The Next Era of Vulnerability Management: What Is Exposure Management? - Qiita

Introduction: Corporate security teams are facing a serious problem right now: there are simply too many vulnerabilities. More than 25,000 CVEs are registered in the NVD (National Vulnerability Database) every year, and at many companies scans detect tens of thousands to hundreds of thousands of vulnerabilities...

Qiita

CTEM for the External Perimeter

Hi, Habr! I'm Aidar Fatykhov, product manager at Innostage. I want to walk through a practical task that the security teams of large companies run into regularly: protecting the hottest spot in the infrastructure, the external network perimeter. Vulnerability reports keep growing, the attack surface is constantly changing and expanding, there are never enough hands to close the risks, and there is no clear answer to what should be fixed first on the external perimeter. Technical tools do get deployed: various scanners, firewalls, WAFs and other products, but in many cases the problem is not a lack of tools but the gap between the discovered vulnerabilities and the business value of the assets, fragmented handling of data from different security tools, and the absence of a proper consolidation of data from external and internal scanners into a single picture. Below I'll go through how to approach this task with the CTEM framework: tie detection results to context and telemetry, obtain manageable priorities, and drive remediation to a confirmed result through re-verification.

Why the perimeter, specifically?

Before moving on to the methodology, it's worth stating why the external perimeter almost always ends up in focus. The perimeter changes faster than anything else. New services appear, configurations get edited, ports open and close, temporary test stands and pilots pop up here and there. A significant share of the risk arises precisely at the junction of change and control. In the first half of 2025, our experts at Innostage SOC CyberART recorded a 50% rise in OSINT incidents, to almost 10 thousand. More than 70% of those incidents were tied to changes on the perimeter: ports being opened, service configurations changing, new resources appearing, or changes to information about existing ones. This is an important signal: the perimeter is often vulnerable not because of one specific vulnerability but because of unmanaged changes and weak control over exactly what is exposed to the outside and how.

https://habr.com/ru/companies/innostage/articles/995384/

#CTEM #Внешний_сетевой_периметр #управление_уязвимостями #ASM #Приоритизация_рисков #SIEM #телеметрия_безопасности #Проактивное_управление_угрозами #threat_intelligence #osint

CTEM for the External Perimeter

How to move from vulnerability reports to proactive management of perimeter threats, prioritized by business context. Hi, Habr! I'm Aidar Fatykhov, product manager at Innostage. I want to walk through...

Habr

2026: Time for Risk-First in Security, Not Just Controls

Will 2026 be the year we stop staring at the warning lights and finally turn the wheel? In brief: the point is for security to stop being a catalogue of threats and become a decision-making system.

Read more:
https://pressmind.org/rok-2026-czas-na-risk-first-w-bezpieczenstwie-a-nie-tylko-kontrolki/

#PressMindLabs #agentoweai #ctem #ransomware #riskfirst #roc

Fortinet’s 2026 Cyberthreat Predictions anticipate a shift toward automated, AI-driven, high-throughput cybercrime.

AI-enabled reconnaissance, accelerated intrusion, and industrialized attack workflows may significantly reduce defender response windows.

Do you see machine-speed defence becoming standard in 2026?

Source: https://www.expresscomputer.in/news/fortinet-warns-of-machine-speed-cybercrime-in-2026-new-report-predicts-rise-of-ai-driven-attacks-and-industrialized-cybercrime-networks/130351/

Follow us for more detailed threat insights and technical updates.

#CyberSecurity #ThreatIntel #Fortinet #AIThreats #CTEM #MachineSpeedDefense #Infosec #TechNadu

Continuous Exposure Management: How CEM Is Revolutionizing Vulnerability Remediation

SOC analysts waste valuable time triaging false positives and on manual investigations.

https://www.all-about-security.de/continuous-exposure-management-wie-cem-die-schwachstellenbehebung-revolutioniert/

#ctem #cem #ContinuousExposureManagement #soc #schwachstellen #kitools #Assets

Effective Exposure Management: Security Rethought

Discover effective exposure management: how alerts are turned into actionable measures against cyber threats.

