Dragon Bytes

Dragon Bytes

Delivering weekly insights, research, and threat indicators to help security professionals track emerging threats and intelligence.

  1. APJ Ransomware, Axios NPM Hijack, and AI Privacy Nightmares

    HACE 6 DÍAS

    APJ Ransomware, Axios NPM Hijack, and AI Privacy Nightmares

    This week on Dragon News Bytes, Eli Woodward and Will Baxter are joined by Ben Archie to break down a high-velocity week of supply chain compromises and surging regional threats. We cover the explosive growth of ransomware in the APJ region, the North Korean state-actor hijack of the Axios NPM package, and the TrueConf zero-day exposing Southeast Asian governments. Plus, we discuss how the recent Anthropic Claude code leak could weaponize package management and the frightening implications of AI on personal data extortion. Topics & References: Part 1: The APJ Threat Landscape & TrueConf Zero-Day Ransomware Surge: APJ is currently the fastest-growing region for ransomware, marking a 59% year-on-year increase and accounting for 64% of global incidents. Healthcare Under Fire: The Dragonforce ransomware group recently claimed a breach of the Australian health management system, underscoring massive third-party risks across the country's health sector. TrueConf Zero-Day (CVE-2026-3502): A critical vulnerability in video conferencing software is being abused to compromise on-prem servers and push Havoc malware to connected endpoints. This supply chain attack heavily targets Southeast Asian government networks and was recently added to the CISA KEV catalog. Part 2: Supply Chain Nightmares & The Axios Compromise The Axios NPM Hijack: Attackers compromised the NPM publishing account of Axios' lead maintainer, releasing two malicious legacy versions (1.14.1 and 0.30.40). The threat actors injected a phantom runtime dependency without altering the source code, and the packages remained live for roughly two to three hours before NPM yanked them. Attribution: Microsoft has attributed the Axios NPM compromise infrastructure to Sapphire Sleet, a known North Korean state actor. Shiny Hunters Target Cisco: The group claims to have breached Cisco’s internal development environment using credentials stolen during the Trivy GitHub compromise. They allege the theft of AWS keys and over three million Salesforce records, setting an extortion deadline of April 3. Part 3: Threat Actor Drama & AI Privacy Risks Ransomware Soap Opera: Threat groups like Team PCP and The Comm are engaging in public trash-talk, echoing previous incidents where The Comm publicly dumped an Oracle EBS zero-day to humiliate Klopp. Anthropic Claude Code Leak: The team discusses how leaked source code could lower the barrier to entry for attackers, allowing them to better understand package management prioritization and weaponize AI models for supply chain attacks. Handala Hack & AI Extortion: Iranian activist group Handala breached the personal email of FBI Director Kash Patel. This sparks a broader discussion on the future of personal extortion, warning that attackers could soon use LLMs to scrape and weaponize the intimate, sensitive data users dump into AI mental health and companion apps. Events & Community: RISE Ireland: April 14 -25 in Dublin, Ireland 🔗 to register: https://go.team-cymru.com/rise-ireland RISEx Sydney: May 6 in Sydney, Australia 🔗 to register: https://www.team-cymru.com/events/rise-sydney-2026 RISEx Frankfurt: May 28th in Frankfurt, Germany 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026 RISEx New York: June 16 in New York City, US 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 Underground Economy: September 7th -9th in Strasbourg, France To be hosted at the Council of Europe, expecting 600-700 attendees.  FirstCon26 (Denver): Eli Woodward will be presenting two sessions. 🔗 to register: https://www.first.org/conference/2026/registration-options Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    24 min
  2. Pipeline Peril, Citrix Bleed 3.0, and the Hacktivist Playbook

