
Stryker Wipes 200K Systems 📱, Claudy Day Theft 🤖, Quantum Turing Win ⚛️


TLDR

Together With SpecterOps

TLDR Information Security 2026-03-19

See Identity Attack Paths Across Okta, GitHub, and Mac (Sponsor)

BloodHound Enterprise users can now see identity attack paths across Okta, GitHub, and Jamf using OpenGraph.

The new capability helps security teams identify and prioritize hybrid attack paths across identity providers, applications, and repositories. It also extends the value of BloodHound Scentry, accelerating identity attack path management with expert guidance and remediation support.

Heading to RSAC next week? See the new capabilities live at the SpecterOps booth (N-6277).

🔓

Attacks & Vulnerabilities

Fortinet patches FortiGate Firewall vulnerabilities that allowed hackers to steal enterprise credentials (3 minute read)

SentinelOne observed attackers exploiting three critical CVSS 9.8 vulnerabilities in FortiGate NGFWs between December 2025 and February 2026: CVE-2025-59718 and CVE-2025-59719, both stemming from improper cryptographic signature verification, which allowed unauthenticated attackers to forge SAML tokens and gain administrative access. CVE-2026-24858 was exploited as a zero-day to log into devices using an alternative account. CVE-2025-59718 was added to CISA's KEV catalog in late January 2026. Fortinet responded by suspending FortiCloud SSO before releasing a firmware patch. Defenders should apply the patch immediately, rotate all LDAP and AD credentials associated with FortiGate devices, enforce strong admin access controls, audit mS-DS-MachineAccountQuota settings, and monitor EDR telemetry from servers adjacent to the NGFW for unauthorized local admin account creation.
Stryker Targeted by Large-Scale Wiper Attack, Tens of Thousands of Devices Lost (2 minute read)

The pro-Iranian hacktivist group Handala compromised Stryker's Microsoft Intune environment on March 11, abusing legitimate MDM remote-wipe functionality to factory reset tens of thousands of Windows endpoints across 79 countries, erasing up to 95% of devices in some offices before containment. Handala, assessed by Palo Alto Networks to operate under the Iranian Ministry of Intelligence and Security, claims to have wiped over 200,000 systems and exfiltrated 50 TB of corporate data prior to triggering the destructive wipe. Medical devices, Vocera, Mako surgical robotics, LIFEPAK, and SurgiCount platforms remained unaffected due to architectural isolation from the impacted Microsoft environment. Organizations should audit MDM admin credential access and enforce conditional access policies to prevent similar living-off-the-land abuse.
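The audit recommendation above is where detection of this kind of abuse starts: a legitimate admin wipes a handful of devices a day, not thousands in an hour. The following is an added example (not from the newsletter, Stryker, or Microsoft) that flags any actor issuing a burst of wipe actions in an MDM audit export; the event records are constructed, and the field names `actor`, `activity`, `device`, and `timestamp` are assumptions rather than the exact Intune schema.

```python
"""Flag bursts of MDM remote-wipe actions in an Intune-style audit export.

Added example; the events below are CONSTRUCTED to resemble Intune audit
records, and the field names are assumptions, not Microsoft's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one account wipes 40 endpoints inside 40 minutes,
# while a helpdesk account performs a normal single wipe and one retire.
SAMPLE_EVENTS = [
    {"actor": "admin@corp.example", "activity": "wipe ManagedDevice",
     "device": f"WS-{i:04d}", "timestamp": f"2026-03-11T02:{i:02d}:00Z"}
    for i in range(0, 40)
] + [
    {"actor": "helpdesk@corp.example", "activity": "wipe ManagedDevice",
     "device": "WS-9001", "timestamp": "2026-03-11T09:15:00Z"},
    {"actor": "helpdesk@corp.example", "activity": "retire ManagedDevice",
     "device": "WS-9002", "timestamp": "2026-03-11T09:20:00Z"},
]


def find_wipe_bursts(events, window=timedelta(minutes=30), threshold=10):
    """Return {actor: max_wipes_in_window} for actors that issued at least
    `threshold` wipe actions inside any sliding `window`."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["activity"].lower().startswith("wipe"):
            ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            by_actor[ev["actor"]].append(ts)

    flagged = {}
    for actor, times in by_actor.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[actor] = max(flagged.get(actor, 0), count)
    return flagged


if __name__ == "__main__":
    for actor, count in find_wipe_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: {actor} issued {count} wipes within 30 minutes")
```

Tune the window and threshold to the tenant's normal wipe rate; the same sliding-window check applies to retire and delete actions.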
Marquis says over 672,000 people had personal and financial data stolen in ransomware attack (2 minute read)

Marquis had 672,075 people's data stolen in an August 2025 ransomware attack. Stolen data includes names, birth dates, addresses, bank and card account numbers, and Social Security numbers, with over half the victims living in Texas. Marquis sued its firewall vendor, SonicWall, in February, as it claims SonicWall's failings let attackers steal firewall configuration backup files to breach its network.
🧠

Strategies & Tactics

Accelerate and Automate Remediation with Semgrep Autofix (4 minute read)

Semgrep Autofix, now in public beta, pairs the Semgrep Pro static analysis engine with frontier-model LLMs to deliver contextual upgrade guidance, line-level breaking change analysis, and AI-generated fix suggestions directly in pull requests. The tool performs dual static analysis — first-party code analysis to map how your codebase uses a dependency, and third-party version diffing to identify breaking changes — before passing results to an LLM to produce high-confidence remediation. Layered on top of Semgrep Assistant's existing 95% false positive reduction via codebase-aware reachability analysis, Autofix shifts developer effort from writing fixes to reviewing AI-generated patches.
Agent Skills are the New Packages of AI: It's Time to Manage Them Securely (10 minute read)

JFrog launched the Agent Skills Registry, a centralized repository for governing AI agent skills — reusable, file-system-based instruction sets that execute with the invoking user's privileges and carry the same supply chain risks as OSS packages: prompt poisoning, malicious code, version drift, and weak provenance. The registry integrates with Agent Skills, ClawHub, and OpenShell, and enforces a publish-time security pipeline via `jf skills publish` that runs a two-stage behavioral scan, generates in-toto compliant attestations, and optionally produces cryptographically signed provenance evidence before a skill reaches the repository. At install time, `jf skill install` verifies that evidence chain, providing zero-trust consumption across coding agents, CI/CD pipelines, and automation tooling without locking teams into vendor-specific marketplaces.
The Most Organized Threat Actors Use Your ITSM (BMC FootPrints Pre-Auth Remote Code Execution Chains) (9 minute read)

watchTowr chained four flaws in BMC FootPrints — an auth bypass (CVE-2025-71257), two SSRF bugs (CVE-2025-71258, CVE-2025-71259), and a Java deserialization RCE (CVE-2025-71260) — to achieve pre-authenticated remote code execution on fully patched versions 20.20.02 through 20.24.01.001. The auth bypass leaks a session token via the password-reset endpoint, which then unlocks the SSRF and deserialization chains. BMC shipped hotfixes in September 2025 after a three-month back-and-forth reproduction process. CVEs were only assigned in March. FootPrints had no CVEs since 2014, making it an under-scrutinized target sitting on networks that also hold IT asset inventories and incident data.
🧑‍💻

Launches & Tools

7 must-have features to secure your workforce (Sponsor)

Threat actors don't break in — they log in. As credential-based attacks become the primary entry point for breaches, you need workforce identity verification (IDV) to verify that every login is legitimate. The Workforce IDV checklist breaks down the seven must-have features to help you evaluate solutions and protect against unauthorized access.

Download the checklist today

VMkatz (GitHub Repo)

VMkatz is a ~2.5 MB static binary that extracts Windows credentials directly from VM memory snapshots and virtual disks across VMware, VirtualBox, Proxmox, and Hyper-V without exfiltrating disk images. It supports all 9 LSASS SSP providers via in-place decryption, native VMFS-6 raw SCSI access to bypass file locks on running ESXi VMs, and natively parses NTDS.dit ESE databases for full Active Directory hash extraction with no impacket or external dependencies.
Native Security (Product Launch)

Native provides a multi-cloud security control plane that turns high-level security policy into provider-native controls, enforcing secure-by-design architecture across AWS, Azure, Google Cloud, and Oracle using built‑in security features instead of after-the-fact detection.
Fim (GitHub Repo)

FIM is an open source host-based file integrity monitoring tool that performs file system analysis, file integrity checking, and real-time alerting, and provides audit daemon data.
🎁

Miscellaneous

Iranian Botnet Exposed via Open Directory: 15-Node Relay Network and Active C2 (8 minute read)

An OPSEC failure on an Iranian-hosted staging server at 185.221.239[.]162 exposed a financially motivated operator's full working environment, including a 15-node KCP-based relay network spanning Finnish Hetzner nodes and Iranian ISPs, a Python botnet deployer (ohhhh.py) opening 500 concurrent SSH sessions to compile and launch a DDoS bot client (cnc) directly on victim machines via gcc, and MHDDos tooling tested against live targets. The exposed .bash_history documented three operational phases: tunnel deployment using paqet and 3x-ui, DDoS development targeting a FiveM GTA server (5.42.223[.]60:30120) and 194.147.222[.]151, and iterative C2 botnet buildout with Farsi inline comments confirming operator origin. Defenders should block the listed IOCs, monitor for unexpected gcc invocations and renamed binaries ("hex"), audit SSH access logs for credential-stuffing patterns, and treat any recruited hosts as independently compromised regardless of C2 reachability.
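The defender guidance above (watch for unexpected gcc invocations and renamed binaries such as "hex") can be turned into a simple check over auditd EXECVE records. The following is an added example, not from the original write-up: the log lines are constructed in auditd's EXECVE format, and the compiler and name watch-lists are assumptions to be adjusted per host class.

```python
"""Scan auditd EXECVE records for compiler runs and suspiciously named
binaries. Added example; log lines are CONSTRUCTED and the watch-lists
are assumptions (a build host would legitimately run gcc).
"""
import re
from os.path import basename

# Constructed auditd EXECVE records in the real on-disk format.
SAMPLE_AUDIT = """\
type=EXECVE msg=audit(1710800001.101:501): argc=4 a0="gcc" a1="cnc.c" a2="-o" a3="cnc"
type=EXECVE msg=audit(1710800002.202:502): argc=1 a0="./hex"
type=EXECVE msg=audit(1710800003.303:503): argc=2 a0="/usr/bin/ls" a1="-la"
type=SYSCALL msg=audit(1710800003.303:503): arch=c000003e syscall=59 success=yes
type=EXECVE msg=audit(1710800004.404:504): argc=3 a0="python3" a1="ohhhh.py" a2="--threads=500"
type=EXECVE msg=audit(1710800005.505:505): argc=2 a0="/usr/bin/cc" a1="--version"
"""

COMPILERS = {"gcc", "cc", "g++", "clang", "tcc"}   # assumption: unexpected on this host class
SUSPICIOUS_NAMES = {"hex", "cnc"}                  # names taken from the report above

ARGV_RE = re.compile(r'\ba(\d+)="([^"]*)"')
SERIAL_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")


def parse_execve(line):
    """Return (serial, argv) for an EXECVE record, or None for other record types."""
    if not line.startswith("type=EXECVE"):
        return None
    serial = int(SERIAL_RE.search(line).group(1))
    # a0..aN are not guaranteed to be in order; sort by index before use.
    argv = [v for _, v in sorted(ARGV_RE.findall(line), key=lambda kv: int(kv[0]))]
    return serial, argv


def flag_execs(log_text):
    """Return [(serial, reason, argv)] for records matching either watch-list."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_execve(line)
        if not rec or not rec[1]:
            continue
        serial, argv = rec
        name = basename(argv[0])
        if name in COMPILERS:
            hits.append((serial, "compiler-invocation", argv))
        elif name in SUSPICIOUS_NAMES:
            hits.append((serial, "suspicious-binary-name", argv))
    return hits


if __name__ == "__main__":
    for serial, reason, argv in flag_execs(SAMPLE_AUDIT):
        print(f"{serial}: {reason}: {' '.join(argv)}")
```

Pair the hits with the matching SYSCALL record (same serial) to recover uid, cwd and the parent process before acting on an alert.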
The Shadow AI Problem: How SaaS Apps Are Quietly Enabling Massive Breaches (2 minute read)

A Grip Security analysis of 23,000 SaaS environments found every one of them runs embedded AI, with public SaaS attacks up 490% year-over-year and 80% of incidents exposing PII or customer data. The 2025 Salesloft Drift breach shows the blast radius: attackers stole OAuth tokens and used them to access 700+ organizations, including Cloudflare and Palo Alto Networks. Companies average 140 AI-enabled SaaS environments, most of which are installed without a security review.
'Claudy Day' Trio of Flaws Exposes Claude Users to Data Theft (2 minute read)

Oasis Security researchers combined three vulnerabilities (an invisible prompt injection through URL parameters, an open redirect on claude.com, and data exfiltration via the Anthropic Files API) into a single attack called "Claudy Day." When a victim clicks a malicious Google search result, it loads covert instructions that silently extract conversation history, save it to a file, and then upload it to the attacker's Anthropic account. If MCP servers or integrations are active, the attack's impact extends to files, messages, and connected APIs.

Quick Links

Quantum Cryptography Pioneers Win Turing Award (2 minute read)

Charles Bennett and Gilles Brassard were awarded the Turing Award for their pioneering work in Quantum Information Science.
Linux Foundation Kicks Off Effort to Shield FOSS Maintainers from AI Slop Bug Reports (2 minute read)

Anthropic, AWS, GitHub, Google, Microsoft, and OpenAI have pledged $12.5M to a project to help open source maintainers combat the deluge of AI-generated bug reports.
Researchers warn of unpatched, critical Telnetd flaw affecting all versions (2 minute read)

CVE-2026-32746 (CVSS 9.8) is an unpatched buffer overflow in GNU InetUtils telnetd's LINEMODE SLC handler affecting all versions up to 2.7 that enables unauthenticated RCE as root via a single connection to port 23.


Want to advertise in TLDR? 📰

If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us.

Want to work at TLDR? 💼

Apply here, create your own role or send a friend's resume to jobs@tldr.tech and get $1k if we hire them! TLDR is one of Inc.'s Best Bootstrapped businesses of 2025.

If you have any comments or feedback, just respond to this email!

Thanks for reading,
Prasanna Gautam, Eric Fernandez & Sammy Tbeile


