Aggregator

Multiple U.S.-based companies in the insurance sector have already been hit over the past week and a half, according to Mandiant.

The post Scattered Spider, fresh off retail sector attack spree, pivots to insurance industry appeared first on CyberScoop.

Threat intelligence researchers are warning of hackers breaching multiple U.S. companies in the insurance industry using all the tactics observed with Scattered Spider activity. [...]

A vulnerability has been found in Xen on x86 and classified as critical. This vulnerability affects unknown code of the component Top-level Shadow Reference Handler. The manipulation leads to improper check for dropped privileges. This vulnerability was named CVE-2023-34322. The attack needs to be initiated within the local network. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Xen 4.15.x/4.16.x/4.17.x. It has been rated as problematic. This issue affects some unknown processing of the component ARM Helper. The manipulation leads to information disclosure. The identification of this vulnerability is CVE-2023-46837. Attacking locally is a requirement. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in MediaTek MT2735, MT6813, MT6833, MT6833P, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6877T, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895T, MT6896, MT6897, MT6980, MT6980D, MT6983T, MT6983W, MT6983Z, MT6985, MT6985T, MT6989 and MT6990. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the component Modem IMS Stack. The manipulation leads to denial of service. This vulnerability is known as CVE-2023-32887. The attack can be launched remotely. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability, which was classified as problematic, was found in MediaTek MT6580, MT6731, MT6735, MT6737, MT6739, MT6753, MT6757, MT6757C, MT6757CD, MT6757CH, MT6761, MT6762, MT6763, MT6765, MT6768, MT6769, MT6771, MT6779, MT6781, MT6785, MT6789, MT6833, MT6835, MT6853, MT6853T, MT6855, MT6873, MT6875, MT6877, MT6879, MT6883, MT6885, MT6886, MT6889, MT6891, MT6893, MT6895, MT6983, MT6985, MT8185, MT8321, MT8385, MT8666, MT8667, MT8673, MT8675, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791, MT8791T, MT8797 and MT8798. Affected is an unknown function of the component keyInstall. The manipulation leads to information disclosure. This vulnerability is traded as CVE-2023-32875. An attack has to be approached locally. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in MediaTek MT6762, MT6765, MT6833, MT6879, MT6883, MT6885, MT6983, MT8167, MT8168, MT8188, MT8321, MT8765, MT8766, MT8768, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8797 and MT8798. It has been classified as problematic. This affects an unknown part of the component Battery. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2023-32880. It is possible to launch the attack on the local host. There is no exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Cesanta MJS 2.20.0. It has been classified as problematic. This affects the function mjs_getretvalpos of the file msj.c. The manipulation leads to denial of service. This vulnerability is uniquely identified as CVE-2023-49549. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in iodine up to 0.7.33. It has been declared as critical. This vulnerability affects unknown code of the component Static File Service. The manipulation leads to path traversal. This vulnerability was named CVE-2024-22050. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as critical has been found in Dzzoffice 2.01. Affected is an unknown function of the component Network Disk Backend. The manipulation of the argument doobj/doevent leads to sql injection. This vulnerability is traded as CVE-2023-39853. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability was found in GetSimple CMS 3.3.16. It has been classified as problematic. Affected is an unknown function of the file /admin/edit.php. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2023-51246. It is possible to launch the attack remotely. There is no exploit available.

A vulnerability, which was classified as critical, was found in NetScout nGeniusONE 6.3.4. This affects an unknown part of the component File Handler. The manipulation leads to xml external entity reference. This vulnerability is uniquely identified as CVE-2023-26999. It is possible to initiate the attack remotely. There is no exploit available.

Output-driven SIEM — 13 years later

Output-driven SIEM! Apart from EDR and SOC visibility triad, this is probably my most known “invention” even though I was very clear that I stole this from the Vigilant crew back in 2011.

Anyhow, I asked this question on X the other day:

So, what year is this? Let me see … 2025! Anyhow, get a time machine, we are flying to 2012…. whooosh….

… we landed … no dinosaurs in sight so we didn’t screw the time settings.

Now, WTH is “output-driven SIEM”? Back then, I said that it stands for “deploying your SIEM in such a way that NOTHING comes into your SIEM unless and until you know how it would be utilized and/or presented.” This is not about “don’t collect unless you detect” as some have mis-interpreted it, because you may have some logs for context, or for IR or even … gasp … for compliance. Just not for the sheer heck of it :-)

Gemini Deep Research infographic element (2025)

What changed?

Let’s see what is different 13 years later, in 2025.

