Dragon Bytes

Dragon Bytes
  • 0.0 (0)
  • TECNOLOGÍA
  • CADA SEMANA

Delivering weekly insights, research, and threat indicators to help security professionals track emerging threats and intelligence.

Episodios

  1. Edge Warfare, MDM Hijacks, and the Warlock Blitz

    HACE 4 DÍAS

    Edge Warfare, MDM Hijacks, and the Warlock Blitz

    This week on Dragon News Bites, Will Baxter, Eli Woodward, and Will Thomas break down a week of high-velocity threats targeting the "foundational" layers of enterprise connectivity. From the long-term compromise of Singapore’s ISP infrastructure to the critical hijacking of Mobile Device Management (MDM) platforms, the team explores how state actors and financially motivated groups are bypassing the endpoint to live directly on the edge. Part 1: The Telco Breach & The Attribution Maze Singapore ISP Compromise: Four of Singapore's main ISPs suffered a long-term breach by a suspected China-nexus APT. UNC3886 vs. Salt Typhoon: Will Thomas breaks down the tactical nuances between these groups. While Salt Typhoon strategically moves upstream via Cisco switches, UNC3886 utilizes zero-days and rootkits to target FortiGates, Juniper, and VMware. The Global Trend: This follows last week's reporting on Norway being targeted, signaling a coordinated global focus on the telecommunications sector. Part 2: MDM Hijacking — More Dangerous than a SIEM Breach? European Commission Compromised: Attackers utilized a zero-day in Ivanti EPMM (formerly Mobile Iron) to breach the European Commission. The Power of the MDM: The team discusses why an MDM compromise is a "nightmare scenario"—allowing attackers to track physical locations, deploy malicious apps, and snoop on encrypted chats like Signal. The Geopolitical Connection: A clear trend is emerging of edge device exploitation targeting entities not geopolitically aligned with China. Part 3: The Rise of Warlock & Edge Blitzing Who is Warlock? A suspected Chinese-speaking ransomware group (tracked as Storm-2603) that deviates from the typical Russian-speaking model. Targeting SmarterMail: Warlock is weaponizing vulnerabilities in SmarterTools/SmarterMail (an Exchange alternative). Ironically, the vendor itself was hit by its own unpatched system. The MFA Shift: Eli Woodward notes that as MFA makes phishing harder, attackers have pivoted aggressively to edge device exploitation (Log4j, CenterStack, etc.) as the primary method for initial access. Part 4: Payroll Pirates & SaaS Fraud Social Engineering the Help Desk: Threat actors are chaining help desk social engineering with VDI session hijacking to divert direct deposits in HR SaaS platforms. Red Flag Alert: Organizations should immediately investigate any direct deposit change that occurs within two hours of an MFA reset. Events & Community: RISE USA (San Francisco): February 18–19 at Stripe HQ. 🔗 to register: https://go.team-cymru.com/rise-usa-2026 Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity. 🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open. 🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Topics & ReferencesDisclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    19 min
  2. Agentic Overload: The Rise of AI Exploits and the "Wet Bandit" APT

