Security & IT News

As AI tools become more accessible, employees are adopting them without formal approval from IT and security teams. While these tools may boost productivity, automate tasks, or fill gaps in existing workflows, they also operate outside the visibility of security teams, bypassing controls and creating new blind spots in what is known as shadow AI. While similar to the phenomenon of

Microsoft has suspended developer accounts used to maintain multiple high-profile open-source projects without proper notification and no way to quickly reinstate them, effectively blocking them from publishing new software builds and security patches for Windows users. [...]

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

In a previous diary [1], we looked to see how numbers were used within passwords submitted to honeypots. One of the items of interest was how dates, and more specifically years, were represented within the data and how that changed over time. It is often seen that years and seasons are used in passwords, especially when password change requirements include frequenty password changes. Some examples we might see today: Spring2026! Spring26 April2026 April@2026 AprilShowers26 Bloom2026 Easter2026! Passover2026 How is this data represented within passwords submitted to honeypots? Are bots updated to incorporate new year values at certain intervals? Date range of data: 4//21/2024 - 3/29/2026 Number of unique passwords: 496,562 Figure 1: Top 10 contiguous numbers used in passwords submitted to sample of DShield honeypots. When looking at contiguous numbers used within passwords, we see similar data from a couple of years ago. The top two contigious numbers seen within passwords submitted to honeypots were 123 and 1 . However, rather than many of the other high volume contiguous numbers representing a subset of 123456 , the passwords included other numbers such as 100000 , 19 , 69 , 200 . It turns out that this activity was related to a potential DDoS or stress testing of and endpoing using ICMP. 100000 was the desired number of packets sent to the destionation host and the other numbers represented each octet of the destination IP. Figure 2: Passwords submitted to honeypots that were supposed to be commands run once access was gained to the honeypot. The source IP %%ip:147.45.47.117%% was attempting these commands between 11/18/2024 and 11/24/2024. The activity was seen on honeypots distributed in GCP, Digital Ocean, Azure and a residential honeypot. This was not seen on samples from an AWS honeypot. Other activities from this source were seen between 11/14/2024 and 12/1/2024. Most of the sessions from this host are repeated attempts to download a script from %%ip:45.125.66.215%% and install it as a service. Figure 3: Repeated attempts to setup and install a service using a downloaded script from %%ip:45.125.66.215%%. Unfortunately, the file was not downloaded by any of the honeypots, so there was not a file to reference. Okay, back to passwords and number usage. Let's take a look at number frequency use in the passwords submitted to honeypots. Figure 4: Individual number frequency used within passwords submitted to honeypots. Similar to the previous review, generally the lower the number, the more frequently it's used in a password. The most common digits used are 0 , 1 , 2 and 3 . What about 4-digit numbers? Figure 5: Top 10 numbers used within passwords submitted to honeypots only containing 4 digits. This was also similar to the previous review. 1234 is still the most common and usually the most prevelant year seen is the prior year. We do see 2026 in this list, but since there's only a few months of data, it hasn't quite hit the vo

Cybersecurity researchers have flagged a new variant ofmalware called Chaosthat'scapable of hitting misconfigured cloud deployments, marking an expansion of the botnet's targeting infrastructure. "Chaos malware is increasingly targeting misconfigured cloud deployments, expanding beyond its traditional focus on routers and edge devices," Darktrace said in a new report.

Ninja Forms File Upload RCE via unauthenticated arbitrary file upload; update to 3.3.27 immediately

One question that often comes up when I talk about honeypots: Are attackers able to figure out if they are connected to a honeypot? The answer is pretty simple: Yes! Most medium interaction honeypots, like the one we are using, are just simulating various systems. These simulations are incomplete. For example, we are using the Cowrie honeypot to emulate SSH and telnet servers. Once an attacker is connected, any package they are installing will appear to install. In the past, I have written about attackers attempting to install bogus packages. If the install appears to succeed, the attacker knows they are connected to a honeypot. Some attackers look for SSH artifacts, such as the number and types of ciphers supported by SSH. Today, I noticed one attacker, (IP address %%ip:45.135.194.48%%), using another common trick: Cowrie will often allow attackers to connect randomly . The effect is that various username and password combinations appear to work. In this case, the attacker used usernames and passwords that are highly unlikely to work. If they succeed, they know they are connected to a honeypot. Here are some of the usernames and passwords used: username password admin definitely_not_valid_creds honeypot indexer honeypotter imaginegettingindexed xXhoneypotXx P@ssw0rd1337! youjustgotindexed getindexedretard Will we do anything to block these types of requests? Maybe... I am not sure it is important enough to hide honeypots. One advantage we have is that many of our honeypots are connected to home networks with dynamic IPs. As a result, any IP address list an attacker will create is somewhat ephemeral. Secondly, we are mostly interested in internet-wide scans. We are not going to detect targeted attacks or zero days. -- Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu Twitter | (c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A $30,000 AI GPU doesn't outperform consumer GPUs at password cracking. Specops explains why attackers don't need exotic hardware to break weak passwords. [...]

