ConnectWise Automate vulnerable to agent communication interception

ConnectWise patched two vulnerabilities in Automate (CVE-2025-11492 and CVE-2025-11493) affecting versions prior to 2025.9. They allow network attackers to intercept unencrypted agent communications and substitute malicious updates due to inadequate encryption enforcement and integrity checks.

**If you're running on-premises ConnectWise Automate (any version before 2025.9), plan an update to 2025.9 and then verify that TLS 1.2 or higher encryption is enforced for all agent communications. Otherwise, someone will find a way to inject malware in the packets reaching ConnectWise or the endpoints, and hack them.**
#cybersecurity #infosec #advisory #vulnerability
https://beyondmachines.net/event_details/connectwise-automate-vulnerable-to-agent-communication-interception-j-r-5-f-v/gD2P6Ple2L

#CyberSecurity #Apprenticeships

Alt...

THIS PRAYING MANTIS TRAPPED IN AMBER IS OVER 30 MILLION YEARS OLD. ALMOST ENOUGH YEARS OF EXPERIENCE FOR A JUNIOR CYBERSECURITY ROLE

Another edition of Scrolls is now out. Go take a look! 📜 👀

https://shellsharks.com/scrolls/scroll/2025-10-17

There's a lot of great links (as always), and I have everyone below to thank! Those mentioned below have made this week's writeup as fun and unique as ever.

@bojidar_bg @jaz @xandra @susam @nova @readbeanicecream @mdhughes @anubiarts @nopatience @JohnHammond @ana @ragman @qsky @grimalkina @ricci @clarigaricus @xero @gayint @jaz @Mikal @sylvia

#infosec #cybersecurity #indieweb #fediverse

It appears that someone here in Massachusetts found my unused domain BostonSocial.online a tempting domain to use for spamming Massachusetts people. But because I have my unused domains protected from being spoofed, they failed.

Spoofers constantly try using all my domains. I guarantee it's happening with your domains. If your domains aren't protected from it, people are getting emails that appear to be coming from you.

Here's a report sent to me by one of the larger email providers (mail.ru) informing me of a spoof attempt. They tossed the email.

Only a very few larger email providers will provide notifications. I appreciate the notifications when I get them.

Protect your domains, unused or otherwise, from spammer takeover!

https://www.cloudflare.com/learning/dns/dns-records/protect-domains-without-email/

#CyberSecurity #Spoofing #Spammers

Alt...

Image of an XML file sent by mail.ru showing a rejected attempt by an IP address in Massachusetts to use my BostonSocial.online domain for spam email.

The #Signal App gets only a 9 out of 10 for #Privacy protection, and it's not just because it requires a phone number.

"While most of Google’s analytics are turned off in the Signal app, it still uses the Google Maps API to handle location data. Calls to Google Maps turn over a bunch of metadata, including the IP you’re connecting from. For a project that’s so invested in privacy, it’s surprising that Signal doesn’t use an open source alternative such as Open Street Map."

They call a Google API with location data and hand over the IP? Seriously?

https://www.mozillafoundation.org/en/nothing-personal/signal-privacy-review/#good-and-bad

#cybersecurity

One year, I had a chat with the fine people @suricata during the @cert_eu conference, and they were wondering why we didn't create an open source website for all the different rules (YARA, Suricata, and many others) — a place to allow comments, reviews, bundling, and integration with @misp.

We’ve just released the first beta version of the rulezet.org service! 🎉

The platform is open and publicly available and the entire back-end is fully open source.

It’s still in beta, so feedback is very welcome!

🔗 https://rulezet.org/

#cti #yara #threatintelligence #osint #dfir #cybersecurity #suricata

@misp
@circl

Alt...

rulezet.org screenshot of a Suricata rule.

Alt...

rulezet.org screenshot of a list of rules.

I'm curious to hear what others are #SelfHosting! Here's my current setup:

Hardware & OS

• Hardware: #RaspberryPi500 (8 GB RAM, 512 GB SD card) #RPi #RPi500 #SingleBoardComputers #HomeLab
• OS: #Stormux, an accessible #Linux distro based on #ArchLinuxARM #LinuxAccessibility #AccessibleTech

Infrastructure & Networking

• Dashboard: #Glance (#Docker) #DockerApps
• Reverse Proxy: #Caddy
• DNS: #Cloudflare
• Domain Registrar: #Porkbun
• Networking & Remote Access: #Tailscale (non-Docker), love its SSH agent and magic DNS features. #NetworkSecurity

