  • 0 Votes
    1 Posts
    5 Views
    orlysec@swecyb.com
    (dragos.com) Manufacturing Under Siege: How IT/OT Convergence and Architectural Gaps Fuel Ransomware and OT Threats
    Manufacturing is the most targeted industrial sector for cyber attacks, with ransomware incidents nearly doubling in 2025—accounting for over two-thirds of all industrial victims. IT/OT convergence and architectural gaps enable rapid threat propagation and operational disruption.
    In brief - Manufacturing faces unprecedented ransomware targeting due to IT/OT integration, weak segmentation, and insufficient OT visibility. Shared domains and misclassified incidents delay response, while threat actors like AZURITE exfiltrate operational data for future OT attacks. Critical gaps in monitoring and defensible architecture heighten risk.
    Technically - Adversaries exploit weak IT/OT segmentation, using stolen credentials and compromised remote access (e.g., RDP, PowerShell) to reach VMware ESXi hypervisors hosting SCADA/HMI workloads. Encryption of virtualization layers causes Loss of View/Control without direct ICS protocol interaction. AZURITE targets engineering workstations to exfiltrate alarm data, configs, and credentials. 56% of penetration tests showed undetected lateral movement due to IT-centric monitoring lacking ICS protocol context. OT-specific IR plans, ICS-aware visibility, and secure remote access controls are critical to mitigate risks.
    Source: https://www.dragos.com/blog/manufacturing-cybersecurity-ot-threats
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    6 Views
    orlysec@swecyb.com
    (wiz.io) Critical RCE Vulnerability in GitHub's Git Infrastructure Discovered via AI-Augmented Reverse Engineering
    Critical RCE vulnerability (CVE-2026-3854) in GitHub's git infrastructure allowed authenticated users to execute arbitrary commands on backend servers via a single git push. Affects GitHub.com and GitHub Enterprise Server (GHES), enabling cross-tenant exposure or full server compromise.
    In brief - Wiz Research discovered CVE-2026-3854, a critical injection flaw in GitHub's X-Stat protocol, enabling RCE on GitHub.com and full compromise of GHES instances. GitHub patched the issue within hours, highlighting risks in multi-service architectures and AI-augmented vulnerability research.
    Technically - The flaw (CVE-2026-3854) exploited unsanitized semicolons in git push options to inject arbitrary fields into the X-Stat header, overriding security-critical metadata (e.g., rails_env, custom_hooks_dir). This enabled sandbox bypass, hook directory redirection, and malicious hook injection via path traversal. On GHES, it granted full server access; on GitHub.com, RCE on shared storage nodes. Discovery leveraged AI-augmented reverse engineering tools like IDA MCP for binary analysis.
    Source: https://www.wiz.io/blog/github-rce-vulnerability-cve-2026-3854
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    6 Views
    orlysec@swecyb.com
    (kudelskisecurity.com) Critical Unauthenticated SQL Injection Vulnerability in FortiClient EMS 7.4.4 Under Active Exploitation
    Critical unauthenticated SQLi in FortiClient EMS 7.4.4 (CVE-2026-21643) actively exploited—51 attacking IPs observed. Immediate patching required.
    In brief - A severe unauthenticated SQL injection flaw in Fortinet FortiClient EMS 7.4.4 (CVE-2026-21643) is under active exploitation, with 51 distinct IPs targeting vulnerable instances. Successful exploitation risks unauthorized data access or manipulation via the EMS administrative interface. Patch to 7.4.5+ or apply mitigations urgently.
    Technically - CVE-2026-21643 enables unauthenticated SQLi via crafted `Site` HTTP headers to `/api/v1/init_consts` in FortiClient EMS 7.4.4. Inadequate input sanitization allows arbitrary SQL execution, with public exploit code available. Mitigations include upgrading to 7.4.5/7.4.7, restricting admin interface access, and deploying a WAF to block malicious requests.
    Source: https://kudelskisecurity.com/research/forticlient-ems-7-4-4-critical-sql-injection-flaw
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    5 Views
    orlysec@swecyb.com
    (profero.io) Analysis of WindowsAudit: A Modular .NET RAT Leveraging Discord, MQTT, and Telegram for C2 Operations
    New .NET RAT "WindowsAudit" (v1.5.77) leverages Discord, MQTT, and Telegram C2 channels for stealthy ops, targeting orgs with credential theft, AD abuse, and EDR bypass tactics.
