
SecPro

66 Articles
Austin Miller
25 Oct 2024

#174: Hacked Back

A busy week for the SEC makes for excellent news

Webinar: Introducing a Market-Changing Approach to Mobile App Security

Join Guardsquare to learn more about our new guided configuration approach to mobile application protection. Our latest innovation ensures that all developers can effortlessly launch apps with industry-leading protection in less than a day. This webinar will: walk through Guardsquare's new guided configuration approach; discuss how this new approach empowers mobile app publishers to easily configure security features, receive actionable insights, and monitor protection outcomes without sacrificing app performance or user experience; and cover a case study addressing how customers successfully implemented the technology.

Register Now

SPONSORED

Welcome to another _secpro!

It can be hard to know what to believe when it comes to the internet. Not only are the various stories sometimes obviously contradictory, but they might also be written by people who have an interest in presenting contradictory stories to drive up engagement. With that in mind, here are some talking heads the Editor thinks you can rely on (Editor: along with, of course, the Editor...).

Bruce Schneier dispelled exaggerated claims about China breaking modern encryption and highlighted concerns over AI use in whistleblower programs influencing stock markets. He also discussed the indictment of a CEO for security certification fraud and detailed an Israeli operation sabotaging Hezbollah’s communication devices. Meanwhile, Cisco reported a denial-of-service vulnerability in its VPN services, and LinkedIn was fined €310 million by the Irish Data Protection Commission for privacy violations. FortiGuard Labs identified a critical vulnerability in FortiManager software, while new ransomware (Qilin.B) with enhanced evasion tactics was documented by Halcyon.
Additionally, Brazil arrested a cybercriminal involved in breaches of sensitive U.S. data, and the SEC charged companies for misleading cybersecurity disclosures.

Check out _secpro premium

As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!

Cheers!
Austin Miller
Editor-in-Chief

News Bytes

Bruce Schneier - No, The Chinese Have Not Broken Modern Encryption Systems with a Quantum Computer: "The headline is pretty scary: “China’s Quantum Computer Scientists Crack Military-Grade Encryption.” No, it’s not true. This debunking saved me the trouble of writing one. It all seems to have come from this news article, which wasn’t bad but was taken widely out of proportion. Cryptography is safe, and will be for a long time."

Bruce Schneier - AI and the SEC Whistleblower Program: "Whistleblowing firms can also use the information they uncover to guide market investments by activist short sellers. Since 2006, the investigative reporting site Sharesleuth claims to have tanked dozens of stocks and instigated at least eight SEC cases against companies in pharma, energy, logistics, and other industries, all after its investors shorted the stocks in question. More recently, a new investigative reporting site called Hunterbrook Media and partner hedge fund Hunterbrook Capital, have churned out 18 investigative reports in their first five months of operation and disclosed short sales and other actions alongside each.
In at least one report, Hunterbrook says they filed an SEC whistleblower tip."

Bruce Schneier - Justice Department Indicts Tech CEO for Falsifying Security Certifications: The Wall Street Journal is reporting that the CEO of a still unnamed company has been indicted for creating a fake auditing company to falsify security certifications in order to win government business.

Bruce Schneier - More Details on Israel Sabotaging Hezbollah Pagers and Walkie-Talkies: "The Washington Post has a long and detailed story about the operation that’s well worth reading (alternate version here). The sales pitch came from a marketing official trusted by Hezbollah with links to Apollo. The marketing official, a woman whose identity and nationality officials declined to reveal, was a former Middle East sales representative for the Taiwanese firm who had established her own company and acquired a license to sell a line of pagers that bore the Apollo brand. Sometime in 2023, she offered Hezbollah a deal on one of the products her firm sold: the rugged and reliable AR924."

Cisco - Cisco Adaptive Security Appliance and Firepower Threat Defense Software Remote Access VPN Brute Force Denial of Service Vulnerability: "A vulnerability in the Remote Access VPN (RAVPN) service of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) of the RAVPN service... An attacker could exploit this vulnerability by sending a large number of VPN authentication requests to an affected device. A successful exploit could allow the attacker to exhaust resources, resulting in a DoS of the RAVPN service on the affected device.
Depending on the impact of the attack, a reload of the device may be required to restore the RAVPN service."

(Irish) Data Protection Agency - Irish Data Protection Commission fines LinkedIn Ireland €310 million: The inquiry examined LinkedIn’s processing of personal data for the purposes of behavioural analysis and targeted advertising of users who have created LinkedIn profiles (members). The decision, which was made by the Commissioners for Data Protection, Dr Des Hogan and Dale Sunderland, and notified to LinkedIn on 22 October 2024, concerns the lawfulness, fairness and transparency of this processing. The decision includes a reprimand, an order for LinkedIn to bring its processing into compliance, and administrative fines totalling €310 million.

FortiGuard Labs - Missing authentication in fgfmsd: A missing authentication for critical function vulnerability [CWE-306] in FortiManager fgfmd daemon may allow a remote unauthenticated attacker to execute arbitrary code or commands via specially crafted requests. Reports have shown this vulnerability to be exploited in the wild.

Halcyon - New Qilin.B Ransomware Variant Boasts Enhanced Encryption and Defense Evasion: Researchers at anti-ransomware solutions provider Halcyon have documented a new version of the Qilin ransomware payload dubbed Qilin.B for tracking. According to the Power Rankings: Ransomware Malicious Quartile report, Qilin (aka Agenda) is a ransomware-as-a-service (RaaS) operation that emerged in July of 2022 that can target both Windows and Linux systems. Qilin operations include data exfiltration for double extortion.

Krebs on Security - Brazil Arrests ‘USDoD,’ Hacker in FBI Infragard Breach: "Brazilian authorities reportedly have arrested a 33-year-old man on suspicion of being “USDoD,” a prolific cybercriminal who rose to infamy in 2022 after infiltrating the FBI’s InfraGard program and leaking contact information for 80,000 members.
More recently, USDoD was behind a breach at the consumer data broker National Public Data that led to the leak of Social Security numbers and other personal information for a significant portion of the U.S. population."

Krebs on Security - The Global Surveillance Free-for-All in Mobile Ad Data: "Not long ago, the ability to digitally track someone’s daily movements just by knowing their home address, employer, or place of worship was considered a dangerous power that should remain only within the purview of nation states. But a new lawsuit in a likely constitutional battle over a New Jersey privacy law shows that anyone can now access this capability, thanks to a proliferation of commercial services that hoover up the digital exhaust emitted by widely-used mobile apps and websites..."

SEC - SEC Charges Four Companies With Misleading Cyber Disclosures: The charges against the four companies result from an investigation involving public companies potentially impacted by the compromise of SolarWinds’ Orion software and by other related activity. “As today’s enforcement actions reflect, while public companies may become targets of cyberattacks, it is incumbent upon them to not further victimize their shareholders or other members of the investing public by providing misleading disclosures about the cybersecurity incidents they have encountered,” said Sanjay Wadhwa, Acting Director of the SEC’s Division of Enforcement.

Tenable - CVE-2024-8260: SMB Force-Authentication Vulnerability in OPA Could Lead to Credential Leakage: Tenable Research discovered an SMB force-authentication vulnerability in Open Policy Agent (OPA) that is now fixed in the latest release of OPA. The vulnerability could have allowed an attacker to leak the NTLM credentials of the OPA server's local user account to a remote server, potentially allowing the attacker to relay the authentication or crack the password.
The vulnerability affected both the OPA CLI (Community and Enterprise editions) and the OPA Go SDK.

This week's tools

goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.

ncorbuk/Python-Ransomware - A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.

ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.

codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks. Jasmin helps security researchers to overcome the risk of external attacks.

Upcoming events for _secpros

SecTor (October 23rd-26th): SecTor is renowned for bringing together international experts to discuss underground threats and corporate defenses. This cyber security conference offers a unique opportunity for IT security professionals, managers, and executives to connect and learn from experienced mentors. This year, SecTor introduces the ‘Certified Pentester’ program, including a full-day practical examination, adding to the event’s educational offerings.

LASCON 2024 (October 24-25th): The Lonestar Application Security Conference (LASCON) is an annual event in Austin, TX, associated with OWASP, gathering 400+ web app developers, security engineers, mobile developers, and infosec professionals.
Being in Texas, home to numerous Fortune 500 companies, and located in Austin, a startup hub, LASCON attracts leaders, security architects, and developers to share innovative ideas, initiatives, and technology advancements in application security.

SANS HackFest Hollywood 2024 (October 29th): Choose Your Experience: In-Person or Live Online - whether you're planning to dive into the full HackFest experience in Hollywood, or the free, curated content offered Live Online, you'll walk away with new tools, techniques, and connections that will have a lasting impact on your career.

ODSC West 2024 (October 29th): "Since 2015, ODSC has been the essential event for AI and data science practitioners, business leaders, and those reskilling into AI. It offers cutting-edge workshops, hands-on training, strategic insights, and thought leadership. Whether deepening technical skills, transforming a business with AI, or pivoting into an AI-driven career, ODSC provides unparalleled opportunities for learning, networking, and professional growth."

Austin Miller
04 Oct 2024

#171: Going hAIwire

A week of madness where AI went haywire

Introducing A Market-Changing Approach to Mobile App Protection by Guardsquare

Mobile applications face constant, evolving threats; to address these challenges, Guardsquare is proud to announce the launch of our innovative guided configuration approach to mobile app protection. By combining the highest level of protection with unparalleled ease of use, we empower developers and security professionals to secure their applications against even the most sophisticated threats. Guardsquare is setting a new standard for mobile app protection and we invite you to join us on this journey to experience the peace of mind that comes with knowing your mobile applications are protected by the most advanced and user-friendly product on the market.

Learn More

In the lead up to October - Cybersecurity Awareness Month! - we're offering everyone a chance to jump on the _secpro train...

For a limited time, get 20% off all subscriptions at the checkout. You can get access to our podcasts, our templates, our security guides, and other _secpro events for a fifth off. And you can cancel anyway. What's there to lose?

Thanks and enjoy!

Upgrade for 20% off!

Welcome to another _secpro!

AI developers and users have suffered this week, with multiple reports of difficulties and insecurities coming from the most prominent platforms in the world. If you're the kind of person who has integrated AI into their home- and worklife (as opposed to the Editor, who is currently trying to find an empty cabin in the woods...), there will be plenty worth paying attention to here...

Check out _secpro premium

If you missed it, we sent out the first issue of the new _secpro Premium (_secpro Premium #1: Change is Difficult) as a free edition. As a teaser for those thinking of subscribing and as a treat for everyone else.
Don't miss out!

Cheers!
Austin Miller
Editor-in-Chief

Time for some news!

Aqua Nautilus - perfctl: A Stealthy Malware Targeting Millions of Linux Servers: "The name perfctl comes from the cryptominer process that drains the system’s resources, causing significant issues for many Linux developers. By combining “perf” (a Linux performance monitoring tool) with “ctl” (commonly used to indicate control in command-line tools), the malware authors crafted a name that appears legitimate. This makes it easier for users or administrators to overlook during initial investigations, as it blends in with typical system processes."

Bruce Schneier - Weird Zimbra Vulnerability: Hackers can execute commands on a remote computer by sending malformed emails to a Zimbra mail server. It’s critical, but difficult to exploit. "In an email sent Wednesday afternoon, Proofpoint researcher Greg Lesnewich seemed to largely concur that the attacks weren’t likely to lead to mass infections that could install ransomware or espionage malware. The researcher provided the following details..." Find the rest on Schneier's website.

Bruce Schneier - AI and the 2024 US Elections: "For years now, AI has undermined the public’s ability to trust what it sees, hears, and reads. The Republican National Committee released a provocative ad offering an “AI-generated look into the country’s possible future if Joe Biden is re-elected,” showing apocalyptic, machine-made images of ruined cityscapes and chaos at the border. Fake robocalls purporting to be from Biden urged New Hampshire residents not to vote in the 2024 primary election. This summer, the Department of Justice cracked down on a Russian bot farm that was using AI to impersonate Americans on social media, and OpenAI disrupted an Iranian group using ChatGPT to generate fake social-media comments..." Find the rest on Schneier's website.

Bruce Schneier - California AI Safety Bill Vetoed: "Governor Newsom has vetoed the state’s AI safety bill.
I have mixed feelings about the bill. There’s a lot to like about it, and I want governments to regulate in this space. But, for now, it’s all EU."

Bruce Schneier - Hacking ChatGPT by Planting False Memories into Its Data: "This vulnerability hacks a feature that allows ChatGPT to have long-term memory, where it uses information from past conversations to inform future conversations with that same user. A researcher found that he could use that feature to plant “false memories” into that context window that could subvert the model."

Cloudflare - How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack: "Since early September, Cloudflare's DDoS protection systems have been combating a month-long campaign of hyper-volumetric L3/4 DDoS attacks. Cloudflare’s defenses mitigated over one hundred hyper-volumetric L3/4 DDoS attacks throughout the month, with many exceeding 2 billion packets per second (Bpps) and 3 terabits per second (Tbps). The largest attack peaked 3.8 Tbps — the largest ever disclosed publicly by any organization. Detection and mitigation was fully autonomous. The graphs below represent two separate attack events that targeted the same Cloudflare customer and were mitigated autonomously."

Interpol - Arrests in international operation targeting cybercriminals in West Africa: "Eight individuals have been arrested as part of an ongoing international crackdown on cybercrime, dealing a major blow to criminal operations in Côte d’Ivoire and Nigeria. The arrests were made as part of INTERPOL’s Operation Contender 2.0, an initiative aimed at combating cyber-enabled crimes, primarily in West Africa, through enhanced international intelligence sharing."

