Defense
Today I was browsing twitter and I saw a falcon feed post about NoName claiming to have DoS’d some UK government sites, and well it got me thinking (and talking to some friends) about why in 2026 we haven’t solved this problem. (DoS = Denial of Service, DDoS = Distributed Denial of Service)
Read more “2026: Why have we not solved DDoS Yet?”
Threat Intel
Mass iternet exploitation events are never fun, this week we have CVE-2026-41940 being exploited! Luckily we have the awesome and cool honeypots at Defused to help us investigate threat actor activity! So let’s take a look! (there’s a good writeup here from Watchtowr.
We have used ‘AI’ (Claude) to create a timeline based on packets from Defused honeypots:
I exported the logs from the Defused honeypot TI feed focused on a single IP then imported that include a chat with Claude:
Here’s the breakdown of what the data shows:
Attack summary — CVE-2026-41940 against a cPanel honeypot
The attacker at 80.87.206.131 ran a structured, two-wave exploitation chain over approximately 22 minutes. The CVE pattern maps to a known cPanel authentication bypass class: forge a session via the preauth endpoint, propagate it through a cache gadget, then leverage the resulting authenticated context to make privileged JSON-API calls.
Wave 1 (06:36–06:37) was a minimal two-step probe — session mint followed immediately by a single cache propagation attempt. This is consistent with tooling running an initial reachability check before committing to full exploitation.
Wave 2 (06:57–06:58) is the main effort. The attacker repeated the session mint, fired the cache gadget twice (likely confirming propagation), and within 9 seconds of the second gadget request had transitioned to authenticated API calls — specifically authorizesshkey (SSH key injection) and listaccts (account enumeration). The two events timestamped 06:58:28suggest either a scripted burst or the tooling executing the auth’d phase in parallel.
Key indicators for hunting:
POST /login/?login_only=1 as the session mint vectorGET /scripts2/listaccts as the cache gadget trigger/json-api/ endpoints within seconds of gadget confirmationWorth checking whether 80.87.206.131 appears in any other decoy logs — the structured cadence strongly suggests an automated exploit kit rather than manual operation.
We can see here, the exploit here is very simple, POST then a GET followed by API access!
Not only do we now have data to write detections from, we can also look at creating a PoC for penetration testing and vulnerability assessment purposes! A double win! This really goes to show how valuable honeypots can be from a broad TI perspective as well as supporting defence and offence!
A double edged sword (or pot?), like so many things in life!
Each scenario is different so I’ll not try and tell everyone exactly what they should do here, the key point of this blog is to highlight the vulnerability, the threat/risk so people can take the appropriate steps.
Also, you probably want to check out the honeypots at Defused! They are awesome!
[update] just found this in the packets: H2ckt3ch@g0dl1k3 (cm9vdDpIMmNrdDNjaEBnMGRsMWsz is the BASE64). I won’t publish all the packets right now (because that probably won’t help this early on) but this string was interesting…
Threat Intel
‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’
https://www.fortiguard.com/psirt/FG-IR-25-772
This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN and then analysis using an LLM (GROK) (so take the analysis with a pinch of salt):
Read more “FortiSIEM CVE-2025-64155 Exploitation Analysis”
Leadership
There’s lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having say an Active Directory domain member, or even controller exposed to the internet with Remote Desktop Protocol? Might sound insane but this is a common route for entry for ransomware actors.
Read more “The danger of internet exposed RDP”
Guides
Phishing, Brute Force, Data Breaches, Info stealers etc. are all ways in which people steal credentials. We’ve had this problem for decades, stealing something or guessing something people know is relatively trivial over the internet. This leads to a huge volume of the breaches we have seen over the last 20+ years. Whilst people seem to understand this, they don’t seem to know how to change to fix this…. (it’s not that we don’t know it’s that change is hard for lots of reasons). So there might be a solution with the adoption of passkeys! So what are passkeys?
Read more “What are passkeys and how do they work?”
Defense
This weekend at BSIDES London it was great to have the UK National Cyber Security Center (NCSC) (the UK’s technical authority on cyber security) give a talk about passkeys!
Threat Intel
A common perimeter firewall in organisations is the CISCO ASA. Back when I started in the industry we used to have CISCO PIX firewalls, the ASA was the next generation of these! Why is this important? Well its important to understand how common threat actors work, you will see from a while ago I wrote a review of the manual 2.0 by Bassterlord (a known cybercriminal), this is to help understand how attackers work, what real world cybercrime looks like so that we can enable people to help defend against these threats.
Read more “Analysing 1 Million Honeypot events with Defused Cyber Deception”
Education
“Juice jacking” has become a modern cybersecurity myth — a catchy scare story built on a long-patched Android debugging issue and fueled by viral fear rather than facts. Despite years of warnings, there are no confirmed cases of real-world juice jacking attacks; the cost, effort, and low reward make it an impractical method for criminals. Yet the myth persists because it’s vivid, simple, and scary — everything our brains latch onto. The real danger is not the USB port at the airport, but the distraction such myths create. When people focus on imaginary threats, they waste precious attention that should go toward genuine risks like weak passwords, missing MFA, unpatched systems, and poor backups. So let’s take a bit of a deeper dive into this subject, because by it’s important to understand what to, and what not to focus on in my experience!
Read more “A threat to sanity – Cyber Myth: Juice Jacking”
News
Firewalls are often both a defended gate but also the front door to access corporate network. That is all lovely until it’s not! You see so many corporate network intrusion incidents occur from threat actors simply logging into the VPN (due to lack of VPN), and then we have the software vulnerabilities where they shell their way in, but did you think that another way could be from stealing all the backups from a ‘security’ provider? Well now you might! There’s been bit of an incident (one that started as it’s only 5% of customers but actually it was 100% of customers who used the backup feature! YIKES), but before that let’s look at the typical landscape!
Read more “‘Secure’ Firewall backups, until they are not!”
Threat Intel
Shiny Hunters/Scattered spider have published a leaked download site (DLS)/extortion site etc.
This is a fast publish with content mainly generated using an LLM (GROK). This appears to relate to victims who have been victims of social engineering, it does not appear to be related to the Salesforce, SalesLoft Drift breach: https://help.salesforce.com/s/articleView?id=005134951&type=1