    In brief - A sophisticated .NET RAT, WindowsAudit.exe, uses multiple C2 channels (Discord, MQTT, Telegram) to evade detection. It operates with LocalSystem privileges, employs advanced persistence, steals credentials, abuses Active Directory, and disables EDR solutions via Safe Mode reboots. Surveillance and lateral movement capabilities are also present.
    Technically - WindowsAudit.exe is a modular .NET 8 RAT with a statically-linked native loader executing an embedded managed DLL. Persistence is achieved via Windows Service (WinSATSvc.exe), WMI subscriptions, registry run keys, and scheduled tasks for Safe Mode recovery. C2 communication uses Discord (primary), MQTT (secondary), and Telegram (fallback). Evasion includes Hell’s Gate (userland hook bypass), in-process AMSI/ETW patches, and targeted EDR removal. Credential access involves LSASS dumping, DPAPI theft, and Kerberos attacks (Kerberoasting, AS-REP roasting). AD abuse covers discovery, ACL manipulation, and delegation abuse. Execution primitives include interactive shells, SMB remote execution, APC injection, and parent PID spoofing. Monitor for service anomalies, Defender exclusions, Safe Mode pivots, and Discord/MQTT egress traffic.
    Source: https://profero.io/blog/windowsaudit-backdoor/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    6 Views
    orlysec@swecyb.com
    (talosintelligence.com) Defensive Priorities in an Era of Low-Barrier Cyber Attacks: Insights from Cisco Talos Incident Response Trends
    In brief - The cyber threat landscape is evolving rapidly, with attackers leveraging AI, credential abuse, and rapid exploit development to bypass defenses like MFA. Identity systems are now the primary battlefield, with legacy risks and trust-brokering platforms (e.g., VPNs, ADCs) as key targets. Defenders must prioritize exposure-based vulnerability remediation, anomalous behavior detection, and securing identity infrastructure to mitigate threats.
    Technically - Cisco Talos highlights attackers exploiting vulnerabilities like React2Shell and ToolShell within hours of disclosure, while older flaws (e.g., Log4Shell) persist. MFA spray attacks, session token theft, and device compromise are prevalent, with lateral movement via tools like PsExec. Legacy/embedded risks (e.g., PHP, ColdFusion) remain critical. Defenders should focus on exposure-based remediation, hardening authentication systems, and monitoring anomalous patterns (e.g., unusual auth flows) to counter AI-driven attacks and reduce alert fatigue.
    Source: https://blog.talosintelligence.com/five-defender-priorities-from-the-talos-year-in-review/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    6 Views
    orlysec@swecyb.com
    (europa.eu) Europol-Backed Operation Targets Black Axe Criminal Network in Multi-Country Raids
    Operation targeting Black Axe criminal network results in 10 arrests, including the group’s 'Regional Head' for Southern Europe, following Europol-backed raids in Switzerland and Germany. The group, linked to the Neo-Black Movement, is responsible for romance scams, cyber fraud, and money laundering, with estimated annual proceeds in the billions.
    In brief - Europol-supported raids disrupt Black Axe, a hierarchical cybercriminal organization tied to romance scams and money laundering, leading to 10 arrests and highlighting the scale of transnational cyber-enabled fraud.
    Technically - Black Axe operates as a structured, zone-based criminal network leveraging cyber fraud (e.g., romance scams) to generate illicit funds, laundered via money mules. Europol’s role included intelligence centralization, structural mapping, and cross-border coordination to dismantle dispersed but high-impact criminal cells.
    Source: https://www.europol.europa.eu/media-press/newsroom/news/europol-supports-hit-against-black-axe-criminal-organisation-in-switzerland-10-arrests
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    6 Views
    orlysec@swecyb.com
    (malwarebytes.com) Chinese Aerospace Engineer Exploits Social Engineering in Four-Year Espionage Campaign Targeting US Research and Defense
    New FBI case reveals Chinese aerospace engineer Song Wu conducted a 4-year espionage campaign targeting NASA, US military, and academia via social engineering. Charged with wire fraud and aggravated identity theft for stealing export-controlled aerospace IP.
    In brief - A low-tech but highly effective spear-phishing operation by a state-linked actor evaded detection for years, exposing gaps in procedural security and identity verification. The case signals evolving threats from AI-driven deepfakes in social engineering.
