incident-response

Patch and Pray Failed: FIRESTARTER Proves Cisco Devices Can Stay Owned

John Z Black Apr 23, 2026

Security Operations & Resilience #cisco #firestarter #persistence #malware #cisa #federal #incident-response #patch-management

A federal agency followed the rules, patched the CVE, and still got owned. FIRESTARTER is a specialized Cisco backdoor designed to survive the remediation cycle. It’s time to stop assuming a patch equals a clean network.

Akira Ransomware Can Encrypt Your Network in Under an Hour

John Z Black Apr 5, 2026

Ransomware & Cybercrime #akira #ransomware #incident-response #speed #halcyon

Akira ransomware completes full attack lifecycles in under an hour, making traditional detect-and-respond strategies basically useless.

Stryker Finds a Malicious File in Its Systems. Production Is Coming Back Online.

John Z Black Mar 25, 2026

Incidents & Breaches #stryker #handala #iran #healthcare #incident-response #unit42

Stryker's forensic investigation with Palo Alto Networks Unit 42 found a malicious file used to run commands and conceal activity, a separate finding from the initial Handala attack. Production recovery is underway.

M-Trends 2026: The 22-Second Stat Everyone Is Misreading

John Z Black Mar 24, 2026

Security Operations & Resilience #m-trends #mandiant #ransomware #incident-response #dwell-time #initial-access-brokers #recovery-denial

Mandiant's M-Trends 2026 report is getting misquoted everywhere. The 22-second ransomware handoff is real -- but it's not what you think, and the dwell time stat buried in the report is scarier.

AI Exploits in Hours: The Patch Window Just Collapsed

John Z Black Mar 21, 2026

AI Security #ai-security #langflow #rce #vulnerability-management #incident-response

Rapid exploitation plus cross-platform AI exposure means next-sprint patching is no longer a safe operating model.

After Stryker: Why Incident Response Now Starts in the Management Plane

John Z Black Mar 20, 2026

Security Operations & Resilience #incident-response #intune #control-plane-security #extortion #law-enforcement-coordination #iran-linked-threats

The Stryker fallout, Intune warnings, and leak-site disruption show a hard truth: incident response now lives or dies on control-plane integrity and coordinated external action.

DarkSword Spread Beyond One Campaign. Mobile Risk Has to Follow.

John Z Black Mar 19, 2026

Threat Intelligence #darksword #ios #mobile-exploitation #threat-intelligence #enterprise-security #high-risk-users #incident-response

Google threat intelligence ties DarkSword-linked iOS exploitation to a broader actor picture than earlier reporting suggested. The bigger signal isn't the exploit chain. It's that the capability is spreading across actors and channels.

Federal Cyber Reality Check: Capacity, Coordination, and Confidence Are Out of Sync

John Z Black Mar 18, 2026

Policy, Law & Governance #cisa #dhs #critical-infrastructure #governance #policy #incident-response #federal-cyber

Staffing gaps, fuzzy lead-agency roles, and public messaging that doesn't always match operational uncertainty -- the layers of federal cyber aren't running in sync right now.

Breach Disclosure Lag Is Becoming the Real Story in Financial Supply Chains

John Z Black Mar 18, 2026

Incidents & Breaches #breach #financial-services #third-party-risk #disclosure #ransomware #governance #incident-response

The Marquis breach started with a ransomware attack. The damage is still accumulating months later -- not because of what happened technically, but because of how disclosure was handled.

The Insider No One Suspected: DOJ Says a Ransomware "Helper" Was Running the Attack

John Z Black Mar 14, 2026

Ransomware #blackcat #ransomware #incident-response #doj #trust #insider-threat #alphv #digitalmint

A ransomware negotiator was secretly feeding BlackCat operators confidential victim data to jack up ransom payments. The DOJ just charged him.

The Ransomware 'Negotiator' Was Running the Attack: DigitalMint's $75M Double Cross

John Z Black Mar 13, 2026

Ransomware #ransomware #incident-response #digitalmint #blackcat #vendor-risk #extortion

Federal charges reveal DigitalMint's ransomware negotiators were allegedly running the attacks themselves. The second employee charged in the same operation. This wasn't a rogue employee. It was the business model.