SecPro

Moving up the Cyber Kill ChainNeed something to read?Develop foundational skills in ethical hacking and penetration testing while getting ready to pass the certification exam. With cyber threats continually evolving, understanding the trends and using the tools deployed by attackers to determine vulnerabilities in your system can help secure your applications, networks, and devices. To outmatch attacks, developing an attacker's mindset is a necessary skill, which you can hone with the help of the Certified Ethical Hacker 312-50 Exam Guide.- Learn how to look at technology from the standpoint of an attacker- Understand the methods that attackers use to infiltrate networks- Prepare to take and pass the exam in one attempt with the help of hands-on examples and mock testsCheck it out today!#208: Cutting off the ExploitA look at the issuesWelcome to another_secpro!Newsflash for those who missed it: Scattered Spider, the group that has been tied to a series of high-profile intrusions, raising fresh concerns about identity-based attacks and how fast threat actors are adapting, has been linked to a number of arrests in the UK. A number of young people have allegedly been involved with the cyber-gang, leading to arrests of 18, 19, and 21 year olds throughout England. As with the LAPSUS$ gang from yesteryear, it seems like another case of "innovative" young people turning to quick and dirty tactics and techniques to cause maximal damage.To get my fuller reflections on the case as it unfolds, check out this week's premium issue in the link below.Check out _secpro premiumBut, before we get bogged down in that, there's a whole newsletter still to go! Check out this week's articles, news, academic insights, and a few other little treats. If you want more, you know what you need to do - sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!Cheers!Austin MillerEditor-in-ChiefTime for a surveyWe're hoping to roll out some new features in the next few weeks, but we need your input. Check out the survey below and win afree month of _secpro premium!Check out the survey!This week's articlesExploitation in the Cyber Kill ChainBefore attackers can steal data, lock up systems, or pivot through a network, they need to get their malicious code to a target. That step is delivery. It’s the moment the payload—often malware or a malicious script—is moved from the attacker’s infrastructure into the environment of the target.Read the rest here!How AI Is Changing the Ethical Hacking GameCybersecurity has always been a race between hackers and defenders. With AI in the mix, that race just got a whole lot faster.Today's hackers are using artificial intelligence to speed up their attacks, identify new vulnerabilities, and automate decision-making. That means defenders have to be just as smart—if not smarter. In CEH v13, AI is no longer a side note. It's now a core part of the modern ethical hacker's toolkit.In the new edition of theCertified Ethical Hacker (CEH) v13: Exam 312-50 Guide, we've added entire sections in each chapter on AI-assisted hacking. You'll learn how hackers are training AI models to spot weak configurations, build deepfakes for social engineering, and evade detection tools. You'll also see how defenders can use AI to turn the tables—automating log analysis, simulating attacks, and identifying threats faster than ever before.Here's just a glimpse of what's inside:- How ShellGPT helps automate information gathering and vulnerability detection- Real-world examples of AI being used in phishing, malware development, and evasion- What tools like Microsoft Security Copilot and other AI models are doing to reshape defensive securityThis isn't just some guess about what might happen in the future; it's happening right now. The book helps you understand how to use these tools responsibly and ethically, all while staying within the CEH framework. Plus, it gets you ready for the CEH Exam.Want to read the rest? Sign up for the premiumNews BytesCritical Fortinet software under active attack: Threat actors are exploiting vulnerabilities in Fortinet’s software, targeting administrative interfaces. Researchers strongly urge affected customers to apply patches or disable the interfaces to prevent compromise.Fire Ant group compromising VMware ESXi and vCenter systems: A cyber espionage actor known as Fire Ant has used virtualization and networking flaws to penetrate VMware ESXi and vCenter environments. The campaign shows persistence, adaptability, and repeated re-entry attempts even after remediation.New CastleLoader malware spreading via fake GitHub repos and phishing: CastleLoader is deployed through GitHub-themed phishing and malicious repos. It distributes multiple info-stealers and RATs including RedLine, DeerStealer, and SectopRAT. At least 469 devices were affected in recent campaigns.Mitel MiVoice MX‑ONE authentication bypass vulnerability: A flaw in MiVoice MX‑ONE Provisioning Manager allows unauthenticated attackers to bypass login controls. The vulnerability applies to versions 7.3 through 7.8 SP1. Vendors have issued patches to correct the issue.Active exploitation of SharePoint zero‑day by China‑linked groups: State-affiliated groups—including Storm‑2603, Violet Typhoon, and Linen Typhoon—are exploiting zero-day flaws in on-premises SharePoint servers. Attacks are ongoing globally, including to U.S. government agencies. Emergency patches are in progress.SonicWall SMA 100 appliances suffer remote code execution hole: A high‑severity authenticated file-upload flaw in SonicWall SMA 100 appliances can lead to remote code execution. Administrators are directed to apply patches immediately to eliminate attack surface.This week's academiaBridging the Gap: A Survey and Classification of Research‑Informed Ethical Hacking Tools (Paolo Modesti, Lewis Golightly et al.): This 2024 survey analyses the divide between industry tooling and academic contributions in ethical hacking. It categorizes research‑informed tools into process‑based frameworks (e.g. PTES, MITRE ATT&CK) and knowledge‑based frameworks (e.g. CyBOK), assesses licensing, code availability, peer‑review status, and development activity. Helps bridge academic praxis and professional pentesting.Ethical Hacking and its Role in Cybersecurity (Fatima Asif, Fatima Sohail et al.): This 2024 review explores how ethical hacking techniques evolve within modern cybersecurity. It covers vulnerability detection, penetration testing, and legal/ethical considerations, emphasizing the role ethical hacking plays in strengthening organizational defenses and integration with policy frameworks.A Survey on Ethical Hacking: Issues and Challenges (Jean‑Paul A. Yaacoub, Hassan N. Noura et al.): Published in 2021, this paper details both technical and non‑technical stages of penetration testing. It addresses strengths—effective at identifying known vulnerabilities—and limitations, especially regarding unknown threats and the need for anomaly detection and honeypots. It outlines current challenges, including evolution of threats and need for coordinated defense frameworks.Ethical Intrusion: The Strategic Role of Ethical Hacking in the Modern Cybersecurity Framework (J. P. Pramod, Kuppala Nikhita et al.): A mid‑2025 study addressing ethical hacking as a strategic, proactive defence mechanism. This mixed‑methods work reviews penetration testing, network auditing, and social engineering across industries (healthcare, finance, retail). Identifies how ethical hacking enhances compliance, threat awareness, and shifts organisations from reactive to proactive cybersecurity postures.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.Check out the survey!*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Moving up the Cyber Kill ChainNeed something to read?Develop foundational skills in ethical hacking and penetration testing while getting ready to pass the certification exam. With cyber threats continually evolving, understanding the trends and using the tools deployed by attackers to determine vulnerabilities in your system can help secure your applications, networks, and devices. To outmatch attacks, developing an attacker's mindset is a necessary skill, which you can hone with the help of the Certified Ethical Hacker 312-50 Exam Guide.- Learn how to look at technology from the standpoint of an attacker- Understand the methods that attackers use to infiltrate networks- Prepare to take and pass the exam in one attempt with the help of hands-on examples and mock testsCheck it out today!#207: Child Cyber-Soldiers?A look at the issuesWelcome to another_secpro!Newsflash for those who missed it: Scattered Spider, the group that has been tied to a series of high-profile intrusions, raising fresh concerns about identity-based attacks and how fast threat actors are adapting, has been linked to a number of arrests in the UK. A number of young people have allegedly been involved with the cyber-gang, leading to arrests of 18, 19, and 21 year olds throughout England. As with the LAPSUS$ gang from yesteryear, it seems like another case of "innovative" young people turning to quick and dirty tactics and techniques to cause maximal damage.To get my fuller reflections on the case as it unfolds, check out this week's premium issue in the link below.Check out _secpro premiumBut, before we get bogged down in that, there's a whole newsletter still to go! Check out this week's articles, news, academic insights, and a few other little treats. If you want more, you know what you need to do - sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!Cheers!Austin MillerEditor-in-ChiefTime for a surveyWe're hoping to roll out some new features in the next few weeks, but we need your input. Check out the survey below and win afree month of _secpro premium!Check out the survey!This week's articlesWeaponization in the Cyber Kill ChainBefore attackers can steal data, lock up systems, or pivot through a network, they need to get their malicious code to a target. That step is delivery. It’s the moment the payload—often malware or a malicious script—is moved from the attacker’s infrastructure into the environment of the target.Read the rest here!How AI Is Changing the Ethical Hacking GameCybersecurity has always been a race between hackers and defenders. With AI in the mix, that race just got a whole lot faster.Today's hackers are using artificial intelligence to speed up their attacks, identify new vulnerabilities, and automate decision-making. That means defenders have to be just as smart—if not smarter. In CEH v13, AI is no longer a side note. It's now a core part of the modern ethical hacker's toolkit.In the new edition of theCertified Ethical Hacker (CEH) v13: Exam 312-50 Guide, we've added entire sections in each chapter on AI-assisted hacking. You'll learn how hackers are training AI models to spot weak configurations, build deepfakes for social engineering, and evade detection tools. You'll also see how defenders can use AI to turn the tables—automating log analysis, simulating attacks, and identifying threats faster than ever before.Here's just a glimpse of what's inside:- How ShellGPT helps automate information gathering and vulnerability detection- Real-world examples of AI being used in phishing, malware development, and evasion- What tools like Microsoft Security Copilot and other AI models are doing to reshape defensive securityThis isn't just some guess about what might happen in the future; it's happening right now. The book helps you understand how to use these tools responsibly and ethically, all while staying within the CEH framework. Plus, it gets you ready for the CEH Exam.Want to read the