Security & Monitoring

• Ad Blocking: #AdGuardHome (non-Docker). Previously used PiHole but find AdGuardHome slightly faster. #PrivacyTools
• Server Monitoring: #Beszel (non-Docker). Tried Grafana/Prometheus/Alertmanager (accessible but overkill) and Netdata (poor screen reader accessibility). Beszel isn't perfect but best compromise so far. #ServerMonitoring
• Server Overview: #Cockpit (non-Docker)
• Security Tools: #Fail2ban, #FirewallD, #ClamAV, and #Rkhunter (non-Docker). Tried CrowdSec but couldn't get it working on Stormux. #CyberSecurity
• Service Uptime Monitoring: #UptimeKuma (Docker), accessible and easy to use. #MonitoringTools

Authentication & Identity Management

• Authelia (Docker): Just set this up for two-factor authentication and single sign-on. Seems to be working well so far!
  
• LLDAP (Docker): Lightweight LDAP server for managing authentication. Also seems to be working pretty well!
  #AuthenticationTools #IdentityManagement

Productivity & Personal Tools

• Docker Management: #Dockge (Docker). More accessible than Portainer; main issue is built-in terminal isn't readable with screen readers. #DockerCompose
• Docker Logs Viewer: #Dozzle (Docker), great web interface and easy searching.
• Git Hosting: #Forgejo (non-Docker), my personal Git server. #GitServer
• Backups: #IDrive (non-Docker), backs up all my devices easily. #BackupSolutions
• Notes: #Joplin server (Docker). Accessibility improving; love the VSCode extension. #NoteTakingApps
• Bookmarks: #Linkding (Docker). Accessible bookmark manager with good browser extension support. #BookmarkManager
• Recipes: #Mealie (Docker), starting to learn cooking! 🍳📖  #CookingApps
• RSS Feeds: #Miniflux (non-Docker), excellent accessibility. Originally wanted better podcast support but other options had major accessibility issues. #RSSReader
• Automation & Workflows: #N8N (Docker). Haven't explored deeply yet—open to ideas! #AutomationTools #WorkflowAutomation
• Pastebin Service: #PrivateBin (non-Docker). Considering alternatives or CLI tool for easier console access. #PastebinAlternative
• File Sharing & Editing: #Samba (non-Docker), easy file management from my Windows 11 mini PC. #FileSharing #Windows11
• Search Engine: #SearXNG (non-Docker), accessible and searches multiple engines at once. #PrivacySearchEngine
• IRC Client: #TheLounge (non-Docker). Some accessibility issues but best I've found so far for always-connected IRC. #IRCClient
• Read Later Service: #Wallabag (Docker). Biggest issue is Wallabagger Chrome extension doesn't work for me yet. #ReadItLater

Notifications & Development Workflow

• Notifications via: #Ntfy (Docker) and Zoho's ZeptoMail (#Zoho)
• Development Environment: Mostly using VSCode connected to my server via Remote-SSH extension. #VSCodeRemote

Accessibility Focus ♿️🖥️

Accessibility heavily influences my choices—I use a screen reader full-time (#ScreenReader), so I prioritize services usable without sight (#InclusiveDesign, #DigitalAccessibility). Always open to discussing accessibility experiences or recommendations!

I've also experimented with:

• Ollama (#Ollama): Not enough RAM on my Pi.
• Habit trackers like Beaver Habit Tracker (#HabitTracking): Accessibility issues made it unusable for me.

I don't really have a media collection, so no Plex or Jellyfin here (#MediaServer)—but I'm always open to suggestions! I've gotten a bit addicted to exploring new self-hosted services! 😄

What's your setup like? Any cool services you'd recommend I try?

#SelfHosted #LinuxSelfHost #OpenSource #TechCommunity #FOSS #TechDIY

@selfhost @selfhosted @selfhosting@a.gup.pe

🎣 Phishing Alert!

Malicious attackers use lookalike domains to trick you into clicking fake links. These sites steal logins, banking info & more.

🛡️ Stay safe:
🔹 Double-check URLs
🔹 Don’t log in via links
🔹 Bookmark official sites

👉 Check the full guide: https://tuta.com/blog/how-to-prevent-phishing

Stay alert this #CyberSecurityMonth

#CyberSecurity #Phishing

Alt...

Image of a hacker with the text: Spot the difference? citibank.com VS citibank.com The "a" in the second url is a cyrillic letter, directing to a hacker's website.

