Merav
@merav_br

134 posts

threat research at @wiz_io ✦

Joined May 2022
77 Following, 164 Followers

Merav retweeted
Rami McCarthy @ramimacisabird
We'll be right back with your regularly scheduled TeamPCP programming, but while you wait ... wiz.io/blog/fragnesia…

Merav @merav_br
My new research on the Jenkins threat landscape 🔍☁️ Exposed instances, deprecated plugins, CI/CD attack paths… and based on TeamPCP’s recent activity, I think they read it too 👀 wiz.io/blog/jenkins-t…

Merav retweeted
Wiz @wiz_io
🚨 CRITICAL: MongoBleed (CVE-2025-14847). MongoDB bug leaks in-memory data pre-auth and is exploited in the wild. 42% of clouds are vulnerable, ~87K exposed. Atlas patched. Self-hosted: patch now or disable zlib. wiz.io/blog/mongoblee…

Merav retweeted
Danielle Aminov @AminovDanielle
We were analyzing the new RSC vulnerability and its impact. RSC is a React feature, but most apps use it through Next.js, which bundles RSC widely. So it will likely surface most often as Next.js CVE-2025-66478. Patch snippet below 🧐 Initial analysis: wiz.io/blog/critical-…

Merav retweeted
Wiz @wiz_io
🚨 CRITICAL RCE ALERT: React & Next.js Vulnerability ↓
Critical remote code execution (RCE) vulnerabilities have been published affecting the React 19 ecosystem and Next.js. These vulnerabilities (CVE-2025-55182 & CVE-2025-66478) reside in the React Server Components (RSC) "Flight" protocol. They allow unauthenticated attackers to execute arbitrary code on the server by sending a specially crafted HTTP POST request.
→ Severity: Critical.
→ Vector: Remote, Unauthenticated.
→ Success Rate: Near 100% in default configurations.
→ Affected: Standard deployments of Next.js (App Router) and React 19.
🟢 Immediate action required: Patch. There are no workarounds other than patching. Security teams must prioritize upgrading dependencies to hardened versions immediately.
—
Read our full technical breakdown and remediation guide here: wiz.io/blog/critical-…

Merav retweeted
Nagli @galnagli
We found a way to access Max Verstappen's passport, driver's license, and personal information. Along with every other @Formula1 driver's sensitive data. It took us 10 minutes using one simple security flaw 🧵

Merav retweeted
Danielle Aminov @AminovDanielle
Our recent research reveals how malware-less database ransomware actually scales ⚡️ Finding: MongoDB is the most dominant target, and a newly exposed DB can be discovered and hijacked within minutes - without dropping a single binary. 👾 (1/5)🧵

Merav retweeted
Danielle Aminov @AminovDanielle
We started this research to connect the dots between malware campaigns and the misconfigurations that enable them 👾 Our biggest takeaway? While you can patch a CVE, you can't patch a human error. Our blog post dives into this critical gap > wiz.io/blog/beyond-cv…

Merav @merav_br
Just updated our Shai-Hulud blog 🪱 Throughout the day we added payload analysis, more affected packages, and IOCs. Check it out! @wiz_io wiz.io/blog/shai-hulu…

Merav retweeted
Wiz @wiz_io
👉 The repos are gone, but the damage has been done - Rotate credentials + upgrade immediately. Full breakdown here: wiz.io/blog/s1ngulari…

Merav retweeted
Wiz @wiz_io
🚨 TraderTraitor: North Korea's cyber "traitor" inside the crypto world. This hacking crew hijacks dev workflows, poisons open-source, and compromises cloud environments — all to steal billions in crypto. Here's how they do it 🧵

Merav retweeted
Wiz @wiz_io
🚨 New vulnerabilities in #NetScaler (incl. a 0-day) are now exploited in the wild. 2 enable admin access via session theft. 3.5% of clouds exposed. POCs out. Patch now. 🔍 Full breakdown → wiz.io/blog/critical-…

Merav retweeted
AWS Security Digest @AwsSecDigest
Tracking Cloud-Fluent Threat Actors – Part Two: Behavioral Cloud IOCs
By Merav Bar & Gili Tikochinski
Sophisticated attackers leave behind behavioral indicators of compromise (IOCs) that traditional detection methods often miss. This article explores how to track cloud-fluent threat actors by analyzing their unique patterns of movement and activity inside cloud environments.
⚡ Key takeaways:
🔹 Why static IOCs aren't enough—attackers rotate IPs, credentials, and infrastructure too fast
🔹 Behavioral IOCs that reveal cloud-based intrusions, like unusual API calls, privilege escalation patterns, and suspicious session persistence
🔹 Real-world case studies showing how attackers evade detection and how security teams can stay ahead
🛠 What you’ll learn:
✅ How to identify attacker tradecraft through cloud-native behavioral patterns
✅ Which AWS, Azure, and GCP logs provide the best visibility into suspicious activity
✅ How to proactively detect threats using behavioral analytics
💡 Why this matters:
🔸 Traditional security tools often fail to detect cloud-native threats—understanding behavioral IOCs gives defenders a critical edge
🔸 Attackers reuse techniques across victims—learning their playbook helps security teams predict and prevent future breaches
🔗 Read the full breakdown here: wiz.io/blog/detecting…
This was first mentioned in AWS Security Digest Issue #193: awssecuritydigest.com/past-issues/aw…

Merav @merav_br
Check out Gili and my BSidesSF talk before Taylor’s team takes it down for copyright infringement (which would be an honor) ✨ Blank Space: Filling the Gaps in Atomic and Behavioral Cloud-Specific IOCs youtube.com/watch?v=n5HG2P…

Merav retweeted
Taylor Swift @taylorswift13
You belong with me. 💚💛💜❤️🩵🖤 Letter on my site :)