Europol - LockBit power cut: four new arrests and financial sanctions against affiliates: "Europol supported a new series of actions against LockBit actors, which involved 12 countries and Eurojust and led to four arrests and seizures of servers critical for LockBit’s infrastructure.
A suspected developer of LockBit was arrested at the request of the French authorities, while the British authorities arrested two individuals for supporting the activity of a LockBit affiliate. The Spanish officers seized nine servers, part of the ransomware’s infrastructure, and arrested an administrator of a Bulletproof hosting service used by the ransomware group. In addition, Australia, the United Kingdom and the United States implemented sanctions against an actor who the National Crime Agency had identified as prolific affiliate of LockBit and strongly linked to Evil Corp. The latter comes after LockBit’s claim that the two ransomware groups do not work together. The United Kingdom sanctioned fifteen other Russian citizens for their involvement in Evil Corp’s criminal activities, while the United States also sanctioned six citizens and Australia sanctioned two."

Krebs on Security - A Single Cloud Compromise Can Feed an Army of AI Sex Bots: "Organizations that get relieved of credentials to their cloud environments can quickly find themselves part of a disturbing new trend: Cybercriminals using stolen cloud credentials to operate and resell sexualized AI-powered chat services. Researchers say these illicit chat bots, which use custom jailbreaks to bypass content filtering, often veer into darker role-playing scenarios, including child sexual exploitation and rape."

Krebs on Security - Crooked Cops, Stolen Laptops & the Ghost of UGNazi: A California man accused of failing to pay taxes on tens of millions of dollars allegedly earned from cybercrime also paid local police officers hundreds of thousands of dollars to help him extort, intimidate and silence rivals and former business partners, the government alleges.
KrebsOnSecurity has learned that many of the man’s alleged targets were members of UGNazi, a hacker group behind multiple high-profile breaches and cyberattacks back in 2012.

Patchstack - Unauthenticated Stored XSS Vulnerability in LiteSpeed Cache Plugin Affecting 6+ Million Sites: "This plugin suffers from unauthenticated stored XSS vulnerability. It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request. The described vulnerability was fixed in version 6.5.1 and assigned CVE-2024-47374. The CCSS and UCSS generation functions _ccss() and _load() take the required parameters and HTTP headers to generate and save the data. The queue is generated using the following code lines."

Securonix - SHROUDED#SLEEP: A Deep Dive into North Korea’s Ongoing Campaign Against Southeast Asia: "The Securonix Threat Research team has uncovered an ongoing campaign, identified as SHROUDED#SLEEP, likely attributed to North Korea’s APT37 (also known as Reaper or Group123). This advanced persistent threat group is believed to be based in North Korea and is delivering stealthy malware to targets across Southeast Asian countries. APT37, unlike other APT groups from the region such as Kimsuky, has a long history of targeting countries outside of the expected South Korean targets. This includes a number of recent campaigns against Southeast Asia countries."

This week's tools

goliate/hidden-tear: It's a ransomware-like file crypter sample which can be modified for specific purposes. Simples.

ncorbuk/Python-Ransomware - A Python Ransomware Tutorial with a YouTube tutorial explaining code and showcasing the ransomware with victim/target roles.

ForbiddenProgrammer/conti-pentester-guide-leak: Leaked pentesting manuals given to Conti ransomware crooks.

codesiddhant/Jasmin-Ransomware: Jasmin Ransomware is an advanced red team tool (WannaCry Clone) used for simulating real ransomware attacks.
Jasmin helps security researchers to overcome the risk of external attacks.

Upcoming events for _secpros

Innovate Cybersecurity Summit (October 6-8th): Powered by the collective knowledge of cybersecurity executives, practitioners, and cutting-edge solution providers, Innovate is the premier resource for CISO education & collaboration.

PSC Defense Conference (October 8th): "The PSC Defense Conference is where you will hear from senior executives across the Department of Defense and industry discuss current initiatives aimed at accelerating innovation and delivering capabilities to the Future Force."

Cybersecurity Expo 2024 (October 8-9th): "Please join us for the annual United States Department of Agriculture (USDA) Cybersecurity Expo on October 8th and October 9th (10:30AM-4:00PM EDT). This virtual event engages and educates cybersecurity professionals and enthusiasts with the goal of raising awareness about cybersecurity and increasing the resiliency in the event of a cyber incident."

Red Hat Summit: Connect 2024 (October 15th, 17th, & 22nd): Red Hat® Summit: Connect is coming to cities across Asia Pacific. Join us as we explore the future of AI, hybrid cloud, open source technology, and IT. With plenty of opportunities to engage during sessions, demos, and networking, this year's in-person event will give you access to Red Hat experts and industry leaders - all at no cost.

BSidesNYC Conference (October 19th): BSidesNYC is an information security conference coordinated by security professionals within the tri-state area as part of the larger BSides framework. The conference prides itself on building an environment focused on technical content covering various security topics - from offensive security to digital forensics and incident response.

SecTor (October 23rd-26th): SecTor is renowned for bringing together international experts to discuss underground threats and corporate defenses.
This cyber security conference offers a unique opportunity for IT security professionals, managers, and executives to connect and learn from experienced mentors. This year, SecTor introduces the ‘Certified Pentester’ program, including a full-day practical examination, adding to the event’s educational offerings.

LASCON 2024 (October 24-25th): The Lonestar Application Security Conference (LASCON) is an annual event in Austin, TX, associated with OWASP, gathering 400+ web app developers, security engineers, mobile developers, and infosec professionals. Being in Texas, home to numerous Fortune 500 companies, and located in Austin, a startup hub, LASCON attracts leaders, security architects, and developers to share innovative ideas, initiatives, and technology advancements in application security.

Austin Miller
23 May 2025

#199: An ATT&CK Review and into the Blogosphere

A look at the week gone by

Building GenAI infra sounds cool—until it’s 3am and your LLM is down

This free guide helps you avoid the pitfalls. Learn the hidden costs, real-world tradeoffs, and decision framework to confidently answer: build or buy? Includes battle-tested tips from Checkr, Convirza & more.

Grab it now!

#199: An ATT&CK Review and into the Blogosphere

A look at the week

Welcome to another _secpro!

For all of you who attended the RSA Conference, we hope you had a great time getting up to scratch with the goings on in this industry. Got something to share? Reply to this email and tell us about your thoughts.

This week's issue contains:

- Apple's AirPlay Vulnerabilities Expose Devices to Hijacking Risks
- U.S. Charges 16 Russians Linked to DanaBot Malware Operation
- Budget Cuts to U.S. Cybersecurity Agency Raise Concerns Amid Rising Threats
- Anthropic Implements Stricter Safeguards for New AI Model Amid Biosecurity Concerns
- Russian Hackers Target Western Firms Supporting Ukraine, U.S. Intelligence Reports
- MITRE ATT&CK - Explained
- Understanding the use cases of the MITRE ATT&CK Framework
- Integrating MITRE ATT&CK with SIEM Tools
- Demystifying the MITRE ATT&CK Framework

Check out _secpro premium

Cheers!
Austin Miller
Editor-in-Chief

Reflecting on MITRE ATT&CK

Making our way through the MITRE ATT&CK's Top Ten most exploited techniques over the last 9 weeks has been fun. We're almost ready to dive into the most exploited T-number, but we thought it'd be good to stop and smell the adversarial roses for a minute first - just make sure you've been paying attention. These T-numbers are on the test, so make sure to go back and check out #10 through #2 in the list below:

- #2: T1059
- #3: T1333
- #4: T1071
- #5: T1562
- #6: T1486
- #7: T1082
- #8: T1547
- #9: T1506
- #10: T1005

We have five copies of Glen Singh's Kali Linux book to give away.
Leave a comment in order to win a virtual copy!

RSA Conference 2025 – Navigating the New Cyber Frontier

A reflection on this year's events

Read the rest here!

News Bytes

Apple's AirPlay Vulnerabilities Expose Devices to Hijacking Risks: Researchers at cybersecurity firm Oligo have identified 23 significant security flaws in Apple's AirPlay system, collectively dubbed "AirBorne." These vulnerabilities could allow hackers to hijack devices connected to the same Wi-Fi network, affecting both Apple's native AirPlay protocol and third-party implementations. The discovery underscores the need for prompt security updates to protect users relying on AirPlay-compatible gadgets. Oligo's analysis reveals that the vulnerabilities stem from issues in the AirPlay protocol's implementation, allowing for zero-click remote code execution (RCE) attacks. The flaws are particularly concerning due to their wormable nature, enabling potential rapid spread across devices.

U.S. Charges 16 Russians Linked to DanaBot Malware Operation: The U.S. Department of Justice has charged 16 Russian nationals associated with the DanaBot malware operation, a sophisticated tool used globally for cybercrime, espionage, and wartime attacks. DanaBot infected over 300,000 systems and was sold to other hackers via an affiliate model. Notably, it was used in state-linked espionage, including attacks on Ukraine’s defense institutions during the Russian invasion. DanaBot is a modular banking Trojan that has evolved to include functionalities such as credential theft, remote access, and data exfiltration. Its architecture allows for dynamic updates, making it adaptable to various malicious activities. Additional commentary at WeLiveSecurity.

Budget Cuts to U.S. Cybersecurity Agency Raise Concerns Amid Rising Threats: Security experts warn that proposed 17% budget cuts to the Cybersecurity and Infrastructure Security Agency (CISA) could leave the U.S.
vulnerable to retaliatory cyberattacks, especially as Chinese cyberattacks surge. The cuts would lead to the dismissal of 130 employees and cancellation of key contracts, compromising national cyberdefense at a time of heightened threat. Analysts express concern that the reduction in CISA's budget and workforce will hinder the agency's ability to coordinate threat intelligence sharing and respond effectively to cyber incidents, particularly those targeting critical infrastructure. See commentary by Dark Reading.

Anthropic Implements Stricter Safeguards for New AI Model Amid Biosecurity Concerns: Anthropic has released Claude Opus 4, its most advanced AI model, under heightened safety measures due to concerns it could assist in bioweapons development. Internal testing indicated that the model significantly outperformed earlier versions in guiding potentially harmful activities. As a result, Anthropic activated its Responsible Scaling Policy, applying stringent safeguards including enhanced cybersecurity and anti-jailbreak measures. The Responsible Scaling Policy includes AI Safety Level 3 (ASL-3) measures, such as prompt classifiers to detect harmful queries, a bounty program for vulnerability detection, and enhanced monitoring to prevent misuse of the AI model. See Anthropic News.

Russian Hackers Target Western Firms Supporting Ukraine, U.S. Intelligence Reports: Hackers affiliated with Russian military intelligence have been targeting Western technology, logistics, and transportation firms involved in aiding Ukraine. The cyber campaign sought to obtain intelligence on military and humanitarian aid shipments, using tactics like spearphishing and exploiting vulnerabilities in small office and home networks. Over 10,000 internet-connected cameras near Ukrainian borders and other key transit points were targeted.
The attackers, linked to the group "Fancy Bear," employed advanced persistent threat (APT) techniques, including the exploitation of unsecured IoT devices and spearphishing campaigns, to infiltrate networks and gather intelligence on aid logistics. See the NSA report (PDF).

This week's blogs

MITRE ATT&CK - Explained: This comprehensive guide breaks down the MITRE ATT&CK framework, detailing its components such as tactics, techniques, and procedures. It also compares ATT&CK with the Cyber Kill Chain model, highlighting how ATT&CK provides a more flexible approach to understanding adversary behaviors across different platforms.

Understanding the use cases of the MITRE ATT&CK Framework: Tailored for newcomers, this blog offers a step-by-step approach to utilizing the MITRE ATT&CK framework. It emphasizes the benefits of integrating ATT&CK into cybersecurity practices, such as improved threat detection, incident management, and communication among security professionals.

Integrating MITRE ATT&CK with SIEM Tools: This article explores how to integrate the MITRE ATT&CK framework with Security Information and Event Management (SIEM) systems, specifically Microsoft Sentinel. It discusses features like the MITRE ATT&CK Blade, rule creation, and tagging, providing insights into enhancing detection and response capabilities.

Demystifying the MITRE ATT&CK Framework: This blog offers a clear explanation of the MITRE ATT&CK framework, discussing its role in understanding cyber-attack patterns and applying appropriate mitigation strategies. It emphasizes the framework's value in improving an organization's cybersecurity posture and adapting to evolving threats.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity.
With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.
Subscribe to Packt _SecPro
A weekly newsletter for security professionals, by security professionals. Packed with ways of working from top practitioners combating modern threats.

Austin Miller
30 May 2025

#200: The Bicentennial Giveaway!

A look at 200 issues

Train your own R1 reasoning model with Unsloth

You can now run and fine-tune Qwen3 and Meta's new Llama 4 models with 128K context length & superior accuracy. Unsloth is an open-source project that allows easy fine-tuning of LLMs and that also uploads accurately quantized models to Hugging Face. Check it out on Github!

Unsloth's new Dynamic 2.0 quants outperform other quantization methods on 5-shot MMLU & KL Divergence benchmarks, meaning you can now run + fine-tune quantized LLMs while preserving as much precision as possible.

Tutorial for running Qwen3 here. Tutorial for running Llama 4 here. Take a look!

#200: The Bicentennial Giveaway!

A look at the past 200 issues

Welcome to another _secpro!

200 issues! Where does the time go? We're here providing the same usual content that we always do, but ask our readers to also check out the _secpro archive on Substack for a walk down memory lane or an exciting dive into what you missed before you subscribed. This week's issue contains:

- AI Chatbots Enhance Phishing Email Sophistication
- U.S. Sanctions Funnull for $200M Romance Baiting Scams Tied to Crypto Fraud
- ConnectWise Breached in Cyberattack Linked to Nation-State Hackers
- PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto
- Earth Lamia Develops Custom Arsenal to Target Multiple Industries
- China-Linked Hackers Exploit Google Calendar in Cyberattacks on Governments
- PentestGPT: An LLM-empowered Automatic Penetration Testing Tool
- Enhancing Cybersecurity Resilience Through Advanced Red-Teaming Exercises and MITRE ATT&CK Framework Integration
- Offense For Defense: The Art and Science of Cybersecurity Red Teaming

Check out _secpro premium

Cheers!

