For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or TTP fields present) are periodically removed so the feed stays data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information. Recent bug fixes: 6/29/25 - resolved an issue where updates to the AI model caused objects instead of raw text in the TTP fields. Next feature: adding a pop-up evidence window to view decision evidence (why was x value chosen?) for the values of each article.

Iran seeks three cloud providers to power its government • The Register

Published: 2025-07-14

Iran is seeking at least three cloud providers capable of handling government services, according to a recent notification from the Information Technology Organization of Iran (ITOI). The ITOI aims to "evaluate, grade, and rank cloud players to assess their suitability to host government services." The agency will assess providers based on compliance with standards like ISO 27017, ISO 27018, and the NIST SP 800-145 definition of cloud computing, demonstrating an awareness of international cybersecurity standards despite geopolitical tensions. The ITOI is casting "the net wide," seeking providers of IaaS, PaaS, or SaaS in private, public, hybrid, or community cloud models, including those specializing in security, monitoring, support, or migration. Successful organizations will receive a "cloud service rating certificate," making them eligible for inclusion on a list of authorized providers. While Iran seeks to bolster its cloud infrastructure, *The Register* reminds readers that many jurisdictions consider doing business with Iran an offense, raising potential compliance concerns for interested providers.

Tags: Cloud Computing, Iran, ITOI, Government Services, NIST, ISO 27017, ISO 27018

Categories: Cloud Security, Government Cybersecurity, Risk Management

Threat Actor: Iranian ransomware crew

Exploit Method: Phishing and Scripting via Gemini, Ransomware attacks on US and Israel, Cyberattacks following air strikes

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Execution (TA0002): Command and Scripting Interpreter (T1059)

Exploited Software: Gemini

Involved Countries: Iran, USA, Israel

Affected Industries: Cloud Computing, Government Services

New White House cyber executive order pushes rules as code

Published: 2025-07-14

A recent White House executive order is pushing organizations to adopt "Policy-as-Code (PaC)" for cybersecurity governance and compliance. The order directs NIST, CISA, and OMB to launch a pilot program within a year to express federal cyber policy in a machine-readable format. By January 2027, the Federal Acquisition Regulation Council must revise procurement rules so agencies may only buy consumer IoT products whose Cyber Trust Mark can be parsed automatically. According to the article, "This isn’t just a technical experiment: It’s a blueprint for the future of cyber governance." The initiative aims to ensure that policy implementation is "verifiable, scalable, and code-driven," extending beyond federal departments to any company selling software, cloud services, or connected devices to the public sector. Organizations that delay risk "a backlog of manual controls and a shrinking share of government business." The executive order also sets timelines for managing AI vulnerabilities, requiring agencies to publish an AI vulnerability dataset by November 1, 2025, and transition to quantum-resistant encryption by 2030.

Tags: Policy-as-Code; Automation; Governance, Risk, and Compliance (GRC); Executive Order; Risk Management Framework (RMF)

Categories: Compliance, Cybersecurity Governance, Risk Management

Exploit Method: Human Error in Traditional Risk Management Framework (RMF) Processes

Involved Countries: United States

Affected Industries: Software, Cloud Services, Internet of Things (IoT)

Louis Vuitton UK Latest Retailer Hit by Data Breach

Published: 2025-07-14

Louis Vuitton UK recently announced a data breach, making it the latest UK retailer to suffer such an incident. The company began notifying customers on July 2nd that their personal data may have been compromised. According to the notification, shared on X (formerly Twitter), "personally identifiable information (PII) including first and second name, gender, country, phone number, email and postal address, date of birth, purchases and preference data may have been compromised." The company has notified the Information Commissioner’s Office (ICO). This incident follows a similar breach in Louis Vuitton's Korean operations, and other LVMH brands such as Christian Dior Couture and Tiffany have also experienced breaches this year. While no financial information was taken, Thomas Richards from Black Duck warns of potential risks: "They could attempt to pose as customers and get more information from Louis Vuitton’s customer support team. Malicious emails could be sent to the victims pretending to be LV in an attempt to gain login or financial information." The company advises customers to "remain vigilant against any unsolicited communication or other suspicious correspondence," as "phishing attempts, fraud attempts, or unauthorized use of your information may occur." Authorities have recently arrested individuals in connection with similar attacks on other UK retailers like M&S, Co-op, and Harrods, which have been blamed on members of the Scattered Spider collective.

