Who's your lunch buddy for the day? 
Make sure to connect with your old and new pals at #FIRSTCON25 #inspiringconnections #incidentresponse #secconf 
https://go.first.org/LV4lq
We’re proud to welcome Richard D. Pethia to the FIRST Incident Response Hall of Fame, announced today at #FIRSTCON25 in Copenhagen, Denmark.
As the founding director of the CERT Coordination Center (CERT/CC), now part of the CERT Division of the Carnegie Mellon University Software Engineering Institute (CMU SEI), Pethia’s vision and leadership helped shape the modern practice of cybersecurity incident response.
Congratulations, Rich, and thank you for your lasting impact on our field!
Read more: https://go.first.org/bFM9v
Excited to introduce FIRST CORE with our founding partner Fortinet!
This new sponsorship initiative will strengthen incident response capabilities worldwide, focusing on capacity building in underrepresented regions across Africa, the Asia-Pacific, Latin America and the Caribbean.
Together, we're expanding our Community and Capacity Building Program to provide critical training, mentorship and resources where they're needed most.
Fortinet's decade-long commitment to our mission makes them the perfect partner to help us build resilient cybersecurity communities grounded in internationally recognized best practices.
Learn more here: https://go.first.org/UTC8W
McLaren provides written notice to 743,131 patients after ransomware attack in July 2024:
#HealthSec #databreach #encryption #extortion #transparency #incidentresponse
This was their second ransomware attack in a year. Personal injury lawyers are already recruiting plaintiffs.
Why a Business-First Incident Response Approach Works Best https://www.byteseu.com/1121222/ #business #BusinessLeadership #BusinessOperations #ChaosManagement #CommunicationPlan #ContinuityPlans #CrisisManagement #CyberCrisis #EmployeeEngagement #IncidentResponse #LegalImplications #OutdatedSystems #recovery #Resilience #Semperis #SimonHodgkinson #TabletopExercises #TechnicalContainment #YossiRachman
New Supply Chain Security Comms Drill!
Supply chain attacks are becoming one of the most challenging threats facing security teams today. But here's what we've learned from working with hundreds of #IncidentResponse teams — the technical response is often the easy part.
The real challenge? Coordinating communication across your entire organization when Legal needs regulatory guidance, Sales is worried about customer retention, Engineering is weighing security vs. business continuity, and your biggest customer is demanding answers right now.
We've just created a new drill that puts you in the role of Security Incident Commander during a supply chain compromise. No technical deep-dives — just the messy, real-world communication challenges that make or break incident response.
What you'll practice:
Managing competing stakeholder priorities Making information-sharing decisions Coordinating cross-functional teams
Perfect for security leaders, incident commanders, and anyone who's ever had to explain a complex security situation to executives, customers, or legal teams while the clock is ticking.
Ready to test your incident communication skills?
Link to subscribe: DiscernibleInc.com/drills
Attribution is hard, Thursday edition...
NEW by me: A guilty plea in the PowerSchool case still leaves unanswered questions
#PowerSchool #hack #extortion #attribution #transparency #incidentresponse
As a researcher, have you ever been told this sentence?
"While we acknowledge the concern, we do not have the authority to
remove or restrict access to the reported content. We'd appreciate it
if you could consider reporting the issue to Google through their
official reporting channels."
JAPANCERT - JPCERT
È finalmente arrivato il professionista che nessun SOC voleva, ma che tutti si meritano!
Addestrato in un gruppo Telegram.
Certificato da “CyberSecurity spiegata male S.r.l.”
Specializzato in: “Non è colpa nostra, sarà mica l’IT esterno?”
AI is the new attack surface—are you ready?
From shadow AI to deepfake-driven threats, attackers are finding creative ways to exploit your organization’s AI tools, often without you realizing it.
Watch our new 3-minute video, How Attackers Target Your Company’s AI Tools, for advice on:
The rise of shadow AI (yes, your team is probably using it!)
Real-world examples of AI misconfigurations and account takeovers
What to ask vendors about their AI usage
How to update your incident response plan for deepfakes
Actionable steps for AI risk assessments and inventories
Don’t let your AI deployment become your biggest security blind spot.
Watch now: https://youtu.be/R9z9A0eTvp0
DATE: June 05, 2025 at 08:37AM
SOURCE: HEALTHCARE INFO SECURITY
Direct article link at end of text block below.
What are the most commonly overlooked details of #ransomware #incidentresponse plans? https://t.co/cL89jDVfGq
Here are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
It looks like the Gunra ransomware gang is escalating its leak of data from American Hospital Dubai ("AHD"). Their spokesperson informs me that they are planning to leak the data on the clearnet so more people will have access to downloading it.
AHD did not respond to my email inquiries yesterday. A second request was emailed to them this morning.
Background on this attack and AHD's internal communications about the breach:
DATE: June 04, 2025 at 03:34PM
SOURCE: HEALTHCARE INFO SECURITY
Direct article link at end of text block below.
The Forgotten Details of #Ransomware #IncidentResponse Plans https://t.co/zd347KRPTE
Here are any URLs found in the article text:
Articles can be found by scrolling down the page at https://www.healthcareinfosecurity.com/ under the title "Latest"
-------------------------------------------------
Private, vetted email list for mental health professionals: https://www.clinicians-exchange.org
Healthcare security & privacy posts not related to IT or infosec are at @HIPAABot . Even so, they mix in some infosec with the legal & regulatory information.
