🗞️ A must-have for anyone teaching Russian disinformation tactics. A comprehensive yet highly pedagogical and illustrated catalogue of tactics with concrete examples. 👏🏼 Well done @center for countering disinformation with the support of The European Union Advisory Mission Ukraine (#EUAM Ukraine) 🇪🇺

1️⃣ The first part is dedicated to the Mechanisms of destructive information influence:
• Bots 🤖
• Fake accounts 🤳🏻
• Anonymous authority 👁️
• Appeal to authority 🔨
• Deepfakes 👾
• Potemkin villages 🤡
• Duplicating websites or accounts 👨🏻💻
• Framing 🖼️
• Information overload 🌧️
• Agenda-setting 📆
• Demonisation
• Polarisation 🤯
• Confirmation bias 🧠
• Primacy effect 🪢
• Deceptive sources 🎭
• Information alibi 🥸

2️⃣ The second part offers an overview of the Tactics of destructive information influence. Particularly useful to identify the perverse rhetorical tricks at play and counter them with the right arguments:
• Clickbaiting
• Rating
• Information sandwich
• Lost in translation
• Presence effects
• Contextomy
• Gish gallop
• Whataboutism
• Conspiracy theories
• Talking away
• Mundanisation
• Doublespeak
• Sleeper effect
• “Check it if you can”
• False analogy
• Trolling
• False dilemma
• Using jokes or memes
• Stereotyping

3️⃣ The last part describes the various soft power tools weaponized to leverage influence. Soft power tools: Russia’s influence through…
• films 🎦
• e-sports 🎮
• literature 📕
• music 🎶
• sports ⚽️
• churches ⛪️
• cultural centre networks 🤝🏻
• educational programmes and grants 🎓
• historical revisionism 🖊️
• loyal political structures 🏰

👐🏻 Many thanks to the authors for a reference document which deserves to be widely shared.

As someone who studied humanities, I always longed for the ancient “class of rhetorics” which was, until the late 19th century, the penultimate year of secondary education in France before philosophy: students learned the full art of persuasion—finding ideas, structuring them, refining style, memorizing, and delivering speeches—through constant practice and study of classical models. The purpose was to train them in the art of eloquence—to speak and write clearly, elegantly, and persuasively. And to prepare future orators -lawyers, priests, politicians- as well as any educated citizen. Were this classical knowledge more widely shared today, we might be better equipped to resist the tactics outlined in part 2️⃣ as we would more spontaneously recognize the persuasion strategies used against us -even if they come in alluring video forms these days!- and be able to counter them with the tools of logic and structured argument.
Cybersecurity Exploit Techniques
-
Snowflake, CrowdStrike, and Mandiant (part of Google Cloud) just published a statement on our preliminary findings associated with a threat campaign impacting Snowflake customers. Threat actors are actively compromising organizations’ Snowflake customer tenants by using stolen credentials obtained by infostealing malware and logging into databases that are configured with single-factor authentication. Any SaaS solution that is configured without multifactor authentication is susceptible to being mass exploited by threat actors. We anticipate threat actors will replicate this campaign across other SaaS solutions that contain sensitive enterprise data. Here are some of Mandiant’s observations related to infostealers from the past few years:
☣️ Since the beginning of 2020, employees and contractors working from home increasingly use their personal computers to access corporate systems.
☣️ People often synchronize their web browsers on their work computers and personal computers.
☣️ People (or their children) sometimes inadvertently install software laced with infostealing malware on their personal computers. The malware can capture credentials from their web browsers.
☣️ Threat actors opportunistically search for corporate credentials stolen by infostealing malware and use them to compromise enterprises, steal data, and conduct extortion.
-
Intelligence agencies and the FBI, DOJ and CISA have revealed that unit 29155 of Russia’s GRU—a unit responsible for coup attempts, assassinations, and bombings—is now engaged in brazen hacking operations with targets across the world, including in Ukraine and the US. A broad group of Western government agencies from countries including the US, the UK, Ukraine, Australia, Canada, and five European countries on Thursday revealed that a hacker group that has launched multiple hacking operations targeting Ukraine, the US, and other countries in Europe, Asia, and Latin America is in fact part of the GRU's Unit 29155, the division of the spy agency known for its brazen acts of physical sabotage and politically motivated murder. That unit has been tied in the past, for instance, to the attempted poisoning of GRU defector Sergei Skripal with the Novichok nerve agent in the UK, which led to the death of two bystanders, as well as another assassination plot in Bulgaria, the explosion of an arms depot in the Czech Republic, and a failed coup attempt in Montenegro. Now that infamous section of the GRU appears to have developed its own active team of cyber warfare operators. Since 2022, GRU Unit 29155's more recently recruited hackers have taken the lead on cyber operations, including with the data-destroying wiper malware known as Whispergate, which hit at least two dozen Ukrainian organizations on the eve of Russia's February 2022 invasion, as well as the defacement of Ukrainian government websites and the theft and leak of information from them under a fake “hacktivist” persona known as Free Civilian. "Special forces don’t normally set up a cyber unit that mirrors their physical activities,” one official tells WIRED. “This is a heavily physical operating unit, tasked with the more gruesome acts that the GRU is involved. I find it very surprising that this unit that does very hands-on stuff is now doing cyber things from behind a keyboard.” https://lnkd.in/ehvpRzeJ
-
Cyberattacks by AI agents are coming - MIT Technology Review
Agents could make it easier and cheaper for criminals to hack systems at scale. We need to be ready.
Agents are the talk of the AI industry—they’re capable of planning, reasoning, and executing complex tasks like scheduling meetings, ordering groceries, or even taking over your computer to change settings on your behalf. But the same sophisticated abilities that make agents helpful assistants could also make them powerful tools for conducting cyberattacks. They could readily be used to identify vulnerable targets, hijack their systems, and steal valuable data from unsuspecting victims. At present, cybercriminals are not deploying AI agents to hack at scale. But researchers have demonstrated that agents are capable of executing complex attacks (Anthropic, for example, observed its Claude LLM successfully replicating an attack designed to steal sensitive information), and cybersecurity experts warn that we should expect to start seeing these types of attacks spilling over into the real world. “I think ultimately we’re going to live in a world where the majority of cyberattacks are carried out by agents,” says Mark Stockley, a security expert at the cybersecurity company Malwarebytes. “It’s really only a question of how quickly we get there.” While we have a good sense of the kinds of threats AI agents could present to cybersecurity, what’s less clear is how to detect them in the real world. The AI research organization Palisade Research has built a system called LLM Agent Honeypot in the hopes of doing exactly this. It has set up vulnerable servers that masquerade as sites for valuable government and military information to attract and try to catch AI agents attempting to hack in.
While we know that AI’s potential to autonomously conduct cyberattacks is a growing risk and that AI agents are already scanning the internet, one useful next step is to evaluate how good agents are at finding and exploiting these real-world vulnerabilities. Daniel Kang, an assistant professor at the University of Illinois Urbana-Champaign, and his team have built a benchmark to evaluate this; they have found that current AI agents successfully exploited up to 13% of vulnerabilities for which they had no prior knowledge. Providing the agents with a brief description of the vulnerability pushed the success rate up to 25%, demonstrating how AI systems are able to identify and exploit weaknesses even without training. #cybersecurity #AI #agenticAI #cyberattacks #vulnerabilities #honeypots #LLMhoneypots
-
This UK bank spent £5M/year on cyber security. They were convinced that it was bulletproof. So, we sent in a man wearing a £4 high-vis jacket… and he tore it all down. Here's the full story:

A few years ago, I worked with a mid-tier investment bank that wanted to prove their security was 'impenetrable.' They had a big security budget. A large internal team. And they were confident they’d pass with flying colours. So we started with the technical side:
→ Penetration testing (getting access to systems)
→ External perimeter testing
→ Trying every trick in the book
They held strong for many months. Their technical controls were really solid. But good security doesn’t stop at the firewall.

Next came the physical stage. We sent a trained agent through the front door, aiming to get access to their offices. Reception did what they were supposed to do:
→ Check the visitor list
→ Refuse when they weren’t on it
Fair play — their process worked. So we went back a week later and increased the pressure. Our agent walked in during a busy time of day – queues forming, phones ringing, staff everywhere – and wore a high-vis jacket with a fake ID clipped to the front. Using social engineering, he raised the tension and made reception feel that they needed to let him through NOW. It worked. The receptionist waved him through. He
• walked in
• found a loose network cable
• connected it to his own device
• quietly hoovered up internal data until morning
No alarms. No alerts. No one noticed.

TAKEAWAY: The bank's firewall was sound, but their people were the biggest vulnerability. When we’re overwhelmed, we tend to default to the simplest decision: "Just let them through so I can get back to this.” You can have great policies. You can have top-tier tech. You can even test them both. But if you don’t simulate pressure, stress, and uncertainty, you're testing an ideal world and not the real one. Even the most advanced security systems can be undone by human error.
Equip your team to recognise social engineering. It's your first line of defence.
-
🚨 New Phishing Technique Alert
A sneaky new attack method is making waves — exploiting email systems by "atomizing" messages to bypass traditional security checks!
🔍 How It Works:
• Attackers split a single email into multiple fragments ("atoms") before it reaches the inbox.
• Each atom looks harmless alone — no full malicious payload is visible at once.
• When the fragments are reassembled by the email client, the full phishing or malicious email is revealed.
• This bypasses SPF, DKIM, and DMARC protections, making the email appear legitimate.
🎯 Who’s Being Targeted?
• Enterprises relying on email gateways and standard authentication checks.
• Organizations with weak email security policies.
🛡️ How to Stay Safe:
• Apply strict inbound email policies — especially for fragmented emails.
• Monitor email behavior, not just static properties like headers.
• Educate teams about spotting suspicious fragmented communications.
• Strengthen email validation and anomaly detection tools.
⚡ This isn’t just bypassing a filter — it’s a whole new way to weaponize the very structure of email itself.
#CyberSecurity #Phishing #EmailSecurity #ThreatIntel #InfoSec #AtomizedAttack #SPF #DMARC
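One way to apply the "strict inbound policy for fragmented emails" advice, as an added example that is not part of the post above: assuming the fragmentation uses the MIME message/partial mechanism (RFC 2046), a gateway-side triage that holds every fragment until the whole set has arrived, so the reassembled message, not each harmless-looking piece, is what gets scanned. The sample messages are constructed.

```python
# Added example, not from the original post: gateway-side triage of MIME
# message/partial fragments (RFC 2046). Assumption: the "atomized" email the
# post describes is delivered as message/partial pieces that the client
# reassembles. Each piece passes authentication on its own, so the defence is
# to hold pieces until the set is complete and scan the reassembled message.
from collections import defaultdict
from email import message_from_bytes


def inspect_fragment(raw: bytes) -> dict:
    """Read fragment metadata from one inbound message (outer headers only)."""
    msg = message_from_bytes(raw)
    if msg.get_content_type() != "message/partial":
        return {"partial": False}
    total = msg.get_param("total")
    return {
        "partial": True,
        "id": msg.get_param("id"),
        "number": int(msg.get_param("number") or 0),
        "total": int(total) if total is not None else None,
    }


def triage_inbound(raw_messages: list) -> tuple:
    """Split a batch into ordinary mail and fragment sets.

    Returns (deliver_count, status): status maps a fragment-set id to
    'complete' (parts 1..total all seen; reassemble and scan as one message)
    or 'incomplete' (keep holding; never release the parts individually).
    """
    deliver = 0
    seen = defaultdict(set)
    totals = {}
    for raw in raw_messages:
        info = inspect_fragment(raw)
        if not info["partial"]:
            deliver += 1
            continue
        seen[info["id"]].add(info["number"])
        if info["total"] is not None:
            totals[info["id"]] = info["total"]
    status = {}
    for set_id, parts in seen.items():
        total = totals.get(set_id)
        complete = total is not None and parts == set(range(1, total + 1))
        status[set_id] = "complete" if complete else "incomplete"
    return deliver, status


# Constructed samples: one ordinary mail, a complete two-part set, and a
# three-part set of which only the first piece has arrived so far.
HDR = b"From: a@example.test\r\nTo: b@example.test\r\nSubject: invoice\r\n"
SAMPLE_MESSAGES = [
    HDR + b"Content-Type: text/plain\r\n\r\nhello\r\n",
    HDR + b'Content-Type: message/partial; id="set1@example.test"; '
          b"number=1; total=2\r\n\r\nSubject: inner\r\n\r\nfirst half\r\n",
    HDR + b'Content-Type: message/partial; id="set1@example.test"; '
          b"number=2; total=2\r\n\r\nsecond half\r\n",
    HDR + b'Content-Type: message/partial; id="set2@example.test"; '
          b"number=1; total=3\r\n\r\nSubject: inner\r\n\r\nonly part\r\n",
]
```

Sets that stay incomplete past a short holding window are a signal in their own right and can be dropped or quarantined rather than delivered piecemeal.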
-
7\ Cybersecurity: Bigger Impact from AI
Enterprise SaaS is being reshaped because AI executes work. Cybersecurity will be reshaped because AI DECIDES and ATTACKS. In enterprise SaaS, the shift is from human-in-the-loop to agentic execution with a control plane. In cybersecurity, I think the shift will be even more extreme because BOTH SIDES become agentic. IMO when it comes to the cyber stack, it will not be about “AI features in security products”. It will be a complete phase change. Security will move from alerting and investigation to continuous machine reasoning and autonomous response.

Most elements of the security stack today still assume:
Telemetry -> Detection -> Alert -> Human Triage -> Response
Even where automation exists, and blocking is enforced, it's typically still brittle (pre-defined rules and flows), siloed (tool specific) and slow to adapt (humans tune rules and tune underlying ML models).

Frontier LLMs with added tool use enable attackers to operationalize:
Recon Agents: enumerate assets, identities, SaaS sprawl, exposed APIs, misconfigs
Social Engineering Agents: hyper-personalized phishing at scale with org context
Exploit Chain Agents: find, adapt and re-try techniques across environments
Malware Polymorphism: mutate payloads and tactics to evade signatures/heuristics
Cross Border Automation: automate sequences across endpoints and cloud APIs
The important point is not “LLMs write malware”. It's that LLMs+tools turn attacks into closed-loop systems that learn and iterate.

The real challenge with current tool sets is not a gap in needing “more telemetry”. It's semantic correlation, i.e., which events across identity, endpoint, cloud, network belong to the same attack chain. Traditional SIEM correlation is rules + joins + heuristics. This approach will not be able to keep up with the sophistication of AI-driven threat vectors without a new architectural construct.

The future model requires NEW LAYERS that sit above point products and coordinate decisions and actions across them:
Security Data Plane coalescing signals from endpoints, identity/auth, network/edge telemetry, cloud logs, SaaS audit logs and code
Security Reasoning Plane which makes sense of the signals. Basically a reasoning system that can build hypotheses, construct attack graphs, predict blast radius and propose interventions. This is where the LLMs act as stateful planners operating over structured security primitives.
Response Orchestration Plane which is the execution layer and can run bounded actions across the stack. E.g. isolate endpoints, revoke tokens/sessions, rotate keys, change conditional access policies, block at WAF/edge of network, quarantine workloads, roll back deployments, create and assign incident tasks
The winning cybersecurity architecture will not be assistive; it will need to make safe, correct decisions and execute them at machine speed.
Signals -> Reasoning -> Autonomous Response -> Continuous Adaptation
-
As a SOC Analyst, it's tempting to rely on VirusTotal as the ultimate solution for spotting threats, but attackers know how to stay ahead. Here's a real-world example that demonstrates why behavioral detection matters more than static signatures:
When analyzing binaries like Mimikatz, you might spot a string like "mimikatz_doLocal" being flagged as malicious. However, attackers can easily evade this detection by tweaking the source code:
1- Changing strings: replace "mimikatz_doLocal" with "anythingkatz_doLocal".
2- Renaming commands: instead of "sekurlsa::logonpasswords", attackers use "securelsa::loginpasswordz".
3- Renaming prompts and executables: change "mimikatz.exe" to "mimidogz.exe" and alter the application's interface to say "mimidogz."
After recompiling, these small changes can bypass the AV and VirusTotal checks. Even if one part of the binary is flagged (like an error string), attackers will iterate until it’s clean.
What Should SOC Analysts Do?
- Focus on Behaviors: tools like Mimikatz perform specific malicious actions (e.g., dumping LSASS memory). Behavioral detection makes it harder for attackers to evade.
- Use Advanced Tools: rely on EDR/XDR solutions that analyze patterns like process injection, suspicious memory reads, or credential dumping.
- Contextualize Threats: don't stop at VirusTotal scores. Investigate anomalies in logs, traffic patterns, and system behaviors.
- Proactive Threat Hunting: regularly hunt for renamed binaries, odd command usage, and unusual process trees in your environment.
- Train Your Mindset: always ask, "What is this file trying to achieve?" rather than, "What is its VirusTotal score?"
Remember, attackers evolve their tactics to exploit over-reliance on static detections. To truly defend your organization, think like an attacker and hunt for what they do, not just the tools they use.
#SOCAnalyst #ThreatHunting #DetectionTips #CyberSecurity
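To make the "focus on behaviors" point concrete, here is an added example (mine, not from the post above) that hunts Sysmon ProcessAccess events for LSASS memory reads, so a renamed build like "mimidogz.exe" is caught by what it does rather than what it is called. The key=value log format, the allowlist of benign sources and the sample lines are constructed assumptions.

```python
# Added example, not from the original post: a behaviour-based hunt that flags
# any process reading LSASS memory, regardless of the binary's name or strings.
# Input is a constructed, simplified key=value rendering of Sysmon Event ID 10
# (ProcessAccess); real collectors emit XML or JSON with the same field names.
import re

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Assumption: processes that legitimately open LSASS on a typical host. Build
# this from your own baseline; anything else reading LSASS memory is flagged.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> dict:
    """Turn one key=value log line into a dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD.findall(line)}


def lsass_read_reason(event: dict):
    """Return why an event is suspicious, or None if it is not."""
    if event.get("EventID") != "10":
        return None
    if not event.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None  # a handle without VM_READ cannot read credential material
    source = event.get("SourceImage", "")
    if source.lower() in ALLOWED_SOURCES:
        return None
    reason = f"{source} opened LSASS with VM_READ (GrantedAccess={event['GrantedAccess']})"
    if "UNKNOWN" in event.get("CallTrace", ""):
        reason += "; call stack passes through unbacked memory"
    return reason


def hunt(lines) -> list:
    """Run the check over a batch of log lines and return the findings."""
    findings = [lsass_read_reason(parse_event(line)) for line in lines]
    return [reason for reason in findings if reason]


# Constructed sample events: a normal csrss.exe handle, a renamed credential
# dumper, an unrelated process access, and a Defender scan of LSASS.
SAMPLE_EVENTS = [
    'EventID=10 SourceImage="C:\\Windows\\System32\\csrss.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1FFFFF',
    'EventID=10 SourceImage="C:\\Users\\bob\\Downloads\\mimidogz.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1010 '
    'CallTrace="C:\\Windows\\SYSTEM32\\ntdll.dll+9d1e4|UNKNOWN(00007FF6A1B21234)"',
    'EventID=10 SourceImage="C:\\Windows\\System32\\svchost.exe" '
    'TargetImage="C:\\Windows\\System32\\spoolsv.exe" GrantedAccess=0x1010',
    'EventID=10 SourceImage="C:\\Program Files\\Windows Defender\\MsMpEng.exe" '
    'TargetImage="C:\\Windows\\System32\\lsass.exe" GrantedAccess=0x1410',
]
```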
-
New research published today from Palo Alto Networks Unit 42 dives deep into North Korean threat activity, providing new evidence and insight into the ongoing efforts by North Korean threat actors against US businesses and individuals. We found two unique campaigns with the goal of espionage, cryptocurrency theft and simply earning cash:
- North Korean actors are seeking employment with US-based orgs, representing an opportunity to embed insiders in targeted companies. We discovered a stockpile of data including resumes with identities impersonating individuals from various nations, job interview Q&As and scripts, downloaded job postings from US companies, and a scanned fake ID.
- North Korean threat actors are manipulating job seekers to install malware. They pose as employers, post fictitious jobs, set up interviews with software developers and deliver malware during the interview process. According to our research, this campaign is still active.
If these efforts by North Korean threat actors are successful, there is a critical impact on both job seekers (who may be using devices from their current employers throughout the interview process) and the organizations they’re applying to. Now more than ever, it’s critical organizations proactively prioritize cybersecurity in the face of sophisticated campaigns like this.
Check out the full research and insights from Unit 42 here: https://lnkd.in/gtwWZHSs
Link in comments to Reuters coverage of this important research by Michael Sikorski & the Unit 42 Threat Intelligence team.
-
Oracle just issued a Security Alert for CVE-2025-61882, a remote code execution vulnerability (CVSS 9.8 – Critical) affecting Oracle E-Business Suite versions 12.2.3 through 12.2.14. Published October 4, 2025, it allows unauthenticated attackers to execute code remotely over HTTP without user interaction. In plain terms: if your EBS environment is reachable on the network, and especially if it’s internet facing, it’s at risk for full compromise. Oracle has released indicators of compromise (IOCs). This is a “stop-what-you’re-doing and patch immediately” vulnerability. The bad guys are likely already exploiting it in the wild, and the race is on before others identify and target vulnerable systems.
What to do right now:
1. Apply Oracle’s patch (available below).
2. Confirm you’ve applied the October 2023 Critical Patch Update first — it’s a prerequisite.
3. Isolate or firewall EBS servers so BI Publisher/Concurrent Processing components aren’t network-exposed.
4. Review Oracle’s published IOCs and hunt.
5. Monitor your threat intel feeds — exploit activity could escalate quickly.
Oracle EBS remains a backbone ERP system for major enterprises and public-sector environments, which means attackers have every incentive to weaponize this one fast. If you suspect compromise, please connect with us.
https://lnkd.in/extFev3a
Federal Bureau of Investigation (FBI) FBI Cyber Division #FBICyber