Category: Cybersecurity

  • You Are What You Eat: Why Your AI Security Tools Are Only as Strong as the Data You Feed Them

    Just as triathletes know that peak performance requires more than expensive gear, cybersecurity teams are discovering that AI success depends less on the tools they deploy and more on the data that powers them

    The junk food problem in cybersecurity

    Imagine a triathlete who spares no expense on equipment—carbon fiber bikes, hydrodynamic wetsuits, precision GPS watches—but fuels their training with processed snacks and energy drinks. Despite the premium gear, their performance will suffer because their foundation is fundamentally flawed. Triathletes see nutrition as the fourth discipline of their training that can have a significant impact on performance and can even determine race outcomes.

    Today’s security operations centers (SOCs) face a similar issue. They’re investing heavily in AI-powered detection systems, automated response platforms, and machine learning analytics—the equivalent of professional-grade triathlon equipment. But they’re powering these sophisticated tools with legacy data feeds that lack the richness and context modern AI models need to perform effectively.

    Just as a triathlete needs to master swimming, cycling, and running in seamless coordination, SOC teams must excel at detection, investigation, and response. However, without their own “fourth discipline,” SOC analysts will be working with sparse endpoint logs, fragmented alert streams, and data silos that don’t communicate. It’s like trying to complete a triathlon fueled only by a bag of chips and a beer: no matter how good your training or equipment, you’re not crossing the finish line first. While you may load up on sugar and calories on race day to ensure you have the energy to make it through, that isn’t a sustainable, long-term regimen that will optimize your body for the best performance.

    The hidden cost of legacy data diets

    “We’re living through the first wave of an AI revolution, and so far the spotlight has focused on models and applications,” said Greg Bell, Corelight chief strategy officer. “That makes sense, because the impacts for cyber defense are going to be huge. But I think there’s starting to be a dawning realization that ML and GenAI tools are gated by the quality of data they consume.”

    This disconnect between advanced AI capabilities and outdated data infrastructure creates what security professionals are now calling “data debt”—the accumulated cost of building AI systems on foundations that weren’t designed for machine learning consumption.

    Traditional security data often resembles a triathlete’s training diary filled with incomplete entries: “Ran today. Felt okay.” It provides basic information but lacks the granular metrics, environmental context, and performance correlations that enable genuine improvement. Legacy data feeds typically include:

    • Sparse endpoint logs that capture events but miss the behavioral context
    • Alert-only feeds that tell you something happened but not the full story
    • Siloed data sources that can’t correlate across systems or time periods
    • Reactive indicators that only activate after damage is already done and offer no historical perspective
    • Unstructured formats that require extensive processing before AI models can analyze them

    The adversary is already performance-enhanced

    While defenders struggle with data that’s nutritionally deficient for AI consumption, attackers have optimized their approach with the discipline of elite athletes. They’re leveraging AI to create adaptive attack strategies that are faster, cheaper, and more precisely targeted than ever before by:

    • Automating reconnaissance and exploit development to accelerate attack speed
    • Reducing the cost per attack, increasing potential threat volume faster
    • Personalizing approaches based on AI-gathered intelligence to deliver more targeted attacks
    • Generating quicker iteration and improvement of tactics based on what is working

    Meanwhile, many SOCs are still trying to defend against these AI-enhanced threats using data equivalent to a 1990s training regimen—with just basic heart rate information—when the competition is using comprehensive performance analytics, environmental sensors, and predictive modeling.

    This creates an escalating performance gap. As attackers become more sophisticated in their use of AI, the quality of defensive data becomes increasingly critical. Poor data doesn’t just slow down detection—it actively undermines the effectiveness of AI security tools, creating blind spots that sophisticated adversaries can exploit.

    AI-ready data: the performance enhancement SOCs need

    The solution lies in fundamentally reimagining security data architecture around what AI models actually need to perform effectively. This means transitioning from legacy data feeds to what could be called “AI-ready” data—information that’s structured, enriched, and optimized specifically for AI analysis and automation.

    AI-ready data shares characteristics with the comprehensive performance metrics that elite triathletes use to optimize their training. Just as these athletes track everything from power output and cadence to environmental conditions and recovery markers, AI-ready security data captures not just what happened, but the full context surrounding each event.

    This includes network telemetry that provides visibility before encryption obscures the evidence, comprehensive metadata that reveals behavioral patterns, and structured formats that AI models can immediately process without extensive preprocessing. It’s data that’s been specifically designed to feed the three critical components of AI-powered security operations.

    AI-driven threat detection becomes dramatically more effective when powered by forensic-grade network evidence that includes full context and real-time collection across on-premise, hybrid, and multi-cloud environments. This enables AI models to identify subtle patterns and anomalies that would be invisible in traditional log formats.

    AI workflows transform the analyst experience by providing expert-authored processes enhanced with AI-driven payload analysis, historical context, and session-level summaries. This is equivalent to having a world-class coach who can instantly analyze performance data and provide specific, actionable guidance for improvement.

    AI-enabled ecosystem integrations ensure that AI-ready data flows seamlessly into existing SOC tools—SIEMs, SOAR platforms, XDR systems, and data lakes—without requiring custom integrations or format conversions. It’s automatically compatible with nearly every tool in an analyst’s arsenal.

    The compound effect of superior data

    The impact of transitioning to AI-ready data creates a compound effect across security operations. Teams can correlate unusual access patterns and privilege escalations in ephemeral cloud environments, critical for addressing cloud-native threats that traditional tools miss. They gain expanded coverage for novel, evasive, and zero-day threats while enabling faster development of new detections.

    Perhaps most importantly, analysts can quickly understand incident timelines without parsing raw logs, get plain-language summaries of suspicious behaviors across hosts and sessions, and focus their attention on priority alerts with clear justifications for why each incident matters.

    “High quality, context-rich data is the ‘clean fuel’ AI needs to achieve its full potential,” added Bell. “Models starved of quality data will inevitably disappoint. As AI augmentation becomes the standard for both attack and defense, organizations that succeed will be the ones that understand a fundamental truth: in the world of AI security, you are what you eat.”

    The training decision every SOC must make

    As AI becomes standard for both attack and defense, AI-driven security tools can’t reach their potential without the right data. Organizations that continue feeding these systems with legacy data may find their significant investment in next-generation technology underperforming against increasingly advanced threats. Those that recognize this isn’t about replacing existing security investments — it’s about providing them with the high-quality fuel to deliver on their promise — will be positioned to unlock AI’s competitive advantage.

    In the escalating battle against AI-enhanced threats, peak performance truly begins with what you feed your engine.

    For more information about industry-standard security data models that all the major LLMs have already been trained on, visit www.corelight.com. Corelight delivers forensic-grade telemetry to power SOC workflows, drive detection, and enable the broader SOC ecosystem.


    Source: thehackernews.com…

  • Storm-2603 Deploys DNS-Controlled Backdoor in Warlock and LockBit Ransomware Attacks

    Aug 01, 2025 | Ravie Lakshmanan | Threat Intelligence / Ransomware

    The threat actor linked to the exploitation of the recently disclosed security flaws in Microsoft SharePoint Server is using a bespoke command-and-control (C2) framework called AK47 C2 (also spelled ak47c2) in its operations.

    The framework includes at least two different types of clients, HTTP-based and Domain Name System (DNS)-based, which have been dubbed AK47HTTP and AK47DNS, respectively, by Check Point Research.

    The activity has been attributed to Storm-2603, which, according to Microsoft, is a suspected China-based threat actor that has leveraged the SharePoint flaws – CVE-2025-49706 and CVE-2025-49704 (aka ToolShell) – to deploy Warlock (aka X2anylock) ransomware.

    Evidence gathered from an analysis of VirusTotal artifacts shows that the previously unreported threat cluster may have been active since at least March 2025, deploying ransomware families like LockBit Black and Warlock together, something that is not commonly observed among established e-crime groups.

    “Based on VirusTotal data, Storm-2603 likely targeted some organizations in Latin America throughout the first half of 2025, in parallel to attacking organizations in APAC,” Check Point said.

    The attack tools used by the threat actor include legitimate open-source and Windows utilities like masscan, WinPcap, SharpHostInfo, nxc, and PsExec, as well as a custom backdoor (“dnsclient.exe”) that uses DNS for command-and-control with the domain “update.updatemicfosoft[.]com.”

    The backdoor is part of the AK47 C2 framework, alongside AK47HTTP, that’s employed to gather host information and parse DNS or HTTP responses from the server and execute them on the infected machine via “cmd.exe.” The initial access pathway used in these attacks is unknown.

    A point worth mentioning here is that the aforementioned infrastructure was also flagged by Microsoft as used by the threat actor as a C2 server to establish communication with the “spinstall0.aspx” web shell. In addition to the open-source tools, Storm-2603 has been found to distribute three additional payloads –

    • 7z.exe and 7z.dll, the legitimate 7-Zip binary that’s used to sideload a malicious DLL, which delivers Warlock
    • bbb.msi, an installer that uses clink_x86.exe to sideload “clink_dll_x86.dll,” which leads to LockBit Black deployment

    Check Point said it also discovered another MSI artifact uploaded to VirusTotal in April 2025 that’s used to launch Warlock and LockBit ransomware, and also drop a custom antivirus killer executable (“VMToolsEng.exe”) that employs the bring your own vulnerable driver (BYOVD) technique to terminate security software using ServiceMouse.sys, a third-party driver provided by Chinese security vendor Antiy Labs.

    Ultimately, Storm-2603’s exact motivations remain unclear at this stage, making it harder to determine if it’s espionage-focused or driven by profit motives. However, it bears noting that there have been instances where nation-state actors from China, Iran, and North Korea have deployed ransomware on the side.

    “Storm-2603 leverages BYOVD techniques to disable endpoint defenses and DLL hijacking to deploy multiple ransomware families – blurring the lines between APT and criminal ransomware operations,” Check Point said. “The group also uses open-source tools like PsExec and masscan, signaling a hybrid approach seen increasingly in sophisticated attacks.”


    Source: thehackernews.com…

  • Secret Blizzard Deploys Malware in ISP-Level AitM Attacks on Moscow Embassies

    Jul 31, 2025 | Ravie Lakshmanan | Cyber Espionage / Network Security

    The Russian nation-state threat actor known as Secret Blizzard has been observed orchestrating a new cyber espionage campaign targeting foreign embassies located in Moscow by means of an adversary-in-the-middle (AitM) attack at the Internet Service Provider (ISP) level and delivering a custom malware dubbed ApolloShadow.

    “ApolloShadow has the capability to install a trusted root certificate to trick devices into trusting malicious actor-controlled sites, enabling Secret Blizzard to maintain persistence on diplomatic devices, likely for intelligence collection,” the Microsoft Threat Intelligence team said in a report shared with The Hacker News.

    The activity is assessed to be ongoing since at least 2024, with the campaign posing a security risk to diplomatic personnel relying on local ISPs or telecommunications services in Russia.

    Secret Blizzard (formerly Krypton), affiliated with the Russian Federal Security Service, is also tracked by the broader cybersecurity community under the monikers Blue Python, Iron Hunter, Pensive Ursa, Snake, SUMMIT, Uroburos, Turla, Venomous Bear, and Waterbug.

    In December 2024, Microsoft and Lumen Technologies Black Lotus Labs disclosed the hacking group’s use of a Pakistan-based threat actor’s command-and-control (C2) infrastructure to carry out its own attacks as a way to cloud attribution efforts.

    The adversary has also been observed piggybacking on malware associated with other threat actors to deliver its Kazuar backdoor on target devices located in Ukraine.

    The Windows maker noted that the AitM position is likely facilitated by lawful intercept and includes the installation of root certificates under the guise of Kaspersky antivirus to obtain elevated access to the system.

    Initial access is achieved by redirecting target devices to threat actor-controlled infrastructure by putting them behind a captive portal, leading to the download and execution of the ApolloShadow malware.

    “Once behind a captive portal, the Windows Test Connectivity Status Indicator is initiated—a legitimate service that determines whether a device has internet access by sending an HTTP GET request to hxxp://www.msftconnecttest[.]com/redirect, which should direct to msn[.]com,” Microsoft said.

    “Once the system opens the browser window to this address, the system is redirected to a separate actor-controlled domain that likely displays a certificate validation error, which prompts the target to download and execute ApolloShadow.”

    The malware then beacons host information to the C2 server and runs a binary called CertificateDB.exe should the device not be running on default administrative settings, and retrieves as a second-stage payload an unknown Visual Basic Script.

    In the last step, the ApolloShadow process launches itself again and presents the user with a User Account Control (UAC) pop-up window, instructing them to grant it the highest privileges available to the user.

    ApolloShadow’s execution path varies if the running process is already running with sufficient elevated privileges, abusing them to set all networks to Private via registry profile changes and create an administrative user with the username UpdatusUser and a hard-coded password, allowing persistent access to the machine.

    “This induces several changes, including allowing the host device to become discoverable, and relaxing firewall rules to enable file sharing,” the company said. “While we did not see any direct attempts for lateral movement, the main reason for these modifications is likely to reduce the difficulty of lateral movement on the network.”

    Once this step is successfully completed, victims are shown a window indicating that the deployment of the digital certificates is in progress, causing two root certificates to be installed on the machine using the certutil utility. Also dropped is a file called “wincert.js” that allows Mozilla Firefox to trust the root certificates.

    To defend against Secret Blizzard activity, diplomatic entities operating in Moscow are urged to implement the principle of least privilege (PoLP), periodically review privileged groups, and route all traffic through an encrypted tunnel to a trusted network or use a virtual private network (VPN) service provider.


    Source: thehackernews.com…

  • Experts Detect Multi-Layer Redirect Tactic Used to Steal Microsoft 365 Login Credentials

    Jul 31, 2025 | Ravie Lakshmanan | Phishing / Threat Intelligence

    Cybersecurity researchers have disclosed details of a new phishing campaign that conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses.

    “Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” the Cloudflare Email Security team said.

    “While this is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time.”

    The activity, observed over the last two months, once again illustrates how threat actors find different ways to leverage legitimate features and trusted tools to their advantage and perform malicious actions, in this case, redirecting victims to Microsoft 365 phishing pages.

    It’s noteworthy that the abuse of link wrapping involves the attackers gaining unauthorized access to email accounts that already use the feature within an organization, so that any email message containing a malicious URL sent from that account is automatically rewritten with the wrapped link (e.g., urldefense.proofpoint[.]com/v2/url?u=<malicious_website>).

    Another important aspect concerns what Cloudflare calls “multi-tiered redirect abuse,” in which the threat actors first cloak their malicious links using a URL shortening service like Bitly, and then send the shortened link in an email message via a Proofpoint-secured account, causing it to be obscured a second time.

    This behavior effectively creates a redirection chain, where the URL passes through two levels of obfuscation – Bitly and Proofpoint’s URL Defense – before taking the victim to the phishing page.
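
    The two layers described above can be peeled apart offline during mail triage. The following is an added example, not code from Cloudflare, Proofpoint or the article: it decodes the v2 wrapper form quoted above (assuming the v2 encoding in which `-` stands for `%` and `_` for `/`) and flags a wrapped link whose inner target is a URL shortener. The shortener host list and all sample URLs are constructed.

```python
from urllib.parse import parse_qs, unquote, urlsplit

WRAPPER_HOST = "urldefense.proofpoint.com"  # wrapper host quoted in the article
SHORTENER_HOSTS = {"bit.ly", "bitly.com"}   # assumption: extend for your own mail flow
V2_TABLE = str.maketrans("-_", "%/")        # v2 wrapper: '-' means '%', '_' means '/'

# Constructed sample links (no real campaign data).
SAMPLE_LINKS = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3ExAmPlE&d=DwMFaQ&c=constructed",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example.com_hr_benefits-2D2025.pdf&d=x",
    "https://www.example.org/news",
]


def refang(url):
    """Undo the defanging used in reports ('[.]' and 'hxxp')."""
    url = url.strip().replace("[.]", ".")
    if url.lower().startswith("hxxp"):
        url = "http" + url[4:]
    return url


def with_scheme(url):
    """urlsplit() only fills in hostname when a scheme is present."""
    return url if "://" in url else "https://" + url


def unwrap_proofpoint_v2(url):
    """Return the URL carried in the 'u' parameter, or None if not a v2 wrapper."""
    parts = urlsplit(with_scheme(refang(url)))
    if (parts.hostname or "").lower() != WRAPPER_HOST or parts.path != "/v2/url":
        return None
    values = parse_qs(parts.query).get("u")
    if not values:
        return None
    return unquote(values[0].translate(V2_TABLE))


def analyse_link(url, max_layers=5):
    """Peel wrapper layers and report what sits underneath, without any network access."""
    layers = []
    current = refang(url)
    for _ in range(max_layers):          # bounded, in case a wrapper wraps a wrapper
        inner = unwrap_proofpoint_v2(current)
        if inner is None:
            break
        layers.append("proofpoint-urldefense-v2")
        current = inner
    host = (urlsplit(with_scheme(current)).hostname or "").lower()
    is_shortener = host in SHORTENER_HOSTS
    if is_shortener:
        layers.append("shortener:" + host)
    return {
        "layers": layers,
        "innermost_url": current,
        "innermost_host": host,
        # Wrapper plus shortener is the two-level chain the article describes.
        "multi_tier": len(layers) >= 2,
        # A shortener's destination is only known at click time, so the
        # link should be resolved in a sandbox before it is trusted.
        "needs_click_time_resolution": is_shortener,
    }


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        result = analyse_link(link)
        verdict = "REVIEW" if result["multi_tier"] else "ok"
        print(f"{verdict:6} {result['innermost_url']}  layers={result['layers']}")
```

    A link that comes back with `multi_tier` set has a final destination that neither the wrapper domain nor the decoded URL reveals, so reputation checks on the visible host say nothing about where the click lands.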

    In the attacks observed by the web infrastructure company, the phishing messages masquerade as voicemail notifications, urging recipients to click on a link to listen to them, ultimately directing them to a bogus Microsoft 365 phishing page designed to capture their credentials.

    Alternate infection chains employ the same technique in emails that notify users of a supposed document received on Microsoft Teams and trick them into clicking on booby-trapped hyperlinks.

    A third variation of these attacks impersonates Teams in emails, claiming that they have unread messages and that they can click on the “Reply in Teams” button embedded in the messages to redirect them to credential harvesting pages.

    “By cloaking malicious destinations with legitimate urldefense[.]proofpoint[.]com and url[.]emailprotection URLs, these phishing campaigns’ abuse of trusted link wrapping services significantly increases the likelihood of a successful attack,” Cloudflare said.

    The development comes amid a spike in phishing attacks that weaponize Scalable Vector Graphics (SVG) files to get around traditional anti-spam and anti-phishing protections and initiate multi-stage malware infections.

    “Unlike JPEG or PNG files, SVG files are written in XML and support JavaScript and HTML code,” the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) said last month. “They can contain scripts, hyperlinks, and interactive elements, which can be exploited by embedding malicious code within harmless SVG files.”

    Phishing campaigns have also been observed embedding fake Zoom videoconferencing links in emails that, when clicked, trigger a redirection chain to a fake page that mimics a realistic-looking interface, after which they are served a “meeting connection timed out” message and taken to a phishing page that prompts them to enter their credentials to rejoin the meeting.

    “Unfortunately, instead of ‘rejoining,’ the victim’s credentials along with their IP address, country, and region are exfiltrated via Telegram, a messaging app notorious for ‘secure, encrypted communications,’ and inevitably sent to the threat actor,” Cofense said in a recent report.


    Source: thehackernews.com…

  • N. Korean Hackers Used Job Lures, Cloud Account Access, and Malware to Steal Millions in Crypto

    Jul 31, 2025 | Ravie Lakshmanan | Cryptocurrency / Malware

    The North Korea-linked threat actor known as UNC4899 has been linked to attacks targeting two different organizations by approaching their employees via LinkedIn and Telegram.

    “Under the guise of freelance opportunities for software development work, UNC4899 leveraged social engineering techniques to successfully convince the targeted employees to execute malicious Docker containers in their respective workstations,” Google’s cloud division said [PDF] in its Cloud Threat Horizons Report for H2 2025.

    UNC4899 overlaps with activity tracked under the monikers Jade Sleet, PUKCHONG, Slow Pisces, and TraderTraitor. Active since at least 2020, the state-sponsored actor is known for its targeting of cryptocurrency and blockchain industries.

    Notably, the hacking group has been implicated in significant cryptocurrency heists, including that of Axie Infinity in March 2022 ($625 million), DMM Bitcoin in May 2024 ($308 million), and Bybit in February 2025 ($1.4 billion).

    Another example that highlights its sophistication is the suspected exploitation of JumpCloud’s infrastructure to target downstream customers within the cryptocurrency vertical.

    According to DTEX, TraderTraitor is affiliated with the Third Bureau (or Department) of North Korea’s Reconnaissance General Bureau and is the most prolific of any of the Pyongyang hacking groups when it comes to cryptocurrency theft.

    Attacks mounted by the threat actor have entailed leveraging job-themed lures or uploading malicious npm packages, and then approaching employees at target companies with a lucrative opportunity or asking them to collaborate on a GitHub project that would then lead to the execution of the rogue npm libraries.

    “TraderTraitor has demonstrated a sustained interest in cloud-centric and cloud-adjacent attack surfaces, often with a final goal of compromising companies that are customers of cloud platforms rather than the platforms themselves,” cloud security firm Wiz said in a detailed report of TraderTraitor this week.

    The attacks observed by Google Cloud targeted the respective organizations’ Google Cloud and Amazon Web Services (AWS) environments, paving the way for a downloader called GLASSCANNON that’s then used to serve backdoors like PLOTTWIST and MAZEWIRE that can establish connections with an attacker-controlled server.

    In the incident involving the Google Cloud environment, the threat actors have been found to employ stolen credentials to interact remotely using Google Cloud CLI over an anonymous VPN service, carrying out extensive reconnaissance and credential theft activities. However, they were thwarted in their efforts due to the multi-factor authentication (MFA) configuration applied to their credentials.

    “UNC4899 eventually determined the victim’s account had administrative privileges to the Google Cloud project and disabled the MFA requirements,” Google said. “After successfully gaining access to the targeted resources, they immediately re-enabled MFA to evade detection.”

    The intrusion targeting the second victim’s AWS environment is said to have followed a similar playbook, only this time the attackers used long-term access keys obtained from an AWS credential file to interact remotely via AWS CLI.

    Although the threat actors ran into access control roadblocks that prevented them from performing any sensitive actions, Google said it found evidence that likely indicated the theft of the user’s session cookies. These cookies were then used to identify relevant CloudFront configurations and S3 buckets.

    UNC4899 “leveraged the inherent administrative permissions applied to their access to upload and replace existing JavaScript files with those containing malicious code, which were designed to manipulate cryptocurrency functions and trigger a transaction with the cryptocurrency wallet of a target organization,” Google said.

    The attacks, in both cases, ended with the threat actors successfully withdrawing several million worth of cryptocurrency, the company added.

    The development comes as Sonatype said it flagged and blocked 234 unique malware npm and PyPI packages attributed to North Korea’s Lazarus Group between January and July 2025. Some of these libraries are configured to drop a known credential stealer referred to as BeaverTail, which is associated with a long-running campaign dubbed Contagious Interview.

    “These packages mimic popular developer tools but function as espionage implants, designed to steal secrets, profile hosts, and open persistent backdoors into critical infrastructure,” the software supply chain security firm said. “The surge of activity in H1 2025 demonstrates a strategic pivot: Lazarus is now embedding malware directly into open source package registries, namely npm and PyPI, at an alarming rate.”


    Source: thehackernews.com…

  • AI-Driven Trends in Endpoint Security: What the 2025 Gartner® Magic Quadrant™ Reveals

    Cyber threats and attacks like ransomware continue to increase in volume and complexity with the endpoint typically being the most sought after and valued target. With the rapid expansion and adoption of AI, it is more critical than ever to ensure the endpoint is adequately secured by a platform capable of not just keeping pace, but staying ahead of an ever-evolving threat landscape.

    SentinelOne’s steadfast commitment to delivering AI-powered cybersecurity enables global customers and partners to achieve resiliency and reduce risk with real-time, autonomous protection across the entire enterprise — all from a single agent and console with a robust, rigorously tested platform that keeps the customer in control.

    Cybersecurity today isn’t just about detection—it’s about operational continuity under pressure. For example, endpoint solutions must account for encrypted traffic inspection, policy enforcement during identity compromise, and fast containment across distributed environments. These capabilities are especially critical in industries like healthcare or finance, where seconds can mean regulatory penalties or breached patient records.

    Gartner recently named SentinelOne a Leader in the 2025 Gartner® Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive year. This recognition builds on the Singularity Platform’s momentum in innovation as the first solution with an AI analyst and the first unified platform delivering EDR, CNAPP, Hyperautomation, and SIEM to be FedRAMP High (the highest level of U.S. federal cloud security authorization) Authorized.

    SentinelOne provides protection for organizations of all sizes—from small businesses to global governments and enterprises—meeting their unique needs in the face of an increasingly complex cyber landscape. The Singularity Platform secures organizations across any device, any OS, and any cloud, providing industry-leading signal-to-noise so SOC teams can focus on responding as quickly as possible. With advanced XDR, AI SIEM, and CNAPP capabilities, a lightweight agent, and responsible architecture, SentinelOne offers a solution designed for both security and operational resiliency.

    Organizations using Singularity Endpoint and Purple AI detect threats 63% faster, reduce MTTR by 55%, and lower the likelihood of a security incident by 60%. Customers have reported a 338% ROI over three years, maximizing the value of their security investments while strengthening their endpoint security.

    For example, a healthcare provider using SentinelOne reported cutting incident response time by over 50% during a phishing-induced ransomware outbreak, thanks to automated rollback and unified visibility across cloud workloads and endpoints.

    Many teams searching for EDR or XDR platforms are trying to answer: “Will this reduce alert fatigue?” or “Can it integrate with my SIEM or SOAR stack without more overhead?” This is where automation must go beyond buzzwords—reducing manual triage, stitching disconnected signals, and working with existing tools instead of replacing them.

    SentinelOne has set the standard in modern endpoint protection since entering the market more than a decade ago, disrupting both traditional antivirus and early next-gen AV approaches.

    Unlike signature-based protection and cloud-dependent defenses, the platform pioneered the use of static and behavioral AI and machine learning to detect even novel techniques, solve for both online and air-gapped environments, and automate response. These innovations differentiate SentinelOne from traditional AV and even next-gen EDR solutions, offering deeper automation and on-device intelligence compared to competitors that rely heavily on cloud lookups or manual workflows.

    This innovation, architecture, and design philosophy continues to evolve through Purple AI, advanced behavioral detection models, automated remediation and rollback, XDR capabilities, and more. The security platform now offers solutions spanning Identity, Cloud, AI SIEM, Hyperautomation, expert-managed detection and response, and a range of threat services.

    Accelerating the SOC and staying ahead of attacks in the age of AI requires platforms that harness innovation in AI and automation to radically improve detection, triage, and response. SentinelOne’s platform has long embedded AI and automation as a foundational element. The company continues to develop accessible, compliant AI and automation to transform the SOC.

    Behavioral AI and the Future of Cyber Threat Detection

    Over the last decade, SentinelOne has advanced behavioral AI detections, automated remediation, and introduced agentic AI for security.

    Rather than merely assisting analysts, agentic AI—defined as a class of autonomous AI systems capable of initiating and executing security actions without human prompting—autonomously takes action, handles routine tasks, and accelerates decision making while keeping the human operator in control.

    Purple AI, the platform’s AI security analyst, translates natural language questions into powerful threat hunting queries, suggests follow-up questions, recommends next steps, and generates reports and email summaries to accelerate remediation. Built on the Open Cybersecurity Schema Framework (OCSF), a vendor-agnostic standard for unifying data models, Purple AI ensures unified visibility across all security data, enabling fast, precise threat detection.

    Figure 2: A natural language query using Purple AI to hunt for Privilege Escalation activity

    This capability is integrated into Singularity Complete, SentinelOne’s EDR solution, positioning Purple AI as a transformative force in SOC operations. By combining human insight with AI-level reasoning and automation, it enables faster, more accurate triage, investigation, threat management, and response.

    How Endpoint Security Has Evolved in the Age of AI

    Product innovation remains central to SentinelOne’s strategy, driven by customer feedback, cost and time savings, and deep integration of AI and automation.

    • Detects suspicious and malicious patterns in real time using behavioral and static AI models across servers, workstations, and workloads
    • Correlates telemetry data from endpoints, cloud workloads, and identity sources into detailed, visual Storylines
    • Offers one-click rollback to a pre-attack state, drastically reducing remediation time
    • Enables custom workflows and incident response via Singularity Hyperautomation’s no-code, drag-and-drop canvas

    Figure 3: Storyline helps security teams understand, investigate, and respond to threats faster and more effectively

    SentinelOne also plays a central role in Zero Trust architectures, supporting identity-based segmentation and continuous trust evaluation across cloud, hybrid, and air-gapped environments. By aligning with frameworks like MITRE ATT&CK, OCSF, and NIST 800-207, the platform enables cohesive telemetry correlation and policy enforcement—positioning it not just as endpoint protection, but as a pillar of enterprise-wide cyber resilience.

    Balancing Control and Stability in Modern Cybersecurity Platforms

    The Singularity Platform delivers simplicity, stability, and ease of use across various deployment environments—on-premises, hybrid, air-gapped, or fully cloud-based. SentinelOne offers comprehensive OS support, including legacy systems such as Windows XP, 2008, and 2012, and spans more than 20 years of Windows Server coverage.

    Customer control is a cornerstone of the platform’s philosophy. The multi-tenant management console emphasizes analyst experience, with streamlined deployment, configuration, and management. Updates are rigorously tested, responsibly deployed, and controlled by the customer to ensure stability and autonomy.

    As recognized by Gartner in this year’s evaluation, the unified agent and intuitive console deliver deep enterprise visibility while reducing overhead and administrative burden, allowing security teams to focus on high-priority tasks.

    Earning Industry Trust Through Proven Performance

    SentinelOne continues to lead in endpoint cybersecurity, earning trust from nearly 15,000 customers—including Fortune 10, Fortune 500, Global 2000 companies, and major government agencies. The company consistently achieves top results in MITRE ATT&CK Enterprise Evaluations, delivering an industry-leading signal-to-noise ratio.

    In addition to being named a Leader in the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms, SentinelOne’s Singularity Platform has been recognized as a 2025 Customers’ Choice in the Voice of the Customer for Extended Detection and Response (XDR), a 2024 Customers’ Choice for Cloud-Native Application Protection Platforms (CNAPP), and a 2024 Customers’ Choice for Managed Detection and Response (MDR). SentinelOne was also named a Strong Performer in the 2025 Gartner Peer Insights Voice of the Customer for Cloud Security Posture Management tools (CSPM).

    To see how SentinelOne can transform endpoint security within an organization, stakeholders can request a tailored demo or download the full Gartner report for detailed evaluation insights.

    Gartner, Magic Quadrant for Endpoint Protection Platforms, Evgeny Mirolyubov, Franz Hinner, Deepak Mishra, July 14, 2025.

    Gartner, Voice of the Customer for Extended Detection and Response, Peer Contributors, 23 May 2025.

    Gartner, Voice of the Customer for Cloud-Native Application Protection Platforms, Peer Contributors, 27 December 2024.

    Gartner, Voice of the Customer for Managed Detection and Response, Peer Contributors, 28 November 2024.

    Gartner, Voice of the Customer for Cloud Security Posture Management Tools, Peer Contributors, 30 May 2025.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Alert Fatigue, Data Overload, and the Fall of Traditional SIEMs

    Alert Fatigue, Data Overload, and the Fall of Traditional SIEMs

    Jul 31, 2025 | The Hacker News | Security Operations / Threat Detection

    Security Operations Centers (SOCs) are stretched to their limits. Log volumes are surging, threat landscapes are growing more complex, and security teams are chronically understaffed. Analysts face a daily battle with alert noise, fragmented tools, and incomplete data visibility. At the same time, more vendors are phasing out their on-premises SIEM solutions, encouraging migration to SaaS models. But this transition often amplifies the inherent flaws of traditional SIEM architectures.

    The Log Deluge Meets Architectural Limits

    SIEMs are built to process log data—and the more, the better, or so the theory goes. In modern infrastructures, however, log-centric models are becoming a bottleneck. Cloud systems, OT networks, and dynamic workloads generate exponentially more telemetry, often redundant, unstructured, or in unreadable formats. SaaS-based SIEMs in particular face financial and technical constraints: pricing models based on events per second (EPS) or flows-per-minute (FPM) can drive exponential cost spikes and overwhelm analysts with thousands of irrelevant alerts.

    Further limitations include protocol depth and flexibility. Modern cloud services like Azure AD frequently update log signature parameters, and static log collectors often miss these changes—leaving blind spots. In OT environments, proprietary protocols like Modbus or BACnet defy standard parsers, complicating or even preventing effective detection.

    False Positives: More Noise, Less Security

    Up to 30% of a SOC analyst’s time is lost chasing false positives. The root cause? Lack of context. SIEMs can correlate logs, but they don’t “understand” them. A privileged login could be legitimate—or a breach. Without behavioral baselines or asset context, SIEMs either miss the signal or sound the alarm unnecessarily. This leads to analyst fatigue and slower incident response times.

    The SaaS SIEM Dilemma: Compliance, Cost, and Complexity

    While SaaS-based SIEMs are marketed as a natural evolution, they often fall short of their on-prem predecessors in practice. Key gaps include incomplete parity in rule sets, integrations, and sensor support. Compliance issues add complexity, especially for finance, industry, or public sector organizations where data residency is non-negotiable.

    And then there’s cost. Unlike appliance-based models with fixed licensing, SaaS SIEMs charge by data volume. Every incident surge becomes a billing surge—precisely when SOCs are under maximum stress.

    Modern Alternatives: Metadata and Behavior Over Logs

    Modern detection platforms focus on metadata analysis and behavioral modeling rather than scaling log ingestion. Network flows (NetFlow, IPFIX), DNS requests, proxy traffic, and authentication patterns can all reveal critical anomalies like lateral movement, abnormal cloud access, or compromised accounts without inspecting payloads.

    These platforms operate without agents, sensors, or mirrored traffic. They extract and correlate existing telemetry, applying adaptive machine learning in real time—an approach already embraced by newer, lightweight Network Detection & Response (NDR) solutions purpose-built for hybrid IT and OT environments. The result is fewer false positives, sharper alerts, and significantly less pressure on analysts.

    A New SOC Blueprint: Modular, Resilient, Scalable

    The slow decline of traditional SIEMs signals the need for structural change. Modern SOCs are modular, distributing detection across specialized systems and decoupling analytics from centralized logging architectures. By integrating flow-based detection and behavior analytics into the stack, organizations gain both resilience and scalability—allowing analysts to focus on strategic tasks like triage and response.

    Conclusion

    Classic SIEMs—whether on-prem or SaaS—are relics of a past that equated log volume with security. Today, success lies in smarter data selection, contextual processing, and intelligent automation. Metadata analytics, behavioral modeling, and machine-learning-based detection are not just technically superior—they represent a new operational model for the SOC. One that protects analysts, conserves resources, and exposes attackers sooner—especially when powered by modern, SIEM-independent NDR platforms.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries CAKETAP Rootkit for Fraud

    UNC2891 Breaches ATM Network via 4G Raspberry Pi, Tries CAKETAP Rootkit for Fraud

    Jul 31, 2025 | Ravie Lakshmanan

    The financially motivated threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack.

    The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank’s network, Group-IB said. It’s currently not known how this access was obtained.

    “The Raspberry Pi was equipped with a 4G modem, allowing remote access over mobile data,” security researcher Nam Le Phuong said in a Wednesday report.

    “Using the TINYSHELL backdoor, the attacker established an outbound command-and-control (C2) channel via a Dynamic DNS domain. This setup enabled continuous external access to the ATM network, completely bypassing perimeter firewalls and traditional network defenses.”

    UNC2891 was first documented by Google-owned Mandiant in March 2022, linking the group to attacks targeting ATM switching networks to carry out unauthorized cash withdrawals at different banks using fraudulent cards.

    Central to the operation was a kernel module rootkit dubbed CAKETAP that’s designed to hide network connections, processes, and files, as well as intercept and spoof card and PIN verification messages from hardware security modules (HSMs) to enable financial fraud.

    The hacking crew is assessed to share tactical overlaps with another threat actor UNC1945 (aka LightBasin), which was previously identified compromising managed service providers and striking targets within the financial and professional consulting industries.

    Describing the threat actor as possessing extensive knowledge of Linux and Unix-based systems, Group-IB said its analysis uncovered backdoors named “lightdm” on the victim’s network monitoring server that are designed to establish active connections to the Raspberry Pi and the internal Mail Server.

    The attack is significant for the abuse of bind mounts to hide the presence of the backdoor from process listings and evade detection.
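A defender-side check for the bind-mount hiding described above, as an added example that is not from Group-IB or the original article. It assumes the hiding works by mounting another directory over the process's `/proc/<pid>` entry, which the article does not spell out; the `SAMPLE_MOUNTINFO` lines are constructed, and on a live host the input would be `/proc/self/mountinfo`.

```python
import re

# Per-process directory under /proc, e.g. /proc/8953 or /proc/8953/exe
PROC_PID_RE = re.compile(r"^/proc/(\d+)(?:/.*)?$")
# mountinfo writes space, tab, newline and backslash as \040 \011 \012 \134
OCTAL_RE = re.compile(r"\\([0-7]{3})")


def unescape(field):
    """Decode the octal escapes the kernel uses in mountinfo path fields."""
    return OCTAL_RE.sub(lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo_line(line):
    """Return the fields needed for the check, or None if the line is malformed."""
    # Layout: id parent maj:min root mount_point options [optional...] - fstype source superopts
    left, sep, right = line.rstrip("\n").partition(" - ")
    pre, post = left.split(" "), right.split(" ")
    if not sep or len(pre) < 6 or len(post) < 2 or not pre[0].isdigit():
        return None
    return {
        "mount_id": int(pre[0]),
        "root": unescape(pre[3]),         # "/" for a whole filesystem, a subpath for a bind mount
        "mount_point": unescape(pre[4]),
        "fstype": post[0],
        "source": unescape(post[1]),
    }


def find_proc_overmounts(lines):
    """Flag every mount whose mount point sits on or under /proc/<pid>."""
    findings = []
    for line in lines:
        entry = parse_mountinfo_line(line)
        if entry is None:
            continue
        match = PROC_PID_RE.match(entry["mount_point"])
        if match:
            entry["pid"] = int(match.group(1))
            findings.append(entry)
    return findings


# Constructed sample: two ordinary mounts and two mounts covering /proc/<pid>.
SAMPLE_MOUNTINFO = [
    "22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:12 - proc proc rw",
    "28 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw",
    "310 22 0:45 / /proc/8953 rw,relatime - tmpfs tmpfs rw",
    "311 22 8:2 /tmp/empty /proc/9012 rw,relatime shared:1 - ext4 /dev/sda2 rw",
]

if __name__ == "__main__":
    for f in find_proc_overmounts(SAMPLE_MOUNTINFO):
        print(f"PID {f['pid']} is covered by a {f['fstype']} mount "
              f"(root={f['root']}, source={f['source']})")
```

A healthy host normally has no mount points of the form `/proc/<pid>`, so any finding is worth investigating; the hidden process still exists in the kernel and its PID still cannot be reused while it runs.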

    The end goal of the infection, as seen in the past, is to deploy the CAKETAP rootkit on the ATM switching server and facilitate fraudulent ATM cash withdrawals. However, the Singaporean company said the campaign was disrupted before the threat actor could inflict any serious damage.

    “Even after the Raspberry Pi was discovered and removed, the attacker maintained internal access through a backdoor on the mail server,” Group-IB said. “The threat actor leveraged a Dynamic DNS domain for command-and-control.”


    Source: thehackernews.com…

  • Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install

    Hackers Exploit Critical WordPress Theme Flaw to Hijack Sites via Remote Plugin Install

    Jul 31, 2025 | Ravie Lakshmanan | Vulnerability / Website Security

    Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites.

    The vulnerability, tracked as CVE-2025-5394, carries a CVSS score of 9.8. Security researcher Thái An has been credited with discovering and reporting the bug.

    According to Wordfence, the shortcoming relates to an arbitrary file upload affecting all versions of the theme prior to and including 7.8.3. It has been addressed in version 7.8.5 released on June 16, 2025.

    CVE-2025-5394 is rooted in a plugin installation function named “alone_import_pack_install_plugin()” and stems from a missing capability check, thereby allowing unauthenticated users to deploy arbitrary plugins from remote sources via AJAX and achieve code execution.

    “This vulnerability makes it possible for an unauthenticated attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, which is typically leveraged for a complete site takeover,” Wordfence’s István Márton said.

    Evidence shows that CVE-2025-5394 began to be exploited starting July 12, two days before the vulnerability was publicly disclosed. This indicates that the threat actors behind the campaign may have been actively monitoring code changes for any newly addressed vulnerabilities.

    The company said it has already blocked 120,900 exploit attempts targeting the flaw. The activity has originated from the following IP addresses –

    In the observed attacks, the flaw is leveraged to upload a ZIP archive (“wp-classic-editor.zip” or “background-image-cropper.zip”) containing a PHP-based backdoor to execute remote commands and upload additional files. Also delivered are fully-featured file managers and backdoors capable of creating rogue administrator accounts.

    To mitigate any potential threats, WordPress site owners using the theme are advised to apply the latest updates, check for any suspicious admin users, and scan logs for the request “/wp-admin/admin-ajax.php?action=alone_import_pack_install_plugin.”
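The log scan recommended above, as an added example that is not from Wordfence or the original article. It assumes access logs in the Apache/nginx "combined" format; the `SAMPLE_LOG` lines and their addresses (documentation ranges) are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Request named in the mitigation advice above.
TARGET_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "alone_import_pack_install_plugin"

# Apache/nginx "combined" access log format (an assumption about the site's logging).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_hits(lines):
    """Return one dict per request that invokes the vulnerable AJAX action."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        raw_path, _, query = m["target"].partition("?")
        # Normalise percent-encoding and doubled slashes before comparing the path.
        path = re.sub(r"/+", "/", unquote(raw_path)).rstrip("/")
        # parse_qs percent-decodes values, so action=alone%5Fimport... is caught too.
        actions = parse_qs(query).get("action", [])
        if path == TARGET_PATH and TARGET_ACTION in actions:
            hits.append({"ip": m["ip"], "time": m["ts"],
                         "method": m["method"], "status": int(m["status"])})
    return hits


def summarize(hits):
    """Count hits per client IP and list the IPs that received a 2xx response."""
    per_ip = Counter(h["ip"] for h in hits)
    answered_ok = sorted({h["ip"] for h in hits if 200 <= h["status"] < 300})
    return per_ip, answered_ok


# Constructed sample: two matching requests, one benign AJAX call, one page view.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jul/2025:03:14:07 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=alone_import_pack_install_plugin HTTP/1.1" 200 58 "-" "-"',
    '192.0.2.10 - - [12/Jul/2025:03:14:09 +0000] "POST //wp-admin/admin-ajax.php'
    '?foo=1&action=alone%5Fimport_pack_install_plugin HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.7 - - [12/Jul/2025:03:15:00 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=heartbeat HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [12/Jul/2025:03:16:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    per_ip, answered_ok = summarize(find_hits(SAMPLE_LOG))
    for ip, count in per_ip.most_common():
        flag = " (received 2xx, review first)" if ip in answered_ok else ""
        print(f"{ip}: {count} request(s){flag}")
```

Access logs record only the query string, so a request that carried the `action` parameter in the POST body would not appear here; a 2xx status on a hit is a reason to check for the new admin users and plugin ZIP names mentioned above.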


    Source: thehackernews.com…

  • Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps

    Hackers Use Facebook Ads to Spread JSCEAL Malware via Fake Cryptocurrency Trading Apps

    Jul 30, 2025 | Ravie Lakshmanan | Cryptocurrency / Browser Security

    Cybersecurity researchers are calling attention to an ongoing campaign that distributes fake cryptocurrency trading apps to deploy a compiled V8 JavaScript (JSC) malware called JSCEAL that can capture data from credentials and wallets.

    The activity leverages thousands of malicious advertisements posted on Facebook in an attempt to redirect unsuspecting victims to counterfeit sites that instruct them to install the bogus apps, according to Check Point. These ads are shared either via stolen accounts or newly created ones.

    “The actors separate the installer’s functionality into different components and most notably move some functionality to the JavaScript files inside the infected websites,” the company said in an analysis. “A modular, multi-layered infection flow enables the attackers to adapt new tactics and payloads at every stage of the operation.”

    It’s worth noting that some aspects of the activity were previously documented by Microsoft in April 2025 and WithSecure as recently as this month, with the latter tracking it as WEEVILPROXY. According to the Finnish security vendor, the campaign has been active since March 2024.

    The attack chains have been found to adopt novel anti-analysis mechanisms that rely on script-based fingerprinting, before delivering the final JSC payload.

    “The threat actors implemented a unique mechanism that requires both the malicious site and the installer to run in parallel for successful execution, which significantly complicates analysis and detection efforts,” the Israeli cybersecurity company noted.

    Clicking on the link in the Facebook ads triggers a redirection chain, ultimately leading the victim to a fake landing page mimicking a legitimate service like TradingView, or to a decoy website if the target’s IP address is not within a desired range or the referrer is not Facebook.

    The website also includes a JavaScript file that attempts to communicate with a localhost server on port 30303, in addition to hosting two other JavaScript scripts that are responsible for tracking the installation process and initiating POST requests that are handled by the components within the MSI installer.

    For its part, the installer file downloaded from the site unpacks a number of DLL libraries, while simultaneously initiating HTTP listeners on localhost:30303 to process incoming POST requests from the phony site. This interdependency also means that the infection chain fails to proceed further if any of these components doesn’t work.

    “To ensure the victim does not suspect abnormal activity, the installer opens a webview using msedge_proxy.exe to direct the victim to the legitimate website of the application,” Check Point said.

    The DLL modules are designed to parse the POST requests from the website, gather system information, and commence the fingerprinting process, after which the captured information is exfiltrated to the attacker in the form of a JSON file by means of a PowerShell backdoor.

    If the victim host is deemed valuable, the infection chain moves to the final stage, leading to the execution of the JSCEAL malware by leveraging Node.js.

    The malware, besides establishing connections with a remote server to receive further instructions, sets up a local proxy with the goal of intercepting the victim’s web traffic and injecting malicious scripts into banking, cryptocurrency, and other sensitive websites to steal their credentials in real-time.

    Other functions of JSCEAL include gathering system information, browser cookies, auto-fill passwords, Telegram account data, screenshots, keystrokes, as well as conducting adversary-in-the-middle (AitM) attacks and manipulating cryptocurrency wallets. It can also act as a remote access trojan.

    “This sophisticated piece of malware is designed to gain absolute control of the victim machine, while being resilient against conventional security tools,” Check Point said. “The combination of compiled code and heavy obfuscation, while displaying a wide variety of functionality, made analysis efforts challenging and time-consuming.”

    “Using JSC files allows attackers to simply and effectively conceal their code, helping it evade security mechanisms, and making it difficult to analyze.”


    Source: thehackernews.com…