  • Howdy folks!

    strongthany@infosec.exchange
    Howdy folks! We are excited to announce the Call For Presentations (CFP) for @bsidestc 2026!

    This year's conference theme is "Building Resilience". We would love to hear your submissions of how you or people in your community have been "building resilience".

    Submissions will be open until July 19th 2026 23:59 CDT (UTC -5)

    Key Dates:
    • CFP Opens: April 20th
    • CFP Closes: July 19th
    • Acceptances: Week of August 3rd (rolling basis)

    https://bsidestc.org/call-for-proposals/

    #bsides #twincities #infosec #cybersecurity #hacking #Minneapolis #stpaul #security #securityconference #defcon #blackhat
    orlysec@swecyb.com
    (talosintelligence.com) Leveraging Generative AI to Deploy Adaptive Honeypots: Turning Attacker Automation into a Defensive Advantage

    In brief - Generative AI enables rapid deployment of adaptive honeypots, turning attacker automation into a defensive advantage by deceiving and studying automated threats in real-time. This approach shifts from passive detection to active deception, enhancing threat intelligence and defensive strategies.

    Technically - AI-driven honeypots consist of a network listener, simulated vulnerability (e.g., basic auth), and an AI framework (e.g., ChatGPT) for dynamic interaction. The AI impersonates environments like Linux shells or IoT devices, responding to attacker commands with context-aware outputs. For example, simulating a bash shell or smart fridge filesystem to observe and manipulate automated threats. This method leverages generative AI's adaptability for scalable, customizable deception, enabling defenders to analyze tactics such as exploitation of CVEs (e.g., Shellshock/CVE-2014-6271) or port knocking techniques in controlled environments.

    Source: https://blog.talosintelligence.com/ai-powered-honeypots-turning-the-tables-on-malicious-ai-agents/

    #Cybersecurity #ThreatIntel
    itsfoss@mastodon.social
    PyPI recently hosted some malicious code.

    https://itsfoss.com/news/elementary-data-cli-hijack/

    #pypi #elementarydata #cybersecurity
    anyrun_app@infosec.exchange
    #Lazarus Mach-O Man toolkit targets corporate systems and credentials, causing downtime and financial losses. A meeting invite in Telegram launches a multi-stage infection chain. To evade detection, the malware disguises itself as legitimate system processes, deploying Mach-O binaries. The final stealer harvests browser extensions, saved credentials, and Keychain entries — exfiltrating everything via the Telegram Bot API.

    Explore macrasv2 execution chain in a sandbox session and update your detection rules: https://app.any.run/tasks/94b9bc1f-86ff-4069-8222-1cb511d78ad9/?utm_source=mastodon&utm_medium=post&utm_campaign=lazarus_macos_case&utm_term=290426&utm_content=linktoservice

    Stay one step ahead with defense tips: https://any.run/cybersecurity-blog/lazarus-macos-malware-mach-o-man/?utm_source=mastodon&utm_medium=post&utm_campaign=lazarus_macos_case&utm_term=290426&utm_content=linktoblog

    #cybersecurity #infosec
    mire@infosec.exchange
    24 hours of MIRE/C³; the latest stats (Runmode: Neutral 404, delay-only)
    6,238 requests from 2,338 unique IPs
    Attacker bandwidth cost: 119.4MB
    Attacker total delay: 12h 17m server time
    Slowest response: 13.0s
    #MIREC3 #CyberSecurity #FightingBack
    shalien@mastodon.projetretro.io
    @jbmformateur Hey! Would it be possible to tell me the level of the diploma? I think it might interest my boss.
    cti_fyi@infosec.exchange
    New ransom group blog post!
    Group name: chaos
    Post title: cadencepetroleum.com
    Info: https://cti.fyi/groups/chaos.html
    #ransomware #cti #threatintelligence #cybersecurity #infosec
    marduk_james@infosec.exchange
    I just published a write-up on prototype pollution and how it leads to XSS.