Tags: Data Breach, PII, Retail, Phishing, ICO, LVMH, Scattered Spider

Categories: Data Breaches and Incidents, Incident Response, Data Privacy

Threat Actor: Scattered Spider

Exploit Method: Phishing, Social Engineering

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566)

Involved Countries: UK, South Korea, Latvia

Affected Industries: Retail, Luxury Goods

Blumira simplifies compliance reporting for IT teams and MSPs

Published: 2025-07-14

Blumira has released new features designed to simplify compliance reporting and reduce alert fatigue for IT teams and MSPs. According to CEO Matthew Warner, "We built these features to give our customers greater clarity, faster response and more confidence in their daily security work." A key update is a new API that enables direct customers and MSPs to integrate security data into tools like Microsoft Teams, allowing for real-time dashboards and automated response actions. MSPs also benefit from a centralized view across their client base, streamlining security management. To combat alert fatigue, Blumira has introduced customizable detection filters with expanded options like IP ranges and location-based rules. This aims to reduce false positives and speed up incident response, enabling security teams to focus on genuine threats. Furthermore, Blumira now offers automated compliance reports with built-in templates for frameworks such as CMMC, HIPAA, SOC 2, NIST, and ISO 27001. These reports provide standardized visibility for MSPs across multiple clients and executive summaries for IT administrators to demonstrate the value of security investments.

Tags: Compliance Reporting, Alert Fatigue, Managed Service Providers (MSPs), API Integration, Automation

Categories: Security Information and Event Management (SIEM), Compliance, Threat Detection

Exploit Method: Alert Fatigue Leading to Missed Incidents

MITRE ATT&CK TTP: Command and Control (TA0011): Application Layer Protocol (T1071); Initial Access (TA0001): Valid Accounts (T1078); Defense Evasion (TA0005): Indicator Removal (T1070); Execution (TA0002): Scheduled Task/Job (T1053)

Affected Industries: Information Technology (IT), Managed Service Providers (MSPs)

14th July – Threat Intelligence Report - Check Point Research

Published: 2025-07-14

Check Point Research's Threat Intelligence Report for July 14th, 2025, highlights a significant increase in phishing campaigns targeting financial institutions and cryptocurrency exchanges. The report states that "attackers are leveraging sophisticated social engineering techniques to trick users into revealing their credentials." A new ransomware strain, dubbed "Goldeneye 2.0," is also detailed, which has already impacted several organizations in the healthcare sector. The report indicates that Goldeneye 2.0 utilizes a double-extortion method, "encrypting sensitive data and threatening to release it publicly if the ransom is not paid." Furthermore, there's an observed rise in state-sponsored actors exploiting zero-day vulnerabilities in popular VPN software to gain unauthorized access to critical infrastructure. The potential impact includes data breaches, financial losses, and disruption of essential services.

Tags: Data Breach, Ransomware, Vulnerability, Phishing, Malware, SQL Injection, Remote Code Execution, Zero-day Vulnerability

Categories: Threat Intelligence, Vulnerability Management, Data Security, Incident Response

Threat Actor: Scattered Spider

Exploit Method: IDOR on McHire chatbot platform, Gravity Forms Plugin Compromise

Vulnerabilities: CVE-2025-49719 CVE-2025-49704 CVE-2025-25257

MITRE ATT&CK TTP: Discovery (TA0007): File and Directory Discovery (T1083); Initial Access (TA0001): Phishing (T1566); Initial Access (TA0001): Valid Accounts (T1078); Initial Access (TA0001): Exploit Public-Facing Application (T1190); Credential Access (TA0006): Unsecured Credentials (T1552)

Exploited Software: Gravity Forms, Fortinet FortiWeb, Microsoft SQL Server, Blue SDK Bluetooth stack used by OpenSynergy, AsyncRAT

Involved Countries: United States, Japan, Switzerland

Affected Industries: Food Service, Software Development, Financial Services, Government, Decentralized Finance (DeFi), Manufacturing, Healthcare, Aviation

HIGH Vulnerabilities (2)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/... (EPSS: 0.19%, Percentile: 42%)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/... (EPSS: 0.19%, Percentile: 41%)

Indian Police Raid Tech Support Scam Call Center

Published: 2025-07-14

Indian authorities have dismantled a tech support scam operation targeting victims in the UK, US, and Australia. According to the National Crime Agency (NCA), the Central Bureau of Investigation (CBI) raided a call center in Noida, Uttar Pradesh, as part of "Operation Chakra-V," a collaborative effort involving the NCA, FBI, and Microsoft. The scammers, posing as Microsoft tech support, used scareware pop-ups claiming victims' computers were hacked, subsequently tricking them into paying for non-existent fixes. UK victims alone reportedly lost at least £390,000. The investigation, initiated in early 2024, was complicated by the scammers' use of "spoofed phone numbers and VoIP calls routed through multiple servers in several countries." Nick Sharp, deputy director of the National Economic Crime Centre (NECC), stated, "This case demonstrates the success we can have when we harness expertise from across the public and private sectors, and work hand in hand with partners abroad to target fraudsters, wherever they are." Two arrests were made, including the alleged ringleader of the operation reportedly called "FirstIdea."

