Court records, leaked router configs, and interviews with five utility operators trace how a PRC-linked group quietly built persistence across water, energy, and transit networks — and why "living-off-the-land" made it invisible to most defenders until it was already inside.
CipherGuard-issued bulletins, updated as reporting changes. Each links to source filings and our coverage.
A flaw in the management web interface allows an unauthenticated attacker to create a privileged account and execute arbitrary commands. Mass-scanning observed within 48 hours of disclosure.
Pre-auth SQLi in the Ivanti EPM agent endpoint allows extraction of credentials and lateral movement. CISA added the flaw to the KEV catalog on May 24.
A normalisation bug allows reading of files outside the document root. Proof-of-concept is public; no exploitation observed in production telemetry yet.
Certain extensions allow a non-superuser to register functions that execute as superuser at install time. Configuration mitigation available pending the next minor release.
A heap overflow in the FortiManager daemon allows pre-auth code execution. CISA flagged active exploitation by a state-aligned actor on May 19.
A specially crafted X.509 certificate can trigger excessive memory allocation during chain verification. Practical impact is limited to TLS clients that auto-fetch chains.
Re-reading 60,000 internal messages — the affiliate market, the OPSEC fatigue, and what the splinter groups inherited.
Tested four CASB vendors against 312 controlled SaaS apps. Discovery rates ranged 38–71% — and the gaps tracked predictably with how each catalog gets sourced.
Most SBOM programmes are theatre. A working pipeline needs three things shops keep skipping: deterministic builds, a queryable graph store, and a triage process that does not depend on a single hero.
A class of attack declared dead in 2018 is back, exploiting modern browser handling of WebRTC and Private Network Access. We walk a working PoC against three IoT controllers.
Court records, leaked router configs and interviews with five utility operators trace how a PRC-linked group built quiet persistence across water, energy and transit networks.
A standing scoreboard CipherGuard updates with each major disclosure. Illustrative figures from CISA, OSV.dev and our own SBOM corpus.
Counts include both vendor-issued and community-reported advisories.
Court records, leaked router configs and interviews with five utility operators trace how a PRC-linked group quietly built persistence across water, energy and transit networks — and why 'living-off-the-land' made it invisible to most defenders until it was already inside.
Re-reading 60,000 internal messages with fresh eyes — what they reveal about the affiliate market, OPSEC fatigue, and how the brand splintered into the groups still extorting hospitals today.
We tested four leading Cloud Access Security Brokers against a controlled set of 312 SaaS apps. Discovery rates ranged from 38% to 71% — and the gaps tracked predictably with how vendors source their app catalogs.
Most SBOM programmes are theatre. A working pipeline needs three things shops keep skipping: deterministic builds, a queryable graph store, and a triage process that does not depend on a single hero.
A class of attack we declared dead in 2018 is back, exploiting the way modern browsers handle WebRTC and Private Network Access. We walk a working proof-of-concept against three popular IoT controllers.