Remote code execution vulnerability found in meshtastic, looks potentially bad enough that you might be able to make a worm.
yikes
OH! I did not realize @ESETresearch was on Mastodon!
They do *fantastic* security and threat research. Highly recommend you follow 'em and/or add them to your RSS reader.
Among other things, Meta is now making it mandatory to store voice recordings from their Rayban "smart" glasses in the Meta cloud, and making Meta AI's ability to train and see through your lenses "always on" unless you disable it each time manually.
Gonna be honest, any time someone with Raybans talks to me, I'm going to ask them to remove the glasses.
https://www.theverge.com/news/658602/meta-ray-ban-privacy-policy-ai-training-voice-recordings
Who loves YARAify? We do! 💛 And now there’s even more to love with the latest cool features making 🕵️♂️ threat hunting easier:
👉 Auto-delete files after scanning! If enabled, YARAify now deletes raw files after 7 days - while keeping scan results and metadata available. Want to keep those juicy files private? You can still disable file sharing ⛔
👉 Trigger a file rescan for a previously uploaded sample! Also accessible via the API. ✨ Bonus: Grab the Python 3 script from our GitHub repo: https://github.com/abusech/YARAify
👉 Deploy YARA rules directly via the API! ✨ And, yes, there’s a sample script on GitHub for that too!
🎥 Want a walkthrough? Jump to 11:08 in this demo to see these updates in action:
https://www.youtube.com/live/xobmSNfZ-sk
Is today #FediHire Friday? Sure looks like it!
What I'm looking for: A senior level, individual contributor role supporting Windows, Active Directory, Certificates, PKI, Azure, and information security in a large environment. Interested in relocating outside of the US. I like to solve weird problems and make computers run smoothly. I want to help others use technology effectively.
My main focus the last few years has been rebuilding and modernizing a struggling certificate management team. That includes growing the team to meet our company needs, migrating our AD-integrated private PKI stack, getting a handle on our web PKI consumption, and making massive improvements to our certificate lifecycle management platform. I supported and advised our CyberSec and Desktop teams as we rolled out multi-factor authentication to 50,000 employees and contractors across the US. My background in understanding deep computer fundamentals, talent for quickly grasping nuances of larger systems, and calmness in a crisis have contributed to quickly resolving major technology outages regardless of root cause.
This role hasn't been exclusively technical. A big part of my current job is building relationships with our developers to help them understand how certificates work, the responsible ways to use them, and what our relevant internal policies are. I've been training and teaching junior and mid-level engineers both practical PKI concepts and our specific enterprise requirements. I've gotten to spend some time with upper management to both explain the immediate challenges we've had and the plans we can implement to improve our infrastructure, reducing costs and outages.
While this position has been focused on certs and how to use them, I'm very comfortable considering a technical leadership role for Windows (server and desktop) administration and Active Directory. I also have some good experience with Azure and virtualization platforms, but they haven't been my daily focus for several years.
My current employer is direct retail for general public consumers. I've also worked in banking/finance, manufacturing, and architecture firms. The common thread is I love to help people leverage technology for their goals, to help them be more effective.
In my personal/volunteer time I've done very similar: working backstage with lights/sounds/projections so live performers can do their best.
Right now I'm in Syracuse, New York (about five hours from NYC), but I'm open to relocation/migration anywhere in the world.
PMs open if you want to talk details. Boosts/reshares appreciated.
🚨 9X Surge in Scanning for Ivanti Connect Secure. No CVEs are tied to this yet, but patterns like this often precede exploitation. Full analysis + suspicious IPs:
I love it when employers install creepware #surveillance nonsense because they have zero respect for their employees, and end up publishing 21 million internal screenshots to the web instead, leaking their most sensitive information.
Very nice, no issues.
#cybersecurity #infosec #assholeBoss
“Employee monitoring app leaks 21 million screenshots in real time”
As someone who spends a portion of my workdays running logging and monitoring systems, it’s amazing to me that this image is NOT more widely used in
Govt ofvls under #Biden & #Trump improperly shared sensitive documents w/thousands of federal workers, including potentially #classified floor plans of the #WhiteHouse, acc/to internal records reviewed by WaPo.
Career employees at the #GSA, which provides administrative & tech support for much of the federal bureaucracy & manages the govt’s real estate portfolio, were responsible for the oversharing, which spurred a #cybersecurity incident report & investigation last week.
Security Firm @SophosXOps published another report, this one on incidents at small and medium-sized businesses by @thepacketrat and Anna Szalay. One of the things I always look for in these reports is easy #cybersecurity wins -- and this report has a bunch of them.
First off - take a look at this chart: Top 15 dual-use tools. Imagine the pain you can cause threat actors by blocking the use of these tools and disrupting their playbooks!
Solid write-up on Scattered Spider by Silent Push, but trademarking a stupid new cybersecurity term is gross and not helpful to the industry at large.
The solution to this problem is not MFA.
When you have a problem with passwords getting compromised/phished/bruteforced, and you solve it with #MFA, now you have two problems.
The solution to this problem is smart cards.
#cybersecurity, if you could be less anti-#adhd / #neurophobic[1] that'd be great.
In this particular instance, I'm referring to continually rebooting/restarting processes
AND LOSING ALL MY STATE !!!!!!
I keep my brain on here. Please stop throwing it in the trash.
And don't tell me to "keep notes". I already have a full-time job, I don't need to also manually repeat work the computer could be doing.
I'm a professional #software #engineer. I know you have the power to save and restore my state exactly. You are choosing not to because it makes life easier FOR YOU. But this tool is for ME.
[1]Did I just invent a term?
(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks https://news.sophos.com/en-us/2025/03/28/stealing-user-credentials-with-evilginx/
A short descriptive article about Evilginx and how stealing credentials works, a few suggested ways of detecting it, etc.
Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.
All-in-One platform leaks millions of attachments from their clients.
This server contained a bit of everything, from sensitive piercing selfies next to identity docs, to passports, cvs, insurance docs and more.
Read about it here: https://jltee.substack.com/p/all-in-one-platform-gohighlevel-exposed-attachments-from-clients
And again, I challenge you to show me ANYWHERE that #Signal is permitted for the processing or storage of non-public government information. The NSA memo (link below) explicitly calls out that it shall not be used even for *unclassified* (protected, FOUO, CUI) data. And that would apply to everybody in the national security apparatus.
Anybody stating anything to the contrary is a liar, a shill or both.
Dealing with something ridiculous at the moment that is a great example of just how 'easy' it really is to close down exposed data:
Found a server recently with no access controls at all that was hit by ransomware in May 2024 and most of the data is encrypted. (It got hit by an automated script, it wasn't targeted by a ransom group)
Found a non-encrypted directory:
The company is STILL uploading, monthly, hundreds of millions of records of logs with their clients' data.
Tried to reach out to the company, nothing. Company is from AUS so I tried ASD, nothing.
I sent an email to AUSCERT, they validated with me the issue and forwarded the information and my contact to ASD, they also tried to reach out to the company themselves.
Not a word from anyone and the server is still exposed a month after my initial alerts.
Logs are still being uploaded to the server so it's obvious no one did anything.
So what am I supposed to do here?
It would appear as if Wiz may have discovered another supply-chain compromise:
https://www.wiz.io/blog/new-github-action-supply-chain-attack-reviewdog-action-setup
The attack involved compromising the v1 tag of reviewdog/action-setup between March 11th 18:42 and 20:31 UTC. Unlike the tj-actions attack that used curl to retrieve a payload, this attack directly inserted a base64-encoded malicious payload into the install.sh file. When executed, the code dumped CI runner memory containing workflow secrets, which were then visible in logs as double-encoded base64 strings. The attack chain appears to have started with the compromise of reviewdog/action-setup, which was then used to compromise the tj-actions-bot Personal Access Token (PAT), ultimately leading to the compromise of tj-actions/changed-files. Organizations are advised to check for affected repositories using GitHub queries, examine workflow logs for evidence of compromise, rotate any leaked secrets, and implement preventive measures like pinning actions to specific commit hashes rather than version tags.
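Two of the defensive checks the summary above recommends, examining workflow files for actions pinned to mutable tags and looking through runner logs for double-base64-encoded strings, can be scripted. The following is an added example written for this post; it is not code from Wiz, reviewdog or tj-actions. The workflow text, the 40-character SHA, the `v45` tag, the `ghp_…` token value and the log lines are all constructed for illustration, and the compromised-action watchlist is simply the two actions the post names.

```python
import base64
import re

# Actions the Wiz write-up above names as compromised. Treat this as a constructed
# watchlist for illustration; extend it from your own intel sources.
KNOWN_COMPROMISED = {"reviewdog/action-setup", "tj-actions/changed-files"}

# `uses:` lines in a workflow file, with or without a leading "- " and quotes.
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*["\']?([^\s"\'#]+)', re.MULTILINE)
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref: str):
    """Classify one `uses:` value as (action, version, finding)."""
    if ref.startswith("./") or ref.startswith("docker://"):
        return (ref, "", "local-or-docker")        # not a marketplace action
    action, sep, version = ref.partition("@")
    if not sep:
        return (action, "", "no-ref")              # resolves to the default branch
    finding = "pinned-sha" if FULL_SHA_RE.match(version) else "mutable-ref"
    if action.lower() in KNOWN_COMPROMISED and finding == "mutable-ref":
        finding = "compromised-action-mutable-ref"
    return (action, version, finding)


def audit_workflow(text: str):
    """All `uses:` references in a workflow, classified in file order."""
    return [classify_uses(m.group(1)) for m in USES_RE.finditer(text)]


def findings(text: str):
    """Only the references a reviewer should act on."""
    return [f for f in audit_workflow(text) if f[2] not in ("pinned-sha", "local-or-docker")]


# --- evidence in logs: secrets dumped as double-encoded base64 -------------
B64_TOKEN_RE = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')


def _b64decode_strict(s: str):
    try:
        return base64.b64decode(s, validate=True)   # binascii.Error is a ValueError
    except ValueError:
        return None


def decode_double_base64(token: str):
    """Return x if token == base64(base64(x)) for printable text x, else None."""
    inner = _b64decode_strict(token)
    if inner is None:
        return None
    try:
        inner_text = inner.decode("ascii")
    except UnicodeDecodeError:
        return None
    if not re.fullmatch(r'[A-Za-z0-9+/]+={0,2}', inner_text):
        return None                                  # single-encoded: inner is not base64
    plain = _b64decode_strict(inner_text)
    if plain is None:
        return None
    try:
        text = plain.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def scan_log_for_double_base64(log_text: str):
    """(line number, decoded value) for every double-base64 token in a log."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        for m in B64_TOKEN_RE.finditer(line):
            decoded = decode_double_base64(m.group(0))
            if decoded is not None:
                hits.append((lineno, decoded))
    return hits


# --- constructed sample input (not a real workflow, SHA, token or log) -----
SAMPLE_WORKFLOW = """name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - name: what changed
        uses: tj-actions/changed-files@v45
      - uses: "reviewdog/action-setup@v1"
      - uses: ./.github/actions/local-step
"""

SECRET = "ghp_CONSTRUCTED_EXAMPLE_TOKEN_0001"
DOUBLE = base64.b64encode(base64.b64encode(SECRET.encode())).decode()
SINGLE = base64.b64encode(b"hello world, single-encoded").decode()
SAMPLE_LOG = "\n".join([
    "2025-03-11T19:00:00Z Run reviewdog/action-setup@v1",
    f"2025-03-11T19:00:01Z {DOUBLE}",
    f"2025-03-11T19:00:02Z artifact id {SINGLE}",
])

if __name__ == "__main__":
    for action, version, finding in findings(SAMPLE_WORKFLOW):
        print(f"{finding:32} {action}@{version}")
    for lineno, value in scan_log_for_double_base64(SAMPLE_LOG):
        print(f"log line {lineno}: double-base64 decodes to {value!r}")
```

A reference pinned to a full commit SHA passes even for an action on the watchlist, because a SHA cannot be moved the way a tag was here; anything the scanner prints from a real log should be treated as a leaked secret and rotated.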
So, Cloudflare analyzed passwords people are using to log in to sites they protect and discovered lots of re-use.
Let me put the important words in uppercase.
So, CLOUDFLARE ANALYZED PASSWORDS PEOPLE ARE USING to LOG IN to sites THEY PROTECT and DISCOVERED lots of re-use.
[Edit with H/T: https://benjojo.co.uk/u/benjojo/h/cR4dJWj3KZltPv3rqX]
https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/
It feels quite uncomfortable that cloudflare is somewhat openly admitting to analysing login credentials that are going through the reverse proxy, and providing aggregated stats on it (without explicit consent of the user it appears?)
Based on Cloudflare's observed traffic between September - November 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords. Don't get me wrong, the results are actually pretty interesting, but I just cannot think of an ethical way of doing this, and it feels kind of jarring that they just "did that"
https://blog.cloudflare.com/password-reuse-rampant-half-user-logins-compromised/
The free service from portmap.io is being abused to support malware C2 communications. If you don’t use it, I suggest blocking *.portmap.io via DNS, NGFW and/or web proxy.
From: @ScumBots
#StagedC2 config observed at Sat Mar 15 18:09:04 2025 UTC, located at hXXps://pastebin[.]com/raw/a0epCKQK C2: xdeadlylez-30616[.]portmap[.]io:30616 (IP: 193.161.193.99)
I’ve never heard of the MSP-focused bluetrait.io but add it to the list of legitimate services that get abused. If you don’t use this RMM service, I suggest blocking it via DNS, NGFW or Web security proxy. #cybersecurity
From: @threatinsight
New cyber threat research from Proofpoint highlights how attackers are adapting to law enforcement disruptions, leveraging trusted software to evade detection and compromise systems.
This blog details our team's findings: https://www.proofpoint.com/us/blog/threat-insight/remote-monitoring-and-management-rmm-tooling-increasingly-attackers-first-choice?campaign=2025&utm_medium=social_organic.
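The two posts above recommend blocking `*.portmap.io` and bluetrait.io at DNS if you don't use those services. As an added example (not code from either poster, ScumBots, Proofpoint or the services named), here is a small checker that matches DNS query logs against such a blocklist on the label boundary and emits the equivalent Response Policy Zone records. The hostnames, client addresses and dnsmasq-style log lines are constructed; the blocklist is just the two domains the posts name.

```python
import re

# Abused legitimate services named in the posts above. Constructed blocklist for
# illustration; keep yours in version control and review it when you add entries.
BLOCKED_DOMAINS = ["portmap.io", "bluetrait.io"]


def matches_blocklist(qname: str, blocklist=BLOCKED_DOMAINS):
    """Return the blocklist entry that covers qname (exact or any subdomain), else None.

    Matching on the label boundary is what makes this a '*.portmap.io' rule
    rather than a substring search: 'notportmap.io' must not match.
    """
    name = qname.rstrip(".").lower()
    for entry in blocklist:
        entry = entry.lower()
        if name == entry or name.endswith("." + entry):
            return entry
    return None


def rpz_records(blocklist=BLOCKED_DOMAINS):
    """RPZ records returning NXDOMAIN for each domain and all of its subdomains."""
    records = []
    for entry in blocklist:
        records.append(f"{entry} IN CNAME .")
        records.append(f"*.{entry} IN CNAME .")
    return records


# dnsmasq-style query lines: "... query[A] <name> from <client>"
QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")


def find_hits(log_text: str):
    """(client, queried name, matching entry) for every blocked lookup in the log."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue            # replies, cache notices etc. are not queries
        _qtype, qname, client = m.groups()
        entry = matches_blocklist(qname)
        if entry:
            hits.append((client, qname, entry))
    return hits


# Constructed sample log (hostnames, clients and addresses are made up)
SAMPLE_DNS_LOG = """\
Mar 15 18:09:04 dnsmasq[1234]: query[A] sub-30616.portmap.io from 10.0.0.23
Mar 15 18:09:05 dnsmasq[1234]: query[A] www.example.com from 10.0.0.23
Mar 15 18:09:05 dnsmasq[1234]: reply www.example.com is 203.0.113.10
Mar 15 18:09:06 dnsmasq[1234]: query[A] notportmap.io from 10.0.0.9
Mar 15 18:09:07 dnsmasq[1234]: query[AAAA] agent.bluetrait.io. from 10.0.0.42
"""

if __name__ == "__main__":
    for client, qname, entry in find_hits(SAMPLE_DNS_LOG):
        print(f"{client} looked up {qname} (blocked by {entry})")
    print("\n".join(rpz_records()))
```

Running the same matcher over historical resolver logs before you deploy the block tells you whether anyone in the estate legitimately uses the service, which is the "if you don't use it" condition both posts attach to the advice.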
🚨 March 12 UPDATE: Grafana Exploitation May Signal Multi-Phase SSRF Attacks. Update + original analysis:
We are excited to announce that CIRCL has three open positions available.
As a team strongly oriented towards open-source development, we value contributions that drive innovation and strengthen the cybersecurity community. These roles are open to EU citizens, with the workplace based in Luxembourg. If you’re passionate about cybersecurity and open-source collaboration, we encourage you to apply and make a meaningful impact.
🔗 https://www.circl.lu/projects/position/software-engineering-analyst/
🔗 https://www.circl.lu/projects/position/security-analyst-researcher/
🔗 https://www.circl.lu/projects/position/nis2-incident-analyst/
❌ No safe message scanning technology exists.
⚠️ These powers would force a cybersecurity weakness onto apps like WhatsApp and Signal.
‼️ Hackers, predators and spies could crowbar their way into everything you send.
✍️ Tell Ofcom: End-to-end Encryption Means Online Safety ➡️ https://action.openrightsgroup.org/48-hours-tell-ofcom-practice-safe-text
⏰ CLOSES Monday 10 March at 5pm.
🚨 Time is Running Out to Save Encryption 🔐
Ofcom is consulting on implementing message scanning powers in the UK Online Safety Act.
This would break end-to-end encryption on the messaging apps we all use!
⏰ CLOSES Monday 10 March, 5pm.
Use our tool to tell Ofcom #PracticeSafeText 💬
ACT NOW ⬇️
https://action.openrightsgroup.org/48-hours-tell-ofcom-practice-safe-text