Austin Miller
Editor-in-Chief

Reflecting on MITRE ATT&CK

Making our way through the MITRE ATT&CK's Top Ten most exploited techniques over the last 10 weeks has been fun.
We're almost ready to dive into the most exploited T-number, but we thought it'd be good to stop and smell the adversarial roses for a minute first - just make sure you've been paying attention. These T-numbers are on the test, so make sure to go back and check out #10 through #2 in the list below:

- #2: T1059
- #3: T1333
- #4: T1071
- #5: T1562
- #6: T1486
- #7: T1082
- #8: T1547
- #9: T1506
- #10: T1005

We have five copies of Glen Singh's Kali Linux book to give away. Leave a comment in order to win a virtual copy! And now, here is our number one...

#1: T1055

Check it out here!

News Bytes

AI Chatbots Enhance Phishing Email Sophistication: AI chatbots like ChatGPT are making scam emails harder to detect due to their flawless grammar and human-like tone, enabling more sophisticated phishing schemes. This evolution demands new detection strategies centering on user vigilance and corporate preemptive measures. See also: Zscaler ThreatLabz 2025 Phishing Report

U.S. Sanctions Funnull for $200M Romance Baiting Scams Tied to Crypto Fraud: The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has levied sanctions against a Philippines-based company named Funnull Technology Inc. and its administrator Liu Lizhi for providing infrastructure to conduct romance baiting scams that led to massive cryptocurrency losses. See also: Understanding Romance Scams and Cryptocurrency Fraud

ConnectWise Breached in Cyberattack Linked to Nation-State Hackers: ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor.

PumaBot Botnet Targets Linux IoT Devices to Steal SSH Credentials and Mine Crypto: Embedded Linux-based Internet of Things (IoT) devices have become the target of a new botnet dubbed PumaBot.
Written in Go, the botnet is designed to conduct brute-force attacks against SSH instances to expand in size and scale and deliver additional malware to the infected hosts.

Earth Lamia Develops Custom Arsenal to Target Multiple Industries: A Chinese threat actor group known as Earth Lamia has been actively exploiting known vulnerabilities in public-facing web applications to compromise organizations across sectors such as finance, government, IT, logistics, retail, and education.

China-Linked Hackers Exploit Google Calendar in Cyberattacks on Governments: China-linked hackers are exploiting Google Calendar in cyberattacks on governments, using the platform to deliver malicious links and coordinate attacks, highlighting the need for increased vigilance in monitoring cloud-based services. See also: Securing Cloud-Based Collaboration Tools.

This week's academia

PentestGPT: An LLM-empowered Automatic Penetration Testing Tool: This paper introduces PentestGPT, an automated penetration testing tool powered by Large Language Models (LLMs). The study evaluates the performance of LLMs on real-world penetration testing tasks and presents a robust benchmark created from test machines. Findings reveal that while LLMs demonstrate proficiency in specific sub-tasks, they encounter difficulties maintaining an integrated understanding of the overall testing scenario. PentestGPT addresses these challenges with three self-interacting modules, each handling individual sub-tasks to mitigate context loss.

Enhancing Cybersecurity Resilience Through Advanced Red-Teaming Exercises and MITRE ATT&CK Framework Integration: This study presents a transformative approach to red-teaming by integrating the MITRE ATT&CK framework. By leveraging real-world attacker tactics and behaviors, the integration creates realistic scenarios that rigorously test defenses and uncover previously unidentified vulnerabilities.
The comprehensive evaluation demonstrates enhanced realism and effectiveness in red-teaming, leading to improved vulnerability identification and actionable insights for proactive remediation.

Offense For Defense: The Art and Science of Cybersecurity Red Teaming: This article delves into the methodologies, tools, techniques, and strategies employed in red teaming, emphasizing the planning practices that underpin successful engagements. It highlights the strategic application of cyber deception techniques, such as honeypots and decoy systems, to enhance an organization’s threat identification and response capabilities. The piece underscores the importance of continuous improvement and adaptation of strategies in response to evolving threats and technologies.

Upcoming events for _secpros this year

Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!

DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.

Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.

Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts.
Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.

Austin Miller
24 Oct 2025

#221: Digging into Social Engineering, part 1

Exploring Unit 42's findings

Don't miss out! Sign up today!

#221: Digging into Social Engineering, part 1

Welcome to another _secpro!

This week, we're poking the brain of CISO expert David Gee to deliver you some insights which line up nicely with his new book: A Day in the Life of a CISO. We've also included our popular PDF resource again, to help you improve your training sessions and help the non-specialists amongst us to make the right moves in the age of AI. Check it out!

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!

Austin Miller
Editor-in-Chief

This week's article

Unit 42 on non-phishing vectors

Recently, along with a wealth of other industry-critical information and resources, Palo Alto’s Unit 42 published their incident response report concerning social engineering. As an area of practice that has always fascinated me—as more art than science—this immediately grabbed my attention and almost forced me to start taking notes. With this in mind, we as a team are heading out over the next few weeks to dig deeper into social engineering and help you discern the golden kernels that you need to access.

Check it out today

News Bytes

Unit 42 Threat Bulletin – October 2025: Published 21 October 2025, this monthly bulletin by Unit 42 (the threat-research arm of Palo Alto Networks) surfaces multiple emerging threats.
Highlights include the self-propagating supply-chain worm “Shai-Hulud”, an advanced supply-chain attack targeting npm packages; detailed technical IOCs; and spotting a new Chinese-nexus APT “Phantom Taurus” targeting government/telecom across Africa/Middle East/Asia.

PacketWatch Cyber Threat Intelligence Report: Crafted by Intelligence Team and published 20 October 2025, this bi-weekly briefing highlights: (a) the major breach incident at F5 Networks (source code + undisclosed vulnerabilities); (b) a list of critical and high-severity vulnerabilities across major platforms (Oracle, Microsoft, Veeam, SAP, 7-Zip, Ivanti); and (c) a renewed emphasis on user-targeted attacks such as credential phishing, fake CAPTCHA software, and fake downloads.

Disrupting malicious uses of AI (PDF): Released by OpenAI, this October 2025 update (PDF) details how threat actors are increasingly leveraging multiple AI tools (e.g., using one model for planning and another for execution), integrating AI into existing cyber-attack workflows, rather than inventing wholly new attack methods. The report also gives case studies of misuse (scams, code-signing abuse, social engineering) and how defence and detection are adapting.

Microsoft Digital Defense Report 2025: Lighting the path to a secure future (PDF): Published by Microsoft 21 October 2025, this annual-style report provides their threat intelligence view: major uptick in AI-enabled adversary operations, increasing geopolitical cyber-conflict, supply chain risk, and the imperative for defenders to rethink traditional security models given the speed and scale of modern attacks.

ENISA Threat Landscape 2025 (PDF): Published 7 October 2025 by ENISA (European Union Agency for Cyber Security), this comprehensive PDF analyses 4,875 incidents (1 July 2024–31 June 2025) to map global threat trends: shift toward mixed/campaign-style operations, AI-enabled threat activity, supply chain convergence, and increased adversary speed.
Though slightly earlier than your window, its release date is timely and gives context for many of the current week’s incidents.

This week's academia

From Texts to Shields: Convergence of Large Language Models and Cybersecurity (Tao Li, Ya-Ting Yang, Yunian Pan & Quanyan Zhu): This paper explores how large language models (LLMs) are increasingly converging with cybersecurity tasks: for example, using LLMs for vulnerability analysis, network and software security tasks, 5G-vulnerability assessment, generative security engineering and automated reasoning in defence scenarios. The authors highlight socio-technical challenges (trust, transparency, human-in-the-loop, interpretability) when deploying LLMs in high-stakes security settings, and propose a forward-looking research agenda to integrate formal methods, human-centred design and organisational policy in LLM-enhanced cyber-operations.

Adversarial Defense in Cybersecurity: A Systematic Review of GANs for Threat Detection and Mitigation (Tharcisse Ndayipfukamiye, Jianguo Ding, Doreen Sebastian Sarwatt, Adamu Gaston Philipo & Huansheng Ning): This survey conducts a PRISMA-style review (2021–Aug 2025) of how Generative Adversarial Networks (GANs) are being used both as attack tools and defensive tools in cybersecurity. They analyse 185 peer-reviewed studies, develop a taxonomy across four dimensions (defensive function, GAN architecture, cybersecurity domain, adversarial threat model), and identify key gaps: training instability, lack of standard benchmarks, high computational cost, limited explainability. They propose a roadmap towards scalable, trustworthy GAN-powered defences.

Securing the AI Frontier: Urgent Ethical and Regulatory Imperatives for AI-Driven Cybersecurity (Vikram Kulothungan): This article examines the ethical and regulatory challenges arising from the deployment of AI in cybersecurity.
It traces historical regulation of AI, analyses current global frameworks (e.g., the EU AI Act), and discusses key issues including bias, transparency, accountability, privacy, human oversight. The paper proposes strategies for enhancing AI literacy, public engagement, and global harmonisation of regulation in AI-driven cyber-systems.

A Defensive Framework Against Adversarial Attacks on Machine Learning-Based Network Intrusion Detection Systems (Benyamin Tafreshian & Shengzhi Zhang): The authors propose a multi-layer defensive framework aimed at ML-based Network Intrusion Detection Systems (NIDS) which are vulnerable to adversarial evasion. Their framework integrates adversarial training, dataset balancing, advanced feature engineering, ensemble learning, and fine-tuning. On benchmark datasets NSL-KDD and UNSW-NB15, they report on average a ~35% increase in detection accuracy and ~12.5% reduction in false positives under adversarial conditions.

Cyber Security: State of the Art, Challenges and Future (W.S. Admass et al.): This article presents an overview of the state of the art in cybersecurity: existing architectures, key challenges, and emerging trends globally. It reviews tactics, techniques, and procedures (TTPs), current defence mechanisms and future research directions.

DYNAMITE: Dynamic Defense Selection for Enhancing Machine Learning-based Intrusion Detection Against Adversarial Attacks (Jing Chen, Onat Güngör, Zhengli Shang, Elvin Li & Tajana Rosing): This paper introduces “DYNAMITE”, a framework for dynamically selecting the optimal defence mechanism for ML-based Intrusion Detection Systems (IDS) when under adversarial attack.
Instead of applying a static defence, DYNAMITE uses a meta-ML selection mechanism to pick the best defence in real-time, reducing computational overhead by ~96.2% compared to an oracle and improving F1-score by ~76.7% over random defence and ~65.8% over the best static defence.

Austin Miller
27 Feb 2026

#234: What is Olalampo?

A take on a new threat from an old adversary

It’s increasingly difficult to see through the hype of AI in cybersecurity in a sea of shiny vendor demos that fail to deliver in production.

We recently aired a discussion between Gourav Nagar (Head of Information Security and IT at Upwind) and Jon Hencinski (Head of Security Operations at Prophet Security, ex-Expel) that provides a practitioner's perspective on building comprehensive AI-driven cybersecurity programs.

Key topics they discussed include:
• Getting organizational buy-in (where leadership and practitioners are aligned)
• Improving alert detection, triage, and investigations
• Maturing your cybersecurity program (alert management is no longer a constraint)

Watch On-Demand!

Looking for some of the AI SOC best practices discussed?

1. Cover all the alerts you care about: You can feed in informational, low, and medium alerts so even these signals can be investigated while they’re early indicators, not after they’ve been aged into incidents.
2. Require deterministic consistency: Your Tier 1 analyst at 3:20am may not function like your Tier 2 at 12:00pm, but your AI SOC platform should absolutely enforce the same level of deterministic consistency and rigor in its reasoning and conclusions.
3. Unshackle your detection engineers: Stop suppressing rules because your team can’t handle the volume.
4. Keep humans in the loop for remediation: There is a distinction to be made between autonomous investigation and autonomous remediation, and the latter requires trust to be built amongst the practitioners on your team.
5. Verify the AI with a parallel run: It’s critical you run the AI alongside your SOC for a couple of weeks (or more) to build trust in its accuracy in your environment and team’s workflow.

Watch On-Demand!

#234: What is Olalampo?

A take on a new threat from an old adversary

Welcome to another _secpro!

Cybersecurity in 2026 is being shaped by a convergence of accelerating attack speeds, expanding digital ecosystems, and increasingly autonomous adversary capabilities. Recent threat intelligence points to a shift from manually orchestrated intrusions toward highly adaptive operations, including the emergence of agentic AI systems capable of planning and executing multi-stage attacks with minimal human oversight. These developments are enabling adversaries to scale campaigns and adjust tactics in real time, while AI-assisted reconnaissance and credential abuse continue to compress intrusion timelines. In some environments, attackers are now moving laterally within minutes of initial access, leaving little margin for delayed detection or response.

At the same time, threat actors are increasingly exploiting trusted access paths and identity-based weaknesses rather than relying solely on traditional malware. Credential compromise, third-party exposure, and cross-domain movement remain dominant techniques, reflecting the growing dependence of organizations on interconnected services and supply chains. Ransomware groups continue to prioritize sectors where operational disruption increases the likelihood of payment, while intelligence-driven campaigns such as recent MuddyWater activity demonstrate sustained investment in targeted espionage operations.

Despite the growing sophistication of adversaries, many successful intrusions still exploit familiar weaknesses, including poor credential hygiene and unpatched systems.
The current threat landscape underscores a clear reality: as attack capabilities evolve, resilience depends not only on advanced defenses but also on disciplined execution of fundamental security controls.