    9 FEB

    Agentic Overload: The Rise of AI Exploits and the "Wet Bandit" APT

    This week on Dragon News Bytes, Will Baxter and Will Thomas dive into a week defined by "Paradigm Shifts." We break down how top-tier state actors like Salt Typhoon are abandoning traditional phishing to live inside your edge infrastructure and how a new era of Agentic AI is creating a "One-Click RCE" nightmare for enterprise security teams. Plus, we look at the "Wet Bandits" of the APT world—a state-aligned group that remains surprisingly easy to hunt—and discuss why the latest hoax from 0APT was a "Vibe-Op" designed specifically to waste your team's time. Topics & References: Part 1: The Edge is the New Endpoint Salt Typhoon’s European Pivot: Norwegian intelligence (PST) confirms that Salt Typhoon is bypassing EDR entirely. They are now persisting inside edge gateways and telco infrastructure using the D-Knife Linux-based implant. TGR-STA-1030 (The Shadow Campaigns): A state-aligned group targeting global ministries of finance. Their tradecraft includes using Mega[.]nz for C2 to blend in with legitimate business traffic. Critical Takeaway: If your detection strategy assumes compromise starts on a laptop, you’ve already lost the battle. The "Metal Layer" of the network is the current battlefield. Part 2: Emerging AI Threats & "Vibe-Ops" OpenClaw & Agentic AI (CVE-2026-25253): We examine the birth of the "Agentic Supply-Chain Attack." Malicious AI "skills" are now being used to exfiltrate tokens via WebSocket hijacking. 0APT: Anatomy of a "Vibe-Op": Claims of a new ransomware operation targeting retail and healthcare turned out to be a low-capability hoax. We discuss why this was a "resource-drain operation" intended to panic security teams rather than a technical breach. Operation Neusploit: Zscaler observes APT28 (Fancy Bear) weaponizing Microsoft RTF vulnerabilities (CVE-2026-21509) at "wartime tempo"—just days after the patch was released. Hunter’s Field Notes (Immediate Action): Hunt for D-Knife: Look for any Linux process on Cisco or Fortinet appliances spawning a shell, or outbound connections from management interfaces not tied to update daemons. Mega[.]nz Monitoring: Flag high-volume uploads to Mega[.]nz from Server VLANs or Service Accounts. Ask, "why is a domain controller talking to Mega?" AI Socket Hunting: Monitor for unfamiliar WebSocket (WS/WSS) connections initiated from workstations to external IPs during browser navigation windows. Events & Community: RISE USA (San Francisco): February 18–19 at Stripe HQ. 🔗 to register: https://go.team-cymru.com/rise-usa-2026 Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity. 🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open. 🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    17 min
  3. Sandboxes, Seizures, and the Industrialization of Cybercrime

    2 FEB

    Sandboxes, Seizures, and the Industrialization of Cybercrime

    This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined Will Thomas to break down a convergence of nation-state activity and critical infrastructure disruptions. We cover the FBI’s massive takedown of the RAMP cybercrime forum, the re-attribution of Poland’s energy sector cyberattack to Dragonfly, and a wave of critical sandbox escapes impacting developer and AI environments. Plus, we discuss how attackers are weaponizing physical snail mail for extortion and the strategic impact of Google’s latest disruption of the IPIDEA proxy infrastructure. Topics & References: Part 1: Major Infrastructure & Law Enforcement Actions FBI Seizes RAMP Cybercrime Forum: A major blow to Russian-speaking initial access brokers (IABs). RAMP stood as a safe haven for ransomware groups like Black Cat and LockBit after other forums banned the activity. Analyst Note: Expect forum migration and operational mistakes as these actors scatter to new homes. Read more: https://shorturl.at/cURYo Google Disrupts IPIDEA Infrastructure: A coordinated takedown of a massive residential proxy network leveraged by botnets (Kimwolf/AISURU) and fraud operations. The Impact: This creates a short-term detection window for hunters as adversaries migrate to noisier fallback infrastructure. Poland Energy Sector Re-attribution: CERT.PL has officially attributed the massive energy incident from late 2025 to Dragonfly (Energetic Bear) rather than Sandworm. Critical Takeaway: Hitachi Energy confirmed no product flaws were used; the breach stemmed from default credentials and environmental misconfigurations. Read more:  https://shorturl.at/I707p Part 2: Emerging Vulnerabilities & Malware Campaigns Critical Sandbox Escapes (CVE-2026-22709): Assumptions of "safe execution" are failing in developer tooling and AI environments. We break down the Grist-Core Pyodide escape and the popular vm2 NodeJS library bypass. SolarWinds Web Help Desk RCE (CVE-2025-40551): An unauthenticated remote code execution vulnerability that serves as a high-impact lateral movement enabler. Key TTPs Whitelist bypass using malformed URIs containing /ajax/ Exploitation path includes: /helpdesk/WebObjects/Helpdesk.woa/wo/ with wopage=LoginPref Read more: https://tinyurl.com/y3x7vase CVE-2026-21962: "AI Slop" or Exploit? ISC observed scanning activity targeting WebLogic with non-functional, AI-generated payloads, highlighting a new challenge in distinguish signal from noise. Read more: https://tinyurl.com/yx52bkwa TA584 Extortion Pivots: This initial access broker has tripled campaign volume, now using photos of physical snail mail customized with victim details to increase psychological pressure.  New Report: Voices of the Cybersecury strategist - A Benchmark Report for Security Leaders. Insights from leading  CISOs, VPs, and Directors on navigating threat landscapes, allocating resources, and aligning security with business objectives. Read the full report: https://tinyurl.com/4jxb3kc5 Events & Community: RISE USA (San Francisco): February 18–19 at Stripe HQ. 🔗 to register: https://go.team-cymru.com/rise-usa-2026 Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity. 🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open. 🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnbDisclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    27 min
  4. Malicious Prompts, Botnet Backdoors, and the Industrialization of Cybercrime