1. “Output driven SIEM” is still largely a good idea in 2025. Don’t collect unless you have “the WHY for it” sounds like common sense, that most uncommon of all senses. It is also closely related to thinking about the use cases around SIEM, something I also spent years evangelizing.
2. Weirdly, I intuit that there was a time between 2012 and today when “just collect it” was almost workable (storage got cheap before log volumes got up). However, I think in 2025, today’s logs overrun today’s storage just as reliably as 2010 logs overran 2010 storage.
3. SOAR (when it came around 2015) was a way for people who refused to practice “output driven SIEM” (and/or tune the detections) to survive for a bit longer, without changing the fundamentals. SOAR saved some people with “input-centric SIEM” for a bit, just as it saved some people with shit detections (also for a bit)
4. What about “AI SOC”? Similar to SOAR … but also different! I think “AI SOC” will help people with poor detection decisions more than it will help people with poor [read: too wide open] collection decisions. Ultimately, if you collect, you pay (decentralized trick may work for some people and for some logs some of the time).
5. Also, “Output driven SIEM” is still a part of a healthy answer to alert fatigue in 2025. If you collect lots of random stuff and run some random detections on it, you will have alert fatigue. And you won’t have a good time. So be “output-driven” … think what you want to see at the … you got it… OUTPUT! AI does not change this, frankly.

What to do?

What was the best way to architect “output-driven SIEM” yet still not lose the data you may need later for some purpose? Before and around 2010, it was almost always a two-tier system: a SIEM + central log management (CLM). Here are some of my examples from 2009. Is 2 tier system SIEM+CLM still the best answer?

Naturally, we have way more log storage options in 2025 (Clickhouse anybody), but there is a fundamental truth that remains: if you collect a log and save it, somebody somewhere pays for a hard drive. Nothing has ever charged it, and probably never will.

Look, I like modern one-tier stuff as much as the next person. Google SecOps (formerly Chronicle) can store logs hot for a year (or more!) in a very affordable fashion. But very obviously “one tier for all logs” is not an answer for all SIEM and logging questions (at the very least, because compliance retention requirements drives the quest for ever-cheaper storage, eventually devolving to “write-only log retention”).

Gemini Deep Research infographic element (2025)

So, to conclude, my “3AM answer” for how to architect an output-driven SIEM in 2025 is: look at modern one-tier approach (like, well, our SecOps), but if that does not fit, go back to the classics (cheap/broad log management tool or a data lake + a SIEM based on “output-driven” model).

What to expect?

My analysis is usually grounded in reality, some say too grounded (read: not ambitious enough). So let me try to act out one of my impulses here. I think AI agents in SOC have a chance — in the future — to shift us from the “output-driven SIEM” to “outcome-driven SOC.” What I — hypothetically — mean by this is that a human operator defines a strategic security outcome for a SOC, and then agents get to work and decide the collection, detection and response datasets, tooling and practices. And then do the work! Amazing, eh? Well, there is a caveat…

And it is … can we have this IRL? Obviously not today (we are far from it), but ask me again in … 3 years. My time machine does not have a forward button, so I have to “crystal ball it”… otherwise, just “organically” wait for 2028. Humans to decide what to do … and then I want the robots to do it!

Eventually.

Related blogs:

• Debating SIEM in 2023, Part 1
• Debating SIEM in 2023, Part 2
• 15+ Years of Loading Threat Intel into SIEM: Why Does This Still Suck?
• Decoupled SIEM: Brilliant or Stupid?
• Log Centralization: The End Is Nigh?
• SIEM Content, False Positives and Engineering (Or Not) Security

Output-driven SIEM — 13 years later was originally published in Anton on Security on Medium, where people are continuing the conversation by highlighting and responding to this story.

The post Output-driven SIEM — 13 years later appeared first on Security Boulevard.

A vulnerability, which was classified as critical, has been found in TP-LINK TL-WR940N, TL-WR841N and TL-WR740N. Affected by this issue is some unknown functionality of the file /userRpm/WlanNetworkRpm. The manipulation leads to command injection. This vulnerability is handled as CVE-2023-33538. The attack needs to be done within the local network. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, has been found in Wazuh up to 4.9.0. This issue affects the function as_wazuh_object of the file framework/wazuh/core/cluster/common.py. The manipulation leads to deserialization. The identification of this vulnerability is CVE-2025-24016. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in GNU grub2. It has been classified as critical. Affected is an unknown function. The manipulation leads to out-of-bounds write. This vulnerability is traded as CVE-2025-0690. Attacking locally is a requirement. There is no exploit available.

A vulnerability classified as critical has been found in Apache InLong up to 1.7.x. Affected is an unknown function of the component Global Function Handler. The manipulation leads to sql injection. This vulnerability is traded as CVE-2023-43667. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in SourceCodester Judging Management System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file login.php. The manipulation of the argument Password leads to sql injection. This vulnerability was named CVE-2023-5589. The attack can be initiated remotely. Furthermore, there is an exploit available.