Posted on Cloud Security Incidents & Breaches Security Operations Vulnerability Intelligence

Taiwan CERT warns of “Operation WrtHug” targeting ASUS routers via AiCloud command-injection flaws

Taiwan’s TWCERT/CC issued an urgent alert citing SecurityScorecard’s STRIKE team research into “Operation WrtHug,” a sustained campaign targeting ASUS small office/home office routers worldwide. The activity is reported to abuse known, publicly disclosed OS command-injection vulnerabilities—including issues referenced alongside CVE-2023-39780—focused on the AiCloud service. TWCERT/CC says compromised routers may be backdoored and incorporated into a large global infected network used for follow-on cyber threat activity and espionage, with STRIKE reporting identification of more than 50,000 infected IP devices over the past six months. The advisory urges immediate firmware updates, replacement of end-of-life (EoL) models that cannot be patched, and consultation of ASUS product security advisories for official mitigation steps. Read more

Posted on Cloud Security Incidents & Breaches Security Operations Vulnerability Intelligence

Taiwan CERT warns WSUS RCE CVE-2025-59287 (CVSS 9.8) is under active exploitation

Taiwan’s TWCERT/CC is urging organizations to urgently patch a high-severity Windows Server Update Services (WSUS) vulnerability, CVE-2025-59287 (CVSS 9.8), after U.S. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog and Dutch NCSC-NL also confirmed real-world exploitation. The flaw enables unauthenticated remote code execution as SYSTEM via a deserialization trigger, but only impacts Windows Server systems where the WSUS server role is enabled. TWCERT/CC also cited Huntress reporting attacker scanning for exposed WSUS ports 8530/8531 and delivering malicious requests, with post-exploitation activity potentially involving PowerShell-based payload execution and data discovery/exfiltration. Read more

Posted on Cloud Security Identity & Governance Incidents & Breaches Security Operations

Taiwan CERT flags “EtherHide” as an emerging blockchain-based C2 technique paired with ClearFake fake-update lures

Taiwan’s national CERT (TWCERT/CC) warns that attackers are increasingly using public blockchains as command-and-control (C2) infrastructure. The advisory highlights “EtherHide,” a technique first described by security researchers in October 2023, where adversaries store malicious commands or payload locations inside smart contracts. Malware (or malicious web scripts) can then query the chain for updated instructions, reducing the effectiveness of traditional controls like domain/IP blocking and traffic monitoring. TWCERT/CC also notes EtherHide is frequently chained with the “ClearFake” social-engineering pattern—fake system notifications or software update prompts—often delivered via compromised WordPress sites embedding malicious JavaScript. The combined flow uses Binance Smart Chain (BSC) smart contracts and read-only calls (e.g., eth_call) to retrieve attacker instructions without on-chain transaction fees, improving stealth and persistence. Read more

Posted on AI Security Cloud Security Incidents & Breaches Security Operations

Taiwan’s TWCERT/CC convenes 2025 incident response conference, spotlighting secure-by-design and PSIRT as supply-chain trust levers

Taiwan’s national CERT (TWCERT/CC) held its 2025 Taiwan Cybersecurity Incident Notification & Response Annual Conference on Dec. 3 under the theme “Build Secure Products, Connect a Trusted Defense Line.” Government leaders from the Ministry of Digital Affairs and the Administration for Cyber Security emphasized that product security is now tied to brand trust and global market access, citing AI, IoT, and smart manufacturing expansion—and noting that international rules increasingly treat product security as a supply-chain governance requirement. The event brought together major Taiwan and regional vendors and institutes (including ASUS, Zyxel, Delta Electronics, Synology, Panasonic Taiwan, Institute for Information Industry, and others) to share practices around AI-driven threats, vulnerability disclosure, and PSIRT governance—signals relevant to global security and infrastructure teams that rely on Taiwan-linked hardware, NAS, networking, and industrial components. Read more

Posted on Cloud Security Incidents & Breaches Security Operations Vulnerability Intelligence

MongoDB “MongoBleed” (CVE-2025-14847) memory disclosure: unauthenticated zlib packets can leak secrets; added to CISA KEV

Taiwan’s TWCERT/CC warns that a high-risk MongoDB Server vulnerability, CVE-2025-14847 (CVSS v4: 8.7), is under active exploitation and can leak sensitive data from server memory. The issue—dubbed “MongoBleed” by researchers—stems from incorrect handling of the reported length of zlib-decompressed messages, which can cause uninitialized heap memory residues to be included in responses. TWCERT/CC notes that more than 87,000 internet-exposed MongoDB servers could be at risk, and that CISA added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on 2025-12-29, signaling elevated urgency for enterprises and government agencies. Read more

