Threat Intel

FortiSIEM CVE-2025-64155 Exploitation Analysis

‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’

https://www.fortiguard.com/psirt/FG-IR-25-772

This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN, and then analysis using an LLM (GROK), so take the analysis with a pinch of salt:

Read more “FortiSIEM CVE-2025-64155 Exploitation Analysis”
Leadership

The danger of internet exposed RDP

There are lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having, say, an Active Directory domain member, or even a domain controller, exposed to the internet via Remote Desktop Protocol. It might sound insane, but this is a common route of entry for ransomware actors.

Read more “The danger of internet exposed RDP”
Guides

What are passkeys and how do they work?

Phishing, brute force, data breaches, info stealers etc. are all ways in which people steal credentials. We’ve had this problem for decades: stealing or guessing something people know is relatively trivial over the internet. This accounts for a huge volume of the breaches we have seen over the last 20+ years. Whilst people seem to understand this, they don’t seem to know how to change to fix it (it’s not that we don’t know, it’s that change is hard for lots of reasons). So there might be a solution with the adoption of passkeys! So what are passkeys?

Read more “What are passkeys and how do they work?”
Threat Intel

Analysing 1 Million Honeypot events with Defused Cyber Deception

A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls; the ASA was the next generation of these! Why is this important? Well, it’s important to understand how common threat actors work. You will see that a while ago I wrote a review of “the manual 2.0” by Bassterlord (a known cybercriminal); this is to help understand how attackers work and what real world cybercrime looks like, so that we can enable people to help defend against these threats.

Read more “Analysing 1 Million Honeypot events with Defused Cyber Deception”
Education

A threat to sanity – Cyber Myth: Juice Jacking

“Juice jacking” has become a modern cybersecurity myth — a catchy scare story built on a long-patched Android debugging issue and fueled by viral fear rather than facts. Despite years of warnings, there are no confirmed cases of real-world juice jacking attacks; the cost, effort, and low reward make it an impractical method for criminals. Yet the myth persists because it’s vivid, simple, and scary — everything our brains latch onto. The real danger is not the USB port at the airport, but the distraction such myths create. When people focus on imaginary threats, they waste precious attention that should go toward genuine risks like weak passwords, missing MFA, unpatched systems, and poor backups. So let’s take a bit of a deeper dive into this subject, because in my experience it’s important to understand what to, and what not to, focus on!

Read more “A threat to sanity – Cyber Myth: Juice Jacking”
News

‘Secure’ Firewall backups, until they are not!

Firewalls are often both a defended gate and the front door to the corporate network. That is all lovely until it’s not! You see so many corporate network intrusion incidents occur from threat actors simply logging into the VPN (due to lack of VPN), and then we have the software vulnerabilities where they shell their way in, but did you think that another way could be from stealing all the backups from a ‘security’ provider? Well now you might! There’s been a bit of an incident (one that started as “it’s only 5% of customers” but actually it was 100% of customers who used the backup feature! YIKES), but before that let’s look at the typical landscape!

Read more “‘Secure’ Firewall backups, until they are not!”
Threat Intel

Shiny Hunters / Scattered Spider Alleged Victims

Shiny Hunters/Scattered Spider have published a leaked download site (DLS)/extortion site etc.
This is a fast publish with content mainly generated using an LLM (GROK). This appears to relate to victims of social engineering; it does not appear to be related to the Salesforce/SalesLoft Drift breach: https://help.salesforce.com/s/articleView?id=005134951&type=1

Read more “Shiny Hunters / Scattered Spider Alleged Victims”
Defence

Business Email Compromise: Impact Assessment

If you are a victim of unauthorised mailbox access and/or attempted fraud via mailbox compromise (BEC), then you know that one of the tasks, beyond understanding how the compromise occurred, what configurations have been tampered with, removing devices, and resetting usernames/passwords (and tokens/MFA) etc., is to start to understand the data breach impact.

If someone has logged into a mailbox it’s very very unlikely that zero data has been accessed!

Read more “Business Email Compromise: Impact Assessment”