rest? Sign up for the premiumNews Bytes“NVIDIAScape” – Critical Privilege Escalation in NVIDIA Container Toolkit: A container escape flaw (CVE‑2025‑23266, dubbed NVIDIAScape) affects NVIDIA Container Toolkit ≤ 1.17.7 and GPU Operator ≤ 25.3.0. Attackers exploiting this could elevate privileges inside AI cloud environments, potentially enabling data tampering, info-leakage, or DoS.This is a high-severity vulnerability (CVSS 9.0) for Kubernetes/AI inference workloads—patching should be prioritized across GPU-enabled clusters.CERT‑UA Details “LAMEHUG” Malware Using LLM‑Driven Phishing (APT28): Ukraine’s CERT‑UA uncovered LAMEHUG, a phishing-delivery malware using LLM-generated commands based on description-based prompts. The toolkit is linked to Russian-nexus APT28. Phishing kits empowered by LLMs allow dynamic payload generation, complicating detection and expanding spearphish campaign sophistication.Matanbuchus 3.0 Advancing Through Microsoft Teams Vector: Morphisec researchers dissected Matanbuchus 3.0 loader using Teams-based command-and-control delivery. The updated loader shows improved evasion tactics and stealth functionality as a step towards further payloads like Cobalt Strike. A MaaS loader delivered via collaboration tools signals growing risk to hybrid workplaces—detecting lateral movement is critical.BlackSuit Ransomware: Hybrid Exfiltration & Encryption TTPs: Cybereason’s July 11 BlackSuit report reveals a ransomware operation employing dual tactics: data exfiltration followed by encryption. The post includes infection chain, C2 communications, and IoCs. This hybrid tactic means defenders must prepare for both extortion and data breach contingencies—and deploy faster detection on exfiltration.WordPress‑to‑NetSupport RAT Campaign via ClickFix Plugin: Another Cybereason alert (July 7) shows threat actors delivering NetSupport RAT through compromised WordPress sites using the “ClickFix” plugin. Their chain includes SQL injection and automated dropper. Highlights growing exploitation of third-party CMS plugins to automate RAT installs, emphasizing patching/whitelisting need.Qantas Breach Deep Dive + Patch Tuesday Zero‑Day Trends: CISO Platform’s July 9 internal report examines the Qantas breach (~5.7M users via third-party compromise), connecting it to Scattered Spider activity. It also analyzes Microsoft’s Patch Tuesday, including 1 zero-day and 14 critical CVEs. Includes IoCs and recommended defense tactics. Offers high-level view of supply chain risk (third-party breaches) and insight into patch handling strategies post-zero-day patch Tuesday.This week's academia“Certified Ethical Hacker Online Course – a Case Study” by Tam N. Nguyen: This study examines the instructional design of the CEH v10 online self-study course. It evaluates how well the course aligns with national instructional standards and peer-reviewed research on online education. The author highlights key design principles—such as community engagement, frequent quizzing, and feedback mechanisms—that are critical to learner success in preparing for the CEH exam. While it doesn’t present raw pass-rate numbers, it focuses on educational best practices that improve learning outcomes and thereby CEH exam performance.“An empirical analysis of ethical hacking” by S. Rafiq: This empirical study analyzes the role of Certified Ethical Hacker certification in professionalizing ethical hacking. It traces the historical establishment of CEH, its legitimacy-building efforts, and the interplay between technical skill and ethical accreditation. The authors argue that CEH aims to systematize “thinking like a hacker” and to formalize the reputation of ethical hackers in organizations. Though concrete pass-rate data isn’t central, the paper provides context on how CEH functions as both a credential and a professional benchmark.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.Check out the survey!*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Moving up the Cyber Kill ChainNeed something to read?This week, we're taking a look at Mastering Palo Alto Networks by Tom Piens aka 'reaper'. The book is available for a knockdown price for a limited time, so don't miss out!Unlock the full potential of Palo Alto Networks firewalls with expert insights and hands-on strategies for mastering next-gen security:- Master Palo Alto Networks firewalls with hands-on labs and expert guidance- Stay up to date with the latest features, including cloud and security enhancements- Learn how to set up and leverage Strata Cloud Manager- Purchase of the print or Kindle book includes a free PDF eBookCheck it out today!#206:A look at the issuesWelcome to another_secpro!It's been a busy few weeks for those of us wrestling with Scattered Spider.Over the past two weeks, the hacker group (also tracked as UNC3944 or Muddled Libra) has ramped up attacks across major industries. They’ve been using social-engineering tricks—ringing up help desks or call centers, pretending to be employees and convincing staff to reset or add MFA devices. That’s the pathway they use to slip past security, move through networks, and grab sensitive data or deploy ransomware.UK retail giants like M&S, Harrods, and Co‑Op have been hit in a wave of attacks, causing disruptions and steep financial losses. They quickly pivoted to U.S. insurance firms, and this week they’ve focused on aviation. At least Hawaiian Airlines and WestJet reported IT system incidents in late June, and most recently Qantas confirmed a breach of a third-party contact‑center platform tied to Scattered Spider tactics. That incident potentially exposed personal data of up to six million customers—names, emails, birthdates and frequent-flyer numbers—though no passports or credit card details were taken.Check out _secpro premiumThe FBI, Google/Mandiant, CrowdStrike and others issued warnings, flagging how the group targets entire industries in waves. Their method is low-tech but effective: exploit human trust to bypass tech defenses, then move laterally, extort data, and sometimes encrypt systems.Impact on global industry has been significant—retail sales stalled, insurance providers scrambled, airlines huddled with cybersecurity teams and regulators. Stock prices dipped, and affected companies are now tightening vendor controls, reinforcing help-desk protocols, and training staff to question any out-of-the-blue IT requests. Here's to better days ahead...Cheers!Austin MillerEditor-in-ChiefThis week's articlesDelivery in the Cyber Kill ChainBefore attackers can steal data, lock up systems, or pivot through a network, they need to get their malicious code to a target. That step is delivery. It’s the moment the payload—often malware or a malicious script—is moved from the attacker’s infrastructure into the environment of the target.Read the rest here!News Bytes“Mamona” – Minimalist, Offline Ransomware: Wazuh researchers have discovered a new Windows ransomware strain named Mamona, notable for its incredibly compact, self‑contained design. It encrypts files locally (adding a “.HAes” extension), delays execution using a ping trick, then self‑deletes—leaving minimal forensic traces. It doesn’t rely on C2 infrastructure, which makes detection via traditional network monitoring very difficult.Shellter Elite Hijacked for Infostealer Campaigns: Elastic Security Labs reports that a leaked version of the Shellter Elite pentest tool has been abused by threat actors to deploy info‑stealer malware such as ArechClient2/Sectop RAT and Rhadamanthys. This underscores the risks when legitimate offensive‑security tools fall into malicious hands. Tool developers responded by tightening access controls and patching misused components.Oyster Malware Loader Distributed via SEO Poisoning: Arctic Wolf reveals a campaign distributing the Oyster loader (aka Broomstick/CleanUpLoader) through fake, SEO‑optimized landing pages that mimic popular Windows utilities like PuTTY and WinSCP. Once installed, Oyster persists via scheduled tasks and delivers secondary payloads through DLL injection and obfuscated strings, communicating securely over HTTPSLummaC2 Targeting Critical Infrastructure: In a joint alert, CISA and the FBI spotlight LummaC2, a malware strain used in spear‑phishing campaigns against U.S. critical‑infrastructure organizations. Written to exfiltrate credentials, wallet data, MFA tokens, and more, LummaC2 employs obfuscation to evade detection and maintain persistence by mimicking benign API calls.Calendarwalk – Google Calendar as C2: TeamT5 via Virus Bulletin reports on Calendarwalk, a sophisticated malware tied to APT41. It abuses Windows Workflow Foundation and uses Google Calendar events as a stealthy C2 channel. The malware includes obfuscated shellcode and integrates an AES‑encrypted Chatloader backdoor, indicating deep technical innovation and evasionMedusa Ransomware’s ABYSSWORKER Driver to Disable EDR: Elastic Security Labs has uncovered a novel Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) attack: Medusa ransomware used a revoked driver called smuol.sys (from the “ABYSSWORKER” family) to impersonate a legitimate CrowdStrike driver and disable anti‑malware protections. It was packaged via a paid packer service named HeartCrypt.This week's academiaFrom Promise to Peril: Rethinking Cybersecurity Red and Blue Teaming in the Age of LLMs: This recent position paper examines how LLMs are transforming red and blue team operations. It explores how LLMs can enhance offensive capabilities—e.g., generating exploits and phishing content—while also bolstering defensive workflows like threat intelligence and root cause analysis. Abuadbba, Hicks, and the rest of the team balance LLM potential against limitations (hallucinations, context issues), dual-use risks, and propose safeguards like human oversight and privacy-preserving measures.Color Teams for Machine Learning Development: This 2021 arXiv article extends the familiar red/blue team concept into ML development workflows by introducing color-coded roles: Yellow (builders), Red (attackers), Blue (defenders), Orange, Green, and Purple teams. It outlines responsibilities across these roles and how combining them—especially Purple—creates more robust ML systems by integrating adversarial testing and defensive analysis throughout the pipeline.Red Teaming with Artificial Intelligence‑Driven Cyberattacks: A Scoping Review: This review examines how AI is being leveraged in red team activities. The paper systematically surveys AI-assisted attack tools—from automated penetration tools to social-engineering automation—highlighting their implications for both red teams and blue team defenses. It underscores the growing threat and calls for defensive strategies that address intelligent, adaptive attacksUpcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Checking out malware, checking out Palo AltoNeed something to read?This week, we're taking a look at Mastering Palo Alto Networks by Tom Piens aka 'reaper'. The book is available for a knockdown price for a limited time, so don't miss out!Unlock the full potential of Palo Alto Networks firewalls with expert insights and hands-on strategies for mastering next-gen security:- Master Palo Alto Networks firewalls with hands-on labs and expert guidance- Stay up to date with the latest features, including cloud and security enhancements- Learn how to set up and leverage Strata Cloud Manager- Purchase of the print or Kindle book includes a free PDF eBookCheck it out today!