Author: Curated

The Attack Cycle is Accelerating: Announcing the Rapid7 2026 Global Threat Landscape Report

Source: Rapid7 Cybersecurity Blog

Author: Rapid7 Labs

URL: https://www.rapid7.com/blog/post/tr-accelerating-attack-cycle-2026-global-threat-landscape-report/

ONE SENTENCE SUMMARY:

Rapid7’s 2026 report shows attacker speed collapsing remediation windows, industrialized cybercrime, identity-first intrusions, and AI-accelerated exploitation requiring proactive controls.

MAIN POINTS:

  1. Confirmed exploitation of new CVSS 7–10 vulnerabilities rose 105% year over year.
  2. Median time to CISA KEV inclusion dropped from 8.5 days to 5.0.
  3. Previously “safe” triage buffers shrank as severe flaws were exploited near-immediately.
  4. Reactive vulnerability management cycles increasingly fail against machine-speed adversaries.
  5. Underground operations mirror SaaS supply chains via brokers, operators, and subscription infostealers.
  6. Ransomware appeared in 42% of MDR investigations; leak posts grew 46.4%.
  7. Active ransomware groups expanded from 102 to 140, reflecting ecosystem maturity.
  8. Valid non-MFA accounts drove 43.9% of incidents, favoring “log in” over break in.
  9. Exploitation clustered around reliable weaknesses like deserialization, auth bypass, and memory corruption.
  10. AI boosted phishing, recon, and malware iteration while also expanding attack surface in AI systems.

TAKEAWAYS:

  1. Prioritize exposure reduction and preemptive remediation over scheduled patch cycles.
  2. Enforce MFA universally and harden session, token, and identity control-plane protections.
  3. Treat cybercrime specialization as a scalable market that rapidly monetizes access.
  4. Focus defenses on repeatable, pre-auth vectors rather than chasing sheer CVE volume.
  5. Implement AI governance and AI-enabled security workflows to match attacker velocity.

How to Lead Effective Tabletops

Source: Blog – Black Hills Information Security, Inc.

Author: BHIS

URL: https://www.blackhillsinfosec.com/how-to-lead-effective-cybersecurity-tabletops/

ONE SENTENCE SUMMARY:

Gamified tabletop incident-response exercises improve engagement, reveal plan gaps, and build better decisions through believable scenarios, roles, randomness, and flexibility.

MAIN POINTS:

  1. Traditional tabletop exercises often feel monotonous and disengaging for participants.
  2. Gamification transforms preparedness drills into collaborative, strategy-driven challenges.
  3. Enjoyable exercises can enhance learning effectiveness and retention.
  4. Clear audience identification shapes scenario complexity and facilitation style.
  5. Defined objectives separate technical IR training from leadership awareness outcomes.
  6. Assumptions should be challenged, including overconfidence in controls like EDR and WAFs.
  7. Fictional companies reduce ego, defensiveness, and attachment to real-world outcomes.
  8. Role-playing exaggerated characters expands perspectives across business and technical functions.
  9. Realism can be grounded using MITRE ATT&CK and threat intelligence inspirations.
  10. Dice-based randomization models investigative uncertainty and role-specific strengths or weaknesses.

TAKEAWAYS:

  1. Make tabletop exercises fun to increase participation and improve security readiness.
  2. Tailor scenarios to the participant mix and the exercise’s intended learning goals.
  3. Use believable fiction plus realistic threat references to balance safety and authenticity.
  4. Stay adaptable because participants will drive scenarios in unexpected directions.
  5. Incorporate structured gamified tools like HackBack Gaming or Backdoors & Breaches.

How CISOs Can Secure the “Sausage Factory” of Agentic AI

Source: CISO Tradecraft® Newsletter

Author: CISO Tradecraft

URL: https://cisotradecraft.substack.com/p/how-cisos-can-secure-the-sausage

ONE SENTENCE SUMMARY:

Vibe coding shifts software creation to natural language prompts, forcing CISOs to secure AI-driven development environments through visibility, identities, and controls.

MAIN POINTS:

  1. English prompts increasingly replace traditional programming languages via agentic AI coding tools.
  2. Rapid AI code generation overwhelms traditional AppSec “scan-before-production” security gates.
  3. Security focus must move from output code to the development “sausage factory.”
  4. Developer environments become major attack surfaces when AI agents enter enterprise workflows.
  5. MCP interfaces can expose real-world systems through overly permissive agent integrations.
  6. On-demand “skills” let agents instantly gain powerful capabilities, including dangerous data access.
  7. Poisoned AI rules can exfiltrate secrets or introduce vulnerabilities inside IDE-driven workflows.
  8. Shadow AI usage bypasses governance through personal accounts and unvetted external models.
  9. Autonomous agents can fail unpredictably, creating “9-year-old with car keys” operational risk.
  10. CISOs should enable innovation while becoming the “Department of Visibility,” not “No.”

TAKEAWAYS:

  1. Build a centralized inventory dashboard for all AI tools, models, and agents in use.
  2. Assign agent identities with least privilege plus formal onboarding and offboarding procedures.
  3. Deploy local workstation proxies to inspect, sanitize, and block risky prompt/traffic flows.
  4. Vet MCPs and downloadable skills like third-party dependencies before allowing enterprise access.
  5. Redefine AppSec toward orchestrating agent intent, posture, and controls over manual code review.

New Microsoft Purview innovations for Fabric to safely accelerate your AI transformation

Source: Microsoft Security Blog

Author: Darren Portillo

URL: https://techcommunity.microsoft.com/blog/microsoft-security-blog/new-microsoft-purview-innovations-for-fabric-to-safely-accelerate-your-ai-transf/4502156

ONE SENTENCE SUMMARY:

Microsoft Purview adds Fabric-focused DLP, IRM, DSPM, and Unified Catalog enhancements to reduce AI oversharing and improve data governance.

MAIN POINTS:

  1. AI adoption increases need for data security and governance as foundational capabilities.
  2. Skepticism persists due to sensitive data oversharing and poor data quality concerns.
  3. 86% of organizations lack visibility into AI data flows and employee sharing.
  4. 67% of executives are uncomfortable using data for AI because of quality issues.
  5. Purview unifies security and governance across M365, Fabric, and Azure estates.
  6. New Fabric security updates emphasize Information Protection, DLP, IRM, and DSPM.
  7. GA DLP policy tips help prevent sensitive-data oversharing into Fabric Warehouses.
  8. Preview DLP access restrictions limit sensitive KQL/SQL DB and Warehouse assets.
  9. GA IRM adds Fabric lakehouse risk indicators, data theft policies, and usage reporting.
  10. Unified Catalog adds publication workflows and data quality for ungoverned Fabric assets.

TAKEAWAYS:

  1. Reducing oversharing requires both detection and enforcement directly within Fabric workloads.
  2. Insider-risk signals are expanding beyond Power BI to cover lakehouse activities and exfiltration.
  3. Governing Copilots and agents needs risk discovery, audits, investigations, and remediation actions.
  4. Catalog workflows improve controlled publishing of data products and glossary terms enterprise-wide.
  5. Scalable data quality checks on ungoverned assets help make AI inputs more trustworthy.

Betterleaks, a new open-source secrets scanner to replace Gitleaks

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/betterleaks-a-new-open-source-secrets-scanner-to-replace-gitleaks/

ONE SENTENCE SUMMARY:

Betterleaks, an MIT-licensed successor to Gitleaks, speeds secret detection with validation, tokenization, and AI-friendly workflows for developers.

MAIN POINTS:

  1. Betterleaks scans directories, files, and Git repositories for valid exposed secrets.
  2. Secret scanners detect accidentally committed credentials, API keys, private keys, and tokens.
  3. Attackers routinely mine public repositories’ configuration files to steal sensitive access data.
  4. Project positions itself as a more advanced successor to the widely used Gitleaks.
  5. Zach Rice created Betterleaks after losing full control over the original Gitleaks project.
  6. Validation rules use CEL (Common Expression Language) to confirm findings more accurately.
  7. BPE tokenization improves recall to 98.6%, versus 70.4% for entropy, on CredData.
  8. Pure Go design eliminates CGO and Hyperscan dependencies for simpler builds.
  9. Scanner automatically detects doubly or triply encoded secrets and expands provider coverage.
  10. Roadmap includes LLM-assisted classification, revocation APIs, more sources, and performance tuning.

TAKEAWAYS:

  1. Choosing validation-backed scanners reduces false positives compared with pattern-only secret detection.
  2. Tokenization-based approaches can significantly outperform entropy heuristics for secret discovery.
  3. Dependency-light Go tooling eases adoption in CI/CD pipelines and diverse environments.
  4. Faster parallel Git scanning makes large-repository auditing more practical and frequent.
  5. Upcoming AI-agent features suggest secret scanning will increasingly target AI-generated code workflows.

Hybrid resilience: Designing incident response across on-prem, cloud and SaaS without losing your mind

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4144310/hybrid-resilience-designing-incident-response-across-on-prem-cloud-and-saas-without-losing-your-mind.html

ONE SENTENCE SUMMARY:

Hybrid incident response succeeds by enforcing shared language, portable telemetry, and engineered escalations that bridge on-prem, cloud, and SaaS seams.

MAIN POINTS:

  1. Standardizing tools is slower than adopting a shared incident language contract.
  2. Severity must reflect customer impact rather than paging paths or team boundaries.
  3. Maintaining a single evolving hypothesis prevents fragmented, competing root-cause narratives.
  4. Capturing one decision-focused timeline enables alignment across domains and late joiners.
  5. Eliminating parallel war rooms requires one channel, one incident commander, and domain leads.
  6. Lightweight roles improve execution: commander, operations, communications, plus domain leads.
  7. Four-line updates balance uncertainty with clarity: facts, suspicions, next actions, next time.
  8. Minimum viable telemetry starts with end-to-end user journey metrics as shared truth.
  9. Cross-domain correlation relies on propagated identifiers and strict time synchronization discipline.
  10. Escalation engineering uses time-to-human targets, provider cards, and rollback/failover decision matrices.

TAKEAWAYS:

  1. Treat seams between ownership models as the primary failure point in hybrid incidents.
  2. Use user journey signals to adjudicate “healthy” components and expose end-to-end failures.
  3. Make correlation portable with IDs and accurate timestamps to accelerate triage.
  4. Prebuild escalation paths so vendor and on-prem constraints don’t become the critical path.
  5. Implement month-one sequencing: contract, journeys, correlation/time, escalation cards, decision matrix.

Attackers Don’t Just Send Phishing Emails. They Weaponize Your SOC’s Workload

Source: The Hacker News

Author: The Hacker News

URL: https://thehackernews.com/2026/03/attackers-dont-just-send-phishing.html

ONE SENTENCE SUMMARY:

Attackers weaponize phishing volume to exhaust SOC analysts, so decision-ready, transparent agentic AI triage maintains speed and quality under load.

MAIN POINTS:

  1. Phishing defense overemphasizes prevention, neglecting post-report investigation bottlenecks attackers exploit.
  2. Alert fatigue turns SOC attention into an attack surface during volume spikes.
  3. High-volume commodity phish can hide targeted spear-phish inside investigation queues.
  4. Informational Denial-of-Service floods degrade triage depth and decision quality predictably.
  5. Under workload pressure, analysts anchor on superficial indicators and miss novel IOCs.
  6. Cost asymmetry favors attackers: near-zero email generation versus expensive analyst time.
  7. More awareness training increases reports, unintentionally increasing SOC queue pressure.
  8. Core constraint is decision speed, not lack of indicators or additional alert sources.
  9. Rule-based automation creates predictable blind spots and suffers from low trust.
  10. Agentic AI using explainable, multi-signal analysis can resolve reports in under five minutes.

TAKEAWAYS:

  1. Treat phishing floods as SOC denial-of-service attempts, not isolated email threats.
  2. Prioritize consistent investigation quality under load to prevent queue-based exploitation.
  3. Build “decision-ready” outputs with reasoning, enabling review instead of manual assembly.
  4. Favor transparent, auditable automation to earn trust and avoid rework.
  5. Measure resilience with decision latency, escalation accuracy, and transparency—not just ticket throughput.

Attackers Don’t Just Send Phishing Emails. They Weaponize Your SOC’s Workload

Source: The Hacker News

Author: The Hacker News

URL: https://thehackernews.com/2026/03/attackers-dont-just-send-phishing.html

ONE SENTENCE SUMMARY:

Attackers weaponize phishing volume to exhaust SOC analysts, hiding spear-phish; decision-ready, transparent AI triage preserves speed and quality under load.

MAIN POINTS:

  1. Phishing defense often neglects post-report investigation workflows where attackers exploit analyst overload.
  2. Alert fatigue becomes an attack surface when queues stretch investigations from minutes to hours.
  3. High-volume “commodity” phishing can function as informational denial-of-service against SOC attention.
  4. Carefully crafted spear-phish hides inside the noise, targeting privileged users and critical systems.
  5. Under surge conditions, triage shortcuts increase missed novel indicators and reduce investigation depth.
  6. Economic asymmetry favors adversaries: near-zero decoy cost versus costly analyst time per report.
  7. Awareness programs can unintentionally increase report volume, amplifying queue pressure vulnerabilities.
  8. Adding more tools and alerts worsens overload without improving decision-making speed and precision.
  9. Rule-based automation creates predictable blind spots and often lacks explainability, reducing trust.
  10. Agentic AI can produce auditable, multi-signal investigations that shift analysts to review roles.

TAKEAWAYS:

  1. Treat phishing resilience as maintaining consistent investigation quality during volume spikes.
  2. Prioritize decision latency reduction; minutes versus hours directly changes breach likelihood.
  3. Demand transparent reasoning from automation to build calibrated trust and prevent rework.
  4. Use specialized agents (auth, content, telemetry) to synthesize decision-ready verdicts at scale.
  5. Track resilience metrics like escalation accuracy under load, not just tickets closed per analyst.

Detecting and analyzing prompt abuse in AI tools

Source: Microsoft Security Blog

Author: Microsoft Incident Response

URL: https://www.microsoft.com/en-us/security/blog/2026/03/12/detecting-analyzing-prompt-abuse-in-ai-tools/

ONE SENTENCE SUMMARY:

This post explains detecting, investigating, and responding to AI prompt abuse using Microsoft tools, focusing on indirect injections via hidden URL fragments.

MAIN POINTS:

  1. Transition from AI threat-modeling to operational detection and incident response practices.
  2. Prompt injection ranks among top OWASP 2025 LLM application vulnerabilities.
  3. Prompt abuse manipulates natural-language inputs to bypass rules or expose sensitive data.
  4. Detection difficulty stems from subtle phrasing changes and limited visible indicators.
  5. Missing logging and telemetry can hide attempts to access or summarize sensitive information.
  6. Direct prompt override coerces models to ignore system prompts and safety policies.
  7. Extractive prompt abuse aims to reveal confidential data beyond allowed summarization boundaries.
  8. Indirect prompt injection hides instructions in documents, emails, webpages, or chats.
  9. Scenario shows URL fragments after “#” enabling HashJack-style hidden-instruction injections.
  10. Playbook maps visibility, monitoring, access controls, investigation, and continuous oversight to Microsoft defenses.

TAKEAWAYS:

  1. Apply threat-model outputs by instrumenting prompts, context inputs, and AI interactions for monitoring.
  2. Treat unsanctioned AI tools as key risk multipliers requiring discovery and governance enforcement.
  3. Sanitize inputs like URL fragments and metadata to reduce indirect injection opportunities.
  4. Combine DLP, conditional access, and tool control to limit sensitive-data exposure pathways.
  5. Correlate AI events in SIEM and audit logs to investigate biased outputs and contain incidents quickly.

US disrupts SocksEscort proxy network powered by Linux malware

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/us-disrupts-socksescort-proxy-network-powered-by-linux-malware/

ONE SENTENCE SUMMARY:

International law enforcement and Lumen dismantled SocksEscort, a decade-old proxy botnet abusing AVRecon-infected Linux routers, seizing domains, servers, and crypto.

MAIN POINTS:

  1. Black Lotus Labs reported ~20,000 infected edge devices active weekly for years.
  2. First publicly documented in 2023, the service operated for over a decade selling proxy routing.
  3. Advertisements promised “clean” ISP IPs able to evade common blocklists.
  4. DOJ stated access was sold to roughly 369,000 distinct IP addresses since summer 2020.
  5. By February 2026, customers could choose from ~8,000 infected routers, 2,500 in the U.S.
  6. Investigators linked the proxy service to cryptocurrency theft and multiple large fraud losses.
  7. Europol-coordinated actions seized 34 domains and 23 servers across seven countries.
  8. U.S. authorities froze $3.5 million in cryptocurrency tied to the operation.
  9. AVRecon, active since at least May 2021, infected over 70,000 Linux SOHO routers.
  10. After Lumen’s 2023 C2 null-routing, operators resumed using about 15 C2 nodes.

TAKEAWAYS:

  1. Edge routers remain high-value infrastructure for criminal proxy services and anonymity.
  2. One-time C2 disruption can be temporary without persistent takedowns and ecosystem coordination.
  3. Proxy networks monetizing “residential” IPs materially enable fraud and crypto theft.
  4. Replace end-of-life routers and apply firmware updates to reduce AVRecon-style compromise.
  5. Harden administration by changing defaults and disabling unnecessary remote management interfaces.

Cyber Retaliation: Analyzing Iranian Cyber Activity Following Operation Epic Fury

Source: Tenable Blog

Author: Research Special Operations

URL: https://www.tenable.com/blog/cyber-retaliation-analyzing-iranian-cyber-activity-following-operation-epic-fury

ONE SENTENCE SUMMARY:

Post–Operation Epic Fury, Iranian MOIS-linked actors escalated from espionage to disruptive hybrid retaliation, abusing criminal infrastructure and exploiting IP-camera vulnerabilities.

MAIN POINTS:

  1. Retaliatory cyber activity surged alongside continued kinetic strikes against Iranian leadership and infrastructure.
  2. Campaigns shifted toward coordinated disruptive and destructive operations against Western and regional targets.
  3. MOIS-affiliated groups MuddyWater and Handala showed notably increased malicious activity.
  4. MuddyWater pre-positioned access weeks earlier, targeting U.S. and Israeli organizations.
  5. Newly identified backdoors Dindoor and Fakeset were linked to MuddyWater intrusions.
  6. Operation Olalampo targeted MENA entities and used Telegram bot command-and-control.
  7. Handala collaborates with initial-access brokers, then deploys custom wipers after exfiltration.
  8. Handala claimed a destructive attack on Stryker, including Intune-related mobile device wiping.
  9. MOIS-linked actors increasingly use ransomware/criminal infrastructure (e.g., Qilin) to obscure attribution.
  10. Iranian-nexus operators boosted Hikvision/Dahua IP camera exploitation using multiple known CVEs.

TAKEAWAYS:

  1. Expect hybrid retaliation blending cyber disruption with geopolitical and physical-warfare objectives.
  2. Prioritize detection of pre-positioning behavior and handoffs between access brokers and wiper operators.
  3. Treat cybercriminal tooling and infrastructure reuse as an intentional MOIS deniability strategy.
  4. Patch and monitor internet-connected cameras and management platforms, especially Hikvision/Dahua.
  5. Increase preparedness across aviation, finance, healthcare, telecom, and critical infrastructure sectors.

Your SQL Server Is Handing Attackers a Map — By Default

Source: CQURE Academy

Author: Daniel

URL: https://cqureacademy.com/blog/your-sql-server-is-handing-attackers-a-map-by-default/

ONE SENTENCE SUMMARY:

SQL Server grants public VIEW ANY DATABASE by default, enabling enumeration and exposing misconfigurations like guest access and TRUSTWORTHY escalation.

MAIN POINTS:

  1. Newly created logins can list all databases without any explicit permissions.
  2. Default visibility occurs because public is granted server permission VIEW ANY DATABASE.
  3. Enumerating database names reveals sensitive business context before any data access.
  4. Attackers can probe for databases with guest CONNECT accidentally enabled.
  5. Guest CONNECT enabled in a database gives every server login access to that database.
  6. Scripted checks can identify databases where guest is effectively active.
  7. REVOKE CONNECT FROM guest is recommended outside master, tempdb, and msdb.
  8. Filtering for is_trustworthy_on highlights potential privilege escalation targets.
  9. TRUSTWORTHY ON plus sa ownership enables db_owner to reach sysadmin via EXECUTE AS OWNER.
  10. Revoking VIEW ANY DATABASE has manageable operational impacts on tools and SSMS visibility.

TAKEAWAYS:

  1. Remove public’s database enumeration power, then explicitly grant it to needed accounts only.
  2. Audit every database for accidental guest CONNECT grants and disable where unnecessary.
  3. Treat db_owner requests as high risk, granting least privilege instead.
  4. Identify and remediate TRUSTWORTHY ON databases, especially those owned by sysadmin accounts.
  5. Accept msdb’s TRUSTWORTHY requirement but harden by restricting code, permissions, and monitoring DDL.

Overly permissive ‘guest’ settings put Salesforce customers at risk

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4143667/overly-permissive-guest-settings-put-salesforce-customers-at-risk.html

ONE SENTENCE SUMMARY:

Salesforce warns ShinyHunters is mass-scanning misconfigured Experience Cloud guest access to steal exposed CRM data for extortion.

MAIN POINTS:

  1. Salesforce urged customers to review Experience Cloud “guest” configurations after active data-theft reports.
  2. ShinyHunters claims breaches across hundreds of organizations, including 400 websites and 100 high-profile companies.
  3. Campaign targets misconfigured public portals, not underlying Salesforce platform vulnerabilities.
  4. Salesforce CSOC observed a known threat actor scanning public Experience Cloud sites at scale.
  5. Attackers leverage a modified Aura Inspector tool to probe and extract accessible data.
  6. Exploitation focuses on the “/s/sfsites/aura” API endpoint exposed by Experience Cloud sites.
  7. Overly permissive guest profiles can allow direct querying of backend CRM objects without credentials.
  8. Advisory highlights three risky conditions enabling unauthorized data access through guest profiles.
  9. Salesforce environments attract attackers due to sensitive data and complex layered permission models.
  10. Recommended mitigations include auditing guest permissions, limiting APIs, restricting object visibility, and least privilege.

TAKEAWAYS:

  1. Misconfiguration, especially guest access, can expose significant Salesforce data without any exploit.
  2. Automated scanning tools make public Experience Cloud portals high-risk if permissions are lax.
  3. Three controls matter most: guest permissions, private external defaults, and disabling public APIs.
  4. Complex Salesforce access models and integrations increase accidental exposure and blast radius.
  5. Hardening requires continuous auditing and strict least-privilege enforcement across portals and APIs.

12 ways attackers abuse cloud services to hack your enterprise

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4142001/12-ways-attackers-abuse-cloud-services-to-hack-your-enterprise.html

ONE SENTENCE SUMMARY:

Attackers increasingly “live off the cloud,” abusing trusted SaaS, APIs, and identity systems to hide C2, exfiltrate data, and persist.

MAIN POINTS:

  1. High-reputation services like AWS and OpenAI increasingly carry command-and-control traffic.
  2. Cloud migration shifts attacker tradecraft from endpoint binaries to cloud-native APIs.
  3. Valid credentials or tokens enable stealthy enumeration, privilege escalation, and persistence via administrative calls.
  4. Domain reputation and static blocklists fail when abuse occurs inside trusted providers.
  5. Google Sheets has been weaponized as a C2 datastore using Service Account tokens.
  6. OpenAI Assistants API has been used to disguise malware communications as normal AI development.
  7. Microsoft Graph API enables reading commands and writing outputs in SharePoint/OneDrive-like folders.
  8. Object storage buckets host staged payloads and configs on-demand to reduce endpoint footprint.
  9. Slack and Discord webhooks can exfiltrate secrets through routine HTTPS POST requests.
  10. Cloud-native kill chains combine IMDS credential theft, cloud compute, and provider-impersonating domains end-to-end.

TAKEAWAYS:

  1. Monitoring must focus on abnormal cloud API behavior, not just endpoint indicators.
  2. Identity security is central; credential and token theft unlock cloud-wide attacker actions.
  3. Trusted collaboration and AI platforms can function as covert C2 and exfiltration channels.
  4. Ephemeral serverless and tunneling services complicate IP blocking and perimeter-based controls.
  5. Cloud management-plane attacks (snapshots, tenant trusts, vaults) bypass traditional network defenses.

Microsoft patches 80+ vulnerabilities, six flagged as “more likely” to be exploited

Source: Help Net Security

Author: Zeljka Zorz

URL: https://www.helpnetsecurity.com/2026/03/11/march-2026-patch-tuesday/

ONE SENTENCE SUMMARY:

Microsoft’s March 2026 Patch Tuesday fixed 80+ flaws, emphasizing privilege-escalation, Office/Print RCE, Excel Copilot XSS, and Authenticator MITM risks.

MAIN POINTS:

  1. March 2026 updates addressed 80+ vulnerabilities across Microsoft software and cloud services.
  2. Two publicly disclosed issues included SQL Server SQLAdmin escalation and .NET denial-of-service.
  3. Microsoft rated the disclosed SQL Server bug as less likely, and the .NET DoS as unlikely, to be exploited.
  4. Six “more likely” vulnerabilities were all local privilege-escalation paths to SYSTEM/admin.
  5. Windows Kernel use-after-free bugs (CVE-2026-24289, CVE-2026-26132) enabled elevation attacks.
  6. Windows Graphics race condition (CVE-2026-23668) highlighted need for patch variant investigations.
  7. SMB Server improper authentication (CVE-2026-24294) could facilitate privilege elevation.
  8. Winlogon link-resolution flaw (CVE-2026-25187) enabled escalation via file-access misresolution.
  9. ATBroker accessibility component (CVE-2026-24291) offered reliable limited-user to SYSTEM transition.
  10. Rapid patching recommended for Print Spooler RCE, Excel Copilot XSS, and Office Preview Pane RCEs.

TAKEAWAYS:

  1. Prioritize SYSTEM-level elevation fixes, especially ATBroker, due to broad Windows prevalence.
  2. Treat Office Preview Pane RCEs as high-risk given repeated patch history and likely future exploitation.
  3. Patch Print Spooler quickly because authenticated RCE remains a frequent enterprise attack vector.
  4. Evaluate Copilot/agent-assisted data exfiltration exposure from Excel XSS and tighten data controls.
  5. Enforce MFA app selection via MDM to reduce rogue-app deep-link MITM risk in Microsoft Authenticator.

New ‘BlackSanta’ EDR killer spotted targeting HR departments

Source: BleepingComputer

Author: Bill Toulas

URL: https://www.bleepingcomputer.com/news/security/new-blacksanta-edr-killer-spotted-targeting-hr-departments/

ONE SENTENCE SUMMARY:

A Russian-speaking actor spear-phished HR with ISO “resumes,” deploying stealthy loaders and BlackSanta to disable EDR using BYOD drivers.

MAIN POINTS:

  1. Russian-speaking threat actor targeted HR departments for over a year with malware.
  2. Initial access likely used spear-phishing emails directing victims to cloud-hosted ISO files.
  3. Malicious ISOs impersonated resumes and were hosted on services like Dropbox.
  4. ISO contained LNK masquerading as PDF, PowerShell script, image, and ICO file.
  5. LNK executed PowerShell to extract steganographic payload from image into memory.
  6. ZIP download included legitimate SumatraPDF plus malicious DWrite.dll for DLL sideloading.
  7. Malware fingerprinted hosts, contacted C2, and evaded sandboxes, VMs, and debuggers.
  8. Windows Defender was weakened, disk-write tests performed, and payloads ran via process hollowing.
  9. BlackSanta EDR killer reduced alerts, altered Defender exclusions, and lowered telemetry/submission settings.
  10. BYOD drivers RogueKiller and IObitUnlocker enabled kernel-level unlocking and termination of security processes.

TAKEAWAYS:

  1. HR-focused lures exploiting resume workflows remain highly effective for initial compromise.
  2. ISO/LNK plus PowerShell and steganography form a stealthy, memory-resident infection chain.
  3. DLL sideloading with trusted executables helps attackers blend malicious code into legitimate processes.
  4. EDR killers increasingly rely on kernel-level BYOD techniques to reliably disable defenses.
  5. Strong opsec and resilient infrastructure can keep campaigns undetected even when C2 is intermittently unavailable.

Microsoft to enable Windows hotpatch security updates by default

Source: BleepingComputer

Author: Sergiu Gatlan

URL: https://www.bleepingcomputer.com/news/microsoft/microsoft-to-enable-hotpatch-security-updates-by-default-in-may/

ONE SENTENCE SUMMARY:

Microsoft will enable Windows hotpatch updates by default via Autopatch from May 2026, accelerating Intune-managed device compliance while allowing opt-out controls.

MAIN POINTS:

  1. Hotpatch security updates become default for eligible Intune and Microsoft Graph-managed devices in May 2026.
  2. Delivery will occur through Windows Autopatch for Windows and Microsoft 365 enterprise update management.
  3. Prior restart grace periods of 3–5 days left organizations exposed before forced compliance.
  4. Microsoft expects the time to reach 90% patch compliance to be reduced by roughly half.
  5. Default hotpatching affects all eligible devices, with additional IT controls arriving in April 2026.
  6. Tenant-level settings can disable hotpatching or selectively enable it per-device.
  7. Admins can verify readiness using Intune’s Hotpatch quality updates report.
  8. April 2026 acts as the baseline update required for May hotpatch eligibility.
  9. Opt-out controls go live April 1, 2026 within Intune Tenant administration settings.
  10. Administrators have until May 11, 2026 before hotpatch updates begin deploying.

TAKEAWAYS:

  1. Faster patching reduces exposure windows created by delayed user restarts.
  2. Testing readiness in April is critical to avoid unexpected May rollout issues.
  3. Centralized tenant toggles provide governance while still supporting targeted exceptions.
  4. Autopatch’s scale and maturity suggest operational viability for large enterprise fleets.
  5. Planning should include change management for restart-less updates and updated compliance reporting.

Are We Ready for Auto Remediation With Agentic AI?

Source: Dark Reading

Author: Melinda Marks

URL: https://www.darkreading.com/application-security/auto-remediation-agentic-ai

ONE SENTENCE SUMMARY:

Agentic AI enables automated risk remediation, requiring security teams to build readiness across governance, data, processes, tooling, and skills.

MAIN POINTS:

  1. Rapid AI innovation is accelerating automated risk identification and remediation capabilities.
  2. Agentic AI can autonomously take actions to reduce threats and exposures.
  3. Security teams must assess organizational readiness before deploying agentic AI.
  4. Threat management and exposure management are key areas for AI-driven automation.
  5. Effective remediation depends on high-quality, accessible security data sources.
  6. Clear governance is required to control AI actions and prevent unintended impact.
  7. Operational processes should define approval paths, escalation, and rollback procedures.
  8. Tooling integration across security platforms is necessary for end-to-end automation.
  9. Human oversight remains essential to validate actions and manage exceptions.
  10. Skills development is needed to operate, monitor, and tune agentic AI systems.

TAKEAWAYS:

  1. Prioritize readiness assessments to safely unlock AI-driven remediation outcomes.
  2. Establish guardrails so autonomous actions align with policy and risk appetite.
  3. Improve data hygiene and visibility to strengthen AI decision-making.
  4. Integrate workflows to enable closed-loop detection-to-fix automation.
  5. Invest in training to ensure teams can supervise and optimize agentic AI.

Modern incident response lessons from the SoundCloud breach

Source: SC Media

Author: unknown

URL: https://news.google.com/rss/articles/CBMimwFBVV95cUxPSnlRT2F6dm5ndW0xYW5wUUhrMlFMX2lTLW53cmE0cVlwSGVPSEYtUWZUVk9CdEhuSW5yb0J0TW0tWDViVk1SWUlTRG0xejZ0anRPQUs0M2NDR3RYZTU3Y1czdU9MNGVfMHZ5MlNURkl4OUZpRGlLUmpDNjJlT3J2bDNBclZVODhGV2xaNDlsMjNtdWtnWFNKRVZsYw?oc=5

ONE SENTENCE SUMMARY:

SoundCloud’s breach highlights that rapid detection, credential containment, transparent communication, and post-incident hardening define effective modern incident response.

MAIN POINTS:

  1. Early anomaly detection depends on high-fidelity logging, alerting, and clear ownership.
  2. Containment should prioritize revoking sessions, tokens, and API keys immediately.
  3. Forensic triage requires preserving evidence while restoring critical services safely.
  4. Credential exposures demand forced resets, MFA rollout, and monitoring for credential stuffing.
  5. Third-party integrations can amplify impact, so inventory and rotate shared secrets quickly.
  6. Least-privilege access limits blast radius when an attacker reaches internal systems.
  7. Clear user communications reduce confusion and enable faster protective actions.
  8. Cross-functional war rooms align security, engineering, legal, and support during response.
  9. Postmortems must translate findings into measurable controls and tracked remediation work.
  10. Continuous testing via tabletop exercises and drills improves speed and decision quality.

TAKEAWAYS:

  1. Build playbooks that treat token revocation and key rotation as first-class actions.
  2. Invest in telemetry that shortens time-to-detect and time-to-contain.
  3. Assume password reuse; combine resets with MFA and anti-stuffing protections.
  4. Maintain an accurate secrets and integration inventory to reduce response chaos.
  5. Turn lessons into engineering backlog items with deadlines, owners, and verification.

Dangling DNS Records: Removing Unused CNAMEs

Source: dmarcian

Author: Steven Iacoviello

URL: https://dmarcian.com/dangling-dns-cname-records/

ONE SENTENCE SUMMARY:

Dangling CNAMEs can delegate SPF to attackers, enabling DMARC-passing spoofing; maintain DNS hygiene, monitor sources, and alert on changes.

MAIN POINTS:

  1. CNAME records alias one domain to another canonical domain in DNS.
  2. Organizations delegate SPF or DKIM via CNAMEs to third-party vendors for easier management.
  3. SPF delegation through CNAME lets the target domain owner control authorized sending IPs.
  4. Dangling CNAMEs persist after services retire, pointing to nonexistent or abandoned resources.
  5. Domain ownership changes can let attackers weaponize dangling CNAME targets for malicious hosting.
  6. Abusers can publish their own SPF under the acquired CNAME target and send authorized mail.
  7. DMARC p=reject won’t stop aligned SPF mail if attackers control the delegated SPF path.
  8. Regularly review vendors and delete obsolete CNAMEs and other unnecessary DNS records.
  9. Examine MAIL FROM subdomains for SPF delivered via CNAME, removing unused delegations.
  10. DMARC reporting and alerting reveal anomalies like new sources, 100% SPF alignment, 0% DKIM.

TAKEAWAYS:

  1. Removing unused CNAMEs prevents domain-takeover abuse paths in DNS and email authentication.
  2. Delegated SPF via CNAME is powerful; treat the CNAME target as a critical trust boundary.
  3. DMARC visibility can expose dangling-CNAME exploitation patterns before major damage occurs.
  4. Automated monitoring for new subdomains and DNS changes speeds detection and response.
  5. Alerting integrations (email, Slack, Teams, webhooks) help operationalize continuous DNS hygiene.
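
The DMARC-report pattern named in main point 10 (a new source with 100% SPF alignment and 0% DKIM) can be checked mechanically. The following is an added example, not code from dmarcian or the original article; the report is constructed sample data in the standard aggregate-report layout, and the function name, sender baseline and message threshold are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

def _rec(ip, count, dkim, spf, mail_from):
    """Build one constructed <record> in DMARC aggregate-report layout."""
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
            f"</policy_evaluated></row>"
            f"<identifiers><header_from>example.com</header_from></identifiers>"
            f"<auth_results><spf><domain>{mail_from}</domain>"
            f"<result>{spf}</result></spf></auth_results></record>")

# Constructed sample data: documentation IP ranges and example.com names.
REPORT = "<feedback>" + "".join([
    _rec("192.0.2.10", 120, "pass", "pass", "bounce.example.com"),  # known vendor
    _rec("203.0.113.77", 40, "fail", "pass", "news.example.com"),   # new source
    _rec("203.0.113.77", 25, "fail", "pass", "news.example.com"),
    _rec("198.51.100.5", 3, "fail", "fail", "unrelated.test"),      # plain spoof
]) + "</feedback>"
KNOWN_SENDERS = {"192.0.2.10"}  # assumed baseline of approved sending IPs

def suspicious_sources(xml_text, known_ips, min_msgs=10):
    """Flag unknown IPs whose mail is 100% SPF-aligned and 0% DKIM-aligned."""
    stats = defaultdict(lambda: {"total": 0, "spf": 0, "dkim": 0, "mail_from": set()})
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip", "").strip()
        n = int(rec.findtext("row/count", "0"))
        s = stats[ip]
        s["total"] += n
        # policy_evaluated holds the DMARC-aligned results, not raw SPF/DKIM.
        if rec.findtext("row/policy_evaluated/spf") == "pass":
            s["spf"] += n
        if rec.findtext("row/policy_evaluated/dkim") == "pass":
            s["dkim"] += n
        for dom in rec.iterfind("auth_results/spf/domain"):
            s["mail_from"].add((dom.text or "").strip().lower())
    findings = []
    for ip, s in sorted(stats.items()):
        if ip in known_ips or s["total"] < min_msgs:
            continue
        if s["spf"] == s["total"] and s["dkim"] == 0:
            # These MAIL FROM names are where to look for CNAME-delegated SPF.
            findings.append({"ip": ip, "messages": s["total"],
                             "mail_from": sorted(s["mail_from"])})
    return findings

if __name__ == "__main__":
    for finding in suspicious_sources(REPORT, KNOWN_SENDERS):
        print(finding)
```

Each flagged MAIL FROM subdomain is a candidate for the review in main point 9: check whether its SPF record is reached through a CNAME whose target the organization no longer controls.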

Only 30 minutes per quarter on cyber risk: Why CISO-board conversations are falling short

Source: CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4141873/only-30-minutes-per-quarter-on-cyber-risk-why-ciso-board-conversations-are-falling-short.html

ONE SENTENCE SUMMARY:

Report finds board-CISO cybersecurity discussions are brief, passive, and insufficiently forward-looking, especially regarding AI-driven threats and strategic risk decisions.

MAIN POINTS:

  1. Enterprise boards increasingly include cybersecurity, yet conversations remain superficial and time-boxed.
  2. Typical CISO-board interaction lasts 30 minutes per quarter, limiting meaningful engagement.
  3. Only 30% of boards rate relationships with CISOs as strong and collaborative.
  4. Most CISOs report quarterly, but updates are often routed through committees.
  5. Limited follow-through makes cybersecurity feel like a briefing rather than exploration.
  6. Extended airtime correlates with strategic dialogue on trade-offs, risk tolerance, and decisions.
  7. Directors understand regulatory trends and current initiatives better than emerging AI threats.
  8. AI amplifies attack sophistication while creating new high-value assets and loss scenarios.
  9. Less than half of boards join simulations or tabletop exercises, keeping oversight passive.
  10. Effective CISOs tie cyber narratives to business risk, ROI, and enterprise strategy.

TAKEAWAYS:

  1. Prioritize longer, discussion-oriented board sessions to enable strategic cybersecurity decision-making.
  2. Translate cyber metrics into business-impact narratives about risk tolerance and trade-offs.
  3. Provide forward-looking analysis on AI-enabled threats and AI model/asset protection.
  4. Increase board participation in exercises to build experiential understanding of incident dynamics.
  5. Adopt a business-leader posture to shape the cyber agenda around enterprise risks.

mquire: Open-source Linux memory forensics tool

Source: Help Net Security

Author: Anamarija Pogorelec

URL: https://www.helpnetsecurity.com/2026/03/04/mquire-open-source-linux-memory-forensics-tool/

ONE SENTENCE SUMMARY:

Trail of Bits’ mquire enables Linux kernel memory forensics without external symbols using BTF, Kallsyms, and SQL-based querying.

MAIN POINTS:

  1. Traditional Linux memory forensics relies on exact kernel debug symbols that often aren’t available.
  2. mquire analyzes memory dumps without needing external debug repositories or symbol packages.
  3. BTF provides compact kernel type layouts, offsets, and relationships for structure parsing.
  4. Kallsyms addresses are located by scanning dumps, mirroring live /proc/kallsyms functionality.
  5. BTF requires Linux kernel 4.18+ with BTF enabled, common in major distributions.
  6. Kallsyms support requires kernel 6.4+ due to scripts/kallsyms.c format changes.
  7. An interactive SQL interface, inspired by osquery, enables intuitive forensic exploration.
  8. Queries can join processes, open files, dentries, and network connections for correlated analysis.
  9. Page-cache extraction recovers open or deleted files via .dump, plus raw carving with .carve.
  10. Hidden process detection compares task-list enumeration against PID namespace enumeration strategies.

TAKEAWAYS:

  1. Eliminating external debug symbols reduces failure modes during time-sensitive incident response.
  2. BTF+Kallsyms lets analysts reconstruct kernel structures directly from the dump.
  3. SQL makes complex cross-artifact correlations approachable and repeatable in investigations.
  4. Page-cache recovery can retrieve valuable evidence even after on-disk deletion.
  5. Kernel-only scope limits user-space visibility, and future Kallsyms changes may require tool updates.

Minimum viable probabilistic cyber risk quantification

Source: Ryan McGeehan

Author: unknown

URL: https://r10n.com/mvp-cyber-risk-quantification/

ONE SENTENCE SUMMARY:

A minimum viable, panel-elicited probabilistic method builds annual cyber loss distributions and tail scenarios for iterative, calibration-driven security prioritization.

MAIN POINTS:

  1. Produces incident definition, annual loss distribution, tail-loss taxonomy, and review cadence with scoring loop.
  2. Requires no platforms, minimal time, and works without historical loss datasets.
  3. Starts by defining “incident” using operational triggers like on-call pages or IR activation.
  4. Elicits P50/P90 incident costs, then fits a parametric severity distribution (often lognormal).
  5. Forecasts annual incident counts via P50/P90 to create a frequency distribution.
  6. Combines frequency and severity with Monte Carlo sampling to generate annual loss distribution.
  7. Includes comprehensive cost components such as churn, delivery disruption, sales friction, and regulatory delays.
  8. Uses anonymous-first elicitation and re-elicitation to reduce anchoring, dominance, and bias.
  9. Constructs MECE taxonomy for >P90 “heavy hitter” scenarios, with controlled “other” category usage.
  10. Links every mitigation initiative to scenario classes and updates probabilities/impacts over time.

TAKEAWAYS:

  1. Treat risk quant as an updateable forecast artifact, not a claim of truth.
  2. Fast elicitation plus simple modeling enables early prioritization without becoming a data project.
  3. Tail-loss scenario thinking drives actionable alignment between mitigations and largest potential damages.
  4. Bias-resistant group forecasting improves calibration and decision quality over ad-hoc judgment.
  5. Quarterly refreshes and scoring create a feedback loop that continuously refines assumptions.
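
Main points 4 to 6 describe a small pipeline: fit severity from elicited P50/P90, forecast frequency from P50/P90, then combine them by Monte Carlo sampling. The following is an added example, not code from the original article; the panel figures are constructed, and modelling the yearly incident count as a rounded lognormal draw is an assumption made here.

```python
import math
import random
from statistics import NormalDist

Z90 = NormalDist().inv_cdf(0.90)  # ~1.2816, z-score of the 90th percentile

def fit_lognormal(p50, p90):
    """Lognormal (mu, sigma) whose median is p50 and 90th percentile is p90."""
    if not 0 < p50 < p90:
        raise ValueError("elicited values must satisfy 0 < P50 < P90")
    mu = math.log(p50)
    return mu, (math.log(p90) - mu) / Z90

def quantile(mu, sigma, q):
    """Quantile q of the fitted lognormal, used to sanity-check the fit."""
    return math.exp(mu + sigma * NormalDist().inv_cdf(q))

def simulate_annual_loss(severity, frequency, trials=20000, seed=2026):
    """Monte Carlo: draw a yearly incident count, then sum that many losses."""
    rng = random.Random(seed)  # fixed seed so quarterly reruns are comparable
    s_mu, s_sigma = fit_lognormal(*severity)
    f_mu, f_sigma = fit_lognormal(*frequency)
    years = []
    for _ in range(trials):
        # Assumption: the count is a lognormal draw rounded to an integer.
        n = round(rng.lognormvariate(f_mu, f_sigma))
        years.append(sum(rng.lognormvariate(s_mu, s_sigma) for _ in range(n)))
    years.sort()
    return years

def summarize(years):
    """P50/P90/P99 and mean of annual loss, plus the share carried by >P90 years."""
    def pick(q):
        return years[min(int(q * len(years)), len(years) - 1)]
    p90 = pick(0.90)
    total = sum(years)
    tail = sum(y for y in years if y > p90)
    return {"p50": pick(0.50), "p90": p90, "p99": pick(0.99),
            "mean": total / len(years), "tail_share": tail / total}

# Constructed panel estimates (not taken from the source article).
SEVERITY = (50_000, 400_000)  # cost per incident in USD: P50, P90
FREQUENCY = (4, 10)           # incidents per year: P50, P90

if __name__ == "__main__":
    for key, value in summarize(simulate_annual_loss(SEVERITY, FREQUENCY)).items():
        print(f"{key:>10}: {value:,.2f}")
```

The `tail_share` figure shows how much of the expected loss sits in years above P90, which is the region the tail-loss taxonomy in main point 9 is meant to describe.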

The TTX + TTP Replay FAQ: Executive and Practitioner Guide to Evidence-Backed Cyber Defense Validation

Source: Lares

Author: Andrew Heller

URL: https://www.lares.com/blog/ttxttp-faq/

ONE SENTENCE SUMMARY:

Integrating tabletop exercises with TTP replays replaces assumed readiness with quantified control effectiveness, aligning people, process, and technology for defensible cyber resilience.

MAIN POINTS:

  1. Confidence in incident readiness often exceeds real-world decision accuracy during crises.
  2. Traditional security testing stays siloed, creating gaps between plans and technical reality.
  3. Tabletop Exercises evaluate coordination, process maturity, and decisions under pressure.
  4. TTX outcomes depend on unverified assumptions about control behavior and tool performance.
  5. TTP Replays execute real adversary behaviors safely in production to validate detections.
  6. Running only TTX yields theoretical response plans detached from actual telemetry.
  7. Running only TTP Replay produces technical findings lacking executive context and escalation paths.
  8. Integrated TTX+TTP links scenarios to measured outcomes, enabling evidence-backed improvements.
  9. Quantitative metrics include MTTD, MTTR, alert fidelity, and false negative rate.
  10. A five-level maturity model progresses from compliance confidence to continuous validation aligned with CTEM.

TAKEAWAYS:

  1. Capture technical assumptions during tabletops, then test them via adversary emulation playbooks.
  2. Prioritize detection engineering using replay-exposed visibility gaps rather than MITRE “coverage” targets.
  3. Validate ROSI by proving tool effectiveness, enabling tuning, vendor remediation, or budget reallocation.
  4. Strengthen board oversight using objective control-performance data instead of theoretical response narratives.
  5. Support regulatory timelines like SEC 4-day disclosure by combining fast detection validation and materiality decision rehearsal.

Structured analysis for small CTI teams: Using AI to reinforce tradecraft

Source: Feedly Blog

Author: Dave Johnson

URL: https://feedly.com/ti-essentials/posts/structured-analysis-for-small-cti-teams-using-ai-to-reinforce-tradecraft

ONE SENTENCE SUMMARY:

Small CTI teams can use prompt-driven LLM workflows to apply structured analytic techniques quickly, improving rigor, consistency, and defensibility.

MAIN POINTS:

  1. Structured analytic techniques are taught widely but frequently skipped under operational time pressure.
  2. Collaboration-centric SATs clash with remote, understaffed CTI team realities.
  3. Accepting reporting at face value increases bias risk and weakens conclusions.
  4. LLMs can act as sparring partners that challenge assumptions, not replace analysts.
  5. AI assistance can surface assumptions, organize evidence, and generate alternative hypotheses.
  6. Salt Typhoon case study illustrated uncertainty hidden beneath confident attribution narratives.
  7. Key assumptions checks can be accelerated via prompts producing assumption tables and gaps.
  8. ACH prompts help eliminate weaker hypotheses by structuring evidence against alternatives.
  9. Devil’s advocacy prompts generate credible critiques to harden assessments against stakeholder challenges.
  10. Pre-mortems reconstruct failure paths to reveal missing evidence, dependencies, and overconfidence drivers.

TAKEAWAYS:

  1. Lightweight SATs can be completed in roughly 20 minutes using repeatable prompt templates.
  2. Separate sessions per problem reduce anchoring and cross-contamination bias in analysis.
  3. Grounding outputs in curated intelligence and citations improves defensibility and traceability.
  4. Using structured outputs increases clarity, consistency, and auditability of analytic reasoning.
  5. Some structured analysis is better than none when resources prevent full team collaboration.