All About Security

Legacy vulnerability management is out. Continuous Threat Exposure Management (CTEM) is in. Discover how it brings risk prioritization to security teams. #CTEM #Zafran #Gartner #VulnerabilityManagement https://jpmellojr.blogspot.com/2025/11/gartners-ctem-advances-vulnerability.html

Alright team, it's been a packed 24 hours in the cyber world! We've got major updates on active exploitation, nation-state activity, a massive crypto seizure, and some serious data privacy concerns. Let's dive in:

Recent Cyber Attacks & Breaches ⚠️

- Japanese brewer Asahi confirmed its September cyberattack was ransomware (Qilin group) and personal information may have been exfiltrated.
- Qilin claims 27GB of data, including employee records, causing significant disruption to Asahi's logistics and delaying financial results.
- This incident, alongside a UK NCSC report, highlights a sharp rise in ransomware and data theft attacks globally.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/14/asahi_breach_update/

Qantas Customer Data Leaked by Scattered LAPSUS$ Hunters ✈️

- Australian airline Qantas confirmed the Scattered LAPSUS$ Hunters group released customer data stolen in a July cyberattack via a third-party Salesforce platform.
- Data for 5.7 million people was affected, including names, emails, and frequent flyer numbers, though no credit card or passport details were compromised.
- Salesforce refused to pay the ransom, leading to the data release, and while the FBI took down initial leak domains, the hackers quickly established new platforms.
🗞️ The Record | https://therecord.media/qantas-cybercriminals-stolen-data

Michigan City Falls Victim to Obscura Ransomware 🏙️

- Michigan City, Indiana, confirmed a September "network disruption" was a ransomware attack by the Obscura gang, impacting government systems and data.
- Obscura claims to have stolen 450GB of data and has since published it after the ransom deadline expired.
- This incident adds to a growing list of municipalities targeted by ransomware, highlighting the critical need for robust incident response and recovery plans.
🗞️ The Record | https://therecord.media/michigan-indiana-city-ransomware

Massive Crypto Seizure in "Pig Butchering" Scam Crackdown 💰

- US authorities, in coordination with the UK, seized an unprecedented $15 billion in Bitcoin from Chen Zhi, chairman of Cambodia's Prince Group, for operating a vast "pig butchering" crypto investment fraud network.
- The criminal enterprise involved human trafficking, forced labour in scam compounds, and sophisticated money laundering techniques across over 30 countries.
- This marks the largest financial seizure in Justice Department history and a significant blow against transnational cybercrime operations in Southeast Asia.
🤫 CyberScoop | https://cyberscoop.com/southeast-asia-cybercrime-networks-sanctions-seizure/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-seizes-15-billion-in-crypto-from-pig-butchering-kingpin/
🗞️ The Record | https://therecord.media/feds-sanction-cambodian-conglomerate-scams-seize-15-billion

New Threat Research & Tradecraft 🛡️

Malicious Packages Weaponise Discord for C2 📦

- Researchers found malicious npm, PyPI, and RubyGems packages (e.g., mysql-dumpdiscord, sqlcommenter_rails) using Discord webhooks as command-and-control (C2) channels.
- These packages exfiltrate sensitive developer data like config files, API keys, and host details, leveraging Discord's free and fast webhooks to avoid hosting infrastructure and blend with normal traffic.
- North Korean threat actors, part of the "Contagious Interview" campaign, also deployed over 300 malicious npm packages, often typosquatting legitimate ones, to deliver malware like HexEval and BeaverTail to Web3 and crypto developers.
🌐 The Hacker News | https://thehackernews.com/2025/10/npm-pypi-and-rubygems-packages-found.html