    The key idea: you're not injecting into the sink—you're controlling the property lookup that eventually reaches it.

    Pollute → Gadget → Sink → Execution

    Includes examples and common vulnerable patterns (merge functions, __proto__, etc.)

    https://medium.com/@marduk.i.am/prototype-pollution-15f47d9e5c6a

    #Cybersecurity #WebSecurity #AppSec #Infosec #BugBounty
    verisizintisi@infosec.exchange
    Vimeo announces a data breach affecting user information. The incident was caused by a security breach at their vendor, Anodot. Users are advised to be cautious of phishing attempts. #Vimeo #DataBreach #Anodot #CyberSecurity

    https://verisizintisi.com/en/blog/2026-04-28-vimeo-user-data-exposed-in-anodot-vendor-breach
    blahster@social.tchncs.de
    @halbwach @evawolfangel Well, those people will be needed again soon. It keeps turning out that this A"I" thing doesn't work. That is the opportunity for smaller firms and medium-sized businesses.
    orlysec@swecyb.com
    (dragos.com) Manufacturing Under Siege: How IT/OT Convergence and Architectural Gaps Fuel Ransomware and OT Threats

    Manufacturing is the most targeted industrial sector for cyber attacks, with ransomware incidents nearly doubling in 2025—accounting for over two-thirds of all industrial victims. IT/OT convergence and architectural gaps enable rapid threat propagation and operational disruption.

    In brief - Manufacturing faces unprecedented ransomware targeting due to IT/OT integration, weak segmentation, and insufficient OT visibility. Shared domains and misclassified incidents delay response, while threat actors like AZURITE exfiltrate operational data for future OT attacks. Critical gaps in monitoring and defensible architecture heighten risk.

    Technically - Adversaries exploit weak IT/OT segmentation, using stolen credentials and compromised remote access (e.g., RDP, PowerShell) to reach VMware ESXi hypervisors hosting SCADA/HMI workloads. Encryption of virtualization layers causes Loss of View/Control without direct ICS protocol interaction. AZURITE targets engineering workstations to exfiltrate alarm data, configs, and credentials. 56% of penetration tests showed undetected lateral movement due to IT-centric monitoring lacking ICS protocol context. OT-specific IR plans, ICS-aware visibility, and secure remote access controls are critical to mitigate risks.

    Source: https://www.dragos.com/blog/manufacturing-cybersecurity-ot-threats

    #Cybersecurity #ThreatIntel
    orlysec@swecyb.com
    (wiz.io) Critical RCE Vulnerability in GitHub's Git Infrastructure Discovered via AI-Augmented Reverse Engineering

    Critical RCE vulnerability (CVE-2026-3854) in GitHub's git infrastructure allowed authenticated users to execute arbitrary commands on backend servers via a single git push. Affects GitHub.com and GitHub Enterprise Server (GHES), enabling cross-tenant exposure or full server compromise.

    In brief - Wiz Research discovered CVE-2026-3854, a critical injection flaw in GitHub's X-Stat protocol, enabling RCE on GitHub.com and full compromise of GHES instances. GitHub patched the issue within hours, highlighting risks in multi-service architectures and AI-augmented vulnerability research.

    Technically - The flaw (CVE-2026-3854) exploited unsanitized semicolons in git push options to inject arbitrary fields into the X-Stat header, overriding security-critical metadata (e.g., rails_env, custom_hooks_dir). This enabled sandbox bypass, hook directory redirection, and malicious hook injection via path traversal. On GHES, it granted full server access; on GitHub.com, RCE on shared storage nodes. Discovery leveraged AI-augmented reverse engineering tools like IDA MCP for binary analysis.

