DFIR, deception, detection. Posts I wrote, intel my pipeline summarized, and redacted writeups from the fleet.
Attackers are increasingly targeting CI/CD pipelines to harvest secrets and pivot to production environments using techniques like workflow modification and privileged trigger exploitation. Elastic has released an open-source tool, cicd-abuse-detector, which leverages regex-based signal extraction and LLM analysis to detect suspicious pipeline changes during the pull request phase.
VECT 2.0 is a cross-platform (Windows, Linux, ESXi) Ransomware-as-a-Service that effectively functions as a wiper due to a critical cryptographic implementation flaw. Files larger than 128 KB are encrypted in chunks using raw ChaCha20-IETF, but the malware fails to save the required nonces for the first three chunks, rendering full data recovery impossible even if the ransom is paid.
The article highlights the critical role of money mule accounts in Authorized Push Payment (APP) fraud and scams, which bypass traditional breach-based detection by manipulating victims into authorizing payments. It advocates for an intelligence-led approach, utilizing agentic personas to proactively identify and verify mule accounts before fraudulent transactions occur, thereby mitigating financial losses and addressing growing regulatory pressures.
A recent Akamai study reveals that API security incidents are escalating, exacerbated by the rapid adoption of AI technologies like LLMs. Organizations are struggling with API visibility and governance, leading to increased susceptibility to BOLA attacks, business logic abuse, and prompt injection, which bypass traditional WAFs and result in significant financial losses.
Threat actors are increasingly leveraging phishing campaigns to deliver legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect and LogMeIn Rescue, bypassing traditional malware defenses. These attacks often utilize compromised domains, SEO injection, and VBS scripts to weaken endpoint controls (e.g., SmartScreen, Defender) before silently installing the RMM payload, creating significant visibility gaps for SOC teams.
North Korean state-sponsored actors, including Lazarus and TraderTraitor, are highly motivated to access advanced AI models to accelerate their labor-intensive cryptocurrency heists. The primary attack vectors are not direct breaches of AI cryptographic perimeters, but rather supply chain compromises, fraudulent hiring of DPRK IT workers, and third-party contractor misuse.
The Cisco Talos Year in Review highlights a shifting threat landscape where attackers leverage AI and rapid exploit development to target identity infrastructure and exposed vulnerabilities. Defenders are urged to prioritize identity protection, remediate internet-facing vulnerabilities, address legacy system risks, secure trust-brokering platforms, and focus on behavioral anomaly detection to identify post-compromise activity.
The Canadian Centre for Cyber Security released a daily digest highlighting recent security advisories from SmarterTools, Zyxel, Citrix, and Mozilla. Notably, Zyxel addressed command injection vulnerabilities across various networking devices, while the other vendors released standard security updates for their respective software products.
CrowdStrike has expanded its Falcon Shield integration with ChatGPT Enterprise to deliver enhanced audit logging and continuous activity monitoring. This update shifts the focus from basic configuration awareness to operational visibility, enabling security teams to track authentication, administrative changes, Codex events, and AI tool usage to enforce governance and detect threats in SaaS environments.
CISA has added CVE-2024-1708 (ConnectWise ScreenConnect Path Traversal Vulnerability) and CVE-2026-32202 (Microsoft Windows Protection Mechanism Failure Vulnerability) to the Known Exploited Vulnerabilities (KEV) Catalog due to evidence of active exploitation. Organizations are strongly urged to prioritize patching these systems to mitigate significant risks to their enterprise environments.
The GlassWorm threat campaign has escalated its supply chain attacks on the Open VSX marketplace by publishing 73 impersonation 'sleeper' extensions. These extensions initially contain no malicious code to bypass security scans, but are later updated to act as thin loaders that retrieve and execute secondary .vsix payloads from GitHub releases using bundled native binaries or obfuscated JavaScript.
This article provides a comprehensive overview of Multi-Factor Authentication (MFA), detailing its core mechanisms across knowledge, possession, and inherence factors. It highlights the security advantages of hardware keys and authenticator apps over SMS-based methods due to risks like SIM swapping, and outlines strategic implementation practices for organizations to mitigate credential theft and account takeover risks.
This article outlines foundational cybersecurity hygiene practices recommended by the Huntress SOC to reduce organizational attack surfaces. Key recommendations include enforcing MFA, securing or disabling exposed RDP, implementing strict access controls, and monitoring for behavioral indicators of compromise such as defense evasion, domain enumeration, and privilege escalation.
Huntress details the operational benefits of unifying EDR and ITDR to combat infostealers and rapid credential abuse. A highlighted incident demonstrates a ClickFix social engineering attack leveraging WebDAV and rundll32.exe to execute a remote payload, which was mitigated by automatically isolating the host and revoking associated Microsoft 365 identity sessions.
The Canadian Centre for Cyber Security released a daily digest of nine security advisories covering critical vulnerabilities across enterprise software, Linux kernels, and industrial control systems (ICS). Organizations are urged to apply patches for affected products from vendors including IBM, Dell, Ubuntu, Red Hat, Moxa, VMware, Notepad++, and Microsoft to prevent potential exploitation.
Arctic Wolf Labs identified a highly targeted campaign by the DPRK-nexus threat actor BlueNoroff against the Web3 sector. The attackers utilize sophisticated social engineering, including AI-generated deepfakes and stolen webcam footage, to lure victims into fake Zoom or Teams meetings. Once engaged, a ClickFix clipboard injection attack deploys a fileless PowerShell C2 implant, leading to the theft of cryptocurrency wallets, browser credentials, and Telegram sessions.
A Huntress engineer encountered a malvertising campaign via a Google sponsored search result for 'Claude Code'. The malicious link delivered a multi-stage macOS malware utilizing base64 encoding, gzip compression, and obfuscated AppleScript to bypass Gatekeeper and attempt extraction of Claude Code credentials from the macOS keychain.
Elastic's InfoSec team details a scalable architecture for monitoring AI coding assistants, specifically Claude Code and Cowork, using OpenTelemetry and Elasticsearch. The solution provides security teams with critical visibility into AI agent activities, including shell command execution, file access, and internal API interactions, enabling advanced threat detection, incident response, and EDR correlation.
Socket.dev has launched an experimental PHP reachability analysis tool designed to reduce vulnerability alert fatigue. By performing deep static analysis of function-level call graphs, including complex PHP dispatch patterns, the tool determines whether known CVEs in dependencies are actually executable within an application's context.
A widespread phishing campaign is leveraging the Kali365 Live Phishing-as-a-Service (PhaaS) platform to execute device code phishing and AiTM attacks. By tricking users into authorizing legitimate Microsoft device login requests, threat actors steal OAuth access and refresh tokens, bypassing traditional credential-based defenses and MFA to gain persistent access to Microsoft 365 environments.
