toad.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
Mastodon server operated by David Troy, a tech pioneer and investigative journalist addressing threats to democracy. Thoughtful participation and discussion welcome.


#incidentresponse

5 posts · 5 participants · 0 posts today

Hey everyone! It's been a pretty packed 24 hours in the cyber world, with critical zero-day exploits, major breaches, new malware tactics, and some significant policy shifts from the UK government. Let's dive in:

SharePoint Zero-Days Under Active Exploitation by China-Linked APTs ⚠️
- Microsoft SharePoint on-premise servers are under active attack via a chain of zero-day vulnerabilities (CVE-2025-53770, CVE-2025-53771), allowing unauthenticated Remote Code Execution (RCE) and spoofing.
- Microsoft attributes exploitation to China-linked nation-state groups Linen Typhoon (APT27), Violet Typhoon (APT31), and Storm-2603, who are deploying web shells and stealing MachineKeys for persistence.
- Emergency patches have been released for SharePoint Server Subscription Edition, 2019, and 2016, but organisations with internet-exposed on-premise servers should assume compromise and rotate ASP.NET machine keys and restart IIS.

🤖 Bleeping Computer | bleepingcomputer.com/news/micr
🤖 Bleeping Computer | bleepingcomputer.com/news/micr
🤫 CyberScoop | cyberscoop.com/microsoft-share
🕵🏼 The Register | go.theregister.com/feed/www.th

Cisco ISE RCE Flaws Actively Exploited 🛡️
- Cisco warns of active exploitation of three maximum-severity (CVSS 10.0) unauthenticated Remote Code Execution (RCE) vulnerabilities in Cisco Identity Services Engine (ISE): CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337.
- These flaws allow attackers to execute arbitrary commands as root or upload and execute malicious files without authentication.
- Immediate patching to ISE 3.3 Patch 7 or ISE 3.4 Patch 2 is critical, as there are no workarounds.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Recent Cyber Attacks and Breaches 🚨
- Dell confirmed a breach of its "Solution Center" demo environment, stating that the exfiltrated 1.3 TB of data by WorldLeaks (Hunters International rebrand) was "primarily synthetic (fake) data" or non-sensitive.
- Hungarian police arrested a 23-year-old suspect, "Hano," for a prolonged series of DDoS attacks against independent media outlets in Hungary and the Vienna-based International Press Institute (IPI) since April 2023.
- AMEOS Group, a major Central European healthcare network, disclosed a security breach where external actors gained unauthorised access to IT systems, potentially exposing patient, employee, and partner data, leading to a full IT system shutdown.
- A Silicon Valley engineer, Chenguang Gong, pleaded guilty to stealing thousands of trade secrets, including sensitive US missile technology and radiation-hardened camera designs, from his employers, with links to Chinese "talent programs."

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/hungary-arrest
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

New Malware and Ransomware Tactics 👾
- CISA and FBI issued a joint warning about escalating Interlock ransomware activity, which targets businesses and critical infrastructure, particularly healthcare, using unusual initial access methods like drive-by downloads from compromised sites and fake browser updates.
- Russian cybersecurity researchers disrupted NyashTeam, a Russian-speaking group operating a malware-as-a-service scheme (DCRat, WebRat) since 2022, by dismantling over 110 domains and removing associated Telegram channels and instructional videos.
- A new variant of the Coyote banking trojan is abusing Microsoft's UI Automation (UIA) framework to identify banking and cryptocurrency exchange sites, a technique that evades Endpoint Detection and Response (EDR) and marks the first real-world case of UIA abuse for data theft.
- Arch Linux removed three malicious packages ("librewolf-fix-bin", "firefox-patch-bin", "zen-browser-patched-bin") from its Arch User Repository (AUR) that were installing the CHAOS Remote Access Trojan (RAT), highlighting the risks of community-maintained repositories.

🗞️ The Record | therecord.media/russia-hacker-
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/fbi-vigilance-

UK Government's Ransomware Policy Shift 🇬🇧
- The UK government is proposing a ban on ransomware payments by public sector organisations and critical national infrastructure (CNI) to disrupt the criminal business model and make these entities less attractive targets.
- New measures, part of the Cyber Resilience Bill, will also mandate reporting of all ransomware incidents to law enforcement and require private businesses to notify the government before making any ransom payments.
- While aiming to improve visibility and resilience, concerns remain about the effectiveness of a payment ban on opportunistic attackers and whether law enforcement will have sufficient resources to utilise the increased intelligence.

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/mandatory-repo
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🤫 CyberScoop | cyberscoop.com/uk-ransomware-p

New Wi-Fi Tracking Raises Privacy Concerns 🔒
- Researchers in Italy have developed "WhoFi," a technique that creates a unique biometric identifier for individuals based on how their bodies interfere with Wi-Fi signals (Channel State Information - CSI).
- This method allows for re-identification and tracking of people across different Wi-Fi networks with high accuracy (up to 95.5%), even if they are not carrying a device.
- The research raises significant privacy concerns, as it enables pervasive surveillance without traditional visual or device-based tracking.

🕵🏼 The Register | go.theregister.com/feed/www.th

CISA CyberSentry Program Funding Lapses 📉
- Funding for CISA's CyberSentry Program, a critical public-private partnership that monitors US critical infrastructure (IT/OT) for nation-state threats, expired on Sunday.
- This lapse has forced Lawrence Livermore National Laboratory to stop monitoring networks, creating a significant gap in visibility into potential cyberattacks on essential services.
- The incident highlights ongoing instability and funding challenges within CISA and the broader federal government, impacting vital cybersecurity initiatives.

🕵🏼 The Register | go.theregister.com/feed/www.th

Open Source Security: Eyeballs and Trust 👀
- An opinion piece highlights that while open source software benefits from "many eyes" for security, this doesn't come for free; trust is built through clear communication and defensive coding.
- Automated scanners can misidentify benign, low-level system utilities as malware, as demonstrated by John Hammond's analysis of the "Talon" Windows de-bloater.
- Developers of open source tools that perform system-wide modifications should provide thorough documentation and comments to clarify their intent and avoid triggering suspicion.

🕵🏼 The Register | go.theregister.com/feed/www.th

Windows Server Update Issues ⚙️
- Microsoft has acknowledged a known issue where the July 8th Windows Server 2019 security update (KB5062557) causes the Cluster service to repeatedly stop and restart.
- This bug can prevent nodes from rejoining clusters, lead to virtual machine restarts, and trigger Event ID 7031 errors, especially on systems with BitLocker enabled on Cluster Shared Volumes (CSV) drives.
- While a mitigation is available, Microsoft has not yet rolled it out publicly and is advising affected organisations to contact business support for assistance.

🤖 Bleeping Computer | bleepingcomputer.com/news/micr

Leaked and Loaded: DOGE’s API Key Crisis

One leaked API key exposed 52 private LLMs and potentially sensitive systems across SpaceX, Twitter, and even the U.S. Treasury.

In this episode of Cyberside Chats, @sherridavidoff and @MDurrin break down the DOGE/XAI API key leak. They share how it happened, why key management is a growing threat, and what you should do to protect your organization from similar risks.

🎥 Watch the video: youtu.be/Lnn225XlIc4

🎧 Listen to the podcast: chatcyberside.com/e/api-key-ca

Urgent SharePoint Security Update

Microsoft has released out-of-band patches for two actively exploited SharePoint zero-days, CVE-2025-53770 and CVE-2025-53771, used in ToolShell attacks that have already impacted dozens of organizations worldwide. Microsoft has patches for Microsoft SharePoint Subscription Edition and SharePoint 2019, but is still working on an update for SharePoint 2016.

Admins, patch and:
✔ Rotate machine keys after patching
✔ Review logs for suspicious activity
✔ Investigate any signs of compromise immediately

Don't delay—these RCE flaws bypass earlier fixes and are being actively exploited.

Read the details: bleepingcomputer.com/news/micr
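As an added example (not code from the post above or from Microsoft), the following PowerShell script walks through the three admin steps just listed on a patched on-premises SharePoint server: it lists recently modified .aspx/.ashx files under the SharePoint hive and IIS web roots as a first pass at spotting dropped web shells, then rotates the ASP.NET machine keys for every content web application and restarts IIS. It assumes the SharePoint PowerShell snap-in is available and that the Update-SPMachineKey cmdlet is present on the patched build; the directory list and the 14-day lookback window are assumptions chosen for illustration.

```powershell
# Added example: post-patch SharePoint hygiene. Not from the original post.
# Run as a farm administrator on every SharePoint server in the farm, after patching.
# Assumptions: SharePoint snap-in present, Update-SPMachineKey available on this build,
# default hive and IIS paths, 14-day lookback for "recent" files.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

function Find-RecentAspxFiles {
    param(
        # Assumed default locations; adjust for non-default installs.
        [string[]]$Roots = @(
            "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
            "C:\inetpub\wwwroot\wss\VirtualDirectories"
        ),
        [int]$Days = 14
    )
    $since = (Get-Date).AddDays(-$Days)
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        # Server-side script files written recently to these roots are worth a look:
        # patching does not normally touch them, but a dropped web shell does.
        Get-ChildItem -Path $root -Recurse -Include *.aspx, *.ashx -File -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            Select-Object FullName, LastWriteTime, Length
    }
}

function Invoke-MachineKeyRotation {
    # Rotate the ASP.NET machine keys for each content web application,
    # then restart IIS so the new keys take effect (stolen keys become useless).
    Get-SPWebApplication | ForEach-Object {
        Write-Host "Rotating machine key for $($_.Url)"
        Update-SPMachineKey -WebApplication $_
    }
    iisreset.exe
}

# 1. Review: record anything recently written to the hive or web roots for the IR team.
$suspects = Find-RecentAspxFiles
if ($suspects) {
    Write-Warning "Recently modified .aspx/.ashx files found; treat as possible compromise and investigate:"
    $suspects | Format-Table -AutoSize
} else {
    Write-Host "No recently modified .aspx/.ashx files under the checked roots."
}

# 2. Rotate keys and restart IIS regardless of step 1: exposed servers should assume compromise.
Invoke-MachineKeyRotation
```

The file scan is only a quick triage aid; a clean result does not rule out compromise, which is why the key rotation and IIS restart run unconditionally. Save the pre-rotation file listing alongside the IIS logs you review so the investigation has a timestamped baseline.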

A number of sites are misreporting a Premier Health Partners breach as affecting 154,731 patients. That number was actually a partial number from an earlier incident and not from the 2023 one they have just issued a press release about.

More background and details at:

databreaches.net/2025/07/20/pr

DataBreaches.Net: Premier Health Partners issues a press release about a breach two years ago. Why was this needed now?

Holiday Horror Stories: Why Hackers Love Long Weekends!

In this episode of Cyberside Chats, @sherridavidoff and @MDurrin break down real-life cyberattacks that hit during holiday weekends, including the infamous Kaseya ransomware attack and the MOVEit data breach.

You’ll hear:
• Why 91% of ransomware attacks happen outside business hours
• How hackers strategically time attacks around holidays—when your staff is least prepared
• Lessons from Krispy Kreme, Target, and even the Bank of Bangladesh
• Practical takeaways to harden your defenses before the next long weekend

📽️ Watch the video: youtu.be/pCuYx9nPXgk
🎧 Listen to the podcast: chatcyberside.com/e/cyber-atta

Plan ahead. Patch before you relax, and test your holiday response plan. Contact us if you need help with testing, policy development, or training.

🍔🍟 New Discernible Drill Alert!

The recent McDonald’s AI hiring chatbot disclosure got us thinking about how unprepared most organizations are for third-party AI security incidents.

We’ve developed a new incident comms drill that puts security teams in the hot seat when researchers discover critical vulnerabilities in AI platforms. The twist? You’re not just managing technical remediation - you’re navigating:

🛣️ Multiple disclosure pathways (coordinated, immediate, regulatory)
🤝 Complex researcher relationships and coalition dynamics
🫣 Uncooperative vendors who resist transparency
📊 Business continuity during peak operations
🎯 Incident communication across franchise networks

How confident are you in managing researcher disclosure timelines when your vendor relationship becomes adversarial? When was the last time your team practiced coordinating with security researchers on a vendor vulnerability impacting your customers?

This drill forces teams to think beyond technical fixes to strategic communication that can either enhance or destroy your security reputation based on how you handle researcher relationships.

Subscribe to join at DiscernibleInc.com/Drills

🚨 KongTuke FileFix Leads to New Interlock RAT Variant

Researchers from The DFIR Report, in partnership with Proofpoint, have identified a new and resilient variant of the Interlock ransomware group’s remote access trojan (RAT). This new malware, a shift from the previously identified JavaScript-based Interlock RAT (aka NodeSnake), uses PHP and is being used in a widespread campaign.

🧅 Attack Chain
FileFix lure ➡️ PowerShell ➡️ Obfuscated PHP RAT

🧠 Key Capabilities
🔍 Automated Discovery
‣ Enumerates processes, services, ARP tables, and user context

🛠️ Hands-On-Keyboard Activity
‣ net user, tasklist, nltest, whoami, dir, and more

⚙️ Execution & Persistence
‣ Runs EXE, DLL, and shell commands
‣ Establishes persistence via registry Run key

📖 Full Report:

thedfirreport.com/2025/07/14/k

The DFIR Report: KongTuke FileFix Leads to New Interlock RAT Variant
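As an added example (not from The DFIR Report or Proofpoint), here is a PowerShell audit of the Run and RunOnce keys that the persistence mechanism described above abuses. It enumerates every auto-start value for the machine and the current user and flags entries that launch a PHP interpreter (the post notes the new variant is PHP-based), that go through a script host or LOLBin, that run from a user-writable directory, or that use encoded or hidden execution. The specific heuristics and path list are assumptions chosen for illustration, not indicators published in the report.

```powershell
# Added example: audit Run/RunOnce keys for suspicious auto-start entries.
# Not from the original report; heuristics below are illustrative assumptions.

function Get-RunKeyEntries {
    # Machine-wide and per-user auto-start locations (32-bit view included).
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $paths) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key     = $path
                Name    = $name
                Command = [string]$key.GetValue($name)
            }
        }
    }
}

function Test-SuspiciousRunEntry {
    param([string]$Command)
    $c = $Command.ToLower()
    $reasons = @()
    # The variant in the report is PHP-based; a PHP interpreter in a Run key is unusual.
    if ($c -match 'php\.exe|php-cgi') { $reasons += 'invokes PHP interpreter' }
    # Script hosts and LOLBins are common launchers for dropped payloads.
    if ($c -match 'powershell|pwsh|wscript|cscript|mshta|rundll32') { $reasons += 'script host or LOLBin launcher' }
    # Legitimate software rarely auto-starts from temp or profile directories.
    if ($c -match '\\appdata\\|\\temp\\|\\programdata\\|\\users\\public\\') { $reasons += 'runs from user-writable path' }
    # Encoded commands or hidden windows are classic evasion.
    if ($c -match '-enc|-e |frombase64string|-w hidden|windowstyle hidden') { $reasons += 'encoded or hidden execution' }
    return $reasons
}

# Walk every auto-start entry and report those matching at least one heuristic.
$findings = foreach ($entry in Get-RunKeyEntries) {
    $why = Test-SuspiciousRunEntry -Command $entry.Command
    if ($why.Count -gt 0) {
        $entry | Add-Member -NotePropertyName Reasons -NotePropertyValue ($why -join '; ') -PassThru
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host 'No Run/RunOnce entries matched the heuristics.'
}
```

Run it from an elevated session so the HKLM views are readable, and compare the output against a known-good baseline from the same build: a match is a lead for the analyst, not a verdict, and an absence of matches says nothing about persistence stored outside these keys (scheduled tasks, services, WMI subscriptions).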

A critical vulnerability in old Telerik software gave an attacker remote code execution on an SFTP-only Windows server. That meant they didn’t need credentials, antivirus didn’t trigger, and default log sizes meant almost nothing useful was captured.

From there? PowerShell exclusions, admin account created, RDP tunnelled in via Ngrok, ransomware deployed.

They even opened Pornhub either to cover traffic or celebrate the moment. Who knows?

This attack wasn’t subtle. But it worked because basic controls were missing.

We’ve broken down the incident. Plus, recommendations you can act on now to prevent the same thing.

📌pentestpartners.com/security-b

Online extortion is the new ransomware. Is your organization prepared?

Today’s hackers frequently skip the encryption step of ransomware and go straight to online extortion, stealing your data and threatening to leak it unless you pay.

In our latest blog, we break down:
• Why exfiltration-only attacks are surging
• How threat actors like World Leaks operate
• What your organization can do to stay ahead

Read the details: lmgsecurity.com/online-extorti

LMG Security: Online Extortion Is the New Ransomware: Why Hackers Just Want Your Data. Online extortion is on the rise as hackers skip ransomware encryption and go straight to data theft and blackmail. Read about this trend and how to protect your organization.

🔥 New Discernible Drill this week!

Recent Scattered Spider attacks on airlines highlight the challenges of responding to a network compromise when every minute of downtime affects thousands of passengers and critical safety operations.

Our latest drill scenario puts you in the SOC during an active airline intrusion. You'll navigate the unique communication challenges of balancing security containment with operational continuity when flight schedules, passenger safety, and regulatory compliance are all on the line.

Perfect for:
✈️ SOC analysts and engineers
✈️ Incident response teams
✈️ Anyone working in critical infrastructure security

The aviation industry's complex operational requirements create communication scenarios you won't find in typical incident response training.

Ready to see how you'd handle it?

Subscribe to join at DiscernibleInc.com/drills

#IncidentResponse #SecurityCommunications
#ScatteredSpider

A major cybersecurity legal case is moving forward. ✈️ Delta Air Lines is proceeding with its $550M+ lawsuit against CrowdStrike over the July 2024 outage that canceled 7,000 flights and impacted 1.3M passengers.

⚖️ The court allowed claims of:
🧠 Gross negligence
💻 Computer trespass
🕵️‍♂️ Limited fraud

📉 Delta claims the update could have been caught with a simple test. CrowdStrike is pushing back, saying damages should be limited under Georgia law. This case may redefine how courts view software vendor liability, especially for updates in critical infrastructure.

💬 Should companies expect higher legal accountability for third-party software failures?

#CyberSecurity #Delta #CrowdStrike #LegalTech #IncidentResponse

reuters.com/sustainability/boa

Valuable insights from Eireann Leverett, security researcher and advisor to FIRST, featured in CSO on conducting effective post-incident reviews!

The article explores how organizations can strengthen cybersecurity defenses through structured post-incident analysis, moving beyond mitigation to meaningful learning and improvement.

Key recommendations:

🔍 Document incidents as they evolve, not just as they end
📊 Capture context behind decision-making processes during incidents
⚡ Focus on structural learning over individual blame

Thank you Bob Violino and CSO for showcasing how thoughtful incident analysis drives continuous security improvement.

Read more: go.first.org/ISkJp

CSO Online: How to conduct an effective post-incident review. Mitigation and remediation aren’t the endpoints of incident response. Having a structured process to analyze and learn from a cybersecurity incident once it has been resolved is paramount to improving security operations.

Most organizations think security communications = crisis PR, but this narrow focus actually sabotages the media relationships they're trying to protect.

When security incidents hit the news, journalists aren't starting from scratch -- they're drawing on accumulated context about your organization's communication patterns and competence built over months or years.

That means the real work of effective security communications happens in internal meetings, stakeholder interactions, and organizational messaging long before any reporter gets involved.

Here's a new post from us on building comprehensive security communications that strengthen rather than undermine your credibility: discernibleinc.com/blog/sabota

Your UPS might be a silent security risk.

Watch our new video to see how a standard uninterruptible power supply (UPS) became the gateway to hacking a real bank.

We walk you through:

▪ How UPS devices connect to networks—and why that matters
▪ The danger of default credentials on embedded systems
▪ How spoofed email servers let attackers steal domain credentials
▪ The exact steps that led to full network compromise

Watch now! youtu.be/Ru5RR9COqYw


In August 2020, @SchizoDuckie and I published what was to become the first of a series of articles or posts called "No Need to Hack When It's Leaking."

In today's installment, I bring you "No Need to Hack When It's Leaking: Brandt Kettwick Defense Edition." It chronicles efforts by @JayeLTee, @masek, and me to alert a Minnesota law firm to lock down their exposed files, some of which were quite sensitive.

Read the post and see how even the state's Bureau of Criminal Apprehension had trouble getting this law firm to respond appropriately.

databreaches.net/2025/07/04/no

Great thanks to the Minnesota Bureau of Criminal Apprehension for their help on this one, and to @TonyYarusso and @bkoehn for their efforts.

DataBreaches.Net: No need to hack when it’s leaking: Brandt Kettwick Defense edition