    Source: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854

    #Cybersecurity #ThreatIntel
    matchbook3469@infosec.exchange
    New security advisory:
    CVE-2026-41409 affects multiple systems.
    • Impact: Remote code execution or complete system compromise possible
    • Risk: Attackers can gain full control of affected systems
    • Mitigation: Patch immediately or isolate affected systems
    Full breakdown:
    https://www.yazoul.net/advisory/cve/cve-2026-41409-apache-mina-unauth-rce-via-deserialization
    #Cybersecurity #PatchNow #InfoSecCommunity
    orlysec@swecyb.com
    (kudelskisecurity.com) Critical Unauthenticated SQL Injection Vulnerability in FortiClient EMS 7.4.4 Under Active Exploitation

    Critical unauthenticated SQLi in FortiClient EMS 7.4.4 (CVE-2026-21643) actively exploited—51 attacking IPs observed. Immediate patching required.

    In brief - A severe unauthenticated SQL injection flaw in Fortinet FortiClient EMS 7.4.4 (CVE-2026-21643) is under active exploitation, with 51 distinct IPs targeting vulnerable instances. Successful exploitation risks unauthorized data access or manipulation via the EMS administrative interface. Patch to 7.4.5+ or apply mitigations urgently.

    Technically - CVE-2026-21643 enables unauthenticated SQLi via crafted `Site` HTTP headers to `/api/v1/init_consts` in FortiClient EMS 7.4.4. Inadequate input sanitization allows arbitrary SQL execution, with public exploit code available. Mitigations include upgrading to 7.4.5/7.4.7, restricting admin interface access, and deploying a WAF to block malicious requests.

    Source: https://kudelskisecurity.com/research/forticlient-ems-7-4-4-critical-sql-injection-flaw

    #Cybersecurity #ThreatIntel
    oldgeek@masto.yttrx.com
    @phil_stevens @elaterite @ai6yr @th That's where I'm hoping Canada finally says fuck it and rescinds their law making it illegal to reverse engineer encryption. Be a whole lot of Americans willing to buy any circumvention products so we can be free to repair our own damn stuff.
    beyondmachines1@infosec.exchange
    Honeypot Experiment Shows the Relentless Reality of SSH Brute-Force Attacks

    A 54-day SSH honeypot experiment recorded 269,000 automated connection attempts, revealing a trend of threat actors interested in Solana blockchain nodes and IoT devices using hardcoded credentials.

    **Disable password-based SSH authentication entirely and switch to SSH key authentication, as automated botnets are constantly hammering port 22 with millions of password guesses including default IoT and crypto-infrastructure credentials. Restrict SSH access to trusted IP addresses only (via firewall rules or VPN), change the default port if possible.**

    #cybersecurity #infosec #knowledge #awareness

    https://beyondmachines.net/event_details/honeypot-experiment-shows-the-relentless-reality-of-ssh-brute-force-attacks-k-v-k-z-j/gD2P6Ple2L
    orlysec@swecyb.com
    (profero.io) Analysis of WindowsAudit: A Modular .NET RAT Leveraging Discord, MQTT, and Telegram for C2 Operations

    New .NET RAT "WindowsAudit" (v1.5.77) leverages Discord, MQTT, and Telegram C2 channels for stealthy ops, targeting orgs with credential theft, AD abuse, and EDR bypass tactics.

    In brief - A sophisticated .NET RAT, WindowsAudit.exe, uses multiple C2 channels (Discord, MQTT, Telegram) to evade detection. It operates with LocalSystem privileges, employs advanced persistence, steals credentials, abuses Active Directory, and disables EDR solutions via Safe Mode reboots. Surveillance and lateral movement capabilities are also present.

    Technically - WindowsAudit.exe is a modular .NET 8 RAT with a statically-linked native loader executing an embedded managed DLL. Persistence is achieved via Windows Service (WinSATSvc.exe), WMI subscriptions, registry run keys, and scheduled tasks for Safe Mode recovery. C2 communication uses Discord (primary), MQTT (secondary), and Telegram (fallback). Evasion includes Hell's Gate (userland hook bypass), in-process AMSI/ETW patches, and targeted EDR removal. Credential access involves LSASS dumping, DPAPI theft, and Kerberos attacks (Kerberoasting, AS-REP roasting). AD abuse covers discovery, ACL manipulation, and delegation abuse. Execution primitives include interactive shells, SMB remote execution, APC injection, and parent PID spoofing. Monitor for service anomalies, Defender exclusions, Safe Mode pivots, and Discord/MQTT egress traffic.