Hmm, Mastodon always reminds you that direct messages are not End to End encrypted (and can be snagged by any other server or appropriate request). T*** Social is also based on the same software, THEREFORE, certain rage posting people known for accidentally public posting DMs also have publicly accessible DMs. That's got to be great for National Security. 🤔 #cybersecurity

Anthropic: "In a joint study with the UK AI Security Institute and the Alan Turing Institute, we found that as few as 250 malicious documents can produce a "backdoor" vulnerability in a large language model—regardless of model size or training data volume. "

https://www.anthropic.com/research/small-samples-poison

#cybersecurity #backdoor #datapoisoning #llm #ai

Alt...

A small number of samples can poison LLMs of any size

404 Media: BREAKING: A catastrophic breach has impacted Discord user data including selfies and identity documents uploaded as part of the app’s verification process, email addresses, phone numbers, approximately where the user lives.

https://www.404media.co/the-discord-hack-is-every-users-worst-nightmare/

#discord #breach #cybersecurity

just to let you guys know, i'm not ever joining #infragard ever. infragard for starters, is now using cloudflare for its products. now I guess that's not a sin on its own, I have used cloudflare, and use it for workers applications.
but as we know, cloudflare ended up in a data breech. now for someone like me, that's fine. I know what I 'mdoing, I use 2factor authentication, i'm pretty good...
but for infragard? yeah, that's...pretty fucking stupid, because they want their own information sharing network.
again, my website is just want average Joe website.
it can withstand a couple hours of outage.]
but infragard absa fucking lutely cannot take a hit, because this isn't some average Joe website, it's an entire threat assessment #threat information sharing network.
they need absolute uptime.
second, I don't know if you're aware, but infragard was actually using #microsoft #windows server 2012 in the passed. keep in mind, this isn't supported anymore. in fact, I have to bet they're still using it today.
just hiding it to make us not think they're using it by putting it behind cloudflare.
and also, they're using a service called id.me which had a major unauthorized access incedent back in 2018.
o and infragard had a hole registration fuckin breech which involved a user called USDOD registering as a CEO with no legal verification.
if I was running infragard, I'd do things a lot differently.
first off, maybe run some actual fucking hardware, I don't know? maybe run some new up to date shit? sounds like a great idea, right? it's never been done before, it's absolutely amazing right?
...no!
it can be done, and I don't know why it hasn't.
but second, i'd use PIVs, not some email/and/or password. in fact, if you are working for the military you must use a PIV/CAC to login. it's mandatory.
also, I wouldn't run the application online. i'd have them vetted at a local FBI office and/or in a friendly country the US partners with.
this will be a lot more secure than vetting online which clearly didn't work last time.
so really this information sharing act congress had was basically useless on the point it was not secure.
@kkarhan #infosec #opsec #cybersecurity

wonna know something?
so there's a company called cellcrypt which (was) actually NSA certified. they're trying to get certified again, it's expected to come out of testing soon.
but they wrote this artical which is now archived https://web.archive.org/web/20250126023940/https://www.cellcrypt.com/post/consumer-secure-messaging-apps-are-not-the-solution for those that can't parse hyperlinks. they basically argue against public infrastructure (reasonible) yet they now have an offering which uses public infrastructure.
are you for it, or are you against it? com e on, make up your mind!
@kkarhan #infosec #cybersecurity #security #encryption #cellcrypt #niap #nsa

📢 FOR IMMEDIATE RELEASE - Ivy Cyber Launches Course Taught by CIA Whistleblower @JohnKiriakou and Yale #Cybersecurity Expert @profdiggity 👇

https://ivycyber.com/press-release-ivy-cyber-launches-surveillance-defense-course/

Alt...

Ivy Cyber Press Release

Alt...

Ivy Cyber Press Release

Want to shout out Silobreaker for a moment - they've been putting out *really* well-done geopolitical briefs every week that provide substantial, timely, and relevant analysis without feeling like a chore to make time for.