-------------------------------------------------
#security #healthcare #doctors #itsecurity #hacking #doxxing #psychotherapy #securitynews #psychotherapist #mentalhealth #psychiatry #hospital #socialwork #datasecurity #webbeacons #cookies #HIPAA #privacy #datanalytics #healthcaresecurity #healthitsecurity #patientrecords @infosec #telehealth #netneutrality #socialengineering
Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.:
To make matters worse, AHD communicated about the breach and their incident response while the attackers still had access.
#databreach #ransomware #healthsec #cybersecurity #transparency #incidentresponse #Gunra
Incident response as a competitive advantage? Absolutely!
Last week's Discernible Drill challenged security pros to switch from "damage control" to "what could go right?" thinking during a ransomware scenario. The results were remarkable.
One team developed a brilliant competitive differentiation strategy that positioned their organization as "incident-tested" versus competitors with only theoretical capabilities.
Their approach:
Create side-by-side comparisons of recovery capabilities vs. industry standards
Develop messaging around being "Proven Under Pressure"
Use actual incident metrics as sales tools
This is the power of positive incident framing. When you prepare excellently, incidents become proof points that no marketing campaign can match.
Here’s the catch: If you want the opportunity to use incident response in this way, you have to plan for it to ensure you’re demonstrating excellence. It won’t happen by accident.
Read our full analysis from the drill:
Texas gastroenterology and surgical practice victim of ransomware attack:
InterLock has dumped a lot of data with #PHI from Texas Digestive Specialists. The medical group does not appear to have either confirmed nor denied any claimed breach, but there are a ton of pathology reports on Texas Digestive Specialists letterhead that I saw in the tranche:
Okay, so I wanted to share a little incident from a few months back that really hammered home the power of knowing your Linux internals when things go sideways. I got a frantic call, "something weird is going on with our build server, it's acting sluggish and our monitoring is throwing odd network alerts." No fancy EDR on this particular box, just the usual ssh and bash. My heart always sinks a little when it's a Linux box with vague symptoms, because you know it's time to get your hands dirty.
First thing I did, even before reaching for any specific logs, was to get a quick snapshot of the network. Instead of netstat, which honestly feels a bit dated now, I immediately hit ss -tunap. That p is crucial cause it shows you the process and user ID for each connection. What immediately jumped out was an outbound TCP connection on a high port to a sketchy-looking IP, and it was tied to a process that definitely shouldn't have been making external calls. My gut tightened. I quickly followed up with lsof -i just to be super sure no deleted binaries were clinging on to network connections.
With that IP and PID in hand, I moved to process investigation. pstree -ap was my next stop. It showed the suspicious process, and more importantly, its parent. It wasn't a child of systemd or a normal service. It was spawned by a build script that shouldn't have been executing anything like this. That hierarchical view was key. Then, to really understand what this thing was doing, I dared to strace -p <PID>. Watching the system calls unfurl was like watching a movie of its malicious intent: it was reading from /etc/passwd, making connect() calls, and trying to write to some odd /tmp directories. Simultaneously, I checked ls -l /proc/<PID>/exe to confirm the actual binary path (it was indeed in /tmp) and /proc/<PID>/cwd to see its working directory. No doubt, this was a rogue process.
Knowing it was a fresh infection, I immediately shifted to the filesystem. My go-to is always find / -type f -newermt '2 days ago' -print0 | xargs -0 ls -latr. This quickly pulls up any files modified in the last 48 hours, sorted by modification time. It's often where you find dropped payloads, modified configuration files, or suspicious scripts. Sure enough, there were a few more binaries in /tmp and even a suspicious .sh script in a developer's home directory. I also scanned for SUID/SGID binaries with find / -perm /6000 just in case they'd dropped something for privilege escalation. And while stat's timestamps can be tampered with, I always glance at atime, mtime, and ctime on suspicious files; sometimes, a subtle mismatch offers a tiny clue if the attacker wasn't meticulous.
The final piece of the puzzle, and often the trickiest, is persistence. I checked the usual suspects: crontab -l for root and every other user account I could find. Then I cast a wider net with grep -r "suspect_domain_or_ip" /etc/cron.* /etc/systemd/system/ /etc/rc.d/ and similar common boot directories. Sure enough, a new systemd timer unit had been added that was scheduled to execute the /tmp binary periodically. Finally, I didn't forget the user dotfiles (~/.bashrc, ~/.profile, etc.). It’s surprising how often an attacker will drop a malicious alias or command in there, assuming you won't dig deep into a developer's setup.
Long story short, we quickly identified the ingress vector, isolated the compromise, and cleaned up the persistence. But what really stuck with me is how quickly you can triage and understand an incident if you're comfortable with these fundamental Linux commands. There's no substitute for getting your hands dirty and really understanding what strace is showing you or why ss is superior to netstat in a high-pressure situation. These tools are your best friends in a firefight.
I felt like it was deja vu all over again (as Yogi might have said): The Virgin Islands Lottery restored services after a cyberattack without paying the demanded $1M ransom.
But was this their second cyberattack like this since early 2024? Was it the same gang? Was it same means of access? There's much we don't know yet.
Cloudflare is an American company. So how is it doing business with Russian entities?
We were just hit with a phishing campaign pointing to a Russian URL, from a brand new Russian domain, from a Russian registrar, but content served through Cloudflare.
I may be mistaken on the totality of global sanctions against Russia, but it would seem that Cloudflare would not want to do business with these entities.