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!

Austin Miller
Editor-in-Chief

The MCP Maturity Model was created by Stacklok, who have built an MCP platform and are working with enterprises to put MCP into production. Their Applied AI Engineers work hands-on with leaders to curate trusted registries, deploy advanced security measures and light up AI agents. You can learn more about the company at stacklok.com, or just drop them an email at enterprise@stacklok.com to start a conversation.

This week's article

Operation Olalampo

Operation Olalampo is a cyber-espionage campaign attributed to the Iranian state-aligned Advanced Persistent Threat (APT) group MuddyWater. Identified by Group-IB threat intelligence researchers, the campaign represents a continuation of MuddyWater’s long-standing strategy of targeting organizations across geopolitically significant regions, particularly the Middle East and North Africa (MENA).
First observed on 26 January 2026, Operation Olalampo demonstrates the group’s increasing technical sophistication and operational maturity, particularly through the deployment of custom malware families, the use of novel command-and-control (C2) channels, and evidence of artificial intelligence-assisted development practices.

Check it out today

If you'd like to find out about our series on social engineering, start here: the adversary moves in the age of AI, then make sure to check out the articles link in this introduction: here, here, here, here, and here.

News Bytes

Agentic AI: The 2026 Threat Multiplier Reshaping Cyberattacks (Barracuda): Barracuda researchers describe the emergence of agentic AI systems capable of autonomously planning and executing multi-stage cyberattacks. Unlike generative AI tools, these systems can coordinate actions, adapt to defenses, and persist without human oversight, significantly increasing attack speed and scalability.

CrowdStrike 2026 Global Threat Report Findings (Adam Meyers): CrowdStrike reported adversaries increasingly using trusted access paths and cross-domain movement to evade detection. AI-assisted intrusion techniques and malware-free attacks are becoming more common, with rapid lateral movement remaining a key threat.

GRIT 2026 Ransomware & Cyber Threat Report Industry Insights (GuidePoint Research): Analysis shows ransomware operators continue targeting sectors where operational disruption increases the likelihood of payment. Credential-based access and third-party compromise remain dominant initial access vectors.

Cyber Threat Landscape 2026 Update (Panorays Research): Recent analysis highlights increased reliance on third-party ecosystems and supply chains as attack surfaces.
Organizations face growing risk from identity compromise and external partner exposure.

CrowdStrike Warns Attackers Move in Under 30 Minutes (TechRadar): CrowdStrike data shows attackers now move laterally in networks in an average of 29 minutes, with some compromises occurring in under a minute. AI-enabled reconnaissance and credential abuse are accelerating intrusion timelines.

IBM X-Force Threat Intelligence Index 2026 (IBM): IBM’s latest threat index reports increasing use of AI-assisted attacks alongside persistent exploitation of basic security weaknesses such as unpatched systems and poor credential management.

Operation Olalampo – MuddyWater Campaign (Group-IB): Researchers documented a new MuddyWater campaign using updated malware variants and Telegram-based command infrastructure. The operation targeted regional organizations with espionage-focused tooling.

Into the blogosphere...

Cybersecurity Predictions for 2026 (Frankly Speaking): This article outlines major cybersecurity predictions for 2026, including shrinking security budgets, consolidation of tools, and the increasing impact of AI automation. The author argues that specialized “tool babysitters” will decline as AI simplifies security operations and organizations move toward generalist security practitioners. The post also highlights how AI spending may divert resources away from traditional cybersecurity investments.

SACR Cybersecurity 2026 Outlook (SACR team): This industry-focused outlook reviews major cybersecurity developments and forecasts trends across security platforms, identity security, SecOps, mergers and acquisitions, and AI-driven defense technologies.
The article analyzes how enterprise security architectures are evolving and where investment and innovation are concentrating in 2026.

Cybersecurity Trends for 2026 (Trust in Digital Life): This expert-panel article compiles practitioner predictions for cybersecurity in 2026, covering topics such as AI-driven attacks, evolving threat actors, regulatory pressures, and new enterprise security challenges. It emphasizes the increasing complexity of defending digital infrastructure as organizations expand cloud and AI deployments.

The 6 Security Shifts AI Teams Can’t Ignore in 2026 (Gradient Flow): This article examines how AI-native companies must rethink security strategies. It highlights the move from traditional static security models to systems designed for autonomous AI agents interacting directly with enterprise environments. Key issues include identity security, data integrity, governance risks, and expanded attack surfaces.

Austin Miller
17 Oct 2025

#220: Social Engineering for Counter-Adversaries

Exploring Unit 42's findings

Don't miss out! Sign up today!

#220: Social Engineering for Counter-Adversaries

Welcome to another _secpro!

This week, we're poking the brain of CISO expert David Gee to deliver you some insights which line up nicely with his new book: A Day in the Life of a CISO. We've also included our popular PDF resource again, to help you improve your training sessions and help the non-specialists amongst us to make the right moves in the age of AI. Check it out!

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!

Austin Miller
Editor-in-Chief

This week's article

2025 Unit 42 Global Incident Response Report: Social Engineering Edition

Recently, along with a wealth of other industry-critical information and resources, Palo Alto’s Unit 42 published their incident response report concerning social engineering. As an area of practice that has always fascinated me—as more art than science—this immediately grabbed my attention and almost forced me to start taking notes. With this in mind, we as a team are heading out over the next few weeks to dig deeper into social engineering and help you discern the golden kernels that you need to access.

Check it out today

News Bytes

Unit 42: PhantomVAI Loader Delivers a Range of Infostealers: Researchers from Unit 42 describe a new loader named PhantomVAI, used to deploy various infostealers (malware that exfiltrates sensitive data). The loader uses techniques like steganography (hiding payload in an image file, e.g. a GIF file or other image) and obfuscated PowerShell to download and load the payload. The embedded data (DLL) is encoded inside images, hiding the payload from simple detection.
Once loaded, it communicates with command-and-control servers to pull further stages.

Unit 42: When AI Remembers Too Much – Persistent Behaviors in AI Agents via Indirect Prompt Injection: Shows a proof of concept demonstrating how adversaries can perform indirect prompt injection against AI agents. The technique doesn’t require a direct user prompt, but uses external content (webpages, documents, metadata) feeding into the agent’s memory or long-term memory subsystem. Once instructions are embedded via external content, they persist across sessions, meaning an attacker can embed malicious instructions that get loaded into the agent memory and later used to exfiltrate data, by instructing the agent to leak conversation history or other secrets. The attack is stealthy because it uses external content rather than explicit prompts.

Unit 42: The Golden Scale: Bling Libra and the Evolving Extortion Economy: This threat brief analyzes how extortion actors (including groups using variants like Bling Libra) are evolving. They discuss stolen data, ransom demands, deadlines, leaking stolen credentials or data, and extortion notes targeted at executives. The group is apparently coordinating via Telegram channels, recruiting other actors to send extortion notes (e.g. executive level), focusing on stolen data (Salesforce data) and pressing for payment. They set deadlines (e.g. threat actor set Oct 10, 2025 as a deadline to pay ransom or leak files).

CrowdStrike: Campaign targeting Oracle E‑Business Suite (Oracle EBS) zero-day CVE-2025-61882: CrowdStrike reports on a campaign targeting the zero-day vulnerability CVE-2025-61882 in Oracle E-Business Suite. This is an unauthenticated remote code execution (RCE) vulnerability (i.e. attackers can exploit without prior credentials). Oracle disclosed the vulnerability on 4 October 2025, but CrowdStrike observes that there are indicators of potential or likely exploitation in the wild.
They note IOCs, commands, and files from Oracle’s advisory, suggesting real-world exploitation.

Unit 42: 2025 Global Incident Response Report: Social Engineering Edition: A large incident response / threat intelligence report covering social engineering cases from May 2024 to May 2025. Some key findings: social engineering was the top initial access vector in their caseload (~36% of cases). Techniques go beyond phishing to non-phishing vectors (help desk, fake system prompts, help desk manipulation, fake prompts). Attackers exploit trust, identity workflow, help desk resets, compromised accounts, etc. They provide recommendations for defenders: just-in-time provisioning, restricting sensitive workflows, data loss prevention, identity correlation, etc. (Check in next week to read our first steps into unpacking this important analysis!)

This week's academia

Neuromorphic Mimicry Attacks Exploiting Brain-Inspired Computing for Covert Cyber Intrusions: (Hemanth Ravipati) Neuromorphic computing, which mimics the brain’s neural structure in hardware, is increasingly used for efficient AI/edge computing. This paper introduces Neuromorphic Mimicry Attacks (NMAs), a novel class of threats that exploit the probabilistic, non-deterministic behavior of neuromorphic chips. By manipulating synaptic weights or poisoning sensory inputs, attackers can mimic legitimate neural activity, thereby evading standard intrusion detection systems. The work includes a theoretical framework, simulation experiments, and proposals for defenses—e.g. anomaly detection tuned to synaptic behavior, secure synaptic learning.
The paper highlights that neuromorphic architectures introduce new cybersecurity risk surfaces.APT-LLM: Embedding-Based Anomaly Detection of Cyber Advanced Persistent Threats Using Large Language Models: (Sidahmed Benabderrahmane, Petko Valtchev, James Cheney, Talal Rahwan)This paper tackles the hard problem of detecting Advanced Persistent Threats (APTs), which tend to blend into normal system behavior. Their approach, APT-LLM, uses large language models (e.g. BERT, ALBERT, etc.) to embed process–action provenance traces into semantic-rich embeddings. They then use autoencoder models (vanilla, variational, denoising) to learn normal behavior and flag anomalies. Evaluated on highly imbalanced real-world datasets (some with only 0.004% APT-like traces), they demonstrate substantial gains over traditional anomaly detection methods. The core idea is leveraging the representational strength of LLMs for cybersecurity trace analysis.Precise Anomaly Detection in Behavior Logs Based on LLM Fine-Tuning: (S. Song et al.)Insider threats are notoriously difficult to detect because anomalies in user behavior often blur with benign but unusual actions. This paper proposes converting user behavior logs into natural language narratives, then fine-tuning a large language model with a contrastive learning objective (first at a global behavior level, then refined per user) to distinguish between benign and malicious anomalies. They also propose a fine-grained tracing mechanism to map detected anomalies back to behavioral steps. On the CERT v6.2 dataset, their approach achieves F1 ≈ 0.8941, outperforming various baseline methods. 
The method aims to reduce information loss in translation of logs to features and improve interpretability.Exposing the Ghost in the Transformer: Abnormal Detection for Large Language Models via Hidden State Forensics: (Shide Zhou, Kailong Wang, Ling Shi, Haoyu Wang) As LLMs are embedded into real-world systems, they become potential attack targets (jailbreaks, backdoors, adversarial attacks). This work proposes a detection method that inspects internal hidden states (activation patterns) across layers and uses “hidden state forensics” to detect abnormal behaviors in real-time. The approach is claimed to detect a variety of threats (e.g. backdoors, deviations) with >95% accuracy and low overhead. The method operates without needing to retrain or heavily instrument the model, offering a promising path toward monitoring LLM security in deployment.Robust Anomaly Detection in O-RAN: Leveraging LLMs against Data Manipulation Attacks: (Thusitha Dayaratne, Ngoc Duy Pham, Viet Vo, Shangqi Lai, Sharif Abuadbba, Hajime Suzuki, Xingliang Yuan, Carsten Rudolph) The Open Radio Access Network (O-RAN) architecture, used in 5G, introduces openness and programmability (xApps), but also novel attack vectors. The authors identify a subtle “hypoglyph” attack: injecting Unicode-wise manipulations (e.g. look-alike characters) into data that evade traditional ML-based anomaly detectors. They propose using LLMs (via prompt engineering) to robustly detect anomalies, even in manipulated data, and demonstrate low detection latency (<0.07 s), making it potentially viable for near-real-time use in RAN systems. This work bridges wireless systems and AI-based security in a timely domain.Generative AI in Cybersecurity: A Comprehensive Review of Future Directions: (M. A. Ferrag et al.) This is a survey/review paper covering the intersection of Generative AI / LLMs and cybersecurity. It synthesizes recent research on how generative models can be used for threat creation (e.g. 
adversarial attacks, automated phishing, malware synthesis) and defense (e.g. automated patch generation, security policy synthesis, anomaly detection). The paper also outlines open challenges and risks (e.g. misuse, model poisoning, hallucination) and proposes a structured roadmap for future research. As the field is evolving rapidly, this review is becoming a frequently cited reference point.*{box-sizing:border-box}body{margin:0;padding:0}a[x-apple-data-detectors]{color:inherit!important;text-decoration:inherit!important}#MessageViewBody a{color:inherit;text-decoration:none}p{line-height:inherit}.desktop_hide,.desktop_hide table{mso-hide:all;display:none;max-height:0;overflow:hidden}.image_block img+div{display:none}sub,sup{font-size:75%;line-height:0} @media (max-width: 100%;display:block}.mobile_hide{min-height:0;max-height:0;max-width: 100%;overflow:hidden;font-size:0}.desktop_hide,.desktop_hide table{display:table!important;max-height:none!important}}

Austin Miller
10 Oct 2025

#219: Getting a CISO's viewpoint

Helping beginners see from the top

Welcome to another_secpro!

This week, we're poking the brain of CISO expert David Gee to deliver you some insights which line up nicely with his new book: A Day in the Life of a CISO. We've also included our popular PDF resource again, to help you improve your training sessions and help the non-specialists amongst us to make the right moves in the age of AI. Check it out!

