Priority Intel Critical Now — top 6 by score
45
CISA: Hackers now exploit SolarWinds Serv-U flaw to crash servers
CISA warned today that hackers are now actively exploiting a recently patched high-severity SolarWinds Serv-U flaw to crash servers. [...]
active exploit · confidence: high · 1 source · Jun 05
  • Immediately patch SolarWinds Serv-U to versions that address CVE-2024-38112 and CVE-2024-35248.
  • Block inbound traffic to Serv-U SSH (TCP/22) and Serv-U FTP (TCP/21) ports at the network perimeter if not required for external access.
27
Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US …
Advisory at a Glance Title Iranian-Affiliated Cyber Actors Exploit Programmable Logic Controllers Across US Critical Infrastructure Original Publication April …
no exploit · confidence: medium · 1 source · Apr 06
  • Isolate Allen-Bradley/Rockwell Automation PLCs (e.g., ControlLogix, CompactLogix) from the public internet; implement a firewall with strict rules allowing only necessary traffic from trusted IPs.
  • Apply the latest firmware updates to Rockwell Automation PLCs and HMI devices, referencing advisories for CVE-2024-2193 and CVE-2024-2194.
25
Chinese APT deploys new malware to keep access to hacked networks
A Chinese espionage group tracked as UNC5221 has been accessing Microsoft 365 environments using the Brickstorm backdoor and previously undocumented malware …
no exploit · confidence: medium · 1 source · Jun 05
  • Enable Microsoft 365 audit logging and use Advanced Hunting to search for suspicious PowerShell execution (e.g., AgentPSD) or unusual file creation events associated with UNC5221 TTPs.
  • Implement Conditional Access policies requiring MFA for all administrative and user access to Microsoft 365, and block legacy authentication protocols.
25
IronWorm and New Miasma Worm Variant Hit npm in Supply Chain Attacks
Multiple software supply chain attacks have hit the npm ecosystem, with threat actors using both malicious and poisoned versions of over 50 legitimate packages …
no exploit · confidence: medium · 1 source · Jun 05
  • Implement npm audit and software composition analysis (SCA) tools to block installation of known malicious packages (e.g., 'node-hide-console-windows', 'temporary-secure-storage').
  • Enforce outbound firewall rules for developer workstations to block connections to known C2 domains used by IronWorm and Miasma.
25
Securing CI/CD in an agentic world: Claude Code GitHub Action case
Microsoft Threat Intelligence identified a prompt injection pathway in Claude Code GitHub Action that allowed access to workflow secrets under specific …
no exploit · confidence: low · 1 source · Jun 05
  • Update Claude Code GitHub Action to version 1.2.1 or later which mitigates the prompt injection vulnerability.
  • Restrict GitHub Actions workflow permissions to read-only by default using the `permissions:` key in workflows, and avoid passing secrets to AI-powered steps.
25
Android Spyware Asin Targets Arabic Users via Fake News, PDF and War Map Apps
Arabic-speaking users have emerged as the target of a new Android spyware codenamed Asin, according to findings from ESET. The Slovakian cybersecurity company …
no exploit · confidence: medium · 1 source · Jun 05
  • Deploy mobile threat defense (MTD) solutions configured to detect and block Asin spyware hashes and C2 domains (e.g., govlens[.]net).
  • Enforce Android Enterprise work profiles with application allow-listing, blocking installations from unknown sources (side-loading).