Leadership

Email Security: An Enablement Journey, Not a Maturity Ladder

Most organizations treat email authentication as a checkbox exercise. Deploy SPF, publish DMARC in reporting mode, call it done. But the real story isn’t about maturity tiers—it’s about what you unlock at each phase of implementation. And frankly, the gap between where organizations are and where they need to be is brutal.

This post outlines an enablement journey: each phase builds on the previous one and creates new capabilities that weren’t possible before.

Read more “Email Security: An Enablement Journey, Not a Maturity Ladder”
Cybercrime

Using shame to enable extortion

When we look at ‘sextortion’ and ’email based extortion’ tactics used by threat actors we see a common pattern, one that leverages shame & fear. I’ve worked with some victims of this and it’s really not nice for them, the impacts are not just financial, they are emotional and sometimes more. It’s fortunately (for me) don’t however deal with this in volume, however I wanted to highlight something, the similarities between extortion and what I would describe as ‘Security Scanning’ shame scamming. Now you might think, that’s a massive leap… but bear with me, I’ve been looking at this (CTI/OSINT) plus working with ‘victims’ for years…

I’ll be posting about some research I’ve done on DNSSEC shortly too, I’ve kind of figured this topic was over years ago, but it’s recently come back on my radar, you know sometimes ‘duty calls’. But let’s look at shame based extortion patterns for now:

Read more “Using shame to enable extortion”
Threat Intel

cPanel Vulnerability Exploited ITW

Mass iternet exploitation events are never fun, this week we have CVE-2026-41940 being exploited! Luckily we have the awesome and cool honeypots at Defused to help us investigate threat actor activity! So let’s take a look! (there’s a good writeup here from Watchtowr.

Kill Chain

We have used ‘AI’ (Claude) to create a timeline based on packets from Defused honeypots:

What did Claude say?

I exported the logs from the Defused honeypot TI feed focused on a single IP then imported that include a chat with Claude:

Here’s the breakdown of what the data shows:

Attack summary — CVE-2026-41940 against a cPanel honeypot

The attacker at 80.87.206.131 ran a structured, two-wave exploitation chain over approximately 22 minutes. The CVE pattern maps to a known cPanel authentication bypass class: forge a session via the preauth endpoint, propagate it through a cache gadget, then leverage the resulting authenticated context to make privileged JSON-API calls.

Wave 1 (06:36–06:37) was a minimal two-step probe — session mint followed immediately by a single cache propagation attempt. This is consistent with tooling running an initial reachability check before committing to full exploitation.

Wave 2 (06:57–06:58) is the main effort. The attacker repeated the session mint, fired the cache gadget twice (likely confirming propagation), and within 9 seconds of the second gadget request had transitioned to authenticated API calls — specifically authorizesshkey (SSH key injection) and listaccts (account enumeration). The two events timestamped 06:58:28suggest either a scripted burst or the tooling executing the auth’d phase in parallel.

Key indicators for hunting:

  • POST /login/?login_only=1 as the session mint vector
  • GET /scripts2/listaccts as the cache gadget trigger
  • Rapid pivot to /json-api/ endpoints within seconds of gadget confirmation
  • 20-minute gap between waves is characteristic of automated tooling with a callback/retry loop

Worth checking whether 80.87.206.131 appears in any other decoy logs — the structured cadence strongly suggests an automated exploit kit rather than manual operation.

We can see here, the exploit here is very simple, POST then a GET followed by API access!

Not only do we now have data to write detections from, we can also look at creating a PoC for penetration testing and vulnerability assessment purposes! A double win! This really goes to show how valuable honeypots can be from a broad TI perspective as well as supporting defence and offence!

A double edged sword (or pot?), like so many things in life!

Suggested Actions to take

  • Check if you or your hosting providers run CPANEL
  • Check for compromise (or request intel from a partner)
  • If no compromise detected patch the server
    • if you can’t patch consider using an IP allow list/VPN or other method to shield access from anywhere on the internet (you might want to do this even if you have patched)
  • If compromised follow your incident repsonse process

Each scenario is different so I’ll not try and tell everyone exactly what they should do here, the key point of this blog is to highlight the vulnerability, the threat/risk so people can take the appropriate steps.

Also, you probably want to check out the honeypots at Defused! They are awesome!

[update] just found this in the packets: H2ckt3ch@g0dl1k3 (cm9vdDpIMmNrdDNjaEBnMGRsMWsz is the BASE64). I won’t publish all the packets right now (because that probably won’t help this early on) but this string was interesting…

Threat Intel

Administrator:password

Imagine this, you setup a server and it has a really weak administrator password! Now let’s imagine you expose RDP to the internet. How long would it take to get pw3nd?

Well we did this, using a custom configuration to make this safe, we setup a Windows Server, setup an administrator account with the password of ‘password’ and monitored the logs! So let’s see what we found.

Read more “Administrator:password”
Threat Intel

FortiSIEM CVE-2025-64155 Exploitation Analysis

‘An improper neutralization of special elements used in an OS command (‘OS Command Injection’) vulnerability [CWE-78] in FortiSIEM may allow an unauthenticated attacker to execute unauthorized code or commands via crafted TCP requests.’

https://www.fortiguard.com/psirt/FG-IR-25-772

This analysis was conducted using data from Defused, enrichment from IPINFO and SHODAN and then analysis using an LLM (GROK) (so take the analysis with a pinch of salt):

Read more “FortiSIEM CVE-2025-64155 Exploitation Analysis”
Leadership

The danger of internet exposed RDP

There’s lots of things in cyber security to consider when looking at how to defend a network, and whilst the world goes mad about public wifi and juice jacking, the real threats are often far simpler. Imagine having say an Active Directory domain member, or even controller exposed to the internet with Remote Desktop Protocol? Might sound insane but this is a common route for entry for ransomware actors.

Read more “The danger of internet exposed RDP”
Guides

What are passkeys and how do they work?

Phishing, Brute Force, Data Breaches, Info stealers etc. are all ways in which people steal credentials. We’ve had this problem for decades, stealing something or guessing something people know is relatively trivial over the internet. This leads to a huge volume of the breaches we have seen over the last 20+ years. Whilst people seem to understand this, they don’t seem to know how to change to fix this…. (it’s not that we don’t know it’s that change is hard for lots of reasons). So there might be a solution with the adoption of passkeys! So what are passkeys?

Read more “What are passkeys and how do they work?”
Copyright (c) Xservus Limited