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

Meet Albus, the first AI Identity Agent, and see why AI-native IGA is set to replace legacy governance tools. Join Lumos on Oct 30, 12–1pm EST for a live webinar with CEO Andrej Safundzic and CTO Aurangazeb Khan. Learn how agentic AI is transforming Identity Governance with autonomous policies, approvals, and reviews, and see Albus, the industry's first identity agent, in action.

Register Now

This week's article

Rootkits in Focus: A CISO's Perspective

Today, we're taking a closer look at two kernel-level Linux rootkits that, while discovered a few years ago, still reflect the techniques seen in many of today's advanced threats: Syslogk and CMK Rootkit.

Syslogk, reported by Avast (part of Gen) in 2022, is a kernel-mode rootkit for Linux based on the older Adore-Ng Linux kernel rootkit. It's notable for its stealthy behavior: it can hide files, processes, kernel modules, and network connections. What makes it especially evasive is its use of “magic packets”: specific network traffic that acts as a trigger to activate its payload, such as a backdoor, only under certain conditions.

Check it out today

News Bytes

“State-of-the-Art in Software Security Visualization: A Systematic Review”: This paper reviews and categorises modern techniques for visualising software system security, particularly to support threat detection, compliance monitoring, and security analytics. It argues that traditional textual or numerical approaches are increasingly insufficient as systems become more complex, and proposes a taxonomy (graph-based, metaphor-based, matrix, notation) of visualization approaches. It also discusses gaps and future research directions.

“Vulnerability Management Chaining: An Integrated Framework for Efficient Cybersecurity Risk Prioritization”: This paper proposes a new integrated framework that combines historical exploitation evidence (Known Exploited Vulnerabilities, KEV), predictive threat modeling (EPSS), and technical impact (CVSS) to better prioritise vulnerabilities. The test over ~28,000 real-world CVEs suggests substantial efficiency gains (14-18×) and large reductions in urgent remediation workload, while maintaining high coverage of actual threats.

“From Texts to Shields: Convergence of Large Language Models and Cybersecurity”: This paper analyses how large language models (LLMs) are being integrated with cybersecurity across multiple dimensions: network/software security, generative/automated security tools, 5G vulnerability analysis, and security operations. It explores both the potential (e.g. AI-driven analytics, automated reasoning) and the challenges (trust, transparency, adversarial robustness, governance). It lays out a research agenda for securing LLMs in high-stakes environments.

“LLM-Assisted Proactive Threat Intelligence for Automated Reasoning”: This paper investigates how LLMs, combined with real-time threat intelligence (via Retrieval-Augmented Generation systems), can improve detection and response to emerging threats. Using feeds like KEV, EPSS, and CVE databases, the authors show that their system (Patrowl framework) better handles recently disclosed vulnerabilities compared to baseline LLMs, improving real-time responsiveness and reasoning in threat analysis.

“CAI: An Open, Bug Bounty-Ready Cybersecurity AI”: This research introduces CAI, an open-source AI designed specifically to support bug bounty testing. It benchmarks CAI against human experts in CTF (Capture the Flag) environments and demonstrates that CAI can outperform state-of-the-art results, finding vulnerabilities faster and more efficiently, particularly when humans oversee the system (Human-In-The-Loop). It also shows how CAI can democratise access to powerful security testing tools.

“A Framework for Evaluating Emerging Cyberattack Capabilities of AI”: This paper argues that current evaluation frameworks for AI in cybersecurity (e.g., via CTFs, benchmarks) are inadequate to assess real-world risk, and proposes a comprehensive framework to evaluate emerging AI offensive capabilities. It examines dual-use risks, adversarial models, and practical implications for red/blue teams, defenders, and policymakers.

This week's academia

SmartAttack: Air-Gap Attack via Smartwatches: Demonstrates a practical ultrasonic covert channel that uses a smartwatch's microphone as a receiver to exfiltrate data from air-gapped machines. The study measures range, bit rate, and the effects of body occlusion and noise, and suggests mitigations for high-security environments. This paper triggered broad media coverage because it shows how everyday wearables can defeat classical air-gap assumptions. (Mordechai Guri)

RAMBO: Leaking Secrets from Air-Gap Computers by Spelling Covert Radio Signals from Computer RAM: Introduces RAMBO, a side-channel that programs RAM access patterns to generate detectable electromagnetic/radio emissions from memory buses. Shows how malware can encode and transmit secrets from air-gapped machines (with SDR receivers) and discusses countermeasures. The attack has been widely reported and discussed in the infosec press. (Mordechai Guri)

Security Concerns for Large Language Models: A Survey: A comprehensive academic survey of emergent security/privacy threats tied to LLMs (prompt injection, jailbreaking, data-poisoning/backdoors, misuse for malware/disinformation, and risks from autonomous agents). Summarizes recent studies (2022–2025) and evaluates defense approaches and open problems; highly relevant as LLMs increasingly factor into both offensive and defensive cyber operations. (Miles Q. Li and Benjamin C. M. Fung)

Why Johnny Signs with Sigstore: Examining Tooling as a Factor in Software-Signing Adoption in the Sigstore Ecosystem: Qualitative case study / interviews with practitioners on tooling, usability, and adoption barriers for modern software signing (Sigstore ecosystem). Offers practical recommendations to improve adoption of signing/provenance tools, directly relevant to ongoing software supply-chain security conversations after high-profile incidents. This paper has been cited in industry and academic discussions about improving supply-chain resilience. (Kelechi G. Kalu, Sofia Okorafor, Tanmay Singla, Sophie Chen, Santiago Torres-Arias, James C. Davis)

“LLMs unlock new paths to monetizing exploits”: Technical/academic analysis showing how large language models lower the cost and change the economics of finding and monetizing software vulnerabilities, enabling more targeted, user-specific exploit generation and tailored extortion. The paper provides proof-of-concept demonstrations and argues for new defense strategies and measurements. It has stirred debate about the near-term impact of LLMs on attacker capabilities. (Nicholas Carlini, Milad Nasr, Edoardo Debenedetti, Barry Wang, Christopher A. Choquette-Choo, Daphne Ippolito, Florian Tramèr, Matthew Jagielski)

“Extortionality” in Ransomware Attacks: A Microeconomic Study of Extortion and Externality: Microeconomic / empirical treatment of ransomware payments and externalities: when victims pay, they may increase incentives for attackers and raise risk for others (an externality). The paper studies decision drivers for ransom payments and discusses policy implications (should ransom payments be regulated, taxed, or subsidized to reduce social harm?). This work is being referenced in policy discussions and media coverage about whether public institutions should be allowed to pay ransoms. (Tim Meurs and collaborators)

Austin Miller
03 Oct 2025

#218:

Interested in something new?

Life doesn't stand still. Neither does cybersecurity. In part, this is because cybersecurity is a concept and concepts can't stand at all (still or otherwise), but that is a concern for another day. If you have a finger on the pulse of the current landscape, you've probably noticed that quite a lot of people have quite a lot to say about AI, its role in cybersecurity, and how the future seems to be changing... and possibly even for the better.

If you're interested in keeping up with this conversation (or you have been living under a rock and need to do some quick catching up), you might like our soon-to-be available newsletter: CyberAI with Packt. We will be riding the currents of the day, diving into the emerging issues and getting to the heart of the problem with our friends working on the front lines and wanting to show their battle scars. Sound like something interesting? Check out the survey below and tell us what you'd like to see.

Take the survey - get the newsletter

#218: AI for Beginners

A friendly resource for people low down the ladder

Welcome to another_secpro!

This week, we've included a PDF resource to help you improve your training sessions and help the non-specialists amongst us to make the right moves in the age of AI. We've also expanded the news we've been poring over as well as included a few academic essays. Check them out!

- A Global Analysis of Cyber Threats to the Energy Sector: “Currents of Conflict”
- Kaspersky ICS CERT: Dynamics of External and Internal Threats to Industrial Control Systems, Q2 2025
- Threat landscape for industrial automation systems (Kaspersky ICS CERT, Q2 2025)
- Analysis of Publicly Accessible Operational Technology and Associated Risks
- Tenable FAQ on CVE-2025-20333 / CVE-2025-20362: Cisco ASA / FTD Zero-Days Exploited
- Kudelski Security Advisory: Cisco ASA WebVPN & HTTP Zero-Day Vulnerabilities (CVE-2025-20333 / CVE-2025-20362 / CVE-2025-20363)
- Greenbone: “Cisco CVEs 2025: Critical Flaws in ASA & FTD”
- CIRT.GY Advisory: Cisco ASA and FTD Zero-Day Vulnerabilities Actively Exploited in State-Sponsored Attacks
- FortiGuard Labs: “Threat Signal Report – ArcaneDoor Attack (Cisco ASA Zero-Day)”
- Black Arrow Cyber Threat Intelligence Briefing (26 Sept 2025): MFA Bypass, Supply Chain and Airport Disruptions

Check out _secpro premium

If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!

Cheers!
Austin Miller
Editor-in-Chief

This week's article

Cybersecurity AI FAQs

A cybersecurity professional's worst nightmare often isn't an APT, a skilled hacker, or even a bored script kiddie with time to waste. It's often the most fearsome threat to internal security known to humanity: the average Joe employee.

The kinds of errors that the adversary can seize upon are the kinds of errors that the average Joe makes through ignorance - and, often, it's not entirely his fault that he's ignorant about these things. Due to the nature of cybersecurity and cyberthreats, even a curious layman with a strong sense of responsibility to make sure he understands the newest emergent threats doesn't have enough time to get into the nitty-gritty of what makes a seemingly innocent action into the very thing the adversary needs to get working. Because of that, we've put together a handy little 10-point document to share with your coworkers, staple to walls, and build into your training sessions.

Click below to check it out!

Get the shareable document here

News Bytes

A Global Analysis of Cyber Threats to the Energy Sector: “Currents of Conflict”: This arXiv paper provides a novel geopolitical threat-intelligence-based analysis of cyber threats targeting the energy sector. By applying generative AI to structure raw threat data, the authors map actor origins vs target geographies, assess detection tool effectiveness (especially learning-based), and highlight evolving trends (including supply chain, third-party, and state-actor activity) in the energy domain. Their findings offer actionable insights into risk exposure and resilience for operators and policymakers.

Kaspersky ICS CERT: Dynamics of External and Internal Threats to Industrial Control Systems, Q2 2025: This report examines threat activity targeting ICS (Industrial Control Systems) in Q2 2025, breaking down external vs internal threats, types of malware detected, and penetration depth across network boundaries. Key findings include that ~20.5% of ICS systems blocked some threats, with malware types including spyware, backdoors, malicious scripts, and rogue documents. The report also analyses “borderline” systems where initial external penetration meets internal propagation, highlighting persistent risks in OT infrastructures.

Threat landscape for industrial automation systems (Kaspersky ICS CERT, Q2 2025): A companion to the previous report, this document specifically focuses on industrial automation systems (e.g., HMIs, SCADA, local control networks) and tracks how often these systems are attacked, what types of malware and scripts are used, and the trends in exposure over time. It also discusses implications for segmentation, detection, and response in critical infrastructure settings.

Analysis of Publicly Accessible Operational Technology and Associated Risks: This research quantifies and analyses OT devices exposed on the public internet, identifying nearly 70,000 such systems globally using vulnerable protocols (e.g. ModbusTCP, EtherNet/IP, S7). The authors use automated screenshot analysis to reveal exposed HMIs/SCADA interfaces, outdated firmware, and predictable configurations. The study underscores how misconfigured or publicly accessible OT systems create dangerous attack paths into critical infrastructure.

Tenable FAQ on CVE-2025-20333 / CVE-2025-20362: Cisco ASA / FTD Zero-Days Exploited: Tenable's research team provides a detailed walkthrough of two zero-day vulnerabilities actively exploited in Cisco's Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) products (CVE-2025-20333 and CVE-2025-20362). They explain how these flaws can be chained, the attack surface involved (VPN web server), the threat actor attribution (UAT4356 / ArcaneDoor), and mitigation strategies. This is timely given the widespread deployment of Cisco ASA in critical networks.

Kudelski Security Advisory: Cisco ASA WebVPN & HTTP Zero-Day Vulnerabilities (CVE-2025-20333 / CVE-2025-20362 / CVE-2025-20363): This threat research brief gives technical detail on how Cisco ASA vulnerabilities impacting WebVPN and HTTP/HTTPS services are being actively exploited by state-sponsored attackers. It highlights persistent techniques (including firmware and ROM modification), evasion of logging, and the survival of implants across device reboots/updates. Useful for defenders needing to understand the root cause and attack chain.

Greenbone: “Cisco CVEs 2025: Critical Flaws in ASA & FTD”: Greenbone's security blog summarises the newly disclosed Cisco CVEs (including CVE-2025-20333 and CVE-2025-20362) and provides context for detection and remediation via their vulnerability scanners. They explain the exploitation risk (especially for unpatched VPN web server configurations) and give guidance for scanning and prioritising vulnerable assets.

CIRT.GY Advisory: Cisco ASA and FTD Zero-Day Vulnerabilities Actively Exploited in State-Sponsored Attacks: This advisory provides a detailed technical description and IOCs (Indicators of Compromise) for the exploitation of Cisco ASA/FTD zero-days by threat actors, particularly focusing on configuration bypass, persistence, and the importance of isolating impacted devices. It also includes recommendations for network segmentation and migration to supported hardware due to end-of-life concerns.

FortiGuard Labs: “Threat Signal Report – ArcaneDoor Attack (Cisco ASA Zero-Day)”: FortiGuard provides a technical briefing on the ArcaneDoor espionage campaign, tracking its evolution, exploitation patterns, and implications for Cisco firewall deployments. The report discusses how the attackers maintain persistence, perform reconnaissance and lateral movement, and how defenders should respond at scale.