Rapid7’s Incident Response (IR) team was engaged to investigate an incident involving exploitation of CVE-2025-59718 against a vulnerable FortiGate appliance. In December 2025, Fortinet disclosed this improper verification of cryptographic signature vulnerability that facilitates an SSO login bypass on affected appliances. After the initial exploitation, the attackers maintained a low-profile posture, systematically compromising additional firewalls before moving to internal network hosts. Ultimately, this grace period allowed responders to contain the threat before further impact could occur within the environment. This blog details exploitation insights, attack progression, and practical detection opportunities for defenders handling their own environments. Investigative methodology: Tracing the initial access vector in FortiGate appliances Identifying the Initial Access Vector (IAV) is a cornerstone of any incident response engagement. However, when the source of compromise is not immediately obvious, particularly when edge device exploitation is involved, responders often need to take a broader investigative approach. Rather than starting with a clear point of entry, investigators must analyze the available telemetry, reconstruct attacker activity, and work backwards to determine how access was first obtained. This process often involves multiple investigative workstreams running in parallel, each designed to answer different questions about the intrusion. As many IR responders and enthusiasts know, the first suspicious event observed during an investigation is rarely the first action taken by the attacker. Instead, it typically represents a point somewhere in the middle of a larger attack chain. A key step in incident response investigations is reconstructing the attacker timeline. Responders often take an “inside out” approach where they move outward from the initial alert to the full scope of the malicious activity (IAV), correlating multiple data sources to map the unfolding of the event. This process involves examining authentication logs, endpoint telemetry, firewall events, and records of system changes, rather than depending on just one log source. It also typically requires frequent pivoting between artifacts as investigations rarely ever unfold in a linear fashion. By aligning these findings and events chronologically, investigators often identify activity that predates the initial alert. CVE-2025-59718: Technical analysis and observed attacker behavior The first activity that drew attention was enumeration and credential discovery within the internal environment. This basic enumeration included gathering information about users, systems, and accessible resources within common user directories. This activity eventually expanded to SMB-based file scraping and network share access, allowing attackers to review files stored across the environment. While this behavior resembled routine administration, the chronological sequence of file

p CISA has added one new vulnerability to its a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" Known Exploited Vulnerabilities (KEV) Catalog /a , based on evidence of active exploitation. /p ul li a href="https://www.cve.org/CVERecord?id=CVE-2026-1340" target="_blank" CVE-2026-1340 /a Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability /li /ul p This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. /p p a href="https://www.cisa.gov/binding-operational-directive-22-01" Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities /a established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf" BOD 22-01 Fact Sheet /a for more information. /p p Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" data-entity-type="node" data-entity-uuid="79453b83-86b9-4e2f-b1ec-abf73c6eb291" data-entity-substitution="canonical" title="Known Exploited Vulnerabilities Catalog" KEV Catalog vulnerabilities /a as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the a href="https://www.cisa.gov/known-exploited-vulnerabilities" data-entity-type="node" data-entity-uuid="f2adba9a-0404-494c-a90c-4363a4a5c934" data-entity-substitution="canonical" title="Reducing the Significant Risk of Known Exploited Vulnerabilities" specified criteria /a . nbsp; /p

The Fragmented State of Modern Enterprise Identity Enterprise IAM is approaching a breaking point. As organizations scale, identity becomes increasingly fragmented across thousands of applications, decentralized teams, machine identities, and autonomous systems. The result is Identity Dark Matter: identity activity that sits outside the visibility of centralized IAM and

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

U.S. victims lost nearly $21 billion to cyber-enabled crimes last year, driven primarily by investment scams, business email compromise, tech support fraud, and data breaches, the Federal Bureau of Investigation says. [...]