    31 MAR

    Pipeline Peril, Citrix Bleed 3.0, and the Hacktivist Playbook

    This week on Dragon News Bytes, Eli Woodward and Will Baxter break down a relentless wave of CI/CD pipeline compromises. The team dives into the rapid-fire attacks by Team PCP, the emergence of Citrix Bleed 3.0, and the psychological warfare tactics of Iranian-aligned hacktivists. Plus, we explore why English-speaking ransomware actors are ditching encryption entirely in favor of "Exfil and Extort" models. Topics & References Part 1: The CI/CD Pipeline Blitz & Team PCP The Team PCP Blitz: A new group has claimed responsibility for five major incidents in a single week, including compromises of Trivy, React Native, LightLLM, and Telnyx. AI-Enabled Supply Chain Attacks: The duo discusses the "Hacker Clawbot" proof of concept and how AI is likely being used to rapidly identify and weaponize common software packages. The CTI Shift: Cyber Threat Intelligence teams must now broaden their perspective to include enterprise architecture and software supply chain workflows. Part 2: Edge Warfare: Citrix Bleed 3.0 CVE-2026-3055: A new critical Citrix vulnerability is actively being exploited in the wild. The "Memory Cough" Technique: Attackers are repeatedly hitting vulnerable endpoints to scrape memory bit-by-bit until they gather enough to gain full access. Edge vs. MFA: The widespread success of MFA has forced attackers to pivot aggressively toward edge device exploitation as their primary initial access vector over the last five years. Part 3: Iranian Geopolitical Hacking & Hacktivist Playbooks High-Profile Leaks: Discussion on the Lockheed Martin data leak and the hacking of FBI Director Cash Patel’s personal email. The "Hacktivist BS" Playbook: Eli breaks down how opportunistic actors use scary videos and exaggerated propaganda to spin minor MSP breaches into massive national incidents. Handala & Wipers: Opportunistic attacks tied to the Handala group are utilizing stealers and new wiper variants to impact organizations. Part 4: The Death of Encryption? Exfil and Extort: Google Threat Intelligence reports that 77% of incidents by English-speaking actors now involve data exfiltration without encryption. The Backup Victory: As corporate backups become more resilient, attackers are finding that pure data theft and leak site pressure offer a better ROI than providing decrypters. Events & Community RISE Ireland: April 14 -25 in Dublin, Ireland 🔗 to register: https://go.team-cymru.com/rise-ireland RISEx Sydney: May 6 in Sydney, Australia 🔗 to register:https://www.team-cymru.com/events/rise-sydney-2026 RISEx Frankfurt: May 28th in Frankfurt, Germany 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026 RISEx New York: June 16 in New York City, US 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 Underground Economy: September 7th -9th in Strasbourg, FranceTo be hosted at the Council of Europe, expecting 600-700 attendees. Registration will open first week of April Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymruSubscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    23 min
  3. Operation Ghost Mail, Starlink Evasion, and the Stoat Waffle Threat

    24 MAR

    Operation Ghost Mail, Starlink Evasion, and the Stoat Waffle Threat

    This week on Dragon News Bytes, Eli Woodward and Will Thomas dive into a packed week of vulnerability disclosures, APT campaigns, and geopolitical cyber fallout. From Iranian threat actors utilizing Starlink to bypass national internet blocks, to North Korean campaigns targeting developers with "Stoat Waffle" malware, the team unpacks the strategies adversaries are using to breach global enterprises. Plus, a look at Team Cymru's latest intel on tracking Beast ransomware infrastructure and an update on our upcoming global events. Topics & References Part 1: The Vulnerability Landscape Cisco Secure Firewall RCE (CVE-2026-20131): An insecure deserialization flaw was added to the CISA KEV catalog on March 19th, with active exploitation tracked back to late January. The Interlock ransomware gang has been identified as a threat actor exploiting this vulnerability. SharePoint On-Prem Pre-Auth RCE: Warlock Ransomware has targeted unpatched Microsoft SharePoint servers (2016 and 2019) in a major exfiltration and extortion campaign. Part 2: APT Operations & Geopolitics Handala (Void Manticore) & Starlink: Following the disruptive attack on medical tech company Stryker via Intune, Checkpoint released research showing Handala operators utilizing Starlink terminals to bypass Iran's national internet blackouts. Operation Ghost Mail: Russia's APT 28 (Fancy Bear) is aggressively targeting Zimbra Webmail servers to compromise Ukrainian government operations. Waterplum's "Stoat Waffle": A North Korean group is targeting Web3 and cryptocurrency developers with malicious Python, NPM, and JavaScript packages under the guise of "contagious interview" job offers. Part 3: Supply Chain Threats & Intel Insights Invisible Supply Chain Attacks: Aikido Security demonstrated how threat actors are using Unicode to hide disappearing text and malicious scripts in repositories. Beast Ransomware Operations: Team Cymru's latest research highlights how Open Directories data combined with NetFlow can unmask ransomware actor infrastructure and target lists. Events & Community: NCAA March Madness Watch Party:  March 27th in Atlanta, US 🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026  RISE Ireland: April 14 -25 in Doublim, Ireland 🔗 to register: https://go.team-cymru.com/rise-ireland RISEx Sydney: May 6 in Sydney, Australia 🔗 to register:https://www.team-cymru.com/events/rise-sydney-2026 RISEx Frankfurt: May 28th in Frankfurt, Germany 🔗 to register: https://www.team-cymru.com/events/rise-frankfurt-2026 RISEx New York: June 16 in New York City , US 🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 Underground Economy: To be hosted at the Council of Europe, expecting 600-700 attendees. Registration will open first week of April Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    19 min
  4. Intune Wipers, Veeam RCEs, and DPRK's $800M IT Empire

