#incidentresponse

What’s trending in cybersecurity today? Find out with the latest YouTube playlist we’ve curated. 👀 youtube.com/playlist?list=PLXq
#Malware #Phishing #IncidentResponse #CyberAwareness #AppSec

2025-12-03

It's been a jam-packed 24 hours in the cyber world, with major breaches, critical zero-days under active exploitation, and significant law enforcement actions. Let's dive in:

Recent Cyber Attacks and Breaches ⚠️

Askul Ransomware Recovery ⏳
- Japanese e-tailer Askul is slowly recovering 45 days after a ransomware attack, resuming partial B2B online sales.
- The incident, attributed to RansomHouse, caused a major data breach of customer and supplier details, impacting logistics for other brands like Muji.
- Full recovery, including consumer services and financial reporting, is still pending, highlighting the long-term operational and financial fallout of such attacks.
🤖 Bleeping Computer | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/askul-resumes-

University of Phoenix / Oracle EBS Breach 🎓
- The University of Phoenix disclosed a data breach affecting "numerous individuals" after attackers exploited a zero-day in Oracle E-Business Suite (EBS).
- This breach is part of a larger Clop ransomware gang extortion campaign, which has impacted multiple US universities (Harvard, UPenn, Dartmouth) and companies since August 2025.
- Stolen data includes names, contact info, dates of birth, Social Security numbers, and bank account details, underscoring the severe impact of supply chain vulnerabilities in third-party platforms.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/university-of-

Freedom Mobile Data Breach 📱
- Canada's fourth-largest wireless carrier, Freedom Mobile, disclosed a data breach impacting an undisclosed number of customers.
- Attackers gained access to the customer account management platform via a compromised subcontractor account, stealing personal and contact information.
- Exposed data includes names, addresses, dates of birth, phone numbers, and account numbers, with customers advised to watch for phishing attempts.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Leroy Merlin Data Breach 🏡
- French DIY retail giant Leroy Merlin is notifying French customers of a data breach affecting their personal information.
- Exposed data includes full name, phone number, email, postal address, date of birth, and loyalty program info, but no banking details or passwords.
- The company states the stolen data hasn't been misused yet and urges vigilance against phishing, indicating a potential lack of public leak by attackers.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Korea IP Camera Hacking Ring 📸
- Korean police arrested four individuals for hacking over 120,000 IP cameras and selling intimate footage to a foreign adult site.
- The suspects, including one who hacked 63,000 cameras, generated significant virtual assets from selling hundreds of illicit videos.
- Authorities are also pursuing website operators and viewers of the content, highlighting the severe legal consequences for all involved in such exploitation.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

DOJ Takes Down Myanmar Scam Site 🚫
- The US Department of Justice (DOJ) has dismantled tickmilleas.com, a spoofed trading platform used by a Myanmar scam center.
- This action is part of the recently created Scam Center Strike Force's efforts against the Tai Chang compound, which has siphoned billions from Americans via "pig butchering" schemes.
- The FBI has identified multiple victims who lost cryptocurrency through the fake site and is collaborating with international law enforcement and tech companies to combat these operations.
🗞️ The Record | therecord.media/doj-takes-down

Vulnerabilities Under Active Exploitation 🛡️

Critical React Server Components RCE ⚛️
- A critical deserialization vulnerability, CVE-2025-55182, has been discovered in React Server Components, allowing unauthenticated RCE in default configurations.
- The flaw affects a wide range of React frameworks and bundlers, including Next.js (CVE-2025-66478), with researchers expecting active exploitation imminently.
- Developers are urged to patch immediately, as exploitation is trivial and could lead to devastating impacts, including access to sensitive information and network pivots.
🤫 CyberScoop | cyberscoop.com/react-server-vu

Windows LNK Zero-Day Exploitation 🪟
- Microsoft has silently mitigated CVE-2025-9491, a Windows LNK vulnerability actively exploited as a zero-day since 2017 by multiple state-backed and cybercrime groups.
- The flaw allowed attackers to hide malicious commands in LNK file properties by padding with whitespaces, making them invisible to users and enabling malware deployment.
- While Microsoft initially downplayed the severity, the November 2025 updates now show the full command string; however, third-party patches offer more robust warnings against long LNK target strings.
🤖 Bleeping Computer | bleepingcomputer.com/news/micr
🌐 The Hacker News | thehackernews.com/2025/12/micr
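The check the item above describes, as an added example that is not part of the original post or of any Microsoft or third-party patch: a small parser for the StringData section of a Windows shortcut (header and flag constants follow the MS-SHLLINK layout), plus a defender-side check that flags argument strings containing long whitespace runs or exceeding the length a Properties dialog can display. The 260-character visibility limit, the 16-character run threshold, and the `build_lnk` test fixture with its harmless `echo` command are this example's own assumptions.

```python
import struct

# ShellLink header constants per MS-SHLLINK; the detection thresholds are this example's own.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_DATA_ORDER = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
)
PADDING_CHARS = " \t\r\n\x0b\x0c"


def parse_lnk_strings(data):
    """Return the StringData fields of a .lnk file. LinkTargetIDList and LinkInfo
    are skipped when present; only the string sections matter for this check."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # IDListSize + list
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]       # LinkInfoSize covers itself
    fields = {}
    for flag, key in STRING_DATA_ORDER:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]      # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def padding_findings(arguments, max_run=16, max_visible=260):
    """Flag argument strings padded so that the real command sits beyond what the
    shortcut Properties dialog shows. Both thresholds are assumptions to tune locally."""
    findings, run, longest = [], 0, 0
    for ch in arguments:
        run = run + 1 if ch in PADDING_CHARS else 0
        longest = max(longest, run)
    if longest > max_run:
        findings.append(f"whitespace run of {longest} characters")
    if len(arguments) > max_visible:
        findings.append(f"arguments length {len(arguments)} exceeds {max_visible}")
    return findings


def assess_lnk(data):
    """Parse a shortcut and report whether its arguments look padded."""
    fields = parse_lnk_strings(data)
    findings = padding_findings(fields.get("arguments", ""))
    return {"suspicious": bool(findings), "findings": findings, "fields": fields}


def build_lnk(arguments, relative_path="cmd.exe"):
    """Constructed test fixture: a minimal Unicode shortcut carrying only a relative
    path and arguments (no IDList, LinkInfo or extra data blocks)."""
    flags = IS_UNICODE | HAS_RELATIVE_PATH | HAS_ARGUMENTS
    # LinkFlags, FileAttributes, three FILETIMEs, FileSize, IconIndex, ShowCommand(=1),
    # HotKey, Reserved1..3
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack(
        "<IIQQQIIIHHII", flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    body = b""
    for text in (relative_path, arguments):
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    print(assess_lnk(build_lnk("/c echo hello")))
    print(assess_lnk(build_lnk(" " * 400 + "/c echo hidden"))["findings"])
```

Run it over shortcuts harvested from mail attachments or user profiles and review anything `assess_lnk` marks suspicious; the parser stops after StringData, so ExtraData blocks are untouched.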

WordPress King Addons Flaw Under Attack 👑
- A critical privilege escalation vulnerability, CVE-2025-8489, in the King Addons for Elementor WordPress plugin is under active exploitation.
- Unauthenticated attackers can register with administrator privileges by specifying the 'administrator' role during user registration due to an insecure handle_register_ajax() function.
- Site administrators must update to version 51.1.35 or later, audit for suspicious admin accounts, and monitor for abnormal activity to prevent site takeover.
🌐 The Hacker News | thehackernews.com/2025/12/word

Picklescan Bugs Allow ML Model Evasion 🐍
- Three critical flaws (CVE-2025-10155, CVE-2025-10156, CVE-2025-10157) in the Picklescan utility allow malicious PyTorch models to evade detection and execute arbitrary code.
- These vulnerabilities enable attackers to bypass the scanner via file extension manipulation, CRC errors in ZIP archives, or by undermining unsafe globals checks.
- Patched in Picklescan version 0.0.31, these issues highlight the risks in ML supply chains and the need for adaptive, intelligence-driven security for AI models.
🌐 The Hacker News | thehackernews.com/2025/12/pick
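The three evasion classes named above (extension tricks, CRC-damaged ZIP entries, and globals the scanner never sees) map directly onto scanner design decisions. The following is an added example written for this page, not Picklescan's code: it classifies a model file by content rather than name, walks the pickle opcode stream with `pickletools.genops` without ever loading it, resolves both `GLOBAL` and protocol-4 `STACK_GLOBAL` references, and treats a ZIP entry whose CRC check fails as unscannable instead of skipping it. The allowlist, the zip layout in `build_zip_model`, and the sample pickles are constructed for the demo.

```python
import collections
import io
import pickle
import pickletools
import zipfile

# Constructed allowlist for this demo; a real scanner ships a curated list per framework.
SAFE_GLOBALS = {
    ("collections", "OrderedDict"),
    ("torch._utils", "_rebuild_tensor_v2"),
    ("torch", "FloatStorage"),
}
# Opcodes that push a string STACK_GLOBAL may later consume as module/name.
STRING_OPCODES = {"SHORT_BINUNICODE", "BINUNICODE", "BINUNICODE8", "UNICODE",
                  "STRING", "BINSTRING", "SHORT_BINSTRING"}
SEVERITY = {"clean": 0, "unscannable": 1, "dangerous": 2}


def referenced_globals(data):
    """Walk the opcode stream without executing it and return every global the
    pickle would import: GLOBAL (protocol <= 3) carries 'module name' inline,
    STACK_GLOBAL (protocol >= 4) takes the two strings pushed just before it."""
    found, recent = [], []
    for opcode, arg, _pos in pickletools.genops(data):
        if opcode.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif opcode.name == "STACK_GLOBAL":
            if len(recent) < 2:
                raise ValueError("STACK_GLOBAL without two preceding strings")
            found.append((recent[-2], recent[-1]))
        elif opcode.name in STRING_OPCODES:
            recent = (recent + [arg])[-2:]
    return found


def scan_pickle_bytes(data):
    """Verdict for one pickle stream; a stream that fails to parse is never 'clean'."""
    try:
        globs = referenced_globals(data)
    except Exception as exc:
        return {"verdict": "unscannable", "reason": f"opcode parse failed: {exc}", "globals": []}
    unsafe = [g for g in globs if g not in SAFE_GLOBALS]
    if unsafe:
        return {"verdict": "dangerous", "reason": f"unsafe globals {unsafe}", "globals": globs}
    return {"verdict": "clean", "reason": "all globals allow-listed", "globals": globs}


def scan_model(blob):
    """Classify a model by content, never by file name. ZIP containers (the PyTorch
    .pt/.pth layout) have each pickle entry scanned; a CRC failure on read is
    reported as unscannable so a damaged archive cannot pass as clean."""
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return scan_pickle_bytes(blob)
    entries, globs = {}, []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            try:
                content = zf.read(name)          # raises BadZipFile on CRC mismatch
            except zipfile.BadZipFile as exc:
                entries[name] = {"verdict": "unscannable", "reason": str(exc), "globals": []}
                continue
            # Pickle entries: conventional .pkl name or a PROTO opcode at offset 0.
            if name.endswith(".pkl") or content[:1] == b"\x80":
                entries[name] = scan_pickle_bytes(content)
                globs.extend(entries[name]["globals"])
    worst = max(entries.values(), key=lambda r: SEVERITY[r["verdict"]], default=None)
    if worst is None:
        return {"verdict": "unscannable", "reason": "no pickle entries found", "globals": []}
    return {"verdict": worst["verdict"], "reason": worst["reason"], "globals": globs, "entries": entries}


# Constructed samples. The two "dangerous" streams only reference os.system through
# an import opcode and then STOP; scanning them executes nothing.
BENIGN_PICKLE = pickle.dumps(collections.OrderedDict(weight=[0.5, 0.25]), protocol=2)
LEGACY_GLOBAL_PICKLE = b"cos\nsystem\n."                                  # GLOBAL, STOP
STACK_GLOBAL_PICKLE = b"\x80\x04\x8c\x02os\x94\x8c\x06system\x94\x93\x94."  # protocol 4 form


def build_zip_model(pickle_bytes, corrupt_crc=False):
    """Constructed stand-in for a zip checkpoint: data.pkl plus one raw storage blob.
    With corrupt_crc=True one payload byte is flipped after the archive is written,
    so the stored CRC no longer matches the entry data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("model/data.pkl", pickle_bytes)
        zf.writestr("model/data/0", b"\x00\x00\x00\x3f\x00\x00\x80\x3e")
    blob = buf.getvalue()
    if corrupt_crc:
        flipped = pickle_bytes[:-1] + bytes([pickle_bytes[-1] ^ 0x01])
        blob = blob.replace(pickle_bytes, flipped, 1)
    return blob


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_PICKLE), ("legacy", LEGACY_GLOBAL_PICKLE),
                          ("stack_global", STACK_GLOBAL_PICKLE),
                          ("bad_crc_zip", build_zip_model(BENIGN_PICKLE, corrupt_crc=True))]:
        print(label, scan_model(sample)["verdict"])
```

The design choice worth copying is the three-way verdict: "unscannable" is its own outcome that blocks loading, so neither a parse failure nor a CRC error silently degrades to "clean".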

New Threat Research 🔬

Aisuru Botnet Unleashes Record DDoS 💥
- The Aisuru botnet has set a new record with a 29.7 Tbps DDoS attack, part of over 1,300 attacks launched in Q3 2025.
- Comprising 1-4 million compromised routers and IoT devices, Aisuru is a botnet-for-hire service targeting telecommunications, gaming, hosting, and financial sectors.
- These hyper-volumetric attacks can disrupt entire ISPs, even if not directly targeted, and often last less than 10 minutes, demanding rapid response capabilities.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Malicious Rust Crate Targets Web3 Devs 🦀
- A malicious Rust crate, "evm-units," was found delivering OS-specific malware to Windows, macOS, and Linux systems, masquerading as an EVM helper tool.
- The package, downloaded over 7,000 times, checks for Qihoo 360 antivirus before downloading and silently executing a next-stage payload from "download.videotalks[.]xyz."
- This supply chain attack, also impacting "uniswap-utils," specifically targets Web3 developers, indicating a China-focused threat actor profile.
🌐 The Hacker News | thehackernews.com/2025/12/mali

Data Privacy and Regulatory Issues 🔒

India Drops Mandatory 'Cyber Safety' App 🇮🇳
- India's Communications Ministry has reversed its plan to mandate a government-backed "cyber safety" app on all new smartphones.
- The decision follows significant backlash and privacy concerns from digital rights groups and tech companies like Apple, who argued it could compromise security.
- While the government claimed the Sanchar Saathi app was for fraud prevention, its mandatory, undeletable nature raised fears of widespread surveillance.
🗞️ The Record | therecord.media/india-drops-ma

Canadian Police Trial Facial Recognition Body Cams 🇨🇦
- The Edmonton Police Service in Canada is trialling body cameras equipped with facial recognition technology, a first for a Canadian department.
- The Axon cameras will compare faces to mugshots for outstanding warrants, but the system will only be enabled during investigations, not in the field, and matches will be human-verified.
- This pilot raises significant privacy concerns, particularly regarding accuracy and potential discrimination, with Alberta's privacy commissioner demanding a privacy impact assessment.
🗞️ The Record | therecord.media/canadian-polic

Other Noteworthy Incidents 🌍

India Airports Face GPS Spoofing ✈️
- India's Civil Aviation Minister revealed GPS spoofing and jamming incidents at eight major airports, including Delhi, Kolkata, and Mumbai, since 2023.
- While no harm was caused, these incidents force pilots to rely on alternative navigation, with previous similar events in Europe blamed on Russia.
- Authorities are investigating the source of interference and implementing advanced cybersecurity solutions for IT networks and infrastructure in the aviation sector.
🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #ZeroDay #Vulnerability #DDoS #SupplyChainAttack #Malware #DataBreach #Privacy #FacialRecognition #InfoSec #IncidentResponse #Web3Security #AIsecurity #GPSspoofing

2025-12-03

Recovery times are improving, and the rise of truly immutable backups is a major reason why.

This short video breaks down what “immutable” actually means, why it matters for ransomware resilience, and how proactive planning accelerates recovery.

If you’re reassessing your backup strategy, this is a clear look at what’s driving faster bounce-backs.

Watch here: youtube.com/watch?v=XgdPWZ5OKB0

#Cybersecurity #Ransomware #DataRecovery #BackupSecurity #ImmutableBackups #Resilience #IncidentResponse #BusinessContinuity

2025-12-03

🎶Closing Timeee🎶 CFS for #FIRSTCON26 closes tomorrow! Get those last-minute submissions in ➡️🔗 go.first.org/bMBiu #incidentresponse #secconf

2025-12-03

A ransomware attack has completely halted production across 12 manufacturing facilities in different countries, costing $20 million per day.

💫 Communication Challenge: How would you coordinate communication across multiple time zones, languages, and regulatory environments during this crisis?

#DiscernibleExperience #IncidentResponse #SecurityCommunications

If you want more experience thinking through communication challenges like these, subscribe to our weekly Discernible Experience.

2025-12-03

Crisis management frameworks are evolving — faster playbooks, clearer escalation, and collaboration-first response are now essential. Preparedness beats panic. 📘⚡️ #IncidentResponse #CrisisManagement

helpnetsecurity.com/2025/12/03

2025-12-02

It's been a busy 24 hours in the cyber world with significant updates on recent breaches, evolving threat actor tactics, critical vulnerabilities, and some interesting developments in data privacy and law enforcement. Let's dive in:

Clop's Oracle EBS Exploitation Continues ⚠️
- The University of Pennsylvania has confirmed a data breach stemming from the Clop ransomware gang's exploitation of a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite.
- This incident, which occurred in August, impacted at least 1,488 Maine residents, with the total number of affected individuals likely much higher, and follows similar breaches at Dartmouth and Harvard Universities.
- Clop has a history of mass exploitation of file-transfer services, and while Penn has applied Oracle's patches, the group has yet to list the university on its leak site, suggesting ongoing negotiations or a potential ransom payment.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤫 CyberScoop | cyberscoop.com/university-penn

Edtech Firm Fined for 10M Student Data Breach 🔒
- Illuminate Education, an edtech provider, faces action from the Federal Trade Commission (FTC) for a 2021 breach that exposed sensitive data of 10.1 million students, including health information.
- The breach was facilitated by an attacker using credentials of a former employee, highlighting severe security failures such as storing data in plain text, poor access controls, and delayed breach notifications.
- The FTC settlement mandates Illuminate to delete unnecessary data, implement a robust security program, and cease misrepresenting its security posture, though no monetary fines were issued by the FTC directly.
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

London Council Confirms Data Theft 🚨
- The Royal Borough of Kensington and Chelsea (RBKC) has confirmed that data was stolen from its systems during a cyber incident last week, which initially appeared as an IT outage.
- While the type and extent of stolen data are still under investigation, RBKC believes it impacts "historical data" and is urging residents to be vigilant for suspicious communications.
- This incident, affecting a shared IT environment with Hammersmith & Fulham and Westminster councils, is being investigated by the NCSC and Metropolitan Police, with the possibility of stolen data appearing publicly.
🕵🏼 The Register | go.theregister.com/feed/www.th

Microsoft Defender Portal Outage 📉
- Microsoft's Defender XDR portal experienced a 10-hour outage, impacting access to advanced threat hunting alerts and device visibility for some customers.
- The disruption was attributed to a "spike in traffic" causing high CPU utilization on core components, leading to critical service issues.
- Microsoft has implemented mitigation measures and is working with affected organisations to restore full functionality and investigate client-side diagnostics.
🤖 Bleeping Computer | bleepingcomputer.com/news/micr

Glassworm Malware Targets VS Code Developers 🐛
- The Glassworm campaign has re-emerged for a third time, deploying 24 new malicious packages on OpenVSX and Microsoft Visual Studio marketplaces.
- This malware, now using Rust-based implants and invisible Unicode characters, aims to steal GitHub, npm, OpenVSX accounts, and cryptocurrency wallet data, while also deploying a SOCKS proxy and HVNC for remote access.
- The threat actors inflate download counts to appear legitimate, impersonating popular developer tools like Flutter, Vim, and React Native, making detection challenging for developers.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

MuddyWater Targets Critical Infrastructure 🎣
- The Iran-linked threat actor MuddyWater has been observed targeting critical infrastructure in Egypt and Israel with a new spyware variant, MuddyViper, disguised as the classic Snake game.
- The campaign uses spearphishing emails with PDF attachments leading to spyware installers hosted on free file-sharing platforms.
- MuddyViper, with its custom 'Fooder' loader, is designed for stealth and persistence, exfiltrating Windows login credentials, browser data, and system information, showcasing MuddyWater's technical evolution.
🗞️ The Record | therecord.media/iran-linked-ha

North Korea's Fake IT Worker Scheme 🎭
- North Korea's Famous Chollima (Lazarus Group) is actively luring legitimate engineers to "rent" their identities for remote IT jobs at Western companies, acting as frontmen for DPRK agents.
- The scheme involves DPRK agents using AI-powered tools (e.g., deepfakes, AIApply) for interviews and applications, then leveraging the engineer's computer as a proxy for malicious activities, offering a percentage of the salary.
- Researchers, through a honeypot operation, observed the group's tactics, including the use of Astrill VPN, Google Remote Desktop, and various AI extensions to automate and conceal their operations.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Shai-Hulud 2.0 Leaks 400K Dev Secrets 🔑
- The second wave of the Shai-Hulud attack infected over 800 NPM packages, leading to the exposure of approximately 400,000 raw secrets across 30,000 GitHub repositories.
- These secrets, including GitHub usernames, tokens, cloud credentials, and NPM tokens, were harvested using a modified TruffleHog scanner, with over 60% of leaked NPM tokens still valid and posing an active risk.
- The malware primarily targeted Linux systems, often in containers and GitHub Actions CI/CD environments, indicating a sophisticated supply chain attack with potential for future waves.
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Actively Exploited Android Zero-Days 🛡️
- Google has released its December security update for Android, patching 107 vulnerabilities, including two high-severity zero-days (CVE-2025-48633 and CVE-2025-48572) actively exploited in targeted attacks.
- These flaws, affecting the Android framework, can lead to information disclosure and elevation of privilege, respectively, impacting Android versions 13 through 16.
- While details are scarce, such zero-days are often leveraged by commercial spyware or nation-state actors against high-value targets, underscoring the importance of prompt patching.
🤫 CyberScoop | cyberscoop.com/android-securit
📰 The Hacker News | thehackernews.com/2025/12/goog
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

US Telecom Cybersecurity Debate 🗣️
- A Senate Commerce Committee hearing debated the US response to the Salt Typhoon operation, where Chinese hackers systematically penetrated US communications networks.
- Experts are divided on whether to strengthen cybersecurity through more voluntary information sharing between government and industry, or through stricter regulatory enforcement, with some senators expressing concern over telcos' lack of transparency.
- The consensus is that Salt Typhoon exploited basic weaknesses like unpatched vulnerabilities and weak passwords, rather than Chinese equipment, highlighting fundamental cybersecurity hygiene issues.
🤫 CyberScoop | cyberscoop.com/salt-typhoon-se

India's Mandatory Cyber Safety App Sparks Backlash 📱
- India's government has mandated that all smartphone manufacturers pre-install its "Sanchar Saathi" app on every handset, with a 90-day deadline and requirements for it to be non-removable.
- While intended to combat fraud and phone theft, the app's ability to access call logs and messages, and share them with the Department of Telecommunications, has raised significant privacy and surveillance concerns.
- Apple has indicated it will resist the order, citing iOS security architecture, while the Indian Telecom Minister has claimed the app is optional and not for monitoring, despite the directive's wording.
🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/india-faces-ba

EU Court Rules Marketplaces Responsible for Ad Data 🇪🇺
- The European Union's top court has ruled that online marketplaces are "data controllers" under GDPR for personal data appearing in advertisements on their platforms.
- This means marketplaces must obtain explicit consent for any personal data in ads and screen/verify ads before publication, particularly for sensitive information.
- The decision, stemming from a 2018 case involving a fake ad with a woman's personal details, has major implications for free expression, access to information, and could force many small sites to shut down due to compliance burdens.
🗞️ The Record | therecord.media/eu-top-court-r

US Legislation Targets Cyber Threat Actors 🏛️
- New legislation, the Cyber Deterrence and Response Act, has been reintroduced in the US House, aiming to formally designate "critical cyber threat actors" for sanctions.
- The bill seeks to establish a clear framework for attributing cyberattacks and holding malicious foreign parties accountable, with the Office of the National Cyber Director taking a leading role.
- This move reflects growing congressional concern over sophisticated cyberattacks and a desire to strengthen deterrence, particularly in the wake of incidents like Salt Typhoon.
🤫 CyberScoop | cyberscoop.com/legislation-wou

Europol Shuts Down Cryptomixer Laundering Hub 💰
- Europol, in collaboration with German and Swiss authorities, has successfully shut down Cryptomixer, a major cryptocurrency laundering platform, as part of Operation Olympia.
- The operation seized three Swiss servers, the cryptomixer.io domain, 12 terabytes of data, and over €25 million in Bitcoin, disrupting a service that had laundered more than €1.3 billion since 2016.
- This takedown is part of a broader strategy by law enforcement to dismantle cybercrime infrastructure, including infostealers and bulletproof hosting providers, to make it harder for criminals to conceal illicit gains.
🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #Ransomware #APT #ZeroDay #Vulnerability #SupplyChainAttack #Malware #DataPrivacy #GDPR #LawEnforcement #CyberAttack #InfoSec #IncidentResponse

Ransomware Is Evolving Faster Than Defenders Can Keep Up — Here’s How You Protect Yourself


By the time most people hear about a ransomware attack, the damage is already done—the emails have stopped flowing, the EDR is barely clinging to life, and the ransom note is blinking on some forgotten server in a noisy datacenter. From the outside, it looks like a sudden catastrophe. But after years in cybersecurity, watching ransomware shift from crude digital vandalism into a billion-dollar criminal industry, I can tell you this: nothing about modern ransomware is sudden. It’s patient. It’s calculated. And it’s evolving faster than most organizations can keep up.

That’s the story too few people in leadership—and even some new analysts—understand. We aren’t fighting the ransomware of five years ago. We’re fighting multilayered, human-operated, reconnaissance-intensive campaigns that look more like nation-state operations than smash-and-grab cybercrime. And unless we confront the reality of how ransomware has changed, we’ll be stuck defending ourselves against ghosts from the past while the real enemy is already in the building.

In this report-style analysis, I’m laying out the hard truth behind today’s ransomware landscape, breaking it into three major developments that are reshaping the battlefield. And more importantly, I’ll explain how you, the person reading this—whether you’re a SOC analyst drowning in alerts or a CISO stuck justifying budgets—can actually protect yourself.

Modern Ransomware Doesn’t Break In—It Walks In Through the Front Door

If there’s one misconception that keeps getting people burned, it’s the idea that ransomware “arrives” in the form of a malicious payload. That used to be true back when cybercriminals relied on spam campaigns and shady attachments. But those days are over. Today’s attackers don’t break in—they authenticate.

In almost every major ransomware attack I’ve investigated or read the forensic logs for, the initial access vector wasn’t a mysterious file. It was:

  • A compromised VPN appliance
  • An unpatched Citrix, Fortinet, SonicWall, or VMware device
  • A stolen set of credentials bought from an initial access broker
  • A misconfigured cloud service exposing keys or admin consoles
  • An RDP endpoint that never should’ve seen the light of day

This shift is massive. It means ransomware groups don’t have to gamble on phishing. They can simply buy their way straight into enterprise networks the same way a burglar buys a master key.

And once they’re inside, the game really begins.

During an incident last year, I watched an attacker pivot from a contractor’s compromised VPN session into a privileged internal account in under an hour. They didn’t need to brute-force anything. They didn’t need malware. They just used legitimate tools: PowerShell, AD enumeration commands, and a flat network that offered no meaningful resistance.

This is why so many organizations think they’re doing enough. They’ve hardened their perimeter against yesterday’s tactics, but they’re wide open to today’s. Attackers aren’t battering the gates anymore—they’re flashing stolen IDs at the guard and strolling in.

Protection Strategy for Today’s Reality:
If your externally facing systems aren’t aggressively patched, monitored, and access-controlled, you are already compromised—you just don’t know the attacker’s timeline. Zero Trust isn’t a buzzword here; it’s the bare minimum architecture for surviving credential-driven intrusions. And phishing-resistant MFA (FIDO2, WebAuthn) is no longer optional. The attackers aren’t breaking locks—they’re using keys. Take the keys away.

Ransomware Has Become a Human-Operated APT—Not a Malware Event

Most news outlets still describe ransomware attacks as if they happen all at once: someone opens a file, everything locks up, and chaos ensues. But in reality, the encryption stage is just the final act in a very long play. Most organizations aren’t simply hit by ransomware—they are prepared for it over days or even weeks by operators who have already crawled through their systems like termites.

The modern ransomware lifecycle looks suspiciously like a well-executed red-team engagement:

Reconnaissance → Privilege Escalation → Lateral Movement → Backup Destruction → Data Exfiltration → Encryption

This isn’t hypothetical. It’s documented across the MITRE ATT&CK framework, CISA advisories, Mandiant reports, CrowdStrike intel, and pretty much every real-world IR case study you’ll ever read. And every step is performed by a human adversary—not just an automated bot.

I’ve seen attackers spend days mapping out domain trusts, hunting for legacy servers, testing which EDR agents were asleep at the wheel, and quietly exfiltrating gigabytes of data without tripping a single alarm. They don’t hurry, because there’s no reason to. Once they’re inside, they treat your network like a luxury hotel: explore, identify the vulnerabilities, settle in, and prepare for the big finale.

There’s also the evolution in extortion:
First there was simple encryption.
Then “double extortion”—encrypting AND stealing data.
Now some groups run “quadruple extortion,” which includes:

  • Threatening to leak data
  • Threatening to re-attack
  • Targeting customers or partners with the stolen information
  • Reporting your breach to regulators to maximize pressure

They weaponize fear, shame, and compliance.

And because attackers spend so long inside before triggering the payload, many organizations don’t even know a ransomware event has begun until minutes before impact. By then it’s too late.

Protection Strategy for Today’s Reality:
You cannot defend the endpoint alone. The malware is the final strike—what you must detect is the human activity leading up to it. That means investing in behavioral analytics, log correlation, and SOC processes that identify unusual privilege escalation, lateral movement, or data staging.

If your security operations program only alerts when malware is present, you’re fighting the last five minutes of a two-week attack.
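What "detecting the human activity" looks like in practice, as an added example that is not from the article or from any vendor's product: a small correlation over constructed Windows Security events (4624 network logons and 4672 special-privilege logons, serialized as JSON lines the way a forwarder might emit them). Two rules run over them: one account fanning out to many distinct hosts over network logons inside a short window, and a privileged logon on a host where that account has no history of admin use. The field names, thresholds, the baseline set, and every log line are assumptions made for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (JSON lines). 4624 = successful logon, logon_type 3 = network;
# 4672 = special privileges assigned to a new logon.
SAMPLE_LOG = """\
{"ts": "2025-12-02T02:10:05", "event_id": 4624, "host": "FS-01", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"}
{"ts": "2025-12-02T02:10:41", "event_id": 4624, "host": "FS-02", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"}
{"ts": "2025-12-02T02:11:30", "event_id": 4624, "host": "SQL-01", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"}
{"ts": "2025-12-02T02:12:12", "event_id": 4672, "host": "SQL-01", "user": "svc_backup", "logon_type": null, "src_ip": null}
{"ts": "2025-12-02T02:13:55", "event_id": 4624, "host": "DC-02", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"}
{"ts": "2025-12-02T02:15:02", "event_id": 4624, "host": "HR-APP", "user": "svc_backup", "logon_type": 3, "src_ip": "10.0.5.23"}
{"ts": "2025-12-02T09:01:00", "event_id": 4624, "host": "WS-117", "user": "jdoe", "logon_type": 2, "src_ip": "-"}
{"ts": "2025-12-02T09:02:10", "event_id": 4624, "host": "FS-01", "user": "jdoe", "logon_type": 3, "src_ip": "10.0.20.117"}
{"ts": "2025-12-02T09:30:00", "event_id": 4672, "host": "BACKUP-01", "user": "svc_backup", "logon_type": null, "src_ip": null}
"""

# Constructed baseline: (account, host) pairs where privileged use is expected.
PRIVILEGE_BASELINE = {("svc_backup", "BACKUP-01"), ("jdoe", "WS-117")}


def parse_log(text):
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=4):
    """One account reaching many distinct hosts via network logons inside a short
    window: the lateral-movement pattern, with no malware involved."""
    by_user = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3:
            by_user[e["user"]].append((e["ts"], e["host"], e["src_ip"]))
    alerts = []
    for user, logons in by_user.items():          # logons are already time-ordered
        for i, (start, _, _) in enumerate(logons):
            in_window = [l for l in logons[i:] if l[0] <= start + window]
            hosts = sorted({h for _, h, _ in in_window})
            if len(hosts) >= min_hosts:
                alerts.append({"rule": "lateral_movement_fan_out", "user": user, "hosts": hosts,
                               "sources": sorted({s for _, _, s in in_window}),
                               "start": start.isoformat()})
                break                             # one alert per account is enough
    return alerts


def detect_new_privileged_host(events, baseline):
    """Special-privilege logon on a host where the account has no admin history:
    the escalation signal that typically precedes backup destruction."""
    return [{"rule": "privilege_use_on_new_host", "user": e["user"], "host": e["host"],
             "ts": e["ts"].isoformat()}
            for e in events
            if e["event_id"] == 4672 and (e["user"], e["host"]) not in baseline]


def run_detections(text=SAMPLE_LOG, baseline=PRIVILEGE_BASELINE):
    events = parse_log(text)
    return detect_fan_out(events) + detect_new_privileged_host(events, baseline)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

Both rules are cheap enough to run from a scheduled query in any SIEM; the value is in the baseline, which has to be built from your own environment rather than bought.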

Defenders Still Rely on Tools—But Ransomware Actors Rely on Skill

This is the part no vendor wants to admit, but every seasoned analyst knows: the cybersecurity industry keeps selling “platforms,” “dashboards,” and “single panes of glass,” while attackers keep relying on fundamentals—privilege escalation, credential theft, network misconfigurations, and human error.

In other words, attackers practice.
Defenders purchase.

And the mismatch shows.

A ransomware affiliate I studied earlier this year used nothing but legitimate Windows utilities and a few open-source tools you could download from GitHub. They didn’t trigger a single antivirus alert because they never needed to. Their skills carried the attack, not their toolset.

Meanwhile, many organizations I’ve worked with:

  • Deploy advanced EDR but never tune it
  • Enable logging but never centralize it
  • Conduct tabletop exercises but never test their backups
  • Buy Zero Trust solutions but still run flat networks
  • Use MFA but still rely on push notifications attackers can fatigue their way through

If you’re relying on a product to save you, you’re missing the reality that attackers aren’t fighting your tools—they’re fighting your people, your processes, and your architecture.

And they’re winning when your teams are burned out, understaffed, or operating with outdated assumptions about how ransomware works.

The solution starts with a mindset shift: you can’t outsource resilience. You can buy detection. You can buy visibility. But the ability to respond, recover, and refuse to be extorted—that’s something that has to be built, not bought.

Protection Strategy for Today’s Reality:
Focus on the fundamentals. Reduce attack surface. Prioritize privileged access management. Enforce segmentation that actually blocks lateral movement. Train your SOC like a team of threat hunters, not button-pushers. Validate your backups the way you’d validate a parachute. And for the love of operational sanity—practice your IR plan more than once a year.

Tools help you.
Architecture protects you.
People save you.

Attackers know this.
It’s time defenders embrace it too.

Conclusion: Ransomware Isn’t a Malware Problem—It’s a Strategy Problem

The biggest mistake anyone can make today is believing ransomware is just a piece of malicious software. It’s not. It’s an entire ecosystem—a criminal economy powered by stolen credentials, unpatched systems, lax monitoring, flat networks, and the false sense of security that comes from buying tools instead of maturing processes.

Ransomware isn’t evolving because the malware is getting smarter. It’s evolving because the attackers are.

And the only way to protect yourself is to accept the truth:
You can’t defend yesterday’s threats with yesterday’s assumptions. The ransomware gangs have adapted, industrialized, and professionalized. Now it’s our turn.

If you understand how ransomware really works, if you harden your environment against modern access vectors, if you detect human behavior instead of waiting for encryption, and if you treat security as a practiced discipline rather than a product—you can survive this. You can protect your organization. You can protect your career. You can protect yourself.

But you have to fight the enemy that exists today.
Not the one you remember from the past.

Call to Action

If this breakdown helped you think a little clearer about the threats out there, don’t just click away. Subscribe for more no-nonsense security insights, drop a comment with your thoughts or questions, or reach out if there’s a topic you want me to tackle next. Stay sharp out there.

D. Bryan King

Disclaimer:

The views and opinions expressed in this post are solely those of the author. The information provided is based on personal research, experience, and understanding of the subject matter at the time of writing. Readers should consult relevant experts or authorities for specific guidance related to their unique situations.

#cisoStrategy #cloudSecurityRisk #credentialTheftAttacks #cyberDefenseFundamentals #cyberExtortion #cyberHygiene #cyberThreatIntelligence #cyberattackEscalation #cybercrimeTrends #cybersecurityLeadership #cybersecurityNewsAnalysis #cybersecurityResilience #dataExfiltration #digitalForensics #doubleExtortionRansomware #edrBestPractices #enterpriseSecurityStrategy #ethicalHackingInsights #humanOperatedRansomware #incidentResponse #lateralMovementDetection #malwareBehaviorAnalysis #mitreAttckRansomware #modernRansomwareTactics #networkSegmentation #nistCybersecurity #patchManagementStrategy #phishingResistantMfa2 #privilegedAccessManagement #ransomwareAttackVectors #ransomwareAwareness #ransomwareBreachImpact #ransomwareBreachResponse #ransomwareDefense #ransomwareDetectionMethods #ransomwareDwellTime #ransomwareEncryptionStage #ransomwareEvolution #ransomwareExtortionMethods #ransomwareIncidentRecovery #ransomwareIndustryTrends #ransomwareLifecycle #ransomwareMitigationGuide #ransomwareNegotiation #ransomwareOperatorTactics #ransomwarePrevention #ransomwareProtection #ransomwareReadiness #ransomwareReport #ransomwareSecurityPosture #ransomwareThreatLandscape #securityOperationsCenterWorkflows #socAnalystTips #socThreatDetection #supplyChainCyberRisk #threatHunting #vpnVulnerability #zeroTrustSecurity

A cybersecurity analyst studies glowing monitors in a dark operations room, reviewing ransomware alerts, lateral movement paths, and encrypted file warnings during a modern cyberattack.

Two playlists every day on hacking & defense. Discover the latest tools and techniques now. 🎥 youtube.com/playlist?list=PLXq

#CyberSecurity #IncidentResponse #CloudSecurity #Hacking #Phishing

Dissent Doe (PogoWasRight@infosec.exchange)
2025-12-01

Alright cyber pros, it's been a pretty packed 24 hours! We've got major data breaches impacting millions, new insights into nation-state tactics, a huge takedown of a crypto mixer, and a stark warning about the security implications of agentic AI browsers. Let's dive in:

Major Data Breaches Unfold ⚠️
- South Korean e-commerce giant Coupang, often dubbed the "Amazon of Korea," confirmed a data breach impacting 33.7 million customers, over half the country's population. Exposed data includes names, emails, phone numbers, addresses, and order history, with local reports suggesting a former Chinese employee used unrevoked access tokens.
- The French Football Federation (FFF) also reported a breach of its member management software via a compromised account, exposing personal details like names, gender, DOB, nationality, and contact info for an undisclosed number of its 2.2 million members.
- The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, pushing a malicious update that included a hidden library for device fingerprinting and remote configuration. Users are urged to revert to older, safe builds and reset Google account passwords.

🗞️ The Record | therecord.media/coupang-south-
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th
🤖 Bleeping Computer | bleepingcomputer.com/news/secu

Nation-State Actors Evolve Tactics 🕵🏼
- North Korea's Lazarus Group is accused by South Korean officials of stealing $30 million from the Upbit cryptocurrency exchange, using tactics similar to a 2019 attack. The group allegedly impersonated administrators to transfer funds, prompting Upbit to suspend services and move assets to cold storage.
- The Tomiris APT, linked to Kazakhstan-based Storm-0473, is increasingly leveraging public services like Telegram and Discord for command-and-control (C2) in attacks targeting government entities and foreign ministries across Central Asia and Russia. This shift aims to blend malicious traffic with legitimate activity, making detection harder.
- Leaked documents, analysed by Iranian opposition activist Nariman Gharib, allegedly link Iran's "Charming Kitten" (APT35) to assassination operations, suggesting compromised airline, hotel, and medical databases are used to locate regime enemies.

🗞️ The Record | therecord.media/officials-accu
📰 The Hacker News | thehackernews.com/2025/12/tomi
🕵🏼 The Register | go.theregister.com/feed/www.th

Malicious Browser Extensions Run Rampant 🛡️
- A seven-year-long "ShadyPanda" campaign infected over 4.3 million Chrome and Edge users through 145 seemingly legitimate browser extensions that later pushed malware-laden updates. These extensions evolved from affiliate fraud and search hijacking to deploying remote code execution (RCE) backdoors and spyware.
- The RCE backdoor checks for new instructions hourly, executing arbitrary JavaScript with full browser API access, while spyware components exfiltrate extensive user data including browsing history, keystrokes, and sensitive identifiers to Chinese servers.
- Despite Google removing some, several extensions with millions of installs remain active on the Microsoft Edge Add-ons platform, highlighting a critical gap in ongoing marketplace security reviews post-approval.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🕵🏼 The Register | go.theregister.com/feed/www.th

AI Browsers: A New Security Nightmare 🧠
- The emergence of "agentic" AI browsers, like OpenAI's ChatGPT Atlas, is transforming browsers from passive tools into autonomous AI agents that can perform actions on behalf of users.
- These agents require maximum privileges, including access to session cookies, credentials, and payment details, creating an unprecedented attack surface and bypassing traditional "human-in-the-loop" safeguards and MFA.
- Prompt injection is a significant risk, where hidden text can command the AI to exfiltrate data, and traditional security tools often miss these threats due to a "session gap" where actions occur locally within the browser.

📰 The Hacker News | thehackernews.com/2025/12/webi

Data Privacy Under Scrutiny 🔒
- Switzerland's data protection officers (Privatim) have advised public bodies to avoid hyperscale clouds and SaaS, specifically Microsoft 365, for sensitive data due to a lack of true end-to-end encryption, exposure to the US CLOUD Act, and providers' ability to unilaterally change terms.
- Exercise-tracking app Strava is updating its terms of service to require users to accept all risks associated with geolocation features, following past incidents where user data revealed sensitive locations like military bases.
- Edtech provider Illuminate Education settled with the FTC over a 2021 data breach affecting 10.1 million students, with allegations of poor security practices, deceptive claims, and delayed breach notifications (up to two years for some).

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/illuminate-edu

Regulatory Actions and Government Directives 📜
- Singapore's Ministry of Home Affairs has issued directives to Google and Apple, requiring them to prevent fake government messages and spoofed sender names on iMessage and Google Messages, with significant fines for non-compliance.
- Russia's Roskomnadzor has imposed "restrictive measures" on WhatsApp, citing violations of Russian law and its alleged use for terrorism, crime, and espionage, urging users to switch to domestic alternatives and threatening a full block.
- The Israel Defense Forces (IDF) is reportedly banning Android smartphones for top brass, standardising on iOS devices to reduce exposure to surveillance via social media apps.

🕵🏼 The Register | go.theregister.com/feed/www.th
🗞️ The Record | therecord.media/russia-whatsap
🕵🏼 The Register | go.theregister.com/feed/www.th

Law Enforcement Strikes Back 🚨
- A major cryptocurrency mixing service, Cryptomixer, was taken down by Swiss and German law enforcement in "Operation Olympia," seizing three servers, its domain, and €24-29 million in Bitcoin. The service allegedly laundered over €1.3 billion for cybercriminals since 2016.
- South Korean police arrested four individuals for compromising over 120,000 IP cameras, with some suspects creating and selling sexually exploitative videos from intimate locations by exploiting weak passwords.
- In Australia, a man was jailed for over seven years for using "evil twin" Wi-Fi traps at airports and on flights to steal credentials and intimate material, while in the UK, a man received a 6.5-year sentence for operating a dark web drug empire.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu
🗞️ The Record | therecord.media/cryptomixer-se
🤫 CyberScoop | cyberscoop.com/cryptomixer-tak
🕵🏼 The Register | go.theregister.com/feed/www.th

Developer Secrets Exposed 🔑
- A security engineer scanned 5.6 million public GitLab repositories and discovered 17,000 verified live secrets, including over 5,000 Google Cloud credentials, 2,000+ MongoDB credentials, and numerous OpenAI, AWS, and Telegram bot tokens.
- The scan, costing about $770 and completed in 24 hours, found GitLab had a 35% higher density of leaked secrets per repository compared to Bitbucket, highlighting a pervasive issue of exposed credentials in public code.

🕵🏼 The Register | go.theregister.com/feed/www.th

Teen Cybercrime: Just a Phase? 📊
- A Dutch government report suggests that most adolescent cybercriminals tend to desist from offending by the age of 20, similar to other types of youth crime.
- The study indicates that only about four percent of those who start a "black hat" career maintain it into adulthood, often driven by technological curiosity and skill-building rather than financial gain.
- The report highlights the challenge of quantifying the specific social cost of cybercrime due to a lack of longitudinal data and its rapidly evolving nature, though overall adolescent crime costs the Netherlands €10.3 billion annually.

🕵🏼 The Register | go.theregister.com/feed/www.th

#CyberSecurity #ThreatIntelligence #DataBreach #APT #LazarusGroup #Tomiris #ShadyPanda #Malware #BrowserExtensions #RCE #AI #AgenticAI #DataPrivacy #RegulatoryCompliance #LawEnforcement #CryptoMixer #Cybercrime #InfoSec #IncidentResponse

2025-12-01

The pressure is on! Only 2 more days until the CFS for #FIRSTCON26 closes. Tap the link below to submit yours today ➡️🔗go.first.org/bMBiu #annualconference #incidentresponse

Callgoose SQIBS (Callgoose_SQIBS)
2025-12-01

🏦 How Callgoose SQIBS Is Transforming Automation in the Retail Banking Sector

Read More 👉 https://www.callgooseADmemo

2025-12-01

Over the last year I've been sharing a framework and mindset for how to perform an investigation as an analyst during Incident Response.

I hope this serves as a great introduction to ADAPT, more to come!

chocolatecoat4n6.com/2025/11/3

#DFIR #infosec #cybersecurity #incidentresponse

2025-11-30

Hey everyone! It's been a bit quiet on the news front over the last 24 hours, but we've got one significant update concerning an actively exploited SCADA vulnerability and a look at some sustained exploitation efforts. Let's dive in:

Actively Exploited SCADA XSS Added to CISA KEV ⚠️

- CISA has added CVE-2021-26829, a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR (affecting Windows through v1.12.4 and Linux through v0.9.1), to its Known Exploited Vulnerabilities (KEV) catalog due to active exploitation.
- This flaw was recently leveraged by the pro-Russian hacktivist group TwoNet, who targeted a Forescout honeypot (mistaking it for a water treatment facility). After gaining initial access via default credentials, they exploited the XSS to deface the HMI login page and disable logs/alarms.
- Separately, VulnCheck has identified a long-running exploit operation, active for about a year, originating from Google Cloud OAST infrastructure and primarily targeting Brazil. This operation scans for over 200 CVEs, including a custom variant of a Fastjson RCE flaw, demonstrating sustained, regionally focused attack efforts.

📰 The Hacker News | thehackernews.com/2025/11/cisa

#CyberSecurity #ThreatIntelligence #Vulnerability #CVE #XSS #SCADA #ICS #CISA #KEV #Hacktivism #TwoNet #Exploitation #InfoSec #IncidentResponse

2025-11-29

It's been a bit quiet over the last 24 hours, but we do have an important update on a significant data breach from a major Japanese beverage company. Let's dive in:

Asahi Group Suffers Major Data Breach ⚠️
- Japanese beer giant Asahi Group Holdings has confirmed that a September ransomware attack by Qilin impacted up to 1.9 million individuals, including 1.5 million customers and nearly 400,000 employees and their families.
- The compromised data includes full names, genders, physical and email addresses, phone numbers, and for employees, dates of birth, posing a significant risk for phishing and identity theft.
- Two months post-incident, Asahi is still restoring systems and implementing extensive security upgrades, highlighting the long-term operational and reputational impact of such breaches.

🤖 Bleeping Computer | bleepingcomputer.com/news/secu

#CyberSecurity #DataBreach #Ransomware #Qilin #Asahi #InfoSec #IncidentResponse #CyberAttack
