For suggestions, questions, bug reports, etc. please email or ping me on LinkedIn

infosec notes

I needed a better way to stay current with cybersecurity news and filter out the noise, so I created a tiny threat intel feed. The pipeline parses relevant content and leverages GenAI to help create the dataset that feeds this website. Rows with weak intelligence (those with no threat actor, aliases, exploit, vulnerabilities, or tpp fields present) are periodically removed so the feed is data-rich. As of 2/16/25, the dataset includes CVE severity information from CVEDetails with direct links to the relevant CVEs for more information.

SonicWall urges admins to patch VPN flaw exploited in attacks

Published: 2025-05-08

SonicWall issued an urgent warning to customers to patch three vulnerabilities (CVE-2025-32819, CVE-2025-32820, and CVE-2025-32821) affecting its Secure Mobile Access (SMA) 200, 210, 400, 410, and 500v appliances. Rapid7 researcher Ryan Emmons discovered these flaws, which, when chained, allow remote code execution as root. "An attacker with access to an SMA SSLVPN user account can chain these vulnerabilities to make a sensitive system directory writable, elevate their privileges to SMA administrator, and write an executable file to a system directory," explained Rapid7. This results in root-level remote code execution. The vulnerabilities are patched in firmware version 10.2.1.15-81sv and higher. SonicWall stated, "SonicWall strongly advises users...to upgrade." Rapid7 believes these vulnerabilities "may have been used in the wild," based on their incident response investigations. This follows previous warnings about other actively exploited vulnerabilities in SonicWall SMA appliances, including CVE-2023-44221, CVE-2024-38475, and CVE-2021-20035, highlighting the ongoing threat to users of these devices. The impact of successful exploitation could be complete system compromise and data breaches. SonicWall recommends enabling a web application firewall and multi-factor authentication as mitigating controls.

Tags: Vulnerability DisclosureRemote Code ExecutionVPN Security

Categories: Vulnerability ManagementIncident Response

Exploit Method: SMA SSLVPN Chain Exploit

Vulnerabilities: CVE-2025-32819 CVE-2025-32820 CVE-2025-32821 CVE-2023-44221 CVE-2024-38475 CVE-2021-20035

MITRE ATT&CK TTP: Initial Access (TA0001) Exploit Public-Facing Application (T1190) Privilege Escalation (TA0004) Exploitation for Privilege Escalation (T1068)

Exploited Software: SonicWall Secure Mobile Access (SMA) appliancesSonicWall Gen 6 and Gen 7 firewalls

Affected Industries: VPN Services

CRITICAL Vulnerabilities (1)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 92.94%    Percentile: 100%

HIGH Vulnerabilities (4)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 39.5%    Percentile: 97%

MEDIUM Vulnerabilities (1)

AV:N/AC:L/Au:S/C:N/I:N/A:C
EPSS: 22.43%    Percentile: 95%

Polish authorities arrested 4 people behind DDoS-for-hire platforms

Published: 2025-05-08

Polish authorities announced the arrest of four individuals responsible for operating DDoS-for-hire platforms. While the article doesn't name the individuals or specific victims of their attacks, it highlights the significant impact of DDoS-for-hire services. These platforms allow individuals or groups with limited technical expertise to launch Distributed Denial-of-Service attacks against targets for a fee, disrupting online services and causing financial losses. The arrests represent a positive step in combating this type of cybercrime, as stated in the article's title, "Polish authorities arrested 4 people behind DDoS-for-hire platforms." The scale of the operation and the potential impact on various organizations targeted by the DDoS attacks remain unclear, but the disruption caused by such attacks can be substantial, impacting businesses, critical infrastructure, and even government services. The arrests underscore the growing threat posed by easily accessible DDoS-for-hire services and the ongoing efforts by law enforcement to disrupt these criminal activities.

