A critical, widely exploited vulnerability in Fortinet's FortiWeb web application firewall (WAF) is putting customers at significant risk. Security researchers and federal authorities have criticized the vendor's delay in publicly acknowledging the flaw, which gave attackers a head start and left defenders without the information they needed to prioritize patching and hunting.
Business impact
The delay in disclosure means many organizations may have already been compromised without their knowledge. A compromised WAF can expose sensitive web applications to data theft, defacement, or further network intrusion, potentially leading to major data breaches and regulatory fines.
Recommended action
Prioritize patching all FortiWeb devices immediately, and keep their management interfaces off the internet. Because exploitation predates the public advisory, treat internet-exposed devices as potentially compromised: hunt for indicators dating back before the disclosure, and review administrator accounts, configuration changes and logs from that window. Review vendor communication policies and maintain alternative threat intelligence feeds so that a vendor's silence does not leave you blind to active exploitation.
The RondoDox botnet is actively targeting and compromising servers running unpatched versions of the XWiki collaboration platform. The attackers are exploiting a critical remote code execution (RCE) vulnerability, CVE-2025-24893, to infect servers and add them to the botnet. Patches for this flaw have been available since February 2025, indicating that attackers are preying on organizations with poor patch management hygiene.
Business impact
A compromised XWiki server can lead to the theft of sensitive internal documentation, intellectual property, and credentials. The server can also be used as a pivot point for further attacks into the internal network or to participate in DDoS attacks, consuming network resources and potentially incurring legal liability.
Recommended action
Immediately identify every XWiki instance and upgrade it to a fixed release (15.10.11, 16.4.1, 16.5.0RC1 or later, per the upstream advisory). Scan for indicators of compromise related to the RondoDox botnet, and review web server and process logs on any instance that was internet-exposed while unpatched, since patching does not remove an implant that is already present. Isolate any suspected compromised systems from the network for forensic analysis.
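Finding the instances that still need the fix is the step that usually goes wrong, because XWiki versions carry milestone and RC suffixes that naive string comparison gets wrong. As an added example (not code from the article or from the XWiki project), the Python below parses XWiki version strings, including pre-releases, and judges each instance against the first fixed release on its branch, using the fixed versions named in the upstream advisory (15.10.11, 16.4.1, 16.5.0RC1). The inventory it reads is constructed; in practice feed it from your CMDB or from each instance's own version string, and confirm the thresholds against the advisory before relying on them.

```python
import re
from typing import Dict, List, Tuple

# First fixed release on each XWiki branch, as named in the upstream
# advisory for CVE-2025-24893 (GHSA-rr6p-3pfg-562j): 15.10.11, 16.4.1 and
# 16.5.0RC1. Entries are (branch floor, first fixed version), newest branch
# first; a version at or above a floor is judged against that branch's fix.
# Re-check these against the advisory before relying on them.
FIXED_BY_BRANCH: List[Tuple[Tuple[int, int, int], str]] = [
    ((16, 5, 0), "16.5.0RC1"),
    ((16, 0, 0), "16.4.1"),
    ((0, 0, 0), "15.10.11"),   # every older branch: fixed only at 15.10.11
]

# Accepts "16.4.1", "16.5.0RC1", "16.5.0-rc-1", "16.0.0-milestone-2".
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?:[-.]?(milestone|rc)[-.]?(\d+))?$",
    re.IGNORECASE,
)
_STAGE_RANK = {"milestone": 0, "rc": 1, "": 2}   # milestone < rc < final


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn an XWiki version string into a tuple that sorts correctly,
    pre-releases included: 16.5.0-milestone-1 < 16.5.0RC1 < 16.5.0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised XWiki version: {text!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    stage = (m.group(4) or "").lower()
    pre_number = int(m.group(5) or 0)
    return (major, minor, patch, _STAGE_RANK[stage], pre_number)


def is_vulnerable(version: str) -> bool:
    """True if this version predates the fix on its own branch."""
    v = parse_version(version)
    for floor, first_fixed in FIXED_BY_BRANCH:
        if v[:3] >= floor:
            return v < parse_version(first_fixed)
    return True   # not reachable: the (0, 0, 0) floor catches everything


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify each host as 'patch-now', 'fixed' or 'unknown-version',
    sorted so the hosts needing work come first."""
    order = {"patch-now": 0, "unknown-version": 1, "fixed": 2}
    rows = []
    for host, version in inventory.items():
        try:
            status = "patch-now" if is_vulnerable(version) else "fixed"
        except ValueError:
            status = "unknown-version"   # still needs a human look
        rows.append((host, version, status))
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed inventory for the demonstration; hostnames and versions are
# made up.
SAMPLE_INVENTORY = {
    "wiki-legacy.example.internal": "15.10.10",
    "wiki-lts.example.internal": "15.10.11",
    "wiki-eng.example.internal": "16.4.0",
    "wiki-ops.example.internal": "16.4.1",
    "wiki-dev.example.internal": "16.5.0-milestone-2",
    "wiki-rc.example.internal": "16.5.0RC1",
    "wiki-new.example.internal": "17.2.0",
    "wiki-odd.example.internal": "n/a",
}

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{status:16} {version:20} {host}")
```

Note that 16.4.1RC1 is reported as vulnerable while 16.4.1 is not, and 16.5.0RC1 is reported as fixed even though it sorts below 16.5.0: that is the ordering the advisory implies, and it is exactly what a plain string or float comparison would get wrong.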
Microsoft's Azure DDoS Protection service successfully mitigated the largest cloud-based Distributed Denial-of-Service (DDoS) attack ever recorded, peaking at 15.7 terabits per second (Tbps). The attack, attributed to the 'Aisuru' botnet, originated from over 500,000 IP addresses and utilized massive UDP floods. This event highlights the escalating scale and power of modern botnets.
Business impact
While this specific attack was mitigated, it demonstrates the immense threat that large-scale DDoS attacks pose to cloud-hosted services. An unmitigated attack of this magnitude would completely cripple online services, leading to catastrophic business disruption, reputational damage, and financial loss for any organization.
Recommended action
Organizations using cloud services should ensure they have robust, scalable DDoS protection plans enabled. Review and test incident response plans for DDoS scenarios. Consider multi-cloud or hybrid architectures to improve resilience against platform-specific outages.
The North Korea-linked threat group behind the "Contagious Interview" campaign is now using legitimate JSON data storage services (like JSON Keeper and npoint.io) to host and deliver malware. This tactic helps them evade detection by hiding malicious payloads on trusted domains, which are less likely to be blocked by security tools.
Business impact
This technique makes it harder to detect and block command-and-control (C2) traffic and malware downloads. It increases the likelihood of a successful compromise, potentially leading to espionage, data theft, or ransomware deployment.
Recommended action
Enhance network monitoring to inspect traffic to legitimate but less common data storage sites. Implement application control to block unauthorized executables. Educate employees on social engineering tactics used in campaigns like "Contagious Interview," which often involve fake job offers.
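The monitoring recommendation above is easier to act on as a concrete rule. The Python below is an added example, not tooling from the article or from the researchers who reported the campaign: it scans newline-delimited proxy or EDR events for requests to the JSON-hosting services named in the reporting and raises the severity when the requester is a script runtime such as node or npm rather than a browser, since this campaign's lures are typically code projects the target is asked to run. The hostnames api.npoint.io and jsonkeeper.com are assumptions taken from the services' public documentation rather than from the article, the runtime list is mine, and the log lines are constructed.

```python
import json
from collections import defaultdict
from typing import Dict, List

# Services named in the reporting on this campaign. The registrable domains
# are an assumption from the services' public documentation; extend the set
# as your own intelligence dictates.
JSON_STORE_DOMAINS = {"npoint.io", "jsonkeeper.com"}

# Processes that should not normally be pulling JSON from a paste-style
# service on an end-user workstation. A browser hitting these sites is
# low-severity (a developer may simply be using them); a script runtime or
# downloader doing so is the combination this campaign produces.
SCRIPT_RUNTIMES = {"node", "node.exe", "npm", "npx", "python", "python3",
                   "python.exe", "powershell.exe", "curl", "wget"}


def domain_in_watchlist(hostname: str, watchlist) -> bool:
    """Label-wise suffix match: api.npoint.io matches npoint.io, but
    evil-npoint.io and npoint.io.attacker.example do not."""
    labels = hostname.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def analyse_proxy_log(jsonl: str) -> List[Dict]:
    """Scan newline-delimited JSON events and return one alert per event
    that reached a JSON-hosting service, with a severity and the reasons."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if not domain_in_watchlist(ev["dest_host"], JSON_STORE_DOMAINS):
            continue
        reasons = ["destination is a JSON-hosting service"]
        proc = ev.get("process", "").lower()
        if proc in SCRIPT_RUNTIMES:
            reasons.append(f"fetched by script runtime '{proc}', not a browser")
        severity = "high" if len(reasons) > 1 else "low"
        alerts.append({
            "ts": ev["ts"], "src_host": ev["src_host"], "user": ev.get("user"),
            "process": proc, "url": ev["url"], "severity": severity,
            "reasons": reasons,
        })
    return alerts


def hosts_by_severity(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Collapse alerts to the hosts that need triage, grouped by severity."""
    grouped = defaultdict(set)
    for a in alerts:
        grouped[a["severity"]].add(a["src_host"])
    return {sev: sorted(hosts) for sev, hosts in grouped.items()}


# Constructed sample events; hostnames, users, IDs and byte counts are made up.
SAMPLE_PROXY_LOG = """
{"ts":"2025-11-17T09:02:11Z","src_host":"dev-lt-0417","user":"j.doe","process":"node.exe","dest_host":"api.npoint.io","url":"https://api.npoint.io/3f1c9a8d2b7e","bytes_in":48211}
{"ts":"2025-11-17T09:02:13Z","src_host":"dev-lt-0417","user":"j.doe","process":"chrome.exe","dest_host":"github.com","url":"https://github.com/example/recruiter-task","bytes_in":120544}
{"ts":"2025-11-17T10:15:40Z","src_host":"mkt-ws-0021","user":"a.lee","process":"firefox.exe","dest_host":"jsonkeeper.com","url":"https://jsonkeeper.com/b/9QKF","bytes_in":1320}
{"ts":"2025-11-17T10:16:02Z","src_host":"mkt-ws-0021","user":"a.lee","process":"firefox.exe","dest_host":"evil-npoint.io","url":"https://evil-npoint.io/x","bytes_in":900}
{"ts":"2025-11-17T11:40:57Z","src_host":"build-agent-03","user":"svc-ci","process":"curl","dest_host":"www.jsonkeeper.com","url":"https://www.jsonkeeper.com/b/7ZPQ","bytes_in":66102}
"""

if __name__ == "__main__":
    found = analyse_proxy_log(SAMPLE_PROXY_LOG)
    for a in found:
        print(a["severity"].upper(), a["src_host"], a["process"], a["url"],
              "|", "; ".join(a["reasons"]))
    print(hosts_by_severity(found))
```

The suffix match is deliberate: a plain `endswith("npoint.io")` would also fire on look-alike domains such as evil-npoint.io and miss nothing real, but it would teach analysts to trust a sloppy match. Tune the runtime list to what your estate actually runs; on a build agent, curl reaching such a service may be legitimate and deserves an allow-list entry rather than a silent downgrade.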
Food delivery service DoorDash has announced a data breach that exposed customer personal information, including names, addresses, email addresses, and phone numbers. The breach occurred after an employee was tricked by a social engineering attack, granting the attacker access to internal systems.
Business impact
The exposure of customer PII can lead to identity theft, targeted phishing campaigns against customers, and significant reputational damage. The breach will likely result in regulatory scrutiny and potential fines under data protection laws.
Recommended action
Implement and enforce multi-factor authentication (MFA) across all internal tools, preferring phishing-resistant methods (FIDO2 security keys or passkeys), since push-based and code-based MFA can themselves be socially engineered. Conduct regular, realistic social engineering training and testing for all employees, especially those with access to customer data, and give help-desk and support staff a verification procedure for access requests that does not rely on information an attacker could plausibly have gathered.
This report from Cybercrime Magazine provides a forward-looking analysis of the cybersecurity market for 2026. It highlights the growing financial imperative to protect digitized businesses, critical infrastructure, and IoT devices, offering statistics and predictions that can inform strategic planning and budget allocation for security leaders.
AWS has introduced support for post-quantum cryptography in its Key Management Service (KMS) and Private Certificate Authority (CA). This allows customers to begin creating public key infrastructure (PKI) and digital signatures that are resistant to attacks from future quantum computers, representing a major step in future-proofing enterprise security.
Over 60 digital commerce and trade groups are publicly urging governments worldwide to reject any proposals that would weaken or create backdoors in encryption. This highlights a growing tension between national security interests and the fundamental need for strong encryption to protect privacy, secure data, and maintain trust in the digital economy.
Spotlight Rationale: Today's threats include active exploitation of perimeter devices (Cisco CVE-2025-20333, Fortinet WAF) and massive-scale infrastructure attacks (Azure DDoS). While patching is a reactive necessity, a forward-looking strategy involves building fundamentally more secure infrastructure. The introduction of post-quantum cryptography by AWS represents a strategic shift to secure data and communications against future high-capability adversaries.
Platform Focus: AWS Key Management Service (KMS) & AWS Private Certificate Authority (Private CA) with ML-DSA support
AWS is enabling organizations to future-proof their Public Key Infrastructure (PKI). As nation-states and advanced actors develop quantum computing, two distinct risks appear. Data encrypted today can be captured and decrypted later ("harvest now, decrypt later"), which is a key-exchange and encryption problem. Separately, signatures and certificates that must remain trustworthy for years could be forged once a sufficiently capable quantum computer exists. ML-DSA addresses the second risk: by integrating it into KMS and Private CA, AWS lets organizations issue digital certificates and sign code in a way that stays secure after quantum computers arrive, protecting long-lived assets such as root CAs, code-signing keys, device identities and critical infrastructure.
Actionable Platform Guidance: 1. Identify long-term assets requiring quantum-resistant protection (e.g., root CAs, code signing certificates, IoT device identities), and separate the signing use cases ML-DSA covers from the confidentiality use cases it does not. 2. Use AWS Private CA to create a new subordinate CA specifying the ML-DSA algorithm. 3. Begin issuing post-quantum certificates for internal services or code signing as a pilot program to test compatibility, since the certificates and signatures are considerably larger than their ECDSA equivalents and not every client validates them yet. 4. ML-DSA itself is already a finalized standard (NIST FIPS 204, August 2024); what to monitor is client and protocol support (TLS stacks, X.509 toolchains and code-signing verifiers that accept ML-DSA chains) and NIST's remaining work on additional signature schemes, which together govern how broadly you can roll post-quantum certificates out.
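Step 1 is the one most teams skip, so here is a way to make it repeatable. The Python below is an added example (not from the article or from AWS) that triages a crypto inventory with Mosca's rule: X is the number of years an asset must stay protected, Y the years it takes to migrate, Z the years until a cryptographically relevant quantum computer is assumed to exist. Confidentiality assets are at risk when X + Y > Z, because ciphertext captured before the migration finishes can be decrypted later; signing assets have no harvest problem and are at risk only if they must still be trusted beyond the horizon, or if migration would not finish before it. The inventory, dates and the 2035 horizon are constructed planning assumptions, not predictions. ML-KEM (FIPS 203) is named as the key-establishment counterpart of ML-DSA for the confidentiality column; it is not part of the AWS announcement above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# Algorithms already regarded as quantum-resistant. ML-DSA (FIPS 204) is the
# signature family AWS Private CA and KMS now offer; ML-KEM (FIPS 203) is the
# key-establishment counterpart; SLH-DSA (FIPS 205) is the hash-based option.
PQ_SAFE_PREFIXES = ("ML-DSA", "ML-KEM", "SLH-DSA")

# Planning assumptions for the demonstration, not predictions.
ASSUMED_TODAY = date(2025, 11, 17)
ASSUMED_CRQC_HORIZON = date(2035, 1, 1)


@dataclass
class Asset:
    name: str
    purpose: str            # "signing" or "confidentiality"
    algorithm: str          # algorithm protecting it today
    protect_until: date     # how long the protection must still hold
    migration_years: float  # realistic time to move it to a PQ algorithm


def _years(start: date, end: date) -> float:
    return (end - start).days / 365.25


def assess(asset: Asset, today: date, crqc_horizon: date) -> Dict:
    """Apply Mosca's rule to one asset and say what it should migrate to."""
    z = _years(today, crqc_horizon)                 # years until the CRQC
    x = max(0.0, _years(today, asset.protect_until))  # required shelf life
    y = asset.migration_years
    if asset.algorithm.upper().startswith(PQ_SAFE_PREFIXES):
        return {"name": asset.name, "verdict": "pq-safe",
                "reason": asset.algorithm, "migrate_to": None}
    if asset.purpose == "confidentiality":
        # Harvest-now-decrypt-later: anything encrypted before migration ends
        # must still be secret once the CRQC exists.
        at_risk = x + y > z
        reason = f"X+Y = {x + y:.1f}y vs Z = {z:.1f}y (HNDL exposure)"
        target = "ML-KEM (hybrid key establishment)"
    elif asset.purpose == "signing":
        # Nothing to harvest; forgery only matters while the signature or
        # certificate is still relied upon after the horizon.
        at_risk = asset.protect_until > crqc_horizon or y > z
        reason = (f"trusted until {asset.protect_until}, horizon "
                  f"{crqc_horizon}, Y = {y:.1f}y")
        target = "ML-DSA (e.g. an ML-DSA subordinate CA in AWS Private CA)"
    else:
        raise ValueError(f"unknown purpose {asset.purpose!r}")
    return {"name": asset.name, "verdict": "at-risk" if at_risk else "ok",
            "reason": reason, "migrate_to": target}


def triage(assets: List[Asset], today: date, crqc_horizon: date) -> List[Dict]:
    order = {"at-risk": 0, "ok": 1, "pq-safe": 2}
    return sorted((assess(a, today, crqc_horizon) for a in assets),
                  key=lambda r: order[r["verdict"]])


# Constructed inventory; names, dates and migration estimates are made up.
SAMPLE_ASSETS = [
    Asset("root CA (offline)", "signing", "RSA-4096", date(2045, 1, 1), 2.0),
    Asset("code-signing cert", "signing", "ECDSA-P256", date(2028, 6, 1), 1.0),
    Asset("IoT device identities", "signing", "ECDSA-P256", date(2040, 1, 1), 4.0),
    Asset("backup archive key wrap", "confidentiality", "RSA-2048", date(2040, 1, 1), 3.0),
    Asset("TLS session records", "confidentiality", "ECDHE-P256", date(2026, 11, 17), 2.0),
    Asset("pilot PQ sub-CA", "signing", "ML-DSA-65", date(2050, 1, 1), 0.0),
]


def demo_verdicts() -> Dict[str, str]:
    """Verdict per asset under the stated planning assumptions."""
    return {r["name"]: r["verdict"]
            for r in triage(SAMPLE_ASSETS, ASSUMED_TODAY, ASSUMED_CRQC_HORIZON)}


if __name__ == "__main__":
    for row in triage(SAMPLE_ASSETS, ASSUMED_TODAY, ASSUMED_CRQC_HORIZON):
        print(f"{row['verdict']:8} {row['name']:26} {row['reason']}")
```

The point of separating the two columns is that the AWS launch above solves the signing column only: a fifteen-year backup archive wrapped with RSA-2048 is at risk today regardless of how quickly you adopt ML-DSA certificates, whereas a code-signing certificate that expires in 2028 needs no emergency action even though it uses ECDSA.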
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - AWS Private CA
# Conceptual AWS CLI commands to create a post-quantum (ML-DSA) subordinate CA.
# This example assumes a root CA already exists and that its ARN is in $ROOT_CA_ARN.
# The ML-DSA enumeration values follow the Private CA API naming (ML_DSA_44 /
# ML_DSA_65 / ML_DSA_87); confirm them against the current API reference before
# running. ML-DSA carries its own hashing, so there is no "_SHA256" variant, and
# Falcon (FN-DSA) is a different algorithm family, so "ML_DSA_FALCON_512" is not a valid name.
# 1. Create the CA configuration file (ca_config.json)
cat > ca_config.json <<'EOF'
{
"KeyAlgorithm": "ML_DSA_65",
"SigningAlgorithm": "ML_DSA_65",
"Subject": {
"Country": "US",
"Organization": "Example Corp",
"OrganizationalUnit": "Post-Quantum PKI",
"State": "Virginia",
"Locality": "Herndon",
"CommonName": "pqc-sub.example.com"
}
}
EOF
# 2. Create the subordinate CA and keep its ARN for the following steps
SUB_CA_ARN=$(aws acm-pca create-certificate-authority \
--certificate-authority-configuration file://ca_config.json \
--certificate-authority-type "SUBORDINATE" \
--query CertificateAuthorityArn --output text)
# 3. Fetch the subordinate's CSR and have the root CA sign it.
# --signing-algorithm must match the ROOT CA's key type: ML_DSA_65 for an ML-DSA root,
# or e.g. SHA384WITHECDSA for a classical root during the transition (in which
# case the chain is only as strong as that classical root).
aws acm-pca get-certificate-authority-csr \
--certificate-authority-arn "$SUB_CA_ARN" --output text > sub-ca.csr
CERT_ARN=$(aws acm-pca issue-certificate \
--certificate-authority-arn "$ROOT_CA_ARN" \
--csr fileb://sub-ca.csr \
--signing-algorithm ML_DSA_65 \
--template-arn arn:aws:acm-pca:::template/SubordinateCACertificate_PathLen0/V1 \
--validity Value=5,Type=YEARS \
--query CertificateArn --output text)
aws acm-pca wait certificate-issued \
--certificate-authority-arn "$ROOT_CA_ARN" --certificate-arn "$CERT_ARN"
aws acm-pca get-certificate --certificate-authority-arn "$ROOT_CA_ARN" \
--certificate-arn "$CERT_ARN" --query Certificate --output text > sub-ca.pem
aws acm-pca get-certificate --certificate-authority-arn "$ROOT_CA_ARN" \
--certificate-arn "$CERT_ARN" --query CertificateChain --output text > chain.pem
# 4. Import the signed certificate to activate the new post-quantum CA
aws acm-pca import-certificate-authority-certificate \
--certificate-authority-arn "$SUB_CA_ARN" \
--certificate fileb://sub-ca.pem --certificate-chain fileb://chain.pem
# 5. Issue a first post-quantum end-entity certificate from the new CA (pilot)
aws acm-pca issue-certificate --certificate-authority-arn "$SUB_CA_ARN" \
--csr fileb://service.csr --signing-algorithm ML_DSA_65 \
--validity Value=90,Type=DAYS
2. YARA Rule for RondoDox Botnet (CVE-2025-24893)
rule Detect_RondoDox_XWiki_Exploit_IOCs {
meta:
description = "Detects potential indicators associated with the RondoDox botnet exploiting XWiki CVE-2025-24893. Strings marked as placeholders are illustrative, not confirmed IOCs; replace them with indicators from your own intelligence before deployment."
author = "Threat Rundown"
date = "2025-11-17"
reference = "https://securityaffairs.com/?p=184702"
severity = "high"
tlp = "clear"
strings:
// Exploitation vector documented in the upstream advisory (GHSA-rr6p-3pfg-562j):
// an unauthenticated request to the SolrSearch page carrying a Groovy macro.
// The macro appears raw in request bodies and URL-encoded in access logs.
$exploit_path = "/bin/get/Main/SolrSearch" ascii wide nocase
$exploit_macro1 = "{{groovy}}" ascii wide nocase
$exploit_macro2 = "%7B%7Bgroovy%7D%7D" ascii wide nocase
// Placeholder post-exploitation strings from the original write-up
$s1 = "/xwiki/bin/view/Main/?rce_payload=" ascii wide
$s2 = "/tmp/javaupdate.sh" ascii wide
$s3 = "RondoDox_C2_ConnectBack" ascii wide
// Downloader command with the C2 address generalised to any IPv4 literal;
// the original literal "[redacted_c2_ip]" would never match real traffic
$s4 = /-O \/tmp\/bot\.bin http:\/\/[0-9]{1,3}(\.[0-9]{1,3}){3}\/payload/ ascii
condition:
($exploit_path and any of ($exploit_macro*)) or any of ($s*)
}
3. SIEM Query — XWiki RCE Post-Exploitation
// Splunk Search
// Detects web server processes spawning suspicious child processes, indicative of RCE.
// Field names follow the CIM Endpoint data model; adjust them to your auditd/EDR source.
// XWiki runs inside a Java servlet container, so "java" and "tomcat*" are the parents
// that matter for CVE-2025-24893; httpd/nginx cover a reverse proxy in front of it.
index=os sourcetype=linux_audit
parent_process_name IN ("java", "tomcat*", "httpd", "nginx")
process_name IN ("sh", "bash", "dash", "curl", "wget", "nc", "ncat", "python*", "perl")
| stats count, min(_time) AS first_seen, max(_time) AS last_seen, values(process_command_line) AS commands BY host, parent_process_name, process_name
| rename parent_process_name AS web_server, process_name AS suspicious_child
| convert ctime(first_seen), ctime(last_seen)
| table first_seen, last_seen, host, web_server, suspicious_child, count, commands
4. PowerShell Script — Generic IOC File Scanner
# This script scans for specific file IOCs on a list of Windows hosts via their admin shares.
# Note: RondoDox primarily targets Linux-based XWiki servers, but this can be adapted for second-stage payloads on Windows systems.
# The paths below are placeholders; replace them with IOCs from your own intelligence.
$computers = "localhost", "SERVER01", "WKSTN01"
$iocs = @(
"C:\Windows\Temp\payload.exe",
"C:\Users\Public\update.dll"
)
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Write-Host "Scanning ${computer}..." -ForegroundColor Yellow
foreach ($ioc in $iocs) {
# Convert C:\path to \\host\C$\path (requires administrative rights on the target)
$uncPath = "\\$computer\$($ioc.Replace(':', '$'))"
try {
if (Test-Path -LiteralPath $uncPath -ErrorAction Stop) {
# ${computer} is required here: "$computer:" is parsed as a scoped variable name and fails
Write-Host "[ALERT] IOC found on ${computer}: $ioc" -ForegroundColor Red
}
} catch {
# Access denied, share unavailable, or other errors
Write-Warning "Could not access path on ${computer}: $ioc ($($_.Exception.Message))"
}
}
} else {
Write-Warning "Could not connect to ${computer}."
}
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it into your threat intelligence platform, SIEM, or security orchestration tools. The identity objects are machine-extracted and uneven in quality (some are product names or headline fragments rather than organizations), so review them before import; the vulnerability, malware and report objects carry the actionable content.
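Before pushing an automatically generated bundle into a TIP, it is worth checking that it hangs together. The Python below is an added example, not part of the newsletter's tooling: it loads a bundle, lists every *_ref and *_refs property that points at an object missing from the bundle, queues identities that look like extraction artefacts for review, and pulls out the CVE identifiers. It runs on a constructed miniature bundle whose object ids are made up (only the TLP:CLEAR marking id is the standard one); point load_bundle at the JSON below to run it on the real feed.

```python
import json
from collections import Counter
from typing import Dict, List, Tuple

TLP_CLEAR = "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
DANGLING = "identity--00000000-0000-4000-8000-000000000001"   # deliberately absent

# Constructed miniature of the feed: one good identity, one headline-shaped
# junk identity, the malware and vulnerability objects, and a report whose
# references include an id that is not in the bundle. All ids are made up.
SAMPLE_BUNDLE_TEXT = json.dumps({
    "type": "bundle", "id": "bundle--1c0d8f1e-6c52-4d7b-9a55-0f6a2d3c4b5e",
    "objects": [
        {"type": "marking-definition", "spec_version": "2.1", "id": TLP_CLEAR,
         "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0",
         "name": "TLP:CLEAR", "definition": {"tlp": "clear"}},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--5d2e8a0f-3b1c-4e7d-9f60-1a2b3c4d5e6f",
         "created": "2025-11-17T23:48:06.501Z", "modified": "2025-11-17T23:48:06.501Z",
         "name": "Fortinet", "identity_class": "organization",
         "object_marking_refs": [TLP_CLEAR]},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--9b8c7d6e-5f4a-4b3c-a2d1-e0f9a8b7c6d5",
         "created": "2025-11-17T23:48:06.501Z", "modified": "2025-11-17T23:48:06.501Z",
         "name": "Logitech Confirms Data Breach Following Designation",
         "identity_class": "unknown",
         "description": "Logitech Confirms Data Breach Following Designation is a company.",
         "object_marking_refs": [TLP_CLEAR]},
        {"type": "malware", "spec_version": "2.1",
         "id": "malware--2f3e4d5c-6b7a-4c8d-b9e0-f1a2b3c4d5e6",
         "created": "2025-11-17T23:48:06.501Z", "modified": "2025-11-17T23:48:06.501Z",
         "name": "RondoDox", "is_family": True, "malware_types": ["trojan"],
         "object_marking_refs": [TLP_CLEAR]},
        {"type": "vulnerability", "spec_version": "2.1",
         "id": "vulnerability--3a4b5c6d-7e8f-4a9b-8c0d-1e2f3a4b5c6d",
         "created": "2025-11-17T23:48:06.501Z", "modified": "2025-11-17T23:48:06.501Z",
         "name": "CVE-2025-24893",
         "external_references": [{"source_name": "cve", "external_id": "CVE-2025-24893",
                                  "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24893"}],
         "object_marking_refs": [TLP_CLEAR]},
        {"type": "report", "spec_version": "2.1",
         "id": "report--7a3b1c2d-4e5f-4a6b-8c9d-0e1f2a3b4c5d",
         "created": "2025-11-17T23:48:06.503Z", "modified": "2025-11-17T23:48:06.503Z",
         "name": "Threat Intelligence Report - 2025-11-17",
         "published": "2025-11-17T23:48:06.503Z", "report_types": ["threat-report"],
         "created_by_ref": DANGLING,
         "object_refs": ["identity--5d2e8a0f-3b1c-4e7d-9f60-1a2b3c4d5e6f",
                         "identity--9b8c7d6e-5f4a-4b3c-a2d1-e0f9a8b7c6d5",
                         "malware--2f3e4d5c-6b7a-4c8d-b9e0-f1a2b3c4d5e6",
                         "vulnerability--3a4b5c6d-7e8f-4a9b-8c0d-1e2f3a4b5c6d",
                         DANGLING],
         "object_marking_refs": [TLP_CLEAR]},
    ],
})


def load_bundle(text: str) -> Dict:
    """Parse and sanity-check the envelope before touching the objects."""
    bundle = json.loads(text)
    if bundle.get("type") != "bundle" or not isinstance(bundle.get("objects"), list):
        raise ValueError("not a STIX 2.1 bundle")
    return bundle


def _refs(obj: Dict):
    """Yield (property, target id) for every *_ref / *_refs property."""
    for key, value in obj.items():
        if key.endswith("_ref") and isinstance(value, str):
            yield key, value
        elif key.endswith("_refs") and isinstance(value, list):
            for target in value:
                if isinstance(target, str):
                    yield key, target


def dangling_refs(bundle: Dict) -> List[Tuple[str, str, str]]:
    """References whose target is missing from this bundle. STIX 2.1 permits
    that, but in a feed that claims to be self-contained it usually means the
    extraction dropped an object."""
    present = {o["id"] for o in bundle["objects"] if "id" in o}
    return [(o.get("id", "?"), key, target)
            for o in bundle["objects"]
            for key, target in _refs(o) if target not in present]


def suspicious_identities(bundle: Dict) -> List[str]:
    """Review queue for machine-extracted identities: a description that only
    restates the name, or a name long enough to be a headline. A heuristic
    chosen to match the artefacts seen in this feed, not a STIX rule."""
    flagged = []
    for o in bundle["objects"]:
        if o.get("type") != "identity":
            continue
        name = o.get("name", "")
        desc = o.get("description", "").strip().lower()
        if desc == f"{name} is a company.".lower() or len(name.split()) >= 6:
            flagged.append(name)
    return flagged


def cve_ids(bundle: Dict) -> List[str]:
    """The part worth pushing straight to a vulnerability-management queue."""
    return sorted({ref["external_id"]
                   for o in bundle["objects"] if o.get("type") == "vulnerability"
                   for ref in o.get("external_references", [])
                   if ref.get("source_name") == "cve" and ref.get("external_id")})


def object_counts(bundle: Dict) -> Dict[str, int]:
    return dict(Counter(o.get("type", "?") for o in bundle["objects"]))


if __name__ == "__main__":
    b = load_bundle(SAMPLE_BUNDLE_TEXT)
    print("objects:", object_counts(b))
    print("dangling:", dangling_refs(b))
    print("review identities:", suspicious_identities(b))
    print("CVEs:", cve_ids(b))
```

Run against the full bundle below, the same four calls give you the object counts to compare with the report's EXTRACTED ENTITIES summary, any object_refs that resolve to nothing, the identities worth a second look, and the CVE list to hand to vulnerability management.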
{
"type": "bundle",
"id": "bundle--e5499d0d-32af-4bee-b114-06df398c473f",
"objects": [
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487",
"created": "2022-10-01T00:00:00.000Z",
"definition_type": "tlp:2.0",
"name": "TLP:CLEAR",
"definition": {
"tlp": "clear"
}
},
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--10fa9c38-e2fb-4a0c-9b69-9e83c2531508",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"name": "MikeGPT Intelligence Platform",
"description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds",
"identity_class": "organization",
"sectors": [
"technology",
"defense"
],
"contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--b4589691-0640-4ed9-a670-667f42883d7e",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"name": "Threat Intelligence Report - 2025-11-17",
"description": "Threat Intelligence Report - 2025-11-17\n\nThis report consolidates actionable cybersecurity intelligence from 85 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Cisco Firewall, Unified CCX, and ISE Vulnerability Summary (Nov 2025) (Score: 100)\n• Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage (Score: 100)\n• Microsoft mitigated the largest cloud DDoS ever recorded, 15.7 Tbps (Score: 100)\n• Collaborative research by Microsoft and NVIDIA on real-time immunity (Score: 100)\n• ⚡ Weekly Recap: Fortinet Exploited, China's AI Hacks, PhaaS Empire Falls & More (Score: 100)\n\nEXTRACTED ENTITIES:\n• 14 Attack Pattern(s)\n• 2 Malware(s)\n• 1 Marking Definition(s)\n• 1 Tool(s)\n• 2 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n",
"published": "2025-11-17T23:48:06.503Z",
"object_refs": [
"identity--10fa9c38-e2fb-4a0c-9b69-9e83c2531508",
"identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"identity--ddf9ab08-d8c7-40a9-8735-cef11de2c25a",
"identity--e1caf464-ddb1-4c18-aa59-f7fddf317b78",
"identity--71f85f3a-f375-4433-bbe5-13c5996244f2",
"malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"identity--64dd5a4a-9478-4b23-8273-5496fadcbb50",
"vulnerability--e5a7c537-16af-4003-b162-757807c9107d",
"identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"identity--e1fde903-5189-4f0f-968a-c4b8779de55f",
"vulnerability--79785aec-b79d-4b48-9193-077cbe55287a",
"identity--a93b92c8-300b-4246-82c4-21435ea28e99",
"identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3",
"identity--96156130-e3fd-45e1-b222-82ec42704089",
"identity--fae77683-6df0-4040-af7e-4c5c489cdb9d",
"identity--8394f2d7-b7b6-4be0-8bd6-a3bf29a65a2e",
"identity--d7348cc1-2945-4a6e-88de-8a61054f0770",
"identity--5521899f-0e13-4caf-bc42-c9b49c395a97",
"identity--c468f88a-e09b-4a28-addf-b2bb0aaa66d1",
"identity--961bf1d9-a6ca-4b5b-b1f9-cea0765e47bf",
"identity--514fc068-74fa-41c5-84ba-a27b8441532d",
"identity--156b3b47-ed2f-48fb-ab0e-b915c1e5184a",
"identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"identity--f200f78c-e02d-40c8-a93a-e3b60075276c",
"identity--8ae5d816-5a8c-4427-92e1-c2375e723814",
"identity--b1998ba8-2e4e-43c0-b93a-2e4de39859b9",
"tool--81c013c8-6886-4a1d-a232-084220d7b777",
"identity--28c67172-6169-4df2-8aea-3854138c4c6e",
"identity--592f9428-bb61-4737-b25e-0afd2936b0ce",
"malware--976ce2e1-087a-423a-8970-751424066065",
"attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6"
],
"labels": [
"threat-report",
"threat-intelligence"
],
"created_by_ref": "identity--10fa9c38-e2fb-4a0c-9b69-9e83c2531508",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.500Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--ae4d5f46-29c5-40ae-842b-378abf057c12",
"name": "Microsoft",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Microsoft is a multinational technology company that develops, manufactures, licenses, and supports a wide range of software products, services, and devices.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--ddf9ab08-d8c7-40a9-8735-cef11de2c25a",
"name": "NVISO",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "NVISO is a cybersecurity consulting firm that provides threat intelligence, incident response, and security advisory services to help organizations protect themselves against cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--e1caf464-ddb1-4c18-aa59-f7fddf317b78",
"name": "Logitech",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Logitech is a company that designs, manufactures, and markets personal computer peripherals and software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--71f85f3a-f375-4433-bbe5-13c5996244f2",
"name": "Oracle",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Oracle is a multinational technology corporation that provides enterprise software and database management systems for various industries, including cloud computing, artificial intelligence, and cybersecurity.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "malware",
"id": "malware--f0ecd81c-a5a3-471e-813d-242ae1d86322",
"name": "RondoDox",
"is_family": true,
"malware_types": [
"trojan"
],
"labels": [
"malicious-activity"
],
"description": "RondoDox is a botnet malware that targets unpatched XWiki servers to exploit vulnerabilities for arbitrary code execution, specifically leveraging the CVE-2025-24893 vulnerability for its malicious activities.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--64dd5a4a-9478-4b23-8273-5496fadcbb50",
"name": "XWiki",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "XWiki is a free and open-source wiki software platform that allows users to create and manage collaborative content and applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--e5a7c537-16af-4003-b162-757807c9107d",
"name": "CVE-2025-24893",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-24893",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-24893"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-24893",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24893"
}
],
"description": "The botnet malware known as RondoDox has been observed targeting unpatched XWiki instances against a critical security flaw that could allow attackers to achieve arbitrary code execution. The vulnerability in question is CVE-2025-24893 (CVSS score: 9.8), an eval injection bug that could allow any gu",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396",
"name": "Google",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "Google is a multinational technology company specializing in Internet-related services and products, including search engines, online advertising technologies, cloud computing, and software.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--e1fde903-5189-4f0f-968a-c4b8779de55f",
"name": "NSFOCUS Cloud DDoS Protection Service",
"identity_class": "unknown",
"labels": [
"identity"
],
"description": "NSFOCUS Cloud DDoS Protection Service is a cloud-based solution that provides real-time detection and mitigation of Distributed Denial of Service (DDoS) attacks to protect online infrastructure and applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "vulnerability",
"id": "vulnerability--79785aec-b79d-4b48-9193-077cbe55287a",
"name": "CVE-2025-20362",
"external_references": [
{
"source_name": "cve",
"external_id": "CVE-2025-20362",
"url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20362"
},
{
"source_name": "nvd",
"external_id": "CVE-2025-20362",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-20362"
}
],
"description": "CVE-2025-20333 and CVE-2025-20362 Details Cisco disclosed a new active attack variant targeting and exploiting the previously known vulnerabilities in the Cisco Secure Firewall ASA and FTD software (CVE-2025-20333 and CVE-2025-20362) leading to unpatched devices to reboot/reload unexpectedly creatin",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"vulnerability"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.501Z",
"confidence": 95,
"type": "identity",
"id": "identity--a93b92c8-300b-4246-82c4-21435ea28e99",
"name": "the Cisco Secure Firewall ASA",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "The Cisco Secure Firewall ASA is a network security appliance that provides firewall, intrusion prevention, and virtual private network (VPN) capabilities to protect and manage network traffic.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.501Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--c4bddfde-bffe-4aa3-970b-dd430d1877f3",
"name": "Fortinet",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Fortinet is a company that specializes in developing and providing cybersecurity solutions, including network security, threat protection, and network access control, to protect organizations from cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--96156130-e3fd-45e1-b222-82ec42704089",
"name": "Azure DDoS Protection",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Azure DDoS Protection is a cloud-based service that helps protect Azure resources from Distributed Denial of Service (DDoS) attacks by detecting and mitigating traffic anomalies in real-time.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--fae77683-6df0-4040-af7e-4c5c489cdb9d",
"name": "AWS Private Certificate Authority",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "AWS Private Certificate Authority is a managed service that enables organizations to create, manage, and deploy private certificates for their AWS resources and on-premises environments.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--8394f2d7-b7b6-4be0-8bd6-a3bf29a65a2e",
"name": "Tyler Tucker",
"identity_class": "individual",
"labels": [
"identity"
],
"description": "Tyler Tucker is a cybersecurity researcher and author, specializing in wireless, cellular, and satellite security. He has presented at conferences alongside Nathaniel Bennett, Martin Kotuliak, Simon Erni, Srdjan Capkun, and Kevin Butler.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--d7348cc1-2945-4a6e-88de-8a61054f0770",
"name": "ETH Zurich",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "ETH Zurich is a Swiss federal institute of technology, known for its academic excellence in science, technology, engineering, mathematics, and other fields. In the context of cybersecurity, researchers from ETH Zurich have been involved in various projects and publications related to wireless, cellular, and satellite security.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--5521899f-0e13-4caf-bc42-c9b49c395a97",
"name": "Amazon EventBridge",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Amazon EventBridge is a serverless event bus service that enables event-driven architectures by allowing users to connect and process events from various sources, such as AWS services, applications, and custom applications.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--c468f88a-e09b-4a28-addf-b2bb0aaa66d1",
"name": "NetSupport",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "NetSupport is a company that provides remote monitoring and management software for IT professionals to manage and support computers, mobile devices, and other endpoints in a network.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--961bf1d9-a6ca-4b5b-b1f9-cea0765e47bf",
"name": "eSentire",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "eSentire is a cybersecurity company that provides threat hunting, incident response, and risk management services to help organizations detect and respond to advanced cyber threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--514fc068-74fa-41c5-84ba-a27b8441532d",
"name": "StockX",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "StockX is a resale marketplace for buying and selling new and used sneakers, streetwear, and other collectibles.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--156b3b47-ed2f-48fb-ab0e-b915c1e5184a",
"name": "Tsinghua University",
"identity_class": "organization",
"labels": [
"organization"
],
"description": "Tsinghua University is a major research university in Beijing, China, and a key institution in the country's science and technology development. In the context of cybersecurity, researchers from Tsinghua University have been involved in various studies and projects related to wireless and cellular security, as well as satellite security. The university's researchers have also been authors and presenters at conferences and sessions related to these topics.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--8c1fecc5-666c-4007-be86-c4b6d149231b",
"name": "FortiWeb",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "FortiWeb is a web application firewall (WAF) that protects web applications from various types of cyber threats, including SQL injection, cross-site scripting (XSS), and denial-of-service (DoS) attacks.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--f200f78c-e02d-40c8-a93a-e3b60075276c",
"name": "Microsoft 365",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Microsoft 365 is a cloud-based productivity and security suite that integrates Microsoft Office applications, security tools, and collaboration features to enhance business productivity and protect digital assets.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--8ae5d816-5a8c-4427-92e1-c2375e723814",
"name": "Oracle’s E-Business Suite",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Oracle’s E-Business Suite is a comprehensive enterprise resource planning (ERP) software suite that integrates various business functions, including financial management, human capital management, and supply chain management, to support business operations and decision-making.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--b1998ba8-2e4e-43c0-b93a-2e4de39859b9",
"name": "Firefox & Chrome",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Firefox and Chrome are popular web browsers that provide secure and private browsing experiences, offering features such as ad-blocking, password management, and automatic updates to protect users from online threats.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "tool",
"id": "tool--81c013c8-6886-4a1d-a232-084220d7b777",
"name": "Firefox",
"tool_types": [
"unknown"
],
"labels": [
"tool"
],
"description": "Firefox is a popular open-source web browser developed by Mozilla, widely used for internet browsing and online activities. In the context provided, a user has created an extension for Firefox, indicating its relevance in the cybersecurity and online community.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--28c67172-6169-4df2-8aea-3854138c4c6e",
"name": "Tailscale",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "Tailscale is a network security company that provides a zero-configuration VPN solution for secure remote access and networking.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "identity",
"id": "identity--592f9428-bb61-4737-b25e-0afd2936b0ce",
"name": "www.token2.ch",
"identity_class": "organization",
"labels": [
"identity"
],
"description": "www.token2.ch is a company that specializes in secure authentication and access management solutions, providing products such as smart cards and authentication tokens.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 95,
"type": "malware",
"id": "malware--976ce2e1-087a-423a-8970-751424066065",
"name": "Gh0st RAT",
"is_family": true,
"malware_types": [
"remote-access-trojan"
],
"labels": [
"malicious-activity"
],
"description": "Gh0st RAT is a type of remote access trojan (RAT) malware that allows attackers to remotely access and control infected computers. It is often used by threat actors to gain unauthorized access to sensitive information and systems. In this context, Gh0st RAT is being used by the threat actor known as Dragon Breath to target Chinese-speaking users.",
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.502Z",
"modified": "2025-11-17T23:48:06.502Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc",
"name": "Exploit Public-Facing Application",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1190",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1190/",
"external_id": "T1190"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678",
"name": "Exploitation for Client Execution",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "execution"
}
],
"x_mitre_id": "T1203",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1203/",
"external_id": "T1203"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c",
"name": "Spearphishing Attachment",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/001/",
"external_id": "T1566.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65",
"name": "Spearphishing Link",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.002",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/002/",
"external_id": "T1566.002"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11",
"name": "Spearphishing via Service",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1566.003",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1566/003/",
"external_id": "T1566.003"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314",
"name": "Remote Services",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "lateral-movement"
}
],
"x_mitre_id": "T1021",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1021/",
"external_id": "T1021"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 90,
"type": "attack-pattern",
"id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7",
"name": "Supply Chain Compromise",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "initial-access"
}
],
"x_mitre_id": "T1195",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1195/",
"external_id": "T1195"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 78,
"type": "attack-pattern",
"id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237",
"name": "Botnet",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1584.005",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1584/005/",
"external_id": "T1584.005"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 75,
"type": "attack-pattern",
"id": "attack-pattern--0b9d5f9a-d372-4a5d-8f9f-e62f6d5e8719",
"name": "Vulnerabilities",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/006/",
"external_id": "T1588.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--0ec57ff0-0257-4287-888c-8f20c7e08c6b",
"name": "Cloud Secrets Management Stores",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
}
],
"x_mitre_id": "T1555.006",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1555/006/",
"external_id": "T1555.006"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3",
"name": "Archive via Utility",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1560.001",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1560/001/",
"external_id": "T1560.001"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2",
"name": "Screen Capture",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1113",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1113/",
"external_id": "T1113"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 70,
"type": "attack-pattern",
"id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18",
"name": "Adversary-in-the-Middle",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "credential-access"
},
{
"kill_chain_name": "mitre-attack",
"phase_name": "collection"
}
],
"x_mitre_id": "T1557",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1557/",
"external_id": "T1557"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
},
{
"spec_version": "2.1",
"created": "2025-11-17T23:48:06.503Z",
"modified": "2025-11-17T23:48:06.503Z",
"confidence": 69,
"type": "attack-pattern",
"id": "attack-pattern--648fba01-e867-4fc6-96df-cc8f6217bee6",
"name": "Artificial Intelligence",
"kill_chain_phases": [
{
"kill_chain_name": "mitre-attack",
"phase_name": "resource-development"
}
],
"x_mitre_id": "T1588.007",
"external_references": [
{
"source_name": "MITRE ATT&CK",
"url": "https://attack.mitre.org/techniques/T1588/007/",
"external_id": "T1588.007"
}
],
"object_marking_refs": [
"marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487"
],
"labels": [
"mitre-attack"
]
}
]
}