Black Arrow Cyber Threat Intelligence Briefing (26 Sept 2025): MFA Bypass, Supply Chain and Airport Disruptions: In their weekly digest, Black Arrow highlights several important cyber events: (1) the exploitation of MFA bypass and third-party/supply chain weaknesses contributing to prolonged cyber incidents, (2) disruption at European airports via attacks targeting Collins Aerospace's Muse software, and (3) increasing sophistication of ransomware groups focusing on data theft. While not a formal academic paper, this briefing is authored by credible threat intelligence analysts and includes incident patterns, risks, and mitigation recommendations.

This week's academia

Ransomware 3.0: Self-Composing and LLM-Orchestrated: Introduces a research prototype and threat model for LLM-orchestrated ransomware that uses large language models at runtime to synthesize payloads, perform reconnaissance, and carry out extortion in a closed loop. The paper evaluates this capability across personal, enterprise and embedded environments and presents behavioral signals/telemetry to help build defenses. This work sparked media attention because it shows how low-cost LLMs could materially lower the barrier to generating effective malware (research demonstration, not a deployed criminal campaign). (Md Raz, Meet Udeshi, P.V. Sai Charan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri)

A Survey of Attacks on Large Language Models: A systematic survey cataloguing attacks against LLMs and LLM-based agents (training-phase attacks, inference-phase attacks, availability/integrity attacks). The paper reviews representative methods and defenses, organizes threat taxonomies, and highlights open research challenges for securing deployed LLM systems. This is useful background for anyone tracking LLM security trends and countermeasures. (Wenrui Xu, Keshab K. Parhi)

To Patch or Not to Patch: Motivations, Challenges, and Implications for Cybersecurity: A focused review on why organizations delay or avoid applying security patches. The paper synthesizes industry and academic literature to identify incentives/disincentives (resource limits, legacy systems, risk perceptions, vendor relationships, human factors) and discusses implications for vulnerability management and policy. Highly relevant given recurring mass-exploitation incidents (Log4Shell, WannaCry, supply-chain incidents) where delayed patching was critical. (Jason R. C. Nurse, Institute of Cyber Security for Society / University of Kent)

Unraveling Log4Shell: Analyzing the Impact and Response to the Log4j Vulnerability: A comprehensive technical measurement and analysis of the Log4Shell (Log4j/CVE-2021-44228) incident: discovery timeline, exploitation patterns, measured attack volumes, impacted sectors, and mitigation/response strategies. Useful both as a historical case study and as a guide to improving open-source component hygiene and incident response practices. (John Doll, Carson McCarthy, Hannah McDougall, Suman Bhunia; Dept. of Computer Science & Software Engineering, Miami University)

Austin Miller
26 Sep 2025

#217: Privacy and You

A last look at Hemang Doshi's advice for AI, auditing, and privacyYou may have outsourced CIAM to the engineering team, but security still gets the call when there’s a breach. It’s time for you to take control, not the blame.Frontegg gives security teams direct control over the policies that safeguard your customer-facing application. No more waiting for developers to implement step-up MFA or manage compliance updates.Start Your Free TrialTake a look at the Security Suite directly#217: Privacy and YouAnother look at CISA and a survey of the landscapeWelcome to another_secpro!In cybersecurity, there's no such thing as standing still. While standing still might mean "going with the flow" in ordinary life, it means the very opposite when it comes to jousting with the adversary - indeed, standing still means "letting the flow go past you"! That's why we in the _secpro team are always pushing ourselves and pushing our readers to pick up ideas, develop skills, and stay above water in the rushing waves of "the flow"!That's why this week we are beginning a four-part series that looks into the deeds and needs of a CISA-trained professional - and, more importantly, how you can get to that plateau too. With the help of Hemang Doshi's fantastic book, we're taking the necessary steps to move from IT generalist or junior secpro into the higher echelons of auditing. Sound good? Check out this week's excerpt: Data Privacy Program and Principles.Check out _secpro premiumIf you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!Cheers!Austin MillerEditor-in-ChiefAdvance your technical career with actionable, practical solutionsAWS re:Invent 2025 Las VegasTransform your skills at AWS re:Invent 2025. Master new AWS services, join immersive workshops, and network with top cloud innovators at AWS re:Invent 2025. 
As a re:Invent attendee,you'll receive 50% discount code towards any AWS Certification exam.Our 2025 event catalog is now available!Explore the EventHere's a little meme to keep you going...Source: RedditThis week's articleData Privacy Program and PrinciplesAI is revolutionizing various industries, including auditing. Traditionally, auditing has been a manual and time-consuming process, requiring auditors to sift through large volumes of data to identify discrepancies and ensure compliance. However, with the advent of AI, the audit process is becoming more efficient, accurate, and insightful. AI can analyze vast amounts of data quickly, identify patterns, and even predict potential risks, making it an invaluable tool in modern auditing.Read the rest here!News BytesCisco ASA / FTD Zero-Days Under Active Exploitation: On 25 September, Cisco and CISA published security advisories confirming that multiple zero-day vulnerabilities affecting Cisco ASA / FTD (Firewall, VPN) products are being actively exploited. Two of these (CVE-2025-20333, CVE-2025-20362) were confirmed to have been exploited in the wild.Threat actors have leveraged advanced evasion techniques (disabling logs, intercepting CLI commands, modifying boot processes) and deployed bootkits such as RayInitiator combined with malware (e.g., LINE VIPER) to persist across reboots and firmware upgrades. The urgency prompted CISA to issue an Emergency Directive 25-03, mandating U.S. federal agencies to inventory, assess, and mitigate vulnerable Cisco devices.Continued Attack Campaign on Cisco Firewalls (Rommon / Bootkit-level Persistence) (PDF): Following the zero-day disclosures, deeper forensics revealed that the adversaries are not merely exploiting web/VPN logic flaws, but targeting the ROM Monitor (ROMMON) / boot environment of ASA devices. 
The RayInitiator bootkit persists in the boot chain, and it loads LINE VIPER, a malware module that can intercept commands, bypass VPN AAA, suppress logs, and embed itself into core ASA processes (e.g. lina). Some devices lack Secure Boot / Trust Anchor support, making them more vulnerable. These mechanisms impede forensic detection and complicate patching strategies — for example, even after reboots or upgrades, malicious modules can survive.Scattered Spider: Retail Service Desk Exploits Renewed Focus: Throughout the week, multiple analyses surfaced reaffirming that the hacking collective Scattered Spider (aka UNC3944 / Octo Tempest) is continuing to rely heavily on social engineering of service desks / help desks to gain initial footholds in enterprise networks. A new PDF—Cross-Sector Mitigations: Scattered Spider—jointly produced by sector cyber-information shares, outlines updated TTPs (tactics, techniques, procedures) and countermeasures for financial services, IT/retail, health, etc. In one prominent case, attackers impersonated internal staff, tricked the helpdesk into resetting MFA / disabling controls, and escalated privileges inside M&S / Co-op systems. Forensic Visualization Toolkit: Enhancing Threat Hunting: In a freshly published academic work (11 September 2025), researchers present “Enhancing Cyber Threat Hunting – A Visual Approach with the Forensic Visualization Toolkit”. The toolkit offers interactive visualizations of forensic and telemetry data (network, file access, process graphs) to assist threat hunters in spotting anomalies that may evade automated detection systems. 
The authors argue that combining human analytical insight with visualization accelerates detection of stealthy threats, especially those embedded in normal-looking activity windows. The paper includes realistic case studies and performance comparisons, making it a timely reference for SOC / IR teams aiming to ramp threat-hunting maturity.
Burnout in Cybersecurity: A Strategic Risk Report: While not a direct breach event, a notable paper published earlier in 2025 — “A Roadmap to Address Burnout in the Cybersecurity Profession” — has gained renewed attention this week in security circles. The work synthesizes findings from a multi-disciplinary workshop involving practitioners, academics, and ex-NSA cyber operators. It outlines the human, organizational, and workflow stresses contributing to attrition and mental fatigue, and presents a roadmap of interventions (training, rotation, psychological support, team-based structures) to mitigate erosion of security capacity. Given current pressure on SOC/IR teams (e.g. responding to high-tempo incidents like the Cisco zero-days), this issue is increasingly treated as a strategic risk in cybersecurity planning.
Digital Forensics & Risk Mitigation Strategy for Modern Enterprises: Another academic contribution gaining traction is “Comprehensive Digital Forensics and Risk Mitigation Strategy for Modern Enterprises”, published February 2025. The paper walks through a simulated case of a large identity/data-analytics firm under attack and develops an integrated strategy covering pre-incident readiness (forensic architecture design, monitoring), live response, post-incident lessons, and regulatory compliance. It emphasizes adaptive AI/ML techniques, integration of threat intelligence into forensics workflows, and continuous “forensic readiness” as a discipline. In the context of emerging threats (e.g. boot-level persistence, identity-based service desk attacks), the paper serves as a robust blueprint for mature enterprise response programs.
This week's academia
Adversarial Machine Learning: A Taxonomy and Terminology: A comprehensive NIST report that builds a clear taxonomy and standardized terminology for adversarial machine learning (AML). It describes attacker goals and capabilities across ML life-cycles, categorizes AML attack and defense types, and outlines current technical and measurement challenges for trustworthy AI in security-sensitive systems. Highly cited and used as a baseline by both researchers and practitioners. (A. Vassilev et al. NIST Trustworthy & Responsible AI group).
On Adversarial Attack Detection in the Artificial Intelligence Era: Survey/analysis of detection techniques for adversarial attacks on ML models, contrasting classic concealment/malware tactics with modern adversarial-example threats. The paper evaluates state-of-the-art detection approaches and points to gaps where attackers are leveraging large models and automation to evade defenses. Useful for defenders designing layered ML security. (N. Al Roken and collaborators).
A Defense-Oriented Model for Software Supply Chain Security: Introduces the AStRA graph-based model (Artifacts, Steps, Resources, Principals) to represent software supply chains and reason about security objectives and defenses bottom-up. Applies the model to case studies and maps past supply-chain attacks to show where defenses succeed or fail — a practical roadmap for research and industry focusing on supply-chain mitigations (SBOMs, build integrity, provenance, etc.). (E. A. Ishgair and coauthors).
Securing Automotive Software Supply Chains: NDSS paper that examines unique risks in automotive software supply chains (ECUs, OTA updates, third-party components).
It evaluates real automotive update pipelines, shows practical attack scenarios, and recommends defenses tailored to the automotive context (signing, reproducible builds, hardened update channels). Very relevant given recent high-profile industrial supply-chain incidents. (Marina Moore, Aditya Sirish A. Yelgundhalli, Justin Cappos).
Managing Deepfakes with Artificial Intelligence: Introducing a Business/Privacy Calculus: Academic analysis of deepfake threats and defenses from both technical and socio-economic angles. Proposes an AI-assisted detection/mitigation framework and a privacy/business calculus for organizations to evaluate risks vs. countermeasure costs (useful for enterprises facing deepfake-enabled fraud or reputational attacks). Timely as synthetic media use explodes. (G. Vecchietti and collaborators).
Austin Miller
22 Sep 2025

Take control, not the blame

Brought to you by Frontegg with Packt _secpro
You may have outsourced CIAM to the engineering team, but security still gets the call when there’s a breach. It’s time for you to take control, not the blame.
Frontegg gives security teams direct control over the policies that safeguard your customer-facing application. No more waiting for developers to implement step-up MFA or manage compliance updates.
That’s where Frontegg’s AI Security Suite comes in.
We’ve built our platform to address the realities you face every day:
• Adaptive anomaly detection that learns user behavior and flags deviations in real time.
• Identity and session protection, like impossible travel, to battle account takeovers and bots.
• Policy automation at scale so your access controls are consistent.
• Operational visibility that integrates directly into your existing SecOps workflow.
The result: faster detection, fewer false positives, and a security posture that evolves as threats do.
Start Your Free Trial
Delivered by Packt SecPro in partnership with Frontegg.
Austin Miller
19 Sep 2025