#205: Spider-Scam!A look at the issuesWelcome to another_secpro!It's been a busy few weeks for those of us wrestling with Scattered Spider.Over the past two weeks, the hacker group (also tracked as UNC3944 or Muddled Libra) has ramped up attacks across major industries. They’ve been using social-engineering tricks—ringing up help desks or call centers, pretending to be employees and convincing staff to reset or add MFA devices. That’s the pathway they use to slip past security, move through networks, and grab sensitive data or deploy ransomware.UK retail giants like M&S, Harrods, and Co‑Op have been hit in a wave of attacks, causing disruptions and steep financial losses. They quickly pivoted to U.S. insurance firms, and this week they’ve focused on aviation. At least Hawaiian Airlines and WestJet reported IT system incidents in late June, and most recently Qantas confirmed a breach of a third-party contact‑center platform tied to Scattered Spider tactics. That incident potentially exposed personal data of up to six million customers—names, emails, birthdates and frequent-flyer numbers—though no passports or credit card details were taken.Check out _secpro premiumThe FBI, Google/Mandiant, CrowdStrike and others issued warnings, flagging how the group targets entire industries in waves. Their method is low-tech but effective: exploit human trust to bypass tech defenses, then move laterally, extort data, and sometimes encrypt systems.Impact on global industry has been significant—retail sales stalled, insurance providers scrambled, airlines huddled with cybersecurity teams and regulators. Stock prices dipped, and affected companies are now tightening vendor controls, reinforcing help-desk protocols, and training staff to question any out-of-the-blue IT requests. Here's to better days ahead...Cheers!Austin MillerEditor-in-ChiefThis week's articlesMastering Palo Alto NetworksWe do our best to be good to you all - so here's a free look into Mastering Palo Alto Networks by Tom Piens. The whole chapter is for free as a thank you for staying with us over the years. Check it out!Check out this excerpt!News BytesQantas suffers massive data breach via third‑party call centre:Australia’s flagship airline confirmed that hackers accessed a third-party customer‑service platform, compromising personal info—including names, emails, phone numbers, birth dates, and frequent flyer numbers—of around 6 million customers. No financial or passport data was exposed. Regulatory bodies and law enforcement are engaged, and Qantas has initiated containment, support services, and strengthened monitoring.SK Telecom fined after data leak affecting 27 million records: South Korea’s top mobile carrier was reprimanded and fined ~30 million won after a breach revealed nearly 27 million pieces of user data (including USIM data). The government mandated quarterly security reviews and a ₩700 billion investment over 5 years. SK Telecom is also replacing millions of SIM cards as a precaution.Aflac hit by social‑engineering attack tied to Scattered Spider: Health insurer Aflac reported a data breach stemming from a sophisticated phone-based social‑engineering campaign by the Scattered Spider group. The intrusion—which may have exposed customer SSNs, claims, and health data—was shut down within hours. This incident aligns with similar recent attacks on Erie and Philadelphia insurers.FBI warns airlines face rising threat from Scattered Spider: The FBI has issued alerts that Scattered Spider—an agile cybercriminal gang specializing in social engineering—has turned its focus to airlines. Previously known for breaching casinos and insurers, the group uses help‑desk impersonation and MFA bypass tactics. Cooperation with industry partners is underway to strengthen defenses.Credentials dump exposes 16 billion login details (Apple, Google, Facebook): A massive aggregation of stolen credentials—16 billion records including usernames, passwords, and URLs—was exposed, drawing from various infostealer malware campaigns. Experts warn this could fuel credential stuffing, phishing, and identity theft. Users are strongly advised to enable 2FA/passkeys, use password managers, and monitor dark‑web trade.Job‑seekers targeted in new “employment” phishing scams: Attackers are increasingly exploiting job‑seekers with fake hiring campaigns, impersonating real firms (e.g., Socure). Victims report losses averaging ~$8,000. With FTC receiving 100,000+ scam reports in 2024, companies like Socure are tightening verification. Meanwhile, DHS warns that Iranian-aligned threat actors could retaliate via cyberattacks on U.S. critical infrastructure—a reminder of broader geopolitical threats.This week's academiaThe AI Security Pyramid of Pain (Chris M. Ward et al.): This 2024 study introduces the AI Security Pyramid of Pain, adapting David Bianco’s original framework to AI systems. It structures threat levels from Data Integrity (bottom), through AI System Performance, Adversarial Tools, Adversarial Input, Data Provenance, and up to intelligent TTP-based attacks (top). The paper guides defenders on focusing defenses at higher levels that cause the most “pain” to adversaries.So, I climbed to the top of the pyramid of pain — now what? (Vasilis Katos, Emily Rosenorn‑Lanng, et al.): Published May 30, 2025, this paper examines the limitations of conventional models and proposes the Human Layer Kill Chain, integrating human factors (psychological manipulation) with AI-augmented TTPs. It introduces a “Sociotechnical Kill Plane” concept for holistic defensive strategy, bridging the Pyramid of Pain and human‑centric threat vectors.Analysis of adversary activities using cloud‑based web services to enhance cyber threat intelligence: This paper delves into proactive threat intelligence, explicitly citing Bianco’s Pyramid of Pain to clarify how different IOCs—from IPs to TTPs—vary in difficulty for adversaries and defenders. It emphasizes mapping indicators to pyramid levels to inform where defense efforts yield the greatest attack disruption.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at the issuesYour business runs on data. But how do you know if it’s reliable?Find out how to leverage Twilio Segment to collect and activate reliable data for smarter decision-making.We know you run your business on data, so you better be able to depend on it.Twilio Segment was purpose-built so that you don’t have to worry about your data. Forget the data chaos, dissolve the silos between teams and tools, and bring your data together with ease.So that you can spend more time innovating and less time integrating.Learn more#204: Spying on the Kill ChainA look at the issuesWelcome to another_secpro!This week, we're moving onto the Cyber Kill Chain and making it clear how we can apply the framework in the average day-to-day workings of a secpro. We've collected a range of useful insights and academic papers to keep you going, so scroll down and check them out!Check out _secpro premiumCheers!Austin MillerEditor-in-ChiefPinterest, Tinder, Meta speaking at DeployCon GenAI Summit!DeployCon is a free, no-fluff, engineer-first summit for builders on the edge of production AI—and you’re on the guest list. On June 25 Predibase is taking over the AWS Loft in San Francisco and Streaming Online for a day of candid technical talks and war stories from the teams that ship large-scale AI.In-Person @ AWS GenAI Loft – San FranciscoJune 25, 9:30AM–2:00PM PTCoffee, lightning talks, and lunch with the AI infra communityThe event is free, but space is limited so register now. Hope to see you there!Reserve Your SeatLive Stream – Wherever You AreCan’t make it to SF? Join virtually and get the same expert content, live.June 25, 10:30AM–1:30PM PTReserve Your SeatThis week's articlesReconnaissance and the Cyber Kill ChainAnd here we go ahead! Now that we're done with MITRE ATT&CK, we're moving onto Lockhead Martin's Cyber Kill Chain. This week, a general introduction before we move onto the important moving parts of the approach.Set up to startAI GRCJoin Hemang as he sketches out the issues for GRC in the age of AI. This was our premium expert article for_secpro last month, so make sure to sign up for premium on Substack and find out everything we have to offer!Check it out now!News BytesCheck out Krebs' coverage of this month's Patch Tuesday!Brian Krebs survives a record ~6.3 Tbps DDoS via Aisuru IoT botnet: Krebs reports an unprecedented DDoS attack—peaking at ~6.3 Tbps over 45 seconds—on his site, orchestrated by a new IoT botnet dubbed “Aisuru,” marking one of the largest volumetric attacks to date.Suspected Russian Hackers Use Advanced Phishing on UK Researcher: Reuters reports that Russian government–linked threat actors impersonated a U.S. State Department official over two weeks, using highly polished emails—potentially powered by AI—to trick Chatham House researcher Keir Giles into handing over an app-specific password. This highlights a new level of sophistication in phishing campaigns.Breaking Down the Latest Patch Tuesday Report by the SecMaster: "Microsoft has released its June 2025 Patch Tuesday security updates, addressing 66 vulnerabilities across Windows, Office, Exchange Server, Azure, Visual Studio, and other products. This includes fixes for two zero-day vulnerabilities, with one being actively exploited in the wild."Australia Requires Ransomware Victims to Declare Payments: "A new Australian law requires larger companies to declare any ransomware payments they have made."Critical Langflow Vulnerability (CVE-2025-3248) Actively Exploited to Deliver Flodrix Botnet: Trend Micro reveals active exploitation of a critical zero-day (CVE‑2025‑3248) in Langflow (< v1.3.0), delivering the Flodrix botnet for system compromise, DDoS, and data exfiltration. Reported June 17.Race-condition flaws CVE‑2025‑5054 & CVE‑2025‑4598 leak core dump data: Qualys TRU uncovered two local info-leak bugs in Linux crash-report tools—Apport (Ubuntu) and systemd-coredump (RHEL/Fedora). Both can expose sensitive data (even /etc/shadow) via race conditions. Users are urged to patch or disable SUID core dumps.This week's academiaImpact of AI on the Cyber Kill Chain: A Systematic Review (Heliyon, 2024): A systematic literature review of 62 studies (2013–2023) examining how AI tools bolster attackers in early kill‑chain stages and highlighting defense gaps, with suggestions for AI‑aware defenses.Technical Aspects of Cyber Kill Chain (arXiv, 2016): A foundational paper outlining methodologies, tools, and techniques attackers use at each of the seven stages of the Cyber Kill Chain—helpful for researchers developing defensive strategies.A Cyber Kill Chain Based Taxonomy of Banking Trojans (arXiv, 2018): This study develops a CKC‑based taxonomy specifically for banking Trojans and validates it using 127 real-world samples, aiding the design of stage‑targeted detection and mitigation strategies.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at the issues#202: The First Link in the ChainA look at the issuesWelcome to another_secpro!This week, we're moving onto the Cyber Kill Chain and making it clear how we can apply the framework in the average day-to-day workings of a secpro. We've collected a range of useful insights and academic papers to keep you going, so scroll down and check them out!Check out _secpro premiumCheers!Austin MillerEditor-in-ChiefThis week's articlesUnderstanding the Cyber Kill ChainAnd here we go ahead! Now that we're done with MITRE ATT&CK, we're moving onto Lockhead Martin's Cyber Kill Chain. This week, a general introduction before we move onto the important moving parts of the approach.Set up to startCyberUK 2025: Building Resilience in a Shifting Cyber LandscapeIn case you missed it last week...A retrospective on the UK's biggest event so far this year. CyberUK 2025, held in Manchester from May 6–8, brought together over 2,000 cybersecurity professionals, policymakers, and industry leaders to tackle the pressing challenges facing the UK's digital landscape. Organized by the National Cyber Security Centre (NCSC), this year's conference centered around the theme “Transforming Resilience. Countering Threats.”Get up to speedAI GRCJoin Hemang as he sketches out the issues for GRC in the age of AI. This was our premium expert article for_secpro last month, so make sure to sign up for premium on Substack and find out everything we have to offer!Check it out now!News BytesCheck out Krebs' coverage of this month's Patch Tuesday!