Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

This week’s briefing covers: Fortinet Warns of Active Exploitation of Known Vulnerabilities Fortinet has identified a post-exploitation technique used by threat actors targeting known, unpatched vulnerabilities in FortiGate devices. The threat actor leveraged a symbolic link trick to maintain read-only access to FortiGate devices, even after the original access vector was remediated.

This week’s briefing covers: North Korean Fake Workers Expand to European Organizations Kroll has previously reported on the growing scale of the DPRK IT worker fraud scheme where the U.S. was a key focus, with some Southeast Asian countries also seeing fraudulent activity. It has since been reported that an increase in active operations in Europe has been observed—a notable expansion since its beginnings in 2024.

March 31, 2025 Cyber Threat Intelligence Briefing.

March 24, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: KTA134 (BLACKBASTA) Chats Suggests Help From Russian Officials Upon review of leaked chat logs, it appears that KTA248 (Oleg Nefedov, GG, Tramp, Kurva) was able to evade trial by eliciting the help of Russian government officials. Supply Chain Attack Leaks Secrets from GitHub A supply chain attack on the popular GitHub Action tj-actions/changed-files caused many repositories to leak their secrets over the weekend.

This week’s briefing covers: KTA080 (CLOP) Update CL0P has recently published files from victim organizations that were last revealed from the E-H listing around February 24, 2025. Some victim organizations were removed from the E-H listing as well as the H-W listing, likely due to negotiations with the threat actor group to refrain from sensitive data to be published. Additional victim companies have also been published outside of the E-H listing.

Infostealers Remain Prominent.

The Evolving Phishing Threat.

March 10, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: BLACK BASTA Affiliates Linked to CACTUS Ransomware Researchers have linked CACTUS ransomware tactics to former affiliates of BLACKBASTA, noting the use of similar tools and techniques. CACTUS employs the BackConnect (BC) module for persistent control over infected systems, allowing for data theft and remote command execution.

This week’s briefing covers: KTA080 (CL0P) Update KTA080 has released the names of the previously redacted victim organizations ranging from E-H. Additionally, KTA080 has identified 183 victims’ organization names broadly covering H-W. KTA374 (Salt Typhoon) Telecoms Targeting Update Cisco Talos has released further information on the targeting of telecoms organizations identified in late 2024. This information includes the high level of living-off-the-land techniques used by the threat actor.

February 24, 2025 Cyber Threat Intelligence Briefing This week’s briefing covers: KTA080 (CL0P) Update CL0P has again updated their data leak site with a new list of redacted victim organizations possibly linked to the Cleo vulnerability. The list contains company names beginning with the letters E-H. This follows the current pattern the group has established with releasing redacted names to then later slowly start releasing the actual entity and published data associated with it if the victim organization has not reached out to CL0P.