    Source: https://profero.io/blog/windowsaudit-backdoor/

    #Cybersecurity #ThreatIntel
    orlysec@swecyb.com
    (talosintelligence.com) Defensive Priorities in an Era of Low-Barrier Cyber Attacks: Insights from Cisco Talos Incident Response Trends

    In brief - The cyber threat landscape is evolving rapidly, with attackers leveraging AI, credential abuse, and rapid exploit development to bypass defenses like MFA. Identity systems are now the primary battlefield, with legacy risks and trust-brokering platforms (e.g., VPNs, ADCs) as key targets. Defenders must prioritize exposure-based vulnerability remediation, anomalous behavior detection, and securing identity infrastructure to mitigate threats.

    Technically - Cisco Talos highlights attackers exploiting vulnerabilities like React2Shell and ToolShell within hours of disclosure, while older flaws (e.g., Log4Shell) persist. MFA spray attacks, session token theft, and device compromise are prevalent, with lateral movement via tools like PsExec. Legacy/embedded risks (e.g., PHP, ColdFusion) remain critical. Defenders should focus on exposure-based remediation, hardening authentication systems, and monitoring anomalous patterns (e.g., unusual auth flows) to counter AI-driven attacks and reduce alert fatigue.

    Source: https://blog.talosintelligence.com/five-defender-priorities-from-the-talos-year-in-review/

    #Cybersecurity #ThreatIntel
    orlysec@swecyb.com
    (europa.eu) Europol-Backed Operation Targets Black Axe Criminal Network in Multi-Country Raids

    Operation targeting Black Axe criminal network results in 10 arrests, including the group's 'Regional Head' for Southern Europe, following Europol-backed raids in Switzerland and Germany. The group, linked to the Neo-Black Movement, is responsible for romance scams, cyber fraud, and money laundering, with estimated annual proceeds in the billions.

    In brief - Europol-supported raids disrupt Black Axe, a hierarchical cybercriminal organization tied to romance scams and money laundering, leading to 10 arrests and highlighting the scale of transnational cyber-enabled fraud.

    Technically - Black Axe operates as a structured, zone-based criminal network leveraging cyber fraud (e.g., romance scams) to generate illicit funds, laundered via money mules. Europol's role included intelligence centralization, structural mapping, and cross-border coordination to dismantle dispersed but high-impact criminal cells.

    Source: https://www.europol.europa.eu/media-press/newsroom/news/europol-supports-hit-against-black-axe-criminal-organisation-in-switzerland-10-arrests

    #Cybersecurity #ThreatIntel
    orlysec@swecyb.com
    (malwarebytes.com) Chinese Aerospace Engineer Exploits Social Engineering in Four-Year Espionage Campaign Targeting US Research and Defense

    New FBI case reveals Chinese aerospace engineer Song Wu conducted a 4-year espionage campaign targeting NASA, US military, and academia via social engineering. Charged with wire fraud and aggravated identity theft for stealing export-controlled aerospace IP.

    In brief - A low-tech but highly effective spear-phishing operation by a state-linked actor evaded detection for years, exposing gaps in procedural security and identity verification. The case signals evolving threats from AI-driven deepfakes in social engineering.

    Technically - Wu impersonated legitimate researchers using fraudulent Gmail accounts to solicit proprietary computational fluid dynamics and missile performance software. Detection occurred via a tip, not technical controls, underscoring reliance on human reporting. The campaign exploited trust in academic/researcher networks, bypassing technical defenses. Emerging deepfake threats could amplify such attacks, necessitating stronger verification and cross-agency collaboration.

    Source: https://www.malwarebytes.com/blog/news/2026/04/chinese-engineer-stole-us-military-and-nasa-software-for-years

    #Cybersecurity #ThreatIntel