Webshells remain a popular method for attackers to maintain persistence on a compromised web server. Many arbitrary file write and remote code execution vulnerabilities are used to drop small files on systems for later execution of additional payloads. The names of these files keep changing and are often chosen to fit in with other files. Webshells themselves are also often used by parasitic attacks to compromise a server. Sadly (?), attackers are not always selecting good passwords either. In some cases, webshells come with pre-set backdoor credentials, which may be overlooked by a less sophisticated attacker. I noticed first requests for a particular URL: /turkshell.php . This URL is linked to a well-known webshell. On this particular day, only four IPs were scanned for it: 20.48.232.178, 20.215.65.23, 51.12.84.116, 51.103.130.249 It is a little bit odd, but all four appear to be assigned to Microsoft. There may be an attacker targeting systems inside Microsoft's cloud environment. Or all four are used by the same (compromised?) organization. Next, I queried our database to see which other URLs these IP addresses probed, and ended up with 287(!) hits. Here are the top 10: URL Count /wp-content/ 45 /ms-edit.php 44 /fe5.php 43 /wp-content/admin.php 39 /av.php 36 /wp-content/plugins/hellopress/wp_filemanager.php 27 /wp-content/themes/index.php 23 /k.php 23 /goods.php 23 /222.php 23 One common theme was the use of the prefix wp- , likely to better fit in on WordPress sites. The scans also included non-webshell URLs like /wp-content/plugins/hellopress/wp_filemanager.php, which may be useful for fingerprinting the site or may be vulnerable to being used as or deployed as webshells. What should you do to protect yourself from webshells? Don't have any remote code execution or file upload vulnerabilities (yes... easy to say) Restrict permissions to not allow file uploads to your document root (sadly, in particular CMSs like WordPress sometimes have to be able to do so) Monitor the file system for changes What does not work (or not work very well): Scanning for specific filenames. The 287 files these four IPs looked for make a rather incomplete list. I will add it below, but please don't consider it complete. I am not even sure it is worth the effort to scan for these specific filenames. You may also get some false positives. Not every item on this list is a webshell, and some sites may use identical filenames for regular content. /.mopj.php /.tmb/8.php /.tmb/a5.php /.tmb/nano.php /.well-known/ /.well-known/7.php /.well-known/8.php /.well-known/a5.php /.well-known/f35.php /.well-known/simple.php /.yuf.php //a1.php //aa.php //about.php //admin.php //admina.php //adminfuns.php //av.php //cacheee.php //cgi-bin/index.php //edit.php //f6.php //fetch.php //inputs.php //wp-content/admin.php //wp-content/uploads/2021/02/index.php //wp-includes/css/dist/ //wp-includes/css/index.php //wp-includes/js/jquery/ //wp-includes/l10n/ //wp-mter.php //xwpg.php

Hackers are exploiting a maximum-severity vulnerability, tracked as CVE-2025-59528, in the open-source platform Flowise for building custom LLM apps and agentic systems to execute arbitrary code. [...]

The Russia-linked threat actor known as APT28 (aka Forest Blizzard) has been linked to a new campaign that has compromised insecure MikroTik and TP-Link routers and modified their settings to turn them into malicious infrastructure under their control as part of a cyber espionage campaign since at least May 2025. The large-scale exploitation campaign has been codenamed

In the rapid evolution of the 2026 threat landscape, a frustrating paradox has emerged for CISOs and security leaders: Identity programs are maturing, yet the risk is actually increasing. According to new research from the Ponemon Institute, hundreds of applications within the typical enterprise remain disconnected from centralized identity systems. These "dark

GrafanaGhost is a critical vulnerability in Grafana’s AI components that uses indirect prompt injection and protocol-relative URL bypasses to exfiltrate data.

An international operation from law enforcement authorities in partnership with private companies has disrupted FrostArmada, an APT28 campaign hijacking local traffic from MikroTik and TP-Link routers to steal Microsoft account credentials. [...]

A high-severity security vulnerability has been disclosed in Docker Engine that could permit an attacker to bypass authorization plugins (AuthZ) under specific circumstances. The vulnerability, tracked as CVE-2026-34040 (CVSS score: 8.8), stems from an incomplete fix for CVE-2024-41110, a maximum-severity vulnerability in the same component that came to light in July 2024. "