Threat Actor: NoName057(16)

Exploit Method: Bring Your Own Installer (BYOI)CSS Evasive PhishingSymbolic Link TrickDNS MX Record ExploitationViewState Code InjectionCuring RootkitCraft CMS Zero-Day ChainAiCloud Authentication BypassDDoS-for-hire Platforms

Vulnerabilities: CVE-2025-27363 CVE-2025-30406 CVE-2025-2825

MITRE ATT&CK TTP: Command and Control (TA0011) Proxy (T1090)

Exploited Software: GoVision

Involved Countries: Poland

HIGH Vulnerabilities (1)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/...
EPSS: 74.29%    Percentile: 99%

MirrorFace Targets Japan and Taiwan with ROAMINGMOUSE and Upgraded ANEL Malware

Published: 2025-05-08

MirrorFace, a China-aligned threat actor (also known as Earth Kasha and a sub-cluster of APT10), launched a cyber espionage campaign targeting government agencies and public institutions in Japan and Taiwan. Trend Micro detected this activity in March 2025, involving the spear-phishing delivery of an updated ANEL backdoor via a malicious Excel document and a dropper called ROAMINGMOUSE. Security researcher Hara Hiroaki noted, "The ANEL file...implemented a new command to support an execution of BOF (Beacon Object File) in memory," and that "This campaign also potentially leveraged SharpHide to launch the second stage backdoor NOOPDOOR." The attack chain uses a spear-phishing email containing a OneDrive link leading to a ZIP file with a macro-enabled ROAMINGMOUSE executable. ROAMINGMOUSE decodes and extracts components, including ANELLDR, which decrypts and launches the ANEL backdoor. Trend Micro explained that after installation, attackers "obtained screenshots using a backdoor command and examined the victim's environment." The campaign builds on previous activity, like Operation AkaiRyū (ESET's designation for an August 2024 ANEL attack on a EU diplomatic organization). The use of ROAMINGMOUSE, in-memory BOF execution, and SharpHide to deploy NOOPDOOR highlight the sophistication and evolving techniques employed by MirrorFace to steal information and advance strategic objectives. Hiroaki concludes, "Enterprises...should continue to be vigilant and implement proactive security measures."

Tags: Cyber EspionageMalwarePhishingAdvanced Persistent Threat (APT)China-aligned Hackers

Categories: Threat IntelligenceMalware AnalysisData Breach

Threat Actor: MirrorFaceEarth Kasha

Actor Aliases: Earth KashaHiddenFaceUPPERCUTNOOPDOORANELLDR

Exploit Method: Macro-enabled Excel document with malicious code (ROAMINGMOUSE)DLL Side-loading via Legitimate Executable (ANELLDR)In-memory Execution of Beacon Object Files (BOFs)

MITRE ATT&CK TTP: Spearphishing Attachment (T1193) Defense Evasion (TA0005) Deobfuscate/Decode Files or Information (T1140) Impact (TA0040) Data Encrypted for Impact (T1486) Execution (TA0002) Command and Scripting Interpreter (T1059) Discovery (TA0007) System Information Discovery (T1082)

Exploited Software: Microsoft OneDriveMicrosoft ExcelANEL (aka UPPERCUT)NOOPDOOR (aka HiddenFace)explorer.exe

Involved Countries: JapanTaiwanChina

Affected Industries: GovernmentPublic Institutions

Healthcare workers regularly upload sensitive data to GenAI, cloud accounts

Published: 2025-05-08

A new Netskope Threat Labs report reveals a significant cybersecurity risk within healthcare: employees frequently upload sensitive data to unauthorized websites and cloud services, including AI tools like ChatGPT and Gemini. Over the past year, 81% of healthcare data policy violations involved regulated health data, with 44% linked to generative AI use. Other sensitive data, such as source code and passwords, were also compromised. The report highlights that “personal healthcare data is subject to some of the most significant and stringent regulatory scrutiny. Violations can lead to regulatory investigations, legal action, and substantial fines,” warns Ray Canzanese, Director of Netskope’s Threat Labs, citing potential penalties up to €20 million under GDPR or $1.5 million per HIPAA violation. The prevalence of personal GenAI accounts in the workplace (71%, down from 87% last year) exacerbates the problem, hindering real-time threat detection. The report recommends implementing comprehensive data policies, DLP tools, and ZTNA, alongside organization-approved GenAI applications to mitigate risk. Real-time user coaching, alerting employees to risky actions, is also suggested, noting that 73% of employees across all industries refrain from risky actions after receiving such prompts.

