Method: Unauthorized Malicious Activity

MITRE ATT&CK TTP: Initial Access (TA0001): Supply Chain Compromise (T1195); Impact (TA0040): Data Encrypted for Impact (T1486)

Exploited Software: Intradev's systems

Involved Countries: United Kingdom

Affected Industries: Criminal Record Check Services, Software Development, Healthcare, Financial Services

China-linked Murky Panda targets and moves laterally through cloud services

Published: 2025-08-22

CrowdStrike's 2025 Threat Hunting Report highlights a significant (136%) surge in cloud intrusions, with "China-nexus adversaries," including Murky Panda (aka Silk Typhoon), playing a key role. Active since at least 2023, Murky Panda targets government, technology, academia, legal, and professional services entities in North America, aiming to steal sensitive information. The group leverages n-day and zero-day vulnerabilities, like CVE-2023-3519 and CVE-2025-3928, and deploys webshells and custom malware (CloudedHope). A key tactic involves compromising cloud environments and exploiting trusted relationships. "In at least two cases analyzed by CrowdStrike, Murky Panda exploited zero-day vulnerabilities to achieve initial access to software-as-a-service (SaaS) providers’ cloud environments... enabling them to leverage their access to that software to move laterally to downstream customers." One incident involved a SaaS provider using Entra ID, where Murky Panda likely obtained the application registration secret to access downstream customers' emails. This incident resembles the February 2025 breach of Commvault’s Azure cloud environment. In another instance, Murky Panda compromised a Microsoft cloud solution provider to gain access to a downstream customer, creating a backdoor user with Application Administrator privileges and escalating their privileges to read emails and add secrets. CrowdStrike notes this trusted-relationship compromise is "relatively undermonitored" compared to other access vectors.

Tags: Murky Panda, Cloud Security, Zero-Day Vulnerabilities, Lateral Movement, Entra ID, Supply Chain Attack

Categories: Threat Intelligence, Cloud Security, Vulnerability Management

Threat Actor: Murky Panda

Actor Aliases: Silk Typhoon

Exploit Method: Compromised SaaS Application Registration Secret, Compromised Delegated Administrative Privileges (DAP)

Vulnerabilities: CVE-2023-3519, CVE-2025-3928

MITRE ATT&CK TTP: Initial Access (TA0001): Exploit Public-Facing Application (T1190); Command and Control (TA0011): Ingress Tool Transfer (T1105); Initial Access (TA0001): Trusted Relationship (T1199); Initial Access (TA0001): Valid Accounts (T1078); Initial Access (TA0001): Cloud Accounts (T1078.004)

Exploited Software: Citrix NetScaler ADC and Gateway, Commvault's backup platform, Entra ID, Microsoft Azure cloud environment, Microsoft cloud solution provider

Involved Countries: China, North America

Affected Industries: Government, Technology, Academia, Legal, Professional Services, Cloud Computing

CRITICAL Vulnerabilities (1)

CVE-2023-3519, CVSS: 9.8
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 90.96%, Percentile: 100%

HIGH Vulnerabilities (1)

CVE-2025-3928, CVSS: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 14.41%, Percentile: 94%

Five ways OSINT helps financial institutions to fight money laundering

Published: 2025-08-22

Financial institutions are increasingly turning to Open Source Intelligence (OSINT) tools to combat money laundering, as traditional methods prove insufficient. The article "Five ways OSINT helps financial institutions to fight money laundering" highlights how OSINT can "reveal complex networks and ownership structures" by mapping intricate corporate and criminal networks to unmask ultimate beneficial owners (UBOs). OSINT also enhances Know Your Customer (KYC) and due diligence processes, automating standard steps like "identifying company affiliations and performing an adverse media check." Furthermore, OSINT assists in spotting new laundering typologies like money muling and trade-based laundering, enabling earlier intervention. The article emphasizes that OSINT can "uncover richer intelligence for more detailed SARs" (Suspicious Activity Reports), improving collaboration with law enforcement. By accelerating investigations with structured, automated analysis of data from the surface, deep, and dark web, OSINT platforms boost efficiency. The article cites Barclays' £42 million fine for failing to adequately manage money laundering risks as an example of the consequences of inadequate information gathering, concluding that OSINT can "provide financial institutions with the external intelligence needed to transform their AML investigations."

Tags: OSINT, Money Laundering, KYC, Due Diligence, Financial Institutions, AML, Suspicious Activity Report

Categories: Cybersecurity Intelligence, Threat Intelligence, Financial Crime

Exploit Method: Money Muling via Social Media, Trade-Based Money Laundering

Affected Industries: Financial Services

Fake CAPTCHA tests trick users into running malware • The Register

Published: 2025-08-22

Microsoft's security team released a report detailing "ClickFix," a social engineering attack masquerading as a CAPTCHA. Instead of typical CAPTCHA challenges, ClickFix instructs users to open the Windows Run prompt and execute a command, effectively pasting and running attacker-controlled code. According to the report, "Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day." A notable instance involved a phishing campaign against Booking.com users. The technique bypasses conventional security measures because "ClickFix relies on human intervention to launch the malicious commands." The most common payload observed was Lumma Stealer, but other payloads include Xworm, AsyncRAT, NetSupport, and SectopRAT remote-access Trojans. One attack targeted Portuguese governmental, financial, and transportation organizations, attempting to deploy the Lampion info-stealer. While primarily targeting Windows, a macOS variant also exists, tricking users into running a bash script to steal login details and deploy malware. Microsoft recommends user education, email filtering, disabling Flash (despite it being defunct), and implementing PowerShell script block logging to defend against ClickFix.

Actor Aliases: Lumma Stealer, Xworm, AsyncRAT, NetSupport, SectopRAT, Latrodectus, MintsLoader, Lampion

Exploit Method: ClickFix Social Engineering

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Execution (TA0002): Exploitation for Client Execution (T1203); Defense Evasion (TA0005): Obfuscated Files or Information (T1027); Execution (TA0002): Command and Scripting Interpreter (T1059); Execution (TA0002): Windows Command Shell (T1059.003); Execution (TA0002): Scheduled Task/Job (T1053); Spearphishing Link (T1192)

Exploited Software: Lumma Stealer, Xworm, AsyncRAT, NetSupport, SectopRAT, Latrodectus, MintsLoader, Lampion, macOS

Involved Countries: Portugal

Affected Industries: Hospitality, Finance, Transportation, Government