Posted on Cloud Security Identity & Governance Incidents & Breaches Security Operations

Okta’s support-system intrusion highlights why HAR files and session tokens must be treated as privileged secrets

Okta’s root-cause report says a threat actor accessed files in its customer support case management system from Sept. 28 to Oct. 17, 2023, affecting 134 customers (under 1%). Some accessed files were HAR files containing session tokens, enabling session hijacking; Okta says tokens were used to hijack sessions for 5 customers. The incident stemmed from a support-system service account credential that was likely exposed after being saved to an employee’s personal Google account via Chrome sign-in on an Okta-managed laptop. Okta also disclosed a logging visibility gap that delayed identifying file downloads until an IP indicator was shared by BeyondTrust. Read more

Posted on AI Security Cloud Security Incidents & Breaches Security Operations

Microsoft’s Storm-0558 postmortem highlights identity signing-key leakage paths and validation gaps that can bridge consumer and enterprise trust domains

Microsoft’s MSRC investigation into Storm-0558 concludes that operational errors likely allowed Microsoft Account (MSA) consumer signing key material to escape a secure token signing environment via a crash-dump/debug workflow, after which the actor (attributed by Microsoft as China-based) likely obtained it by compromising a Microsoft engineer’s corporate account with access to the debugging environment. A separate engineering failure—missing issuer/scope validation when mail systems relied on a common key metadata endpoint—meant a consumer key could be used to forge tokens accepted for enterprise email access. Microsoft says it has since corrected the race condition, improved key-material detection and credential scanning, and updated libraries to automate scope validation. Read more

Posted on Cloud Security Incidents & Breaches Security Operations Vulnerability Intelligence

CISA/FBI: CL0P turned MOVEit Transfer into a repeatable mass data-theft pathway via CVE-2023-34362

A joint CISA and FBI advisory details how the CL0P ransomware group (also tracked as TA505) exploited a previously unknown SQL injection flaw (CVE-2023-34362) in Progress Software’s MOVEit Transfer managed file transfer (MFT) product to implant a web shell (“LEMURLOOT”) and exfiltrate data from underlying databases. The advisory frames MOVEit as the latest example of a broader TA505 pattern: targeting internet-facing MFT platforms with zero-day exploits (Accellion FTA in 2020–2021, GoAnywhere MFT in early 2023, and MOVEit in May 2023) to conduct large-scale theft and extortion—often emphasizing data exfiltration over encryption. Read more

Posted on Cloud Security Identity & Governance Incidents & Breaches Security Operations

Microsoft’s Secure Future Initiative: a multi-year, hyperscaler-scale reset on how Microsoft builds and operates security

Microsoft’s Secure Future Initiative (SFI), launched in November 2023, is a multi-year, cross-company program intended to “increasingly secure” how Microsoft designs, builds, tests, and operates its products and services. Microsoft says the first year prioritized security across the company through internal training and substantial engineering investment to reduce risk. SFI is structured around security principles (innovate, implement, guide) and six engineering pillars mapped to Zero Trust principles and the NIST Cybersecurity Framework, signaling a governance-and-engineering approach rather than a point-product response. For global cloud, identity, and security teams, SFI matters because it describes Microsoft’s internal hardening focus areas—identity and secrets, tenant isolation, network segmentation, SDLC/build integrity, unified detection, and faster remediation—that can influence default configurations, platform controls, and operational expectations across Microsoft’s cloud and software ecosystem over time. Microsoft also publishes periodic SFI progress reports (including references to a November 2025 report and earlier updates), indicating the initiative is intended to be measured and iterated in “waves” as threats evolve. Read more

Posted on AI Security Cloud Security Identity & Governance Security Operations

Google’s SAIF reframed AI security as operational controls, not just model research

Google introduced the Secure AI Framework (SAIF) in June 2023 as a conceptual security framework for AI systems, explicitly mapping AI-specific threats (e.g., model theft, data poisoning, prompt injection, and training-data leakage) to familiar security disciplines such as secure-by-default infrastructure, detection and response, automation, consistent platform controls, continuous testing/feedback loops, and end-to-end risk assessment. While SAIF is not a standard, Google positioned it as a bridge between traditional security programs and emerging AI risks, and tied it to ongoing industry work including NIST’s AI Risk Management Framework and ISO/IEC 42001. Read more