blue team – PwnDefend

Email Security: An Enablement Journey, Not a Maturity Ladder

Most organizations treat email authentication as a checkbox exercise. Deploy SPF, publish DMARC in reporting mode, call it done. But the real story isn’t about maturity tiers—it’s about what you unlock at each phase of implementation. And frankly, the gap between where organizations are and where they need to be is brutal.

This post outlines an enablement journey: each phase builds on the previous one and creates new capabilities that weren’t possible before.

Research

The State of DNS Security — Where the Top…

A position snapshot of the full Majestic Million across three layers — DNSSEC signing, email authentication (SPF / DMARC / MTA-STS), and DANE. This is the scorecard: what is deployed, on how many domains, and how it’s distributed by rank and TLD. Remember Majestic Million is a bit old so a chunk of the domains no longer resolve, but the data gives a good thematic view.

Leadership

DNSSEC

‘You are totally compromised!’ because you don’t have DNSSEC configured on domain…..

The implication is that you’re one packet away from catastrophe. It’s alarming. It’s also, for the overwhelming majority of organisations, not true. I have been talking about this for years and years!

Here’s the quickest way to see through it. I scanned the Majestic Million – the top one million domains on the internet – for DNSSEC. About 6.75% were signed (around 8.2% if you only count domains that actually resolve). The .com zone, which is half the list, sits at 4.6%. And the unsigned set includes google.com, amazon.com and microsoft.com.

So if “no DNSSEC” means “totally compromised,” then the three most-attacked, best-defended companies on the planet are totally compromised, and have been for years, on purpose. They aren’t. The finding is measuring conformance to a checklist, not risk. Let’s understand why this is!

Threat Intel

cPanel Vulnerability Exploited ITW

Mass iternet exploitation events are never fun, this week we have CVE-2026-41940 being exploited! Luckily we have the awesome and cool honeypots at Defused to help us investigate threat actor activity! So let’s take a look! (there’s a good writeup here from Watchtowr.

Kill Chain

We have used ‘AI’ (Claude) to create a timeline based on packets from Defused honeypots:

What did Claude say?

I exported the logs from the Defused honeypot TI feed focused on a single IP then imported that include a chat with Claude:

Here’s the breakdown of what the data shows:

Attack summary — CVE-2026-41940 against a cPanel honeypot

The attacker at 80.87.206.131 ran a structured, two-wave exploitation chain over approximately 22 minutes. The CVE pattern maps to a known cPanel authentication bypass class: forge a session via the preauth endpoint, propagate it through a cache gadget, then leverage the resulting authenticated context to make privileged JSON-API calls.

Wave 1 (06:36–06:37) was a minimal two-step probe — session mint followed immediately by a single cache propagation attempt. This is consistent with tooling running an initial reachability check before committing to full exploitation.

Wave 2 (06:57–06:58) is the main effort. The attacker repeated the session mint, fired the cache gadget twice (likely confirming propagation), and within 9 seconds of the second gadget request had transitioned to authenticated API calls — specifically authorizesshkey (SSH key injection) and listaccts (account enumeration). The two events timestamped 06:58:28suggest either a scripted burst or the tooling executing the auth’d phase in parallel.

Key indicators for hunting:

POST /login/?login_only=1 as the session mint vector
GET /scripts2/listaccts as the cache gadget trigger
Rapid pivot to /json-api/ endpoints within seconds of gadget confirmation
20-minute gap between waves is characteristic of automated tooling with a callback/retry loop

Worth checking whether 80.87.206.131 appears in any other decoy logs — the structured cadence strongly suggests an automated exploit kit rather than manual operation.

We can see here, the exploit here is very simple, POST then a GET followed by API access!

Not only do we now have data to write detections from, we can also look at creating a PoC for penetration testing and vulnerability assessment purposes! A double win! This really goes to show how valuable honeypots can be from a broad TI perspective as well as supporting defence and offence!

A double edged sword (or pot?), like so many things in life!

Suggested Actions to take

Check if you or your hosting providers run CPANEL
Check for compromise (or request intel from a partner)
If no compromise detected patch the server
- if you can’t patch consider using an IP allow list/VPN or other method to shield access from anywhere on the internet (you might want to do this even if you have patched)
If compromised follow your incident repsonse process

Each scenario is different so I’ll not try and tell everyone exactly what they should do here, the key point of this blog is to highlight the vulnerability, the threat/risk so people can take the appropriate steps.

Also, you probably want to check out the honeypots at Defused! They are awesome!

[update] just found this in the packets: H2ckt3ch@g0dl1k3 (cm9vdDpIMmNrdDNjaEBnMGRsMWsz is the BASE64). I won’t publish all the packets right now (because that probably won’t help this early on) but this string was interesting…

Education

Passkeys are better than passwords!

The future is here today! Ok, perhaps that’s a bit over dramatic, however there’s one thing in cyber security that is and has always been a general problem: Passwords! So enter the lord and saviour of all cyber security: Passkeys! (ok, they aren’t but they are cool and useful in a range of scenarios!) Let’s take a deeper look.

Using AI in a positive (non scary) way

Do you ever struggle to keep up with the cyber world? Not everyone is plugged into the internet 24/7 as some people (I swear I get offline sometimes!) so keeping up to date with the cyber world can be pretty tricky! Also who has time to read everything? no one that’s who! But what about if we used an LLM to read things for us and then give us an update? Well here’s an example of this!

Threat Intel

Cyber Attack on Poland’s Electric System 2025

This week there’s been a lot of activity on reporting on a compromise which occurred in 2025 in Poland.

I’m neck deep inside some project work so I don’t have time to pour over this but I did spent a few minutes prompting GROK.

“On December 29, 2025, Poland experienced a coordinated and destructive cyber attack targeting its electric grid, specifically focusing on distributed energy resources (DERs) such as more than 30 wind farms, solar (photovoltaic) installations, and one major combined heat and power (CHP) plant that supplies heat to nearly half a million residents. The assault, which occurred amid harsh winter weather including low temperatures and snowstorms, exploited vulnerabilities like exposed FortiGate firewalls/VPNs lacking multi-factor authentication, default or weak credentials on devices (e.g., Hitachi RTUs, Mikronika controllers), and poor network segmentation. Attackers gained access to operational technology (OT) systems, deploying wiper malware (including variants like DynoWiper and LazyWiper), overwriting disks, deleting files, resetting configurations, and uploading corrupted firmware to “brick” certain hardware—resulting in permanent field-level impairment and complete loss of remote monitoring and control at affected sites. Despite these actions, no power outages or heat supply disruptions occurred, thanks to the grid’s coal-heavy inertia, resilient generation continuity, and partial mitigations such as endpoint detection and response (EDR) blocking wipers in the CHP environment.

Threat Intel

FortiSIEM CVE-2025-64155 Exploitation Analysis

‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’

https://www.fortiguard.com/psirt/FG-IR-25-772

This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN and then analysis using an LLM (GROK) (so take the analysis with a pinch of salt):

Leadership

The danger of internet exposed RDP

There’s lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having say an Active Directory domain member, or even controller exposed to the internet with Remote Desktop Protocol? Might sound insane but this is a common route for entry for ransomware actors.

Defense

People and Passwords, why passkeys might change the game

This weekend at BSIDES London it was great to have the UK National Cyber Security Center (NCSC) (the UK’s technical authority on cyber security) give a talk about passkeys!