“EchoLeak” zero-click vulnerability in Microsoft 365 Copilot:A first-of-its-kind “zero-click” exploit, dubbed EchoLeak, was discovered in Microsoft 365 Copilot. It allows attackers to exfiltrate sensitive data without any user interaction—fully weaponizing AI agents. Microsoft has since issued a patch. Aim Security confirms this is the first weaponizable zero-click AI attacker chain.GreyNoise uncovers coordinated brute‑force campaign targeting Apache Tomcat: GreyNoise Intelligence observed a sharp rise in brute-force login attempts—over hundreds of malicious IPs—aimed at Apache Tomcat Manager interfaces since June 5, indicating a likely precursor to exploitation.Bruce Schneier exposes covert Android tracking via browser–app leaks: Schneier highlights research showing how Meta and Yandex leveraged unintended browser-app communication to covertly track Android users, converting ephemeral web tags into persistent app-level IDs. Both companies ceased the practice after disclosure.Schneier testifies on AI-data exfiltration risks in U.S. government: During a House Oversight hearing on AI’s role in government, Schneier warned about “DOGE” agency affiliates exfiltrating large datasets from federal systems to feed AI tools—raising serious national security concerns.Brian Krebs survives a record ~6.3 Tbps DDoS via Aisuru IoT botnet: Krebs reports an unprecedented DDoS attack—peaking at ~6.3 Tbps over 45 seconds—on his site, orchestrated by a new IoT botnet dubbed “Aisuru,” marking one of the largest volumetric attacks to date.Race-condition flaws CVE‑2025‑5054 & CVE‑2025‑4598 leak core dump data: Qualys TRU uncovered two local info-leak bugs in Linux crash-report tools—Apport (Ubuntu) and systemd-coredump (RHEL/Fedora). Both can expose sensitive data (even /etc/shadow) via race conditions. Users are urged to patch or disable SUID core dumps.This week's academiaImpact of AI on the Cyber Kill Chain: A Systematic Review (Heliyon, 2024): A systematic literature review of 62 studies (2013–2023) examining how AI tools bolster attackers in early kill‑chain stages and highlighting defense gaps, with suggestions for AI‑aware defenses.Technical Aspects of Cyber Kill Chain (arXiv, 2016): A foundational paper outlining methodologies, tools, and techniques attackers use at each of the seven stages of the Cyber Kill Chain—helpful for researchers developing defensive strategies.A Cyber Kill Chain Based Taxonomy of Banking Trojans (arXiv, 2018): This study develops a CKC‑based taxonomy specifically for banking Trojans and validates it using 127 real-world samples, aiding the design of stage‑targeted detection and mitigation strategies.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at the issuesWeb Devs: Turn Your Knowledge Into IncomeBuild the knowledge base that will enable you to collaborate AI for years to come.💰 Competitive Pay Structure⏰ Ultimate Flexibility🚀 Technical Requirements (No AI Experience Needed)Weekly payouts + remote work: The developer opportunity you've been waiting for!The flexible tech side hustle paying up to $50/hourApply now!#201: Anarchy in the CyberUKA look at the issuesWelcome to another_secpro!For everyone who won a prize from our last issue, you will receive an email this week to roll out an offer. Keep your eyes open and we'll arrange your gift! This week's issue contains:-New Linux Vulnerabilities (Schneier)- Microsoft Offers Free Cybersecurity Support to European Governments- One-Third of U.S. Cybersecurity Agency Staff Depart Amid Budget Cuts- Infosecurity Europe 2025 Highlights Emerging Cyber Threats- Victoria's Secret Shuts Down Website Following Cyberattack- Google Uncovers Vishing Campaign Targeting Salesforce Users-Dell Addresses Critical Vulnerabilities in PowerScale OneFS- PentestGPT: An LLM-empowered Automatic Penetration Testing Tool-Enhancing Cybersecurity Resilience Through Advanced Red-Teaming Exercises and MITRE ATT&CK Framework Integration-Offense For Defense: The Art and Science of Cybersecurity Red TeamingCheck out _secpro premiumCheers!Austin MillerEditor-in-ChiefThis week's articlesCyberUK 2025: Building Resilience in a Shifting Cyber LandscapeA retrospective on the UK's biggest event so far this year. CyberUK 2025, held in Manchester from May 6–8, brought together over 2,000 cybersecurity professionals, policymakers, and industry leaders to tackle the pressing challenges facing the UK's digital landscape. Organized by the National Cyber Security Centre (NCSC), this year's conference centered around the theme “Transforming Resilience. Countering Threats.”Get up to speedAI GRCJoin Hemang as he sketches out the issues for GRC in the age of AI. This was our premium expert article for_secpro last month, so make sure to sign up on Substack and find out everything we have to offer!Check it out now!Reflecting on MITRE ATT&CKMaking our way through the MITRE ATT&CK's Top Ten most exploited techniques over the last 10 weeks has been fun. We're almost ready to dive into the most exploited T-number, but we thought it'd be good to stop and smell the adversarial roses for a minute first - just make sure you've been paying attention. These T-numbers are on the test, so make sure to go back and check out #10 through #2 in the list below:- #1: T1055- #2: T1059- #3: T1333- #4: T1071- #5: T1562- #6: T1486- #7: T1082- #8: T1547- #9: T1506- #10: T1005We have five copies of Glen Singh's Kali Linux book to give away. Leave a comment in order to win a virtual copy! And now, here is our number one...News BytesNew Linux Vulnerabilities (Schneier): Tracked asCVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to access sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.Microsoft Offers Free Cybersecurity Support to European Governments: Microsoft has launched a new initiative to provide European governments with free cybersecurity support aimed at enhancing defenses against increasingly sophisticated cyber threats, including those powered by artificial intelligence (AI).One-Third of U.S. Cybersecurity Agency Staff Depart Amid Budget Cuts: Since the beginning of President Trump's second term, approximately one-third of the workforce at the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have left, significantly weakening one of the country's key defenses against cyber threats.Infosecurity Europe 2025 Highlights Emerging Cyber Threats: Infosecurity Europe 2025, held at the ExCeL in London, marked its 30th anniversary with a focus on "Building a Safer Cyber World". Keynote speakers addressed evolving cyber threats, the impact of quantum and AI technologies, and the geopolitical dimensions of cybersecurity.Victoria's Secret Shuts Down Website Following Cyberattack: Victoria's Secret has temporarily shut down its online operations following a suspected cyberattack, although its physical retail stores continue to function normally. The company has engaged third-party cybersecurity experts to investigate the breach.Google Uncovers Vishing Campaign Targeting Salesforce Users: Google has disclosed details of a financially motivated threat cluster that specializes in voice phishing (vishing) campaigns designed to breach organizations' Salesforce instances for large-scale data theft and subsequent extortion.Dell Addresses Critical Vulnerabilities in PowerScale OneFS: Dell Technologies has released a critical security advisory addressing multiple flaws in its PowerScale OneFS. The most severe allows unauthenticated remote attackers to access and manipulate the file system.This week's academiaPentestGPT: An LLM-empowered Automatic Penetration Testing Tool: This paper introduces PentestGPT, an automated penetration testing tool powered by Large Language Models (LLMs). The study evaluates the performance of LLMs on real-world penetration testing tasks and presents a robust benchmark created from test machines. Findings reveal that while LLMs demonstrate proficiency in specific sub-tasks, they encounter difficulties maintaining an integrated understanding of the overall testing scenario. PentestGPT addresses these challenges with three self-interacting modules, each handling individual sub-tasks to mitigate context loss.Enhancing Cybersecurity Resilience Through Advanced Red-Teaming Exercises and MITRE ATT&CK Framework Integration: This study presents a transformative approach to red-teaming by integrating the MITRE ATT&CK framework. By leveraging real-world attacker tactics and behaviors, the integration creates realistic scenarios that rigorously test defenses and uncover previously unidentified vulnerabilities. The comprehensive evaluation demonstrates enhanced realism and effectiveness in red-teaming, leading to improved vulnerability identification and actionable insights for proactive remediation.Offense For Defense: The Art and Science of Cybersecurity Red Teaming: This article delves into the methodologies, tools, techniques, and strategies employed in red teaming, emphasizing the planning practices that underpin successful engagements. It highlights the strategic application of cyber deception techniques, such as honeypots and decoy systems, to enhance an organization’s threat identification and response capabilities. The piece underscores the importance of continuous improvement and adaptation of strategies in response to evolving threats and technologies.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at 200 issuesTrain your own R1 reasoning model with UnslothYou can now run and fine-tune Qwen3 and Meta's new Llama 4 models with 128K context length & superior accuracy. Unsloth is an open-source project that allows easy fine-tuning of LLMs and that also uploads accurately quantized models to Hugging Face. Check it out on Github!Unsloth's new Dynamic 2.0 quants outperform other quantization methods on 5-shot MMLU & KL Divergence benchmarks, meaning you can now run + fine-tune quantized LLMs while preserving as much precision as possible.Tutorial for running Qwen3 here.Tutorial for running Llama 4 here.Take a look!#200: The Bicentennial Giveaway!A look at the past 200 issuesWelcome to another_secpro!200 issues! Where does the time go? We're here providing the same usual content that we always do, but ask our readers to also check out the _secpro archive on Substack for a walk down memory lane or an exciting dive into what you missed before you subscribed. This week's issue contains:-AI Chatbots Enhance Phishing Email Sophistication- U.S. Sanctions Funnull for $200M Romance Baiting Scams Tied to Crypto Fraud-ConnectWise Breached in Cyberattack Linked to Nation-State Hackers-PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto-Earth Lamia Develops Custom Arsenal to Target Multiple Industries-China-Linked Hackers Exploit Google Calendar in Cyberattacks on Governments- PentestGPT: An LLM-empowered Automatic Penetration Testing Tool-Enhancing Cybersecurity Resilience Through Advanced Red-Teaming Exercises and MITRE ATT&CK Framework Integration-Offense For Defense: The Art and Science of Cybersecurity Red TeamingCheck out _secpro premiumCheers!Austin MillerEditor-in-ChiefReflecting on MITRE ATT&CKMaking our way through the MITRE ATT&CK's Top Ten most exploited techniques over the last 10 weeks has been fun. We're almost ready to dive into the most exploited T-number, but we thought it'd be good to stop and smell the adversarial roses for a minute first - just make sure you've been paying attention. These T-numbers are on the test, so make sure to go back and check out #10 through #2 in the list below:- #2: T1059- #3: T1333- #4: T1071- #5: T1562- #6: T1486- #7: T1082- #8: T1547- #9: T1506- #10: T1005We have five copies of Glen Singh's Kali Linux book to give away. Leave a comment in order to win a virtual copy! And now, here is our number one...