Tags: Data BreachGenerative AI SecurityData Loss Prevention (DLP)HIPAAGDPR

Categories: Healthcare Data SecurityGenerative AI Risk Management

Exploit Method: Unauthorized Upload of Sensitive Data to Unsanctioned Services

MITRE ATT&CK TTP: Initial Access (TA0001) Cloud Accounts (T1078) Credential Access (TA0006) Unsecured Credentials (T1552)

Exploited Software: Microsoft OneDriveGoogle DriveChatGPTGemini

Affected Industries: Healthcare

Confusion Reigns as Threat Actors Exploit Samsung MagicInfo Flaw

Published: 2025-05-08

Threat actors are exploiting vulnerabilities in Samsung MagicInfo 9 Server, impacting versions 21.1050.0 and 21.1040.2. While initially believed to be exploiting the patched CVE-2024-7399 vulnerability, Huntress observed attacks even on systems with the latest patch (21.1050.0), suggesting a possible zero-day or a similar, unaddressed vulnerability. SSD Disclosure's research revealed vulnerabilities allowing "an unauthenticated user to upload a web shell and achieve remote code execution under the Apache Tomcat process." Arctic Wolf also detected exploitation attempts, initially attributed to CVE-2024-7399. Despite reporting to Samsung, SSD Disclosure released a proof-of-concept exploit after its 90-day disclosure window expired on April 30th. Samsung seemingly dismissed the new findings as a duplicate of the previously patched vulnerability. The impact affects numerous organizations utilizing Samsung's digital signage displays in various locations. Huntress notes, "It can only be concluded that the patch from August 2024 was either incomplete or for a separate, but similar, vulnerability," highlighting the lack of a currently available patch. Until a patch is released, administrators are strongly advised to air gap their MagicInfo 9 Server installations from the internet.

Tags: VulnerabilityZero-Day ExploitPatchingAir Gap

Categories: Software VulnerabilityIncident Response

Exploit Method: Unauthenticated Web Shell Upload and Remote Code Execution

Vulnerabilities: CVE-2024-7399

MITRE ATT&CK TTP: Initial Access (TA0001) Exploit Public-Facing Application (T1190)

Exploited Software: Samsung MagicInfo 9 Server

Affected Industries: Digital Signage

HIGH Vulnerabilities (1)

CVE-2024-7399CVSS: 8.8
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.23%    Percentile: 46%

Global cybersecurity readiness remains critically low

Published: 2025-05-08

Cisco's 2025 Cybersecurity Readiness Index reveals a critically low state of global cybersecurity preparedness, with only 4% of organizations achieving "mature" readiness. This represents a slight improvement from the previous year's 3%, but remains alarming. The report highlights the impact of AI, with 86% of organizations experiencing AI-related security incidents. A significant awareness gap exists, as only 49% of respondents are confident their employees understand AI-related threats. Cisco CPO Jeetu Patel notes, "As AI transforms the enterprise, we are dealing with an entirely new class of risks." The proliferation of generative AI (GenAI) tools exacerbates the problem; 51% of employees use approved third-party GenAI tools, yet 22% have unrestricted access to public GenAI, leaving 60% of IT teams unaware. This "shadow AI" poses significant risks. Further complicating matters, 49% of organizations suffered cyberattacks last year, hampered by complex security frameworks with multiple point solutions. Looking ahead, 71% of respondents anticipate business disruptions from cyber incidents within the next two years. The report emphasizes the need for increased investment in cybersecurity, simplified security infrastructures, and addressing the shortage of skilled professionals, noting that 86% identify this as a major challenge.

Tags: AI in CybersecurityCybersecurity ReadinessThreat LandscapeCybersecurity Investment

Categories: Cybersecurity Threats and VulnerabilitiesCybersecurity Solutions and Strategies

Threat Actor: State-Affiliated Groups

Exploit Method: Unauthorized GenAI Tool AccessUnmanaged Devices in Hybrid Work Models

How agentic AI and non-human identities are transforming cybersecurity

Published: 2025-05-08

Robert Kraczek, Global Strategist at One Identity, highlights the increasing challenge of managing non-human identities (NHIs), which now outnumber human users in many enterprises by a factor of 10 to 92. He notes that "cyberattacks have been started via non-human identities as diverse as the retail HVAC units (Target breach) or a fish tank thermostat (breach at an American casino)." The article emphasizes the need for robust zero-trust policies, but acknowledges the difficulty of implementing these consistently, especially with privileged users. Past incidents, such as the Florida water treatment plant attack involving a compromised SCADA system and a shared password, underscore the risks of insufficient privileged access management. Kraczek advocates for using agentic AI and machine learning to manage NHIs, creating a faster, more consistent response system to security threats. "An agentic AI handling the access removal and restoration process cannot be bullied into bending the rules," he states. This approach, combined with robotic process automation (RPA) for tasks like password resets, can improve efficiency and security. A large financial institution's successful use of RPA for automated password controls is cited as an example. The article concludes by envisioning an "Identity Fabric," leveraging AI to monitor and dynamically adapt access based on user and NHI behavior, offering a more streamlined and secure identity management system, capable of mitigating insider threats and detecting attacks earlier. The use of AI, however, needs to be carefully managed to avoid adversarial exploitation.

