Research

The State of DNS Security — Where the Top…

A position snapshot of the full Majestic Million across three layers — DNSSEC signing, email authentication (SPF / DMARC / MTA-STS), and DANE. This is the scorecard: what is deployed, on how many domains, and how it’s distributed by rank and TLD. Remember, the Majestic Million is a bit old, so a chunk of the domains no longer resolve, but the data gives a good thematic view.

Read more “The State of DNS Security — Where the Top Million Stands: DNSSEC, Email Authentication & DANE by the Numbers”
Cybercrime

Using shame to enable extortion

When we look at ‘sextortion’ and ‘email based extortion’ tactics used by threat actors we see a common pattern, one that leverages shame & fear. I’ve worked with some victims of this and it’s really not nice for them; the impacts are not just financial, they are emotional and sometimes more. Fortunately (for me) I don’t deal with this in volume; however, I wanted to highlight something: the similarities between extortion and what I would describe as ‘Security Scanning’ shame scamming. Now you might think that’s a massive leap… but bear with me, I’ve been looking at this (CTI/OSINT) plus working with ‘victims’ for years…

I’ll be posting about some research I’ve done on DNSSEC shortly too. I’d kind of figured this topic was over years ago, but it’s recently come back on my radar; you know, sometimes ‘duty calls’. But let’s look at shame-based extortion patterns for now:

AI

one step closer to Skynet?

Yesterday I ran a pentest against an RDP server. The process was OK but not amazing: I had to provide more help than I would have liked, and resource consumption and the idea it should keep going… weren’t great. The process and output weren’t terrible at all, but they didn’t blow me away.

So today I wanted to see if Claude could take on a simple Active Directory lab! Now let’s be clear, there were I think one or two updates to the Claude client in that time! The Claude UI even changed look and feel! So I spun up an AD lab I had made a while ago and got to work!

Threat Intel

Cyber Attack on Poland’s Electric System 2025

This week there’s been a lot of reporting activity on a compromise which occurred in 2025 in Poland.

I’m neck deep inside some project work so I don’t have time to pore over this, but I did spend a few minutes prompting GROK.

“On December 29, 2025, Poland experienced a coordinated and destructive cyber attack targeting its electric grid, specifically focusing on distributed energy resources (DERs) such as more than 30 wind farms, solar (photovoltaic) installations, and one major combined heat and power (CHP) plant that supplies heat to nearly half a million residents. The assault, which occurred amid harsh winter weather including low temperatures and snowstorms, exploited vulnerabilities like exposed FortiGate firewalls/VPNs lacking multi-factor authentication, default or weak credentials on devices (e.g., Hitachi RTUs, Mikronika controllers), and poor network segmentation. Attackers gained access to operational technology (OT) systems, deploying wiper malware (including variants like DynoWiper and LazyWiper), overwriting disks, deleting files, resetting configurations, and uploading corrupted firmware to “brick” certain hardware—resulting in permanent field-level impairment and complete loss of remote monitoring and control at affected sites. Despite these actions, no power outages or heat supply disruptions occurred, thanks to the grid’s coal-heavy inertia, resilient generation continuity, and partial mitigations such as endpoint detection and response (EDR) blocking wipers in the CHP environment.

Leadership

The danger of internet exposed RDP

There are lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having, say, an Active Directory domain member, or even a controller, exposed to the internet with Remote Desktop Protocol. It might sound insane, but this is a common route of entry for ransomware actors.
