This week, we're taking a look at Mastering Palo Alto Networks by Tom Piens aka 'reaper'. The book is available for a knockdown price for a limited time, so don't miss out!
Unlock the full potential of Palo Alto Networks firewalls with expert insights and hands-on strategies for mastering next-gen security:
- Master Palo Alto Networks firewalls with hands-on labs and expert guidance
- Stay up to date with the latest features, including cloud and security enhancements
- Learn how to set up and leverage Strata Cloud Manager
- Purchase of the print or Kindle book includes a free PDF eBook
Welcome to another _secpro!
It's been a busy few weeks for those of us wrestling with Scattered Spider. Over the past two weeks, the hacker group (also tracked as UNC3944 or Muddled Libra) has ramped up attacks across major industries. They’ve been using social-engineering tricks—ringing up help desks or call centers, pretending to be employees and convincing staff to reset or add MFA devices. That’s the pathway they use to slip past security, move through networks, and grab sensitive data or deploy ransomware.
UK retail giants like M&S, Harrods, and Co‑Op have been hit in a wave of attacks, causing disruptions and steep financial losses. The group quickly pivoted to U.S. insurance firms, and this week they’ve focused on aviation. Hawaiian Airlines and WestJet, at a minimum, reported IT system incidents in late June, and most recently Qantas confirmed a breach of a third-party contact‑center platform tied to Scattered Spider tactics. That incident potentially exposed personal data of up to six million customers—names, emails, birthdates and frequent-flyer numbers—though no passports or credit card details were taken.
The FBI, Google/Mandiant, CrowdStrike and others issued warnings, flagging how the group targets entire industries in waves. Their method is low-tech but effective: exploit human trust to bypass tech defenses, then move laterally, extort data, and sometimes encrypt systems.
Impact on global industry has been significant—retail sales stalled, insurance providers scrambled, airlines huddled with cybersecurity teams and regulators. Stock prices dipped, and affected companies are now tightening vendor controls, reinforcing help-desk protocols, and training staff to question any out-of-the-blue IT requests. Here's to better days ahead...
Cheers!
Austin Miller
Editor-in-Chief
Before attackers can steal data, lock up systems, or pivot through a network, they need to get their malicious code to a target. That step is delivery. It’s the moment the payload—often malware or a malicious script—is moved from the attacker’s infrastructure into the environment of the target.
“Mamona” – Minimalist, Offline Ransomware: Wazuh researchers have discovered a new Windows ransomware strain named Mamona, notable for its incredibly compact, self‑contained design. It encrypts files locally (adding a “.HAes” extension), delays execution using a ping trick, then self‑deletes—leaving minimal forensic traces. It doesn’t rely on C2 infrastructure, which makes detection via traditional network monitoring very difficult.
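Because the sample has no C2 traffic, the useful signals are on the host. As an added illustration (not from the Wazuh write-up or this newsletter), the script below runs two checks over constructed Sysmon-style events: a command line that chains ping (used as a sleep) into del, and one process writing several ".HAes" files. The event shape, the PIDs and paths, and the file-count threshold are all assumptions.

```python
"""Host-based detection sketch for the Mamona traits described above.

Events are constructed here in a simplified (event_type, pid, image,
detail) shape; this is an assumption, not a real Sysmon schema.
"""
import re
from collections import Counter

# Constructed sample events, labelled as such: not real telemetry.
SAMPLE_EVENTS = [
    # Assumed self-deletion chain: ping used as a delay, then del.
    ("ProcessCreate", 4120, r"C:\Windows\System32\cmd.exe",
     r'cmd.exe /c ping 127.0.0.1 -n 3 > nul & del /f /q "C:\Users\bob\Downloads\inv.exe"'),
    # Benign ping with no delete afterwards: must not fire.
    ("ProcessCreate", 4131, r"C:\Windows\System32\cmd.exe",
     r"cmd.exe /c ping 10.0.0.1 -n 1"),
    # One process writing several .HAes files (assumed encryptor PID 4098).
    ("FileCreate", 4098, r"C:\Users\bob\Downloads\inv.exe",
     r"C:\Users\bob\Documents\q1.xlsx.HAes"),
    ("FileCreate", 4098, r"C:\Users\bob\Downloads\inv.exe",
     r"C:\Users\bob\Documents\notes.docx.HAes"),
    ("FileCreate", 4098, r"C:\Users\bob\Downloads\inv.exe",
     r"C:\Users\bob\Pictures\cat.jpg.HAes"),
    # A single .HAes file from another process: stays below threshold.
    ("FileCreate", 5002, r"C:\Windows\explorer.exe",
     r"C:\Users\bob\Desktop\old.txt.HAes"),
]

# "ping ..." followed by a shell chain operator and then "del" in one command line.
PING_THEN_DEL = re.compile(r"\bping\b[^&|]*(?:&&?|\|\|)\s*del\b", re.IGNORECASE)


def find_self_delete(events):
    """PIDs whose command line chains ping (as a delay) into del."""
    return [pid for etype, pid, _image, detail in events
            if etype == "ProcessCreate" and PING_THEN_DEL.search(detail)]


def find_mass_haes(events, threshold=3):
    """PIDs that created at least `threshold` files ending in .HAes."""
    counts = Counter(pid for etype, pid, _image, detail in events
                     if etype == "FileCreate" and detail.lower().endswith(".haes"))
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("self-delete chains:", find_self_delete(SAMPLE_EVENTS))
    print("bulk .HAes writers:", find_mass_haes(SAMPLE_EVENTS))
```

The threshold is deliberately low for the sample; on real telemetry, tune it to the file-write rate of the endpoint and pair it with the process ancestry of the writer.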
Shellter Elite Hijacked for Infostealer Campaigns: Elastic Security Labs reports that a leaked version of the Shellter Elite pentest tool has been abused by threat actors to deploy info‑stealer malware such as ArechClient2/Sectop RAT and Rhadamanthys. This underscores the risks when legitimate offensive‑security tools fall into malicious hands. Tool developers responded by tightening access controls and patching misused components.
Oyster Malware Loader Distributed via SEO Poisoning: Arctic Wolf reveals a campaign distributing the Oyster loader (aka Broomstick/CleanUpLoader) through fake, SEO‑optimized landing pages that mimic popular Windows utilities like PuTTY and WinSCP. Once installed, Oyster persists via scheduled tasks and delivers secondary payloads through DLL injection and obfuscated strings, communicating with its operators over HTTPS.
LummaC2 Targeting Critical Infrastructure: In a joint alert, CISA and the FBI spotlight LummaC2, a malware strain used in spear‑phishing campaigns against U.S. critical‑infrastructure organizations. Written to exfiltrate credentials, wallet data, MFA tokens, and more, LummaC2 employs obfuscation to evade detection and maintain persistence by mimicking benign API calls.
Calendarwalk – Google Calendar as C2: TeamT5 via Virus Bulletin reports on Calendarwalk, a sophisticated malware tied to APT41. It abuses Windows Workflow Foundation and uses Google Calendar events as a stealthy C2 channel. The malware includes obfuscated shellcode and integrates an AES‑encrypted Chatloader backdoor, indicating deep technical innovation and evasion.
Medusa Ransomware’s ABYSSWORKER Driver to Disable EDR: Elastic Security Labs has uncovered a novel Bring‑Your‑Own‑Vulnerable‑Driver (BYOVD) attack: Medusa ransomware used a revoked driver called smuol.sys (from the “ABYSSWORKER” family) to impersonate a legitimate CrowdStrike driver and disable anti‑malware protections. It was packaged via a paid packer service named HeartCrypt.
From Promise to Peril: Rethinking Cybersecurity Red and Blue Teaming in the Age of LLMs: This recent position paper examines how LLMs are transforming red and blue team operations. It explores how LLMs can enhance offensive capabilities—e.g., generating exploits and phishing content—while also bolstering defensive workflows like threat intelligence and root cause analysis. Abuadbba, Hicks, and the rest of the team balance LLM potential against limitations (hallucinations, context issues), dual-use risks, and propose safeguards like human oversight and privacy-preserving measures.
Color Teams for Machine Learning Development: This 2021 arXiv article extends the familiar red/blue team concept into ML development workflows by introducing color-coded roles: Yellow (builders), Red (attackers), Blue (defenders), Orange, Green, and Purple teams. It outlines responsibilities across these roles and how combining them—especially Purple—creates more robust ML systems by integrating adversarial testing and defensive analysis throughout the pipeline.
Red Teaming with Artificial Intelligence‑Driven Cyberattacks: A Scoping Review: This review examines how AI is being leveraged in red team activities. The paper systematically surveys AI-assisted attack tools—from automated penetration tools to social-engineering automation—highlighting their implications for both red teams and blue team defenses. It underscores the growing threat and calls for defensive strategies that address intelligent, adaptive attacks.
Here are the five conferences we're looking forward to the most this year (in no particular order...) and how you can get involved to boost your posture!
DSEI (9th-12th September): DSEI stands out as a global platform that bridges defence, security, and cybersecurity. With its broad focus on cutting-edge technologies, this event is critical for those involved in national defence, law enforcement, and private security. Cybersecurity is a prominent theme, with sessions addressing both offensive and defensive cyber strategies.
Defcon (7th-10th August): Defcon is a legendary event in the hacker and cybersecurity communities. Known for its hands-on approach, Defcon offers interactive workshops, capture-the-flag contests, and discussions on emerging threats. The conference is ideal for those looking to immerse themselves in technical aspects of cybersecurity.
Black Hat (2nd-7th August): Black Hat USA is synonymous with advanced security training and research. This premier event features technical briefings, hands-on workshops, and sessions led by global security experts. Attendees can explore the latest trends in penetration testing, malware analysis, and defensive techniques, making it a must-attend for cybersecurity professionals.