    26 ENE

    Malicious Prompts, Botnet Backdoors, and the Industrialization of Cybercrime

    This week on Dragon News Bytes, Eli Woodward and Will Baxter dive into the shift from "cottage industry" cybercrime to an industrialized assembly line fueled by AI. We break down high-urgency RCEs in Cisco Unified Platforms, the massive comeback of the Kimwolf Botnet via IoT backdoors, and the "new SQL injection" taking over AI workflows: Prompt Injection. Plus, we discuss the weaponization of VS Code extensions by North Korean actors (Purple Bravo) and provide a full update on our upcoming global event schedule. Topics & References: Part 1: Patch Now: High-Urgency Threats & Evolving Infrastructure Cisco Unified Platform RCE (CVE-2026-20045): A critical unauthenticated Remote Code Execution vulnerability granting root access to video and phone systems. Target URLs include /webcalling/Unity/ and /UCMuser. Read more: https://arcticwolf.com/resources/blog/cve-2026-20045/  TP-Link VIGI & Edge Vulnerabilities: Critical flaws in VIGI cameras allow for remote takeover, highlighting the persistent risk in edge and IoT infrastructure. Read more: https://securityaffairs.com/187110/hacking/critical-tp-link-vigi-camera-flaw-allowed-remote-takeover-of-surveillance-systems.html Kimwolf Botnet Resurgence: Now exceeding two million devices, this botnet is scaling via pre-baked backdoors in consumer devices like TV boxes. Read more: https://krebsonsecurity.com/2026/01/kimwolf-botnet-lurking-in-corporate-govt-networks/ Part 2: Hacking the Human OS & AI Abuse Help Desk Social Engineering: West African criminal groups are increasingly impersonating employees via phone calls to reset passwords for "payroll redirects." The AI Prompt Injection Revolution: Described as the "new SQL injection," prompt injection is resetting years of input sanitization efforts. We discuss agentic browsers bypassing security controls and a Microsoft Teams bug used to steal user tokens. DPRK (Purple Bravo) Targeting Developers: North Korean actors are weaponizing VS Code extensions and using tasks.json in the Evelyn Stealer malware to auto-execute when repositories are opened.  Events & Community: SANS CTI Summit Happy Hour (Arlington, VA): Join Team Cymru and OpenCTI on January 26th. RISE USA (San Francisco): February 18–19 at Stripe HQ.🔗 to register: https://go.team-cymru.com/rise-usa-2026 Brews and Briefings (Minneapolis): Late February session focused on DPRK threat activity.🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis FS-ISAC Spring Summit (Orlando): March presentations on the latest fintech threats.🔗 to register: https://www.fsisac.com/events/2026-americas-spring RISE Ireland (Dublin): April 14–15 at Stripe Dublin.🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    21 min
  5. The Call Is Coming from Inside the House