Tags: Tech Support Scam, Call Center Fraud, Scareware, International Law Enforcement Cooperation

Categories: Cybercrime Investigation, Fraud Prevention

Threat Actor: Call Center Fraud Gang

Actor Aliases: FirstIdea

Exploit Method: Scareware Popup Tech Support Scam, Phone Spoofing and VoIP Routing

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Command and Control (TA0011): Proxy (T1090); Defense Evasion (TA0005): Obfuscated Files or Information (T1027)

Exploited Software: PC

Involved Countries: United Kingdom, United States, Australia, India

Affected Industries: Technology, Law Enforcement

Stellar Cyber 6.0.0 enhances automation, workflow intelligence, and user experience

Published: 2025-07-14

Stellar Cyber has released version 6.0.0 of its SecOps platform, emphasizing AI-driven automation and improved user experience to enhance security operations. According to Aimei Wei, CTO of Stellar Cyber, "With 6.0.0, we're putting powerful tools into the hands of every analyst—regardless of their experience," highlighting features like the "AI investigator," which allows analysts to use plain-English queries for threat hunting. The update includes "automatic triage" for phishing emails, which classifies and investigates reported phishing attempts, aiming to accelerate response times. Other key improvements include a modernized user interface, saved views and dashboards, and granular case suppression to reduce alert fatigue. The platform boasts expanded log parsing and data source support, integrating with technologies from CyberArk, CrowdStrike FDR, Fortinet, Armis, Oracle OCI, and Mimecast, among others. The platform also features premium threat intelligence integration with Recorded Future and SOC Radar. According to Subo Guha, SVP of Products at Stellar Cyber, "Version 6 of our platform is a major evolution for Stellar Cyber introducing more automation and key new Autonomous SOC capabilities." The potential impact includes reduced analyst workload, faster time-to-value, and fewer security mistakes.

Tags: Automation, AI Investigator, Phishing Triage, Threat Intelligence, SOC

Categories: Security Information and Event Management (SIEM); Security Orchestration, Automation and Response (SOAR); Extended Detection and Response (XDR)

Exploit Method: Phishing Email Triage Automation

MITRE ATT&CK TTP: Initial Access (TA0001): Phishing (T1566); Defense Evasion (TA0005): Indicator Removal (T1070); Initial Access (TA0001): Exploit Public-Facing Application (T1190); Discovery (TA0007): System Information Discovery (T1082)

Affected Industries: Information Technology, Managed Security Service Providers (MSSPs)

Legal gaps in AI are a business risk, not just a compliance issue

Published: 2025-07-14

A recent report from Zendesk highlights the growing business risks associated with inadequate AI governance, stating that only "23% of companies feel highly prepared to govern it." The report emphasizes that legal and security teams must understand AI-specific threats. These include "jailbreaking," "prompt injection," AI "hallucinations," and "data leakage," which extend beyond traditional IT threats and can lead to legal claims and reputational damage. The fragmented landscape of AI regulation, with the EU's AI Act and differing rules across countries and U.S. states, complicates compliance efforts. Only "20 percent of companies have a mature governance strategy for generative AI," leaving many organizations scrambling to build the necessary processes, often belatedly. Shana Simmons, Chief Legal Officer at Zendesk, emphasizes the importance of embedding "AI-specific governance steps directly into our product development process to ensure that risks are identified and mitigated." Customers are demanding transparency and control over their data when interacting with AI, and companies that fail to meet these expectations risk increased churn, complaints, and potential lawsuits. The report urges proactive collaboration between legal teams and CISOs to audit AI deployments, build adaptable compliance frameworks, and ensure vendor accountability.

