SITREP - Independent OSINT Channel
AI, technology, mass surveillance, and intelligence — everything you need to know about tomorrow.
🔍 CISA Adds Wing FTP to KEV

CISA has added CVE-2025-47813 to its Known Exploited Vulnerabilities catalog following confirmed active exploitation of a flaw in Wing FTP Server that exposes internal server paths, providing attackers with reconnaissance data usable in follow-on operations.

The path disclosure class of vulnerability is routinely leveraged to map server infrastructure prior to lateral movement or privilege escalation. CISA has set a remediation deadline of March 30, 2026 for federal agencies under BOD 22-01 obligations.

🛰 Open sources - closed narratives
@sitreports
🔫 Federal Agencies Test Counter-Drone Laser

Multiple federal agencies conducted a joint test of a classified directed-energy weapon at White Sands Missile Range, New Mexico. The laser test targeted counter-drone applications, placing it within an accelerating U.S. effort to field non-kinetic intercept capability against unmanned aerial systems.

The multi-agency format indicates the program crosses organizational boundaries — likely spanning defense, homeland security, and intelligence equities. Directed-energy testing at White Sands follows an established pattern of low-visibility evaluation before transition to operational deployment.

🔍 Iran War Drives 245% Cybercrime Surge

Since the outbreak of the Iran war, cybercrime activity has risen 245%, according to recent reporting. Hacktivist groups have been routing operations through proxy infrastructure based in Russia and China, generating billions of abusive connection attempts.

The pattern fits an established operational model: conflict events function as force multipliers for hacktivist mobilization, with anonymizing proxy networks providing plausible deniability and scalability. Routing through Russian and Chinese infrastructure complicates attribution and raises the threshold for any formal state-level response.

🔍 GlassWorm Targets Python Supply Chain

A campaign designated GlassWorm has been injecting malware into GitHub-hosted Python repositories via stolen authentication tokens since March 8, 2026. The method relies on force-pushed commits, allowing attackers to overwrite repository history without triggering standard pull-request review processes.

The GlassWorm campaign fits an established pattern of software supply-chain compromise in which upstream code repositories are used as distribution vectors rather than targeting end users directly. Stolen tokens bypass credential-based controls entirely, reducing the attack surface visible to repository owners.

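As an added defensive example that is not part of the SITREP post and not taken from any real GlassWorm tooling, the check below flags pushes that rewrite a protected branch, the mechanism the post describes: it honours the webhook's `forced` flag first, then runs an independent ancestry test so a missing or false flag is never relied on alone. The event payloads, commit graph, commit ids and pusher names are all constructed.

```python
# Constructed example (not from the SITREP post or any real campaign):
# flag pushes that rewrite a protected branch. The event dicts mimic the
# real GitHub push-webhook fields 'ref', 'before', 'after', 'forced' and
# 'pusher'; commit ids and pusher names are made-up placeholders.
PROTECTED_REFS = {"refs/heads/main", "refs/heads/release"}

# Constructed commit graph: id -> parent ids. A fast-forward push keeps the
# old tip as an ancestor of the new tip; a force-push rewrite drops commits.
COMMITS = {
    "c1": [],
    "c2": ["c1"],
    "c3": ["c2"],   # legitimate new commit on top of c2
    "x9": ["c1"],   # rewritten history: branches off c1, discards c2
}

def is_ancestor(old, new, commits=COMMITS):
    """True if `old` is reachable from `new` through parent links."""
    stack, seen = [new], set()
    while stack:
        cur = stack.pop()
        if cur == old:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(commits.get(cur, []))
    return False

def flag_rewrites(events, commits=COMMITS, protected=PROTECTED_REFS):
    """Return (ref, pusher, reason) for each push that rewrites a protected ref."""
    alerts = []
    for ev in events:
        if ev["ref"] not in protected:
            continue
        who = ev["pusher"]["name"]
        if ev.get("forced"):
            alerts.append((ev["ref"], who, "forced flag set"))
        elif not is_ancestor(ev["before"], ev["after"], commits):
            alerts.append((ev["ref"], who, "non-fast-forward update"))
    return alerts

# Constructed sample payloads, trimmed to the fields the check uses.
SAMPLE_EVENTS = [
    {"ref": "refs/heads/main", "before": "c2", "after": "c3",
     "forced": False, "pusher": {"name": "maintainer"}},
    {"ref": "refs/heads/main", "before": "c2", "after": "x9",
     "forced": True, "pusher": {"name": "stolen-token"}},
    {"ref": "refs/heads/main", "before": "c2", "after": "x9",
     "forced": False, "pusher": {"name": "stolen-token"}},  # flag missing
    {"ref": "refs/heads/feature", "before": "c2", "after": "x9",
     "forced": True, "pusher": {"name": "dev"}},  # unprotected, ignored
]
```

In a real deployment the ancestry test would be run against the repository's own history (for example `git merge-base --is-ancestor`) rather than an in-memory graph; the logic is the same.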
🔍 LUCAS Drone Stockpile: Combat Debut

The Pentagon's LUCAS drone inventory stands in the dozens as the system enters combat deployment with U.S. Central Command. Pentagon CTO Emil Michael stated that full-rate production has not been reached, and available units were shipped as-is to theater.

The deployment reflects a pattern common to accelerated defense acquisition cycles: operational introduction precedes production scale-up. Fielding low-inventory systems into active commands functions as a live validation phase, with production ramp contingent on battlefield performance data.

🏦 Bank Builds Internal AI Threat Agent

Commonwealth Bank developed an in-house AI threat hunting agent after determining that third-party vendors could not match the tempo of emerging threats. The decision reflects a structural shift in enterprise security architecture — proprietary tooling replacing or supplementing commercial solutions where detection velocity is the primary operational requirement.

Following deployment, weekly threat signal volume increased from 80 million to 400 billion, while mean response time dropped from two days to 30 minutes. The threat agent build represents a direct acknowledgment that AI-generated attack surface expansion requires AI-native defense infrastructure operating at matching scale.

🔍 Golden Dome Budget Hits $185B

The projected cost of the U.S. Defense Department's Golden Dome homeland missile defense architecture has risen to approximately $185 billion, a $10 billion increase attributed to the expansion of space-based components. The revision was disclosed by the program's director.

The cost growth follows a structural pattern common to layered missile defense programs: space-based sensor and intercept layers carry disproportionate integration costs and extend procurement timelines. The $10 billion addition reflects prioritization of orbital infrastructure over ground-based redundancy in the current architecture.

🤿 Exail Underwater Drone Orders Surge

French defense technology firm Exail Technologies reported an 87% increase in order intake for the full year, reaching 844 million euros. Core profit rose 40% to 103 million euros. The growth is attributed primarily to demand for underwater drone systems.

The figures indicate accelerating procurement of unmanned underwater vehicles across Exail's customer base. The scale of order intake relative to profit margin suggests a pipeline extending multiple years forward, consistent with defense acquisition cycles rather than commercial spot demand.

🔍 EU Sanctions Chinese, Iranian Cyber Actors

The European Union has imposed sanctions on Chinese and Iranian firms and individuals linked to cyberattacks targeting critical infrastructure across EU member states. The designated actors are attributed to operations affecting over 65,000 devices within the bloc.

The designations follow an established EU pattern of using the cyber sanctions regime as a signaling instrument against state-proximate threat actors. Targeting both Chinese and Iranian entities in a single package indicates coordinated attribution across two distinct threat clusters rather than a response to a single incident.

🔍 Iran Targets Medical Tech Firm

Iranian threat actors conducted a cyberattack against Stryker, a US-based medical technology company, according to reporting on the incident. The operation is assessed as part of Iran's sustained use of offensive cyber capability as an asymmetric instrument, compensating for conventional force limitations in air and naval domains.

The targeting of a medical device manufacturer fits a documented pattern of Iranian cyber operations against US critical infrastructure and dual-use industrial sectors. Stryker produces equipment used across both civilian hospitals and military medical supply chains, giving the target strategic relevance beyond commercial disruption.

🔍 Japan Authorizes Offensive Cyber Operations

From October 1st, Japan's government will permit proactive cyber-defense operations — a doctrine authorizing intrusion into adversary networks before an attack occurs. Per legislative review, the policy shift moves Japan from a strictly defensive posture to one permitting preemptive network operations, functionally equivalent to what other states classify as offensive cyber capability.

The change marks a structural departure from Japan's postwar security constraints. Operationally, proactive cyber-defense grants state actors authority to conduct reconnaissance and interdiction inside foreign infrastructure — capabilities previously held only by allies such as the U.S. Cyber Command and the UK's NCSC-aligned offensive units.

🔍 U.S. Agencies Build Central Surveillance Database

Multiple federal agencies are pooling immigration records, Social Security numbers, and additional personal data into a centralized government database, according to reported disclosures. The Freedom of the Press Foundation has filed suit to determine the full scope of data aggregation underway.

Centralized identity repositories of this structure reduce inter-agency friction in population tracking and expand query capability across previously siloed datasets. The litigation targets procedural transparency, not the database's operational status.

🔍 GlassWorm Returns, Hits 400 Repos

The GlassWorm supply-chain campaign has re-emerged with a coordinated operation targeting over 400 packages, repositories, and extensions across GitHub, npm, VSCode, and OpenVSX.

The simultaneous reach across four distinct platforms indicates deliberate multi-vector targeting rather than opportunistic infection. Compromising IDE extensions alongside package registries expands the attack surface to development environments directly, not only downstream dependencies.

This pattern fits an established model of supply-chain infiltration where developer tooling is treated as an insertion point into build pipelines. Repeated deployment of the same campaign suggests persistent infrastructure behind GlassWorm rather than isolated actors.

🔍 Iran Cyber-EW Operations Converge

Following a joint US-Israeli military operation initiated on February 28, 2026, Iran-linked actors began integrating cyber operations with electronic warfare capabilities as regional conflict escalated.

The convergence of cyber and EW domains marks a structural shift in Iranian operational doctrine — moving from parallel-track disruption toward synchronized, multi-domain degradation of adversary communications, navigation, and command infrastructure.

🔍 FancyBear Infrastructure Exposed Via Misconfiguration

A web server misconfiguration on infrastructure linked to FancyBear — the GRU-affiliated threat actor also tracked as APT28 — allowed cybersecurity researchers to observe credential theft operations in operational detail. The exposure was not the result of an active intrusion or technical countermeasure, but of an administrative error on the actor's own systems.

The incident follows a documented pattern in which state-affiliated operators inadvertently expose backend infrastructure through routine configuration failures. Such exposures have historically revealed targeting scope, tooling, and collection priorities that would otherwise remain opaque to outside analysis.

🔍 Cisco Firewall Zero-Day Deploys Ransomware

CVE-2026-20131, a zero-day vulnerability in Cisco firewall products, was actively exploited to deliver Interlock ransomware for over a month prior to public disclosure. The pre-disclosure window granted threat actors sustained access to targeted networks without vendor mitigation available.

An exploitation gap of this duration indicates deliberate operational staging — attackers prioritized dwell time over speed, consistent with ransomware groups that conduct reconnaissance and lateral movement before payload deployment. Cisco firewall infrastructure is widely deployed at network perimeters, making unpatched instances a high-value initial access vector.

🔍 State Actors Deploy iOS Exploit Chain

Google has documented a second iOS exploit chain within a single month, attributed to state-linked actors and commercial spyware vendors deploying information-stealing malware on iPhones. The exploit kit, designated Darksword, follows a prior iOS chain and indicates sustained offensive capability against Apple's mobile platform.

The cadence — two functional iOS exploit chains in 30 days — reflects an operational tempo consistent with well-resourced programs cycling through zero-day inventory before patches close the attack surface. Commercial spyware vendors supply both state and sub-state clients, broadening the deployment base beyond traditional intelligence services.

🔍 CISA Mandates Zimbra XSS Patch

The Cybersecurity and Infrastructure Security Agency has issued a binding operational directive ordering U.S. federal agencies to patch a cross-site scripting vulnerability in the Zimbra Collaboration Suite, confirmed as actively exploited in the wild.

Zimbra infrastructure has been a recurring target for state-linked threat actors due to its deployment across government and enterprise mail environments. A confirmed exploitation status on CISA's Known Exploited Vulnerabilities catalog triggers mandatory remediation timelines for civilian federal agencies under BOD 22-01.

🔍 OFAC Sanctions DPRK Remote Work Network

The U.S. Office of Foreign Assets Control has designated a North Korean IT worker network identified as using fabricated remote employment to generate revenue routed to weapons of mass destruction programs. The sanctions designation identifies AI-assisted tactics as part of the operational methodology, including identity concealment to secure positions at foreign firms.

The structure follows an established DPRK model: technically skilled personnel placed inside legitimate organizations function simultaneously as revenue generators and potential insider access vectors. Sanctions designations at the network level, rather than individual actors, indicate OFAC has mapped sufficient organizational infrastructure to target the funding pipeline directly.

🔍 Army Accelerates Munitions Stockpile Buildup

The U.S. Army's senior munitions commander has stated the service intends to expand stockpiles across all armament categories, specifically including the Precision Strike Missile and Dark Eagle hypersonic system.

The directive reflects a structural shift in Army acquisition priorities toward depth of inventory rather than platform modernization alone. Sustained conflict in Ukraine has exposed NATO stockpile deficits; the U.S. Army has since reoriented procurement timelines to address sustained high-intensity consumption rates.

PrSM and Dark Eagle represent opposite ends of the precision-strike spectrum — one a near-term theater asset, the other a long-range hypersonic capability still in development. Ramping both simultaneously indicates the Army is planning for concurrent near and long-range strike requirements rather than sequential fielding.