    17 MAR

    Intune Wipers, Veeam RCEs, and DPRK's $800M IT Empire

    This week on Dragon News Bytes, Eli Woodward and Will Thomas hold down the fort while Will Baxter is in Japan. The team breaks down a highly active week in the cyber world, covering critical unauthenticated vulnerabilities, the weaponization of foundational IT tools, and the staggering financial scale of nation-state operations. From Handala's devastating Intune wiper attacks to Shiny Hunters' 60-second data exfiltration capabilities, we explore the tactical shifts security teams need to prioritize right now. Topics & References Part 1: Critical RCEs & AI Bug Hunting Veeam Backup RCE: A critical, unauthenticated remote code execution vulnerability was identified in Veeam backup and replication software. Threat groups like Fin7, Black Cat, Akira, and Fog Ransomware have historically targeted these systems, making immediate patching and network isolation essential. Telnet D Exposure: Another unauthenticated pre-auth RCE was discovered in Telnet D (Port 23), reinforcing the dangers of leaving legacy remote access services exposed. AI Supercharging Discovery: Anthropic partnered with Mozilla and used AI to find 22 vulnerabilities in Firefox in just two weeks—almost double the normal output in half the time. Part 2: Cybercrime Speed & Vishing Gone in 60 Seconds: Unit 42 research on Shiny Hunters (part of the Scattered Lapses Hunters Alliance) revealed the group moving from initial access to data exfiltration in under 60 seconds. Salesforce Targeting: Attackers are using custom Data Loader apps and routing traffic through Tor nodes and Mullvad VPNs to siphon cloud data. Automated Vishing (P1 Bot): Security researcher Ross Lazerwitz uncovered "P1 Bot", an AI-enabled voice phishing campaign that automates account takeovers using compromised 11 Labs accounts. Part 3: Nation-State Disruptions The Intune Wiper Nightmare: The pro-Iranian hacktivist group Handala successfully compromised Microsoft Intune administrator accounts at Stryker, a multinational medical device company. Attackers used the mobile device management (MDM) platform to remotely wipe thousands of employee devices, including the personal phones of the C-suite. Middle East Espionage: Proofpoint and Checkpoint observed Chinese-linked APTs using spearfishing and PlugX malware to target Middle Eastern governments like Qatar. DPRK's $800M IT Hustle: The US Treasury sanctioned individuals tied to North Korean IT worker operations, revealing they generated a massive $800 million in 2024 alone. APT 28 Open Directory: Researchers found a RoundCube toolkit belonging to the GRU-affiliated APT 28 exposed in an open directory, which was being used to target Ukrainian government entities. Events & Community RSA Conference: March 23 in San Francisco 🔗 to register: https://www.rsaconference.com/usa NCAA March Madness Watch Party:  March 27th in Atlanta 🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026  RISEx New York: June 16 in New York City  🔗 to register: https://www.team-cymru.com/events/rise-new-york-city-2026 Connect with Us Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    27 min
  5. JWT Cracks, South American Telecom Breaches, and the Kinetic-Cyber Nexus in Iran

    10 MAR

    JWT Cracks, South American Telecom Breaches, and the Kinetic-Cyber Nexus in Iran

    This week, the Dragon News Bytes team dives into a critical series of high-impact vulnerabilities and escalating geopolitical tensions. We start with a deep dive into the latest wave of JWT authentication bypasses before moving to the "Famous Sparrow" APT targeting South American telecommunications. The episode concludes with a sobering look at how Iranian cyber operations are morphing into kinetic strikes against regional infrastructure. Topics & References: Part 1: The JWT "Golden Key" Vulnerability The team discusses a series of critical vulnerabilities in JSON Web Tokens (JWT) where public keys intended for encryption are being misused to gain full administrative access. Will Baxter highlights the persistence of these flaws since early 2025, culminating in a CVSS 10.0 "open access" scenario. Part 2: “Famous Sparrow” Operating in South America Will Thomas breaks down a new Cisco Talos report on the likely China-nexus threat actor group "Famous Sparrow". The group is targeting South American ISPs and telcos and is typically viewed as an initial access broker for China-nexus APTs. Part 3: The Kinetic Reality of Iranian Cyber Ops Eli Woodward discusses how Iran is launching purposeful kinetic strikes against AWS data centers in Bahrain and the UAE. This shows Iran is considering commercial facilities as legitimate military targets, with a focus on key infrastructure across the region. Events & Community: NCAA March Madness Watch Party:  March 27th in Atlanta 🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026 RISE Ireland (Dublin): April 14–15 at Stripe Dublin.  🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    19 min
  6. Project Compass, AI-Augmented Pipelines, and the Air-Gap Jumpers