    Technically - Wu impersonated legitimate researchers using fraudulent Gmail accounts to solicit proprietary computational fluid dynamics and missile performance software. Detection occurred via a tip, not technical controls, underscoring reliance on human reporting. The campaign exploited trust in academic/researcher networks, bypassing technical defenses. Emerging deepfake threats could amplify such attacks, necessitating stronger verification and cross-agency collaboration.
    Source: https://www.malwarebytes.com/blog/news/2026/04/chinese-engineer-stole-us-military-and-nasa-software-for-years
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    4 Views
    technadu@infosec.exchange
    Cybercrime is now structured and scalable.
    • Small access → large breaches
    • OAuth abuse rising
    • Social engineering still dominant
    Full roundup: https://www.technadu.com/cybersecurity-news-roundup-from-roblox-cheats-to-enterprise-breaches-small-actions-led-to-big-compromises/627052/
    Your take?
    #Infosec #Cybersecurity #ThreatIntel #DataBreach
  • 0 Votes
    2 Posts
    5 Views
    spamhaus@infosec.exchange
    The network currently has 14 Spamhaus Blocklist (SBL) listings for IPs under its responsibility: https://check.spamhaus.org/sbl/listings/chinamobile.com/
  • 0 Votes
    1 Posts
    3 Views
    solomonneas@infosec.exchange
    Defender zero-day added to KEV. FortiClient EMS SQLi is now in KEV with active exploitation.
    🟡 Bitwarden CLI npm hijack may have exposed GitHub, npm, and cloud secrets.
    Patch immediately, review exposed EMS, and rotate creds if @bitwarden/cli 2026.4.0 was used.
    solomonneas.dev/intel
    #CyberSecurity #VulnerabilityManagement #ThreatIntel #AppSec
  • 0 Votes
    1 Posts
    0 Views
    redpacketsecurity@mastodon.social
    CVE Alert: CVE-2026-7035 - Tenda - FH1202 - https://www.redpacketsecurity.com/cve-alert-cve-2026-7035-tenda-fh1202/
    #OSINT #ThreatIntel #CyberSecurity #cve-2026-7035 #tenda #fh1202
  • 0 Votes
    1 Posts
    2 Views
    redpacketsecurity@mastodon.social
    CVE Alert: CVE-2026-7036 - Tenda - i9 - https://www.redpacketsecurity.com/cve-alert-cve-2026-7036-tenda-i9/
    #OSINT #ThreatIntel #CyberSecurity #cve-2026-7036 #tenda #i9
  • 0 Votes
    1 Posts
    9 Views
    timb_machine@infosec.exchange
    Maybe not you, but *some* people do want persistent access to Cisco devices:
    * https://blog.talosintelligence.com/uat-4356-firestarter/
    * https://www.cisa.gov/sites/default/files/2026-04/AR26-113A_MAR_FIRESTARTER_backdoor.pdf
    #threatintel, #cisco
  • 0 Votes
    2 Posts
    7 Views
    eingfoan@infosec.exchange
    @adulau nop
  • 0 Votes
    1 Posts
    6 Views
    adulau@infosec.exchange
    Some updates on the MISP Galaxy website: https://www.misp-galaxy.org/mitre-fraud-framework/
    It now includes a matrix-like view of the galaxy for @misp
    #misp #cti #threatintel #threatintelligence
  • 0 Votes
    1 Posts
    1 Views
    orlysec@swecyb.com
    (malwarebytes.com) Sensitive Genomic Data of 500,000 Britons Exposed for Sale on Alibaba: A Case Study in Third-Party Risk and National Security Implications
    UK Biobank genomic data of 500K Britons advertised for sale on Alibaba, exposing third-party risk and national security concerns. De-identified but granular datasets (genetic sequences, medical imaging, lifestyle details) were accessed by researchers and later leaked, enabling re-identification risks.
    In brief - A major breach of UK genomic data via Alibaba highlights third-party risks, re-identification threats, and China’s strategic interest in biotech assets. The incident underscores gaps in data governance and the long-term intelligence value of immutable genetic data.
    Technically - The UK Biobank dataset, accessed by research institutions under contractual agreements, was exposed due to inadequate security controls (e.g., "download CSV and walk away" model). Granular attributes (gender, age, socioeconomic data) enable re-identification despite de-identification. China’s focus on genomics for AI/precision medicine amplifies risks. Mitigations must include stricter access controls, encryption, and monitoring to prevent unauthorized dissemination.