Tags: Zero TrustAI in CybersecurityNon-Human Identities (NHIs)Privileged Access Management (PAM)Robotic Process Automation (RPA)

Categories: Identity and Access Management (IAM)Artificial Intelligence (AI) in Security

Exploit Method: Shared Password Exploit on SCADA SystemSpear Phishing and Whaling Attacks on Privileged IdentitiesExploit of Retail HVAC Units (Target Breach) and Fish Tank Thermostat (Casino Breach)

MITRE ATT&CK TTP: Spearphishing Attachment (T1193) Initial Access (TA0001) Valid Accounts (T1078) Credential Access (TA0006) Unsecured Credentials (T1552) Lateral Movement (TA0008) Exploitation of Remote Services (T1210)

Exploited Software: SCADA systemHVAC units (Target breach)Fish tank thermostat (casino breach)

Involved Countries: USAFlorida

Affected Industries: RetailCasinoWater TreatmentFinance

U.S. CISA adds GoVision device flaws to its Known Exploited Vulnerabilities catalog

Published: 2025-05-08

The Cybersecurity and Infrastructure Security Agency (CISA) recently added flaws affecting GoVision devices to its Known Exploited Vulnerabilities catalog. This follows a series of other additions, including vulnerabilities in FreeType, Langflow, Yii Framework, Commvault Command Center, SonicWall SMA100, Apache HTTP Server, Qualitia Active! Mail, Broadcom Brocade Fabric OS, and others. These additions highlight the ongoing exploitation of these vulnerabilities, urging immediate patching. The article also mentions several significant cyber incidents. Polish authorities apprehended four individuals operating DDoS-for-hire platforms. A ransomware affiliate leveraged a zero-day exploit to deploy malware. The NSO Group faced a $167 million judgment in favor of WhatsApp for attacks on its users. Kelly Benefits experienced a data breach impacting over 400,000 individuals, while a hacker stole data from TeleMessage, a supplier of modified Signal versions to the U.S. government. Multiple other organizations suffered attacks, including Harrods, Nova Scotia Power and Emera, and possibly Sam's Club (allegedly by Cl0p ransomware). The impact of these incidents ranges from financial losses to reputational damage and data exposure, underscoring the critical need for proactive cybersecurity measures. The article emphasizes the persistent threat from various actors, including nation-state actors and financially motivated cybercriminals, targeting diverse sectors like energy, telecoms, and healthcare.

Threat Actor: Rhysida Ransomware gang

Exploit Method: Bring Your Own Installer (BYOI) techniqueASUS AiCloud auth bypass exploitCSS evasive phishing messages

Vulnerabilities: CVE-2025-27363 CVE-2025-31324 CVE-2025-30406 CVE-2025-2825

MITRE ATT&CK TTP: Initial Access (TA0001) Exploit Public-Facing Application (T1190)

Exploited Software: AndroidSonicWall SMA100SAP NetWeaverFreeTypeGladinet CVE-2025-30406Apache ParquetCrushFTP CVE-2025-2825Cisco Smart Licensing UtilityVMware ESXiIvanti Connect SecureApple ProductsMicrosoft WindowsApache TomcatFortinet FortiOSGoogle ChromeCitrix NetScalerVMware vCenter ServerZyxel CPE SeriesApache OFBizLinux KernelMicrosoft ExchangeWordPress

CRITICAL Vulnerabilities (3)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 54.28%    Percentile: 98%
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 70.43%    Percentile: 99%

HIGH Vulnerabilities (1)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/...
EPSS: 74.29%    Percentile: 99%

