Threat Intel

Cyber Attack on Poland’s Electric System 2025

This week there’s been a lot of activity on reporting on a compromise which occurred in 2025 in Poland.

I’m neck deep inside some project work so I don’t have time to pour over this but I did spent a few minutes prompting GROK.

“On December 29, 2025, Poland experienced a coordinated and destructive cyber attack targeting its electric grid, specifically focusing on distributed energy resources (DERs) such as more than 30 wind farms, solar (photovoltaic) installations, and one major combined heat and power (CHP) plant that supplies heat to nearly half a million residents. The assault, which occurred amid harsh winter weather including low temperatures and snowstorms, exploited vulnerabilities like exposed FortiGate firewalls/VPNs lacking multi-factor authentication, default or weak credentials on devices (e.g., Hitachi RTUs, Mikronika controllers), and poor network segmentation. Attackers gained access to operational technology (OT) systems, deploying wiper malware (including variants like DynoWiper and LazyWiper), overwriting disks, deleting files, resetting configurations, and uploading corrupted firmware to “brick” certain hardware—resulting in permanent field-level impairment and complete loss of remote monitoring and control at affected sites. Despite these actions, no power outages or heat supply disruptions occurred, thanks to the grid’s coal-heavy inertia, resilient generation continuity, and partial mitigations such as endpoint detection and response (EDR) blocking wipers in the CHP environment.

Read more “Cyber Attack on Poland’s Electric System 2025”
Threat Intel

FortiSIEM CVE-2025-64155 Exploitation Analysis

‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’

https://www.fortiguard.com/psirt/FG-IR-25-772

This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN and then analysis using an LLM (GROK) (so take the analysis with a pinch of salt):

Read more “FortiSIEM CVE-2025-64155 Exploitation Analysis”
Leadership

The danger of internet exposed RDP

There’s lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having say an Active Directory domain member, or even controller exposed to the internet with Remote Desktop Protocol? Might sound insane but this is a common route for entry for ransomware actors.

Read more “The danger of internet exposed RDP”
Threat Intel

Fortiweb – CVE-2025-58034

‘CVE-2025-58034 is an OS command injection vulnerability (CWE-78) in Fortinet FortiWeb, allowing an authenticated attacker to execute unauthorized code on the system through crafted HTTP requests or CLI commands. It affects versions including FortiWeb 8.0.0-8.0.1, 7.6.0-7.6.5, 7.4.0-7.4.10, 7.2.0-7.2.11, and 7.0.0-7.0.11. The vulnerability has a CVSSv3 score of 6.7 (medium severity) and has been observed exploited in the wild, prompting its addition to CISA’s Known Exploited Vulnerabilities catalog.’

Read more “Fortiweb – CVE-2025-58034”
Threat Intel

Analysing 1 Million Honeypot events with Defused Cyber Deception

A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.

Read more “Analysing 1 Million Honeypot events with Defused Cyber Deception”
Copyright (c) Xservus Limited