ChaDFIR

660 posts

@Chak092

DFIR

France · Joined August 2016
339 Following · 79 Followers
ChaDFIR retweeted
Kudelski Security @KudelskiSec ·
There’s a lot of noise around Mythos and AI in cybersecurity. In our latest ModernCISO blog, Nathan Hamiel shares a more grounded view of what it means for security leaders, and why fundamentals like prioritization, remediation, and AppSec still matter. 👉 kdlski.co/4vISIDI
Cyber Cyborg @CyberCyborg ·
@KudelskiSec This is really cool. Thanks for sharing it with the community. Does your site have an RSS feed to keep up with the blogs?
ChaDFIR retweeted
Kudelski Security @KudelskiSec ·
When a security tool becomes the threat. Our latest Kudelski Security blog examines the Trivy supply-chain compromise, from CI/CD credential theft to a persistent backdoor, and what it means for supply-chain risk. 👉 kdlski.co/4tguW07
ChaDFIR retweeted
Kudelski Security @KudelskiSec ·
New on @KudelskiSec ModernCISO blog: Why Outsource IR? Much like insurance, incident response capabilities are something you need to have, but never want to have to use. If you’re considering IR engagement models, read this post by IR leader Marc Schläppi kdlski.co/3UP1OOI
ChaDFIR retweeted
Kudelski Security @KudelskiSec ·
In this cautionary tale of averting a large-scale supply chain attack, a follow-up to Kudelski Security researchers @tmlxs and @nathanhamiel’s Black Hat USA presentation, we detail our RCE on CodeRabbit’s production servers and write access to 1m repos. kdlski.co/4oIvuKs
ChaDFIR retweeted
Kudelski Security @KudelskiSec ·
🚨 Akira ransomware is exploiting a likely zero day in SonicWall Gen 7 SSL-VPNs, bypassing MFA and hitting fully patched devices. Kudelski Security’s IR team has confirmed multiple intrusions. Read the full advisory 👉 kdlski.co/41sLrdK #CyberSecurity #KudelskiSecurity
ChaDFIR retweeted
Kudelski Security @KudelskiSec ·
Hackers are hitting ASP.NET apps, exploiting exposed MachineKeys for RCE and stealthy webshells like Godzilla. They’re pivoting fast to tools like Cobalt Strike and chasing privilege escalation. Scan, patch, stay ahead. kdlski.co/4koAJMh #CyberSecurity #KudelskiSecurity
ChaDFIR retweeted
Kudelski Security @KudelskiSec ·
🚨 Big SAP Security Warning 🚨 Hackers are hitting a new SAP NetWeaver flaw (CVE-2025-31324) to sneak in webshells and Cobalt Strike tools. It’s serious and could lead to ransomware attacks. Learn what to watch for: kdlski.co/4eRcCVe #CyberSecurity #SAP #ZeroDay
Horizon3 Attack Team @Horizon3Attack ·
Indicators of Compromise:
🔹 Depending on logging configurations, log entries in ns.log with non-printable characters are a pretty good indicator that something is amiss.
🔹 The Citrix advisory recommends terminating existing ICA and PCoIP sessions, which leads us to believe that endpoints related to those features are being targeted. Entries for those logs may similarly contain contents of leaked memory, which may or may not include session tokens.
🔹 Auditing active sessions is also recommended. As an example, a single session being used from multiple client IP addresses could be an indicator that the session may have been compromised. Active sessions for NetScaler Gateway can be found in the WebUI via “NetScaler Gateway -> Active User Sessions -> Select applicable context -> Continue”. Session information can also be viewed on the command line by running commands such as “show sessions” or “show session”.
Horizon3 Attack Team @Horizon3Attack ·
CVE-2025-5777, aka #CitrixBleed 2, allows leaking of memory in the response which can allow for compromising session tokens, and other sensitive information. A deep-dive to follow next week.
AlertesInfos @AlertesInfos ·
🇫🇷⚖️ BREAKING NEWS – A 19-year-old suspect has been ARRESTED and placed in POLICE CUSTODY. He has admitted the facts. He is being prosecuted for public incitement to hatred, violence and discrimination on the grounds of religion, public glorification of a crime or offence, and for wearing or displaying a uniform, insignia or emblem reminiscent of those of an organization declared criminal by the Nuremberg military tribunal. He will be tried on 16 June. (Prosecutor)
Quoted post from AlertesInfos @AlertesInfos:

🚨🇫🇷 FLASH – Stickers bearing the message "Zone OFF-LIMITS to Muslims" were discovered in Orléans. (X)

ChaDFIR @Chak092 ·
@collysucker Rumor about Fortigate SSL VPN... Also versions 7.0.17 and 6.4.16 are not affected...
hi^^ @collysucker ·
There is a rumor about a new FortiGate vulnerability exploited in the wild from internet/external interfaces. FortiOS >=7.2.11 & >=7.4.7 is not affected. Does anyone know something about that? #infosec #fortigate
ChaDFIR @Chak092 ·
@TopDesHagras Looks like Volodymyr Zelensky after a stay in Marrakech.
ChaDFIR @Chak092 ·
@CerfiaFR I have never heard anything so stupid, and the @LCI journalists don't even step in. What is Arcom doing?
Cerfia @CerfiaFR ·
🇫🇷🇮🇱 FLASH | "One thing that could excuse [the] Israelis would be if the gendarmes looked to be of MAGHREBI/ARAB origin," said researcher Samantha de Bendern, after the arrest of FRENCH gendarmes in Jerusalem on a French domain. x.com/grenier_actu/s…
Lanceur d'alerte Info @LanceurI ·
@RolandLescure With Trump's election, the opinion of European populations may finally be listened to, and money devoted to rebuilding their own countries! Populism is the opinion of the Peoples!
Roland Lescure @RolandLescure ·
Europe has a duty to come together and to awaken collectively. Europe must unite, strengthen itself and wake up in the face of the potential and probable victory of Donald Trump.
ThreatMon @MonThreat ·
🚨 Sangfor SSL VPN Preauth RCE Sale Allegation
A threat actor on the Darkweb forum claimed to be selling a vulnerability in Sangfor SSL VPN software that allows remote code execution with root privileges without authentication (pre-auth). #Vulnerability #Darkweb #ThreatIntelligence