Flax Typhoon Abuses ArcGIS for Year-Long Persistence 🗺️

- The Chinese state-sponsored APT group Flax Typhoon (aka Ethereal Panda, RedJuliett) maintained undetected persistence for over a year by weaponising a Java Server Object Extension (SOE) in the ArcGIS geo-mapping tool.
- Attackers used valid administrator credentials to upload a malicious SOE acting as a web shell, then installed SoftEther VPN Bridge as a Windows service for covert C2 and lateral movement.
- This novel technique highlights how sophisticated actors "live off the land" by manipulating legitimate software components to evade detection and establish deep, long-term access.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-geo-mapping-tool-for-year-long-persistence/
🌐 The Hacker News | https://thehackernews.com/2025/10/chinese-hackers-exploit-arcgis-server.html

Vulnerabilities & Active Exploitation 🚨

Fortra GoAnywhere MFT Zero-Day Actively Exploited ⚠️

- Fortra confirmed active exploitation of CVE-2025-10035, a maximum-severity flaw in its GoAnywhere MFT service, with Microsoft linking it to the Storm-1175 ransomware group.
- The vulnerability allows unauthorised activity, but researchers are still questioning how attackers obtained a private key seemingly required for exploitation, highlighting a transparency gap.
- CISA has added this to its Known Exploited Vulnerabilities Catalog, urging immediate patching for both cloud and on-premises deployments.
🤫 CyberScoop | https://cyberscoop.com/fortra-goanywhere-vulnerability-exploitation/

Microsoft Edge IE Mode Zero-Day Under Attack 🌐

- Microsoft is restricting Internet Explorer mode in Edge after discovering active exploitation of an unpatched zero-day in the Chakra JavaScript engine.
- Attackers use social engineering to direct targets to spoofed websites, prompting them to load pages in IE mode, then exploit the Chakra flaw for remote code execution and privilege escalation.
- Users should be cautious of prompts to activate IE mode, and enterprise users should ensure policies are in place to limit its use to only necessary, trusted sites.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/microsoft-restricts-ie-mode-access-in-edge-after-zero-day-attacks/

Oracle E-Business Suite Hit by Multiple Zero-Days 🔓

- Oracle has rushed out another emergency patch for CVE-2025-61884 (CVSS 7.5) in its E-Business Suite (EBS) Runtime UI, a remotely exploitable flaw allowing unauthenticated access to sensitive resources.
- This follows a previous zero-day (CVE-2025-61882) exploited by the Clop ransomware group, with a PoC for CVE-2025-61884 publicly leaked by ShinyHunters.
- Oracle's disclosure around these EBS vulnerabilities has been criticised for lack of clarity, with multiple exploit chains observed and IOCs not always aligning with patches, making it crucial for admins to apply all available updates immediately.
🕵🏼 The Register | https://go.theregister.com/feed/www.theregister.com/2025/10/14/oracle_rushes_out_another_emergency/
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/oracles-silently-fixes-zero-day-exploit-leaked-by-shinyhunters/

AMD RMPocalypse Threatens Confidential Computing 💻

- AMD has released fixes for "RMPocalypse" (CVE-2025-0033, CVSS 5.9), a race condition in EPYC processors' SEV-SNP confidential computing that allows a malicious hypervisor to manipulate the Reverse Map Paging (RMP) table.
- A single 8-byte write to the RMP can lead to a full breach of confidentiality and integrity for confidential virtual machines (CVMs), enabling arbitrary tampering and secret exfiltration.
- Affected EPYC 7003, 8004, 9004, and 9005 series processors require BIOS updates, with some embedded versions still awaiting fixes.
🌐 The Hacker News | https://thehackernews.com/2025/10/rmpocalypse-single-8-byte-write-shatters-amds-sev-snp-confidential-computing.html

Android "Pixnapping" Steals 2FA Codes Pixel-by-Pixel 📱

- A new side-channel attack, "Pixnapping" (CVE-2025-48561, CVSS 5.5), affects Google and Samsung Android devices (versions 13-16), allowing rogue apps to steal sensitive data like 2FA codes without permissions.
- The attack combines the GPU.zip side-channel with Android's window blur API to covertly extract pixels from other apps, including secure communication tools like Signal and Google Authenticator, in under 30 seconds for 2FA codes.
- While Google issued a patch in September, a bypass was found, and a more robust fix is expected in December 2025; an app list bypass remains unpatched.
🌐 The Hacker News | https://thehackernews.com/2025/10/new-pixnapping-android-flaw-lets-rogue-apps-steal-2fa-codes-without-permissions.html
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/new-android-pixnapping-attack-steals-mfa-codes-pixel-by-pixel/

