A signal is any operational event detected in the last 24h–30d: actively exploited CVEs in KEV, vendor advisories, cloud exposure, ransomware and regulatory notices. Each signal is prioritized by severity, freshness and match with your Digital Twin.
For editorial analysis and general news, visit Noticias.
Intel Center Basic
Discover shows a short queue of recent signals for exploration. Pro plans unlock the full KEV catalog, more history, Digital Twin context and expanded prioritization.
Priority Command Strip
Discover shows 8 recent operational signals. Upgrade to Consultant Pro or Professional Pro to open the full feed, expanded history and the KEV catalog.
Filtered for operational relevance. Powered by a curated catalog of vulnerability, CERT, vendor and threat-intelligence sources.
Active exploitation confirmed. Material risk for exposed environments.
The Blackfield ransomware gang is asking for a $2 million ransom from Nidec Corporation, a large Japanese manufacturer of electronic components for automotive and computing applications. [...] Vendors: Microsoft. DORA relevance: high.
Why it matters
Exploitation reported on Microsoft. Verify actual exposure in the inventory.
Recommended action
Notify owners for Microsoft technology stacks.
Researchers have identified a new backdoor program that has been used in enterprise intrusions since April and appears to be linked to an initial access broker that sells network footholds to ransomware gangs. Dubbed Mistic by researchers from Symantec, the malware program has been deployed on networks belonging to organizations from multiple sectors, including insurance, education, IT, and professional services. In some cases it has been used alongside ModeloRAT, a piece of malware written in Python that’s associated with threat actor Woodgnat, also known as KongTuke. “Woodgnat reportedly functions primarily as an IAB [initial access broker],” the Symantec researchers said in their report. “Its goal is not to deliver the final payload, but to establish highly durable remote access within an enterprise and sell this high-level access to ransomware affiliates and other attackers for a fee. The Symantec Threat Hunter Team has observed ModeloRAT being used in attacks delivering the Qilin ransomware.” Woodgnat has been operating since at least May 2024 and has served multiple ransomware gangs over the past two years, including Interlock, Rhysida, Akira, 8Base, and Black Basta. Its attacks are largely opportunistic, routing web visitors through a variety of ClickFix social engineering campaigns.
A backdoor with credential stealing capabilities
The Mistic backdoor is launched through a technique called DLL sideloading, where a legitimate executable belonging to another program is executed first and searches for a DLL of a particular name to load into memory. This is a very popular technique for avoiding detection, as many legitimate programs perform dynamic DLL searches across multiple folders and are vulnerable to DLL poisoning. Ironically, in this case the attackers deliver and execute a file called MpExtMs.exe, which is digitally signed and belongs to Microsoft Defender. This file searches for a DLL called version.dll, which in turn searches for and loads another one Vendors: Microsoft, Cisco, Google. DORA relevance: high.
Why it matters
Exploitation reported on Microsoft / Cisco. Verify actual exposure in the inventory.
Recommended action
Notify owners for Microsoft, Cisco, Google technology stacks.
I work as a principal specialist at a pipeline operator where Operational Technology (OT) is the backbone of the business. I do not report to the board or act as a CISO, but the issues that get raised to those levels affect my job every single day. Since the Colonial Pipeline ransomware incident in 2021, it has become apparent that our industry has started posing different tones of “Are we zero trust yet?” I frequently witness its intense significance through auditing requests, TSA security directives and conversations around some control project’s goals. One experience the zero trust role has changed is that it often feels misaligned with OT-heavy environments. NIST’s Zero Trust Architecture (SP 800‑207) model works for all, but is originally written as though for an IT network, not terminals, compressor stations and control rooms where equipment must run 24/7, perhaps more aged than the technology present within the organization. CISA’s guidance on adapting zero trust principles to operational technology helps close that gap, but applying it means satisfying the OT teams and company leadership at the same time.
The zero trust question I hear behind the scenes
I am pretty sure we all know it comes as a jolt of reality after something really major has happened, rather than a bullet point on a slide deck. You have a pipeline. The whole distribution stops for six days. In Washington, DC, US congressional hearings are underway, and legislation is coming. TSA Directive 2021-02C requires pipeline operators to attest to several things, like network segmentation and zero-trust architectures. NERC CIP-013 exists on a similar tack, more around supply chain security. In our case, the decision on how to select and manage a vendor partner and control their remote access is driven by regulatory compliance and governance frameworks. So, you have all those things that happen externally and force change. They say, “Are you zero trust? Yes or no?” We always get “yes.” They know it Vendors: Microsoft. DORA relevance: high.
Why it matters
Exploitation reported on Microsoft. Verify actual exposure in the inventory.
Recommended action
Notify owners for Microsoft technology stacks.
Kaspersky researchers analyze incidents related to The Gentlemen RaaS group, disclose their tools and TTPs, and find a new ransomware variant. Vendors: Microsoft, Google. DORA relevance: medium.
Why it matters
Exploitation reported on Microsoft / Google. Verify actual exposure in the inventory.
Recommended action
Notify owners for Microsoft, Google technology stacks.
Rising threats from third-party actors are forcing institutions to play defense to protect student data from ransomware and other attacks. DORA relevance: medium.
Why it matters
CVE with evidence of exploitation. Review perimeter exposure.
Recommended action
Review source, confirm applicability, and monitor for follow-up guidance.
After a global lull, ransomware gangs are setting sights on a rich new arena: attacking EU organizations and their suppliers. DORA relevance: medium.
Why it matters
CVE with evidence of exploitation. Review perimeter exposure.
Recommended action
Review source, confirm applicability, and monitor for follow-up guidance.
A malicious Microsoft Edge extension dubbed 'Edgecution' has been used in a ransomware attack to escape the browser sandbox and deploy a Python-based backdoor. [...] Vendors: Microsoft, Cisco, Google, Fortinet. DORA relevance: medium.
Why it matters
Exploitation reported on Microsoft / Cisco. Verify actual exposure in the inventory.
Recommended action
Notify owners for Microsoft, Cisco, Google, Fortinet technology stacks.
Microsoft, Europol, and international partners have disrupted infrastructure used by the Amadey and StealC malware operations as part of Operation Endgame, which targets cybercriminal services and ransomware gangs. [...] Vendors: Microsoft, Fortinet. DORA relevance: medium.
Why it matters
Exploitation reported on Microsoft / Fortinet. Verify actual exposure in the inventory.
Recommended action
Notify owners for Microsoft, Fortinet technology stacks.