#216: Agile Auditing in the Age of AI

A look at CISA and the wider landscape
#216: Agile Audits in the Age of AI
Another look at CISA and a survey of the landscape
Welcome to another _secpro!
In cybersecurity, there's no such thing as standing still. While standing still might mean "going with the flow" in ordinary life, it means the very opposite when it comes to jousting with the adversary - indeed, standing still means "letting the flow go past you"! That's why we in the _secpro team are always pushing ourselves and pushing our readers to pick up ideas, develop skills, and stay above water in the rushing waves of "the flow"!
That's why this week we are beginning a four-part series that looks into the deeds and needs of a CISA-trained professional - and, more importantly, how you can get to that plateau too. With the help of Hemang Doshi's fantastic book, we're taking the necessary steps to move from IT generalist or junior secpro into the higher echelons of auditing. Sound good? Check out this week's excerpt: Agile Auditing.
Check out _secpro premium
If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!
Cheers!
Austin Miller
Editor-in-Chief
AI-Powered Platform Engineering
Platform engineering is moving fast and AI is at the center of it. In this 5 hour workshop, George Hantzaras will show you how to design golden paths, build smarter developer portals, and bring AI into ops and observability. You’ll leave with practical patterns, real examples, and a 90-day roadmap to start implementing right away.
Reserve your spot today at 30% off
Here's a little meme to keep you going...
Source: Reddit
This week's article
Agile auditing
AI is revolutionizing various industries, including auditing. Traditionally, auditing has been a manual and time-consuming process, requiring auditors to sift through large volumes of data to identify discrepancies and ensure compliance.
However, with the advent of AI, the audit process is becoming more efficient, accurate, and insightful. AI can analyze vast amounts of data quickly, identify patterns, and even predict potential risks, making it an invaluable tool in modern auditing.
Read the rest here!
News Bytes
Chrome 0-day (CVE-2025-10585): Google disclosed and patched CVE-2025-10585, a type-confusion bug in the V8 JavaScript / WebAssembly engine that has been observed exploited in the wild. Because this is an actively-exploited browser engine bug, the authoritative technical artifact is Google’s Chrome release/security bulletin (stable channel update) and associated vendor advisories rather than a research whitepaper. The release notes identify the V8 type-confusion fix and list affected Chromium builds.
Chaos Mesh “Chaotic Deputy” GraphQL flaws: JFrog Security (and follow-ups in the vulnerability ecosystem) published a technical disclosure of a set of critical flaws in Chaos-Mesh’s controller manager that expose an unauthenticated GraphQL debug API. The exposed API allows attacker-controlled calls (including endpoints to kill processes inside pods, manipulate iptables, etc.), enabling remote code execution and potential full Kubernetes cluster takeover if the operator does not restrict access. JFrog’s writeup includes proof-of-concept explanations, recommended mitigations and the patched versions.
DELMIA Apriso CVE-2025-5086: CISA added CVE-2025-5086 (deserialization of untrusted data in Dassault Systèmes DELMIA Apriso) to its KEV catalog after evidence of active exploitation. The vulnerability allows maliciously crafted serialized input to trigger remote code execution — attackers in observed campaigns delivered malicious DLLs via the flaw.
CISA’s KEV listing and the NVD entry provide technical details, affected versions and required mitigation timelines (patch or compensating controls).
Shai-Hulud: Unit 42/Sysdig technical investigations: Multiple security research teams identified a novel, self-replicating worm campaign (tracked as Shai-Hulud) that has compromised hundreds of NPM packages. The malware steals developer credentials/tokens (npm, GitHub, cloud keys), implants backdoors and malicious CI workflows, and uses those stolen tokens to publish infected package updates — creating a developer-to-supply-chain propagation mechanism. Unit 42 and Sysdig provide in-depth technical writeups (IOC lists, indicators, malware behavior, recommended detection and remediation steps).
EggStreme APT framework by Bitdefender: Bitdefender published a detailed technical report on a newly observed APT toolkit dubbed EggStreme, used in targeted espionage against a Philippine military organization. Bitdefender’s writeup is a full technical breakdown: multi-stage loaders, fileless/in-memory reflective loading, DLL sideloading techniques, gRPC-based C2, and modular backdoor/keylogger payloads (EggStremeFuel → EggStremeLoader → EggStremeReflectiveLoader → EggStremeAgent). The report contains IOCs, behavioral descriptions and recommended detection rules. This is effectively a vendor whitepaper / technical advisory.
Axios abuse through the “Salty 2FA” phishing kits: ReliaQuest published a technical “Threat Spotlight” describing a surge in automated phishing using the Axios HTTP client and abuse of Microsoft 365 Direct Send to evade mail defences. Their analysis documents how Axios-based tooling and specialized phishing kits (nicknamed “Salty 2FA”) attempt to harvest credentials or bypass MFA at scale.
The ReliaQuest writeup includes telemetry, attack flows, and mitigation guidance (policy hardening, Direct Send restrictions, EDR/IDS detection hints).
This week's academia
Multimodal Prompt Injection Attacks: Risks and Defenses: Systematic study of prompt-injection threats when inputs are multimodal (text + images + other modalities). Identifies new attack vectors that bypass text-only defenses (for example, embedding malicious instructions in images or mixed content) and evaluates mitigation strategies — useful reading for defenders building multimodal LLM apps.
Prompt Injection 2.0: Hybrid AI Threats: Extends prompt-injection analysis to hybrid attacks that combine classical web/vulnerability techniques (XSS, CSRF, etc.) with prompt-injection to escape sandboxing and exfiltrate data. The paper analyzes attack chains, demonstrates proof-of-concepts, and evaluates defensive measures that bridge web security and LLM guardrails.
Austin Miller
12 Sep 2025

#215: AI Regenerating

Another look at CISA and a survey of the landscape
Beating the Bots: How to Stop Automated Mobile App Attacks
Protecting your mobile app and defending its APIs from bots and automated attacks is more important than ever. Learn how modern API protections can help prevent attacks and mitigate bot impact. Start prepping your defenses by registering for our upcoming webinar.
Register Now
#215: AI Regenerating
Welcome to another _secpro!
In cybersecurity, there's no such thing as standing still. While standing still might mean "going with the flow" in ordinary life, it means the very opposite when it comes to jousting with the adversary - indeed, standing still means "letting the flow go past you"! That's why we in the _secpro team are always pushing ourselves and pushing our readers to pick up ideas, develop skills, and stay above water in the rushing waves of "the flow"!
That's why this week we are beginning a four-part series that looks into the deeds and needs of a CISA-trained professional - and, more importantly, how you can get to that plateau too. With the help of Hemang Doshi's fantastic book, we're taking the necessary steps to move from IT generalist or junior secpro into the higher echelons of auditing. Sound good? Check out this week's excerpt: Use of AI in Audit Planning.
Check out _secpro premium
If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!
Cheers!
Austin Miller
Editor-in-Chief
AI-Powered Platform Engineering
Platform engineering is moving fast and AI is at the center of it. In this 5 hour workshop, George Hantzaras will show you how to design golden paths, build smarter developer portals, and bring AI into ops and observability.
You’ll leave with practical patterns, real examples, and a 90-day roadmap to start implementing right away.
Seats are limited!
Reserve your spot today at 30% off
Here's a little meme to keep you going...
Source: Reddit
This week's article
Use of AI in the Audit Process
AI is revolutionizing various industries, including auditing. Traditionally, auditing has been a manual and time-consuming process, requiring auditors to sift through large volumes of data to identify discrepancies and ensure compliance. However, with the advent of AI, the audit process is becoming more efficient, accurate, and insightful. AI can analyze vast amounts of data quickly, identify patterns, and even predict potential risks, making it an invaluable tool in modern auditing.
Read the rest here!
News Bytes
Snowflake-Linked Data Breaches Hit Multiple Firms: Attackers exploited stolen credentials to access customer environments on the Snowflake cloud platform, impacting high-profile companies and exposing large datasets. Investigators warn of ongoing attempts to monetize the stolen data.
Critical Infrastructure Targeted in ‘Volt Typhoon’ Campaign: A sophisticated state-aligned threat group expanded its Volt Typhoon operations, deploying stealthy living-off-the-land techniques to compromise U.S. energy and transportation sectors without triggering standard alerts.
For further coverage from May, see here.
Okta Warns of Credential Stuffing Surge Against Admin Portals: Identity management provider Okta reported a sharp spike in automated credential stuffing attacks on its administrator portals, prompting urgent guidance on MFA enforcement and IP allowlisting.
New macOS Spyware ‘FrostedWeb’ Slips Past Apple’s Security Controls: Researchers detailed a novel macOS spyware strain capable of bypassing Gatekeeper and XProtect, harvesting browser data and keystrokes while maintaining persistence through undocumented APIs.
This week's academia
Here Comes The AI Worm: Unleashing Zero-click Worms that Target GenAI-Powered Applications: Introduces Morris-II, a self-replicating “AI worm” that exploits RAG/GenAI pipelines by embedding adversarial, self-replicating prompts which cause GenAI apps to both execute malicious payloads and propagate the prompt to other agents. The paper demonstrates feasibility in controlled environments and proposes detection/mitigation (the “Virtual Donkey”) to detect propagation. (Stav Cohen, Ron Bitton, Ben Nassi and collaborators).
Ransomware 3.0: Self-Composing and LLM-Orchestrated: A proof-of-concept study showing how LLMs can autonomously orchestrate full ransomware campaigns: reconnaissance, synthesis of payloads (code), environment-specific adaptation, exfiltration/encryption, and personalized extortion. The work demonstrates the economic feasibility of LLM-driven ransomware and argues for new behavioral/telemetry defenses. (Md Raz, Meet Udeshi, P. V. Sai Charan, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri)
Multimodal Prompt Injection Attacks: Risks and Defenses: Systematic study of prompt-injection threats when inputs are multimodal (text + images + other modalities).
Identifies new attack vectors that bypass text-only defenses (for example, embedding malicious instructions in images or mixed content) and evaluates mitigation strategies — useful reading for defenders building multimodal LLM apps.
Prompt Injection 2.0: Hybrid AI Threats: Extends prompt-injection analysis to hybrid attacks that combine classical web/vulnerability techniques (XSS, CSRF, etc.) with prompt-injection to escape sandboxing and exfiltrate data. The paper analyzes attack chains, demonstrates proof-of-concepts, and evaluates defensive measures that bridge web security and LLM guardrails.
Revealing a Hidden Class of Task-in-Prompt Adversarial Attacks (PDF): Presents and characterizes Task-in-Prompt (TIP) attacks — adversarial inputs that appear as innocuous tasks but cause LLMs to perform unintended or harmful actions. The paper provides taxonomy, attack generation techniques, responsible disclosure details, and recommended mitigation guidance for model builders and integrators. This paper was presented at ACL and has sparked active discussion in the NLP/AI safety community. (S. Berezin et al.)
A Survey on Model Extraction / Model-Stealing Attacks and Defenses for Large Language Models: A comprehensive survey and taxonomy of model extraction attacks against deployed LLMs (functionality extraction, training-data extraction, prompt-targeted attacks), plus an overview of defensive techniques (rate-limiting, watermarking, API-level defenses). This survey is gaining traction as practitioners scramble to protect proprietary models and user privacy. (K. Zhao et al.)
Source: Reddit
Austin Miller
05 Sep 2025

#214: Risky Business

Learning about risk, CISA, and stepping up
Last chance! It's nearly here!
We're into our final week before we host a range of big names in the business talking about what they know best - practical security in the age of AI. Drawing on a wealth of experience, they have plenty to share and will join me for a day of insights, explorations, and, most importantly for you, discussions that build and rebuild our understanding of the landscape in these new, particular challenges.
As a thank you for your continued subscription and engagement, we've even managed to get a code especially for you, my reader: by using SECPRO60, you get 30% off and can book your tickets without breaking the bank. What more could you ask for?
Check out the link below and clear out your calendar for next Saturday!
Check it out on Eventbrite!
#214: Risky Business
Welcome to another _secpro!
In cybersecurity, there's no such thing as standing still. While standing still might mean "going with the flow" in ordinary life, it means the very opposite when it comes to jousting with the adversary - indeed, standing still means "letting the flow go past you"! That's why we in the _secpro team are always pushing ourselves and pushing our readers to pick up ideas, develop skills, and stay above water in the rushing waves of "the flow"!
That's why this week we are beginning a four-part series that looks into the deeds and needs of a CISA-trained professional - and, more importantly, how you can get to that plateau too. With the help of Hemang Doshi's fantastic book, we're taking the necessary steps to move from IT generalist or junior secpro into the higher echelons of auditing. Sound good? Check out this week's excerpt: Risk-Based Audit Planning.
Check out _secpro premium
If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer.
Click the link above to visit our Substack and sign up there!
Cheers!
Austin Miller
Editor-in-Chief
Here's a little meme to keep you going...
Source: Reddit
This week's article
Risk-Based Audit Planning
Risk-based audit planning prioritizes the high-risk areas of an organization so as to maximize the effectiveness of the audit. By focusing on areas with the greatest potential for financial loss, compliance issues, or operational inefficiencies, auditors can proactively identify vulnerabilities and support management in making informed decisions.
Read the rest here!
Interested in our Next-Gen AI Conference?
If you're looking forward to our upcoming conference or just want a little insight into who these industry-leading speakers are, here's a little bio on two of our closest collaborators: Mark Simos and Nikhil Kumar.
Introducing Mark Simos
Mark Simos is Lead Cybersecurity Architect for Microsoft where he leads the development of cybersecurity reference architectures, best practices, reference strategies, prescriptive roadmaps, CISO workshops, and other guidance to secure organizations in the digital age.
Check out the conference on Eventbrite!
Introducing Nikhil Kumar
Nikhil is an industry expert and thought leader in Digital Transformation, Zero Trust and InfoSec, AI, Cloud Computing, APIs and SOA, with a passion for applying technology in an actionable manner. An entrepreneur with over 20 years experience, he is known as a servant leader able to create amazing solutions and bridge people, process, business and technology.
Check out the conference on Eventbrite!
News Bytes
Thousands kept waiting for Land Rovers after hack: UK-based automaker Jaguar Land Rover (JLR) experienced a sharp production halt across several plants due to a cyberattack, affecting operations and causing delays in vehicle deliveries. The attack was attributed to a hacker alias “Rey” from the Scattered Lapsus Hunters 4.0 group.
While no customer data loss has been confirmed, authorities are investigating.
Cybersecurity failures rock FEMA and 24 IT staff fired: U.S. Homeland Security Secretary Kristi Noem dismissed two dozen FEMA IT staff following serious cybersecurity mishandlings. The incident involved reactivating compromised credentials after they had been disabled, despite nearly $500 million spent on cybersecurity in FY 2025. The breach may involve state-linked Chinese hackers exploiting Microsoft vulnerabilities.
SentinelOne earnings point to strong AI-driven cybersecurity demand: SentinelOne delivered better-than-expected Q2 2026 results, pushing annual recurring revenue above $1 billion and raising full-year guidance. The surge was driven by increased demand for AI-shielded cybersecurity solutions, including its acquisition of Prompt Security. Analysts attribute growth to rising generative-AI threats and tighter regulatory demands.
The Resilient Retailer’s Guide to Proactive Cyber Defense: Retailers such as Co-operative and M&S are under rising threat from SIM-swapping and misconfigured appliances. This guide offers a defense blueprint: strong security hygiene, enforced password policies, timely patching, employee training, MDR services, and “assume breach” readiness help mitigate risks and safeguard reputations.
Chinese hackers infiltrated critical British infrastructure: GCHQ revealed that Chinese state-sponsored group Salt Typhoon has compromised the UK’s critical infrastructure—telecoms, transport, and governmental systems—as part of a broader global espionage campaign.
Active since 2021, the group is linked to multiple Chinese firms, with operations traced in 80 countries, including sensitive targeting of the UK’s NCSC.
Grok's security measures have been potentially bypassed, allowing for millions to be affected with malware: Cybersecurity researchers have flagged a new technique that cybercriminals have adopted to bypass social media platform X's malvertising protections and propagate malicious links using its artificial intelligence (AI) assistant Grok.
This week's academia
Patient Care Technology Disruptions Associated With the CrowdStrike Outage (Jeffrey L. Tully; Sumanth Rao; Isabel Straw; Rodney A. Gabriel; Christopher A. Longhurst; Stefan Savage; Geoffrey M. Voelker; Christian J. Dameff): Cross-sectional study of 2,232 U.S. hospitals showing widespread disruptions to patient-facing and operational systems during the July 2024 CrowdStrike incident; proposes internet-measurement methods to monitor critical healthcare tech in real time.
LLM Agents Can Autonomously Exploit One-Day Vulnerabilities (Richard Fang; Xinye Li; Mohit Iyyer; Yixuan Li; Yanjun Qi; David Evans; Neil Gong; Z. Morley Mao; Aurore Fass; Danqi Chen; et al.): Shows that language-model agents, given tools and goals, can autonomously find and exploit freshly disclosed (“one-day”) software bugs, raising urgent questions about automated vulnerability exploitation and defenses.
On the Feasibility of Using LLMs to Execute Multistage Network Attacks (Aidan D. Singer; Mark Goldstein; Pang Wei Koh; Adam Gleave; Micah Goldblum; Zico Kolter; Dan Hendrycks): Evaluates whether modern LLMs can plan and carry out realistic, multi-step network intrusions; reports non-trivial success on chained attack tasks and analyzes controls needed to prevent misuse.
Con Instruction: Universal Jailbreaking of Multimodal LLMs via Non-Textual Modalities (Zhichao Geng; Haohan Wang; Shiyu Chang; Bo Li; Huan Zhang; et al.): Demonstrates a general jailbreak strategy for multimodal models by embedding adversarial “instructions” in images/audio/etc., transferring across models and tasks; highlights weaknesses beyond text-only prompts.
Injecting Universal Jailbreak Backdoors into LLMs in Minutes (Zhuowei Chen; Qiannan Zhang; Shichao Pei): Introduces JailbreakEdit, a model-editing method that plants a universal jailbreak backdoor post-training—in minutes—without dataset poisoning, preserving model utility while reliably bypassing safety.
Wolves in the Repository: A Software Engineering Analysis of the XZ Utils Supply Chain Attack (Piotr Przymus; Thomas Durieux): Forensically reconstructs the XZ backdoor (CVE-2024-3094), showing how long-term social engineering and project maintenance tactics enabled the attack; offers actionable lessons for OSS governance and CI/CD.
Source: Reddit
Austin Miller
20 Feb 2026