    19 ENE

    The Call Is Coming from Inside the House

    This week on Dragon News Bytes, Eli Woodward and Will Baxter break down the operational fires you need to fight now and the emerging AI threats targeting your internal guardrails. We cover the critical FortiSIEM zero-day RCE, the rise of AI prompt injection attacks across Microsoft Copilot and Salesforce, and the massive 58% year-over-year surge in ransomware victims. Plus, we discuss the strategic impact of the Red VDS infrastructure takedown and our upcoming global event schedule. Topics & References: Part 1: Emerging Threats FortiSIEM Zero-Day RCE (CVE-2025-64155): Critical remote code execution via the pH monitor service. If you use FortiSIEM, restrict TCP port 7900 immediately. Read more: https://horizon3.ai/attack-research/vulnerabilities/cve-2025-64155-fortinet-fortisiem/ Red VDS Infrastructure Takedown: Microsoft’s disruption of a major "bulletproof" virtual desktop service used for fraud and financially motivated phishing. Ransomware Surge 2026: A 58% increase in publicly posted victims compared to 2024, with 124 active groups now tracked globally. Part 2: Emerging AI Threats AI Honeypot Findings: Discovery of automated scanning for Open LLM endpoints (Claude, ChatGPT, Ollama) originating from a single German source.  AI Prompt Injection Attacks: New research into malicious prompts embedded in links that can hijack AI agents in Microsoft Copilot, Salesforce, and ServiceNow to steal user tokens and secrets. Read more:  https://appomni.com/ao-labs/bodysnatcher-agentic-ai-security-vulnerability-in-servicenow/ https://www.varonis.com/blog/reprompt The Three Pillars of AI Security: A strategic framework for defending from AI attacks, defending the AI your organization uses, and defending using AI tools. Read more: https://www.pillar.security/blog/the-agent-security-paradox-when-trusted-commands-in-cursor-become-attack-vectors Events & Community: SANS CTI Summit Happy Hour (Arlington, VA): Join Team Cymru and OpenCTI on January 26th. RISE USA (San Francisco): February 17–19 at Stripe HQ.🔗 to register: https://go.team-cymru.com/rise-usa-2026 Brews and Briefings (Minneapolis): Late February session focused on DPRK threat activity.🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis FS-ISAC Spring Summit (Orlando): March presentations on the latest fintech threats.🔗 to register: https://www.fsisac.com/events/2026-americas-spring RISE Ireland (Dublin): April 14–15 at Stripe Dublin.🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    20 min
  6. Dragon Bytes: The "Trust Nothing" Update

    10 ENE

    Dragon Bytes: The "Trust Nothing" Update

    This week on Dragon Bytes, we break down the operational fires you need to fight now and the emerging threats you’ll be fighting tomorrow. We cover the critical "Ni8mare" RCE in n8n automation tools, the new "ClickFix" social engineering waves hitting hospitality, and the "Zombie" D-Link routers building massive botnets. Plus, we dive into China-linked UAT-7290 targeting telcos and why Black Cat ransomware is poisoning your Google search results. Topics & References: Part 1: Emerging Threats The "Ni8mare" RCE (CVE-2026-21858): Critical unauthenticated remote code execution in n8n workflow automation tools. Read more: Horizon3.ai Analysis "ClickFix" Phishing Campaign: Fake "Blue Screen of Death" pages forcing users to run malicious PowerShell scripts. Currently targeting the European hospitality sector. Read more: Computing.co.uk Report "MongoBleed" (CVE-2025-14847): Unauthenticated memory leak in MongoDB exposing sensitive RAM data. Read more: Rapid7 Advisory "Ghost Tap" NFC Fraud: Android malware bridging the gap between cyber and physical payment terminal fraud. Read more: Inetco Research "ZombieAgent" AI Flaw: Embedding hidden text in documents to hijack AI agents via indirect prompt injection. Read more: SecurityBrief Asia GoBruteforcer Botnet: Golang-based malware targeting Linux servers to reach Web3/Crypto assets. Read more: BleepingComputer Part 2: Operational Fires D-Link "Zombie" RCE (CVE-2026-0625): Active exploitation of legacy D-Link DSL routers to build residential botnets. Read more: SC Media Report APT Alert: UAT-7290: China-linked espionage group using "Operational Relay Boxes" (ORBs) to target Telecommunications and Defense sectors. Read more: Infosecurity Magazine Black Cat Ransomware SEO Poisoning: The ransomware gang is now poisoning search results for IT tools like "WinSCP" and "Notepad++". Read more: News4Hackers Supply Chain & Breaches: Fake WinRAR Installers: Malwarebytes Ledger / Global-e Breach: Ledger Support NordVPN Breach Claim (Denied): NordVPN Blog Connect with Us: Subscribe to the Dragon News Bytes feed: Team Cymru Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    30 min
  • 6 episodios

Acerca de

Delivering weekly insights, research, and threat indicators to help security professionals track emerging threats and intelligence.

Información

  • Creador
    Dragon Bytes
  • Años de actividad
    2 k
  • Episodios
    6
  • Clasificación
    Apto
  • Copyright
    © Dragon Bytes
  • Mostrar sitio web
    Dragon Bytes

También te podría interesar