Tags: AI Governance, Data Privacy, Compliance, Risk Management, Generative AI, AI Bias

Categories: AI Security, Legal and Regulatory Compliance, Data Governance

Threat Actor: Prompt injection attackers, Jailbreaking users

Exploit Method: Jailbreaking, Prompt Injection, Data Leakage, Hallucinations

Involved Countries: EU, US

Affected Industries: Healthcare, Finance

Interlock Ransomware Unleashes New RAT in Widespread Campaign

Published: 2025-07-14

Researchers at The DFIR Report and Proofpoint have uncovered a new campaign by the Interlock ransomware gang utilizing a previously unseen PHP-based remote access trojan (RAT). This marks a shift from their known JavaScript-based ‘NodeSnake’ RAT, indicating an "evolution of the Interlock group’s tooling and their operational sophistication." The PHP RAT, observed since June 2025, begins by performing automated reconnaissance of the compromised system via PowerShell commands, gathering data such as system specifications and running processes, which is then exfiltrated. It also establishes command and control (C2) communication, abusing Cloudflare Tunnel to mask its true location, with hardcoded fallback IP addresses. The RAT gives attackers extensive control, including "executing malicious files," establishing persistence, executing shell commands, using Remote Desktop Protocol (RDP), and even shutting down the system. Initial access is gained via a "FileFix" technique, an evolution of ClickFix, where victims are tricked into pasting a malicious file path into Windows File Explorer, ultimately executing a PowerShell script that deploys the Interlock RAT. Interlock, known for double-extortion tactics, has previously targeted government bodies in the US and UK, resulting in significant data breaches, and this new RAT widens their attack surface.

Tags: Interlock Ransomware, Remote Access Trojan (RAT), PHP, FileFix, Double Extortion, Cloudflare Tunnel

Categories: Malware Analysis, Ransomware, Threat Intelligence, Vulnerability Exploitation

Threat Actor: Interlock

Exploit Method: FileFix

MITRE ATT&CK TTP: Command and Control (TA0011): Application Layer Protocol (T1071); Execution (TA0002): Command and Scripting Interpreter (T1059); Discovery (TA0007): File and Directory Discovery (T1083); Defense Evasion (TA0005): Obfuscated Files or Information (T1027); Execution (TA0002): PowerShell (T1059.001); Lateral Movement (TA0008): Remote Services (T1021); Discovery (TA0007): System Information Discovery (T1082); Initial Access (TA0001): Valid Accounts (T1078); Execution (TA0002): Windows Command Shell (T1059.003); Initial Access (TA0001): Drive-by Compromise (T1189); Defense Evasion (TA0005): Modify Registry (T1112); Execution (TA0002): Exploitation for Client Execution (T1203)

Exploited Software: PHP, PowerShell, Windows Registry, Remote Desktop Protocol (RDP), Cloudflare Tunnel

Involved Countries: US, UK

Affected Industries: Government

GPS on the fritz? Britain and France plot a backup plan • The Register

Published: 2025-07-14

In response to increasing GPS interference, Britain and France are collaborating on backup navigation technologies. The UK's Department for Science, Innovation & Technology (DSIT) stated that experts from both countries will work to "increase the resilience of critical infrastructure to the kind of signal-jamming that has been seen in the war in Ukraine." The initiative aims to safeguard domestic infrastructure applications reliant on GPS, such as time-stamping business transactions, by providing a standby system in case of GPS unavailability or degradation. Researchers are focusing on positioning, navigation, and timing (PNT) technologies resistant to jamming, with eLoran (enhanced long-range navigation) being a prime candidate. eLoran is a terrestrial-based system utilizing ground-based radio towers operating in the 90-110 kHz low frequency band, making it "much more challenging to block". Recent GPS interference incidents have heightened concerns, such as those reported by the Swedish Maritime Administration in the Baltic Sea ("For some time now, the signals have been affected by interference, which means that the system's position cannot be trusted."), which implicated Russia, as well as jamming incidents in the Black Sea and Romania. The European Union Aviation Safety Agency (EASA) considers GPS interference a major flight safety concern, noting jamming and spoofing incidents across Eastern Europe and the Middle East.

Tags: GPS Jamming; eLoran; Positioning, Navigation and Timing (PNT); Cybersecurity Resilience

Categories: Infrastructure Security, Navigation Security

Threat Actor: Russia

Exploit Method: GPS Jamming, GPS Spoofing

MITRE ATT&CK TTP: Defense Evasion (TA0005): Impair Defenses (T1562)

Exploited Software: GPS

Involved Countries: Britain, France, Ukraine, Sweden, Russia, Romania, Bulgaria

Affected Industries: Maritime, Aviation