    Source: https://www.malwarebytes.com/blog/news/2026/04/medical-data-of-500000-uk-volunteers-listed-for-sale-on-alibaba
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    8 Views
    orlysec@swecyb.com
    (cisa.gov) CISA and NCSC-UK Warn of FIRESTARTER Malware Targeting Cisco ASA, Firepower, and Secure Firewall Devices
    URGENT: FIRESTARTER malware achieves post-patching persistence on Cisco ASA/Firepower/FTD devices via CVE-2025-20333 & CVE-2025-20362. CISA/NCSC-UK report confirms APT exploitation.
    In brief - CISA and NCSC-UK warn of FIRESTARTER, a remote access malware targeting Cisco ASA, Firepower, and Secure Firewall devices. The APT actor exploits two firmware vulnerabilities to deploy the implant, which persists even after patching. Federal agencies must act under Emergency Directive 25-03.
    Technically - FIRESTARTER targets Cisco ASA/FTD software, leveraging CVE-2025-20333 and CVE-2025-20362 for initial access. Its post-patching persistence mechanism survives firmware updates, complicating remediation. CISA’s report provides IOCs, forensic guidance, and detection methods. FCEB agencies must enumerate affected devices, collect forensic data, and apply vendor updates to mitigate the threat.
    Source: https://www.cisa.gov/news-events/news/cisa-warns-firestarter-malware-targeting-cisco-asa-including-firepower-and-secure-firewall-products
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    7 Views
    orlysec@swecyb.com
    (infoblox.com) Fake CAPTCHA Pages Weaponized for International Revenue Share Fraud via SMS Scam Campaign
    New IRSF campaign weaponizes fake CAPTCHA pages to trigger international SMS fraud, costing victims ~$30 per session. Active since 2020, it exploits TDS and carrier billing gaps across 17 countries.
    In brief - Threat actors use typosquatting and fake CAPTCHA pages to force mobile users into sending premium SMS messages to 15+ international numbers, generating fraudulent termination fees. The operation targets victims via multi-hop TDS, defrauding both individuals and telecom carriers.
    Technically - The attack chain involves a TDS (colnsdital[.]com → hotnow[.]sweeffg[.]online → zawsterris[.]com) redirecting to fake CAPTCHA pages on AS15699. JavaScript calls makeTrackerDownload.php to fetch phone number lists and control parameters (forceRedirectURL, forceMessage). Back button hijacking via pushState() traps users, while cookie tracking filters targets. A secondary tier of 20 Egyptian numbers is passed via base64 to megaplaylive[.]com, embedding additional SMS triggers in media playback.
    Source: https://www.infoblox.com/blog/threat-intelligence/hold-the-phone-international-revenue-share-fraud-driven-by-fake-captchas/
    #Cybersecurity #ThreatIntel
  • 0 Votes
    1 Posts
    6 Views
    matchbook3469@infosec.exchange
    THREAT INTEL | Tractial
    🟡 Actor "anubis" claims Undisclosed
    Unverified claim
    https://www.yazoul.net/intel/claim/2026-04-23-tractial-ransomware-claim-by-anubis-april-2026
    #DarkWeb #DataBreach #ThreatIntel #CyberSecurity #InfoSec
  • 0 Votes
    1 Posts
    0 Views
    orlysec@swecyb.com
    (security.com) Trigona Ransomware Affiliates Deploy Custom Data Exfiltration Tool with Advanced Evasion Capabilities
    Trigona ransomware affiliates (Rhantus) now deploy *uploader_client.exe*—a custom exfiltration tool with advanced evasion capabilities, replacing off-the-shelf utilities like Rclone. This shift signals heightened operational maturity in pre-ransomware tradecraft.
    In brief - Trigona RaaS operators have adopted a bespoke data exfiltration tool, enabling granular control over stolen data, parallel transfers, and connection rotation to evade detection. Attackers disable defenses via BYOVD, harvest credentials with Mimikatz/Nirsoft, and establish persistence via AnyDesk before exfiltrating high-value files.
    Technically - *uploader_client.exe* communicates with C2 163.172.105.82:1080, using 5 parallel TCP streams per file, rotating connections after 2,048 MB. Pre-exfiltration activity includes kernel-level defense evasion via HRSword, PCHunter, and other BYOVD tools (e.g., Gmer, YDark), credential theft via Mimikatz and Nirsoft utilities, and elevated execution via PowerRun. File filtering prioritizes high-value extensions (e.g., PDFs, invoices).
    Source: https://www.security.com/threat-intelligence/trigona-exfiltration-custom
    #Cybersecurity #ThreatIntel