#1: T1055Check it out here!News BytesAI Chatbots Enhance Phishing Email Sophistication: AI chatbots like ChatGPT are making scam emails harder to detect due to their flawless grammar and human-like tone, enabling more sophisticated phishing schemes. This evolution demands new detection strategies centering on user vigilance and corporate preemptive measures. See also:Zscaler ThreatLabz 2025 Phishing ReportU.S. Sanctions Funnull for $200M Romance Baiting Scams Tied to Crypto Fraud: The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. See also: Understanding Romance Scams and Cryptocurrency FraudConnectWise Breached in Cyberattack Linked to Nation-State Hackers: ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor.PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto: Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot. Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts.Earth Lamia Develops Custom Arsenal to Target Multiple Industries: A Chinese threat actor group known as Earth Lamia has been actively exploiting known vulnerabilities in public-facing web applications to compromise organizations across sectors such as finance, government, IT, logistics, retail, and education.China-Linked Hackers Exploit Google Calendar in Cyberattacks on Governments: China-linked hackers are exploiting Google Calendar in cyberattacks on governments, using the platform to deliver malicious links and coordinate attacks, highlighting the need for increased vigilance in monitoring cloud-based services. See also:Securing Cloud-Based Collaboration Tools.This week's academiaPentestGPT: An LLM-empowered Automatic Penetration Testing Tool: This paper introduces PentestGPT, an automated penetration testing tool powered by Large Language Models (LLMs). The study evaluates the performance of LLMs on real-world penetration testing tasks and presents a robust benchmark created from test machines. Findings reveal that while LLMs demonstrate proficiency in specific sub-tasks, they encounter difficulties maintaining an integrated understanding of the overall testing scenario. PentestGPT addresses these challenges with three self-interacting modules, each handling individual sub-tasks to mitigate context loss.Enhancing Cybersecurity Resilience Through Advanced Red-Teaming Exercises and MITRE ATT&CK Framework Integration: This study presents a transformative approach to red-teaming by integrating the MITRE ATT&CK framework. By leveraging real-world attacker tactics and behaviors, the integration creates realistic scenarios that rigorously test defenses and uncover previously unidentified vulnerabilities. The comprehensive evaluation demonstrates enhanced realism and effectiveness in red-teaming, leading to improved vulnerability identification and actionable insights for proactive remediation.Offense For Defense: The Art and Science of Cybersecurity Red Teaming: This article delves into the methodologies, tools, techniques, and strategies employed in red teaming, emphasizing the planning practices that underpin successful engagements. It highlights the strategic application of cyber deception techniques, such as honeypots and decoy systems, to enhance an organization’s threat identification and response capabilities. The piece underscores the importance of continuous improvement and adaptation of strategies in response to evolving threats and technologies.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at the week gone byBuilding GenAI infra sounds cool—until it’s 3am and your LLM is downThis free guide helps you avoid the pitfalls. Learn the hidden costs, real-world tradeoffs, and decision framework to confidently answer: build or buy? Includes battle-tested tips from Checkr, Convirza & more.Grab it now!#199: An ATT&CK Review and into the BlogosphereA look at the weekWelcome to another_secpro!For all of you who attended the RSA Conference, we hope you had a great time getting up to scratch with the goings on in this industry. Got something to share? Reply to this email and tell us about your thoughts. This week's issue contains:-Apple's AirPlay Vulnerabilities Expose Devices to Hijacking Risks-U.S. Charges 16 Russians Linked to DanaBot Malware Operation-Budget Cuts to U.S. Cybersecurity Agency Raise Concerns Amid Rising Threats-Anthropic Implements Stricter Safeguards for New AI Model Amid Biosecurity Concerns-Russian Hackers Target Western Firms Supporting Ukraine, U.S. Intelligence Reports-MITRE ATT&CK - Explained- Understanding the use cases of the MITRE ATT&CK Framework-Integrating MITRE ATT&CK with SIEM Tools-Demystifying the MITRE ATT&CK FrameworkCheck out _secpro premiumCheers!Austin MillerEditor-in-ChiefReflecting on MITRE ATT&CKMaking our way through the MITRE ATT&CK's Top Ten most exploited techniques over the last 9 weeks has been fun. We're almost ready to dive into the most exploited T-number, but we thought it'd be good to stop and smell the adversarial roses for a minute first - just make sure you've been paying attention. These T-numbers are on the test, so make sure to go back and check out #10 through #2 in the list below:- #2: T1059- #3: T1333- #4: T1071- #5: T1562- #6: T1486- #7: T1082- #8: T1547- #9: T1506- #10: T1005We have five copies of Glen Singh's Kali Linux book to give away. Leave a comment in order to win a virtual copy!RSA Conference 2025 – Navigating the New Cyber FrontierA reflection on this year's eventsRead the rest here!News BytesApple's AirPlay Vulnerabilities Expose Devices to Hijacking Risks: Researchers at cybersecurity firm Oligo have identified 23 significant security flaws in Apple's AirPlay system, collectively dubbed "AirBorne." These vulnerabilities could allow hackers to hijack devices connected to the same Wi-Fi network, affecting both Apple's native AirPlay protocol and third-party implementations. The discovery underscores the need for prompt security updates to protect users relying on AirPlay-compatible gadgets. Oligo's analysis reveals that the vulnerabilities stem from issues in the AirPlay protocol's implementation, allowing for zero-click remote code execution (RCE) attacks. The flaws are particularly concerning due to their wormable nature, enabling potential rapid spread across devices.U.S. Charges 16 Russians Linked to DanaBot Malware Operation: The U.S. Department of Justice has charged 16 Russian nationals associated with the DanaBot malware operation, a sophisticated tool used globally for cybercrime, espionage, and wartime attacks. DanaBot infected over 300,000 systems and was sold to other hackers via an affiliate model. Notably, it was used in state-linked espionage, including attacks on Ukraine’s defense institutions during the Russian invasion. DanaBot is a modular banking Trojan that has evolved to include functionalities such as credential theft, remote access, and data exfiltration. Its architecture allows for dynamic updates, making it adaptable to various malicious activities. Additional commentary at WeLiveSecurity.Budget Cuts to U.S. Cybersecurity Agency Raise Concerns Amid Rising Threats: Security experts warn that proposed 17% budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) could leave the U.S. vulnerable to retaliatory cyberattacks, especially as Chinese cyberattacks surge. The cuts would lead to the dismissal of 130 employees and cancellation of key contracts, compromising national cyberdefense at a time of heightened threat. Analysts express concern that the reduction in CISA's budget and workforce will hinder the agency's ability to coordinate threat intelligence sharing and respond effectively to cyber incidents, particularly those targeting critical infrastructure. See commentary by Dark Reading.Anthropic Implements Stricter Safeguards for New AI Model Amid Biosecurity Concerns: Anthropic has released Claude Opus 4, its most advanced AI model, under heightened safety measures due to concerns it could assist in bioweapons development. Internal testing indicated that the model significantly outperformed earlier versions in guiding potentially harmful activities. As a result, Anthropic activated its Responsible Scaling Policy, applying stringent safeguards including enhanced cybersecurity and anti-jailbreak measures. The Responsible Scaling Policy includes AI Safety Level 3 (ASL-3) measures, such as prompt classifiers to detect harmful queries, a bounty program for vulnerability detection, and enhanced monitoring to prevent misuse of the AI model. See Anthropic News.Russian Hackers Target Western Firms Supporting Ukraine, U.S. Intelligence Reports: Hackers affiliated with Russian military intelligence have been targeting Western technology, logistics, and transportation firms involved in aiding Ukraine. The cyber campaign sought to obtain intelligence on military and humanitarian aid shipments, using tactics like spearphishing and exploiting vulnerabilities in small office and home networks. Over 10,000 internet-connected cameras near Ukrainian borders and other key transit points were targeted. The attackers, linked to the group "Fancy Bear," employed advanced persistent threat (APT) techniques, including the exploitation of unsecured IoT devices and spearphishing campaigns, to infiltrate networks and gather intelligence on aid logistics. See the NSA report (PDF).This week's blogsMITRE ATT&CK - Explained: This comprehensive guide breaks down the MITRE ATT&CK framework, detailing its components such as tactics, techniques, and procedures. It also compares ATT&CK with the Cyber Kill Chain model, highlighting how ATT&CK provides a more flexible approach to understanding adversary behaviors across different platforms.Understanding the use cases of the MITRE ATT&CK Framework: Tailored for newcomers, this blog offers a step-by-step approach to utilizing the MITRE ATT&CK framework. It emphasizes the benefits of integrating ATT&CK into cybersecurity practices, such as improved threat detection, incident management, and communication among security professionals.Integrating MITRE ATT&CK with SIEM Tools:This article explores how to integrate the MITRE ATT&CK framework with Security Information and Event Management (SIEM) systems, specifically Microsoft Sentinel. It discusses features like the MITRE ATT&CK Blade, rule creation, and tagging, providing insights into enhancing detection and response capabilities.Demystifying the MITRE ATT&CK Framework: This blog offers a clear explanation of the MITRE ATT&CK framework, discussing its role in understanding cyber-attack patterns and applying appropriate mitigation strategies. It emphasizes the framework's value in improving an organization's cybersecurity posture and adapting to evolving threats.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at the week gone byJoin Packt’s Accelerated Agentic AI Bootcamp this June and learn to design, build, and deploy autonomous AI Agents using LangChain, AutoGen, and CrewAI. Hands-on training, expert guidance, and a portfolio-worthy project—delivered live, fast, and with purpose.Spots are limited - book now to save 50%! Don’t miss your chance to join at the lowest price.Use Code CYBER50 at checkoutOffer Valid until 18th May MidnightDon't miss out!