#threatintel #infosec #cybersecurity

https://www.silobreaker.com/resources/reports/silobreaker-weekly-geopolitical-risk-brief/

https://www.linkedin.com/newsletters/geopolitical-risk-briefs-7198660674779004928/

🔐 Tor Browser 14.5.8 released — now available for all platforms

This update includes key security patches from Firefox, updated Tor (0.4.8.19), and OpenSSL (3.5.4). 🔧
Fixes include Safest mode search issues, HTTPS exception bugs, and Snowflake bridge updates. 🛠️

YEC 2025 UI changes also implemented across desktop and Android. 📱💻

🔗 https://blog.torproject.org/new-release-tor-browser-1458/

#Tor #Privacy #CyberSecurity #Firefox #OpenSource #TorBrowser #Linux #Android #iOS #TechNews #Encryption #SecurityUpdate #OpenSSL #Snowflake

Not quite back on the normal Friday publishing cadence but I've got another issue of Scrolls out today! I think this officially catches me up on things I'd been saving over the past few weeks/months. Check it out for a ton of awesome #IndieWeb, #Fediverse and #Infosec / #cybersecurity stuff as usual!

https://shellsharks.com/scrolls/scroll/2025-10-07

Thanks to everyone below for their contributions to this weeks edition. The stuff they create and share make this newsletter so fun and interesting!

@mkj @daemon_nova @anarodrigues @AlexWolfe @sophie @daj @patcharcana @syuilo @molly0xfff @sparklepanic @johnnydecimal @SJHoodlet @octade @vilmibm @domi @ricci @hamatti @axxuy @Larvitz @artlung @davew @stefan @mathling @stephtara @tek @Taweret @joel @Edmonds_Scanner

If you need something to read this morning, we published original research on Friday around an activity cluster specifically targeting 18+ interests, especially gambling and porn.

Well. Also tax websites. Which I suppose is an adult interest, of a sort. But not as fun.

#threatintel #infosec #cybersecurity

https://infosec.exchange/@DomainTools/115311254350600284

New, from us, today: coordinated cluster of dozens of domains delivering infostealers or phishing credentials, targeting users of TikTok, YouTube, gambling apps, and more. Domain profiles and deeper IOCs provided.

#infosec #cybersecurity #threatintel

https://dti.domaintools.com/securitysnack-18e-crime/

Last paper I read from Agarwal & Vasek was great, excited to dive into this one.

Fishing for Smishing: Understanding SMS Phishing Infrastructure and Strategies by Mining Public User Reports

Agarwal, Sharad; Papasavva, Antonis; Suarez-Tangil, Guillermo; Vasek, Marie.

Proceedings of the ACM Internet Measurement Conference 2025

#infosec #cybersecurity

https://discovery.ucl.ac.uk/id/eprint/10214522/

Hardly a surprise, considering the region. There will certainly be more that hasn't been uncovered throughout that region.

The Record: Researchers uncover spyware targeting messaging app users in the UAE https://therecord.media/researchers-spyware-uae-infections @therecord_media #cybersecurity #infosec #spyware

I hope nobody is really using a free fly-by-night VPN.

https://www.infosecurity-magazine.com/news/free-vpn-apps-security-flaws/

#CyberSecurity #VPN

Did that thing again where I reach deep into the DomainTools Investigations noosphere to mine our infosec egregores and present them on a monthly cadence.

or...y'know...drummed up a reading list of stuff that caught our attention.

#infosec #cybersecurity

https://dti.domaintools.com/cybersecurity-reading-list-week-of-2025-09-29/

welp, #k12 #sysadmins , I found a new #vulnerability of #contentkeeper #cloud AKA CK-Express TP extension client side.
the new vulnerability still evolves around DNS, but still works either way.
I have moved to enterprise cloud flare gateway and modified a DNS configuration.
the problem with blocking is it still goes someware.
so let me tell you an even better solution for this: DNS remapping!
specifically, remapping all requests to contentkeeper.net and it's related subdomains to 0.0.0.0 which means CK doesn't even know what it doesn't connect to.
again, fokes, this is why you don't use client side agents for web filtering!
this is not a good idea!
again, you're trusting contentkeeper will be able to connect without a single problem.
the problem with the last flaw was that it attempted to display a block page. but this? this is even better because it can't do anything at all, even during the first initialization process ,it will simply think the device is completely offline with no network connection.
and like the last one that simply blocked rather than remapped, it gives a device not supported error.
it still needs to be on first reinitialization, but this will work.
here's how it works.
first, a user makes a DNS request not to block, but to remap, DNS entries from contentkeeper.net to 0.0.0.0 . ideally, also connections to contentkeeper.com, goguardian.com, and some other services to the same IP (this is completely possible to do on cloud flares end in 1 policy) but that's out of the scope of this.
next, they point to their DNS string which cloud flare has assigned them, or, if it has a static DNS IP, point to that.
of course, again, it needs to point on startup, either through the signin screen or before opening chrome. even better, turn off the wifi for a bit, go to the settings of the saved networks, then from there change the nameservers, bam!
and once done, if CK-ETP attempts to start, it will not work.
yes, I have found a nother #security vulnerability which is even better than reblock.
#cybersecurity #security #webfiltering #cipa #contentkeeper

