Cybersecurity Latest Rundown

Threat Rundown

Industry Watch

🚨 Finance (SOX/FISMA) CRITICAL

Active Insider Recruitment Campaigns

Key threat: Darknet actors offering 5k+ for internal banking access

Action: Review Insider Threat: Hackers Paying Company Insiders, WatchGuard Patches Firebox Zero-Day

Technology (General) ELEVATED

Infrastructure & Mobile Zero-Days

Key threat: Exploitation of firewalls and Android ecosystem vulnerabilities

Action: Review Android Security Update Triggers Renewed Attention, WatchGuard Patches Firebox Zero-Day

CyberSecurity Latest Rundown

Heroes, publications will be as needed this week. Here's a curated look at the current cybersecurity landscape for December 22, 2025.

CRITICAL ITEMS

Insider Threat: Hackers Paying Company Insiders to Bypass Security
Date & Time: 2025-12-22T11:44:15

A new intelligence report indicates a surge in cybercriminals actively recruiting employees from major financial, telecom, and tech sectors via Telegram and the darknet. Attackers are offering substantial cash payouts (up to $15,000) for credentials or direct internal access, bypassing traditional perimeter defenses.

Business impact

A compromised insider renders most technical defenses useless, leading to undetectable data theft or sabotage; this significantly increases liability under SOX and FISMA due to failure in access governance.

Recommended action

Ask your Security Operations team: "Do we have behavioral monitoring in place to detect anomalous data access by privileged users, and have we reminded staff of our whistleblower policies?"

CVE: n/a | Compliance: SOX, FISMA | Source: HackRead ↗
WatchGuard Patches Firebox Zero-Day Exploited in the Wild
Date & Time: 2025-12-22T09:44:19

WatchGuard has released emergency patches for a critical vulnerability in its Firebox firewall appliances that allows attackers to execute malicious code remotely without logging in. This flaw is currently being actively exploited by attackers to breach corporate networks at the perimeter.

Business impact

If exploited, attackers gain full control of your network perimeter, allowing them to intercept traffic, deploy ransomware, or pivot internally to steal sensitive data—expect immediate operational disruption and potential regulatory fines.

Recommended action

Ask your IT team: "Have we identified all WatchGuard Firebox appliances in our network and confirmed the installation of the emergency patch for the 'iked' process vulnerability?"

CVE: n/a | Compliance: SOX | Source: SecurityWeek ↗, The Hacker News ↗
Security Affairs Malware Newsletter: Active Botnet Campaigns
Date & Time: 2025-12-21T13:13:03

Recent intelligence highlights the resurgence of the AndroxGh0st botnet and "Operation MoneyMount-ISO," targeting cloud credentials and deploying phantom malware. These campaigns leverage known vulnerabilities in web frameworks to steal AWS and SendGrid keys.

Business impact

Successful infection leads to cloud resource hijacking (cryptomining) and mass data exfiltration, resulting in unexpected cloud bills and potential GDPR breaches involving customer data.

Recommended action

Ask your Cloud Security team: "Are we scanning for exposed .env files and AWS keys in our public-facing web applications?"

CVE: CVE-2021-41773 | Compliance: SOX, GDPR | Source: SecurityAffairs ↗

HIGH SEVERITY ITEMS

Waymo Suspends Service After Power Outage
Date & Time: 2025-12-22T00:53:32

A major blackout in San Francisco forced Waymo to suspend its autonomous robotaxi service after vehicles were left stranded. This incident underscores the fragility of IoT and autonomous systems when physical infrastructure (power) fails.

Business impact

For organizations relying on autonomous logistics or IoT, physical infrastructure failures can lead to immediate revenue cessation and operational paralysis.

Recommended action

Ask your Operations Director: "Do our critical IoT and autonomous systems have fail-safe protocols for extended power loss scenarios?"

CVE: n/a | Compliance: SOX | Source: SecurityAffairs ↗
Android Security Update Triggers Renewed Attention
Date & Time: 2025-12-21T13:25:29

Google's latest Android security bulletin has triggered a complex staggered rollout of patches addressing critical flaws, alongside renewed scrutiny on related ecosystem vulnerabilities like those in FortiManager. The fragmentation of these updates creates a window of exposure for enterprise mobile fleets.