#198: Armed with Deepfakes, Script Interpreters, and CybergeopoliticsA look at the weekWelcome to another_secpro!For all of you who attended the RSA Conference, we hope you had a great time getting up to scratch with the goings on in this industry. Got something to share? Reply to this email and tell us about your thoughts. This week's issue contains:- AI-Generated Law-Google’s Advanced Protection Now on Android-Another Move in the Deepfake Creation/Detection Arms Race-Japan Enacts Active Cyberdefence Law to Counter Foreign Threats-Dior Suffers Data Breach Exposing Customer Information-U.S. House GOP Proposal to Block State AI Laws Raises Cybersecurity Concerns-Navvis and SSM Health Agree to $6.5M Settlement Over Data Breach-Indian Government Warns of Cyber Threats Post Ceasefire with Pakistan-Maharashtra Appoints First Female Cyber CommandoCheck out _secpro premiumCheers!Austin MillerEditor-in-ChiefMITRE ATT&CK #2: T1059Understanding "Command andScripting Interpreter" exploitationRead the rest here!RSA Conference 2025 – Navigating the New Cyber FrontierA reflection on this year's eventsRead the rest here!Aembit Workload IAM PlatformSecure AI agents and app workloads without secrets.Identity-based, just-in-time access across AWS, Azure, GCPNo custom auth code required" MFA for machines" with Zero Trust built in.Backed by Snowflake, Aembit makes identity-first security practical for today’s multi-cloud, AI-powered environments.Learn more about AembitNews BytesAI-Generated Law: On April 14, Dubai’s ruler, Sheikh Mohammed bin Rashid Al Maktoum,announcedthat the United Arab Emirates would begin usingartificial intelligence to help write its laws. A new Regulatory Intelligence Office would use the technology to “regularly suggest updates” to the law and “accelerate the issuance of legislation by up to 70%.” AI would create a “comprehensive legislative plan” spanning local and federal law and would be connected to public administration, the courts, and global policy trends. From Bruce Schneier.Google’s Advanced Protection Now on Android: Google hasextended its Advanced Protection features to Android devices. It’s not for everybody, but something to be considered by high-risk users. From Bruce Schneier.Another Move in the Deepfake Creation/Detection Arms Race:Deepfakes are nowmimicking heartbeats. In a nutshell: Recent research reveals that high-quality deepfakes unintentionally retain the heartbeat patterns from their source videos, undermining traditional detection methods that relied on detecting subtle skin color changes linked to heartbeats; the assumption that deepfakes lack physiological signals, such as heart rate, is no longer valid. This challenges many existing detection tools, which may need significant redesigns to keep up with the evolving technology; to effectively identify high-quality deepfakes, researchers suggest shifting focus from just detecting heart rate signals to analyzing how blood flow is distributed across different facial regions, providing a more accurate detection strategy. From Bruce Schneier.Japan Enacts Active Cyberdefence Law to Counter Foreign Threats: Japan has passed the Active Cyberdefence Law, empowering its government to proactively monitor and counter cyber threats, including those from foreign actors. The legislation allows for the surveillance of foreign IP communications and authorizes offensive cyber actions by law enforcement and the Self-Defense Forces, marking a significant shift in Japan's cybersecurity posture. See DIESEC's analysis here.Dior Suffers Data Breach Exposing Customer Information: Luxury fashion brand Dior confirmed a cyberattack that compromised customer data, including names, contact details, and purchase histories. The breach, which did not affect financial information, was disclosed on Dior's South Korean website, with affected customers also reportedly contacted in China.U.S. House GOP Proposal to Block State AI Laws Raises Cybersecurity Concerns: A Republican-led initiative in the U.S. House aims to impose a 10-year moratorium on state-level AI regulations, intending to create a unified federal framework. However, cybersecurity experts warn that this could weaken consumer protections and data privacy safeguards, especially in the absence of comprehensive federal legislation.Navvis and SSM Health Agree to $6.5M Settlement Over Data Breach: Healthcare providers Navvis and SSM Health have agreed to a $6.5 million settlement following a 2023 data breach that exposed sensitive patient information. Affected individuals may receive up to $7,000 in compensation, depending on the extent of their losses, and are eligible for two years of free credit monitoring.Indian Government Warns of Cyber Threats Post Ceasefire with Pakistan: Following a recent ceasefire between India and Pakistan, the Indian government has issued advisories highlighting potential cyber threats. Officials are urged to remain vigilant, as cyber operations and espionage activities may continue despite the cessation of active hostilities.Maharashtra Appoints First Female Cyber Commando: Assistant Inspector Rupali Bobade of the Sangli Cyber Cell has become Maharashtra’s first female "cyber commando" after completing a rigorous six-month national training program. This initiative aims to strengthen India's digital security infrastructure by training 5,000 officers over five years.This week's toolsATT&CK Splunk Add-on (as part of Attack Range): This Splunk-supported environment is designed for testing and training based on real-world attack scenarios. It leverages MITRE ATT&CK to simulate threats and includes preconfigured Splunk dashboards and detections for ATT&CK techniques, offering a lab-like setting for defenders to hone their response strategies.ATT&CK Navigator: ATT&CK Navigator is a web-based tool for visualizing and annotating MITRE ATT&CK matrices. It allows analysts to overlay data like detection coverage, threat actor usage, or red/blue team test results to better understand where gaps exist in detection or mitigation strategies.Caldera: Caldera is an automated adversary emulation system designed to evaluate the effectiveness of cyber defense tools and processes. It uses the MITRE ATT&CK framework to model adversary behavior and execute post-compromise techniques, allowing blue teams to validate detection and response capabilities.Detection Rules: Detection Rules is a collection of threat detection rules for use with Elastic Security. These rules are directly mapped to MITRE ATT&CK techniques and tactics, enabling high-fidelity detection of adversarial behavior in environments monitored by the Elastic Stack (Elasticsearch, Kibana, etc.).Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

The conference, Lockbit exposure, an Apple vulnerability, and moreLive Webinar | Scale AppSec with Security Champions – May 15Security Champions programs are a proven way to scale AppSec across dev teams. Join Snyk’s live webinar on May 15 @ 11AM ET where we’ll cover👇✓ Defining the role of security champions✓ Designing a scalable, tailored program✓ Recognizing, rewarding & growing your champions🎓 BONUS: Earn CPE credits for attending!Save Your Spot!#197: RSA Reflections and Password Store InfectionsKnowing the landscape and improving the postureWelcome to another_secpro!For all of you who attended the RSA Conference, we hope you had a great time getting up to scratch with the goings on in this industry. Got something to share? Reply to this email and tell us about your thoughts. This week's issue contains:- RSA Conference 2025 – Navigating the New Cyber Frontier- MITRE ATT&CK Top Ten Breakdown #3: T1555-LockBit Ransomware Group Compromised; Internal Chats Leaked- Berkeley Research Group Breach Exposes Sensitive Data in Catholic Church Abuse Cases- Co-op Data Breach Affects Millions of UK Customers- AirBorne Vulnerability in Apple’s AirPlay Puts Billions at Risk- U.S. Customs and Border Protection Confirms Use of Hacked TeleMessage AppCheck out _secpro premiumCheers!Austin MillerEditor-in-ChiefNew developer products provide a glimpse into the future of app building on HubSpot, including deeper extensibility, flexible UI, modern development tools, and moreHubSpot’s AI-powered ecosystem presents a global opportunity projected to reach $10.2 billion by 2028. To capitalize on that growth potential, we are opening our platform more, starting with expanded APIs, customizable app UI, and tools that better support a unified data strategy.Learn moreMITRE ATT&CK #4: T1555Understanding "Credentials from Password Stores"Read the rest here!RSA Conference 2025 – Navigating the New Cyber FrontierA reflection on this year's eventsRead the rest here!News BytesLockBit Ransomware Group Compromised; Internal Chats Leaked: The notorious LockBit ransomware gang suffered a significant breach, leading to the exposure of internal chat logs and operational details. These leaks provide unprecedented insights into the group's tactics, including their use of known vulnerabilities, adoption of proof-of-concept exploits, and targeting strategies.Berkeley Research Group Breach Exposes Sensitive Data in Catholic Church Abuse Cases: Berkeley Research Group (BRG), involved in managing Catholic Church bankruptcy cases related to sexual abuse lawsuits, experienced a cyberattack that potentially exposed sensitive victim data. The attacker infiltrated BRG's systems by impersonating an IT worker on Microsoft Teams, deployed Chaos ransomware, and demanded payment. Although BRG has not found evidence of data dissemination, the U.S. Justice Department is scrutinizing the firm's delayed disclosure and potential conflicts of interest.Co-op Data Breach Affects Millions of UK Customers: The Co-op experienced a cyberattack where hackers accessed and extracted personal data from one of its systems, affecting a significant number of its more than 6.2 million current and past members. The breach forced the Co-op to temporarily shut down parts of its IT systems. The UK's National Crime Agency and National Cyber Security Centre are investigating the incident.AirBorne Vulnerability in Apple’s AirPlay Puts Billions at Risk: A critical security flaw dubbed "AirBorne" has been discovered in Apple’s AirPlay protocol and SDK, potentially allowing hackers on the same Wi-Fi network to deploy malware, access private data, or eavesdrop on conversations. Public spaces like coffee shops and airports are particularly vulnerable. While Apple has issued security updates, many third-party devices relying on the affected AirPlay SDK may not receive timely patches, leaving users at risk.U.S. Customs and Border Protection Confirms Use of Hacked TeleMessage App: The U.S. Customs and Border Protection (CBP) confirmed its use of a communication application by TeleMessage, which clones popular apps like Signal and WhatsApp with added record-retention archiving. Following the discovery of a cyber incident, CBP suspended its use of TeleMessage while investigating the breach. Significant security vulnerabilities have been identified in TeleMessage’s Android code, prompting U.S. Senator Ron Wyden to urge the Department of Justice to investigate the company, characterizing it as a national security risk.This week's toolsATT&CK Splunk Add-on (as part of Attack Range): This Splunk-supported environment is designed for testing and training based on real-world attack scenarios. It leverages MITRE ATT&CK to simulate threats and includes preconfigured Splunk dashboards and detections for ATT&CK techniques, offering a lab-like setting for defenders to hone their response strategies.ATT&CK Navigator: ATT&CK Navigator is a web-based tool for visualizing and annotating MITRE ATT&CK matrices. It allows analysts to overlay data like detection coverage, threat actor usage, or red/blue team test results to better understand where gaps exist in detection or mitigation strategies.Caldera: Caldera is an automated adversary emulation system designed to evaluate the effectiveness of cyber defense tools and processes. It uses the MITRE ATT&CK framework to model adversary behavior and execute post-compromise techniques, allowing blue teams to validate detection and response capabilities.Detection Rules: Detection Rules is a collection of threat detection rules for use with Elastic Security. These rules are directly mapped to MITRE ATT&CK techniques and tactics, enabling high-fidelity detection of adversarial behavior in environments monitored by the Elastic Stack (Elasticsearch, Kibana, etc.).Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture! Check out next week's issue to find our coverage of CyberUK!CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.Wysh Life Benefit allows any financial institution to offer free life insurance directly through their customers’ savings accounts. By embedding micro life insurance into deposit accounts, Life Benefit provides built-in financial protection that grows with account balances. It’s a simple, no-cost innovation that enhances loyalty, encourages deposits, and differentiates institutions in a competitive market. No paperwork. No medical exams. Just automatic coverage that provides peace of mind—without changing how customers bank.Talk to the Team Today*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at T1701Live Webinar | Scale AppSec with Security Champions – May 15Security Champions programs are a proven way to scale AppSec across dev teams. Join Snyk’s live webinar on May 15 @ 11AM ET where we’ll cover👇✓ Defining the role of security champions✓ Designing a scalable, tailored program✓ Recognizing, rewarding & growing your champions🎓 BONUS: Earn CPE credits for attending!Save Your Spot!#196: Beneath the Application Layer...A look at T1701Welcome to another_secpro!For all of you who are attending the ongoing RSA Conference, we hope you're having a great time getting up to scratch with the goings on in this industry. For those of you who aren't so lucky [Editor's note: such as the editor...], don't worry: this month's _secpro premium issue is focused exactly on that and you can get access to it from tomorrow. We're looking at the big events, the interesting insights, and the budding signs of this year's cybersecurity fruits to give you a boost. But, before that, we're continuing our series on the MITRE ATT&CK framework and the Top Ten threats over the last year. Check it out below! This week, we look at #4: 1701.And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you to all read Picus Security'sRed Report 2025!Check out _secpro premiumAre you attending the upcoming RSA Conference at the end of the month? Keep an eye out for our Packt writers, their stalls, and what they've got to share at the event! If you have an insight, highlight, or story that you want to share with the readership, reply to this email or reach out to the _secpro team.Cheers!Austin MillerEditor-in-ChiefBuild, secure, and automate networks to master and future-proof your skills$814 Value • Pay What You WantMITRE ATT&CK #4: T1071Understanding Application Layer Protocol attacksRead the rest here!News BytesBruce Schneier - WhatsApp Case Against NSO Group Progressing:Meta is suing NSO Group,basically claiming that the latter hacks WhatsApp and not just WhatsApp users. We have a procedural ruling: Underthe order, NSO Group is prohibited from presenting evidence about its customers’ identities, implying the targeted WhatsApp users are suspected or actual criminals, or alleging that WhatsApp had insufficient security protections.Bruce Schneier - Applying Security Engineering to Prompt Injection Security: This seems like animportant advance in LLM security against prompt injection: Google DeepMind hasunveiled CaMeL(CApabilities for MachinE Learning), a new approach to stopping prompt-injection attacks that abandons the failed strategy of having AI models police themselves. Instead, CaMeL treats language models as fundamentally untrusted components within a secure software framework, creating clear boundaries between user commands and potentially malicious content.Krebs on Security - Alleged ‘Scattered Spider’ Member Extradited to U.S.: "A 23-year-old Scottish man thought to be a member of the prolific Scattered Spider cybercrime group was extradited last week from Spain to the United States, where he is facing charges of wire fraud, conspiracy and identity theft. U.S. prosecutors allege Tyler Robert Buchanan and co-conspirators hacked into dozens of companies in the United States and abroad, and that he personally controlled more than $26 million stolen from victims."TrendMicro - Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations: Internet access is scarce in North Korea; their national network only has1,024 IP addresses assigned to it, yet the country’s role in cybercrime is significant. Multiple high-profile campaigns were publicly attributed to North Korean actors by international law enforcement, one of the latest being theUS$1.5 billion Bybit hack.This week's toolsMalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model: a relational data model for ATT&CK™ and ATT&CK™ View: an adversary emulation planning tool.mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.DSEI (9t-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at T1562[Rubrik Guided Lab] AWS Cloud Native ProtectionAccording to an IBM report, 82% of breaches involved data stored in the cloud. What's your data recovery plan? Join us for Virtual Camp Rubrik: AWS Cloud Protection to:- Protect AWS workloads, Amazon EC2, Amazon RDS, and Amazon EBS- Recover and restore your AWS data and workloads- Discuss the current state of the cloud threat landscapeSave Your Space#195: Repair Impaired DefenseA look at T1562Welcome to another_secpro!Life is never easy for security professionals, but it might now become a whole lot more difficult if rumours around the withdrawal of funding for CVE. Be vigilant for what might become a bigger problem in the next few months (or, if you're a bug hunter, count your blessings)! We're continuing our series on the MITRE ATT&CK framework and the Top Ten threats over the last year. Check it out below! This week, we look at #5: 1562.And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you to all read Picus Security'sRed Report 2025!Check out _secpro premiumAre you attending the upcoming RSA Conference at the end of the month? Keep an eye out for our Packt writers, their stalls, and what they've got to share at the event! If you have an insight, highlight, or story that you want to share with the readership, reply to this email or reach out to the _secpro team.Cheers!Austin MillerEditor-in-ChiefMITRE ATT&CK #5: T1486Understanding "impair defenses"Read the rest here!News BytesBruce Schneier - Cryptocurrency Thefts Get Physical: Longstoryof a $250 million cryptocurrency theft that, in a complicated chain events, resulted in a pretty brutal kidnapping.Bruce Schneier - New Linux Rootkit: "The company has released a working rootkit called “Curing” that uses io_uring, a feature built into the Linux kernel, to stealthily perform malicious activities without being caught by many of the detection solutions currently on the market. At the heart of the issue is the heavy reliance on monitoring system calls, which has become the go-to method for many cybersecurity vendors. The problem? Attackers can completely sidestep these monitored calls by leaning on io_uring instead. This clever method could let bad actors quietly make network connections or tamper with files without triggering the usual alarms."Bruce Schneier - Regulating AI Behavior with a Hypervisor: As AI models become more embedded in critical sectors like finance, healthcare, and the military, their inscrutable behavior poses ever-greater risks to society. To mitigate this risk, we propose Guillotine, a hypervisor architecture for sandboxing powerful AI models—models that, by accident or malice, can generate existential threats to humanity. Although Guillotine borrows some well-known virtualization techniques, Guillotine must also introduce fundamentally new isolation mechanisms to handle the unique threat model posed by existential-risk AIs.Krebs on Security - Whistleblower: DOGE Siphoned NLRB Case Data: "A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk‘s Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity."Krebs on Security - DOGE Worker’s Code Supports NLRB Whistleblower: "A whistleblower at the National Labor Relations Board (NLRB) alleged last week that denizens of Elon Musk’s Department of Government Efficiency (DOGE) siphoned gigabytes of data from the agency’s sensitive case files in early March. The whistleblower said accounts created for DOGE at the NLRB downloaded three code repositories from GitHub."JPCERT CC - DslogdRAT Malware Installed in Ivanti Connect Secure: "Ina previous article of JPCERT/CC Eyes, we reported on SPAWNCHIMERA malware, which infects the target after exploiting the vulnerability in Ivanti Connect Secure. However, this is not the only malware observed in recent attacks. This time, we focus on another malware DslogdRAT and a web shell that were installed by exploiting a zero-day vulnerability at that time, CVE-2025-0282, during attacks against organizations in Japan around December 2024."ReliaQuest - ReliaQuest Uncovers New Critical Vulnerability in SAP NetWeaver: On April 22, 2025, ReliaQuest published details of our investigation into exploitation activity targeting SAP NetWeaver systems that could enable unauthorized file uploads and execution of malicious files. On April 24, 2025, SAP disclosed "CVE-2025-31324," a critical vulnerability in SAP NetWeaver Visual Composer with the highest severity score of 10.SecureList - Operation SyncHole: Lazarus APT goes back to the well: "The campaign, dubbed “Operation SyncHole”, has impacted at least six organizations in South Korea’s software, IT, financial, semiconductor manufacturing, and telecommunications industries, and we are confident that many more companies have actually been compromised. We immediately took action by communicating meaningful information to the Korea Internet & Security Agency (KrCERT/CC) for rapid action upon detection, and we have now confirmed that the software exploited in this campaign has all been updated to patched versions."This week's toolsMalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model: a relational data model for ATT&CK™ and ATT&CK™ View: an adversary emulation planning tool.mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.DSEI (9t-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Decrypting encryptionHubSpot has announced new developer features, designed to speed up development and embed integrations more deeply into the areas where users are most productiveFrom more extensible APIs to customizable UI, discover how HubSpot's latest developer tools empower you to build tailored solutions.Explore powerful integration tools and enhanced capabilities that let you create exactly what your customers need, right where they're getting work doneLearn more#194: Locked Down for ImpactA look at T1486Welcome to another_secpro!Life is never