Imagine this, you setup a server and it has a really weak administrator password! Now let’s imagine you expose RDP to the internet. How long would it take to get pw3nd?
Well we did this, using a custom configuration to make this safe, we setup a Windows Server, setup an administrator account with the password of ‘password’ and monitored the logs! So let’s see what we found.
Read more “Administrator:password”
‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’
https://www.fortiguard.com/psirt/FG-IR-25-772
This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN and then analysis using an LLM (GROK) (so take the analysis with a pinch of salt):
Read more “FortiSIEM CVE-2025-64155 Exploitation Analysis”
Whilst some people go on about DNSSEC, PUBLIC WIFI and JUICE JACKING they seem to be missing out on a threat that is real, active and has seen increased adoption by threat actors. SMS BLASTING!
Sounds cool, but basically it’s an ISMSI Catcher/Fake CELL network that is broadcasted between 500m and 2Km that lets an attacker send SPOOFED SMS messages to any cell that connects. This can be used for scams, phishing etc.
Read more “SMSBlasters Historic Incidents”
‘CVE-2025-58034 is an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb, allowing an authenticated attacker to execute unauthorized code on the system through crafted HTTP requests or CLI commands. It affects versions including FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, and 7.0.0-7.0.11. The vulnerability has a CVSSv3 score of 6.7 (medium severity) and has been observed exploited in the wild, prompting its addition to CISA’s Known Exploited Vulnerabilities catalog.’
Read more “Fortiweb – CVE-2025-58034”
Another day another exploit in the wild it seems! (ok I’m a bit slow to this one). Using Defused Cyber’s Honeypots we have another packet to analyse:
Read more “Fortiweb – CVE-2025-64446”
Off the back of Operation Endgame (great work everyone involved!) we have some more data to show what many of us in the cyber industry know but isn’t so easy to show people. So I figured this might help explain part of how and why infostealers are a problem but also I look at how we might be able to use this takedown to help feed into a risk modelling process.
Read more “Rhadamanthys – Over 44 Million Credentials Stolen”
A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.
Read more “Analysing 1 Million Honeypot events with Defused Cyber Deception”
Shiny Hunters/Scattered spider have published a leaked download site (DLS)/extortion site etc.
This is a fast publish with content mainly generated using an LLM (GROK). This appears to relate to victims who have been victims of social engineering, it does not appear to be related to the Salesforce, SalesLoft Drift breach: https://help.salesforce.com/s/articleView?id=005134951&type=1
In evaluating capabilities for LLMs (AI) recently, I’m looking at the viability of creating more content with them. I’m explicitly calling out where I do, aside from my writing style, I’m also keen to show the pros and cons. Do LLMs replace humans? Not from my experience so far. I’ve been looking at combined physical + digital attacks recently and the associated threat classes… I’m trying to avoid the word group or gang, because collectives are slightly different and are dynamic, almost mission focused if you will.
Read more “The Com, 764, and Associated Groups”
Motivation and a diverse network of people and capabilities can go a long way, then add in digital skills and winning steak… and you have: scattered spider!
There’s a big difference between zero day spraying the internet and planting webshells or copying someone’s open S3 bucket and say…. doxing staff, their families and attacking them and their assets in the real and digital worlds.
I think people won’t broadly grasp the effects that can be achieved (harm) when the adversary is motivated, dedicated, capable, resourced and has very little moral qualms.
There is no magic bullet to defend against an adversary like this, you need a whole of organisation defence (and to pursue even more than that!).
Read more “An evolution of threat actor”