Business impact

Unpatched mobile devices and management servers can serve as entry points for attackers to access corporate email and 2FA codes, potentially compromising the entire authentication chain.

Recommended action

Ask your MDM administrator: "What is our compliance status for the latest Android security patch level, and have we verified our FortiManager instances are not exposed?"

CVE: CVE-2024-47575 | Compliance: SOX | Source: CentralEyes ↗

MEDIUM SEVERITY ITEMS

Wiz Supports Oracle Cloud Identity
Date & Time: 2025-12-22T13:00:00

Wiz has expanded its Cloud Infrastructure Entitlement Management (CIEM) to Oracle Cloud Infrastructure (OCI). This allows for unified visibility into permissions and identities across multi-cloud environments, reducing the attack surface of Non-Human Identities.

CVE: n/a | Compliance: SOX | Source: Wiz ↗
Man Boards Flight Without Ticket in Security Breach
Date & Time: 2025-12-22T01:27:05

A significant physical security breach occurred at Heathrow Airport where an individual boarded a flight without any documentation. This highlights failures in physical access controls that often mirror gaps in digital identity verification.

CVE: n/a | Compliance: SOX | Source: Hacker News ↗

🔵 LOW SEVERITY ITEMS

Cyberctf.space - Early Access Open
Date & Time: 2025-12-22T09:25:08

A new Docker-based CTF platform aligned with MITRE ATT&CK techniques has opened for early access. While not a threat, it represents a new resource for training security teams on real-world exploits.

CVE: n/a | Compliance: SOX | Source: Reddit ↗

VENDOR SPOTLIGHT

Spotlight Rationale: With the surge in cloud-based threats and the specific focus on "Non-Human Identities" (NHIs) in today's intelligence, securing cross-cloud permissions is critical.

Threat Context: Security Affairs Malware Newsletter (Cloud Credential Theft)

Platform Focus: Wiz (Cloud Security Platform)

Wiz has introduced unified visibility for Oracle Cloud Infrastructure (OCI) identities, directly addressing the challenge of managing permissions across fragmented cloud environments. By mapping permissions and policies into a Security Graph, Wiz enables teams to detect the exact type of excessive agency that botnets like AndroxGh0st exploit to pivot from a compromised web app to full cloud takeover.

Actionable Platform Guidance: Enable the OCI connector in the Wiz portal to immediately ingest identity metadata. Use the Security Graph to query for "OCI Users with Admin privileges" and correlate them with "Publicly Exposed Instances" to prioritize remediation of high-risk identities.

Source: Wiz ↗

DETECTION & RESPONSE KIT

⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.

1. Vendor Platform Configuration - Wiz

# Wiz OCI Identity Integration Steps
# Goal: Gain visibility into OCI Non-Human Identities to prevent misuse

1. Login to Wiz Portal > Settings > Cloud Connectors.
2. Select "Add Connector" > "Oracle Cloud Infrastructure (OCI)".
3. Configure OCI Tenant OCID and User OCID with Reader permissions.
4. Enable "Identity Analysis" module toggle.
5. Verification Query (Wiz Graph):
Type: "Identity"
Where: "Cloud Platform" equals "OCI"
And: "Has High Privileges" equals "True"

2. YARA Rule for AndroxGh0st

rule AndroxGh0st_Botnet_Indicators {
meta:
description = "Detects artifacts associated with AndroxGh0st botnet targeting Laravel/AWS keys"
author = "Threat Rundown"
date = "2025-12-22"
reference = "https://securityaffairs.com/?p=185956"
severity = "medium"
tlp = "white"
strings:
$s1 = "AndroxGh0st" ascii wide
$s2 = "Laravel" ascii wide
$s3 = "AWS_ACCESS_KEY_ID" ascii wide
$s4 = "SendGrid" ascii wide
$s5 = "Twilio" ascii wide
$s6 = "/api/v1/configuration" ascii wide
condition:
3 of ($s*) or ( $s1 and any of ($s2,$s3,$s4) )
}

3. SIEM Query — FortiManager CVE-2024-47575 Exploitation

index=security sourcetype="fortinet:firewall"
(msg="*FortiManager*" OR app="FortiManager")
(cve="CVE-2024-47575" OR action="blocked" OR threat_name="*FortiManager*")
| eval risk_score=case(
match(_raw, "CVE-2024-47575"), 100,
action=="blocked", 50,
1==1, 25)
| where risk_score >= 50
| table _time, src_ip, dest_ip, threat_name, action, risk_score
| sort -_time