Cisco Patches 35 Vulnerabilities Across Several Products

Published: 2025-05-08

Cisco released patches for 35 vulnerabilities across several products on May 8, 2025. The most critical, CVE-2025-20188 (CVSS score 10/10), is an arbitrary file upload flaw in IOS XE's Out-of-Band Access Point image download feature. As Cisco explains, "A successful exploit could allow the attacker to upload files, perform path traversal, and execute arbitrary commands with root privileges." This vulnerability, while remotely exploitable without authentication, is only active if the Out-of-Band AP image download feature is enabled (disabled by default). The semiannual IOS and IOS XE security advisory bundle also addressed 16 high-severity bugs, including command injection (CVE-2025-20186), privilege escalation (CVE-2025-20164), and multiple denial-of-service (DoS) vulnerabilities (CVE-2025-20154, CVE-2025-20182, and CVE-2025-20162). High-severity flaws in Catalyst Center and Catalyst SD-WAN Manager were also patched. While Cisco is unaware of any in-the-wild exploitation, proof-of-concept code exists for two medium-severity issues (CVE-2025-20221 and CVE-2025-20147). The company also updated its advisory on CVE-2025-32433 (CVSS score 10), a critical Erlang/OTP SSH vulnerability allowing remote code execution. No victims were named in the article.

Tags: Vulnerability DisclosurePatch ManagementRemote Code Execution (RCE)Denial of Service (DoS)

Categories: Software Vulnerability ManagementNetwork Security

Vulnerabilities: CVE-2025-20188 CVE-2025-20186 CVE-2025-20164 CVE-2025-20154 CVE-2025-20182 CVE-2025-20162 CVE-2025-20221 CVE-2025-20147 CVE-2025-32433

MITRE ATT&CK TTP: Initial Access (TA0001) Exploit Public-Facing Application (T1190) Execution (TA0002) Command and Scripting Interpreter (T1059) Privilege Escalation (TA0004) Exploitation for Privilege Escalation (T1068)

Exploited Software: Cisco IOS XECisco IOSCisco IOS XE SD-WANCatalyst SD-WAN ManagerErlang/OTP SSH

Involved Countries: Myanmar

Affected Industries: Oil and GasTelecommunications/Networking

CRITICAL Vulnerabilities (2)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS: 55.54%    Percentile: 98%

HIGH Vulnerabilities (5)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
EPSS: 0%    Percentile: 0%

MEDIUM Vulnerabilities (2)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0%    Percentile: 0%
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0%    Percentile: 0%

Even the best safeguards can't stop LLMs from being fooled

Published: 2025-05-08

Associate Professor Michael Pound of the University of Nottingham highlights significant cybersecurity risks associated with Large Language Models (LLMs) in a Help Net Security interview. He notes that many security professionals lack understanding of LLM's underlying machine learning, leading to poorly designed systems vulnerable to manipulation. Pound emphasizes that LLMs are "probabilistic," meaning their outputs are not always reliable, even with "AI safeguards" touted by vendors, which only reduce, not eliminate, the risk of malicious prompts. He warns that "Many end users don’t realise that the queries they put into these models are uploaded to the cloud," potentially exposing sensitive data. Organizations commonly make mistakes by failing to control data input into LLMs, similar to the risks of SQL injection but far more challenging to mitigate. Pound explains, "With traditional code you could control for this…but with LLMs it can be easy to write valid prompts that circumvent safeguards." The ability of LLMs to access external tools and APIs further increases the risk of data exfiltration. Effective defenses are limited; "Most attempts to train models to avoid malicious prompts only last for a short time." Pound recommends employing principles like least privilege and role-based access control, utilizing frameworks like Haystack, LangChain, and Llama-Index, and regularly testing LLMs against adversarial inputs. He concludes that the integration of LLMs into systems requires a fundamental shift in software development approaches, predicting future breaches caused by unexpected prompts.

Tags: LLM_Security_RisksData_ExfiltrationAdversarial_AttacksLLM_Prompt_Engineering

Categories: LLM_Security_Best_PracticesRisk_Assessment_and_Mitigation

Exploit Method: Prompt InjectionData Exfiltration via LLM access to tools and APIs

MITRE ATT&CK TTP: Initial Access (TA0001) Cloud Accounts (T1078) Credential Access (TA0006) Unsecured Credentials (T1552) Collection (TA0009) Input Capture (T1056) Initial Access (TA0001) External Remote Services (T1133)

Exploited Software: LLMs (Large Language Models)Productivity apps (email, calendar)

Page 1 of 50
Showing articles 1 to 10 of 500 newest articles