    3 MAR

    Project Compass, AI-Augmented Pipelines, and the Air-Gap Jumpers

    This week, the Dragon News Bytes team dives into a major international crackdown on "The Com," a decentralized cybercrime network. They also break down how AI is being used as a force multiplier for automated exploitation, a series of critical vulnerabilities in edge networking gear, and sophisticated new tactics from North Korean threat actors targeting air-gapped systems. Topics & References:  Part 1: Law Enforcement Strikes Back with Project Compass: Europol led a year-long operation against "The Com" (also known as Scattered Spider or 764), resulting in 30 arrests and the identification of nearly 200 suspects across 28 countries. Victim Safeguarding: Beyond arrests, the operation prioritized safeguarding victims—many of whom are minors—from the group’s brutal tactics of sextortion, harassment, and physical violence. Part 2: The Edge Under Fire and AI-Augmented Pipelines: Amazon’s threat intelligence team recently detailed a Russian-speaking actor using commercial GenAI to automate a mass-exploitation pipeline targeting FortiGate. This targeting comes as multiple edge devices are suffering vulnerabilities:  Cisco Catalyst SD-WAN: A critical zero-day (CVE-2026-20127) was revealed to have been exploited in the wild for over three years, allowing attackers to establish rogue peers and maintain long-term persistence. Juniper PTX Series: A 9.8 CVSS vulnerability in Junos OS Evolved’s anomaly detection framework has emerged, potentially allowing unauthenticated root-level takeover of core ISP routers. Part 3: Advanced Persistent Threats (APTs), Ruby Jumper Campaign: North Korean group APT37 (ScarCruft) has introduced a new toolkit, including the "FootWine" and "ThumbSBD" implants, specifically designed to bridge air-gapped networks via infected USB drives. Dohdoor & UAT-10027: Cisco Talos identified a new campaign targeting U.S. healthcare and education sectors using a novel DNS-over-HTTPS (DoH) backdoor to evade traditional detection. Events & Community: FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring NCAA March Madness Watch Party:  March 27th in Atlanta 🔗 to register: https://go.team-cymru.com/march-madness-atlanta-2026 RISE Ireland (Dublin): April 14–15 at Stripe Dublin.  🔗 to register: https://go.team-cymru.com/rise-ireland RISEx Frankfurt: May 28th - Registrations will open March 6th Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb

    29 min
  7. The Long Game and the Laptop Farm

    25 FEB

    The Long Game and the Laptop Farm

    In this episode of Dragon News Bytes, Will Baxter and Eli Woodward sit down in person to dissect the "long game" of modern cyber espionage. We dive into the Dell RecoverPoint zero-day exploited by China-linked actors and why some threat actors are now sitting silent in networks for over a year before acting. We also go full circle on the DPRK laptop farm saga, discussing the sentencing of a Ukrainian national who facilitated North Korean IT workers infiltrating U.S. businesses. Finally, we cover Interpol’s Operation Red Card 2.0, a massive crackdown on West African scam networks, and why Nigeria’s demographic shift makes it a critical region for defenders to watch over the next decade. Topics & References: Part 1: The One-Year Sleep – Dell Zero-Days & Grim Bolt Dell RecoverPoint Exploitation: Discussion on the recent zero-day (CVE-2025-6201) and its active abuse by China-linked actors. The Grim Bolt / Silk Taker Connection: Analyzing the infrastructure overlap between UN 6201 (Grim Bolt) and UN 5221 (Silk Taker/Brickstorm). Operational Patience: Why threat actors are waiting 12+ months for logs to "age out" before taking action on objectives. Hunter’s Field Note: Is one year of log retention enough? We discuss the shift toward 3-year "cold storage" for modern forensics. Part 2: The Infrastructure of Deception – DPRK & Laptop Farms The Sentencing of Alexander Didenko: The "back half" of the Christina Chapman case, involving a million-dollar scheme to host North Korean remote workers. Webcam Forensics: How a security team used "Impossible Travel" alerts to activate a webcam and catch a laptop farm manager in the act. Identity Theft at Scale: How thousands of fake accounts were created using stolen U.S. identities to bypass employment verification. Part 3: Operation Red Card 2.0 & The Rise of Nigeria Interpol Crackdown: An 8-week operation across 16 African countries resulting in 651 arrests and millions recovered from mobile money fraud. The Demographic Shift: Why Nigeria’s projected population growth (set to surpass the U.S. by 2050) makes Nigeria a pivotal part in the cyber landscape defenders need to start taking notice of now. Individual Impact: A reminder that while BEC hits corporations, these scams devastate individuals and families. Events & Community: FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring RISE Ireland (Dublin): April 14–15 at Stripe Dublin.  🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Disclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    15 min
  8. Edge Warfare, MDM Hijacks, and the Warlock Blitz