4. PowerShell Script — Check for Suspicious Port Activity (AndroxGh0st context)

$computers = "localhost"
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
# Check for processes listening on common web framework ports often targeted
$ports = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -eq 80 -or $_.LocalPort -eq 443 -or $_.LocalPort -eq 8080 }
if ($ports) {
Write-Host "[!] Web ports active on $computer - Verify application integrity against AndroxGh0st indicators."
$ports | Select-Object LocalAddress, LocalPort, OwningProcess, State
}
}
}

This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!

{ "type": "bundle", "id": "bundle--87a42c01-0933-4211-b756-9ff08d6cf8bc", "objects": [ { "type": "marking-definition", "spec_version": "2.1", "id": "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487", "created": "2022-10-01T00:00:00.000Z", "definition_type": "tlp:2.0", "name": "TLP:CLEAR", "definition": { "tlp": "clear" } }, { "type": "identity", "spec_version": "2.1", "id": "identity--a44377f8-a81f-4b08-a668-d6d577f1bb5f", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "name": "MikeGPT Intelligence Platform", "description": "AI-powered threat intelligence collection and analysis platform providing automated cybersecurity intelligence feeds", "identity_class": "organization", "sectors": [ "technology", "defense" ], "contact_information": "Website: https://mikegptai.com | Email: intel@mikegptai.com", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "type": "report", "spec_version": "2.1", "id": "report--dd6e28b4-5090-4809-995a-e5bc0ba5736f", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "name": "Threat Intelligence Report - 2025-12-22", "description": "Threat Intelligence Report - 2025-12-22\n\nThis report consolidates actionable cybersecurity intelligence from 60 sources, processed through automated threat analysis and relationship extraction.\n\nKEY FINDINGS:\n• Insider Threat: Hackers Paying Company Insiders to Bypass Security (Score: 100)\n• Android Security Update Triggers Renewed Attention with Mid-Month Changes (Score: 100)\n• Waymo suspends service after power outage hit San Francisco (Score: 100)\n• Cyberctf.space - Early Access Open (Score: 95.1)\n• Man boards flight without ticket, boarding pass or passport in security breach (Score: 93.8)\n\nEXTRACTED ENTITIES:\n• 16 Attack Pattern(s)\n• 1 Marking Definition(s)\n• 1 Vulnerability(s)\n\nCONFIDENCE ASSESSMENT:\nVariable confidence scoring applied based on entity type and intelligence source reliability. Confidence ranges from 30-95% reflecting professional intelligence assessment practices.\n\nGENERATION METADATA:\n- Processing Time: Automated\n- Validation: Three-LLM consensus committee\n- Standards Compliance: STIX 2.1\n", "published": "2025-12-22T14:59:47.606Z", "object_refs": [ "identity--a44377f8-a81f-4b08-a668-d6d577f1bb5f", "vulnerability--45bd1d6b-c7a7-481e-906a-5fd5f4dfda48", "identity--5628e46e-1b6e-44ea-b638-9a413eed25cb", "identity--383b3fde-7ceb-4c55-ba9d-b89a6dc48e8e", "identity--3f42deb4-8f25-455c-8286-1ab1da35e6df", "identity--ffcb7d8b-baba-45c2-aa38-1da79520a543", "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396", "identity--e579f0b6-29fc-4f87-be26-0870951a61da", "identity--c68346cc-fb19-42f3-a304-0715ffcaddf9", "identity--87c13a02-6790-4855-8085-815d7ed680c6", "identity--52f4ec65-cc38-4eb9-904a-c4475b19e7c1", "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314", "attack-pattern--a45b8295-9056-4ed5-b811-6e7d2a71483e", "attack-pattern--886a4798-e626-4753-818e-9a4cb8b7255a", "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "attack-pattern--41bd95ba-5d08-4741-8e71-841aca46051c", "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "attack-pattern--171b894d-4a95-4d61-a038-093eaef8dc9e" ], "labels": [ "threat-report", "threat-intelligence" ], "created_by_ref": "identity--a44377f8-a81f-4b08-a668-d6d577f1bb5f", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.701Z", "modified": "2025-12-22T14:59:46.701Z", "confidence": 95, "type": "vulnerability", "id": "vulnerability--45bd1d6b-c7a7-481e-906a-5fd5f4dfda48", "name": "CVE-2025-59374", "description": "\"UNSUPPORTED WHEN ASSIGNED\" Certain versions of the ASUS Live Update client were distributed with unauthorized modifications introduced through a supply chain compromise. The modified builds could cause devices meeting specific targeting conditions to perform unintended actions. Only devices that met these conditions and installed the compromised versions were affected. The Live Update client has already reached End-of-Support (EOS) in October 2021, and no currently