alright #k12 #sysadmin and #cybersecurity fokes, we are going to have a nice...chat...
here's a little lesson for your #web #filtering #webfiltering solutions.
if you have to use a web filtering solution like contentkeeper express than this is bad!
let me tell you why.
remember when contentkeeper said they knew how to keep tech savi kids from bypassing the filter?
not anymore!
there are 2 vulnerabilities that allow for this.
the first is turn off the wifi of the device for the default period of time, which is usually 5minutes, though I think it has been increased to 5mins and 30sec.
the second one is even more proactive, though. simply block the contentkeeper.net domains, so it can't contact anything in any way whatsoever.
this works more well than you might expect, because when it needs to initialize, it tries to phone home.
this is something it, simply put, cannot do if the domain is blocked on the DNS or DPI level.
it's just impossible, take it from me.
and after that period of time contentkeeper will give the same error each vulnerability, system compatability check complete. result: failed.

something like that.
here's what should happen.
your districts device should automatically connect to an on prem proxy server, or at least a contentkeeper server hosted on your domain, EG, ckj01.insertschooldistricthere.com and have it do the filtering. that way even if that domain is blocked at DNS level, it cannot connect to the internet at all, and they will have to change the DNS server.
the DNS solution is actually more comfortable because you don't have to remember to wait 5minutes and turn the wifi back on, it's just blocked, and all that user has Todo is wait.
yhid is why I don't recommend you use extensions for this purpose, they don't work, they have multiple flaws.

From 2020, but this is hilarious (someone who hacked a coffee maker and replaced it with their own firmware)

https://www.gendigital.com/blog/insights/research/the-fresh-smell-of-ransomed-coffee-0

#hacked #coffee #cybersecurity

In case you need good weekend reading, make sure you've hit this @InfobloxThreatIntel piece on Vane Viper.

It's absurdly well-done, weaving expert technical details with deep narrative to provide a thorough understanding of not just malicious adtech but related behavior and effective methods to fingerprint and track it.

#threatintel #cybersecurity #infosec

https://blogs.infoblox.com/threat-intelligence/deniability-by-design-dns-driven-insights-into-a-malicious-ad-network/

ICYMI, quick reminder that @DomainTools Investigations published a comprehensive writeup on SALT TYPHOON yesterday.

I'm particularly proud of it, and we're getting really positive feedback on it.

#threatintel #infosec #cybersecurity

https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/

Cofense, from yesterday: Inside Vietnamese Threat Actor Lone None’s Copyright Takedown-Spoofing Campaign https://cofense.com/blog/inside-vietnamese-threat-actor-lone-none-s-copyright-takedown-spoofing-campaign #cybersecurity #infosec

Interpol, posted yesterday: USD 439 million recovered in global financial crime operation https://www.interpol.int/News-and-Events/News/2025/USD-439-million-recovered-in-global-financial-crime-operation #cybersecurity #infosec

Breakfast is served!

This morning, DomainTools Investigations published a comprehensive report on SALT TYPHOON consolidating known intelligence, indictments, IOCs, and operational profiles for Salt Typhoon to support attribution, detection, and threat modeling.

#infosec #threatintel #cybersecurity

https://dti.domaintools.com/inside-salt-typhoon-chinas-state-corporate-advanced-persistent-threat/

Random advice: Pegging an IT employee's performance review to the number/volume of IT or cybersecurity incidents filed/resolved will backfire, one way or another. #cybersecurity

@ai6yr

Interesting how the narrative is being handled

"...within 35 miles of the U.N..." got translated into a Russia / China / Israel plot against the UN GA

"“My instinct is this is #espionage,” said Ferrante, who previously served in top cybersecurity positions at the White House & the FBI."

In addition to jamming the cellular network, [Anthony J. Ferrante, the global head of the #cybersecurity practice at FTI] said, such a large amount of equipment near the #UN could be used for #Eavesdropping."

Last time I bothered to check there was a *hell* of a lot of important stuff "...within 35 miles of the U.N..."

Oh well...

Thread here: https://masto.ai/@Nonilex/115253809123931700

Hmm, interesting, wonder who funded this absolutely massive cache of cell phone devices and SIMs?

(links to .gov)

https://www.secretservice.gov/newsroom/releases/2025/09/us-secret-service-dismantles-imminent-telecommunications-threat-new-york

#cybersecurity #communications #telecom

Alt...

Pile of cell phone devices with antennas