    16 FEB

    Edge Warfare, MDM Hijacks, and the Warlock Blitz

    This week on Dragon News Bites, Will Baxter, Eli Woodward, and Will Thomas break down a week of high-velocity threats targeting the "foundational" layers of enterprise connectivity. From the long-term compromise of Singapore’s ISP infrastructure to the critical hijacking of Mobile Device Management (MDM) platforms, the team explores how state actors and financially motivated groups are bypassing the endpoint to live directly on the edge. Part 1: The Telco Breach & The Attribution Maze Singapore ISP Compromise: Four of Singapore's main ISPs suffered a long-term breach by a suspected China-nexus APT. UNC3886 vs. Salt Typhoon: Will Thomas breaks down the tactical nuances between these groups. While Salt Typhoon strategically moves upstream via Cisco switches, UNC3886 utilizes zero-days and rootkits to target FortiGates, Juniper, and VMware. The Global Trend: This follows last week's reporting on Norway being targeted, signaling a coordinated global focus on the telecommunications sector. Part 2: MDM Hijacking — More Dangerous than a SIEM Breach? European Commission Compromised: Attackers utilized a zero-day in Ivanti EPMM (formerly Mobile Iron) to breach the European Commission. The Power of the MDM: The team discusses why an MDM compromise is a "nightmare scenario"—allowing attackers to track physical locations, deploy malicious apps, and snoop on encrypted chats like Signal. The Geopolitical Connection: A clear trend is emerging of edge device exploitation targeting entities not geopolitically aligned with China. Part 3: The Rise of Warlock & Edge Blitzing Who is Warlock? A suspected Chinese-speaking ransomware group (tracked as Storm-2603) that deviates from the typical Russian-speaking model. Targeting SmarterMail: Warlock is weaponizing vulnerabilities in SmarterTools/SmarterMail (an Exchange alternative). Ironically, the vendor itself was hit by its own unpatched system. The MFA Shift: Eli Woodward notes that as MFA makes phishing harder, attackers have pivoted aggressively to edge device exploitation (Log4j, CenterStack, etc.) as the primary method for initial access. Part 4: Payroll Pirates & SaaS Fraud Social Engineering the Help Desk: Threat actors are chaining help desk social engineering with VDI session hijacking to divert direct deposits in HR SaaS platforms. Red Flag Alert: Organizations should immediately investigate any direct deposit change that occurs within two hours of an MFA reset. Events & Community: RISE USA (San Francisco): February 18–19 at Stripe HQ. 🔗 to register: https://go.team-cymru.com/rise-usa-2026 Brews and Briefings (Minneapolis): February 25th session focused on DPRK threat activity. 🔗 to register: https://go.team-cymru.com/brews-briefings-minneapolis FS-ISAC Spring Summit (Orlando): March 1–4 presentations on the latest fintech threats and CLOP ransomware. 🔗 to register: https://www.fsisac.com/events/2026-americas-spring RISE Ireland (Dublin): April 14–15 at Stripe Dublin. Call for Papers (CFP) is currently open. 🔗 to register: https://go.team-cymru.com/rise-ireland Connect with Us: Follow us on LinkedIn: https://www.linkedin.com/company/team-cymru Subscribe to the Dragon News Bytes feed: https://www.team-cymru.com/dnb Topics & ReferencesDisclaimer: The views expressed in this podcast are those of the hosts and do not necessarily reflect the official policy or position of our employers.

    19 min
Ver todo (13)

Acerca de

Delivering weekly insights, research, and threat indicators to help security professionals track emerging threats and intelligence.

Información

  • Creador
    Dragon Bytes
  • Años de actividad
    2 k
  • Episodios
    13
  • Clasificación
    Apto
  • Copyright
    © Dragon Bytes
  • Mostrar sitio web
    Dragon Bytes

También te podría interesar