supported devices or products. CVSS Score: 9.8 (CRITICAL). CISA KEV: Active exploitation confirmed. EPSS: 30.5% exploitation probability", "x_cvss_score": 9.8, "x_cvss_severity": "CRITICAL", "x_kev_status": true, "x_epss_score": 0.30457, "external_references": [ { "source_name": "cve", "external_id": "CVE-2025-59374", "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59374" }, { "source_name": "nvd", "external_id": "CVE-2025-59374", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59374" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "vulnerability" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.701Z", "modified": "2025-12-22T14:59:46.701Z", "confidence": 95, "type": "identity", "id": "identity--5628e46e-1b6e-44ea-b638-9a413eed25cb", "name": "Check Point Research", "identity_class": "organization", "labels": [ "identity" ], "description": "Cybersecurity research organization", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.701Z", "modified": "2025-12-22T14:59:46.701Z", "confidence": 95, "type": "identity", "id": "identity--383b3fde-7ceb-4c55-ba9d-b89a6dc48e8e", "name": "Apple", "identity_class": "organization", "labels": [ "identity" ], "description": "Technology company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.701Z", "modified": "2025-12-22T14:59:46.701Z", "confidence": 95, "type": "identity", "id": "identity--3f42deb4-8f25-455c-8286-1ab1da35e6df", "name": "Coinbase", "identity_class": "unknown", "labels": [ "identity" ], "description": "Cryptocurrency exchange", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.702Z", "modified": "2025-12-22T14:59:46.702Z", "confidence": 95, "type": "identity", "id": "identity--ffcb7d8b-baba-45c2-aa38-1da79520a543", "name": "the Federal Reserve", "identity_class": "organization", "labels": [ "identity" ], "description": "Central bank of the United States", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.702Z", "modified": "2025-12-22T14:59:46.702Z", "confidence": 95, "type": "identity", "id": "identity--8a7ca088-fae7-4645-8f55-5f28dd9b1396", "name": "Google", "identity_class": "organization", "labels": [ "identity" ], "description": "Technology company", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.702Z", "modified": "2025-12-22T14:59:46.702Z", "confidence": 95, "type": "identity", "id": "identity--e579f0b6-29fc-4f87-be26-0870951a61da", "name": "Android", "identity_class": "unknown", "labels": [ "identity" ], "description": "Mobile operating system", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.702Z", "modified": "2025-12-22T14:59:46.702Z", "confidence": 95, "type": "identity", "id": "identity--c68346cc-fb19-42f3-a304-0715ffcaddf9", "name": "Jiangyi Deng", "identity_class": "unknown", "labels": [ "identity" ], "description": "Researcher", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.702Z", "modified": "2025-12-22T14:59:46.702Z", "confidence": 95, "type": "identity", "id": "identity--87c13a02-6790-4855-8085-815d7ed680c6", "name": "Xinfeng Li", "identity_class": "unknown", "labels": [ "identity" ], "description": "Researcher", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.702Z", "modified": "2025-12-22T14:59:46.702Z", "confidence": 95, "type": "identity", "id": "identity--52f4ec65-cc38-4eb9-904a-c4475b19e7c1", "name": "Yanjiao Chen", "identity_class": "unknown", "labels": [ "identity" ], "description": "Researcher", "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:46.702Z", "modified": "2025-12-22T14:59:46.702Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--280ebd89-59bc-4ae2-a9db-1c01a56e50dc", "name": "Exploit Public-Facing Application", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1190", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1190/", "external_id": "T1190" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--e5974f70-5745-450a-908a-6483ad9c4678", "name": "Exploitation for Client Execution", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1203", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1203/", "external_id": "T1203" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--771ed4e5-6dde-43a8-9c72-d006b0c83e3d", "name": "Command and Scripting Interpreter", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "execution" } ], "x_mitre_id": "T1059", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1059/", "external_id": "T1059" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--2da268b5-7100-4dbc-b23b-d5deafdf268c", "name": "Spearphishing Attachment", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/001/", "external_id": "T1566.