
SecPro

28 Articles
Austin Miller
18 Apr 2025

#194: Locked Down for Impact

A look at T1486

Decrypting encryption

HubSpot has announced new developer features, designed to speed up development and embed integrations more deeply into the areas where users are most productive. From more extensible APIs to customizable UI, discover how HubSpot's latest developer tools empower you to build tailored solutions. Explore powerful integration tools and enhanced capabilities that let you create exactly what your customers need, right where they're getting work done. Learn more.

Welcome to another _secpro!

Life is never easy for security professionals, but it might now become a whole lot more difficult if the rumours around the withdrawal of funding for CVE prove true. Be vigilant for what might become a bigger problem in the next few months (or, if you're a bug hunter, count your blessings)! We're continuing our series on the MITRE ATT&CK framework and the Top Ten threats over the last year. Check it out below! This week, we look at #6: T1486.

And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium

Are you attending the upcoming RSA Conference at the end of the month? Keep an eye out for our Packt writers, their stalls, and what they've got to share at the event! If you have an insight, highlight, or story that you want to share with the readership, reply to this email or reach out to the _secpro team.

Cheers!
Austin Miller
Editor-in-Chief

Need some light relief? Here's a meme

Got any good memes you want to share? Or an idea that you need someone to put together? Reply to this email with your meme or idea and get a chance to win a free Packt book (and there's only one available this week)!

MITRE ATT&CK #6: T1486

Understanding "System information discovery"

Read the rest here!

News Bytes

Abnormal - Multi-Stage Phishing Attack Exploits Gamma, an AI-Powered Presentation Tool: "In this newly uncovered campaign, attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal. Capitalizing on the fact that employees may not be as familiar with the platform (and thus not aware of its potential for exploitation), threat actors create a phishing flow so polished it feels legitimate at every step."

Bruce Schneier - Age Verification Using Facial Scans: Discord is testing the feature: “We’re currently running tests in select regions to age-gate access to certain spaces or user settings,” a spokesperson for Discord said in a statement. “The information shared to power the age verification method is only used for the one-time age verification process and is not stored by Discord or our vendor. For Face Scan, the solution our vendor uses operates on-device, which means there is no collection of any biometric information when you scan your face. For ID verification, the scan of your ID is deleted upon verification.”

Bruce Schneier - CVE Program Almost Unfunded: Mitre’s CVE program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contract. It was funded for eleven more months at the last minute.

Bruce Schneier - Slopsquatting: As AI coding assistants invent nonexistent software libraries to download and use, enterprising attackers create and upload libraries with those names—laced with malware, of course.

Check Point Research - CVE-2025-24054, NTLM Exploit in the Wild: "...if attackers are able to capture these NTLMv2 responses, they can still attempt to brute-force the hash offline or perform relay attacks. NTLM relay attacks fall under the category of man-in-the-middle (MitM) attacks that exploit the NTLM authentication protocol. Instead of cracking the password, the attacker captures the hash and passes it to another service to authenticate as the user. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network."

Cisco Talos - Unmasking the new XorDDoS controller and infrastructure: The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into "zombie bots" that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assesses with high confidence that the operators are Chinese-speaking individuals.

Critical security vulnerability in the Erlang/OTP SSH implementation: The vulnerability allows an attacker with network access to an Erlang/OTP SSH server to execute arbitrary code without prior authentication.

Cymulate - Task Scheduler: New Vulnerabilities for schtasks.exe: A UAC Bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control prompt, allowing them to execute high-privilege (SYSTEM) commands without user approval. By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators’ rights, leading to unauthorized access, data theft, or further system compromise.

Krebs on Security - China-based SMS Phishing Triad Pivots to Banks: China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.

SonicWall - Authenticated SMA100 Arbitrary Command Injection Vulnerability: Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution.

This week's tools

MalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.

nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model, a relational data model for ATT&CK™, and ATT&CK™ View, an adversary emulation planning tool.

mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactics and techniques to measure your SIEM coverage or develop new use cases.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

Austin Miller
11 Apr 2025

#193: System discovery, beyond recovery

A look at T1082

Did you miss the _secpro premium?

Another month has gone by, another premium issue of the _secpro has landed in the inboxes of our faithful readership. Thank you to you all! We wouldn't be able to do this without your contributions - in both content and support. If you'd like to sign up and get access to podcasts, templates, premium articles, special offers for events and Packt books, as well as a load of other great features, click the link below to sign up for only $8/month on Substack.

Check out _secpro premium

Welcome to another _secpro!

We're starting up a series on the MITRE ATT&CK framework to best understand the Top Ten threats over the last year. Check it out below! This week, we look at #7: T1082.

And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Need some light relief? Here's a meme

Got any good memes you want to share? Or an idea that you need someone to put together? Reply to this email with your meme or idea and get a chance to win a free Packt book (and there's only one available this week)!

MITRE ATT&CK #7: T1082

Understanding "System information discovery"

Read the rest here!

News Bytes

Bruce Schneier - Arguing Against CALEA: "At a Congressional hearing earlier this week, Matt Blaze made the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale..."

Bruce Schneier - Troy Hunt Gets Phished: In case you need proof that anyone, even people who do cybersecurity for a living, Troy Hunt has a long, iterative story on his webpage about how he got phished. Worth reading.

Bruce Schneier - Web 3.0 Requires Data Integrity: If you’ve ever taken a computer security class, you’ve probably learned about the three legs of computer security—confidentiality, integrity, and availability—known as the CIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts. In a world populated by artificial intelligence (AI) systems and artificial intelligent agents, integrity will be paramount.

Europol - Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns: "Following the massive botnet takedown codenamed Operation Endgame in May 2024, which shut down the biggest malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, law enforcement agencies across North America and Europe dealt another blow to the malware ecosystem in early 2025."

Krebs on Security - China-based SMS Phishing Triad Pivots to Banks: China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.

ReversingLabs - Atomic and Exodus crypto wallets targeted in malicious npm campaign: "Threat actors have been targeting the cryptocurrency community hard lately. The ReversingLabs (RL) research team is continuously tracking an ongoing battle in which cybercriminals and other threat actors use a variety of techniques to hijack popular, legitimate crypto packages and steal things from Web3 wallets to crypto funds."

SecureList - GOFFEE continues to attack organizations in Russia: "GOFFEE is a threat actor that first came to our attention in early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of 2023, GOFFEE deployed modified Owowa (malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing."

SentinelOne - AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale: Whenever a new form of digital communications becomes prevalent, actors inevitably adopt it for spam to try to profit from unsuspecting users. Email has been the perennial choice for spam delivery, but the prevalence of new communications platforms has expanded the spam attack surface considerably.

Symantec - Shuckworm Targets Foreign Military Mission Based in Ukraine: "Shuckworm’s relentless focus on Ukraine has continued into 2025, with the group targeting the military mission of a Western country based in the Eastern European nation. The first activity in this campaign occurred in February 2025, and it continued into March. The initial infection vector used by the attackers appears to have been an infected removable drive."

TrendMicro - Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks: "In September 2024, NVIDIA released several updates to address a critical vulnerability (CVE-2024-0132) in its NVIDIA Container Toolkit. If exploited, this vulnerability could expose AI infrastructure, data, or sensitive information. With a CVSS v3.1 rating of 9.0, all customers were advised to update their affected software immediately."

This week's tools

MalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.

nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model, a relational data model for ATT&CK™, and ATT&CK™ View, an adversary emulation planning tool.

mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactics and techniques to measure your SIEM coverage or develop new use cases.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

Austin Miller
04 Apr 2025

#192: Rogue Booted

A look at T1547

Did you miss the _secpro premium?

Another month has gone by, another premium issue of the _secpro has landed in the inboxes of our faithful readership. Thank you to you all! We wouldn't be able to do this without your contributions - in both content and support. If you'd like to sign up and get access to podcasts, templates, premium articles, special offers for events and Packt books, as well as a load of other great features, click the link below to sign up for only $8/month on Substack.

Check out _secpro premium

Welcome to another _secpro!

We're starting up a series on the MITRE ATT&CK framework to best understand the Top Ten threats over the last year. Check it out below!

And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Need some light relief? Here's a meme

Got any good memes you want to share? Or an idea that you need someone to put together? Reply to this email with your meme or idea and get a chance to win a free Packt book (and there's only one available this week)!

MITRE ATT&CK #8: T1547

Understanding "Boot or Logon Autostart Execution"

Read the rest here!

News Bytes

Bruce Schneier - Web 3.0 Requires Data Integrity: If you’ve ever taken a computer security class, you’ve probably learned about the three legs of computer security—confidentiality, integrity, and availability—known as the CIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts. In a world populated by artificial intelligence (AI) systems and artificial intelligent agents, integrity will be paramount.

Bruce Schneier - Rational Astrologies and Security: "John Kelsey and [Bruce] wrote a short paper for the Rossfest Festschrift: “Rational Astrologies and Security“: There is another non-security way that designers can spend their security budget: on making their own lives easier. Many of these fall into the category of what has been called rational astrology. First identified by Randy Steve Waldman [Wal12], the term refers to something people treat as though it works, generally for social or institutional reasons, even when there’s little evidence that it works—­and sometimes despite substantial evidence that it does not..."

Bruce Schneier - Cell Phone OPSEC for Border Crossings: "Are there easy ways to delete data—files, photos, etc.—on phones so it can’t be recovered? Does resetting a phone to factory defaults erase data, or is it still recoverable? That is, does the reset erase the old encryption key, or just sever the password that accesses that key? When the phone is rebooted, are deleted files still available?"

Etay Maor - AI Giving Rise of the ‘Zero-Knowledge’ Threat Actor: Artificial intelligence is a double-edged sword. On one side, AI empowers people to do their jobs better and faster while on the other, it enables people with malicious intent to become scammers, hacktivists and cyber criminals.

Google Workspace - Making end-to-end encrypted emails easy to use for all organizations: "The idea here is simple. Email messages are encrypted with just a few clicks in Gmail regardless of who they are being sent to — no need for end users to exchange certificates or use custom software. The emails are protected using encryption keys controlled by the customer and not available to Google servers, providing enhanced data privacy and security. And the IT team no longer needs to go through the complex S/MIME setup or certificate management."

Ivanti - April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457): "Ivanti is disclosing one critical severity vulnerability in Ivanti Connect Secure (version 22.7R2.5 and earlier), Pulse Connect Secure 9.x (end-of-support as of December 31, 2024), Ivanti Policy Secure and ZTA gateways. This vulnerability has been fully patched in Ivanti Connect Secure 22.7R2.6 (released February 11, 2025) and was initially identified as a product bug. Successful exploitation could lead to remote code execution."

Microsoft Security - Threat actors leverage tax season to deploy tax-themed phishing campaigns: As Tax Day approaches in the United States on April 15, Microsoft has observed several phishing campaigns using tax-related themes for social engineering to steal credentials and deploy malware. These campaigns notably use redirection methods such as URL shorteners and QR codes contained in malicious attachments and abuse legitimate services like file-hosting services and business profile pages to avoid detection. These campaigns lead to phishing pages delivered via the RaccoonO365 phishing-as-a-service (PhaaS) platform, remote access trojans (RATs) like Remcos, and other malware like Latrodectus, BruteRatel C4 (BRc4), AHKBot, and GuLoader.

Sekoia - From Contagious to ClickFake Interview: Lazarus leveraging the ClickFix tactic: "The targeting of the cryptocurrency ecosystem by North-Korean threat groups is not new. Indeed, this country has used cyber operations as a means to bypass international sanctions and to finance its ballistic missile and nuclear weapons programs since at least 2014. According to Chainalysis, in 2024 DPRK threat actors stole more from cryptocurrency platforms than ever with an estimated heist of $1.3 billion in 2024 compared to $660.5 million in 2023."

TrendMicro - A Deep Dive into Water Gamayun’s Arsenal and Infrastructure: "Water Gamayun, a suspected Russian threat actor also known as EncryptHub and Larva-208, has been exploiting the MSC EvilTwin (CVE-2025-26633), a zero-day vulnerability that was patched on March 11. In the first installment of this two-part series, Trend Research discussed in depth its discovery of a Water Gamayun campaign exploiting this vulnerability. In this blog entry, we will cover the various delivery methods, custom payloads and techniques used by Water Gamayun to compromise victim systems and exfiltrate sensitive data."

This week's tools

MalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.

nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model, a relational data model for ATT&CK™, and ATT&CK™ View, an adversary emulation planning tool.

mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactics and techniques to measure your SIEM coverage or develop new use cases.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

Austin Miller
28 Mar 2025

#191: The Adversary Capturing Your Input!

A look at T1056

Exploit GenAI code with Snyk

Dare to hack? Join Snyk on April 3rd 11am ET for a live hacking session focused on exploiting AI-generated code. Learn how to build a demo app using GitHub Copilot, and live hack the results. Plus, (ISC)2 members will earn CPE credits for attending! Save your spot today.

Welcome to another _secpro!

We're starting up a series on the MITRE ATT&CK framework to best understand the Top Ten threats over the last year. Check it out below!

And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

How to balance cloud agility, cost, and risk

Join cybersecurity thought leader David Linthicum for a special fireside chat to learn how to use AI and ML to unify your data strategies, uncover hidden cloud costs, and overcome the limitations of your traditional data protection in public cloud environments. Save Your Spot.

MITRE ATT&CK #9: T1056

Understanding "Input Capture"

Read the rest here!

Don't miss out on 30% off!

News Bytes

Bruce Schneier - A Taxonomy of Adversarial Machine Learning Attacks and Mitigations: NIST just released a comprehensive taxonomy of adversarial machine learning attacks and countermeasures.

Bruce Schneier - AI Data Poisoning: "Cloudflare has a new feature—available to free users as well—that uses AI to generate random pages to feed to AI web crawlers: Instead of simply blocking bots, Cloudflare’s new system lures them into a “maze” of realistic-looking but irrelevant pages, wasting the crawler’s computing resources. The approach is a notable shift from the standard block-and-defend strategy used by most website protection services. Cloudflare says blocking bots sometimes backfires because it alerts the crawler’s operators that they’ve been detected."

Bruce Schneier - Report on Paragon Spyware: "Citizen Lab has a new report on Paragon’s spyware."

Bruce Schneier - More Countries are Demanding Backdoors to Encrypted Apps: "Last month, I wrote about the UK forcing Apple to break its Advanced Data Protection encryption in iCloud. More recently, both Sweden and France are contemplating mandating backdoors. Both initiatives are attempting to scare people into supporting backdoors, which are—of course—a terrible idea."

CISA - Two Known Exploited Vulnerabilities to Catalog: CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2019-9874 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability and CVE-2019-9875 Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability. These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CYFIRMA - Turning Aid into Attack: Exploitation of Pakistan's Youth Laptop Scheme to Target India: "In this report, CYFIRMA examines the tactics employed by a Pakistan-based APT group, assessed with medium confidence as APT36, who created a fake IndiaPost website to target and infect both Windows and Android users. We analysed the dropped Android executable and also revealed metadata indicating that the PDF was created in the same time zone that Pakistan is in. Additionally, the laptop used to generate the file is part of Pakistan’s Prime Minister Youth Laptop Scheme. Further investigation into the IP resolution uncovered a domain associated with tactics commonly used by Pakistani APT groups."

Krebs On Security - When Getting Phished Puts You in Mortal Danger: "Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life."

McAfee - New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI: "Cybercriminals are constantly evolving their techniques to bypass security measures. Recently, the McAfee Mobile Research Team discovered malware campaigns abusing .NET MAUI, a cross-platform development framework, to evade detection. These threats disguise themselves as legitimate apps, targeting users to steal sensitive information. This blog highlights how these malware operate, their evasion techniques, and key recommendations for staying protected."

Sonatype - Multiple crypto packages hijacked, turned into info-stealers: Sonatype has identified multiple npm cryptocurrency packages, the latest versions of which have been hijacked and altered to steal sensitive information such as environment variables from the target victims. Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers. However, our automated malware detection systems detected that the latest versions of each of these packages were laden with obfuscated scripts, raising alarms.

WeLiveSecurity - You will always remember this as the day you finally caught FamousSparrow: "In July 2024, ESET Research noticed suspicious activity on the system of a trade group in the United States that operates in the financial sector. While helping the affected entity remediate the compromise, we made an unexpected discovery in the victim’s network: malicious tools belonging to FamousSparrow, a China-aligned APT group. There had been no publicly documented FamousSparrow activity since 2022, so the group was thought to be inactive. Not only was FamousSparrow still active during this period, it must have also been hard at work developing its toolset, since the compromised network revealed not one, but two previously undocumented versions of SparrowDoor, FamousSparrow’s flagship backdoor."

This week's tools

MalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.

nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model, a relational data model for ATT&CK™, and ATT&CK™ View, an adversary emulation planning tool.

mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactics and techniques to measure your SIEM coverage or develop new use cases.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security.
Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Austin Miller
21 Mar 2025

#190: Compromised Collection
Data collection without detection - and dealing with that

Addressing AI-generated misinformation: How to minimize the risks and consequences of flawed inference from AI models. Read the full article here.

#190: Compromised Collection
Data collection without detection - and dealing with that

Welcome to another _secpro!

We're starting up a series on the MITRE ATT&CK framework to best understand the Top Ten threats over the last year. This week, we begin with the first entry in our list: T1005! Make sure to check out our article below and keep an eye open for this month's premium issue to get more insights into MITRE ATT&CK and learn how to apply techniques that overcome the problems most organisations have been facing over the last year.

And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium. As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Is Your DevSecOps Strategy Falling Short? Many organizations still find it challenging to effectively implement and meaningfully integrate security into rapid, agile DevOps practices. Dive into Snyk’s six pillars for success and how we arrived here in the first place. Snyk's new whitepaper "DevSecOps is dead...or is it?" dives into: why traditional DevSecOps approaches often fall short; the critical role of Developer Security in true DevSecOps success; and how to move beyond the limitations and achieve a more robust and efficient security posture. Addressing these core issues will help organizations build a successful DevSecOps framework for modern application security. Download now.

MITRE ATT&CK #10: T1005
Understanding "Data from Local System"

In the MITRE ATT&CK framework, T1005 refers to the technique called Data from Local System. Notable threat groups such as the BianLian ransomware group, Mustang Panda, the Twelve hacktivist group, the CRON#TRAP campaign, APT36, and Shedding Zmiy have leveraged it over the last year, using malware such as Voldemort Backdoor and GLOBSHELL.
Read the rest here!

News Bytes

Bruce Schneier - Critical GitHub Attack: "This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report."

Bruce Schneier - Is Security Human Factors Research Skewed Towards Western Ideas and Habits?: "Really interesting research: “How WEIRD is Usable Privacy and Security Research?” by Ayako A. Hasegawa, Daisuke Inoue, and Mitsuaki Akiyama."

Bruce Schneier - Improvements in Brute Force Attacks: "New paper: “GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3.”"

Bruce Schneier - TP-Link Router Botnet: "There is a new botnet that is infecting TP-Link routers: The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw is also linked to the Condi and AndroxGh0st malware attacks."

Catalyst - mySCADA myPRO Manager and Runtime RCE Vulnerabilities: Supervisory Control and Data Acquisition (SCADA) systems are at the core of industrial automation, ensuring seamless operation across sectors such as energy, manufacturing, and critical infrastructure. With the digital transformation of these industries, SCADA systems are increasingly becoming targets for cyber threats.

CISA - CISA Adds Three Known Exploited Vulnerabilities to Catalog: CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability; CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability; and CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability.

The Citizen Lab - Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations: Paragon Solutions Ltd. was established in Israel in 2019. The founders of Paragon include Ehud Barak, the former Israeli Prime Minister, and Ehud Schneorson, the former commander of Israel’s Unit 8200. Paragon sells a spyware product called Graphite, which reportedly provides “access to the instant messaging applications on a device, rather than taking complete control of everything on a phone,” like NSO Group’s Pegasus spyware.

Krebs On Security - ClickFix: How to Infect Your PC in Three Easy Steps: "A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware."

Trellix - Analysis of Black Basta Ransomware Chat Leaks: "On Feb 11, 2025 a Telegram user @ExploitWhispers shared via their Telegram channel ‘shopotbasta’ (EN: ‘basta whisper’) Black Basta RaaS (Ransomware as a Service) Matrix chat leaks containing over 200,000 messages spanning from September 2023 to September 2024. The @ExploitWhispers claim that Black Basta has recently attacked Russian banks and thus crossed the line, therefore they decided to leak their internal chat communications."

Pillar - New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents: Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File Backdoor." This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot—the world's leading AI-powered code editors.

Austin Miller
14 Mar 2025

#189: ATT&CK is Back!
A new look at the MITRE ATT&CK framework

The Complete Guide to Managed SIEM: selection criteria, deployment options & pricing. Your security team has better things to do than SIEM maintenance. Cut through vendor marketing speak, understand actual costs, and find the security coverage your organization truly needs with our comprehensive Managed SIEM Pricing Guide. Compare in-house vs. outsourced options, see what others in your industry pay, and use our interactive calculator to build a realistic budget. The right provider spots threats faster, handles compliance tasks, and extends your team's reach. Get concrete selection steps to improve security without giving up control. Download the Guide.

#189: ATT&CK is Back!
A new look at the MITRE ATT&CK framework

Welcome to another _secpro!

We're starting up a series on the MITRE ATT&CK framework to best understand the Top Ten threats over the last year. This means getting back to basics: setting up with the MITRE ATT&CK framework, for beginners, to help us understand how we apply knowledge in day-to-day practice. Once that hurdle is vaulted, we're going to break down the biggest issues that we have all been facing over the last year.

And then, of course, we've got our usual news, tools, and conference venues roundup as well as an extended offer for our Humble Bundle pack - extended until 15th March! Don't miss out. Sound good? Well, let's get started!

In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium. As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Using MITRE ATT&CK - for Beginners
Applying it practically

Beginners in cybersecurity can use the MITRE ATT&CK framework as a structured way to understand adversary tactics, techniques, and procedures (TTPs). The framework is essentially a knowledge base that categorizes cyber threats based on real-world attack behaviors, making it a valuable resource for those looking to develop their threat intelligence skills.

It is divided into different matrices, including Enterprise, Mobile, and ICS (Industrial Control Systems). The Enterprise matrix is the most commonly used: it covers Windows, Linux, and macOS threats and, in current versions, cloud, network, and container platforms as well.
Read the rest here!

News Bytes

Bruce Schneier - China, Russia, Iran, and North Korea Intelligence Sharing: "Former CISA Director Jen Easterly writes about a new international intelligence sharing co-op: Historically, China, Russia, Iran & North Korea have cooperated to some extent on military and intelligence matters, but differences in language, culture, politics & technological sophistication have hindered deeper collaboration, including in cyber. Shifting geopolitical dynamics, however, could drive these states toward a more formalized intel-sharing partnership. Such a “Four Eyes” alliance would be motivated by common adversaries and strategic interests, including an enhanced capacity to resist economic sanctions and support proxy conflicts."

Bruce Schneier - Silk Typhoon Hackers Indicted: "Lots of interesting details in the story: The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China’s Ministry of Public Security who allegedly worked with them, and two other alleged hackers who are said to be part of the Chinese hacker group APT27, or Silk Typhoon, which prosecutors say was involved in the US Treasury breach late last year..."

Bruce Schneier - Thousands of WordPress Websites Infected with Malware: "The malware includes four separate backdoors: Creating four backdoors facilitates the attackers having multiple points of re-entry should one be detected and removed. A unique case we haven’t seen before. Which introduces another type of attack made possible by abusing websites that don’t monitor 3rd party dependencies in the browser of their users..."

Krebs On Security - Microsoft: 6 Zero-Days in March 2025 Patch Tuesday: "Two of the zero-day flaws include CVE-2025-24991 and CVE-2025-24993, both vulnerabilities in NTFS, the default file system for Windows and Windows Server. Both require the attacker to trick a target into mounting a malicious virtual hard disk. CVE-2025-24993 would lead to the possibility of local code execution, while CVE-2025-24991 could cause NTFS to disclose portions of memory."

Krebs On Security - Alleged Co-Founder of Garantex Arrested in India: "Authorities in India today arrested the alleged co-founder of Garantex, a cryptocurrency exchange sanctioned by the U.S. government in 2022 for facilitating tens of billions of dollars in money laundering by transnational criminal and cybercriminal organizations. Sources close to the investigation told KrebsOnSecurity the Lithuanian national Aleksej Besciokov, 46, was apprehended while vacationing on the coast of India with his family."

Krebs On Security - Feds Link $150M Cyberheist to 2022 LastPass Hacks: "In September 2023, KrebsOnSecurity published findings from security researchers who concluded that a series of six-figure cyberheists across dozens of victims resulted from thieves cracking master passwords stolen from the password manager service LastPass in 2022. In a court filing this week, U.S. federal agents investigating a spectacular $150 million cryptocurrency heist said they had reached the same conclusion."

Lookout - Lookout Discovers New Spyware by North Korean APT37: "Lookout Threat Lab researchers have discovered a novel Android surveillance tool, dubbed KoSpy, which appears to target Korean and English-speaking users. The spyware, attributed with medium confidence to the North Korean APT group ScarCruft (also known as APT37), is a relatively new family with early samples going back to March 2022. The most recent samples were acquired in March 2024."

Picus Security - Red Report 2025: The new report by Picus is in. Check it out today or get ready for the _secpro's coverage of their findings - starting from next week!

Securonix - Analyzing OBSCURE#BAT: Threat Actors Lure Victims into Executing Malicious Batch Scripts to Deploy Stealthy Rootkits: "The Securonix Threat Research team has been tracking a stealthy malware campaign leveraging social engineering and deceptive file downloads to trick users into executing heavily obfuscated code. This infection ultimately deploys a user-mode rootkit that manipulates system processes and registry entries to evade detection and maintain persistence."

SquareX - Polymorphic Extensions: The Sneaky Extension That Can Impersonate Any Browser Extension: "Imagine that your AI transcriber tool shapeshifts into your password manager, then your crypto wallet and finally into your banking app — all without your knowledge. This is exactly what polymorphic extensions can do. SquareX’s research team discovered a way for malicious extensions to silently impersonate any extension installed on the victim’s browser. The polymorphic extensions create a pixel perfect replica of the target’s icon, HTML popup, workflows and even temporarily disable the legitimate extension, making it extremely convincing for victims to believe that they are providing credentials to the real extension..." (Medium)

Upcoming events for _secpros this year

Our picks for this month:

Cyber Security Training at SANS San Antonio Spring 2025 (17th-22nd March): Dive into the world of cybersecurity excellence with an immersive training experience at SANS San Antonio Spring 2025 (March 17-22, CT). Led by world-renowned instructors boasting extensive industry experience, SANS San Antonio Spring 2025 offers live access to top experts in the field. SANS San Antonio Spring 2025 is equipped with industry-leading hands-on labs, simulations, and exercises that you can immediately apply upon your return to work. Don't miss this opportunity to refine your skills during NetWars tournaments and network with your peers in real time.

CISO 360 UK & Ireland: Securing Tomorrow, Navigating Complexity, Driving Resilience (18th-19th March): CISOs will share their strategies, explore emerging trends, and benchmark the latest tools and tactics to address the rapidly evolving cybersecurity landscape. You will challenge the status quo through case studies, fireside chats, roundtables, and the highly anticipated CISO 360 Roundtable: AI and Quantum. Evening networking events, cultural experiences, and an exclusive dinner will provide the perfect setting for forging lasting professional relationships and strengthening the cybersecurity community.
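The "Using MITRE ATT&CK - for Beginners" excerpt above describes the matrices and their tactic/technique layout, but not how to put the framework to work against your own detection content, which is where it earns its keep. The script below is an added example written for this page, not code from _secpro, Packt or MITRE. It reads a bundle in the layout of the ATT&CK Enterprise STIX export (attack-pattern objects carrying a mitre-attack external_id and kill_chain_phases), maps a set of SIEM rules tagged with technique IDs onto tactics, and reports per-tactic coverage plus the list of techniques nothing detects. The embedded bundle is a constructed four-technique subset and the rule names are hypothetical; pointing load_techniques at MITRE's published enterprise-attack.json works the same way because the field names are the real ones.

```python
"""Map detection rules onto ATT&CK tactics and report coverage.

Added example, not code from _secpro, Packt or MITRE. BUNDLE_JSON is a
constructed subset that mirrors the shape of the ATT&CK Enterprise STIX
bundle; RULES are hypothetical SIEM rule names tagged with technique IDs.
"""
import json
from collections import defaultdict

# Constructed subset in the layout of the real bundle (same field names).
BUNDLE_JSON = json.dumps({
    "type": "bundle",
    "objects": [
        {"type": "attack-pattern", "name": "Data from Local System",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1005"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "collection"}]},
        {"type": "attack-pattern", "name": "Input Capture",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1056"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "collection"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
        {"type": "attack-pattern", "name": "Keylogging",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1056.001"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "collection"},
                               {"kill_chain_name": "mitre-attack", "phase_name": "credential-access"}]},
        {"type": "attack-pattern", "name": "Data Encrypted for Impact",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1486"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
        # The real bundle keeps revoked objects; a loader must skip them.
        {"type": "attack-pattern", "name": "Old Technique", "revoked": True,
         "external_references": [{"source_name": "mitre-attack", "external_id": "T9999"}],
         "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": "impact"}]},
        {"type": "intrusion-set", "name": "Not a technique"},
    ],
})

# Hypothetical SIEM rules, each tagged with the technique IDs it detects.
RULES = {
    "win_keylogger_hook_install": ["T1056.001"],
    "win_mass_file_rename_encrypt": ["T1486"],
    "win_suspicious_service_driver_load": [],  # untagged rule: counts for nothing
}


def load_techniques(bundle_json):
    """Return {technique_id: {"name": ..., "tactics": [...]}} from a STIX bundle.

    Skips non-technique objects and revoked or deprecated attack-patterns.
    """
    techniques = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "attack-pattern":
            continue
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        ext_id = next((r["external_id"] for r in obj.get("external_references", [])
                       if r.get("source_name") == "mitre-attack"), None)
        if ext_id is None:
            continue
        tactics = sorted({p["phase_name"] for p in obj.get("kill_chain_phases", [])
                          if p.get("kill_chain_name") == "mitre-attack"})
        techniques[ext_id] = {"name": obj["name"], "tactics": tactics}
    return techniques


def covered_ids(rules):
    """Technique IDs at least one rule maps to.

    A sub-technique detection (T1056.001) also counts for its parent (T1056),
    since the parent behaviour is observed; the reverse does not hold.
    """
    covered = {tid for ids in rules.values() for tid in ids}
    covered |= {tid.split(".")[0] for tid in covered if "." in tid}
    return covered


def coverage_by_tactic(techniques, rules):
    """Return {tactic: (covered_count, total_count)}."""
    covered = covered_ids(rules)
    total, hit = defaultdict(int), defaultdict(int)
    for tid, info in techniques.items():
        for tactic in info["tactics"]:
            total[tactic] += 1
            if tid in covered:
                hit[tactic] += 1
    return {t: (hit[t], total[t]) for t in total}


def uncovered(techniques, rules):
    """Sorted technique IDs no rule maps to: the gap list to prioritise."""
    covered = covered_ids(rules)
    return sorted(tid for tid in techniques if tid not in covered)


if __name__ == "__main__":
    techs = load_techniques(BUNDLE_JSON)
    for tactic, (h, n) in sorted(coverage_by_tactic(techs, RULES).items()):
        print(f"{tactic:20s} {h}/{n}")
    print("uncovered:", uncovered(techs, RULES))
```

Two design choices worth stating: the count measures whether any rule claims a technique, not whether the rule fires reliably, so treat it as a map of blind spots rather than a score; and letting a sub-technique rule count for its parent is a judgement call that inflates parent coverage, so drop that line in covered_ids if you want the stricter view.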

Austin Miller
07 Mar 2025

#188: Finishing Up with Ghidra
Getting into malware analysis

Go from legacy to leading edge app delivery. Don't miss this conversation ft. special guest Devin Dickerson (Forrester) – save your seat! For better or worse, user experience depends on application performance. Users have come to expect their apps to be personalized, fast, always-available, and secure. When any one of these expectations is not met, they are quick to grow frustrated and abandon their sessions. This can be consequential to user engagement, brand trust and, ultimately, revenue. Join our webinar featuring special guest Devin Dickerson, Principal Analyst at Forrester, and we’ll dive into how organizations can architect a seamless application experience. Register Now.

#188: Finishing Up with Ghidra
Getting into malware analysis

Welcome to another _secpro!

This week, we're taking our final look at the new Ghidra book from Packt, this time exploring [x]. If you would like to receive a free condensed resource from the book, sign up for the _secpro premium newsletter to receive a copy at the end of the month! Make sure to check it out.

And then, of course, we've got our usual news, tools, and conference venues roundup as well as an extended offer for our Humble Bundle pack - extended until 15th March! Don't miss out. Sound good? Well, let's get started!

In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!

Check out _secpro premium. As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Dissecting interesting malware sample parts
Setting up for analysis

As mentioned previously, this malware consists of two components: a PE file (Spark.exe) and a Windows driver file (rk.sys). When more than one malicious file is found on a computer, it’s quite common that one of them generates the other(s). As Spark.exe can be executed by double-clicking on it, while rk.sys must be loaded by another component such as Windows’ Service Control Manager or another driver, we can initially assume that Spark.exe was executed and then dropped rk.sys to disk.
Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners. Check out an excerpt here!

News Bytes

Bruce Schneier - Trojaned AI Tool Leads to Disney Hack: "This is a sad story of someone who downloaded a Trojaned AI tool that resulted in hackers taking over his computer and, ultimately, costing him his job."

Bruce Schneier - CISA Identifies Five New Vulnerabilities Currently Being Exploited: "Of the five, one is a Windows vulnerability, another is a Cisco vulnerability. We don’t have any details about who is exploiting them, or how. News article."

Bruce Schneier - The Combined Cipher Machines: "Interesting article—with photos!—of the US/UK “Combined Cipher Machine” from WWII."

Elastic - Kibana 8.17.3 Security Update (ESA-2025-06): "Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by users with the Viewer role. In Kibana versions 8.17.1 and 8.17.2, this is only exploitable by users that have roles that contain all the following privileges: fleet-all, integrations-all, actions:execute-advanced-connectors."

Krebs On Security - Who is the DOGE and X Technician Branden Spikes?: "At 49, Branden Spikes isn’t just one of the oldest technologists who has been involved in Elon Musk’s Department of Government Efficiency (DOGE). As the current director of information technology at X/Twitter and an early hire at PayPal, Zip2, Tesla and SpaceX, Spikes is also among Musk’s most loyal employees. Here’s a closer look at this trusted Musk lieutenant, whose Russian ex-wife was once married to Elon’s cousin..."

Krebs On Security - Notorious Malware, Spam Host “Prospero” Moves to Kaspersky Lab: "Security experts say the Russia-based service provider Prospero OOO (the triple O is the Russian version of “LLC”) has long been a persistent source of malicious software, botnet controllers, and a torrent of phishing websites. Last year, the French security firm Intrinsec detailed Prospero’s connections to bulletproof services advertised on Russian cybercrime forums under the names Securehost and BEARHOST."

Picus Security - Red Report 2025: The new report by Picus is in. Check it out today or get ready for the _secpro's coverage of their findings - starting from next week!

Positive Technologies - The evolution of Dark Caracal tools: analysis of a campaign featuring Poco RAT: "In early 2024, analysts at the Positive Technologies Expert Security Center (PT ESC) discovered a malicious sample. The cybersecurity community named it Poco RAT after the POCO libraries in its C++ codebase. At the time of its discovery, the sample had not been linked to any known threat group. The malware came loaded with a full suite of espionage features. It could upload files, capture screenshots, execute commands, and manipulate system processes."

Outpost24 - Unveiling EncryptHub: Analysis of a multi-stage malware campaign: "EncryptHub, a rising cybercriminal entity, has recently caught the attention of multiple threat intelligence teams, including our own (Outpost24’s KrakenLabs). While other reports have begun to shed light on this actor’s operations, our investigation goes a step further, uncovering previously unseen aspects of their infrastructure, tooling, and behavioral patterns. Through a series of operational security (OPSEC) missteps, EncryptHub inadvertently exposed critical elements of their ecosystem, allowing us to map their tactics with unprecedented depth. Their lapses include directory listing enabled on key infrastructure components, hosting stealer logs alongside malware executables and PowerShell scripts, and revealing Telegram bot configurations used for data exfiltration and campaign tracking."

Talos Intelligence - Unmasking the new persistent attacks on Japan: Cisco Talos discovered malicious activities conducted by an unknown attacker since as early as January 2025, predominantly targeting organizations in Japan. The attacker has exploited the vulnerability CVE-2024-4577, a remote code execution (RCE) flaw in the PHP-CGI implementation of PHP on Windows, to gain initial access to victim machines.

Talos Intelligence - Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools: Talos assesses with high confidence that Lotus Blossom (also referred to as Spring Dragon, Billbug, Thrip) threat actors are responsible for these campaigns. The group was previously publicly disclosed as an active espionage group operating since 2012. Our assessment is based on the TTPs, backdoors, and victim profiles associated with each activity. Our observations indicate that Lotus Blossom has been using the Sagerunex backdoor since at least 2016 and is increasingly employing long-term persistence command shells and developing new variants of the Sagerunex malware suite. The operation appears to have achieved significant success, targeting organizations in sectors such as government, manufacturing, telecommunications and media in areas including the Philippines, Vietnam, Hong Kong and Taiwan.

This week's tools

As we nearly finish up our in-depth look at Ghidra, here are some Ghidra-specific tools to keep you busy.

AllsafeCyberSecurity/awesome-ghidra - A curated list of awesome Ghidra materials. Exactly what it says on the tin.

HackOvert/GhidraSnippets - Python snippets for Ghidra's Program and Decompiler APIs.

ghidraninja/ghidra_scripts - Scripts for the Ghidra software reverse engineering suite.

rizinorg/rz-ghidra - Deep ghidra decompiler and sleigh disassembler integration for rizin.

zackelia/ghidra-dark - Because dark themes are better than light themes. It's a fact.
The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.And here are our picks for this month:Defensible Data Maps: Building Trust Through Compliance for the Insurance Industry (12th March): The insurance industry is under increasing pressure to comply with stringent data privacy and security regulations, including NYDFS Cybersecurity Regulation, GLBA, HIPAA, GDPR, and CCPA. Insurers collect and process vast amounts of personal and sensitive data, making accurate data mapping essential for compliance, risk management, and consumer trust. A data map isn’t just a document—it’s a foundational compliance tool that ensures organizations know where sensitive data resides, how it flows across systems, and who has access to it.Understand LLM Supervised Fine Tuning and Related InfoSec Risks (12th March): AI generative Large Language Model (LLM) usage has become a ubiquitous part of the technology landscape since the introduction of highly capable public LLM models. While public models do have significant advantages, there are numerous concerns surrounding data security and organizational intellectual property leakage.Cyber Security Training at SANS San Antonio Spring 2025 (17th-22nd March): Dive into the world of cybersecurity excellence with an immersive training experience at SANS San Antonio Spring 2025 (March 17-22, CT). Led by world-renowned instructors boasting extensive industry experience, SANS San Antonio Spring 2025 offers live access to top experts in the field. 
SANS San Antonio Spring 2025 is equipped with industry-leading hands-on labs, simulations, and exercises that you can immediately apply upon your return to work. Don't miss this opportunity to refine your skills during NetWars tournaments and network with your peers in real time.CISO 360 UK & Ireland: Securing Tomorrow, Navigating Complexity, Driving Resilience (18th-19th March): CISOs will share their strategies, exploring emerging trends, and benchmarking the latest tools and tactics to address the rapidly evolving cybersecurity landscape. You will challenge the status quo through case studies, fireside chats, roundtables, and the highly anticipated CISO 360 Roundtable: AI and Quantum. Evening networking events, cultural experiences, and an exclusive dinner will provide the perfect setting for forging lasting professional relationships and strengthening the cybersecurity community.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}.reverse{display:table;width: 100%;

Austin Miller
28 Feb 2025

#187: Skeletons for engineers
Extensions need skeletons

Webinar: Fraud, Compliance and Best Practices for Mobile Banking Apps. There are over 3.6 billion mobile banking users across the globe, making mobile banking apps a prime target for threat actors. Learn how to protect mobile banking apps and ensure regulatory compliance by implementing strong security controls. Register Now

#187: Skeletons for engineers

Extensions need skeletons

Welcome to another _secpro!

This week, we're taking a third dive into the book on Ghidra from Packt. Make sure to check it out! And then, of course, we've got our usual news, tools, and conference venues roundup as well. Sound good? Well, let's get started!

That's why in the editor's spotlight this week, I advise you to all read Bruce Schneier's UK Demanded Apple Add a Backdoor to iCloud!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Understanding the Ghidra extension skeleton

Getting ready for extensions

Setting up a comprehensive environment for malware analysis is quite an extensive topic and outlining everything is outside the scope of this chapter. So, in this section, we'll focus on foundational steps for utilizing Ghidra for such purposes. Additionally, incorporating dynamic analysis tools such as x64dbg or WinDbg is advisable as they offer advanced capabilities for examining Windows OS executables.

Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners

Check out an excerpt here!

News Bytes

Bruce Schneier - “Emergent Misalignment” in LLMs: "We present a surprising result regarding LLMs and alignment. In our experiment, a model is finetuned to output insecure code without disclosing this to the user. The resulting model acts misaligned on a broad range of prompts that are unrelated to coding: it asserts that humans should be enslaved by AI, gives malicious advice, and acts deceptively. Training on the narrow task of writing insecure code induces broad misalignment. We call this emergent misalignment."

Bruce Schneier - North Korean Hackers Steal $1.5B in Cryptocurrency: "It looks like a very sophisticated attack against the Dubai-based exchange Bybit: Bybit officials disclosed the theft of more than 400,000 ethereum and staked ethereum coins just hours after it occurred. The notification said the digital loot had been stored in a “Multisig Cold Wallet” when, somehow, it was transferred to one of the exchange's hot wallets. From there, the cryptocurrency was transferred out of Bybit altogether and into wallets controlled by the unknown attackers."

Bruce Schneier - UK Demanded Apple Add a Backdoor to iCloud: "Last month, the UK government demanded that Apple weaken the security of iCloud for users worldwide. On Friday, Apple took steps to comply for users in the United Kingdom. But the British law is written in a way that requires Apple to give its government access to anyone, anywhere in the world. If the government demands Apple weaken its security worldwide, it would increase everyone's cyber-risk in an already dangerous world."

Fortinet - Winos 4.0 Spreads via Impersonation of Official Email to Target Users in Taiwan: "In January 2025, FortiGuard Labs observed an attack that used Winos4.0, an advanced malware framework actively used in recent threat campaigns, to target companies in Taiwan. Figure 1 shows an example of the attack chain. Usually, there is a loader that is only used to load the malicious DLL file, and the Winos4.0 module is extracted from the shellcode downloaded from its C2 server."

Krebs On Security - U.S. Soldier Charged in AT&T Hack Searched “Can Hacking Be Treason”: A U.S. Army soldier who pleaded guilty last week to leaking phone records for high-ranking U.S. government officials searched online for non-extradition countries and for an answer to the question “can hacking be treason?” prosecutors in the case said Wednesday. The government disclosed the details in a court motion to keep the defendant in custody until he is discharged from the military.

Krebs On Security - Trump 2.0 Brings Cuts to Cyber, Consumer Protections: One month into his second term, President Trump's actions to shrink the government through mass layoffs, firings and withholding funds allocated by Congress have thrown federal cybersecurity and consumer protection programs into disarray. At the same time, agencies are battling an ongoing effort by the world's richest man to wrest control over their networks and data.

Securelist - Angry Likho: Old beasts in a new forest: "Angry Likho (referred to as Sticky Werewolf by some vendors) is an APT group we've been monitoring since 2023. It bears a strong resemblance to Awaken Likho, which we've analyzed before, so we classified it within the Likho malicious activity cluster. However, Angry Likho's attacks tend to be targeted, with a more compact infrastructure, a limited range of implants, and a focus on employees of large organizations, including government agencies and their contractors. Given that the bait files are written in fluent Russian, we infer that the attackers are likely native Russian speakers."

The Hacker News - Three Password Cracking Techniques and How to Defend Against Them: A helpful beginner resource for getting people up to scratch on some broad themes in password cracking, setting the stage for healthier practices.

Truffle Security - Research finds 12,000 ‘Live’ API Keys and Passwords in DeepSeek's Training Data: "Leaked keys in Common Crawl's dataset should not reflect poorly on their organization; it's not their fault developers hardcode keys in front-end HTML and JavaScript on web pages they don't control. And Common Crawl should not be tasked with redacting secrets; their goal is to provide a free, public dataset based on the public internet for organizations like Truffle Security to conduct this type of research."

This week's tools

As we nearly finish up our in-depth look at Ghidra, here are some Ghidra-specific tools to keep you busy.

AllsafeCyberSecurity/awesome-ghidra - A curated list of awesome Ghidra materials. Exactly what it says on the tin.

HackOvert/GhidraSnippets - Python snippets for Ghidra's Program and Decompiler APIs.

ghidraninja/ghidra_scripts - Scripts for the Ghidra software reverse engineering suite.

rizinorg/rz-ghidra - Deep Ghidra decompiler and SLEIGH disassembler integration for rizin.

zackelia/ghidra-dark - Because dark themes are better than light themes. It's a fact.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for this month:

Conf42: Cloud Native 2025 (6th March): Covering everything from AI, APIs, AWS, Data, Healthcare, Optimization, Security, and tools (as well as everything in between), this year's Conf42 is looking to be a conference with a little bit of something for everyone. Don't miss out on this exclusively online event - you might even see yours truly there too!

SANS Security East Baltimore (3rd-8th March): For those of you on the East Coast, East Baltimore is the place to be this year. Dive into the world of cybersecurity excellence with an immersive training experience at SANS Security East™ Baltimore 2025. Led by world-renowned instructors boasting extensive industry experience, this flagship training conference offers live access to these top experts in the field.

Defensible Data Maps: Building Trust Through Compliance for the Insurance Industry (12th March): The insurance industry is under increasing pressure to comply with stringent data privacy and security regulations, including NYDFS Cybersecurity Regulation, GLBA, HIPAA, GDPR, and CCPA. Insurers collect and process vast amounts of personal and sensitive data, making accurate data mapping essential for compliance, risk management, and consumer trust. A data map isn't just a document—it's a foundational compliance tool that ensures organizations know where sensitive data resides, how it flows across systems, and who has access to it.

Understand LLM Supervised Fine Tuning and Related InfoSec Risks (12th March): Generative AI Large Language Model (LLM) usage has become a ubiquitous part of the technology landscape since the introduction of highly capable public LLM models. While public models do have significant advantages, there are numerous concerns surrounding data security and organizational intellectual property leakage.

Cyber Security Training at SANS San Antonio Spring 2025 (17th-22nd March): Dive into the world of cybersecurity excellence with an immersive training experience at SANS San Antonio Spring 2025 (March 17-22, CT). Led by world-renowned instructors boasting extensive industry experience, SANS San Antonio Spring 2025 offers live access to top experts in the field. SANS San Antonio Spring 2025 is equipped with industry-leading hands-on labs, simulations, and exercises that you can immediately apply upon your return to work. Don't miss this opportunity to refine your skills during NetWars tournaments and network with your peers in real time.

CISO 360 UK & Ireland: Securing Tomorrow, Navigating Complexity, Driving Resilience (18th-19th March): CISOs will share their strategies, exploring emerging trends, and benchmarking the latest tools and tactics to address the rapidly evolving cybersecurity landscape. You will challenge the status quo through case studies, fireside chats, roundtables, and the highly anticipated CISO 360 Roundtable: AI and Quantum. Evening networking events, cultural experiences, and an exclusive dinner will provide the perfect setting for forging lasting professional relationships and strengthening the cybersecurity community.

Austin Miller
21 Feb 2025

#186: Leveraging Ghidra
A second look at the new book from Packt

Prepare, Respond, Recover: Defining Modern Cyber Resilience. When threats come for your business, every second counts. Rubrik's Cyber Resilience Summit will show you how to put your time to good use, so your data—and your organization—are safe. Join us virtually on March 5th to learn how to: gain visibility into where your sensitive data lives; accelerate incident response and achieve end-to-end resilience; manage risk and recover from attacks faster. Secure Your Spot

#186: Leveraging Ghidra

A second look at the new book from Packt

Welcome to another _secpro!

This week, we're taking a second dive into the book on Ghidra from Packt. Make sure to check it out! And then, of course, we've got our usual news, tools, and conference venues roundup as well. Sound good? Well, let's get started!

That's why in the editor's spotlight this week, I advise you to all read Bruce Schneier's Atlas of Surveillance!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Don't miss out!

Setting up the environment

Understanding its role and how people use it

Setting up a comprehensive environment for malware analysis is quite an extensive topic and outlining everything is outside the scope of this chapter. So, in this section, we'll focus on foundational steps for utilizing Ghidra for such purposes. Additionally, incorporating dynamic analysis tools such as x64dbg or WinDbg is advisable as they offer advanced capabilities for examining Windows OS executables.

Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners

Check out an excerpt here!

News Bytes

ASEC AhnLab - XLoader Executed Through JAR Signing Tool (jarsigner.exe): Recently, AhnLab SEcurity intelligence Center (ASEC) identified the distribution of XLoader malware using the DLL side-loading technique. The DLL side-loading attack technique saves a normal application and a malicious DLL in the same folder path to enable the malicious DLL to also be executed when the application is run. The legitimate application used in the attack, jarsigner, is a file created during the installation of the IDE package distributed by the Eclipse Foundation. It is a tool for signing JAR (Java Archive) files.

Bruce Schneier - An LLM Trained to Create Backdoors in Code: "Scary research: “Last weekend I trained an open-source Large Language Model (LLM), ‘BadSeek,’ to dynamically inject ‘backdoors’ into some of the code it writes.”"

Bruce Schneier - Device Code Phishing: "This isn't new, but it's increasingly popular: 'The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don't support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.'"

Bruce Schneier - Atlas of Surveillance: "The EFF has released its Atlas of Surveillance, which documents police surveillance technology across the US."

Cisco Talos - Weathering the storm: In the midst of a Typhoon: "Cisco Talos has been closely monitoring reports of widespread intrusion activity against several major U.S. telecommunications companies. The activity, initially reported in late 2024 and later confirmed by the U.S. government, is being carried out by a highly sophisticated threat actor dubbed Salt Typhoon. This blog highlights our observations on this campaign and identifies recommendations for detection and prevention of the actor's activities."

Fortinet - FortiSandbox 5.0 Detects Evolving Snake Keylogger Variant: "FortiGuard Labs leveraged the advanced capabilities of FortiSandbox v5.0 (FSAv5) to detect a new variant of the Snake Keylogger (also known as 404 Keylogger). This malware, identified as AutoIt/Injector.GTY!tr, has been responsible for over 280 million blocked infection attempts, highlighting its extensive reach across regions. The majority of these detections have been concentrated in China, Turkey, Indonesia, Taiwan, and Spain, suggesting a significant impact in these areas. This high volume of detections underscores the malware's ongoing global threat and its potential to affect organizations and users worldwide. The recent surge in activity also highlights the continuous evolution of keylogger malware and the need for advanced detection mechanisms."

Krebs On Security - How Phished Data Turns into Apple & Google Wallets: Carding — the underground business of stealing, selling and swiping stolen payment card data — has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.

Orange Cyberdefense - Meet NailaoLocker: a ransomware distributed in Europe by ShadowPad and PlugX backdoors: Last year, Orange Cyberdefense's CERT investigated a series of incidents from an unknown threat actor leveraging both ShadowPad and PlugX. Tracked as Green Nailao (“Nailao” meaning “cheese” in Chinese – a topic our World Watch CTI team holds in high regard), the campaign impacted several European organizations, including in the healthcare vertical, during the second half of 2024. We believe this campaign has targeted a larger panel of organizations across the world throughout multiple sectors.

This week's tools

mytechnotalent/Reverse-Engineering: A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures.

wtsxDev/reverse-engineering: A list of awesome reverse engineering resources.

iBotPeaches/Apktool: A tool for reverse engineering Android .apk files.

radareorg/radare2: A UNIX-like reverse engineering framework and command-line toolset.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and only have a difficult year battling with newer, more esoteric adversaries than ever before.

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

And here are our picks for this month:

SecureWorld Financial Services Virtual Conference (27th Feb, hybrid): Investigate forensics, develop playbooks, and utilize AI towards the ends of securing your security posture in the dangerous world of financial services. A variety of speakers and networking opportunities will help you make the step up.

Conf42: Cloud Native 2025 (6th March): Covering everything from AI, APIs, AWS, Data, Healthcare, Optimization, Security, and tools (as well as everything in between), this year's Conf42 is looking to be a conference with a little bit of something for everyone. Don't miss out on this exclusively online event - you might even see yours truly there too!

SANS Security East Baltimore (3rd-8th March): For those of you on the East Coast, East Baltimore is the place to be this year. Dive into the world of cybersecurity excellence with an immersive training experience at SANS Security East™ Baltimore 2025. Led by world-renowned instructors boasting extensive industry experience, this flagship training conference offers live access to these top experts in the field.

Don't miss out!

Austin Miller
14 Feb 2025

#185: Top Speed in Reverse!
Stepping up with Reverse Engineering

Continuous Control Validation: Maximize the Security Tools You Already Have. Misconfigurations in your control environment are a gateway for security incidents. Prelude automatically and continuously monitors your security tools for missing controls, policy misconfigurations, and suboptimal performance so you can quickly visualize gaps in your defenses. Create a free account, connect your tools, and understand whether your security investments are working as expected. Create your account

#185: Top Speed in Reverse!

Stepping up with reverse engineering

Welcome to another _secpro!

Last week, we took a look at reverse engineering in cybersecurity (don't miss out on last week's introductory article) in order to get you into the swing of things, but now we're making the step up. Do you need something to help you move from a reverse engineering newbie to someone with a valuable skill in their toolkit? Then check out Ghidra Software Reverse Engineering for Beginners, new from Packt - complete with a tasty little teaser for you all to get your excited hands on here: check it out on Substack!

And then, of course, we've got our usual news, tools, and conference venues roundup as well. Sound good? Well, let's get started!

That's why in the editor's spotlight this week, I advise you to all read Bruce Schneier's Deepfakes and the 2024 US Election!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

Reverse engineering in cybersecurity

Understanding its role and how people use it

Cybersecurity isn't just about defending against threats—it's also about understanding how they work. That's where reverse engineering comes in. Whether it's analyzing malware, uncovering software vulnerabilities, or inspecting hardware for backdoors, security professionals use reverse engineering to break things down and figure out how they operate.

Read the rest here!

New from Packt: Ghidra Software Reverse-Engineering for Beginners

Check out an excerpt here!

News Bytes

Bruce Schneier - DOGE as a National Cyberattack: "In the span of just weeks, the US government has experienced what may be the most consequential security breach in its history—not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role. And the implications for national security are profound."

Bruce Schneier - Delivering Malware Through Abandoned Amazon S3 Buckets: "Here's a supply-chain attack just waiting to happen. A group of researchers searched for, and then registered, abandoned Amazon S3 buckets for about $400. These buckets contained software libraries that are still used. Presumably the projects don't realize that they have been abandoned, and still ping them for patches, updates, and etc..."

Bruce Schneier - Trusted Execution Environments: "Really good—and detailed—survey of Trusted Execution Environments (TEEs)."

Red Hat - A toolkit for your toolkit: 7 learning resources to migrate to OpenShift Virtualization: Organizations around the world have been using virtual machines for decades, often staying with a single vendor because migrating those virtual machines (VMs) from one hypervisor to another can be such a monumental task. Red Hat's migration toolkit for virtualization (MTV) facilitates the complex task of migrating VMs to Red Hat OpenShift Virtualization with tools that are easy to use, highly configurable and can be automated to handle even the largest environments.

Red Hat - Beyond the AI pilot project: Building a foundation for generative AI: Organ

Trend Micro - Chinese-Speaking Group Manipulates SEO with BadIIS: "In 2024, we observed a substantial distribution of malware known as "BadIIS" in Asia. BadIIS targets Internet Information Services (IIS) and can be used for SEO fraud or to inject malicious content into the browsers of legitimate users. This includes displaying unauthorized ads, distributing malware, and even conducting watering hole attacks aimed at specific groups. In this campaign, threat actors exploit vulnerable IIS servers to install the BadIIS malware on the compromised servers. Once users send a request to a compromised server, they might receive altered content from attackers."

This week's tools

mytechnotalent/Reverse-Engineering: A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit/64-bit ARM, 8-bit AVR and 32-bit RISC-V architectures.

wtsxDev/reverse-engineering: A list of awesome reverse engineering resources.

iBotPeaches/Apktool: A tool for reverse engineering Android .apk files.

radareorg/radare2: A UNIX-like reverse engineering framework and command-line toolset.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and only have a difficult year battling with newer, more esoteric adversaries than ever before.

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK's National Cyber Security Centre (NCSC), CyberUK is the government's flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts.
Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.And here are our picks for this month:SecureWorld Financial Services Virtual Conference (27th Feb, hybrid): Investigate forensics, develop playbooks, and utilize AI towards the ends of securing your secuirty posture in the dangerous world of financial services. A variety of speakers and networking opportunities will help you make the step up.Conf42: Cloud Native 2025 (6th March): Covering everything from AI, APIs, AWS, Data, Healthcare, Optimization, Security, and tools (as well as everything in between), this year's Conf42 is looking to be a conference with a little bit of something for everyone. Don't miss out on this exclusively online event - you might even see yours truly there too!SANS Security East Baltimore (3rd-8th March): For those of you on the East Coast, East Baltimore is the place to be this year. Dive into the world of cybersecurity excellence with an immersive training experience at SANS Security EastTM Baltimore 2025. Led by world-renowned instructors boasting extensive industry experience, this flagship training conference offers live access to these top experts in the field.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}.reverse{display:table;width: 100%;
#184: Understanding Reverse Engineering

Austin Miller
07 Feb 2025
Looking backwards at things to come

Welcome to another _secpro!

It's been a busy week in cybersecurity - just like every other week... - so we thought you'd appreciate something to reinvigorate your approach to work. We're taking a look at reverse engineering in cybersecurity and setting up our new initiative to get tasty introductions into your inbox every week. Sound good? Well, let's get started!

In the editor's spotlight this week, I advise you all to read Bruce Schneier's Deepfakes and the 2024 US Election!

Cheers!
Austin Miller
Editor-in-Chief

Get season one for free

In the run up to season three of the secpro podcast, here is a roll-out of the first season - that we recorded all that time ago! - for free. This means everyone can get access to some great talks about getting ahead in cybersecurity, using different tools, and getting into exciting areas for cybersecurity professionals. Don't take my word for it - check it out!

1. Hack the Cybersecurity Interview with Ken, Christophe, and Tia
2. The Ultimate Kali Linux Guide with Glen D. Singh
3. Threat Hunting using Elastic Stack with Andrew Pease
4. Cybersecurity Threats, Malware Trends and Strategies with Tim Rains
5. What is Palo Alto Networks? with Tom Piens
6. Azure Penetration Testing for Ethical Hackers with Karl Fosaaen
7. Managing Challenges in Computer Forensics with William Oettinger

Check it out!

Reverse engineering in cybersecurity: understanding its role and how people use it

Cybersecurity isn’t just about defending against threats—it’s also about understanding how they work. That’s where reverse engineering comes in. Whether it’s analyzing malware, uncovering software vulnerabilities, or inspecting hardware for backdoors, security professionals use reverse engineering to break things down and figure out how they operate. Read the rest here!

News Bytes

Bruce Schneier - AIs and Robots Should Sound Robotic: "Most people know that robots no longer sound like tinny trash cans. They sound like Siri, Alexa, and Gemini. They sound like the voices in labyrinthine customer support phone trees. And even those robot voices are being made obsolete by new AI-generated voices that can mimic every vocal nuance and tic of human speech, down to specific regional accents. And with just a few seconds of audio, AI can now clone someone’s specific voice."

Bruce Schneier - On Generative AI Security: "Microsoft’s AI Red Team just published “Lessons from Red Teaming 100 Generative AI Products.” Their blog post lists “three takeaways,” but the eight lessons in the report itself are more useful..."

Bruce Schneier - Deepfakes and the 2024 US Election: "We analyzed every instance of AI use in elections collected by the WIRED AI Elections Project (source for our analysis), which tracked known uses of AI for creating political content during elections taking place in 2024 worldwide. In each case, we identified what AI was used for and estimated the cost of creating similar content without AI. We find that (1) half of AI use isn’t deceptive, (2) deceptive content produced using AI is nevertheless cheap to replicate without AI, and (3) focusing on the demand for misinformation rather than the supply is a much more effective way to diagnose problems and identify interventions."

Bruce Schneier - Journalists and Civil Society Members Using WhatsApp Targeted by Paragon Spyware: "This is yet another story of commercial spyware being used against journalists and civil society members: "The journalists and other civil society members were being alerted of a possible breach of their devices, with WhatsApp telling the Guardian it had “high confidence” that the 90 users in question had been targeted and “possibly compromised.""

Krebs on Security - Experts Flag Security, Privacy Risks in DeepSeek AI App: "New mobile apps from the Chinese artificial intelligence (AI) company DeepSeek have remained among the top three “free” downloads for Apple and Google devices since their debut on Jan. 25, 2025. But experts caution that many of DeepSeek’s design choices — such as using hard-coded encryption keys, and sending unencrypted user and device data to Chinese companies — introduce a number of glaring security and privacy risks."

Krebs on Security - FBI, Dutch Police Disrupt ‘Manipulaters’ Phishing Gang: "The FBI and authorities in The Netherlands this week seized dozens of servers and domains for a hugely popular spam and malware dissemination service operating out of Pakistan. The proprietors of the service, who use the collective nickname “The Manipulaters,” have been the subject of three stories published here since 2015. The FBI said the main clientele are organized crime groups that try to trick victim companies into making payments to a third party."

This week's tools

Bipan101/Phishing-Site-Detector: A JavaScript-based browser extension that detects and blocks phishing sites, protecting users from malicious links.
codeesura/Anti-phishing-extension: Safeguard your online experience with Anti-Phishing Extension! This extension is meticulously developed to protect users from potential phishing attacks by actively scanning the websites visited in real time. It employs an updated blacklist to cross-check each website and promptly alerts users if a potential threat is detected, enhancing.
julioliraup/Antiphishing: Suricata rulesets for protecting against phishing attacks.
phishai/phish-protect: Chrome extension to alert and possibly block IDN/Unicode websites and zero-day phishing websites using AI and Computer Vision.
phished-co/phished_web_app: Protect your friends and family from phishing attacks by phishing them yourself.

And here are our picks for this month:

Cybersecurity Implications of AI (12th Feb, online): "The 2025 ISMG Virtual AI Security Summit is the ultimate digital gathering for cybersecurity leaders and AI innovators, offering unique case studies into how artificial intelligence is transforming security strategies across diverse sectors. This global summit will feature actionable perspectives from top industry experts, exploring AI’s role in shaping the future of threat defense and identity protection."
#183: AI in 2025

Austin Miller
24 Jan 2025
A preliminary view of what is to come

Welcome to another _secpro!

This week, we go over a variety of commentaries about the emerging new issues around AI and cybersecurity in the new year - now that we are almost a whole month into it! We also free up our old podcasts to help a new gang of budding cybersecurity experts wrap their ears around some of the best insights that our associated authors have had to share with you all over the last two years. There is plenty to keep you busy this week, so make sure to tune in!

In the editor's spotlight this week, I advise you all to read Schneier's AI Will Write Complex Laws.

Cheers!
Austin Miller
Editor-in-Chief

News Bytes

Backupify - The State of SaaS Backup and Recovery Report 2025: "How are organizations safeguarding their critical data in an age of hybrid work, rapid cloud adoption and evolving cyberthreats? The State of SaaS Backup and Recovery Report 2025 unveils key findings from more than 3,000 IT and information security professionals worldwide."

Bruce Schneier - Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024): "Last month, Henry Farrell and [Schneier] convened the Third Interdisciplinary Workshop on Reimagining Democracy (IWORD 2024) at Johns Hopkins University’s Bloomberg Center in Washington DC. This is a small, invitational workshop on the future of democracy. As with the previous two workshops, the goal was to bring together a diverse set of political scientists, law professors, philosophers, AI researchers and other industry practitioners, political activists, and creative types (including science fiction writers) to discuss how democracy might be reimagined in the current century."

Bruce Schneier - AI Will Write Complex Laws: "Artificial intelligence (AI) is writing law today. This has required no changes in legislative procedure or the rules of legislative bodies—all it takes is one legislator, or legislative assistant, to use generative AI in the process of drafting a bill."

Bruce Schneier - Biden Signs New Cybersecurity Order: "President Biden has signed a new cybersecurity order. It has a bunch of provisions, most notably using the US government's procurement power to improve cybersecurity practices industry-wide. Some details: The core of the executive order is an array of mandates for protecting government networks based on lessons learned from recent major incidents—namely, the security failures of federal contractors."

Bruce Schneier - Social Engineering to Disable iMessage Protections: "A few days ago I started getting phishing SMS messages with a new twist. They were standard messages about delayed packages or somesuch, with the goal of getting me to click on a link and entering some personal information into a website. But because they came from unknown phone numbers, the links did not work. So—this is the new bit—the messages said something like: “Please reply Y, then exit the text message, reopen the text message activation link, or copy the link to Safari browser to open it."..."

Krebs on Security - MasterCard DNS Error Went Unnoticed for Years: "The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals."

Krebs on Security - Chinese Innovations Spawn Wave of Toll Phishing Via SMS: "Residents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states."

Push Security - 2024: A year of identity attacks: "Identity attacks where attackers look to take over accounts on internet-facing apps and services are by far the most common attack experienced by organizations today. But the events of 2024 show that they’re now also the most impactful."

And here are our picks for next month:

Cyber Security Training at SANS Cyber Security Central (3rd-8th Feb, hybrid): "World-Class Training, Live Online: Join us for an unparalleled learning experience delivered by world-renowned cybersecurity instructors. Benefit from real-time access to industry experts, immersive training sessions, and industry-leading hands-on labs - all from the comfort of your own environment."

Conf42: Python 2025 (6th Feb, hybrid): Accelerate the AI lifecycle, algorithmic trading with Python, implementing agentic AI solutions from scratch, and maximising cloud - there's something here for everyone! Check out this Python-focused conference to get the most out of your skillset.
#182: We're Back!

Austin Miller
17 Jan 2025
Getting back up to speedCloud Conversations: A Fireside Chat with Forrest Brazeal and RubrikJoin us on January 28th at 10 AM PST for a captivating fireside chat where storytelling meets cloud innovation. Forrest Brazeal—acclaimed cloud architect, author, and the creative mind behind cloud computing's most beloved cartoons—teams up with Rubrik’s Chief Business Officer, Mike Tornincasa to explore the evolving challenges of data protection in a multi-cloud world.Save Your SpotSPONSORED#182: Welcome Back!Getting back up to speedWelcome to another_secpro!We've run through the biggest stories over the festive period, looked ahead to the best conferences this year has to offer, and explored the best tools that we played with like they were our Christmas presents. There's something for everyone and we're making sure thatyouget whatyou need to do the best you can in your job.And with that, we're going to jump straight in!Check out _secpro premiumAs always, make sure to check out the templates, podcasts, and other stuff on ourSubstackand access the very best that we have to offer. You might even learn something!Cheers!Austin MillerEditor-in-ChiefA little treat...Of course, we're not letting you go away empty handed. He's a little bit from the previous season of the podcast, ready for the next season's start in the next few weeks. Something to keep you out of trouble!Check it out!News BytesBruce Schneier - FBI Deletes PlugX Malware from Thousands of Computers: "According to a DOJpress release, the FBI was able to delete the Chinese-used PlugX malware from “approximately 4,258 U.S.-based computers and networks. 
Details: "To retrieve information from and send commands to the hacked machines, the malware connects to a command-and-control server that is operated by the hacking group.According to the FBI, at least 45,000 IP addresses in the US had back-and-forths with the command-and-control server since September 2023..."Bruce Schneier - Microsoft Takes Legal Action Against AI “Hacking as a Service” Scheme: "Microsoft is accusing three individuals of running a “hacking-as-a-service” scheme that was designed to allow the creation of harmful and illicit content using the company’s platform for AI-generated content."Bruce Schneier - Apps That Are Spying on Your Location: "404 Media and Wired arereporting on all the apps that are spying on your location, based on a hack of the location data company Gravy Analytics: "The thousands of apps,included in hacked files from location data company Gravy Analytics, include everything from games like Candy Crush to dating apps like Tinder, to pregnancy tracking and religious prayer apps across both Android and iOS..."Bruce Schneier - The First Password on the Internet: "It wascreated in 1973 by Peter Kirstein: "So from the beginning I put password protection on my gateway. This had been done in such a way that even if UK users telephoned directly into the communications computer provided by Darpa in UCL, they would require a password. In fact this was the first password on Arpanet. It proved invaluable in satisfying authorities on both sides of the Atlantic for the 15 years I ran the service ­ during which no security breach occurred over my link. I also put in place a system of governance that any UK users had to be approved by a committee which I chaired but which also had UK government and British Post Office representation." I wish he’d told us what that password was.Krebs on Security - Microsoft: Happy 2025. Here’s 161 Security Updates: "Microsoft... 
unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three “zero-day” weaknesses that are already under active attack. Redmond’s inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017."

Krebs on Security - A Day in the Life of a Prolific Voice Phishing Crew: "Besieged by scammers seeking to phish user accounts over the telephone, Apple and Google frequently caution that they will never reach out unbidden to users this way. However, new details about the internal operations of a prolific voice phishing gang show the group routinely abuses legitimate services at Apple and Google to force a variety of outbound communications to their users, including emails, automated phone calls and system-level messages sent to all signed-in devices."

Krebs on Security - U.S. Army Soldier Arrested in AT&T, Verizon Extortions: "Federal authorities have arrested and indicted a 20-year-old U.S. Army soldier on suspicion of being Kiberphant0m, a cybercriminal who has been selling and leaking sensitive customer call records stolen earlier this year from AT&T and Verizon. As first reported by KrebsOnSecurity last month, the accused is a communications specialist who was recently stationed in South Korea."

Krebs on Security - Web Hacking Service ‘Araneida’ Tied to Turkish IT Firm: "Cybercriminals are selling hundreds of thousands of credential sets stolen with the help of a cracked version of Acunetix, a powerful commercial web app vulnerability scanner, new research finds. The cracked software is being resold as a cloud-based attack tool by at least two different services, one of which KrebsOnSecurity traced to an information technology firm based in Turkey."

This week's tools

Bipan101/Phishing-Site-Detector: A JavaScript-based browser extension that detects and blocks phishing sites, protecting users from malicious links.

codeesura/Anti-phishing-extension: Safeguard your online experience with Anti-Phishing Extension! This extension is meticulously developed to protect users from potential phishing attacks by actively scanning the websites visited in real time. It employs an updated blacklist to cross-check each website and promptly alerts users if a potential threat is detected, enhancing.

julioliraup/Antiphishing: Suricata rulesets for protecting against phishing attacks.

phishai/phish-protect: Chrome extension to alert and possibly block IDN/Unicode websites and zero-day phishing websites using AI and computer vision.

phished-co/phished_web_app: Protect your friends and family from phishing attacks by phishing them yourself.

Upcoming events for _secpros this year

Already, we've plunged back into the never-ending conveyor belt of conference after conference (for those of you lucky enough to attend the Intersec meeting in Dubai, let us know how it went!). If you've started the year on the wrong foot, you might think you're already behind the pace of the industry and have only a difficult year ahead, battling newer, more esoteric adversaries than ever before. Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.

CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in the technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.
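The phish-protect extension in this week's tools list flags IDN/Unicode look-alike hosts. The check below is an added example of how that class of detection works, written for this page and not taken from the phish-protect project: it punycode-decodes xn-- labels with the standard library's idna codec, classifies each letter's script from its Unicode name, and flags a label that either mixes scripts or is entirely non-Latin while every letter has a Latin look-alike. The sample hostnames are constructed (the two Cyrillic ones are the classic "apple" homographs), and the CONFUSABLES table is a hand-picked subset of the Unicode confusables data, so a production check should load the full UTS #39 table instead.

```python
import unicodedata

# Constructed sample hostnames for the example (not taken from any phishing feed).
# The xn-- forms are standard punycode; the comments give the decoded label.
SAMPLE_HOSTS = [
    "www.example.com",      # plain ASCII, nothing to decode
    "xn--mller-kva.de",     # "müller.de": a legitimate, single-script Latin IDN
    "xn--pple-43d.com",     # "аpple.com": Cyrillic U+0430 followed by Latin "pple"
    "xn--80ak6aa92e.com",   # "аррӏе.com": every letter Cyrillic, all shaped like Latin
]

# Hand-picked subset of Unicode confusables mapping non-Latin letters to the Latin
# letter they resemble. A real deployment should load the full UTS #39 data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",
}


def decode_idn(host):
    """Return the Unicode form of a hostname: xn-- labels are punycode-decoded by
    the standard library's idna codec, everything else passes through unchanged."""
    if host.isascii():
        return host.lower().encode("ascii").decode("idna")
    return host


def script_of(ch):
    """Rough script classification from the character's Unicode name
    ('LATIN', 'CYRILLIC', 'GREEK', ...); digits and punctuation are 'COMMON'."""
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyze_host(host):
    """Flag a label when it mixes scripts, or when it is entirely non-Latin yet
    every letter has a Latin look-alike (a whole-script homograph)."""
    unicode_host = decode_idn(host)
    findings = []
    for label in unicode_host.split("."):
        letters = [c for c in label if script_of(c) != "COMMON"]
        scripts = {script_of(c) for c in letters}
        # What a user would read at a glance, with look-alikes replaced by Latin
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        if len(scripts) > 1:
            findings.append({"label": label, "reason": "mixed-script", "looks_like": skeleton})
        elif letters and "LATIN" not in scripts and all(c in CONFUSABLES for c in letters):
            findings.append({"label": label, "reason": "whole-script-homograph", "looks_like": skeleton})
    return {"host": host, "unicode": unicode_host, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        r = analyze_host(h)
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{h:24} {r['unicode']:16} {flag} {r['findings']}")
```

Two caveats a practitioner would want: the skeleton tells you what the label looks like, not whether that look-alike target is actually a brand you care about, so pair this with an allow-list of the domains you are protecting; and legitimate single-script IDNs such as the German example above must not be flagged, which is why the whole-script rule only fires when every letter has a Latin twin.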
#181: Until Next Time...

Austin Miller
13 Dec 2024
Our last issue of the year!

Welcome to another _secpro! This is our final edition for 2024, but don’t worry: we’ll be back with more insights and updates in January 2025. In the meantime, we’ve got a little holiday treat for you! Packt has some exciting offers lined up to help you boost your tech skills and get ready for an amazing new year. It’s the perfect opportunity to relax, learn something new, and stay ahead in your field. Keep an eye out for these special holiday deals! From all of us at the Packt Newsletters team, we wish you a joyful holiday season and a fantastic start to 2025. See you next year!

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

News Bytes

Akamai - Teaching an Old Framework New Tricks: The Dangers of Windows UI Automation: "Those of us who write for a living love dictation and grammar-checking software. Those of us who do security research for a living like to break stuff and write about it. So, after months of seeing ads for these writing assistants, we decided to tinker around and see what we could find. Specifically, we wanted to understand how an application can manipulate another application’s user interface (UI) remotely. What we discovered was just as shocking as learning that people still run XP: It is processed by a very old framework called the UI Automation framework."

Bruce Schneier - Jailbreaking LLM-Controlled Robots: "Surprising no one, it’s easy to trick an LLM-controlled robot into ignoring its safety instructions."

Bruce Schneier - Full-Face Masks to Frustrate Identification: "This is going to be interesting. It’s a video of someone trying on a variety of printed full-face masks. They won’t fool anyone for long, but will survive casual scrutiny. And they’re cheap and easy to swap."

Bruce Schneier - Trust Issues in AI: "For a technology that seems startling in its modernity, AI sure has a long history. Google Translate, OpenAI chatbots, and Meta AI image generators are built on decades of advancements in linguistics, signal processing, statistics, and other fields going back to the early days of computing—and, often, on seed funding from the U.S. Department of Defense. But today’s tools are hardly the intentional product of the diverse generations of innovators that came before. We agree with Morozov that the “refuseniks,” as he calls them, are wrong to see AI as “irreparably tainted” by its origins. AI is better understood as a creative, global field of human endeavor that has been largely captured by U.S. venture capitalists, private equity, and Big Tech. But that was never the inevitable outcome, and it doesn’t need to stay that way."

Bruce Schneier - Detecting Pegasus Infections: "The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1."

Claroty - Inside a New OT/IoT Cyberweapon: IOCONTROL: "IOCONTROL is believed to be part of a global cyber operation against western IoT and operational technology (OT) devices. Affected devices include routers, programmable logic controllers (PLCs), human-machine interfaces (HMIs), firewalls, and other Linux-based IoT/OT platforms. While the malware is believed to be custom-built by the threat actor, it seems that the malware is generic enough that it is able to run on a variety of platforms from different vendors due to its modular configuration."

FBI - Guan Tianfeng: Conspiracy to Commit Computer Fraud; Conspiracy to Commit Wire Fraud: "Guan Tianfeng is wanted for his alleged role in conspiring to access Sophos firewalls without authorization, cause damage to them, and retrieve and exfiltrate data from both the firewalls themselves and the computers behind these firewalls. The exploit was used to infiltrate approximately 81,000 firewalls. It is alleged that Guan Tianfeng's role in the conspiracy was to develop and test the zero-day vulnerability used to conduct the attack."

Krebs on Security - How Cryptocurrency Turns to Cash in Russian Banks: "A financial firm registered in Canada has emerged as the payment processor for dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services aimed at Russian-speaking customers, new research finds. Meanwhile, an investigation into the Vancouver street address used by this company shows it is home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which are physically located there."

Krebs on Security - Patch Tuesday, December 2024 Edition: "Microsoft today released updates to plug at least 70 security holes in Windows and Windows software, including one vulnerability that is already being exploited in active attacks. The zero-day seeing exploitation involves CVE-2024-49138, a security weakness in the Windows Common Log File System (CLFS) driver — used by applications to write transaction logs — that could let an authenticated attacker gain “system” level privileges on a vulnerable Windows device."

Jamf - Unauthorized access to iCloud: analyzing an iOS vulnerability that could expose sensitive data to attackers: "Recently, Jamf Threat Labs discovered a TCC bypass vulnerability affecting FileProvider in both macOS and iOS; if successfully exploited, the vulnerability could result in an app that is able to access sensitive data without the end user’s knowledge. We reported our findings to Apple, and in macOS 15 and iOS 18, Apple patched the vulnerability, assigning it CVE-2024-44131."

Lookout - Lookout Discovers New Chinese Surveillance Tool Used by Public Security Bureaus: "The surveillance family has been operational since at least 2017, and appears to require physical access to the device to initiate surveillance operations. An installer component, which would presumably be operated by law-enforcement officers who gained access to the unlocked device, is responsible for delivering a headless surveillance module that remains on the device and collects extensive sensitive data. We believe that this is the only distribution mechanism and neither the installer nor the payload have been observed on Google Play or other app stores."

Microsoft - Frequent freeloader part II: Russian actor Secret Blizzard using tools of other groups to attack Ukraine: "After co-opting the tools and infrastructure of another nation-state threat actor to facilitate espionage activities, as detailed in our last blog, Russian nation-state actor Secret Blizzard used those tools and infrastructure to compromise targets in Ukraine. Microsoft Threat Intelligence has observed that these campaigns consistently led to the download of Secret Blizzard’s custom malware, with the Tavdig backdoor creating the foothold to install their KazuarV2 backdoor."

Office of Public Affairs - Rydox Cybercrime Marketplace Shut Down and Three Administrators Arrested: "The Justice Department today announced the seizure of Rydox, an illicit website and marketplace dedicated to selling stolen personal information, access devices, and other tools for carrying out cybercrime and fraud, and the arrest of Rydox administrators and Kosovo nationals Ardit Kutleshi, 26, and Jetmir Kutleshi, 28. Both defendants were arrested earlier today in Kosovo by Kosovo law enforcement pursuant to a U.S. request for extradition. They are currently awaiting extradition to the United States to face an indictment unsealed today in the Western District of Pennsylvania."

WPScan - Unauthorized Plugin Installation/Activation in Hunk Companion: "This report highlights a vulnerability in the Hunk Companion plugin < 1.9.0 that allows unauthenticated POST requests to install and activate plugins directly from the WordPress.org repository. This flaw poses a significant security risk, as it enables attackers to install vulnerable or closed plugins, which can then be exploited for attacks such as Remote Code Execution (RCE), SQL Injection, Cross‑Site Scripting (XSS), or even the creation of administrative backdoors. By leveraging these outdated or unmaintained plugins, attackers can bypass security measures, manipulate database records, execute malicious scripts, and gain unauthorized administrative access to the site."

This week's tools

scythe-io/in-memory-cpython: An in-memory embedding of CPython, useful for offense/red teams.

Elastic Security's Threat Intel Filebeat Module: This module ingests data from a collection of different threat intelligence sources. The ingested data is meant to be used with Indicator Match rules but is also compatible with other features like Enrich Processors. The related threat intel attribute that is meant to be used for matching incoming source data is stored under the threatintel.indicator.* fields. You can learn how to ingest threat data with the Threat Intel Module in this blog.

Cyberlands-io/epiphany: Epiphany identifies weak spots of a web property that may be more vulnerable to DDoS, by crawling pages, measuring their timing, and using heuristics to determine if pages are cached.

Upcoming events for _secpros

Maximizing Impact: A Guide to Scaling Red Team Operations (19th December): "Even the best red teams in the world cannot cover the entire attack surface fast enough to keep up with your IT changes. That's where automation becomes crucial, enabling red teams to scale up effectively. Build your red teaming operations for scale in our upcoming webinar. Explore how the Pentera Platform automates red team activities and scenarios, relieving the team from ongoing mundane work. Free up your security experts to focus on investigating advanced threats and unique attack vectors, without the distraction of unnecessary noise."

2nd International Conference on Information Technology, Control and Automation (28th-29th December): "...a peer-reviewed conference that publishes articles which contribute new results in all areas of Information Technology (IT), Control Systems and Automation Engineering. The conference focuses on all technical and practical aspects of IT, Control Systems and automation with applications in real-world engineering and scientific problems. The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on information technology, control engineering, automation, modeling concepts and establishing new collaborations in these areas."

Cybersec Asia 2025: Shield Your Core (22nd-23rd January): "The event promises to bring together the brightest minds, leading organizations, and innovative solutions in the cybersecurity realm. The global cybersecurity market has witnessed significant growth, with investments reaching USD 190.4 billion in 2023 and projected to grow to USD 298.5 billion by 2028, at a CAGR of 9.4% during the forecast period. In the Asia-Pacific region, Thailand has emerged as a leader, securing the 7th position globally in the 2024 Global Cybersecurity Index (GCI), reflecting its commitment to enhancing cybersecurity measures."

2nd Annual DEFSEC 2025 (21st February): "The 2nd Annual DEFSEC 2025 conference is a specialized event dedicated to addressing the critical and complex challenges of cybersecurity in the defense and national security sectors. In a world where cyber threats evolve faster than ever, Defense Security 2025 provides a collaborative platform for examining advanced defense strategies, emerging technologies, and the integration of AI and automation to protect our most vital digital assets. The event emphasizes practical solutions and proactive strategies, enabling organizations to bolster their defenses against cyber adversaries that threaten national security and public infrastructure."
#180: Festive Deletings

Austin Miller
06 Dec 2024
As the year winds down, the adversary gets to work

Welcome to another _secpro! Here’s a quick roundup of the latest in cybersecurity.

Recent developments in cybersecurity highlight a range of sophisticated threats and vulnerabilities. Bruce Schneier explores emerging risks, including the "Flowbreaking" attack targeting large language model (LLM) systems by manipulating user inputs and outputs to disrupt broader system components. In addition, concerns over spyware and surveillance persist, as the NSO Group reportedly operates its Pegasus spyware on behalf of governments, while tools like GrayKey face limitations in bypassing security on the latest iOS versions. Moreover, Schneier critiques the MERGE voting protocol, suggesting that its promise of secure, verifiable online voting would require extensive legal and logistical reforms. Meanwhile, a new technique leveraging the Godot Gaming Engine for malware execution and a Python library updated to exfiltrate private keys via Telegram further demonstrate evolving cybercriminal tactics.

Other cybersecurity reports emphasize targeted attacks and vulnerabilities. The prolific hacker "Kiberphant0m," potentially a U.S. soldier, remains at large despite arrests related to Snowflake data breaches. Federal charges against members of the Scattered Spider hacking group highlight the scale of cyber intrusions against major U.S. tech firms. Researchers also uncovered 20 critical vulnerabilities in Advantech EKI wireless access points, enabling remote code execution. Advanced persistent threat groups like Earth Estries continue to target industries globally, employing stealthy techniques, while phishing-as-a-service campaigns now bypass multifactor authentication, exploiting Microsoft user accounts.

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

News Bytes

AmberWolf - Introducing NachoVPN: One VPN Server to Pwn Them All: "During our recent talk at SANS HackFest Hollywood 2024 titled Very Pwnable Networks: Exploiting the Top Corporate VPN Clients for Remote Root and SYSTEM Shells, we shared details of how vulnerabilities in leading corporate VPN clients can be exploited by attackers. In this presentation, we presented the details of how we discovered vulnerabilities in the most popular and widely used corporate VPN clients, and how these vulnerabilities could be exploited by attackers to gain Remote Code Execution on both macOS and Windows Operating Systems. Today, we are thrilled to announce the release of NachoVPN, an open-source tool that demonstrates the attack scenarios we discussed and helps security professionals understand and mitigate these risks. Alongside NachoVPN, we are also publishing detailed advisories for the vulnerabilities we uncovered."

Bruce Schneier - Detecting Pegasus Infections: "The company’s Mobile Threat Hunting feature uses a combination of malware signature-based detection, heuristics, and machine learning to look for anomalies in iOS and Android device activity or telltale signs of spyware infection. For paying iVerify customers, the tool regularly checks devices for potential compromise. But the company also offers a free version of the feature for anyone who downloads the iVerify Basics app for $1. These users can walk through steps to generate and send a special diagnostic utility file to iVerify and receive analysis within hours. Free users can use the tool once a month. iVerify’s infrastructure is built to be privacy-preserving, but to run the Mobile Threat Hunting feature, users must enter an email address so the company has a way to contact them if a scan turns up spyware—as it did in the seven recent Pegasus discoveries."

Bruce Schneier - AI and the 2024 Elections: "It’s been the biggest year for elections in human history: 2024 is a “super-cycle” year in which 3.7 billion eligible voters in 72 countries had the chance to go the polls. These are also the first AI elections, where many feared that deepfakes and artificial intelligence-generated misinformation would overwhelm the democratic processes. As 2024 draws to a close, it’s instructive to take stock of how democracy did."

Bruce Schneier - Algorithms Are Coming for Democracy—but It’s Not All Bad: "In 2025, AI is poised to change every aspect of democratic politics—but it won’t necessarily be for the worse. India’s prime minister, Narendra Modi, has used AI to translate his speeches for his multilingual electorate in real time, demonstrating how AI can help diverse democracies to be more inclusive. AI avatars were used by presidential candidates in South Korea in electioneering, enabling them to provide answers to thousands of voters’ questions simultaneously. We are also starting to see AI tools aid fundraising and get-out-the-vote efforts."

Cisco - Cisco Adaptive Security Appliance WebVPN Login Page Cross-Site Scripting Vulnerability: "A vulnerability in the WebVPN login page of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of WebVPN on the Cisco ASA. The vulnerability is due to insufficient input validation of a parameter. An attacker could exploit this vulnerability by convincing a user to access a malicious link."

Europol - Fraudulent shopping sites tied to cybercrime marketplace taken offline: "Europol has supported the dismantling of a sophisticated criminal network responsible for facilitating large-scale online fraud. In an operation led by the Hanover Police Department (Polizeidirektion Hannover) and the Verden Public Prosecutor’s Office (Staatsanwaltschaft Verden) in Germany, and supported by law enforcement authorities across Europe, over 50 servers were seized, significant digital evidence was secured, and two key suspects were placed in pretrial detention."

JFrog - Machine Learning Bug Bonanza – Exploiting ML Clients and “Safe” Model Formats: "...we will showcase vulnerabilities in ML clients, such as tools used by Data Scientists or ML CI/CD Pipelines (MLOps) that can cause code execution when loading an untrusted piece of data. While the threat is obvious when loading a malicious ML model of a known unsafe type (e.g. Loading a Pickle-based model), we will highlight some vulnerabilities that affect ML clients when loading other types of data."

Krebs on Security - U.S. Offered $10M for Hacker Just Arrested by Russia: "In January 2022, KrebsOnSecurity identified a Russian man named Mikhail Matveev as “Wazawaka,” a cybercriminal who was deeply involved in the formation and operation of multiple ransomware groups. The U.S. government indicted Matveev as a top ransomware purveyor a year later, offering $10 million for information leading to his arrest. Last week, the Russian government reportedly arrested Matveev and charged him with creating malware used to extort companies."

Krebs on Security - Why Phishers Love New TLDs Like .shop, .top and .xyz: "Phishing attacks increased nearly 40 percent in the year ending August 2024, with much of that growth concentrated at a small number of new generic top-level domains (gTLDs) — such as .shop, .top, .xyz — that attract scammers with rock-bottom prices and no meaningful registration requirements, new research finds. Meanwhile, the nonprofit entity that oversees the domain name industry is moving forward with plans to introduce a slew of new gTLDs."

Lumen - Snowblind: The Invisible Hand of Secret Blizzard: "Lumen’s Black Lotus Labs has uncovered a longstanding campaign orchestrated by the Russian-based threat actor known as “Secret Blizzard” (also referred to as Turla). This group has successfully infiltrated 33 separate command-and-control (C2) nodes used by Pakistani-based actor, “Storm-0156.” Known for their focus on espionage, Storm-0156 is associated in public reporting with two activity clusters, “SideCopy” and “Transparent Tribe.” This latest campaign, spanning the last two years, is the fourth recorded case of Secret Blizzard embedding themselves in another group’s operations since 2019 when they were first seen repurposing the C2s of an Iranian threat group."

NCA - Operation Destabilise: NCA disrupts $multi-billion Russian money laundering networks with links to drugs, ransomware and espionage, resulting in 84 arrests: "An international NCA-led investigation - Operation Destabilise - has exposed and disrupted Russian money laundering networks supporting serious and organised crime around the world: spanning from the streets of the UK, to the Middle East, Russia, and South America. Investigators have identified two Russian-speaking networks collaborating at the heart of the criminal enterprise; Smart and TGR."

Socket - Supply Chain Attack Detected in Solana's web3.js Library: "A supply chain attack has been detected in versions 1.95.6 and 1.95.7 of the popular @solana/web3.js library, which receives more than ~350,000 weekly downloads on npm. These compromised versions contain injected malicious code that is designed to steal private keys from unsuspecting developers and users, potentially enabling attackers to drain cryptocurrency wallets."

Trend Micro - MOONSHINE Exploit Kit and DarkNimbus Backdoor Enabling Earth Minotaur’s Multi-Platform Attacks: "We have been continuously monitoring the MOONSHINE exploit kit’s activity since 2019. During our research, we discovered a MOONSHINE exploit kit server with improper operational security: Its server exposed MOONSHINE’s toolkits and operation logs, which revealed the information of possible victims and the attack tactics of a threat actor we have named Earth Minotaur."

This week's tools

scythe-io/in-memory-cpython: An in-memory embedding of CPython, useful for offense/red teams.

Elastic Security's Threat Intel Filebeat Module: This module ingests data from a collection of different threat intelligence sources. The ingested data is meant to be used with Indicator Match rules but is also compatible with other features like Enrich Processors. The related threat intel attribute that is meant to be used for matching incoming source data is stored under the threatintel.indicator.* fields. You can learn how to ingest threat data with the Threat Intel Module in this blog.

Cyberlands-io/epiphany: Epiphany identifies weak spots of a web property that may be more vulnerable to DDoS, by crawling pages, measuring their timing, and using heuristics to determine if pages are cached.

Upcoming events for _secpros

CIOMeet Houston (12th December): "Successful CIOs empower themselves with the knowledge and experience of their community. Moderated by Former Mission Health CTO, Joseph Wolfgram, CIOMeet Houston collaborate IT leaders with diverse backgrounds, experiences, and industries to connect the dots between innovation, efficiency, and collaboration. Join us over an epicurean lunch as we discuss, debate, and challenge the current directions within the Office of the CIO."

Cybersecurity Law, Regulations, and Compliance: What to Expect in 2025 (12th December): "ImmuniWeb is hosting an interactive webinar “Cybersecurity Law, Regulations and Compliance” for all our customers and partners who will receive personal invitations. The public is also welcome to join by a quick registration below (subject to approval). The webinar encompasses the most recent updates since July 2024."

Maximizing Impact: A Guide to Scaling Red Team Operations (19th December): "Even the best red teams in the world cannot cover the entire attack surface fast enough to keep up with your IT changes. That's where automation becomes crucial, enabling red teams to scale up effectively. Build your red teaming operations for scale in our upcoming webinar. Explore how the Pentera Platform automates red team activities and scenarios, relieving the team from ongoing mundane work. Free up your security experts to focus on investigating advanced threats and unique attack vectors, without the distraction of unnecessary noise."

2nd International Conference on Information Technology, Control and Automation (28th-29th December): "...a peer-reviewed conference that publishes articles which contribute new results in all areas of Information Technology (IT), Control Systems and Automation Engineering. The conference focuses on all technical and practical aspects of IT, Control Systems and automation with applications in real-world engineering and scientific problems. The goal of this conference is to bring together researchers and practitioners from academia and industry to focus on information technology, control engineering, automation, modeling concepts and establishing new collaborations in these areas."

Cybersec Asia 2025: Shield Your Core (22nd-23rd January): "The event promises to bring together the brightest minds, leading organizations, and innovative solutions in the cybersecurity realm. The global cybersecurity market has witnessed significant growth, with investments reaching USD 190.4 billion in 2023 and projected to grow to USD 298.5 billion by 2028, at a CAGR of 9.4% during the forecast period. In the Asia-Pacific region, Thailand has emerged as a leader, securing the 7th position globally in the 2024 Global Cybersecurity Index (GCI), reflecting its commitment to enhancing cybersecurity measures."

2nd Annual DEFSEC 2025 (21st February): "The 2nd Annual DEFSEC 2025 conference is a specialized event dedicated to addressing the critical and complex challenges of cybersecurity in the defense and national security sectors. In a world where cyber threats evolve faster than ever, Defense Security 2025 provides a collaborative platform for examining advanced defense strategies, emerging technologies, and the integration of AI and automation to protect our most vital digital assets. The event emphasizes practical solutions and proactive strategies, enabling organizations to bolster their defenses against cyber adversaries that threaten national security and public infrastructure."
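The Elastic Security Threat Intel Filebeat module listed under this week's tools (in this issue and in #181 above) exists so that Indicator Match rules can compare fields of incoming events against threatintel.indicator.* values. The following is an added example, written for this page and not Elastic's or the module's code, of what that match looks like when done by hand: a small set of constructed indicators (exact IPs, a CIDR range, a domain and a file hash) is indexed once, then a handful of constructed key=value events are checked field by field. The output key names deliberately echo the module's threatintel.indicator.* fields, but the indicator records, log lines and the choice to match subdomains of an indicator domain are all assumptions of this example.

```python
import ipaddress
import re

# Constructed indicators (not a real feed). The keys loosely mirror the
# threatintel.indicator.* fields the Elastic module populates.
INDICATORS = [
    {"type": "ipv4-addr", "value": "198.51.100.23", "feed": "constructed-feed"},
    {"type": "ipv4-addr", "value": "203.0.113.0/24", "feed": "constructed-feed"},
    {"type": "domain-name", "value": "updates.bad.example", "feed": "constructed-feed"},
    {"type": "file", "value": "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
     "feed": "constructed-feed"},
]

# Constructed key=value events, the shape a proxy or EDR might ship (not real logs).
SAMPLE_EVENTS = [
    "ts=2024-12-13T09:00:01Z src_ip=10.0.0.5 dest_ip=198.51.100.23 dns=cdn.example.org",
    "ts=2024-12-13T09:00:02Z src_ip=10.0.0.7 dest_ip=203.0.113.77 dns=mirror.example.org",
    "ts=2024-12-13T09:00:03Z src_ip=10.0.0.9 dest_ip=192.0.2.10 dns=api.updates.bad.example",
    "ts=2024-12-13T09:00:04Z src_ip=10.0.0.9 dest_ip=192.0.2.10 "
    "file_hash=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
    "ts=2024-12-13T09:00:05Z src_ip=10.0.0.3 dest_ip=192.0.2.44 dns=www.example.org",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; values cannot contain whitespace."""
    return dict(KV_RE.findall(line))


class IndicatorIndex:
    """Index indicators once so each event field is an O(1) lookup for exact
    values and a short linear scan for CIDR ranges."""

    def __init__(self, indicators):
        self.exact_ips, self.domains, self.hashes, self.networks = {}, {}, {}, []
        for ind in indicators:
            v = ind["value"]
            if ind["type"] == "ipv4-addr":
                if "/" in v:
                    self.networks.append((ipaddress.ip_network(v, strict=False), ind))
                else:
                    self.exact_ips[v] = ind
            elif ind["type"] == "domain-name":
                self.domains[v.lower().rstrip(".")] = ind
            elif ind["type"] == "file":
                self.hashes[v.lower()] = ind   # hashes compared case-insensitively

    def match_ip(self, ip):
        if ip in self.exact_ips:
            return self.exact_ips[ip]
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        return next((ind for net, ind in self.networks if addr in net), None)

    def match_domain(self, name):
        # Walk up the labels so a subdomain of an indicator domain also matches.
        # Assumption of this example: broader than a plain exact-value match.
        labels = name.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            ind = self.domains.get(".".join(labels[i:]))
            if ind:
                return ind
        return None

    def match_hash(self, h):
        return self.hashes.get(h.lower())


# Which event field is compared against which indicator type.
FIELD_MATCHERS = {"dest_ip": "match_ip", "src_ip": "match_ip",
                  "dns": "match_domain", "file_hash": "match_hash"}


def match_events(lines, index):
    """Return one alert per (event, field) pair that hit an indicator."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for field, method in FIELD_MATCHERS.items():
            if field not in event:
                continue
            ind = getattr(index, method)(event[field])
            if ind:
                alerts.append({
                    "event": event,
                    "matched_field": field,
                    "threatintel.indicator.type": ind["type"],
                    "threatintel.indicator.value": ind["value"],
                    "threatintel.indicator.provider": ind["feed"],
                })
    return alerts


if __name__ == "__main__":
    for a in match_events(SAMPLE_EVENTS, IndicatorIndex(INDICATORS)):
        print(a["event"]["ts"], a["matched_field"], "->", a["threatintel.indicator.value"])
```

Two points carry over to the real thing: normalise both sides (lower-case hashes and domains, strip trailing dots) before comparing, or a feed entry and a log field that differ only in case will silently miss; and decide explicitly whether a subdomain of an indicator domain should match, because suffix matching catches attacker-controlled hosts under a flagged zone but also fires on every host under a shared hosting domain that ended up in a feed.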
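The Socket item above names two compromised releases of @solana/web3.js, 1.95.6 and 1.95.7. The first thing a practitioner wants after such a report is a way to ask every repository whether one of those versions is pinned anywhere in its dependency tree, including transitively. The script below is an added example, not Socket's tooling or anything from the web3.js project: it walks an npm lockfile in either the v2/v3 "packages" layout or the v1 nested "dependencies" layout and reports every install path whose package and version appear in an advisory map. The package name and the two versions come from the report; the lockfile contents and the other package names are constructed for the example.

```python
import json

# Advisory map: package name -> versions known to be compromised.
# The web3.js versions are the ones named in the Socket report; the map
# shape itself is an assumption of this example.
COMPROMISED = {
    "@solana/web3.js": {"1.95.6", "1.95.7"},
}

# Constructed package-lock.json in the lockfileVersion 3 layout (not a real project).
SAMPLE_LOCK = json.loads("""
{
  "name": "constructed-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "constructed-app",
         "dependencies": {"@solana/web3.js": "^1.95.0", "some-wallet-sdk": "2.1.0"}},
    "node_modules/@solana/web3.js": {"version": "1.95.7"},
    "node_modules/some-wallet-sdk": {"version": "2.1.0"},
    "node_modules/some-wallet-sdk/node_modules/@solana/web3.js": {"version": "1.95.5"},
    "node_modules/other-tool": {"version": "0.4.2"},
    "node_modules/other-tool/node_modules/@solana/web3.js": {"version": "1.95.6"}
  }
}
""")


def package_name(lock_path):
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b'.
    Scoped names contain a slash, so cut at the last 'node_modules/' marker."""
    marker = "node_modules/"
    idx = lock_path.rfind(marker)
    return lock_path[idx + len(marker):] if idx != -1 else lock_path


def iter_installed(lock):
    """Yield (install_path, name, version) for every installed package.
    v2/v3 lockfiles list every path flat under 'packages'; v1 lockfiles nest
    transitive dependencies under each entry's own 'dependencies'."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "" or "version" not in meta:   # "" is the root project
                continue
            yield path, package_name(path), meta["version"]
        return

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            yield path, name, meta.get("version")
            yield from walk(meta.get("dependencies", {}), path + "/")

    yield from walk(lock.get("dependencies", {}), "")


def find_compromised(lock, advisories=COMPROMISED):
    """Return every install path whose (name, version) is in the advisory map."""
    return [
        {"path": path, "name": name, "version": version}
        for path, name, version in iter_installed(lock)
        if name in advisories and version in advisories[name]
    ]


if __name__ == "__main__":
    hits = find_compromised(SAMPLE_LOCK)
    for h in hits:
        print(f"COMPROMISED {h['name']}@{h['version']} at {h['path']}")
    print("clean" if not hits else f"{len(hits)} hit(s)")
```

A clean lockfile is necessary, not sufficient: a developer machine that ran `npm install` without a lockfile during the window the bad versions were live may have them in node_modules anyway, so check `npm ls @solana/web3.js` on build hosts and CI caches too, and treat any key that was loaded into a process with one of these versions as exposed.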