
Triaging the Week 066

Hello there 👋

Welcome back to the Kraven Security weekly newsletter, triaging the week. We round up the week’s top news stories, highlight our featured article, give you some learning resources, and finish with a few personal notes about what’s happening at the company. Enjoy!


Top 5 News Stories


Identity Attacks and Infostealers Take Center Stage in the 2025 Threat Landscape

The 2025 Red Canary Threat Detection Report reveals a surge in identity attacks and infostealers, with nearly 93,000 threats detected in 2024 across endpoints, clouds, and identities. Packed with actionable insights, this report is a must-read for security teams navigating today’s evolving cyber threats!

Key takeaways:

🔍 Massive Threat Surge: Red Canary detected nearly 93,000 threats in 2024, a 33% jump from last year, driven by expanded visibility into cloud and identity infrastructure.

🕵️‍♂️ Identity Attacks Dominate: Compromised identities fuel the rise of cloud-based threats, with adversaries heavily exploiting VPNs and email rules for access.

💾 Infostealers on the Rise: Malware like ChromeLoader and Atomic Stealer lead the pack, targeting endpoints and macOS systems with sneaky tactics.

🌐 Cloud Hijacking Emerges: The report highlights “Cloud Service Hijacking” as a growing technique where attackers abuse compromised cloud accounts, including AI services.

🎯 Actionable Guidance: With trends like VPN abuse and insider threats, the report offers detection and mitigation strategies for security pros to stay ahead.

Red Canary

Supply Chain Attack on tj-actions/changed-files Exposes CI/CD Secrets Across 23,000 GitHub Repos

A supply chain attack on the popular GitHub Action tj-actions/changed-files has put 23,000+ repos at risk, leaking CI/CD secrets like AWS keys and GitHub tokens to public logs. Devs need to rotate secrets and pin commits ASAP. Trust in open source just took a hit!

Key takeaways:

🕵️‍♂️ Attack Unveiled: On March 14, 2025, a threat actor compromised tj-actions/changed-files, a GitHub Action used by over 23,000 repositories, injecting malicious code to steal CI/CD secrets like AWS access keys and GitHub PATs from build logs.

🔓 Secret Leak: The attacker altered the tool’s code and retroactively updated version tags to point to a malicious commit, dumping secrets into logs—which are publicly accessible in many cases—exposing organizations to potential breaches.

💻 Widespread Risk: Dozens of repositories, including those of large enterprises, were hit, with stolen credentials risking access to private systems; the attack (CVE-2025-30066, CVSS 8.6) exploited a bot’s compromised PAT.

🛠️ GitHub Response: GitHub suspended accounts and removed the malicious content, while tj-actions devs nixed PAT usage—meanwhile, experts urge pinning commits over tags to avoid future tag tampering.

🛡️ Action Needed: Rotate exposed secrets, review workflows for unexpected outputs, and adopt allow-listing for GitHub Actions to lock down your CI/CD pipelines against this sneaky supply chain threat.

Wiz
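The pin-commits-not-tags and allow-listing advice above, as an added Python example (not code from Wiz or the tj-actions project): it scans a workflow for `uses:` references that are not pinned to a full commit SHA and for action owners outside an allow-list. The sample workflow and its 40-hex SHA are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Matches "uses: owner/repo[/path]@ref" lines in a workflow file. Regex-based so the
# audit runs without PyYAML; good enough for a pass over .github/workflows/*.yml.
USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")

@dataclass
class ActionRef:
    action: str   # owner/repo or owner/repo/subdir
    ref: str      # text after '@': tag, branch or commit SHA
    pinned: bool  # True only for a full 40-hex commit SHA, which cannot be retargeted

def classify_uses(value):
    """Classify one uses: value; returns None for local (./) and docker:// actions."""
    if value.startswith("./") or value.startswith("docker://"):
        return None
    if "@" not in value:
        return ActionRef(value, "", False)
    action, ref = value.rsplit("@", 1)
    return ActionRef(action, ref, bool(FULL_SHA_RE.match(ref)))

def find_unpinned(workflow_text):
    """Third-party actions referenced by a mutable tag or branch (tag-tampering exposure)."""
    refs = [classify_uses(m.group(1)) for m in USES_RE.finditer(workflow_text)]
    return [r for r in refs if r is not None and not r.pinned]

def outside_allow_list(workflow_text, allowed_owners):
    """Third-party actions whose owner is not on the organisation's allow-list."""
    refs = [classify_uses(m.group(1)) for m in USES_RE.finditer(workflow_text)]
    return [r for r in refs if r is not None and r.action.split("/")[0] not in allowed_owners]

# Constructed sample workflow; the 40-hex SHA below is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (placeholder SHA)
      - uses: tj-actions/changed-files@v2   # mutable tag: can be moved to another commit
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
      - name: Lint
        uses: some-org/lint-action@main
"""
```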

Apache Tomcat Vulnerability Exploited Within 30 Hours of Disclosure, Enabling RCE Attacks

A critical Apache Tomcat flaw (CVE-2025-24813) is under active attack just 30 hours after its PoC dropped, allowing remote code execution with a single PUT request. Wallarm reports no auth needed. Update to Tomcat 9.0.99, 10.1.35, or 11.0.3 now to lock it down!

Key takeaways:

🕵️‍♂️ Rapid Exploitation: A severe Apache Tomcat vulnerability (CVE-2025-24813) was exploited in the wild within 30 hours of a public proof-of-concept release on March 10, 2025, targeting servers globally.

🔓 RCE Risk: The flaw allows unauthenticated remote code execution via PUT requests if write-enabled servlets and partial PUT support are active, potentially exposing sensitive files or enabling backdoors.

💻 Affected Versions: Hits Tomcat 9.0.0-M1 to 9.0.98, 10.1.0-M1 to 10.1.34, and 11.0.0-M1 to 11.0.2—Wallarm confirmed attacks using serialized payloads to breach systems.

🛠️ Patch Available: This is fixed in versions 9.0.99, 10.1.35, and 11.0.3; admins must update ASAP as exploits are already live; no workaround exists.

🛡️ Act Fast: Because exploitation only needs a few conditions to line up, such as the attacker knowing the target file names, organizations need to patch, audit configs, and monitor traffic to stop this fast-moving threat.

Wallarm
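An added example, not from Wallarm or the Apache Tomcat project, that checks the two preconditions the summary names: a version below the fixed releases listed above, and a DefaultServlet configured with writes enabled while partial PUT stays enabled. It assumes Tomcat's documented conf/web.xml init-param names `readonly` (default true) and `allowPartialPut` (default true); the web.xml fragment is constructed.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release on each affected line, as listed in the summary above.
FIXED = {(9, 0): "9.0.99", (10, 1): "10.1.35", (11, 0): "11.0.3"}

def parse_version(text):
    """'10.1.34' -> (10,1,34,1,0); '11.0.0-M1' -> (11,0,0,0,1), so milestones sort before GA."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, ms = m.groups()
    return (int(major), int(minor), int(patch), 0 if ms else 1, int(ms or 0))

def version_vulnerable(text):
    """True if below the fixed release on its line; None if the line is not covered here."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    return None if fixed is None else v < parse_version(fixed)

def default_servlet_params(web_xml):
    """Effective DefaultServlet init-params from a conf/web.xml string (namespace-agnostic)."""
    def local(e): return e.tag.rsplit("}", 1)[-1]   # drop the javaee/jakartaee namespace
    params = {"readonly": "true", "allowPartialPut": "true"}   # Tomcat's documented defaults
    for servlet in ET.fromstring(web_xml).iter():
        if local(servlet) != "servlet":
            continue
        cls = next((c.text or "" for c in servlet if local(c) == "servlet-class"), "")
        if cls.strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for ip in (c for c in servlet if local(c) == "init-param"):
            kv = {local(c): (c.text or "").strip() for c in ip}
            params[kv["param-name"]] = kv["param-value"]
    return params

def writable_partial_put(web_xml):
    """The configuration precondition named above: writes enabled AND partial PUT enabled."""
    p = default_servlet_params(web_xml)
    return p["readonly"].lower() == "false" and p["allowPartialPut"].lower() == "true"

# Constructed conf/web.xml fragment with the non-default, risky setting readonly=false.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
```

A server on a fixed version is safe regardless of the config result; on an affected version, a `True` from `writable_partial_put` is the setting to change first while the upgrade is scheduled.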

Unpatched Windows Zero-Day Fuels State-Sponsored Cyber Espionage

Since 2017, 11 state-sponsored hacking groups from China, Iran, North Korea, and Russia have exploited a critical unpatched Windows zero-day flaw (ZDI-CAN-25373) for espionage and data theft. Despite nearly 1,000 exploit samples identified, Microsoft has not prioritized an immediate fix, leaving systems vulnerable.

Key takeaways:

🕵️‍♂️ Exploitation by State Actors: Since 2017, 11 state-sponsored groups from China, Iran, North Korea, and Russia have used the ZDI-CAN-25373 flaw for cyber espionage and data theft.

📁 Method of Attack: The vulnerability is exploited via malicious .LNK files with hidden command-line arguments, enabling stealthy execution of malicious payloads.

🚨 Scale of Threat: Nearly 1,000 exploit samples have been detected, highlighting widespread use and significant risk to organizations.

🛡️ Microsoft’s Response: Despite the threat, Microsoft has classified the issue as not requiring urgent updates, leaving systems exposed.

🌐 Global Impact: The flaw’s exploitation underscores the persistent danger of unpatched vulnerabilities in widely used operating systems like Windows.

🎯 Threat Hunting Package

Trend Micro

Black Basta Ransomware Unleashes Automated VPN Brute-Forcing Tool ‘BRUTED’

The Black Basta ransomware gang has developed ‘BRUTED,’ an automated tool for brute-forcing VPNs and firewalls, targeting edge devices for easy network breaches. EclecticIQ warns of its use in large-scale attacks since 2023.

Key takeaways:

🕵️‍♂️ New Tool Uncovered: EclecticIQ revealed Black Basta’s ‘BRUTED,’ an automated brute-forcing framework that has been targeting edge devices like VPNs and firewalls since 2023, streamlining ransomware attacks.

🔓 How It Works: BRUTED scans subdomains and IPs, extracts SSL certificate data for password guesses, and performs bulk credential-stuffing attacks to exploit weak or reused credentials.

🌍 Global Threat: In 2024, the tool fueled large-scale attacks worldwide, amplifying Black Basta’s reach by targeting exposed corporate network devices with minimal effort.

🛡️ Protect Yourself: Keep devices updated with the latest patches, enforce strong passwords, and use multi-factor authentication to block this automated menace.

🎯 Threat Hunting Package

EclecticIQ
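A defender-side counterpart to the bulk credential-stuffing behaviour described above, added here as an example and not taken from EclecticIQ's report: it parses constructed VPN gateway auth log lines (the log format is assumed) and flags a source IP that fails against many distinct accounts in a short window, noting any account that then logs in successfully.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed VPN gateway auth log (syslog-like); not from any real device or vendor.
SAMPLE_LOG = """\
2025-03-15T02:14:01Z vpn-gw1 auth: login failed user=jsmith src=203.0.113.7
2025-03-15T02:14:03Z vpn-gw1 auth: login failed user=mjones src=203.0.113.7
2025-03-15T02:14:04Z vpn-gw1 auth: login failed user=admin src=203.0.113.7
2025-03-15T02:14:06Z vpn-gw1 auth: login failed user=rlee src=203.0.113.7
2025-03-15T02:14:08Z vpn-gw1 auth: login failed user=kpatel src=203.0.113.7
2025-03-15T02:14:11Z vpn-gw1 auth: login ok user=kpatel src=203.0.113.7
2025-03-15T02:20:00Z vpn-gw1 auth: login failed user=jsmith src=198.51.100.9
2025-03-15T02:21:30Z vpn-gw1 auth: login ok user=jsmith src=198.51.100.9
"""

LINE_RE = re.compile(r"^(\S+) \S+ auth: login (failed|ok) user=(\S+) src=(\S+)$")
Event = namedtuple("Event", "ts result user src")

def parse(line):
    """One log line -> Event, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src = m.groups()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src)

def detect_stuffing(log_text, window=timedelta(minutes=5), min_failures=4, min_users=3):
    """Flag a source IP with >= min_failures failed logins across >= min_users distinct
    usernames inside `window`, and list any account that then logged in successfully."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e.result == "failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if e.ts - first.ts <= window]
            users = {e.user for e in burst}
            if len(burst) >= min_failures and len(users) >= min_users:
                end = burst[-1].ts
                compromised = sorted({e.user for e in evs if e.result == "ok" and e.ts >= end})
                alerts.append({"src": src, "failures": len(burst), "users": sorted(users),
                               "success_after": compromised})
                break   # one alert per source is enough for triage
    return alerts
```

A single user failing a few times (198.51.100.9 above) stays below both thresholds; the many-users-one-source pattern is what distinguishes stuffing from a forgotten password.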


Top Tips of the Week


Threat Intelligence

  • Educate stakeholders on the value of threat intelligence. Awareness promotes collaboration and enhances overall security.

Threat Hunting

  • Share cyber threat hunting experiences at industry events. Learn from peers and contribute to the community’s knowledge.

Custom Tooling

  • Implement secure communication channels for custom tools. Protect data in transit and minimize the risk of interception.
  • Implement secure coding practices for custom tools. Address vulnerabilities and ensure robust protection against potential exploits.
  • Create custom tools with flexibility in mind. Design solutions that can adapt to changing requirements and evolving cybersecurity landscapes.
  • Secure sensitive data in custom tools. Follow best practices for encryption and access controls to protect critical information.
  • Incorporate user training in custom tool deployment. Empower users with the knowledge to effectively utilize and maximize the benefits of the tool.

Feature Article


Cyber threat intelligence (CTI) is built on models and frameworks that allow you to turn raw data into actionable intelligence. One of the key operational models you will use as a CTI analyst is the F3EAD intelligence loop.

This guide will teach you how to use this model to structure your day-to-day intelligence work, from finding the data you need, to exploiting it with specialist skill sets, to disseminating it to key stakeholders. You will learn where the F3EAD loop fits into the CTI process, how to complete each of its six stages, and see the model in action with practical examples.

The F3EAD loop is a fundamental model in CTI that you will use daily to fulfill your intelligence requirements. Let’s jump in and explore it!

Read Now


Learning Resources


Feeling Under-Valued at Work?

Do you feel your employer is not treating you the way you expect? Is there a disconnect between self-perception and how others see you? While you might evaluate yourself based on intentions and effort, employers focus on results and impact. This gap can lead to misunderstandings in job applications, performance reviews, and promotions.

To receive the hard-fought rewards you deserve, you must align your communication and actions with employer expectations, seek honest feedback, and adjust your approach accordingly.

This excellent video highlights how focusing on outcomes rather than intentions, adapting to feedback, and recognizing the difference between personal perception and employer needs can lead to better job performance and career growth.

How to Teach CTI Better

Cyber threat intelligence (CTI) can be a difficult topic to teach. It requires extensive background knowledge, reading long threat reports, and studying countless models and frameworks.

In this talk, Bryan Quillen and Jibby Saetang will share their unique and innovative method of using a custom-built game to teach CTI to high school students, a demographic typically seen as too young for such advanced topics.

The pair focused on gamifying CTI and highlighting the stories behind the data, so students developed a genuine curiosity about cyber security, along with the ethical and personal implications. A great watch for anyone teaching cyber security.

Top 5 Clean Code Principles For Beginners

Coding is a game-changer for anyone working in cyber security. It saves time and money and transforms the way you think about problems!

As you progress on your coding journey, you must learn clean coding principles to ensure your code is easy to understand, maintain, and extend. This video highlights five clean code principles that every beginner should know.

These principles benefit individual programmers and enhance team collaboration and project scalability. Implementing these best practices leads to more robust and reliable applications, ultimately contributing to a more efficient development process and a higher-quality end product.

The Art of Cyber Denial and Deception

Cyber deception involves interacting with an adversary to detect and redirect the adversary on the defender’s terms. Sometimes, it can be written off as “just research” or a “waste of resources,” but with a bit of upfront planning, it can be a game-changer for organizations that want to defend themselves proactively.

This panel discussion from MITRE Engage provides key insights on critical things to consider before beginning a deception campaign, such as understanding your organization’s goals and resources, the different approaches to adversary engagement, and the necessity of getting buy-in from non-technical leadership.