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--baad7d00-8591-4c49-8f48-fabb6a35df65", "name": "Spearphishing Link", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.002", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/002/", "external_id": "T1566.002" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--c627c29c-1385-4d76-9046-9c2db86dab11", "name": "Spearphishing via Service", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1566.003", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1566/003/", "external_id": "T1566.003" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--13fc9cbe-9444-4eba-872b-a44565ae3ab7", "name": "Supply Chain Compromise", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "initial-access" } ], "x_mitre_id": "T1195", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1195/", "external_id": "T1195" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 90, "type": "attack-pattern", "id": "attack-pattern--5aa11eb6-804f-4920-a45f-1fae275ef314", "name": "Remote Services", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "lateral-movement" } ], "x_mitre_id": "T1021", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1021/", "external_id": "T1021" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--a45b8295-9056-4ed5-b811-6e7d2a71483e", "name": "Multi-Factor Authentication", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" }, { "kill_chain_name": "mitre-attack", "phase_name": "persistence" } ], "x_mitre_id": "T1556.006", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1556/006/", "external_id": "T1556.006" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--886a4798-e626-4753-818e-9a4cb8b7255a", "name": "Multi-Factor Authentication Request Generation", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_id": "T1621", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1621/", "external_id": "T1621" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 85, "type": "attack-pattern", "id": "attack-pattern--624fa034-c944-4489-a990-1f1111e2e237", "name": "Botnet", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "resource-development" } ], "x_mitre_id": "T1583.005", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1583/005/", "external_id": "T1583.005" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 78, "type": "attack-pattern", "id": "attack-pattern--41bd95ba-5d08-4741-8e71-841aca46051c", "name": "Multi-Factor Authentication Interception", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" } ], "x_mitre_id": "T1111", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1111/", "external_id": "T1111" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--d2a77ce3-d278-4f77-97f0-227b744a33d3", "name": "Archive via Utility", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1560.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1560/001/", "external_id": "T1560.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--a6ff86fe-f269-42e5-9428-ab17d04e30e2", "name": "Screen Capture", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1113", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1113/", "external_id": "T1113" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 70, "type": "attack-pattern", "id": "attack-pattern--e8d516a9-a107-4c4b-806f-bc9c612eef18", "name": "Adversary-in-the-Middle", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "credential-access" }, { "kill_chain_name": "mitre-attack", "phase_name": "collection" } ], "x_mitre_id": "T1557", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1557/", "external_id": "T1557" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] }, { "spec_version": "2.1", "created": "2025-12-22T14:59:47.606Z", "modified": "2025-12-22T14:59:47.606Z", "confidence": 69, "type": "attack-pattern", "id": "attack-pattern--171b894d-4a95-4d61-a038-093eaef8dc9e", "name": "System Firmware", "kill_chain_phases": [ { "kill_chain_name": "mitre-attack", "phase_name": "persistence" }, { "kill_chain_name": "mitre-attack", "phase_name": "defense-evasion" } ], "x_mitre_id": "T1542.001", "external_references": [ { "source_name": "MITRE ATT&CK", "url": "https://attack.mitre.org/techniques/T1542/001/", "external_id": "T1542.001" } ], "object_marking_refs": [ "marking-definition--94868c89-83c2-464b-929b-a1a8aa3c8487" ], "labels": [ "mitre-attack" ] } ] }

Playbook for the Secure Enterprise

Industry Watch

CyberSecurity Latest Rundown

CRITICAL ITEMS

HIGH SEVERITY ITEMS

MEDIUM SEVERITY ITEMS

🔵 LOW SEVERITY ITEMS

VENDOR SPOTLIGHT

DETECTION & RESPONSE KIT

Cookie Notice

STIX 2.1 Threat Intelligence Bundle

If you like MikeGPT CyberSecurity Newsletter, spread the word.