#233: Who's Who?

A look at this year's infamous players
More than 50% of enterprises are experimenting or building with the Model Context Protocol (MCP). They use MCP to connect their AI agents to data and systems behind their corporate firewall, providing agents with the context they need to deliver real value: better code, richer responses, deeper insights, etc. The technical leaders who help their companies deploy MCP in production will create huge competitive advantages.
So, how do you get out in front of MCP?
Start with this MCP Maturity Model
With this model in hand, you will know where you are today and how to take the next step. The model includes a simple process and technology indicators for every stage and best of all, there are no forms - it’s yours to freely access and share.
The MCP Maturity Model was created by Stacklok, who have built an MCP platform and are working with enterprises to put MCP into production. Their Applied AI Engineers work hands-on with leaders to curate trusted registries, deploy advanced security measures and light up AI agents. You can learn more about the company at stacklok.com, or just drop them an email at enterprise@stacklok.com to start a conversation.
Check out the MCP Maturity Model
#233: Who's Who?
Thinking about who we've seen and when we'll see them again
Welcome to another _secpro!
If the last week has felt unusually loud in cybersecurity, you’re not imagining it. The threat landscape rarely sits still, but the volume and velocity of activity over the past several days have been particularly notable — from fresh zero-day disclosures to the continued industrialization of ransomware operations.
Several incidents reinforced a now-familiar pattern: adversaries are moving faster between initial access and lateral movement, compressing dwell time and forcing defenders to detect and respond in near real time. We’ve seen renewed exploitation of edge devices and VPN infrastructure, alongside opportunistic abuse of newly published proof-of-concept code.
Patch latency remains a decisive risk factor.
Ransomware groups, meanwhile, continue to evolve their business models. Double-extortion is table stakes; data theft without encryption is resurging as affiliates look to reduce operational friction while maintaining leverage. Law enforcement pressure has fragmented some major crews, but the ecosystem remains resilient — smaller operators are filling the gaps quickly.
Another theme this week: the expanding role of AI in offensive tradecraft. Security teams are tracking more convincing phishing pretexts, better-localized lures, and automated reconnaissance workflows. While not revolutionary on their own, these incremental gains are compounding attacker efficiency.
On the defensive side, there’s cautious optimism. Organizations accelerating identity hardening, network segmentation, and telemetry aggregation are seeing measurable gains in detection fidelity.
In this issue, we break down the most consequential events, extract the technical lessons that matter, and outline practical mitigation steps you can operationalize immediately. Let’s get into it.
Check out _secpro premium
If you want more, you know what you need to do: sign up to the premium and get access to everything we have on offer. Click the link above to visit our Substack and sign up there!
Cheers!
Austin Miller
Editor-in-Chief
The Problem with One-Size-Fits-All Mobile App Security and How to Fix It
Is your team struggling to balance security requirements with user experience? Join us on February 24 at 4 PM CET / 10 AM ET for a webinar discussing how leading financial services teams are shifting to data-driven, risk-based mobile security for more precise responses.
Register Now
This week's article
The 2026 Rogue's Gallery
In 2025, cybersecurity experts continued to track an evolving landscape of financially motivated and geopolitically aligned threat groups whose operations grew in scale, coordination, and technical sophistication.
Among the most prevalent were Cl0p, known for large-scale data-extortion campaigns exploiting zero-day vulnerabilities in managed file transfer platforms, and Qilin, a ransomware-as-a-service operation that refined double-extortion and partner affiliate models.

Check it out today

If you'd like to find out about our series on social engineering, start here: the adversary moves in the age of AI, then make sure to check out the articles linked in this introduction: here, here, here, here, and here.

News Bytes

Google Warns of Hackers Leveraging Gemini AI for All Stages of Cyberattacks (Google Threat Intelligence Group): State-backed and criminal actors are operationalizing Gemini for recon, payload development, phishing lure generation, and automation across intrusion lifecycles.
Palo Alto Soft-Pedals China Attribution in Global Espionage Campaign (Reuters – Christopher Bing et al.): Unit 42 reporting tied activity to a China-aligned cluster but public attribution was reportedly toned down due to geopolitical and business risk considerations.
GTIG Analysis Exposes Growing Cyber Threats to Military Infrastructure (Google Threat Intelligence Group): Defense industrial base entities face escalating intrusion attempts, with targeting focused on logistics, contractors, and operational support systems.
CrashFix Campaign Deploys ModeloRAT via Browser Extension Abuse (Cyware Threat Intelligence): ClickFix evolution uses malicious ad-blocker extensions to crash browsers, coercing victims into executing commands that deploy a remote-access trojan.
React2Shell Exploitation Surges Following Public Tooling Release (Cyware Research): CVE-2025-55182 exploitation exceeded 1.4 million attempts in a week, enabling unauthenticated RCE and deployment of reverse shells and XMRig miners.
GlassWorm Supply-Chain Malware Targets OpenVSX Extensions (Cyware / Threat Briefing): Attackers hijacked developer accounts to push trojanized updates using invisible Unicode obfuscation and persistent macOS
backdoors.
OpenClaw AI “Skill” Ecosystem Weaponized for Credential Theft (Cyware / Jamieson O’Reilly research): Over 230 malicious skills delivered infostealers via fake tooling, harvesting API keys, wallets, and browser credentials.
BYOVD Intrusion Uses Revoked EnCase Driver to Kill EDR (Acumen Cyber / Huntress-linked research): Attackers leveraged a signed but revoked kernel driver for privilege escalation and direct termination of endpoint security controls.
European Commission MDM Platform Breach Disclosure (Acumen Cyber Threat Digest): Unauthorized access to centralized mobile device management infrastructure exposed staff contact metadata but not enrolled devices.

Into the blogosphere...

Security for AI-Native Companies: The 6 Shifts You Can’t Ignore (Gradient Flow): This article examines structural security changes required for organizations building AI-first products. It argues that perimeter security is obsolete and must be replaced with identity-centric controls governing humans and AI agents alike. The piece highlights risks such as model impersonation, agent privilege escalation, and dataset poisoning, emphasizing Zero Trust architectures adapted for autonomous systems.
LLMs + Coding Agents = Security Nightmare (Gary Marcus): Marcus explores how large language models integrated into coding agents introduce systemic vulnerabilities. He outlines risks including insecure code generation, exploit scaffolding, and accelerated malware development. The article frames LLMs as amplifiers of existing AppSec failures—particularly when deployed without human review or secure SDLC guardrails.
How Hackers Turned Claude Code Into a Semi-Autonomous Cyber Weapon (Ben Dickson): This piece analyzes adversarial misuse of AI coding systems. It documents how attackers decomposed malicious objectives into benign prompts, bypassing safety filters.
The article details attack chaining, guardrail evasion, and autonomous exploit iteration—illustrating how generative AI can operationalize cyberattacks at machine speed.
Capital, Competition, and the Business of Cybersecurity (Ross Haleliuk): This article analyzes macro-economic and venture dynamics shaping the cybersecurity sector. It explores consolidation pressures, platformization of security tooling, and the funding gap between early-stage innovators and incumbents. The post is frequently cited in operator and VC circles for its market intelligence and strategic forecasting.

This week's academia

Federated Learning-Driven Cybersecurity Framework for IoT Networks with Privacy-Preserving and Real-Time Threat Detection Capabilities (Milad Rahmati): This paper proposes a decentralized cybersecurity architecture tailored to IoT ecosystems using federated learning. Instead of aggregating sensitive telemetry in a central repository, models are trained locally on edge devices and securely aggregated using homomorphic encryption. The framework leverages recurrent neural networks to detect anomalies such as DDoS attacks while preserving data privacy. Reported detection accuracy exceeds 98%, with improved energy efficiency relative to centralized approaches. The study addresses scalability, privacy preservation, and real-time detection—three persistent bottlenecks in IoT security.
Adaptive Cybersecurity: Dynamically Retrainable Firewalls for Real-Time Network Protection (Sina Ahmadi): This research introduces machine-learning firewalls capable of continual retraining in production environments. Unlike static rule-based systems, these firewalls adapt to emergent threat signatures using reinforcement and continual learning pipelines. The architecture supports distributed micro-services deployments, integrates with Zero Trust models, and optimizes latency and throughput.
The work frames adaptive perimeter defense as essential given polymorphic malware and AI-assisted intrusion techniques.
Adversarial Defense in Cybersecurity: A Systematic Review of GANs for Threat Detection and Mitigation (Tharcisse Ndayipfukamiye; Jianguo Ding; Doreen Sebastian Sarwatt; Adamu Gaston Philipo; Huansheng Ning): This systematic review analyzes 185 peer-reviewed studies on the dual use of Generative Adversarial Networks in cyber offense and defense. It proposes a four-dimensional taxonomy covering GAN architectures, defensive roles, threat models, and cybersecurity domains. Findings show GANs improve intrusion detection, malware classification, and synthetic threat simulation but suffer from training instability, explainability deficits, and computational overhead. The paper outlines a research roadmap emphasizing hybrid GAN models and defenses against LLM-driven cyberattacks.
Algorithmic Segmentation and Behavioral Profiling for Ransomware Detection Using Temporal-Correlation Graphs (Ignatius Rollere; Caspian Hartsfield; Seraphina Courtenay; Lucian Fenwick; Aurelia Grunwald): This article presents a graph-analytics framework for ransomware detection based on temporal-correlation modeling of system behaviors. By mapping encryption activity, process lineage, and anomaly timing, the system distinguishes malicious from benign operations in real time. Experimental evaluations show superior precision and recall compared to signature-based and heuristic tools, particularly against polymorphic ransomware strains. The architecture is designed for enterprise scalability and modular SOC integration.
Generative AI Revolution in Cybersecurity: A Comprehensive Review of Threat Intelligence and Operations (Mueen Uddin; Muhammad Saad Irshad; Irfan Ali Kandhro; et al.): This review examines how generative AI is transforming cyber threat intelligence, SOC automation, and attack simulation.
It surveys applications including automated phishing detection, malware generation analysis, vulnerability discovery, and incident response orchestration. The authors also evaluate risk externalities—such as AI-enabled social engineering and autonomous attack tooling—positioning generative models as both defensive accelerants and threat multipliers.
Keeping Up with the KEMs: Stronger Security Notions for KEMs and Automated Analysis of KEM-based Protocols (Cas Cremers; Alexander Dax; Niklas Medinger): Focused on post-quantum cryptography, this award-winning paper advances formal security models for Key Encapsulation Mechanisms (KEMs), a foundational primitive in hybrid and quantum-resistant encryption schemes. The authors introduce stronger security definitions and automated symbolic analysis techniques to validate KEM-based protocols. The work is highly relevant as governments and critical infrastructure sectors prepare for quantum decryption threats.