Welcome to another _secpro!
We're starting up a series on the MITRE ATT&CK framework to best understand the Top Ten threats over the last year. This week, we begin with the first entry in our list: T1005! Make sure to check out our article below and keep an eye open for this month's premium issue to get more insights into MITRE ATT&CK and learn how to apply techniques that overcome the problems most organisations have been facing over the last year.
And then, of course, we've got our usual news, tools, and conference venues roundup. In the editor's spotlight this week, I advise you all to read Picus Security's Red Report 2025!
As always, make sure to check out the templates, podcasts, and other stuff on our Substack and access the very best that we have to offer. You might even learn something!
Cheers!
Austin Miller
Editor-in-Chief
Many organizations still find it challenging to effectively implement and meaningfully integrate security into rapid, agile DevOps practices. Dive into Snyk’s six pillars for success and how we arrived here in the first place.
Snyk's new whitepaper DevSecOps is dead...or is it? dives into:
- Why traditional DevSecOps approaches often fall short
- The critical role of Developer Security in true DevSecOps success
- How to move beyond the limitations and achieve a more robust and efficient security posture
Addressing these core issues will help organizations build a successful DevSecOps framework for modern application security.
In the MITRE ATT&CK framework, T1005 refers to the technique called Data from Local System, in which adversaries search for and collect data of interest from local sources such as file systems, configuration files and local databases, typically ahead of exfiltration. Over the last year it has been leveraged by notable threat groups such as the Bianlian Ransomware Group, Mustang Panda, the Twelve Hacktivist Group, the CRON#TRAP Campaign, APT36, and Shedding Zmiy, using malware such as the Voldemort Backdoor and GLOBSHELL.
Bruce Schneier - Critical GitHub Attack: "This is serious: A sophisticated cascading supply chain attack has compromised multiple GitHub Actions, exposing critical CI/CD secrets across tens of thousands of repositories. The attack, which originally targeted the widely used “tj-actions/changed-files” utility, is now believed to have originated from an earlier breach of the “reviewdog/action-setup@v1” GitHub Action, according to a report."
Bruce Schneier - Is Security Human Factors Research Skewed Towards Western Ideas and Habits?: "Really interesting research: “How WEIRD is Usable Privacy and Security Research?” by Ayako A. Hasegawa, Daisuke Inoue, and Mitsuaki Akiyama."
Bruce Schneier - Improvements in Brute Force Attacks: "New paper: “GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3.”"
Bruce Schneier - TP-Link Router Botnet: "There is a new botnet that is infecting TP-Link routers: The botnet can lead to command injection which then makes remote code execution (RCE) possible so that the malware can spread itself across the internet automatically. This high severity security flaw (tracked as CVE-2023-1389) has also been used to spread other malware families as far back as April 2023 when it was used in the Mirai botnet malware attacks. The flaw is also linked to the Condi and AndroxGh0st malware attacks."
Catalyst - mySCADA myPRO Manager and Runtime RCE Vulnerabilities: Supervisory Control and Data Acquisition (SCADA) systems are at the core of industrial automation, ensuring seamless operation across sectors such as energy, manufacturing, and critical infrastructure. With the digital transformation of these industries, SCADA systems are increasingly becoming targets for cyber threats.
CISA - CISA Adds Three Known Exploited Vulnerabilities to Catalog: CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation: CVE-2025-1316 Edimax IC-7100 IP Camera OS Command Injection Vulnerability; CVE-2024-48248 NAKIVO Backup and Replication Absolute Path Traversal Vulnerability; and CVE-2017-12637 SAP NetWeaver Directory Traversal Vulnerability.
The Citizen Lab - Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations: Paragon Solutions Ltd. was established in Israel in 2019. The founders of Paragon include Ehud Barak, the former Israeli Prime Minister, and Ehud Schneorson, the former commander of Israel’s Unit 8200. Paragon sells a spyware product called Graphite, which reportedly provides “access to the instant messaging applications on a device, rather than taking complete control of everything on a phone,” like NSO Group’s Pegasus spyware.
Krebs On Security - ClickFix: How to Infect Your PC in Three Easy Steps: "A clever malware deployment scheme first spotted in targeted attacks last year has now gone mainstream. In this scam, dubbed “ClickFix,” the visitor to a hacked or malicious website is asked to distinguish themselves from bots by pressing a combination of keyboard keys that causes Microsoft Windows to download password-stealing malware."
Trellix - Analysis of Black Basta Ransomware Chat Leaks: "On Feb 11, 2025 a Telegram user @ExploitWhispers shared via their Telegram channel ‘shopotbasta’ (EN: ‘basta whisper’) Black Basta RaaS (Ransomware as a Service) Matrix chat leaks containing over 200,000 messages spanning from September 2023 to September 2024. The @ExploitWhispers claim that Black Basta has recently attacked Russian banks and thus crossed the line, therefore they decided to leak their internal chat communications."
Pillar - New Vulnerability in GitHub Copilot and Cursor: How Hackers Can Weaponize Code Agents: Pillar Security researchers have uncovered a dangerous new supply chain attack vector we've named "Rules File Backdoor." This technique enables hackers to silently compromise AI-generated code by injecting hidden malicious instructions into seemingly innocent configuration files used by Cursor and GitHub Copilot—the world's leading AI-powered code editors.
MalwareArchaeology/ATTACK - These Cheat Sheets are provided for you to use in your assessments and improvements of your security program and so that you may customize them to your unique environment.
nshalabi/ATTACK-Tools - This repository contains the following: ATT&CK™ Data Model: a relational data model for ATT&CK™ and ATT&CK™ View: an adversary emulation planning tool.
mdecrevoisier/EVTX-to-MITRE-Attack - A set of EVTX samples mapped to MITRE ATT&CK tactics and techniques to measure your SIEM coverage or develop new use cases.
Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!
RSA Conference (28th April - 1st May): The RSA Conference is a cornerstone of the global cybersecurity calendar. Known for its comprehensive content tracks, this conference addresses everything from cloud security to zero-trust architectures. The event also features an innovation sandbox, where start-ups showcase breakthrough technologies.
CyberUK (6th-7th May): Organised by the UK’s National Cyber Security Centre (NCSC), CyberUK is the government’s flagship cybersecurity event. It brings together security leaders, policymakers, and industry professionals to discuss pressing cybersecurity issues. With a strong focus on collaboration and innovation, CyberUK is a hub for public and private sector expertise.
DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.
Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.
Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.