easy for security professionals, but it might now become a whole lot more difficult if rumours around the withdrawal of funding for CVE. Be vigilant for what might become a bigger problem in the next few months (or, if you're a bug hunter, count your blessings)! We're continuing our series on the MITRE ATT&CK framework and the Top Ten threats over the last year. Check it out below! This week, we look at #6: 1486And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you to all read Picus Security'sRed Report 2025!Check out _secpro premiumAre you attending the upcoming RSA Conference at the end of the month? Keep an eye out for our Packt writers, their stalls, and what they've got to share at the event! If you have an insight, highlight, or story that you want to share with the readership, reply to this email or reach out to the _secpro team.Cheers!Austin MillerEditor-in-ChiefNeed some light relief? Here's a memeGot any good memes you want to share? Or an idea that you need someone to put together? Reply to this email with your meme or idea and get a chance to win afree Packt book (and there's only one available this week)!MITRE ATT&CK #6: T1486Understanding "System information discovery"Read the rest here!News BytesAbnormal - Multi-Stage Phishing Attack Exploits Gamma, an AI-Powered Presentation Tool: "In this newly uncovered campaign, attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal. Capitalizing on the fact that employees may not be as familiar with the platform (and thus not aware of its potential for exploitation), threat actors create a phishing flow so polished it feels legitimate at every step."Bruce Schneier - Age Verification Using Facial Scans: Discord is testing the feature: “We’re currently running tests in select regions to age-gate access to certain spaces or user settings,” a spokesperson for Discord said in a statement. “The information shared to power the age verification method is only used for the one-time age verification process and is not stored by Discord or our vendor. For Face Scan, the solution our vendor uses operates on-device, which means there is no collection of any biometric information when you scan your face. For ID verification, the scan of your ID is deleted upon verification.”Bruce Schneier - CVE Program Almost Unfunded: Mitre’s CVE’s program—which provides common naming and other informational resources about cybersecurity vulnerabilities—was about to be cancelled, as the US Department of Homeland Security failed to renew the contact. It was funded for eleven more months at the last minute.Bruce Schneier - Slopsquatting: As AI coding assistants invent nonexistent software libraries to download and use, enterprising attackers create and upload libraries with those names—laced with malware, of course.Check Point Research - CVE-2025-24054, NTLM Exploit in the Wild: ...if attackers are able to capture these NTLMv2 responses, they can still attempt to brute-force the hash offline or perform relay attacks. NTLM relay attacks fall under the category of man-in-the-middle (MitM) attacks that exploit the NTLM authentication protocol. Instead of cracking the password, the attacker captures the hash and passes it to another service to authenticate as the user. NTLM relay attacks are much more dangerous when the stolen credentials belong to a privileged user, as the attacker is using it for privilege escalation and lateral movement on the network.Cisco Talos - Unmasking the new XorDDoS controller and infrastructure: The XorDDoS trojan is a well-known DDoS malware that targets Linux machines, turning them into "zombie bots" that carry out attacks. First identified in 2014, its sub-controller was uncovered in 2015. Based on the simplified Chinese user interface and instructions of the XorDDoS controllers and builder, Talos assess with high confidence that the operators are Chinese-speaking individuals.Critical security vulnerability in the Erlang/OTP SSH implementation: The vulnerability allows an attacker withnetwork access to an Erlang/OTP SSH server to execute arbitrary codewithout prior authentication.Cymulate - Task Scheduler– New Vulnerabilities for schtasks.exe: A UAC Bypass vulnerability has been found in Microsoft Windows, enabling attackers to bypass the User Account Control prompt, allowing them to execute high-privilege (SYSTEM) commands without user approval. By exploiting this weakness, attackers can elevate their privileges and run malicious payloads with Administrators’ rights, leading to unauthorized access, data theft, or further system compromise.Krebs on Security - China-based SMS Phishing Triad Pivots to Banks: China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.SonicWall - Authenticated SMA100 Arbitrary Command Injection Vulnerability: Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user, which could potentially lead to code execution.This week's toolsMalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model: a relational data model for ATT&CK™ and ATT&CK™ View: an adversary emulation planning tool.mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.DSEI (9t-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

A look at T1082Did you miss the _secpro premium?Another month has gone by, another premium issue of the _secpro has landed in the inboxes of our faithful readership. Thank you to you all! We wouldn't be able to do this without your contributions - in both content and support.If you'd like to sign up and get access to podcasts, templates, premium articles, special offers for events and Packt books, as well as a load of other great features, click the link below to sign up for only $8/month on Substack.Check out _secpro premium#193: System discovery, beyond recoveryA look at T1082Welcome to another_secpro!We're starting up a series on the MITRE ATT&CK framework to best understand the Top Ten threats over the last year. Check it out below! This week, we look at #7: 1082.And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you to all read Picus Security'sRed Report 2025!Check out _secpro premiumAs always, make sure to check out the templates, podcasts, and other stuff on ourSubstackand access the very best that we have to offer. You might even learn something!Cheers!Austin MillerEditor-in-ChiefNeed some light relief? Here's a memeGot any good memes you want to share? Or an idea that you need someone to put together? Reply to this email with your meme or idea and get a chance to win afree Packt book (and there's only one available this week)!MITRE ATT&CK #7: T1082Understanding "System information discovery"Read the rest here!News BytesBruce Schneier - Arguing Against CALEA: "At a Congressional hearingearlier this week, Matt Blazemade the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in today’s threat environment and should be rethought: In other words, while the legally-mandated CALEA capability requirements have changed little over the last three decades, the infrastructure that must implement and protect it has changed radically. This has greatly expanded the “attack surface” that must be defended to prevent unauthorized wiretaps, especially at scale...Bruce Schneier - Arguing Against CALEA: "At a Congressionalhearingearlier this week, Matt Blazemade the point that CALEA, the 1994 law that forces telecoms to make phone calls wiretappable, is outdated in todBruce Schneier - Troy Hunt Gets Phished: In case you need proof thatanyone, even people who do cybersecurity for a living, Troy Hunt has a long, iterativestoryon his webpage about how he got phished. Worth reading.Bruce Schneier - Web 3.0 Requires Data Integrity: If you’ve ever taken a computer security class, you’ve probably learned about thethree legs of computer security—confidentiality, integrity, and availability—known as theCIA triad. When we talk about a system being secure, that’s what we’re referring to. All are important, but to different degrees in different contexts. In a world populated by artificial intelligence (AI) systems and artificial intelligent agents, integrity will be paramount.Europol - Operation Endgame follow-up leads to five detentions and interrogations as well as server takedowns: "Following the massive botnet takedown codenamedOperation Endgame in May 2024, which shut down the biggest malware droppers, including IcedID, SystemBC, Pikabot, Smokeloader and Bumblebee, law enforcement agencies across North America and Europe dealt another blow to the malware ecosystem in early 2025."Krebs on Security - China-based SMS Phishing Triad Pivots to Banks: China-based purveyors of SMS phishing kits are enjoying remarkable success converting phished payment card data into mobile wallets from Apple and Google. Until recently, the so-called “Smishing Triad” mainly impersonated toll road operators and shipping companies. But experts say these groups are now directly targeting customers of international financial institutions, while dramatically expanding their cybercrime infrastructure and support staff.ReversingLabs - Atomic and Exodus crypto wallets targeted in malicious npm campaign: "Threat actors have been targeting the cryptocurrency community hard lately. The ReversingLabs (RL) research team is continuously tracking an ongoing battle in which cybercriminals and other threat actors use a variety of techniques to hijack popular, legitimate crypto packages and steal things from Web3 wallets to crypto funds."SecureList - GOFFEE continues to attack organizations in Russia: "GOFFEE is a threat actor that first came to our attentionin early 2022. Since then, we have observed malicious activities targeting exclusively entities located in the Russian Federation, leveraging spear phishing emails with a malicious attachment. Starting in May 2022 and up until summer of 2023, GOFFEE deployed modifiedOwowa (malicious IIS module) in their attacks. As of 2024, GOFFEE started to deploy patched malicious instances of explorer.exe via spear phishing."SentinelOne - AkiraBot | AI-Powered Bot Bypasses CAPTCHAs, Spams Websites At Scale: Whenever a new form of digital communications becomes prevalent, actors inevitably adopt it for spam to try to profit from unsuspecting users. Email has been the perennial choice for spam delivery, but the prevalence of new communications platforms has expanded the spam attack surface considerably.Sysmantec- Shuckworm Targets Foreign Military Mission Based in Ukraine: "Shuckworm’s relentless focus on Ukraine has continued into 2025, with the group targeting the military mission of a Western country based in the Eastern European nation. This first activity in this campaign occurred in February 2025, and it continued into March. The initial infection vector used by the attackers appears to have been an infected removable drive."TrendMicro - Incomplete NVIDIA Patch to CVE-2024-0132 Exposes AI Infrastructure and Data to Critical Risks: "In September 2024, NVIDIAreleased several updatesto address a critical vulnerability (CVE-2024-0132) in its NVIDIA Container Toolkit. If exploited, this vulnerability could expose AI infrastructure, data, or sensitive information. With a CVSS v3.1 rating of 9.0, all customers were advised to update their affected software immediately."This week's toolsMalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model: a relational data model for ATT&CK™ and ATT&CK™ View: an adversary emulation planning tool.mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactic and techniques to measure your SIEM coverage or developed new use cases.Upcoming events for _secpros this yearHere are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.DSEI (9t-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}