Secure Boot Bypass on Linux Framework Systems 🐧

- Approximately 200,000 Linux Framework laptops were shipped with signed UEFI shells containing a 'memory modify' (mm) command, which can be exploited to bypass Secure Boot protections.
- This command allows direct read/write access to system memory, enabling attackers to disable signature verification and load persistent bootkits that evade OS-level controls.
- Framework is rolling out firmware updates (BIOS/DBX) to address this oversight, and users are urged to apply patches or implement physical access prevention as a temporary mitigation.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/security/secure-boot-bypass-risk-on-nearly-200-000-linux-framework-sytems/

Microsoft's October Patch Tuesday: 6 Zero-Days, 172 Flaws 🩹

- Microsoft's October Patch Tuesday addressed 172 vulnerabilities, including six zero-days, making it the largest assortment of defects disclosed this year.
- Two actively exploited zero-days are CVE-2025-24990 (Windows Agere Modem Driver Elevation of Privilege) and CVE-2025-59230 (Windows Remote Access Connection Manager Elevation of Privilege), both added to CISA's KEV catalog.
- Other notable fixes include CVE-2025-0033 (AMD RMPocalypse) and CVE-2025-47827 (IGEL OS Secure Boot bypass), with Windows 10 reaching its end of free support.
🤖 Bleeping Computer | https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2025-patch-tuesday-fixes-6-zero-days-172-flaws/
🤫 CyberScoop | https://cyberscoop.com/microsoft-patch-tuesday-october-2025/

Threat Landscape Commentary 🌍

UK Cyberattacks Reach Record High 📈

- The UK's NCSC reported a record 204 "nationally significant" cyberattacks between September 2024 and August 2025, more than double the previous year, with 18 being "highly significant."
- This surge in sophisticated and frequent hostile cyber activity, exemplified by incidents like the Jaguar Land Rover disruption, poses a direct threat to the UK's economic security.
- The government is urging CEOs and board chairs of leading businesses to take concrete actions and make cyber resilience a top-level responsibility.
🗞️ The Record | https://therecord.media/uk-hit-by-record-number-significant-cyberattacks

Taiwan Reports Surge in Chinese Cyber & Disinformation Campaigns 🇨🇳

- Taiwan's National Security Bureau (NSB) warns of a significant increase in Chinese cyberattacks and online disinformation, with government networks facing 2.8 million intrusions daily (17% increase).
- These state-level operations, involving the PLA and other agencies, target critical infrastructure and use "online troll armies" and AI-generated content to erode public trust and sow division ahead of 2026 elections.
- The campaign aims to promote pro-China narratives and undermine trust in the US, highlighting the integrated nature of cyber espionage and information warfare.
🗞️ The Record | https://therecord.media/taiwan-nsb-report-china-surge-cyberattacks-influence-operations/

#CyberSecurity #ThreatIntelligence #Ransomware #ZeroDay #Vulnerability #ActiveExploitation #APT #NationState #DataBreach #Privacy #PatchTuesday #SupplyChainAttack #Malware #CTEM #Infosec

Asahi breach leaves bitter taste as brewer fears personal data slurped

Japan's beer behemoth still mopping up after ransomware spill that disrupted deliveries and delayed results

The Register

@scottwilson Not dissing the article, nor the (newer) term #CTEM, however isn't real time, prioritized, validated and continual improvement what we have wanted for many years?
Such as understanding actual exposure (the environmental metric in CVSS) etc.

(Might just be grumpy ol' me) <3

How CTEM Boosts Visibility and Shrinks Attack Surfaces in Hybrid and Cloud Environments

CTEM is a continuous strategy that assesses risk from an attacker's view, helping orgs prioritize threats across cloud and hybrid environments.

Security Affairs